No direct access for SimplyBook.me support team
Once double authentication is activated, SimplyBook.me staff no longer have any access to the user's system. This can be inconvenient if you need quick assistance, but it also enhances security. Although all SimplyBook.me staff who can come into contact with personal information have clean criminal records and have signed an NDA, access is now restricted: the only way for them to gain access is if the user gives them a temporary code, so that they can help with settings if needed.
Some of the most sensitive information in the system is patient details, which are usually stored in a component called SOAP. The SOAP component is now encrypted at rest, so that no one can access this information, even if they break into the user's system or into SimplyBook.me servers, UNLESS they have the secret key. This key can be kept on a USB drive or in a folder on the computer. It is never stored on SimplyBook.me servers. Just make sure that the computer is well protected, so that if it is stolen, thieves do not have easy access to the hard disk. The same applies to the USB drive, which can also be encrypted with a code that only you remember.
All emails have unsubscribe links, and these have now also been added to promotional emails, so clients that have unsubscribed from these messages will no longer receive them. Fortunately, this has not been a problem, as clients are generally happy to receive promotions from their favorite providers.
For users who want to harden security even further, there is the HIPAA feature, which can be enabled on Standard and Premium subscriptions. This feature allows users to set an automatic system logout after a predefined time, for example 20 minutes after the system was last used. It also allows users to receive a notification upon each login to the system. Furthermore, this feature prevents personal data from being sent over email or SMS: it removes client and service names from these notifications, making it harder for snoopers to see personal data.
It is also recommended that users harden the security of their mobile devices by using long passwords and enabling automatic deletion of phone data after several wrong password attempts. This prevents thieves from getting hold of the double-authentication access code.
All users should enable automatic screen lock to reduce the risk of snooping by people who may be walking around the workplace. Here is a link that describes how this can be done on Windows-based computers.
Here is a link to a good article from PayPal about how GDPR affects anyone handling personal data of data subjects in the EU, and what steps to take.
Remember that you are responsible for the privacy policy towards your own clients, and no one can write it for you, as it is something you decide. Write it in a clear, concise manner so that your clients understand how you plan to treat their data, and explain what measures you take to keep their data safe.
Here is a good article with some of the main points that need to be addressed in your privacy policy, which you will include in the terms & conditions that clients agree to before making a booking or becoming a member or user of your system.
You should also link to the SimplyBook.me privacy policy, which details how we process data subjects' data on your behalf and what transfers take place. The SimplyBook.me policy can be found here.