Q&A: GDPR & Coworking

A deep-dive into getting compliant and protecting the privacy of EU consumers.


Sick and tired of the abundance of conflicting information about GDPR and what you actually need to do?

So are we! That is why we brought in some of our legal partners from Linkilaw to do a deep-dive into the topic as the very first included Q&A, on “GDPR and Coworking Communities”.

So without further ado, you can pop your questions in the form below, one at a time, and soon you’ll be sharing answers from the awesome and dedicated GDPR department at Linkilaw.

  • Panicking? Don’t!

    Linkilaw also offer an exclusive discount on their GDPR Compliance Pack through included.co.







  • Some of the first questions will be answered in Coworking Assembly’s interactive webinar in the week commencing 21st of May, but all the publicly shareable answers will be made available in the Q&A section on our platform in the following days.

    To make sure you don’t miss any answers, follow @includedco on Twitter.





I have two questions:
a) I run a fairly basic website for my coworking space. It has a newsletter subscription button that adds users’ emails to our Mailchimp. We also accept CC payments via Stripe. Is the onus then not on Mailchimp and Stripe to let the user know about GDPR since they’re the ones processing the data?
b) We do save our coworkers’ billing addresses for non-CC payments in a file on the cloud, but don’t “process” it in any other way. Do the coworkers need to agree to this upon signing up?
Thanks!

John

  • There’s one misconception in both of your questions, and that’s to do with the word “processing.” Processing has a much broader meaning under the GDPR than it does in day-to-day language. If you use someone’s information in your business in any way—even something as simple as storing their email address in your contacts—you’re “processing” it (legally speaking).
    So, to answer your first question, the onus is still on you to let users know about GDPR, because you’re still using the information that Mailchimp and Stripe collect. Actually, you have even more responsibility to do so, because you control the fact that Mailchimp and Stripe are processing data from your site. As for your second question, saving billing addresses counts as “processing,” but you don’t need explicit consent for that because you need the information to fulfill your contract with them (which makes the processing legal without their consent).

     

    Gillian Fishman from Linkilaw


With regards to data breaches, is our coworking space liable in any way for bugs/worms/viruses/trojans/etc. spread across our network? Is there anything we should be looking at (from a legal perspective) to cover any liability here?

Anonymous

  • A coworking space would be considered a “Data Controller,” which means it’s your responsibility to evaluate the severity of breaches and determine when it’s legally required to report them to the ICO and to your clients (or others you collect data from). The GDPR requires you to have a data breach process in place, and you should include severity evaluation and reporting mechanisms in that process. You should also contractually limit your liability to your users for viruses (in a Website Terms & Conditions, for example—which Linkilaw offers, by the way!).

     

    Gillian Fishman from Linkilaw


Our coworking space uses a specific space/community management software, what kind of details do we need from them to make sure we’re compliant and how/when do we tell our members about this?

Anonymous

  • The GDPR requires you to get “assurances” from third parties that they are also GDPR-compliant. You should have a written record that contains information on their data processing, protection and deletion practices. You should inform your members about this (and any other third parties you use) in your Privacy Policy.

     

    Gillian Fishman from Linkilaw


My coworking space is in the United States, but we sometimes have customers from European businesses stay with us.

Do I need to create any specific terms of service or protocol just for these customers?

(Oh and is GDPR even enforceable here in the US?!)

Anonymous

  • Instead of having separate terms for these customers, my recommendation would be to make all of your terms GDPR-compliant (so you don’t have to have two sets of everything floating about).

    The question of enforcement in the U.S. is a complicated one.
    The GDPR theoretically applies to any business that handles an EU citizen’s data. The EU and the US have agreements in place about how enforcement will work for US companies, but we’ll learn a lot more about how that’s going to work when enforcement in the US actually begins to happen. My advice is to assume that the GDPR applies to you—let someone else be the guinea pig!

     

     

    Gillian Fishman from Linkilaw


My website has a contact form, which saves a user’s data to my WordPress site on my web hosting, and then sends me their details on my Gmail, from where I’ll reply to them.

What falls under my GDPR obligations?

My server? The contact form plugin? The database? Gmail’s servers?

help!?

Anonymous

  • All of the above. Any mechanism for collecting, storing, or using personal information falls under the GDPR. You’ll want to have a Privacy Policy in place that explains how all of these systems work to your users, and you need a variety of internal documentation and processes about your data use (such as a data breach process, data deletion process, etc.).

     

    Gillian Fishman from Linkilaw


I have a small coworking space and the vast majority of data and processes are just on my personal computer in spreadsheets, and in apps like Trello, Mailchimp and mail. As I have GDPR emails from most of these companies, am I covered?

Anonymous

  • No! Even storing or using client information on your personal computer is considered “processing” under the GDPR, which means you need all of the compliant processes and documents in place. Do keep track of the new Privacy Policies etc. from the apps you mentioned, though—documenting that third parties you use are GDPR compliant is required.

     

     

    Gillian Fishman from Linkilaw


