
We have put great effort into making system and organisational changes to be GDPR compliant, while many companies are just modifying contracts (Privacy Policy and T&C) and pretending this is enough.
I’m Mike, the CTO of SimplyBook.me. I’m not a writer, so don’t expect a Socratic dialogue, but it is finally time for us in the tech team to write an article about our security, the new GDPR privacy regulations and what we have been up to about them.
So, let’s start…
Security is not just ciphers, algorithms and good door locks. It is about how you treat your clients’ data and how you deal with potential risks. The internet gives people the possibility to do a lot of things that were impossible some years ago: doing their work and accessing things from anywhere. At the same time it also gives new possibilities to hackers, criminals and trolls (I’m not talking about our bookingtroll; that is a different kind of troll). Protecting any valuable asset is an important and complex task. For instance, you can put very good and expensive locks on your cheap wooden door, and they will not protect your beloved Ashera cat from thieves. The same goes for data protection. You have to apply diverse procedures and do so with both risk factors and user experience in mind. For example, it would be very good for security to limit user sessions to a few minutes, to prevent dishonest people at your office from getting hold of your booking information while you are making your morning coffee. But such a restriction would make you and others mad, and you would quickly stop using this “secure” software.
You have already noticed a ton of “Policy change” emails clogging your inbox in the last couple of days. This is because GDPR becomes effective as of today, and all proper businesses are eager to comply with the new regulations. You may think it is just a regulation affecting company policies, which is in fact what many of our competitors and a whole lot of other companies think it is, but that is not the case. It also involves making your clients’ data as secure as possible while still keeping the user experience such that the system stays usable.
Good data protection is all about balancing risk factors and usability. This is what we have concentrated our efforts on for many months, and there are lots of things we have implemented so that you can safely keep your and your clients’ data in our hands. The key changes we made are as follows:
- More secure authentication into the system
- Your patient log data is encrypted and safe. We implemented the SOAP plugin with client-side encryption (our servers will not touch your plain text data), and our data backups are encrypted (to address the very low risk of someone accessing the disks in the datacenter).
- Company, user and client data reports are an important requirement in GDPR, and yes, all your clients can get all their personal data (except SOAP encrypted data) automatically. To access the SOAP encrypted data they would need the private key, which only you have; you can give them this data manually upon request.
- All users and their clients need to specifically accept our terms & conditions, which explain the rights and obligations of the different parties. This is important because both you and they need to know this. Your clients also need to specifically accept your terms. It is no longer enough to have the terms hidden somewhere on the website or as a pre-checked box. Without confirming that they have gone over these, clients cannot book. If this method is not used, there is no other way for you to show that clients were informed, and you are obliged to inform them.
- Additionally, we have added a checkbox where clients must specifically accept receiving anything other than normal system notifications about appointments. This applies, for example, to promotions and “Come back soon” notifications. This is to protect all our users’ clients against possible spamming.
- We have mapped all processes, including our development processes. We have changed our developers’ workflow to increase your security. Long before GDPR we started having all personnel sign an NDA and provide a clean criminal record, because GDPR is also about this. To keep it short, there is now a complete set of rules and checklists to keep your data better protected, and we also need to clearly tell you how we are going to handle your data and protect it.
To summarize, GDPR is a set of rules to increase privacy and data protection and give people control over their personal information. The good news is that we have made an immense effort to comply with this new set of rules. You can breathe a sigh of relief, because your data and the data of your clients are very safe in the hands of SimplyBook.me. You, as a SimplyBook.me user, can request the personal data that we keep on our servers for inspection at any time. You can actually do this from your admin interface. It is your data, and the control is in your hands.