§ GDPR: Your main obligations as a WiFi hotspot operator

The clock is ticking and it is not long now until 25 May 2018. It is as yet still unclear as to how the new regulations and announced monitoring of compliance will be implemented. However, it is nonethless advisable to be prepared and make sure that your operations conform to the most important principles. As data traffic increases at the global level, instances of data theft and misuse are unlikely to decline so that any efforts made by lawmakers to increase awareness of the problems and assign more responsibility to businesses should therefore be welcomed. The GDPR has since become a major topic of interest in the media. Nonethless, an astonishing number of companies are still ill-prepared – if at all – for what is coming. We hear questions like these time after time:

“Does it really concern us? Do we need to do anything?” The answer is simple: YES.

Every enterprise – from small companies to large corporations – is affected because they now all process personal data.

The next questions, after this realisation has sunk in, are usually: “What is actually at issue here anyway?“ and “What do I need to do?” The brief summaries that follow will provide you with the necessary basic insights.

@Question#1

The objective of the General Data Protection Regulation (or GDPR) is to provide adequate protection to the security of personal data and to the private spheres of natural persons in this era of mass data processing and global data networks. The regulation actually came into force in 2016. We are currently passing through a transitional phase during which there will not be any systematic monitoring or penalties for violations. From 25 May on, however, organisations failing to comply with the regulation face fines of up to 4% of their global turnover.

@Question#2

Given these circumstances it is best we take another look at the major obligations imposed by the regulation:

• 1. ART 5/1B and 1C – DATA MINIMISATION: Prohibited is the collection of more data than that required for the adequate purposes for which it is being processed. For instance, if you offer restaurant guests free WiFi access it is not necessary to ask for their address data in this connection. However, if you are interested in finding out where your guests are from – which can be a completely legitimate interest for a restaurant owner to have – you are indeed entitled to pose the question, but your guests must divulge the information consciously and voluntarily (see section 3) and perhaps you should only ask them for their postcode.
  

  How can the Privacy Toolkit help me in this regard?

  The IACBOX can help you even without the kit as it makes possible registration methods based on a data minimisation concept in which a room number, ticket ID or other parameters that provide only limited links to a particular individual can be used for authentication purposes. The Privacy Toolkit does even more as it can document all logins – including those made through external systems (see the obligations in section 4) – and also issues warnings when settings critical to data protection are configured.

• 2. ART 5/1E – STORAGE LIMITATION: Data may not be stored for longer than is necessary for the purposes for which the data is being processed or than is necessary to meet legal requirements.
  

  How can the IACBOX help me in this regard?

  The IACBOX provides support in the form of configurable anonymisation and deletion options. Although anonymised data is no longer personal and could theoretically be stored for an infinite period of time, data that you no longer need is ultimately just ballast, so why not simply get rid of it? The Privacy Toolkit also warns you if you have defined critical retention periods. Of course, you may well have good reasons for longer retention periods, which is why you have the option of disabling such warnings.

• 3. ART 5/1A – LAWFUL, FAIR AND TRANSPARENT DATA PROCESSING: Data subjects have a right to know what their data is being used for and must be able to rely on the fact that it will not be used for other purposes. This is why coupling of information is prohibited. Collected data may only be used for the agreed purpose – for example, to allow restaurant guests to use the in-house WiFi. Hence, the coupling of the provision of WiFi access to a compulsory subscription to a newsletter is no longer permitted. You are naturally permitted to invite your guests to subscribe – but you will need to do so separately and in an obvious manner.
  

  How can the IACBOX help me in this regard?

  The Login API of the IACBOX supports the inclusion of CRM or mailing software so you could include a small newsletter subscription option in the form of an extra checkbox on your registration page to enable users to confirm they wish to subscribe. IMPORTANT: Every processing activity of this nature must be justified and documented – see section 4. The Privacy Toolkit helps you in this regard by storing the necessary records and explanations in the dynamically generated data processing register.

