The European Data Protection Regulation will be applicable as of May 25th 2018 in all member states to harmonize data privacy laws across Europe. The main questions: are the Vik extensions compliant with this new law? What actions should be taken in order to be compliant?

 

The European Data Protection Regulation will be applicable as of May 25th 2018 in all member states. It primarily aims to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The strict data protection compliance regime may apply severe penalties to those European companies who do not respect the regulation. This is what put on the alert many companies.

A lot of our clients have asked the question "is my Vik extension compliant with the new GDPR?". Well, this is the wrong question because there is really not a "compliant" or "non-compliant" software. It's all related to the use you make of the software. However, a software should allow the organization (who uses it) to fulfill the requirements of the GDPR. There can't be a software compliant to the GDPR because the organization could make it "non-compliant".
Who needs to comply with the EU GDPR is the Data Controller, so the organization that uses the software to collect the data from their customers, through the use of the software (Data Processor). All Data Processors (the software) are in the context of the GDPR, but so are also the Data Controllers (the organization who uses the software).

That being said, all the Vik extensions allow organizations to fulfill the requirements of EU GDPR. The Vik extensions are already "compliant", even though we said that we should NOT use this adjective for a software that acts as the Data Processor. We should rather say that the Vik extensions support the EU GDPR requirements.
However, it is necessary for the organizations to configure the software in the right way, as well as to set up some articles and contents on your own website, through the use of native functions of your CMS, to fulfill all the requirements and become COMPLIANT with the GDPR. No third party extensions are needed in this case, for no reasons.

The GDPR focuses on some main points that every European organization should fulfill:

1. Data Protection Officer (DPO)

This role must be covered by either someone inside or outside the company. It is expected to be someone proficient at managing data security. The DPO is responsible of the data protection.

2. Types of Data Collection and Permissioning

The data you collect through the processor (software) must be explicitly described in your website Terms of Service and Privacy Policy articles. If you do not have a Terms of Service with connections to the Privacy Policy and how you treat the data collected, then you should definitely prepare, write and publish on your own website such articles.
If by the use of the Data Processor (software) you collect specific details from your customers, then you are expected to be given the permission from your clients to do so. In all the Vik extensions, you should check the configuration of the "Custom Fields", as that's how you control which data to process and collect.
The GDPR encourages to collect the minimum necessary details from your clients, to lower the number of explanations you should give to your clients. You are expected to always explain the reasons why you need this data, how you collect it, for which purpose, and what you do with it.
If you have been collecting particular details from your clients, for which you were not given the permission before by your clients, maybe because the use and reasons for collecting this data were not explained on any mandatory-to-accept Terms of your website, then you are supposed to request the permission to your clients within May 25th. This operation is called "re-permissioning". Otherwise, you should probably delete these "un-authorized" details you've been collected. The functions available in the administrator section of all the Vik extensions will let you remove or modify data.

3. Terms of Service and Privacy Policy

As also discussed in the point above, your website must have (at least) an article that explains the Terms of Service (Terms and Conditions/Terms of Use) for your website, and another article that explains your organization's Privacy Policy. More precisely, you need to be transparent with your clients by explaining: what kind of data you collect and how, why you need this data and for which purposes, how you use the data collected, how you protect the data, whether you share it with third parties. Moreover: describe the use of the cookies on your website, and how your clients can review, modify or cancel their data.
Every time you collect, process and store data from your clients, you must let them read and accept your policies. Your clients must be aware of anything you do with their details. You can do this by creating "Custom Fields" of type "Checkbox" from your Vik extension.

4. Data Review, Modification and Cancellation

With the new General Data Protection Regulation, customers can request to the Data Controller (the organization) to review, modify or cancel their personal details. Such requests must be fulfilled within 30 days from the request. Therefore, we strongly recommend to publish a Contact Form on your own website to let the customers send a message to view their details, to request a modification or to request the cancellation of their details. If this becomes the method to let your clients view, modify and cancel their data, you should explain it in your Terms of Service and/or Privacy Policy, or in any other parts of your website you retain necessary.

So long as your organization can fulfill the requirements above, you support the new data regulation rules described by the GDPR. In case of doubts, we suggest to talk to an expert.
However, remember that if you are transparent to your clients in charge of the Data Controller, not much will change for your company after May 25th 2018. Those organization that were used to share details with third parties will have to request an explicit permission from their clients.

Most of our clients who use the Vik extensions are not in particular situations for data collection as Data Controllers. They simply collect details to save reservations in their system. If that's your situation, then just follow our guidelines above and you will be fine.