Skip to content

Guidance on GDPR

GDPR came into force on May 25th 2018 so we're sharing some information to help you answer customers’ questions and let you know what changes we've made.

The General Data Protection Regulation (GDPR) is a European data protection regulation. One of its main aims is to make sure individuals have control over their personal data. It also aims to simplify the regulatory environment for international business by unifying the regulation within the EU. 

What are the changes we're implementing?

The main changes we've made to Tonic are as follows:
  • Email Marketing subscriber opt ins. Rather than asking users to opt out of email marketing permission, we are now required to ask users to opt in. This change has already been implemented. 
  • Protecting customer data. You may have noticed customer emails and phone numbers have been removed from the attendee list. This is to protect loss of customer data. This is still available through your Tonic dashboard.
  • Force password reset. GDPR laws state that any automatically generated password delivered in plain text to a user within an email will require a password change on first log-in. As of now, when you invite a new user to have access to your dashboard in Tonic, they won't be emailed their password, but instead a link to activate their own password/account. 
We have worked with all our suppliers who are involved with the safe-storage of your data in Tonic, to ensure all of them are already GDPR compliant. We use the biggest, global tech companies when it comes to storage of data so you can be safe in the knowledge that all our internal processes are fully GDPR compliant; as signed off by our Data Protection Officer from The Access Group.

When these new laws are in place we become your "data processor" and it is our responsibility to ensure that your data is stored and collected in a GDPR compliant manner. You become the "data controller" and it is your responsibility to then handle and use that data in a GDPR compliant manner. A good rule of thumb is "don't do anything stupid with your data" - don't bombard customers with marketing, do not email/phone/SMS them if they haven't opted into your marketing and don't leave copies of customer data downloaded and un-password protected on your laptops.

As the data processor we are not legally in a position to give you personal advice on how to control your data in a GDPR compliant manner, so if you are unsure on what is expected of you, we strongly advise you to do online research and perhaps seek professional assistance. 


A) Does the data need to be destroyed after a certain period of time? 
Our internal data protection officer has spoken with ICO and she believes that in the realm of ticket purchases there is no time limit, as they may make a purchase again with you in the future.

B) Do confirmation emails, follow up emails, reminder emails need marketing permission? 
No. These emails are part of the customer's "booking contract" with you, so you are free to continue to send these to all customers.

C) Do you need to get your database to re-opt in? 
We don't like to give you definitive advice on this (as per the red paragraph) but at DesignMyNight we are going to send out an email to our database to opt-out if they don't want to hear from us again. Take from that as you will. It's probably a good time to cleanse your database too...if someone hasn't opened your last 3 campaigns they probably aren't worth having anyway...quality over quantity! 

D) How do I add a marketing opt-in option to the checkout? 
Check out our marketing opt-in guide

Feedback and Knowledge Base