How United Baristas Uses your Personal Information

With the General Data Protection Regulation just around the corner, we explain how United Baristas manages your personal information and the principles that guide us.

United Baristas was started to better connect coffee businesses and baristas as the specialty coffee industry quickly grew, and then became increasingly fragmented. Our industry experience allows us to understand that there are certain functions that are better conducted at an industry level that no single company or individual can tackle. There’s an element of sweet irony that it is the fragmented and modular nature of digital technologies and the internet itself that has allowed us to build a variety of services that better connects the coffee community.

For those of you that are not familiar with how digital technology has progressed, it’s important to explain that it’s often not necessary to actually build things in the traditional sense; rather one assembles components, linking together various cloud services and software products. If you grew up in the mechanical age, then digital is now at the point where you can often go out and buy a boiler, a PID and a variety of other components and then assemble them to make a bespoke espresso machine. A good example is that it doesn’t make functional, financial or security sense for us to build a login platform to manage users across the various United Baristas services and websites, so we use an off-the-shelf product to perform this function. Auth0 is used by many companies and they have developed a purpose-built product, backed with superior engineering, infrastructure and technical expertise, and their overview of managing logins across the internet gives them additional data and insights which allows them to provide greater security than we ever could.

Enter the General Data Protection Regulation (GDPR)

When we started considering the implications of GDPR in 2017 we (correctly as it turns out) identified that consumers were likely to see marketing communications (newsletters, social marketing etc) and the right to request and have deleted personal information as the hallmarks of the directive (more on this below). But really it’s the issues around processes and policies for managing data that are more significant. For example, take our login example above: if you log in using Facebook then some information is shared with them, and if you log in using ‘magic link’ that email is sent using Amazon Web Services. Furthermore, when you log in that triggers a webhook which passes through a third-party platform into our CRM, so we can have flags if users are having technical difficulties and troubleshoot any issues faster. The simple act of logging in to United Baristas uses around six cloud services (plus their underlying services). The management of data flows has a far greater, but less visible, impact for many consumers, some of which has more recently come to the public’s attention as the blame-game has played out in the media between Facebook and Cambridge Analytica.

General Data Protection Regulation (GDPR).

On a side note, I sat in a seminar during the summer of 2015 coordinated by an advertising agency where a sales representative of a company explained how the personality profile quizzes being circulated on Facebook had created a database which we could buy insights from by supplying our email list so that it was possible to run personality-specific advertising. They had conversion rate case studies and were selling hard to business. It’s precisely this type of re-selling and cross-platform data flows that GDPR is seeking to in part protect consumers against – and we’re on board with that. It’s never been our business practice or future intention to use the data we gather from our users in this way.

Tackling the regulation and finding satisfactory ways to implement GDPR has, like for many businesses, been a challenge. We started by auditing our platforms and modules last year and realised that we used over 30 different platforms, plus various services.

Simply documenting them all in a single list has been a great starting point for us. And it threw up some interesting examples. One was we moved CRM about a year ago and subsequently closed our account with the old provider. Obviously no-one had had the need to use them since we transferred over, however in a moment of curiosity I logged in and found all our records still there as the CRM platform hoped we’d return and re-activate our subscription (the records have since been deleted). Obviously we’ve had to think more carefully about our internal processes when transferring platforms moving forward, and many cloud services have implemented options to properly delete records with the pending introduction of GDPR.

We also used the opportunity to go back-to-basics and consider again what we wanted to do and how we wanted to go about doing it. Part of this process involved putting the values that guide United Baristas down on paper. We’ll talk more about our values in the future, but there are two that drive our approach to data and data protection: privacy and transparency.

Transparency

United Baristas believes greater transparency is required for our industry to become more sustainable and viable. As the specialty coffee industry matures the primary and secondary markets should become more stable. But this hasn’t really been the case. For example, in the 10 years since the explosion of specialty there’s still a wide range of asking prices for used espresso machines, take La Marzocco’s Linea. Unlike, say, iPhones (which are also 10 years old and companies will quote on without inspecting the product), people still take quite different estimations of the value of their equipment. We have seen significant movement towards established secondary market pricing for equipment over the last two years, but it’s still difficult to state with confidence what the selling price of a machine might be. Part of the function of services like United Baristas Marketplace is to shine a light on previously disparate transactions so that market pricing can be established – this is good for businesses and baristas as well as buyers and sellers.

