I would put it as “The system helps you comply with GDPR”. GDPR isn’t just a tick box or something we can solve through software, it’s about all your processes. We can’t stop you from using the system in non-complaint ways - you could download a list of customer details, print it out, and leave it on a bus - but we try to make it easy for you to comply.
In terms of the GDPR, you’re the data controller - you own the data - and we’re a data processor, processing it on your behalf. We don’t use the data for anything on our own account, we can’t analyze it or send it to a 3rd party without your permission.
For security - the data lives on a server in Amazon’s EC2 cloud, at the hosting center based in Ireland, so it’s physically very secure: we don’t have physical access to the hardware the virtual machine is on. The database server is inside a virtual private cloud, and not directly accessible from the internet: access requires a secure VPN connection. The database is backed up onto a non-Amazon server (hosted by Bytemark) for disaster recovery which has a minimal exposed surface area, and may be downloaded onto a development machine if that is required to diagnose and fix a problem you are having with the system. It is company policy to remove client database from developer laptops as soon as the problem they are required for has been fixed, to minimise the possibility of data being lost if the laptop is lost or stolen.
I don’t believe that you require tick box consent for opening an account. One of the key tests in the GDPR is about reasonable expectations. If a customer creates an account on your website, they expect you to store that data. But what you do with it must match what they reasonably expect, so you need the data to sell them a ticket and that’s fine, but you can’t pass that data on to a 3rd party marketing company trying to flog them widgets.
See second 5 of https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
Consent is ONE lawful basis for processing data. The other 5 are:
A contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
Compliance with a legal obligation:if you are required by UK or EU law to process the data for a particular purpose, you can
Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can. If you are a
UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities.
Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
So basically under “Contract” and “Legitimate Interest” you’re fine.
You do require consent for using their data to send marketing communications - I can show you how this works. We capture marketing permissions in a granular, auditable, compliant way. For example, you are not allowed to require marketing consent as a condition for the fulfillment of a contract, and the system won’t let you do that because the marketing consent screen is after the purchase is complete. We don’t allow you to change marketing consent questions after people have agreed to them, in order to keep a history of what people have agreed to - instead, you have to create a new permission with the new text, which replaces the old one, and people have to agree to that separately.