How we ‘do’ GDPR at Teebly

By Phillipe Koenig

It’s the 25th of May, GDPR is officially here and thus it’s time for a Teebly GDPR update. But not one of those asking you whether you’d like to re-opt in, “stay in touch” or “review our privacy statement”. Rather, we want to give you a look under our hood to illustrate how we handle consent management, data transfer- and deletion requests at Teebly. We’ll also highlight some of our features to show how we make data sharing and consent next-level transparent for the companies and consumers using our platform to interact with each other.

Like other B2B2C companies, Teebly plays two roles: that of data processor as well as data controller. To illustrate, our product is a smart communications platform facilitating fast and secure interactions between high-trust companies and their customers. Hence we have to think for both our customers (companies) and their clients (consumers) when it comes to GDPR compliance. But as they’re all people in the end, ease of use and security-by-design are priorities.

Here’s how we do it.

Transparent on-boarding 🔍

It all starts the first time a client uses Teebly (a client is the ‘C’ in B2B2C — basically, our customers’ client, or end-user). We assume that he or she has never heard of us before, so we treat this opportunity not just as a marketing touch-point but mostly as a chance to build the foundation for a trusting relationship. Towards us, and towards the companies that invited them to communicate via Teebly.

It’s at this point where we fully explain what data we hold as Teebly, what we do with it, and why it’s necessary for the functioning of our platform. Then, we explain the main points of our privacy policy in plain English. A seemingly straightforward but often still poorly implemented fact is that informing clients upfront is key to build trust from the get-go. Remember all these emails simply stating “We’ve updated our privacy policy”, without telling you what they actually changed? So do we. And that’s why we wanted to do things a bit differently. So apart from being fully transparent in what we’ll do with users’ data, we also found that explaining what you won’t do with it is often well received (it removes certain objections). Finally, we offer a direct contact to our internal data protection officer in case any questions arise as well as to add a human touch to all this text.

Teebly’s on-boarding process is designed to inform users and give control over consent.

After our users filled in the basics, we explain what data is visible to the company they connect with on Teebly. They can fully control their data input and consent at this point and in the future via their privacy centre. We realise that this is not super revolutionary in itself, but at the same time see that very few companies actually offer this level of control. So, worth a mention.

In this same consent centre, we also give companies the chance to get additional opt-ins for sharing data with third parties, profiling or for newsletters via email. In a future release, companies can also list where data will be stored outside of Teebly, so that with one quick simple step their clients can start their digital communications-relationship fully informed whilst managing their consent at will.

More than just a marketing opportunity, opt-ins are about building a foundation of trust.

People just want to understand what data a company collects and what it’s going to do with it — at any time. That’s why we made those settings super simple and accessible in our privacy centre. And since one person can use Teebly to interact with multiple companies, we thought one overview to rule them all would be useful.

Teebly’s consent management console allows clients to control in detail what personal data each company can see and use.

Users can now, at any time, opt-in or out like a 👑. In the background, Teebly notifies the company so they can take action accordingly (in their internal processes, that is).

For their privacy policies and T&Cs, companies can either pick-and-choose from our pre-defined, most common policy types or define and define and link their own. In the future, companies will also be able to add web-hooks to their e.g. newsletter system to revoke/unsubscribe people directly.

Data inventories, transfers and deletions

GDPR is meant to give consumers control over their data, and companies an opportunity to build trust. One way to facilitate this is that consumers can request to see all the data a company holds on them, and get it transferred or deleted. At any time. The company has to adhere within 30 days.

In the past, companies could charge up to £50 (in the UK) to handle such requests. GDPR dictates that all these requests now need to be fulfilled free of charge. So, companies with automated or semi-automated solutions and processes have a clear advantage, as they save time on every request. But at the basis of such solutions is a solid data inventory system. For clarification: a data inventory is an exact overview of what data is held on which client and where. A solid data inventory is one that is complete and leaves no room for error. Having one in place makes dealing with a transfer/deletion request a lot faster.

Easy, eh?

Unfortunately, in most companies “things” (data) are scattered across a dozen systems. Read about it in our previous blog. But even if companies do have their data organised in a central place, data transfer/deletion requests can be complicated. We learned that many consumers don’t simply want all data exported/deleted— they want to pick and choose. Now, if you’d have to process that manually for each request, the time waste is considerable.

So on our quest to limit time waste, we spoke to many consumers and companies to understand how we could design the best possible interface. For the consumer, it should be as easy has hitting enter, not hopping through privacy policies, email back and forth and getting lost in translation. Hence, as stated above, we first thought that simply giving our users the option to (request to) delete everything would be good enough. But things are never that straight forward, are they? As talks went on, we collected more and more edge-cases— so many in fact, that they became normality.
Some voices we heard from consumers:

Businesses also had their requests:

The above examples show the variety of use-cases we, and every company, has to design for. We realised that if we really wanted this to be good, we’d have to build in a high level of granularity — whilst keeping things simple. We believe we came up with quite an ingenious solution.

“Please forget everything you know about me” in practice

As happens very often, we found inspiration in our past. More specifically, in when we built Management Information Systems (MIS) for enterprises, which allowed decision makers to slice-and-dice through heaps of information, extract some of it, build subqueries and delete sub-sets from bigger sets. See where we’re going with that?

So for once, enterprise inspires startup - kind of. But well, it ain’t stupid if it works, is what our uncle used to say. 🧐

So this is what we built:

Teebly users can easily see, export and delete data we hold about them. Down to the single message.

When requesting a data transfer, Teebly users can filter by the company they interacted with, the type of information exchanged, date ranges and other specifics.

The deletion process works the same, with the slight difference that we notify the company about the deletion request and ask them to confirm that they have deleted the respective data on their end. They are also asked to select which of the documents and messages are required to be archived by law. We’ll explain a bit more in detail how we handle PII deletion in another post in the future.

In conclusion, the Teebly platform now includes a simple, hassle-free and (almost) fully automated solution for clients to manage their data. It covers the new regulations’ right of information, right to be forgotten, transfer of data and consent management. Uncomplicated and straightforward for companies and their clients, as it should be in the 21st century. If you’d like to see more of where that came from, go to teebly.co. We also give demos!

Thoughts?

We’d ❤️ to hear what you think about this. We’re always looking to learn and improve, and are curious what your experiences are with designing for GDPR. What are you facing when it comes to interface and data structure design, and how did you implement the use cases mentioned? Find us in the comments or via teebly.co — we’re always up for a good discussion.

Thanks for reading!

The Teebly Team.

P.S. If you know someone who would benefit from reading this, please do forward!

Do you have questions about GDPR in your firm? Drop us a message at contact@teebly.co or via www.teebly.co. We’d love to have a chat.