Taking an open approach to GDPR compliance challenges
Do you know your controllers from your sub-processors? When is a data subject also a controller? GDPR introduced a whole new world of terminology for many, and we’re working on getting our part of it right. Here’s a primer on understanding the important world of Data Protection.
The General Data Protection Regulation (GDPR) has been a fact of life for every business with customers in the European Union or the UK since 2018.
But as the team here at YouCanBook.me has learned in a number of areas of our business, there is nothing about data protection that can be considered “set it and forget it”.
The GDPR sets out guidelines that businesses must follow when collecting and processing personal information from individuals who are located in the European Union or the UK.
As with so many other businesses, four years ago, we spent a huge amount of time and energy not only on meeting the letter of the law, but also ensuring that our whole organization understands and lives the spirit of that law.
We know what it’s like when a company makes you dig for information about how your data is handled, and we don’t want to treat our customers that way.
So we created a Data Protection Agreement (DPA) that covered everything you needed to know about how we handle and treat your data and all the organizations that we work with in order to provide you with the service you love.
A few years later, and with the added wrinkle of the UK leaving the European Union and the changes to GDPR that came with it, we carried out a full review of all our terms, privacy notice, and data processing agreement, including a review of our data processors.
What became apparent was that what was intended as a clear and transparent description of our processors was actually more confusing.
Because we were listing both our processors (where we are the controller) and our sub-processors (where we are the processor), it wasn’t clear or transparent to our Account Holders what sub-processors are actually involved when they set up booking pages and receive bookings.
So in the spirit of living three of our company values, Commitment to Excellence, Confidence in Transparency, and Simple is Beautiful, we changed it!
And not only that.
Today we’re going even further to give you a complete Data Processing tutorial. You’ll find everything you need to understand Controllers, Processors, and Sub-processors. You’re going to be such a hit at that party next weekend! 😉
Who is in control?
Software as a Service (SaaS) companies like YouCanBook.me will often use other businesses in order to provide their service. For example, we use Amazon Web Services to host our servers.
These services, or sub-processors, need to be listed in Data Processing Agreements between a data controller and a data processor as required by the EU GDPR and UK GDPR.
But what is a sub-processor?
And does it include the services a business uses to run, like Microsoft or Google for calendars and mailboxes, development tools, support systems, or accountancy software?
It can get very complicated very quickly trying to explain and understand who is in control of what data, but it is also very important, not only for Data Processing Agreements but also for data management and data security.
We make sure we know exactly what happens with the data we process, but we also want to make sure our Account Holders know. After all, they are in control of that data.
So to try and make it transparent we mapped it out to show how data flows, who is in control of what data, and who is involved in the processing.
Processors and Controllers
An Account Holder (in this case a data subject) sets up an account with YouCanBook.me (in this case the controller) to simplify their scheduling. They give YCBM certain data about themselves to set up their account, like their name and email address.
Bookers (also a data subject) schedule a meeting with a YouCanBook.me Account Holder via the Account Holder's YouCanBook.me booking page. They might give data like their name, email address, or account number.
YouCanBook.me (here the controller) holds and uses personal data about the Account Holder (the data subject) to run the Account Holder's booking page(s). This could be their account email address or calendar information.
BUT YouCanBook.me (as a processor) also processes the Booker's (the data subject) personal data in order to schedule bookings in the Account Holder's calendar and send out email or SMS notifications.
And in that case, the Account Holder becomes the controller. They control what personal data is collected about their Bookers (data subjects) and instruct YouCanBook.me (the processor) on what to process and how to process the Booker's personal data.
So when is a Processor a Sub-processor?
A sub-processor is a third-party company that also processes personal data. In some cases, the same company can also be a processor, depending on who the controller is.
For example, YouCanBook.me (the controller) uses AWS, Twilio and Postmark (the processors) to run the YouCanBook.me service for Account Holders. In this case, it might be hosting your booking page on AWS, or sending you an email about your subscription renewal via Postmark.
But when it comes to your Booker’s data, YouCanBook.me becomes the processor (because you are the controller of that data).
And it uses those same third-party companies as sub-processors to process bookings made by Bookers (the data subject) via the Account Holder's (the controller) booking page(s):
- Data is hosted on AWS,
- SMS notifications to Bookers are sent via Twilio,
- and email confirmations and reminders are sent via Postmark.
Data Processing Agreements
The data processing agreement (DPA) YouCanBook.me has with Account Holders is a legally binding document that regulates how we will securely and compliantly process their Bookers' personal data, including the scope and purpose of the processing, as well as the relationship between the controller and the processor and any sub-processors involved, as required by Article 28(3) of the GDPR.
YouCanBook.me Account Holders may use YouCanBook.me as part of the service they are delivering to their Bookers, in which case YouCanBook.me is a sub-processor for the Account Holder's service. As an Account Holder, you may want to detail that information in a DPA that you provide for your own customers.
Why did we update our sub-processors list?
As you can tell, who is the controller of the data determines who is a sub-processor.
When we first listed all of our sub-processors we wanted to be really clear on every service we used as a business that may process personal information.
Not all of these services are needed for the YouCanBook.me service (the booking pages) to run but are used by the Team at YouCanBook.me to help the business run.
So our sub-processors list was a bit of a mash-up and we heard from many of you that it wasn’t entirely clear.
So we changed it! It is now much simpler to see which party is involved, what data they process, and, importantly, how long they keep it.
We also added in Processors in Common which are businesses that we operate with on your behalf.
A good way to think about this is that for processors and sub-processors, we decide who to use.
But for Processors in Common, you decide who you want to work with (Google or Microsoft, Zoom or Hangouts).
We don’t want to make GDPR any more confusing than it already is; recent feedback on our changes has made us hopeful we have helped even a little bit in making GDPR a bit less confusing!
We always welcome feedback. If you have any comments, suggestions, or questions about our privacy notice, our terms and conditions, or our sub-processors, please get in touch.
Charlie is YouCanBookMe’s Compliance Manager with over a decade of experience in compliance, specializing in ISO 27001 and Data Protection. She loves a good sense of humor, and garlic is her secret weapon to make everything taste good. In her free time, she’s learning how to grow her own vegetables (somewhat successfully!) and learning to play the guitar with her son.