La Marzocco Linea Classic
How much is a used Linea Classic worth? After over two years of monitoring prices on the secondary market we still note a wide range of asking and transaction prices.

Specialty coffee has embraced this transparency around green sourcing, and now it’s time for it to be better applied to all sorts of areas. This openness helps to level the metaphorical playing field and allows good businesses to get better and poor operators the opportunity to improve. It is our position not to pick individual winners and losers, but to seek to provide all businesses and baristas with the opportunities to succeed and to facilitate a rising tide of professionalism that lifts all and the industry.

Transparency has certain obligations for United Baristas as well. For example, GDPR stipulates data breaches are to be reported to the ICO and impacted users (fortunately we have not had any yet). But we’ve taken the decision to more widely share insights we generate from our services because we recognise that it’d be useful for industry. For example, to stick with United Baristas Marketplace, the transaction volume has more than doubled over the past 12 months. Given that more espresso machines for specialty coffee are probably bought and sold on United Baristas than any other UK platform, it’s a significant nugget of information that, when pieced together with other pieces of data, paints a broader picture on the state of industry for equipment brands, roasters and shop operators. We’re moving towards even greater transparency for the benefit of the industry because we believe, and lobby, that transparency should be an even greater part of our industry’s future. We think that those that stand against it are playing yesterday’s game and increasingly are standing in the way of the industry’s progress.

Privacy

We are – and always will be – committed to personal privacy. Our services and programmes require us to collect an array of information. We don’t sell or lease information and it has long been our policy to only make introductions or pass on information when we have the relevant permissions. GDPR contains specific requirements and provisions, for example it allows our users to request a copy of the data that we hold about them, and we’ve had to design processes which facilitate that. However, our commitment to privacy runs deeper. We are involved in the coffee community and are privy to an array of industry information from sales figures to hirings and firings to openings, closings and business transfers. It’s our position to hold each conversation in confidence (unless otherwise stated, rather than the inverse), not to spread gossip and to connect people or businesses directly so they can best decide what is appropriate to share. In short, whether on our platforms or in person, we recognise that our users and community entrust us with their information for the smooth running of our services and to allow us to connect at times disparate dots – and we want to do good by them.

Principles

The border between transparency and privacy is when data becomes aggregated and anonymous. Information that relates to specific businesses and baristas should be private and the default setting for industry-wide information should be open with priority given to information with greater utility.

We think that this is pretty straightforward, but recognise that the coffee industry has largely previously operated in the inverse. Industry-wide data and insights have been seen as commercially valuable and are held as tightly as possible; while specific information about businesses or baristas travels quickly through the industry’s grapevine. We’ve been making noises about our dissatisfaction with the status quo for several years and now seems like a good moment to state clearly that we think this needs to change so that the industry can continue to grow and mature – and we want to be a part of that development.

Committed to change

We feel like we have embraced the spirit of GDPR. It’s currently a moving feast and it’s going to take some time to see the technology solutions come on stream and to see how the directive is enforced in practice. I’m not saying that United Baristas is perfect or even that we have managed to get our heads around exactly what it means for ourselves and our operations (I’m not sure anyone has), but we have taken the biggest step forward that we are capable of at this time and we are prepared to develop further. One may remember the ‘Cookies Directive’. For a period of time one was bombarded with banners about cookies on every site visit until one clicked an acceptance (itself requiring a cookie); now the general implementation is to have specific cookie information readily available, changes which are embedded in GDPR. It seems likely that there’ll be a similar learning curve about what’s required and how this might be best implemented – albeit on a much larger scale. We are committed to monitoring developments, better understanding how the emergent best practice would apply to our operations, and to making the appropriate changes. We are all at the start of a GDPR journey.

