If your restaurant is based in the European Economic Area (EEA), or serves customers located in the EEA, then you’ll need to be prepared for the EU’s new General Data Protection Regulation (GDPR) that will take effect from May 25, 2018.
What is the GDPR?
The GDPR is a new European privacy regulation that gives people stronger privacy protections and requires companies to change the way they collect personal data and obtain consent from users, with fines for those who don’t comply.
The GDPR applies to all companies that process the personal data of people located in the European Economic Area (EEA), wherever the company itself is based. Personal data is any information relating to an identified or identifiable person, including their name, email address, IP address, bank details, etc.
The GDPR applies from May 25, 2018.
What new rights do people get?
Under GDPR, people located in the EEA have the following rights:
- They can ask for a copy of the personal data a company holds about them (a “data subject” request).
- They can ask to have their data updated or corrected (a “data update” request).
- They can invoke their “right to be forgotten”, which means companies must delete their data, for example when they withdraw the consent on which the data was held.
What requirements are there for companies?
Companies that handle or own data for people located in the EEA need to:
- Ensure they only collect data if there’s a specific business purpose for it, rather than collecting extra information at the point of sign-up just in case.
- Respond to user “data subject”, “data update” and “right to be forgotten” requests free of charge (there are minor exceptions), normally within one month.
- Report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of it, and inform the affected people without undue delay where the breach is likely to put them at high risk. A data processor must notify the data controller without undue delay so the controller can meet these deadlines.
- Replace long terms and conditions filled with legalese with simple-to-digest consent requests.
The GDPR defines two roles for companies that handle customer data: the “data controller”, which decides why and how the data is processed, and the “data processor”, which processes it on the controller’s behalf. The requirements differ depending on your role in the data collection and handling process.
Mobi2Go is both a data controller (of data about the restaurants, our clients) and a data processor (of the restaurants’ customer data).
Restaurants collecting data on their customers, via Mobi2Go or any other digital system, are data controllers under the GDPR. Restaurants need to ensure that they are GDPR compliant across all of their digital systems.
How is Mobi2Go responding to the GDPR?
At Mobi2Go, we’re ensuring that our own operations will comply with the GDPR, and will be providing restaurants with the tools to help them comply with the GDPR. However, ultimately the restaurant itself is responsible for ensuring that their overall business complies with GDPR.
We believe in the sensible privacy and data protection that the GDPR is bringing, so the benefits will be available to restaurants and customers globally over time.
Here are the main things our team has been doing to ensure both Mobi2Go and the restaurants using Mobi2Go are ready to comply with GDPR.
We’ve made processes to meet your customers’ rights
Mobi2Go has always been respectful of your customers’ data, and asks for the minimum data required to fulfil their order (name, email, phone). By default, a customer must give explicit consent to opt in to your marketing, and their opt-in status is visible in your customer data.
We’ve long had an internal process to delete a restaurant’s customer from our database, and have now published how to request this, along with how to deal with the other customer requests you need to be able to fulfil:
- How to obtain data about a customer (a “data subject” request)
- How to update data about a customer (a “data update” request)
- How to delete a customer's data (a “right to be forgotten” request)
Our teams are planning the features needed for you to fulfil these requests from within the Mobi2Go admin in future, without first needing to contact our support team.
We’re reviewing our security
Trust and security are critical to Mobi2Go. We’ve already reviewed our incident response procedure for handling a data breach, including how we notify affected restaurants so they can meet their own reporting deadlines, and we’ll be publishing details of our product security.
We also have work underway to:
- Review our internal processes and training to ensure that only the right staff have access to customer data, and only at the level their role requires.
- Improve our admin and API logging so that every change to a restaurant’s setup and every access to customer data can be attributed to a specific user.
We’re working with our vendors / subprocessors
Mobi2Go uses many vendors to manage our business, including but not limited to:
- Amazon (our infrastructure is hosted by Amazon Web Services in Sydney)
- Google (our staff email, etc)
- Stripe (Mobi2Go Payments is built on top of Stripe)
- Zendesk (managing support tickets)
- Intercom (customer communication)
- Slack (internal and partner communication)
- Trello (internal task tracking)
We’re working with our vendors to understand their response to GDPR and are ensuring our data processing agreements with them are GDPR-ready.
We’ve also updated our internal data policy to ensure customer data is only held in those systems where absolutely necessary, and this is reflected in our internal process to delete a customer’s data. Our data policy will be reviewed regularly.
We’re working with our partners
Mobi2Go also integrates with many partners to make it easier to manage your restaurant, for example:
- POS systems
- Payment gateways
- Delivery systems
- Loyalty and Marketing systems
We’re having discussions with our partners to understand their response to GDPR, however it will ultimately be a restaurant’s responsibility to ensure that the systems they use alongside Mobi2Go are GDPR compliant (for example, your POS system and your marketing system).
Our Terms of Service will include a new Data Processing Addendum (DPA) that meets the GDPR’s requirements for data processors, including the Model Clauses that cover transferring personal data outside the EEA (our infrastructure is hosted in Sydney). We're aiming for this to be available to sign by May 18. If you’d like to sign the DPA, or if you have any questions regarding the GDPR, please get in touch with our team at firstname.lastname@example.org.