• 4. ART 5/2 and 30 – ACCOUNTABILITY AND RECORDS: The GDPR requires that everyone dealing with personal data must maintain records of the processing of this data and be able to demonstrate that the corresponding processing activities conform to legal requirements. Hence, they must document in a data processing register which categories of data are collected from which categories of person and how the data is processed. Are you processing the data in-house or is the task outsourced to a service provider? Is data transferred to a country outside of the EU? If so, does the destination country provide a level of data protection equivalent to that in the EU? This is perhaps the most problematic aspect because even if you outsource processing or use a Cloud service provider you are still held responsible for ensuring legal compliance with regard to what happens to any data obtained from subjects.
  

  How can the Privacy Toolkit help me in this regard?

  You can create a dynamically generated data processing register with the new Privacy Toolkit for the IACBOX. The IACBOX checks which registration methods and data fields are in use and generates an individual register as a PDF with a date and time stamp. You can print out and file the PDF register as often as you like; whether you do so after every change or only as and when needed is completely up to you. If your IACBOX is connected via a Login API to a PMS, CRM, database or other backend, you can make use of freely editable text modules where you can record what happens to the data during the course of the connection – a convenient and reliable method of meeting your obligation to record data processing activities. A data processing agreement template is even provided so that you can send this for signing to your external data processing provider to ensure that both they and you conform to data protection requirements.

• 5. ART 5/1F and 28 – INTEGRITY AND CONFIDENTIALITY: You must ensure appropriate security of data and also ensure that it cannot be tampered with. But how do you do that? What if hackers launch a malicious attack? Don’t worry; even government websites are not immune to this sort of thing and it would be hardly fair if the GDPR were to impose more stringent requirements on you. However, you are required to put appropriate technical or organisational measures in place that provide adequate protection of your customers’ data. The GDPR does not spell out in so many words what these required ‘measures’ are. However, you can be certain that you will be at least be expected to have a valid SSL certificate for your data-collecting website and to conclude instruction and confidentiality agreements with your personnel who come into contact with the corresponding data.
  

  How can the IACBOX and Privacy Toolkit help me in this regard?

  The IACBOX and Privacy Toolkit will do quite a lot for you as the maintenance of records will no longer be simply a requirement but will become absolutely essential to demonstrate that you are meeting your legal obligations. Firstly, your IACBOX’s own SSL certificate is always kept up to date so that you can rest assured you are not in violation of basic requirements. Secondly, the IACBOX logs every data access activity undertaken by your admin users to ensure they are documented and traceable. You can also use the Privacy Toolkit to display a confidentiality agreement to every admin user that these users must agree to before continuing their work. Instructions and confidentiality agreements are provided in PDF form so that these can be printed out and signed, as it is a data processing agreement, a full text version of the GDPR for reference purposes as well as a template of a form that can be used to report data breaches and a list of the relevant supervisory authorities.

• 6. ART 12, 13 and 15 – INFORMATION AND RIGHT OF ACCESS: You are obligated to provide information at any time to data subjects whose data you process. This information and your data privacy policy must be written in clearly comprehensible language and include a contact option for data subjects.
  

  How can the IACBOX and Privacy Toolkit help me in this regard?

  The IACBOX requires you to provide appropriate contact information in the data privacy policy text to be displayed on your registration page. The included policy text is worded in clearly comprehensible language. You can enter your own customised text, but please remember to include the contact option. The Privacy Toolkit enables you to respond to a request for information by sending the dynamically generated report to the person requesting information. The report details exactly how data are processed, with deletion periods clearly depicted. If the deletion option in the data privacy, both with and without the Privacy Toolkit, are set within reasionable limits (default is 6 month anonymization and 1 year deletion) this should be sufficient. However, please be aware that if you are using backends, data may also have been processed here additionally, in which case you will need to supplement the report accordingly.

We assume that the ‘special categories of data’ specified in GDPR Art 9/1, i.e. data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or health, will not normally be processed using the IACBOX. This is in fact generally prohibited, except in the justified circumstances set out in Art 9/2, where, for example, processing is necessary in order to protect the vital interests of the data subject. In such cases, a data protection impact assessment as specified in Art. 35 must be prepared. And the Privacy Toolkit will generally help you to understand the obligations faced by every data processor – even if only to make you aware of the unpleasant consequences that negligence with regard to data security can engender irrespective of whether you are operating a WiFi hotspot or not

Would you like to order your Privacy Toolkit now? Please contact your local IACBOX partner.