
Compliance & Security

 "If you think compliance is expensive, try non-compliance."

- Paul McNulty, former U.S. Deputy Attorney General

How we ensure Compliance

Businesses offering a public WiFi service to their customers are required by law to comply with the relevant legislation governing the handling of collected data, be it POPI in South Africa or GDPR in Europe and the UK.

Essentially, information may only be processed if voluntary, specific, and informed consent is obtained. Furthermore, certain security features and protocols are required to be in place to protect guests from accessing questionable content.



Prevent guests from accessing sites with questionable content such as the darkweb, malware, adult sites & torrents.



Transparency and informing the public about how their data are being used are important to Flow Networks.

DNS Content Filter


You can switch content filtering on or off from within our platform 


Once enabled, our built-in filter will block DNS requests for:

Once enabled, your device will block DNS requests for:

[Image: Content Filtering]

Block Inappropriate Content 

[Image: Block Content]

The content filter will also enforce:

[Image: Safe Search]

How we ensure GDPR Compliance:

Updated our Terms of Service to automatically include the GDPR-relevant information governing how we process your customers' personal data.

Added an Opt-In Consent Form that you can set up as unchecked for your Guest Wi-Fi networks, and allowed you to tie third-party Automations to whether the customer has opted into marketing.

Updated our Guest Wi-Fi Terms & Privacy Policy to make sure we provide information around the rights individuals have under the GDPR, and to include some of the information that you may be required to provide under the GDPR.

Added the GDPR Compliance Function to allow you to enable locations as GDPR Compliant, and forcing all EU locations to be GDPR Compliant.

Added a Data Processing Addendum that governs the Processing by Flow Networks of Personal Data under the Agreement, where the GDPR applies to the Processing of Personal Data.

Added a My Profile Opt-Out and Data Deletion Function, which is a way for Guest Wi-Fi users to request that their individual customer records be deleted to comply with the GDPR.


The GDPR vs POPIA debate: Flavours of the same thing?

The good news is that the GDPR and POPIA are simply different flavours of data protection laws. They are actually quite similar to each other. Obviously, when South Africa enacted POPIA, South Africa did not know what the GDPR would look like. The concern was that the GDPR would be radically different from POPIA and it would mean that the South African Parliament would need to change POPIA significantly. The GDPR is more an update to data protection law, rather than a complete overhaul.

At Flow Networks we have ensured GDPR Compliance 

POPI must be brought in line with the GDPR

Considering the EU is one of South Africa’s biggest trade partners, South Africa is going to have to bring POPIA more in line with the GDPR. This could be done by Parliament amending POPIA or the Information Regulator interpreting it in line with the GDPR or publishing Regulations that are in line with the GDPR. We think it is unlikely that Parliament will amend POPIA, and the POPI Regulations don’t change the position much, so it will be up to the Information Regulator to do it over time.


Data protection changes

These are the changes made to guest data collection when GDPR compliance is enabled:

  • Guest data that is collected as part of the login process is immediately tokenized.

  • If the guest does not complete the login process, this tokenized data is discarded within 48 hours, during which time it is not accessible by any other systems.

  • Guests must explicitly confirm their consent (opt in) to data collection and storage. This allows automations to run for that guest.

  • If they do not confirm their consent (they opt out), their sensitive data (email address and phone number) are pseudonymized. 

  • This pseudonymized guest data allows us to continue to perform functions such as "One Click Welcome Back" and generate appropriate reports and data aggregations, but without being able to retrieve the actual guest data. It cannot be used for any means of personal identification or for further communication.

  • No automations will be triggered by guests who have not confirmed their consent to data collection.

Social profiles collected from guest logins that are GDPR compliant will have a badge stating this.


Is GDPR compliance mandatory?

Anyone operating within the EU or UK, or who processes data from EU or UK citizens, must use our GDPR compliance feature as of 25 May 2018. Anyone outside those regions does not have to use GDPR compliance or the opt-in form, but it's still recommended as a courtesy for your guests.


Process overview: Spring 2018

The following is a process overview from spring 2018 of how the Flow Networks platform enforces GDPR compliance for Channel Partners:


  1. All EU Locations have GDPR Toggle ON and ReadOnly [cannot be User disabled].

  2. Campaigns have an optional, customisable Opt-In Form and GDPR ON/OFF Toggle.

  3. Upon Guest Login - guest data is treated in GDPR compliant fashion IF Location: GDPR is ON AND/OR Campaign: GDPR is ON.

  4. We are performing tokenisation of all Guest data as the Guest performs the Login Process.

  5. If the Guest does not complete the Login Process, the tokenised guest data is discarded within 48 hours, after which time it is not accessible by any other systems.

  6. The First Step of Splash Page / Login Experience is to swipe the "Agree" button. You cannot proceed to Login without Agreeing to the Terms and Conditions. 

  7. When the Guest successfully completes the Login Process they are presented the Opt-In Form which allows them to confirm their consent (Opt-In / Opt-Out).

  8. Guests are Opted-Out by Default unless they specify explicitly that they choose to Opt-In.

  9. If the Guest confirms consent (they selected Opt-In), the processes to run Automations [Webhooks, Data Push/Broadcast Integrations] on their data are activated and performed.

  10. If the Guest does NOT grant consent (they selected Opt-Out),  NO Automations [Webhooks, Data Push/Broadcast Integrations] will be performed on their data, ever.

  11. If the Guest does NOT grant consent (they selected Opt-Out) then we save a pseudonymised representation of their sensitive Guest data points [E-Mail and/or Phone Number]. This is a one-way hash, and the real e-mail address and/or phone number cannot be retrieved from it.

  12. The pseudonymised Guest data we store allows us to continue to perform functions such as "One Click Welcome Back" and generate appropriate reports and data aggregations, but without being able to retrieve the actual sensitive Guest data. It cannot be used for any personally identifiable means or for any direct communication.

  13. Guests can enter their E-Mail Address or Phone Number to get a link that gives them access to their Guest Data Dashboard, which contains all data points we have collected that's associated with that Email Address / Phone Number.

  14. Guests can change their Opt-In state to an Opt-Out from the Guest Data Dashboard [on execution, this pseudonymises their sensitive data, prevents anybody or any system from accessing it in the future, and prevents any Automations from running from that point forward].

  15. Guests can delete their data profiles from the Guest Data Dashboard [this will delete all data associated with their Data Profile].

  16. We do NOT store cookies on Guests' browsers.

  17. Social User Profiles in Platform indicate Guest consent choice [Opt-In / Opt-Out].

  18. Social User Profiles in Platform indicate GDPR compliance and blur the pseudonymised sensitive data [Email Address / GDPR] for Guests that have Opted-Out.

  19. Social User Contact List in Platform indicates Guest consent choice [Opt-In / Opt-Out].

  20. Social User Contact List Exports in Platform indicate Opt-In / Opt-Out consent choice and contain pseudonymised data if the Guest Opted-Out.
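
The consent and pseudonymisation steps above (opted out by default, one-way hash of the e-mail address or phone number, automations only with consent, opt-out and deletion from the dashboard), as an added Python example; it is not Flow Networks' code. The class and function names, the HMAC key and the rule that the latest form choice wins are assumptions; the hash is keyed here because an unkeyed hash of a phone number or e-mail address can be reversed by hashing candidate values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: the one-way hash is keyed with a server-side secret, so that
# low-entropy inputs (phone numbers) cannot be recovered by hashing guesses.
PSEUDONYM_KEY = b"constructed-demo-key"

def pseudonymise(value: str) -> str:
    """Keyed one-way hash of a normalised e-mail address or phone number."""
    norm = value.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, norm, hashlib.sha256).hexdigest()

def gdpr_applies(location_gdpr: bool, campaign_gdpr: bool) -> bool:
    return location_gdpr or campaign_gdpr  # step 3: either toggle is enough

@dataclass
class Guest:
    pseudonym: str
    email: Optional[str] = None   # clear text is kept only while opted in
    opted_in: bool = False        # step 8: opted out by default
    visits: int = 0

class GuestStore:
    def __init__(self):
        self.guests = {}        # pseudonym -> Guest
        self.automations = []   # pseudonyms for which an automation fired

    def complete_login(self, email: str, opt_in: bool = False) -> Guest:
        """GDPR path; assumption: the latest opt-in form choice wins."""
        key = pseudonymise(email)
        guest = self.guests.setdefault(key, Guest(key))  # "Welcome Back" match
        guest.visits += 1
        guest.opted_in = opt_in
        guest.email = email.strip().lower() if opt_in else None
        if opt_in:                      # steps 9-10: consent gates automations
            self.automations.append(key)
        return guest

    def opt_out(self, email: str) -> None:
        """Step 14: drop the clear text, keep the pseudonym."""
        guest = self.guests[pseudonymise(email)]
        guest.opted_in, guest.email = False, None

    def delete(self, email: str) -> None:
        """Step 15: remove the whole profile."""
        self.guests.pop(pseudonymise(email), None)
```
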

All Channel Partners must adhere to the following GDPR Requirements if serving customers based in the European Union (EU):

  1. Ensure you have implemented custom terms that feature "friendly language" (clear and plain, intelligible).

  2. Add the "Opt-In" Form to your Campaigns with appropriate language & Enable GDPR.

  3. Enable GDPR on your Locations that fall within the European Union countries.

  4. Determine if you’re a controller or processor of data.

  5. Email guests that you are currently communicating with and confirm their consent.

Under the GDPR, controllers and processors are required to implement appropriate technical and organizational measures.
Please read these articles to learn more about applying the Opt-In form and enabling GDPR.

Are you a Controller or Processor?

If your company name, branding, address or logo appears on the splash/login pages, you’re the data controller.

  • 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

  • 'Processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

What data does the GDPR apply to? 

The GDPR generally applies to the collection and processing of 'personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, such as:

  • IP Address

  • Name

  • Email

  • Phone Number

  • Location data

  • Online identifier (such as IP or MAC address)