The General Data Protection Regulation (GDPR) affects European and non-European businesses targeting users in the European economic area. The new rules are coming on May 25th, 2018, so it’s important you’re ready. You can find a great summary of the GDPR here, in case you need more information.
This document summarizes the Volare product changes that we’ve implemented to make sure that we, Cloud4Wi, and you (Customer) have everything in place to comply with GDPR.
Let’s start with some taxonomy:
- Customers (You) - administrators of the Volare product dashboard
- Users - users of wireless services (WiFi hotspots)
Actions We’ve Taken
- Appointed a Data Protection Officer (DPO) and a data protection working team.
- Completed data mapping of our processing activities and made sure we can handle all pieces of users’ personal data
- Conducted a data protection impact assessment on the data processing activities
- Updated data processing flows to ensure security compliance and embed data privacy by design and by default practices
- Conducted internal training sessions to ensure all of our team understands the new law and what these changes mean to them
What We’ll Deliver by May 25th, 2018
- Updated end user license agreement (EULA) - contract between Cloud4Wi and our customers
- Data Privacy Addendum to our standard contract
- New feature that blocks Cloud4Wi access to a Customer’s account for support reasons unless the Customer explicitly grants it
- New feature that easily enables the deletion of all of a user’s data
- New feature that allows you to easily export all of a user’s data
- New feature that allows you to personalize and publish a privacy and terms summary text to be published on the Splash Page
- Ensure all our sub-processors (like Amazon and Twilio) are ready and sign a Data Privacy Addendum with them
What You Need to Do
In preparation for the GDPR release, you need to:
- Make sure your users know who is controlling their data and how to contact you
- Make sure your configuration of login options is compliant with the new rules
You also need to make sure that all administrators of the account in your organization are aware of these guidelines. We suggest you update your admin account email so that you will receive, via email, any communication from us.
If you are a data controller
Our Volare product allows our customers to operate the service with full autonomy. You can decide what data to collect and what to do with it.
You must ensure you review and update those terms and make sure they are compliant with the new rules. If you don’t do this, you may be at risk of violating the requirements of the GDPR.
If you are a managed service provider
If you are operating the service on behalf of your client, you also operate as a data processor, as long as your customer is the one to make all the decisions about personal data and how it is processed. You need to establish an agreement between you and your customer that clearly defines your roles and responsibilities as a data processor.
If you are an agency
If you are operating the service deployed in your customer's locations, but you have full autonomy in the decisions about how to process personal data (for example, executing marketing campaigns), you are operating as a data controller.
If you are a customer of Cloud4Wi, you assume all the responsibility of a data controller. If you are serving our customer with a direct contract, you need to make sure that the contract or any other legally binding document correctly and accurately reflects the relationship between you and your client. You may be a joint data controller or a data controller in common, so we suggest you get legal advice on this topic to ensure you set up the proper measures to comply with the EU GDPR.
What if you’re not in Europe?
If your company is not located in the EU, you still need to be compliant if you deliver the service to, and process the data of, EU citizens. Although GDPR compliance may appear to be a big effort and a big change to your company’s processes, you should consider that, ultimately, compliance is a good thing. In fact, we consider GDPR compliance a great competitive advantage, as it lets companies get real value from the data they hold while making their value-chain processes more efficient.
Set up a Volare account
If you are a data controller, you must verify that the account is configured with your organization’s correct data and contact information. Your users should know who is offering them the service and how they can contact your company for any queries regarding their personal data.
All communications sent to users should include your contacts. We are going to release a new feature under Preferences that will allow you to personalize the email address that your users will see when they receive the email (such as firstname.lastname@example.org). In this way, it will be easier for your users to recognize your organization.
Collection of consent
You will have to review and/or personalize this text to make sure it contains all of the details about how you intend to use the data.
Subject Access Request and Data Portability
Users have the right to be informed by an organization whether or not it is processing personal data that relates to them. You need to be able to verify the identity of the user, possibly by asking questions related to multiple data points. You can make this process easier if you ask users at least two pieces of personal data in the registration process, for example their email and birth date.
Data controllers are required to respond to a data subject access request (DSAR) by providing, in an intelligible form, copies of the personal data and any information about the sources of the data within 30 days of collection.
Once you get a request from a user, you can search and identify the user in Volare Admin Panel. We will soon be adding an “Export” button that will export all the data we know about a user to a portable file format (CSV).
Right to be forgotten
Users can request to be forgotten and force you to erase any data you own about them. Once you have identified the user in the system, you can use the Delete button to accomplish this. We are going to upgrade the delete feature to erase any trace of the user’s personal data from the system.
Who can access your data
At the time of writing, only the CTO and the dev ops team have direct access to the servers and databases. Other technical and support staff have access to the locations and client data for troubleshooting and support reasons only.
As part of the upcoming update, we are releasing a feature that, by default, will block direct access to customer account to Cloud4Wi. When the customer has a support request for our team, and we need to inspect the customer’s account, the customer can allow us to do so by checking a new option on the account page.
When we inspect the account for support reasons, we will not have access to the end user’s personal data and will not be able to export any data via a web interface or APIs.
How long the data is stored
As a data controller, you are in control of the data retention period. Volare uses a default retention term of 18 months for most of the data, including:
- Radius and accounting data
- User profile data
- User activities data (connections, visits)
- User marketing activity logs (survey responses, coupon downloaded and redeemed, emails sent and opened)
Note that automated database backups are stored, encrypted, for 7 days. If you need to change these retention periods, please get in touch with our support team to discuss a customization option.
Where the data is stored
We store this data on Amazon AWS servers located in both Ireland and the US. All customers who have a deployment in Europe are served from the EU Amazon data center.
How we handle user data
User data can be broken down into four types:
- Personal data - social data, emails, etc.
- Authentication (radius) data - what is used to log in to a hotspot
- Activity data - when a customer receives an email or redeems a coupon
- Location data - MAC address, timestamps
Personal data is encrypted in transit and at rest. User data is collected via the splash pages and includes personal data, such as name, email and phone number, and can include social data from Facebook, etc. (whatever is authorized by the user upon login). User data is sent from the splash pages over a secure channel. As a data controller, our customer decides which data to collect from users and how to use it.
Authentication data is not encrypted in transit, since this is sent via radius authentication and accounting packets. Radius traffic, by default, is not encrypted. The data that is sent unencrypted includes user MAC addresses and internal IP addresses. Some data is encoded server-side over an encrypted channel. So, while the channels the final data is sent over are not encrypted, the data itself is secure. This data includes ephemeral, single-use usernames and passwords (not associated with user accounts). We use this to log users into the splash pages. This data is necessary for running the service.
Activity data includes all the logs of users’ interactions with the service, including, for example, logs of when a user downloads a coupon, responds to a survey, or uses a PIN code. All activity data is encrypted in transit and at rest.
Location data is collected by the network and may or may not be encrypted in transit, depending on the WiFi vendor. Location data includes the device identifier (MAC address) and other attributes, such as a timestamp and WiFi signal strength. We hash the MAC addresses as soon as we receive them and discard the data of users who opted out from tracking. The data is then processed for the purpose of calculating aggregate analytics, and the original samples are then discarded.
We use a salted hashing mechanism that ensures that the data is anonymized and not directly associated with the device that generated it. The salt of the hashing is different for each customer and also changes over time on different types of datasets: for example, for data used for producing hourly reports, the salt changes every hour, minimizing the amount of information we know about the users.
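The pseudonymization pipeline described in the two paragraphs above (opt-out check, per-customer salt that rotates per hour, hash-then-aggregate, raw samples discarded) is shown below as an added example. It is illustrative code written for this document, not Volare’s implementation. The customer secrets, the opt-out list and the location samples are constructed here; the use of HMAC-SHA256 for both the salt derivation and the MAC hashing is the author’s choice, and the exact mechanism Volare uses is not stated on the page. The reason a secret, rotating salt matters: the MAC address space is small enough that an unsalted hash can be reversed by enumeration, whereas HMAC with a secret key cannot be reversed without the key, and rotating the key every hour means two hours’ pseudonyms for the same device cannot be linked.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timezone

# Constructed per-customer secrets (hypothetical; in practice these live in a secrets store,
# never in source). A different secret per customer gives a different salt per customer.
CUSTOMER_SECRETS = {
    "venue-a": b"constructed-secret-for-venue-a",
    "venue-b": b"constructed-secret-for-venue-b",
}

# Constructed opt-out list of devices whose owners declined tracking.
OPTED_OUT = {"aa:bb:cc:dd:ee:ff"}


def hour_bucket(ts: datetime) -> str:
    """Label for the hourly report period a sample belongs to (UTC)."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H")


def derive_salt(customer_id: str, ts: datetime) -> bytes:
    """Salt for one customer and one hour: HMAC(customer secret, hour label).

    Changing the hour label changes the salt, so pseudonyms from different
    hours (or different customers) cannot be joined on the device.
    """
    return hmac.new(CUSTOMER_SECRETS[customer_id], hour_bucket(ts).encode(), hashlib.sha256).digest()


def pseudonymize_mac(customer_id: str, mac: str, ts: datetime) -> str:
    """Keyed hash of a normalized MAC address under the hour's salt."""
    salt = derive_salt(customer_id, ts)
    return hmac.new(salt, mac.lower().encode(), hashlib.sha256).hexdigest()


def ingest(customer_id: str, samples: list) -> dict:
    """Turn raw (mac, timestamp, rssi) samples into hourly unique-device counts.

    Opted-out devices are dropped before hashing; only pseudonyms are kept in
    memory, and only the aggregate survives the function, so the raw samples
    are discarded once the counts are computed.
    """
    seen = defaultdict(set)
    for mac, ts, _rssi in samples:
        if mac.lower() in OPTED_OUT:
            continue  # discard samples from users who opted out
        seen[hour_bucket(ts)].add(pseudonymize_mac(customer_id, mac, ts))
    return {hour: len(devices) for hour, devices in seen.items()}


# Constructed sample input: one device seen twice in the same hour and once in
# the next, a second device once, and an opted-out device that must not count.
UTC = timezone.utc
SAMPLES = [
    ("00:11:22:33:44:55", datetime(2018, 5, 25, 10, 5, tzinfo=UTC), -60),
    ("00:11:22:33:44:55", datetime(2018, 5, 25, 10, 40, tzinfo=UTC), -58),
    ("66:77:88:99:AA:BB", datetime(2018, 5, 25, 10, 50, tzinfo=UTC), -71),
    ("AA:BB:CC:DD:EE:FF", datetime(2018, 5, 25, 10, 55, tzinfo=UTC), -65),
    ("00:11:22:33:44:55", datetime(2018, 5, 25, 11, 2, tzinfo=UTC), -62),
]

if __name__ == "__main__":
    print(ingest("venue-a", SAMPLES))  # {'2018-05-25T10': 2, '2018-05-25T11': 1}
```

The aggregate keeps no MAC addresses, and because the salt is derived from a secret rather than stored alongside the data, the hourly pseudonyms are of no use to anyone who obtains only the reports. Note that the opt-out list itself still holds raw MAC addresses; it is the one place a raw identifier must be retained, and it deserves the same access controls as personal data.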
As a data controller, you also have the right to decide whether to collect this data, so as part of the upcoming update we’ll release an option that allows companies to choose whether to collect it.