Committed to the future

We have also committed ourselves not to onboard or partner with companies or products that are not GDPR compliant.

Over the past months the good news is that – to date – almost all of our cloud service providers have completed their GDPR. With around two weeks to go before implementation we have just one platform yet to clear this hurdle, and we understand that they are committed to making the 25 May deadline.

Committed to communication

There’s a distinction to be drawn between transactional and marketing emails and communications. Transactional emails are largely necessary to provide receipts and transaction information as well as update users on key or critical changes to platforms or services. Marketing emails are about driving sales. There is some blurring of the middle, for example, when does a transactional email from United Baristas Marketplace or United Baristas Careers updating users on new listings or job vacancies become a marketing email?

Sensing that email communication might become a hot topic for consumers with the introduction of GDPR we started building alternative channels for our community to receive relevant information, if they so wished. Over the past six months we have built:

You have always been able to control the notification emails you receive from:

We also have sought to hone the content that we publish on our social media. All these channels have respective strengths and weaknesses, which is why we will continue to make community-wide mail shots for key United Baristas updates such as price changes, changes in services and changes in our operation. You, of course, have the option to not receive these but we strongly recommend that you continue to receive them (see below).

Committed to support

The majority of queries we receive are for clarification on how a specific aspect of our services works, or confusion following a misunderstanding of how the services we supply work, especially after changes. The information and documentation is readily available, but at times scattered across the services, and frequently queries originate from people who have previously opted out of updates.

It’s been our position to not provide support on social channels, but this has been blurred at times in the past. Going forwards, for security and confidentiality, all customer support will solely be provided over email.

We are currently building a single repository for guides to our services, including FAQs etc. This will be self-service, so if you miss an update you’ll be able to more readily find answers to your questions. It’s a large undertaking for us and to be honest the timing has been inconvenient as it has eaten into the available time for building our new United Baristas Workshop. We hope to be able to launch both later in 2018.

Committed to security

GDPR has new obligations on organisations to report breaches in data security. United Baristas has prioritised security from its inception. For example, as a digital only service we have never recorded personal information on paper records and this information has only ever been stored on secure servers and platforms. Neither do we hold debit or credit card information (this is stored on Stripe’s secure servers), so it can’t be stolen from us. However, our services require us to hold significant amounts of personal information. Presently these all operate on secure websites (with the exception of United Baristas Workshop, which contains no personal information and will be upgraded anyway later this year). We have always defaulted to gathering the least amount of personal data possible to smoothly run our services and programmes and this principle will continue to guide us into the future. Where we hold data we take our responsibilities seriously, but we also recognise that nothing is as secure as not having it in the first place.

GDPR for the coffee industry

We originally envisaged that this article would serve as a guide to help coffee businesses adapt to the new requirements, but in the process of reviewing and updating our own systems, procedures and policies recognised that each business has distinct requirements. We’ve taken the time to share our approach because we believe it may be useful to others. While many coffee businesses will have simpler systems, we hope that we’ve highlighted that the use of cloud applications and services can quickly create complexity and necessitates the need for careful review and implementation for GDPR. In summary, we tackled the changes by:

  1. Mapping out then auditing our current uses and platforms
  2. Re-designing processes and data flows for the new regime
  3. Creating new internal documentation
  4. Implementing new processes for GDPR, including their periodic review
  5. Checking that the services we use to provide our services are, or will be, GDPR ready
  6. Updating our terms of use
  7. Registering with the ICO
  8. Communicating these changes to our users

If you have any questions on how we’re managing your data, please drop us an email. If you’re struggling to get your business ready for GDPR the Information Commissioner’s Office has some useful guides.

We want to thank everyone who’s been a part of our journey to date. We started United Baristas under the strap line ‘Together we achieve more’ and a couple of years in that is definitely proving to be the case. We’ve made some solid steps forward facilitating industry solutions to help tackle career uncertainty, better redistribute equipment and encourage the regular maintenance and upkeep of equipment. The good news is we feel like we’re just getting started.