Mono & GDPR

The Mono Platform provides all the functionality to make it easy and convenient for your SMB customers to comply with personal data privacy regulations.

Please note that Mono Solutions is not in a position to offer legal advice, and we therefore recommend that you consult your own legal counsel.

Data Privacy

What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation aimed at strengthening the data protection of individuals (data subjects) within the EU. Its focus is to give more control and transparency to data subjects about what, how and when data is collected about them online. With the GDPR, data subjects have four main rights:

  • Consent and control
  • Right to be forgotten
  • Data portability
  • Restriction of processing

Data roles

Who is who in GDPR

In handling personal data, each entity has a specific role. For more detailed information on each specific role, we recommend this article. In the context of Mono as the technology provider, the following roles apply: 

  • Data subject = website visitor
  • Data controller = SMB
  • Data processor = Reselling Partner (often referred to just as our Partners)
  • Sub-contractor = Mono Solutions
  • Sub-contractor = Third-party vendors to Mono Solutions (for example, payment gateways

Deadline

When does it start?

The EU GDPR comes into effect on May 25, 2018. 

impact

How it affects smbs

Across all EU member states, the regulation is intended to make it simpler for businesses to comply with personal data protection. It also means that all SMBs that serve EU citizens need to comply with GDPR. For example, if a small business outside of the EU offers their products/service to EU citizens, then they will need to comply with GDPR.

responsibility

Who needs to take action

While the Mono Platform provides the functionality to ensure that websites built on it can easily comply with GDPR, it is ultimately up to your SMB clients to ensure that their business is compliant. But of course, there are some steps that can help them along the way.

  • Help them understand their role as a data controller
  • Encourage them to update their privacy policy
  • Encourage them to centrally manage all personal data collected via their website

From a platform perspective

GDPR-specific functionality

Easily manage personal data

We are building dedicated functionality so that you and/or your SMB clients can easily generate a report on any personal data collected and stored via the website, as well as manage other important personal data-related matters, including data retention and setting a dedicated privacy policy. This makes it easier for small businesses, as the Data Controller, to find, manage and if needed, delete the personal data of their website users.

forms

Getting user consent

A part of GDPR is getting explicit consent from users (data subject) when collecting their information and making sure that they can easily understand how that data is used. This is a simple exercise of updating the site’s privacy policy to outline what data is collected, why it’s collected, how it is used, when/if it is automatically deleted and how to delete it upon request. 

Mono will be adding functionality to all form modules to make it easier for visitors to access the privacy policy in the form as well as easier opt-in functionality that documents time and place (URL) of consent.

mono crm

Easily manage personal data

With Mono CRM, your SMB clients can store data on customers and prospects (data subjects) in one place. Managed centrally, CRM helps SMBs get a better overview of the personal data they have on any given individual. Mono CRM also features clear permission settings that display whether a user is registered to receive email campaigns, and if a user has access to password protected areas. 

With a dedicated system in place to store and manage data, SMBs can more easily understand what information they’ve collected from their website visitors (data subjects), and establish clear processes on how to manage their collected data.

mono e-commerce

Order data

In most countries, business owners are required to keep transactional data (order data) for at least five years. We will be adding functionality to make it easy for your SMB clients to adjust this and delete the data after a specific amount of time, as specified in their country's regulation. 

Note that payment information (e.g. credit card details) is not stored on the Mono platform. We recommend you engage directly with the payment gateways you use to understand their compliance in relation to GDPR.

cookies

What is tracked

As a standard on the V5 platform, all websites are enabled with Google Analytics. Google’s compliance with GDPR is available on their website. The cookies put onto visitors’ browsers from Google Analytics do not store any personally-identifiable information on visitors (note this is also against their terms of use). 

Other cookies used within the platform are based on sessions and are necessary in order to carry out and support basic website functions such as login, form submissions and maps. Just as with analytics, these cookies are not personally identifiable and only session-based. In short, the cookies the Mono Platform uses do not affect an SMB’s ability to comply with GDPR. As a reminder, Mono does not take any responsibility for third-party code or applications added to a website.

legal texts

Updating data privacy policies

Each of your SMB clients has likely been advised to update their privacy policies to reflect the requirements of GDPR in an easy-to-understand language. The privacy policy, as we interpret, should outline specifically what data they collect, why they collect it, how it is used, when it is deleted, and how to request a copy of their data and/or request it be deleted. Using the “Legal Text” Global Data field is a great place to do this as it can then easily be edited centrally going forward. 

Visitors to the SMB website, that is data subjects, must agree to the SMB’s privacy policy before being obliged to submit any personal data via the website in order for the SMB to comply with its obligations under applicable data protection laws. This is where the new form functionality mentioned above becomes important.

As the data processor, our partners should ensure that the data controller (SMB) updates their privacy policy accordingly. This is especially critical because if our partners, in the capacity as data processor, process data given to them by the controller (SMB) which was not lawfully collected, they can be held directly liable to the data subject for the breach under the GDPR and can be fined by the local data protection authority for breaching the GDPR.

Given all of this, Mono does not recommend our partners to take a one-size-fits-all approach to updating SMB’s legal texts regarding the collection and use of data. Legally, Mono has been advised not to support this action on behalf of our partners so requests to update privacy or legal texts en masse are not possible.

TIP! In collaboration with local legal counsel, this could be a good place to monetize your services to help your SMB clients update their privacy policy with content regarding personal data. As the data processor and creator of their website, you likely know which data they are collecting and can help them add the required language to the data privacy policy while also ensuring all website forms reference the policy accordingly.

our organization 

Corporate compliance

Mono Solutions is committed to operating within legal requirements on all levels. From a technology standpoint, we are focused on ensuring that personal data management is as straightforward, simple and convenient as possible for your SMB customers (data controller). On an organizational level, Mono Solutions is undertaking all necessary measures to ensure full corporate compliance, including but not limited to:

  • Updating contracts with partners and third-party vendors
  • Updating our privacy policies on all corporate websites
  • Updating marketing permission consent

Mono Solutions does not share personal data with third parties beyond what is needed to provide our core platform and services (e.g. the provisioning of domains).

more gdpr

Resources

Questions? 

If you have any questions or concerns about the GDPR, please feel free to get in touch with your Partner Success Manager.