September 12, 2018 | Scott Hines
Part II of our series on New Privacy Laws: GDPR and CCPA
We've already discussed whether or not your field service company is ready for the new privacy laws. If you're not, the next question is: what do I need to do? To comply with these new consumer privacy laws, there are 6 key steps to complete:
1. Update Corporate Privacy Policies
2. Data Mapping
This can be a tricky process, but you’ll want to start by taking an “inventory” of your data. Make a list of all your applications that store data about individuals and include how the data is used, stored, and shared. If you’re working with a cloud software platform provider like AgileField, they should be able to provide you with a starting map for the Personal Information (PI) in their platform.
This data mapping exercise not only identifies which of the data you store actually belongs to individuals, it also lets you offer your customers the ability to review their data. For example, your customers may be happy to allow you to use their address data to schedule jobs, but they may not allow you to use their job service history to promote new services. If you don’t group your data properly you won’t be able to give your customers choices about which data they will allow you to use.
For your field service company, at a minimum, we recommend the following data groups:
- Contact Information - Any information related to making contact with a customer: name, addresses, phone numbers, emails, etc. Employees, partners, and vendors also fall into this category.
- Service History - Information related to the jobs and services you provide your customer: job dates, locations, activities and tasks, equipment serviced, inventory used, technicians assigned, etc.
- Trade Specific - Information related to the specific industry you service. This includes data like measurements taken in the field, equipment information, inventory attributes, etc.
- Exempt - In certain cases, personal data that you store may be exempt from these privacy laws. For example, data collected more than 12 months before the CCPA law went into effect is exempt from CCPA. You want to group this data separately so that you can keep it out of scope of your compliance practices.
One of the key concepts of the CCPA is that you must make it easy for individuals to understand your privacy policies, what data you store, and for what purpose you use it. This means that not only do you have to publish your policies, you also have to make sure that any representatives of your business who are likely to interact with the public can clearly explain your privacy policies and the services you offer to support individuals’ privacy rights.
4. Subject Access Requests
The Subject Access Request, or SAR as it is called in the industry, is the process an individual goes through to exercise their privacy rights under GDPR or CCPA. When an individual makes a Subject Access Request they are asking to see the data that you store and to understand how it’s used, and they may then require you to change, delete, or transfer the data. The number of SARs you will receive depends on how frequently you engage with individuals, how much data you store on them, and what you use it for. You may even receive some SARs from individuals who are disgruntled customers, employees, or individuals seeking a claim against your company.
There are a few key issues you must be aware of when handling a Subject Access Request:
- Time Limit - If you receive a SAR from an individual, don’t ignore it. Both GDPR and CCPA require that you respond to the SAR within a fairly short period of time: 72 hours for GDPR and 40 days for the most recent version of CCPA. Failure to respond to a SAR can lead to financial penalties, enforcement action, legal proceedings and reputational damage.
- Anti-Discrimination - You can’t do things that discriminate against individuals who submit Subject Access Requests. For example, you can’t charge them different prices, you can’t deny them service, you can’t deny them employment, etc. You have to treat them exactly like individuals who don’t submit SARs.
- Understandable - You have to provide the data in a format that is understandable to a lay person.
- Redact Other Individuals - Sometimes the SAR may request information that covers both the subject of the SAR and other individuals. An example of this could be a photo taken at a job site that shows two individuals. If one of those individuals submits a SAR, you may be required to provide access to information that contains personal information about the other. If this is the case, you must redact the personal information of any individuals who are not the subject of the SAR.
- Pro Tip: Train your field technicians to take photos of the job site that do NOT include people. Try to include only the equipment related to the job whenever possible.
5. Audit Log
One of the most challenging aspects of GDPR and CCPA is that they both require you to create evidence showing that you complied with the regulations. Most field service companies can probably handle this audit log on paper, with signatures and dates showing that the evidence was logged in a timely manner. If you receive more than a small number of SARs, you may want to evaluate a privacy compliance platform like GDPREdge.
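The data mapping, per-purpose consent, SAR redaction and audit log steps described in sections 2, 4 and 5 fit together in one small program. The following is an added example written for this post; it is not AgileField's or GDPREdge's code. The applications in the data map, the two individuals, the records, the consent choices and the response windows (taken from the figures stated above) are all constructed sample values, and the audit log is a hash-chained list so that a dated entry cannot be altered later without detection.

```python
"""Added example (not AgileField's or GDPREdge's code): a data map with purpose-based
consent, a SAR export that redacts other individuals, and a hash-chained audit log entry.
All application names, ids, people and records below are constructed sample data."""
from copy import deepcopy
from datetime import datetime, timedelta, timezone
import hashlib
import json

# The four data groups recommended in the post. Each application is tagged with one.
CONTACT, SERVICE_HISTORY, TRADE_SPECIFIC, EXEMPT = (
    "Contact Information", "Service History", "Trade Specific", "Exempt")

# Constructed inventory: application -> data group and the purposes it is used for.
DATA_MAP = {
    "crm": {"group": CONTACT, "purposes": {"scheduling", "marketing"}},
    "work_orders": {"group": SERVICE_HISTORY, "purposes": {"scheduling", "marketing"}},
    "field_notes": {"group": TRADE_SPECIFIC, "purposes": {"service_delivery"}},
    "pre_2018_archive": {"group": EXEMPT, "purposes": set()},
}

# Response windows as stated in the post (hypothetical defaults; confirm with your counsel).
DEADLINES = {"GDPR": timedelta(hours=72), "CCPA": timedelta(days=40)}

# Constructed directory of individuals' contact details (the PI to redact for non-subjects).
DIRECTORY = {
    "cust-100": {"name": "Alice Example", "email": "alice@example.test", "phone": "555-0100"},
    "tech-7": {"name": "Bob Technician", "email": "bob@example.test", "phone": "555-0107"},
}

# Constructed records: each names the application it lives in and the individual it is about.
RECORDS = [
    {"source": "crm", "subject": "cust-100", "fields": dict(DIRECTORY["cust-100"])},
    {"source": "work_orders", "subject": "cust-100",
     "fields": {"job_date": "2018-08-02", "site": "12 Main St", "technician": "Bob Technician",
                "notes": "Alice Example requested a callback from Bob Technician at 555-0107"}},
    {"source": "field_notes", "subject": "cust-100", "fields": {"unit": "AC-2", "pressure_psi": 118}},
    {"source": "pre_2018_archive", "subject": "cust-100", "fields": {"old_address": "1 Old Rd"}},
]


def may_use(subject, app, purpose, consent):
    """A use is allowed only if the app is mapped to that purpose AND the subject consented to it."""
    return purpose in DATA_MAP[app]["purposes"] and purpose in consent.get(subject, set())


def redact_others(fields, subject):
    """Return a copy of the record with other individuals' contact details replaced by a marker."""
    out = deepcopy(fields)
    for person, details in DIRECTORY.items():
        if person == subject:
            continue
        for value in details.values():
            for key, v in out.items():
                if isinstance(v, str) and value in v:
                    out[key] = v.replace(value, "[REDACTED]")
    return out


def response_deadline(received_at, regime):
    """Latest completion time for a SAR under the given regime."""
    return received_at + DEADLINES[regime]


def build_sar_export(subject, consent):
    """Group the subject's in-scope data by the post's data groups, with plain field names."""
    export = {"subject": subject, "data_groups": {}, "permitted_uses": {}, "exempt_records": 0}
    for rec in RECORDS:
        if rec["subject"] != subject:
            continue
        app = rec["source"]
        group = DATA_MAP[app]["group"]
        if group == EXEMPT:            # counted, but kept out of the export and out of scope
            export["exempt_records"] += 1
            continue
        export["data_groups"].setdefault(group, []).append(
            {"stored_in": app, **redact_others(rec["fields"], subject)})
        export["permitted_uses"][app] = sorted(
            p for p in DATA_MAP[app]["purposes"] if may_use(subject, app, p, consent))
    return export


def log_sar_event(audit_log, subject, regime, received_at, export, completed_at):
    """Append a dated, hash-chained entry: evidence of what was sent and whether it was on time."""
    digest = hashlib.sha256(json.dumps(export, sort_keys=True).encode()).hexdigest()
    prev = audit_log[-1]["entry_hash"] if audit_log else ""
    entry = {"subject": subject, "regime": regime, "received_at": received_at.isoformat(),
             "completed_at": completed_at.isoformat(),
             "on_time": completed_at <= response_deadline(received_at, regime),
             "export_sha256": digest, "prev_hash": prev}
    entry["entry_hash"] = hashlib.sha256(
        (prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
    audit_log.append(entry)
    return entry


if __name__ == "__main__":
    consent = {"cust-100": {"scheduling", "service_delivery"}}  # Alice declined marketing
    received = datetime(2018, 9, 12, 9, 0, tzinfo=timezone.utc)
    export = build_sar_export("cust-100", consent)
    log = []
    entry = log_sar_event(log, "cust-100", "GDPR", received, export, received + timedelta(days=1))
    print(json.dumps(export, indent=2))
    print("responded on time:", entry["on_time"])
```

The export keeps Alice's own details intact but strips Bob's name and phone number from the work order, because Bob is not the subject of the request; the exempt archive record is counted but never leaves the system, which is exactly what the "Exempt" group is for. The `permitted_uses` section is what lets a lay reader see, per application, which purposes they have actually agreed to.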
Getting your field service company ready to comply with these new privacy laws seems like a lot of work. There is a lot of information to learn, understand, and implement, but there are ways to make complying with these laws a competitive advantage for your business.
To learn more about how AgileField can keep your business compliant, please request a demo to speak with one of our product consultants.