Step-by-step guide: how to create Records of Processing Activities!

With enforcement of the General Data Protection Regulation (GDPR) approaching, Records of Processing Activities (RPAs) is a term that is being thrown around quite a bit. The same thing also goes by Procedure Index, Data Mapping or Data Flows, among other names; in the regulation itself it is the record required by Article 30. It is what data protection authorities can ask to see after 25 May 2018. For most companies that is a daunting prospect, since only 34% (vpnMentor, 2018) are on their way to compliance so far. To make it easier, here are all the steps to keep your RPAs ready for the authorities:

Step 1: Collect the names of all the departments in your company

Think of all the functions your company performs. Departments are not always clearly divided, especially in a start-up, where chances are you do not have organised departments at all. So take a moment, list every function, and organise them so that every activity you carry out belongs to a department.

Step 2: Fill out your basic Company Information

This covers the legal name of your company and the contact details of the person who represents it, usually the Managing Director or Chief Executive Officer (CEO).

Step 3: Pick a platform for all GDPR related documents and work

You need to decide how you want to manage all the documents together. Google Docs in a shared drive? Folders on the internal company network with Microsoft Office? A task management tool built for the GDPR? Pick one option and stick to it: there will be a lot of documents you need to get back to, and keeping them in one place means finding them is not a hassle. Bear in mind that the RPAs themselves contain personal data (the names and contact details of the people responsible), so restrict access to whatever repository you choose.

Step 4: Now think of all departments that have processes for personal data

Now think of all the departments in your company that process personal data in one way or another, for instance Sales and Marketing, Product Development and Finance. Are these departments using any data about users, customers or employees? Make a list of them.

Step 5: Think of the people responsible for these Processes in each department

Think of the people who manage the data-related activities in each department and make a list of them. The person you pick must know very well what the department does with personal data and be able to answer questions about all such activities. This does not have to be the head of the department; it should be whoever knows the most about the activities that involve personal data.

Step 6: Now put the information together to create a Department Profile

Combine the two lists so that each department is paired with its contact person.

Step 7: Find an Internal Data Protection Officer

Ideally, you appoint one person in your company to act as the Data Protection Officer (DPO). The GDPR makes the appointment mandatory only in the cases listed in Article 37(1) (public authorities, and organisations whose core activities involve large-scale regular monitoring of people or large-scale processing of special categories of data), but a named owner helps in any case. This person can come from inside the company and will later need training, or at least a working understanding of the law. One caveat before you pick a Chief Operations Officer or Head of Legal: Article 38(6) requires that the DPO's other tasks do not create a conflict of interest, and roles that decide what the company does with personal data usually do.

Step 8: Sign a document with them to officially appoint them as your DPO

To officially appoint the chosen person as your DPO, sign a document with them that outlines their responsibilities and the purpose of the role in line with Articles 37 to 39 of the GDPR. Our tool provides this document for you to download and request a signature on.

Step 9: Every department makes a list of all their activities that use data

Each department records every activity that uses personal data in any way. For instance, exchanging business cards would be one activity in the Marketing Department; personnel holiday planning would be one for the Human Resources (HR) Department.

Step 10: Give details of each activity

This is the tedious long-term task that has no short-cuts. You need to go through the activities one by one and define each of them. There are a few points you need to write down for every activity. Let's go over them one by one.


Step 10.1: Description of the Activity

This includes what the activity is and who the contact person responsible for it is. For example: "IT for employees", with someone in the IT department responsible for it.

Step 10.2: Purpose and Legal Basis of the Activity

In line with the GDPR, you have to state the purpose of the activity and how it fits the overall purpose of your company. If it uses personal data, you also need to name the legal basis on which you process it: is it consent, for instance? Or the performance of a contract? (Article 6 lists the other options: a legal obligation, vital interests, a public task or legitimate interests.)

Step 10.3: Data Collection and Data Processing

Here, answer whether you collect personally identifiable information such as names, email addresses or bank details. If you do, where do you collect it from, and do you explicitly ask for consent before you get it (or rely on another legal basis)? Do you pass this data to third parties? If so, who are they and what do they do with it?

Step 10.4: Nature of the Data

Whose data is this: customers, clients, employees or partners? And what data is it? Names, email addresses and bank details are some examples.

Step 10.5: Data Storage and Deletion

This is the straightforward part if your processes for it are defined; unfortunately, most companies do not have processes for this kind of thing. Record how long you store the data, the exact location of the storage, and when (and on what trigger) you delete it.

Step 11: Now combine them all in one Report

The final step is to organise all this information from different departments and people, consolidate it, make sure you are not missing an activity or any of its details, and put it all together in one place for the authorities.
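Steps 9 to 11 are a consolidation job, and the part most people get wrong is the check that no activity is missing a detail. The script below is an added example (not part of the original post and not the ecomply.io tool) of that check: each activity is one record carrying the fields from Steps 10.1 to 10.5, the legal basis is validated against the six lawful bases of Article 6(1), and the records are grouped into one report with a list of gaps per activity. The three sample activities, the department names and the contact addresses are constructed for the example.

```python
"""Consolidate per-department records of processing activities into one report
and flag any activity that lacks a detail from Steps 10.1 to 10.5.
Added example; the sample records are constructed, not taken from a real company."""
from dataclasses import dataclass, asdict
import json

# The lawful bases of Article 6(1) GDPR; legal_basis must be one of these.
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}

# Fields every record must carry (description/contact, purpose/legal basis,
# subjects and categories, storage location, retention and deletion).
REQUIRED = ("description", "contact", "purpose", "legal_basis", "data_subjects",
            "data_categories", "storage_location", "retention_period",
            "deletion_trigger")


@dataclass
class Activity:
    department: str
    description: str
    contact: str                 # person who can answer questions about it
    purpose: str
    legal_basis: str             # one of LAWFUL_BASES
    data_subjects: tuple         # e.g. ("employees",)
    data_categories: tuple       # e.g. ("name", "email")
    collected_from: str = ""     # source of the data
    third_parties: tuple = ()    # recipients; empty means the data is not shared
    storage_location: str = ""
    retention_period: str = ""
    deletion_trigger: str = ""


def check_activity(act: Activity) -> list:
    """Return the gaps in one record; an empty list means the record is complete."""
    gaps = [f"missing {name}" for name in REQUIRED if not getattr(act, name)]
    if act.legal_basis and act.legal_basis not in LAWFUL_BASES:
        gaps.append(f"unknown legal basis '{act.legal_basis}'")
    if act.legal_basis == "consent" and not act.collected_from:
        gaps.append("consent-based but source of the data not recorded")
    return gaps


def consolidate(activities) -> dict:
    """Group records by department and attach the gap list to each activity."""
    report = {"departments": {}, "complete": 0, "incomplete": 0}
    for act in activities:
        gaps = check_activity(act)
        entry = asdict(act)
        entry["gaps"] = gaps
        report["departments"].setdefault(act.department, []).append(entry)
        report["incomplete" if gaps else "complete"] += 1
    return report


def render(report: dict) -> str:
    """Serialise the consolidated report as JSON for the file you hand over."""
    return json.dumps(report, indent=2, sort_keys=True)


# Constructed sample records: one complete, one missing retention details,
# one with a legal basis that is not a lawful basis at all.
SAMPLE = [
    Activity("HR", "Personnel holiday planning", "hr-ops@example.com",
             "Schedule leave and arrange cover", "contract",
             ("employees",), ("name", "leave dates"),
             collected_from="the employee", storage_location="HR system, EU data centre",
             retention_period="employment plus 3 years",
             deletion_trigger="end of retention period"),
    Activity("Marketing", "Business cards collected at events", "events@example.com",
             "Follow up with leads", "legitimate_interests",
             ("prospects",), ("name", "email", "employer"),
             collected_from="the prospect, in person", third_parties=("CRM vendor",),
             storage_location="CRM (SaaS)"),
    Activity("IT", "IT for employees", "it@example.com",
             "Provide accounts and devices", "because we need it",
             ("employees",), ("name", "login times"),
             storage_location="Directory server", retention_period="duration of employment",
             deletion_trigger="offboarding"),
]

if __name__ == "__main__":
    print(render(consolidate(SAMPLE)))
```

Run it and the Marketing record shows up with "missing retention_period" and "missing deletion_trigger", and the IT record with an unknown legal basis; those are exactly the questions to take back to the department contact before the report goes to an authority.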

Ecomply.io allows you to create one-click reports and provides all the templates, with guidance on what information belongs in each field. Our Task Management Tool is built around the legal requirements of the GDPR, so the guidance actually helps you understand what to do.

If you would like to check out our platform, book a free demo now.


10 GDPR questions answered for SaaS Companies

In the last few days, after our Product Hunt launch, we have received questions from people who are curious about the process of compliance. How do you start? What are some of the things to keep in mind? Since the GDPR will be enforced this coming May, we see a lot of companies scrambling to comply. We thought that an example from a company in the final stages of GDPR compliance would help, so we caught up with Woodpecker.co to find out what they have done, how they have done it and what they think could have helped them in the process.

1) How did you get started with the GDPR?

We’re based in Poland, so we heard about GDPR pretty soon. We’ve tried to keep abreast with the news since the moment we heard about the changes. So, we can say that we began by keeping an eye out on the discourse around GDPR.

2) What were your first steps? Please feel free to list them.

First, we read the whole regulation. In my opinion, there should be one person at every company who has read the regulation from start to finish. It helps a lot. Especially since there’s a lot of panic around GDPR as well as around the implications that may follow from it. Reading the whole thing clears things out for you.

Then, we found a couple of GDPR conferences. One of our colleagues, who we appointed as Data Protection Specialist, took part in those conferences and shared what she learned with the rest of us. She prepared small presentations for every department: Office Management, Sales, Marketing, and told us how GDPR will affect our work. Her input was invaluable.

We updated our Policy and Terms of Service. We reviewed our signup forms for our newsletter, downloadable marketing content and the app itself.

Then, we researched how other companies were preparing for GDPR. We decided to let our customers know what we were doing for GDPR. That’s how we created the page. It’s made to inform our customers and subscribers how we’re handling things.

3) How did you change your email marketing for the GDPR?

The first step we took was to make sure our signup forms were clear to understand, as it is one of the requirements of GDPR. The signup forms should be free of any jargon words or windy sentences. The signees should know what they subscribe to.

The subscribers should feel their personal data is secure when they give it to us, and that they are in full control of it. Of course, they can unsubscribe from our newsletter or update their data at any point. We have made sure it’s easy for them to do that.

GDPR also calls for data limitation, collecting only the kind of personal data that’s essential. It has always been the case when it comes to our marketing communication. We don’t collect more data than necessary to send a newsletter. For instance, we’re not going to call our newsletter subscribers, thus we don’t collect phone numbers.

Next, we took care of the signatures that come at the end of our newsletter emails. We made sure there’s all the information that anyone would need. We’re working on the short notification that would inform the newsletter subscriber that they received the email, because they subscribed to the blog.

4) What are 10 simple changes & advice for a marketer who is reading this blog?

  1. Don’t panic. GDPR wasn’t made to kill all of your marketing activities. It was written to protect the rights of consumers. Not to harass marketers or make their job harder.
  2. Don’t trust everything you’ve read about GDPR. A lot of stuff out there is just somebody’s interpretation of the regulation. Learn to separate the wheat from the chaff.
  3. Appoint one person at your company who’ll review the way personal data is being handled. Are you sure you know what happens with the data? Who has access to it? Is the process secure? If you have no idea, it’s time to come up with a plan to make it as secure as you can.
  4. Review opt-in forms. All opt-in forms should be short and easy to understand. They shouldn’t be written in fine print nor should they be in hard-to-see colors.
  5. Ask for the information you really need. GDPR stresses that the personal data you collect should be adequate and relevant to the purpose of its processing. So don’t ask for the company address if you’re not going to mail the company anything.
  6. Keep your database clean. Do the major cleaning of your contact lists from time to time. If you don’t know how the subscriber ended up on your list, it’s better to either delete them or ask them whether they want to opt in for your marketing communication. Similarly, if a person unsubscribes, cross them out.
  7. Be transparent – Tell your subscribers in what ways you’re going to process their personal data. GDPR calls for transparency. The customers and newsletter subscribers should understand in what ways you’re processing their personal data and what kind of data you keep.
  8. Keep your word – if you say you’re processing personal data to send them a weekly newsletter, don’t send email twice a week. If you say you delete them from your list, do that. Now it’s even more important to keep your word.
  9. Learn how GDPR is interpreted in your own country. EU member states differ in their interpretation when it comes to the regulation.
  10. Inform your newsletter subscribers and customers about what you did to be GDPR compliant. We still receive some questions about whether we think App A or B is GDPR compliant. And we can’t say unless this company released a GDPR statement.

5) How long did it take for you guys to be GDPR compliant?

To be honest, we’re at the finishing line. We still need to polish a thing or two. We’re sure to announce it within a week or less. We’ve been working on it for a couple of months, because we process our users’ personal data and our users process personal data of prospects. We need to work our way through GDPR compliance.

6) What piece of advice – would you give to the readers who are starting now?

Don’t try to do everything at once. It might be overwhelming, especially since there’s a lot of contradictory advice on the Internet. Start with baby steps. That’s how we came up with the idea of creating a GDPR checklist, available on our blog. If you don’t know what to do, take a lawyer’s advice. But I’m sure you’ll manage to take care of GDPR compliance on your own.

Start with thinking what data you collect and where from. It is not only the pillar of conducting risk assessment. It will also help you realize what kind of data security policy you need.

Change the way you think about GDPR. It isn’t a policy which covers mistakes in the current system but policy which showcases how the system works.

7) Would a step-by-step and simple to use GDPR solution make sense if people are starting now?

That would be even better. I think the compliance took so much of our time because we didn’t have everything in one place. Had we had a solution to keep our work organized, it would have taken far less time to become GDPR compliant.

8) How much did you hate using spreadsheets for the GDPR?

We have the GDPR documents scattered around, because there is a lot of information to keep an eye on, likewise, we have had to review our database and do everything in our power to secure the personal data of our users and newsletter subscribers. It got really hectic. If we had an app or something that would keep everything under one roof and let us collaborate, we’d be thrilled.

9) You mentioned here – “make a list of all the in-app areas that need to be taken care of to comply with the regulation (COMPLETED)” – What were those changes?

As a sales automation tool, Woodpecker is both data processor and data administrator. We process personal data and allow our users to process personal data of their prospects. That’s why we needed to review how we process personal data and how others can process personal data in the app. We need to be cautious about our users’ data. And we need to make it possible for our users to process the personal data of their prospects in a way that is GDPR compliant.

10) Do you have an example of a cold email you write to your business contacts based on the GDPR who have not opted in?

An email body doesn’t change much from what it was before. There are two things that need our attention when writing a cold email, though. The first thing is having a tightly targeted list of prospects. A spray-and-pray approach has never been effective, but now it’s illegal under GDPR. When we decide to send somebody a cold email, we should be able to justify why we chose a specific person to be on our cold emailing list. Our business statute should be tightly connected with theirs.

The other thing is that we should be transparent. We should include information, or at least be prepared to give it when asked to, that we’re processing our prospect’s personal data and that prospects can opt out from receiving further emails from us any time they want. We have an example of that in our article about GDPR.

You can check out Woodpecker.co right here!

And if you are confused about how to start your compliance process or are drowning in heaps of excel sheets, book a free demo with us!


GDPR Compliance Tools: Why ECOMPLY.io?

The General Data Protection Regulation (GDPR) is almost upon us and the market is buzzing with many different compliance tools. Some are super helpful, others mildly so, and some are simply pretending to be helpful to get some benefit out of jumping on the GDPR bandwagon.

We thought we would tell you exactly what it is that we do that helps you with compliance. So here goes!

Do you want to spend hundreds of euros on document templates like the ones by Certkit?

Since you must fill out the documents and log all the activities of all your departments anyway, paying for Word, Excel or other templates that you then have to fill in yourself, without any guidance, is definitely not worth the money.

Ecomply.io has these templates with all the content as well as guidance on what is relevant for different fields. So, you won’t face any confusion about what you should write in the template.

Do you want to hire an external consultant for all the work?

It is not just the cost of the external consultant: think of all the time your company will spend finding the right consultant or firm, giving them a rundown of everything your company does, answering their questions, getting them to sign all the NDAs, setting up accounts for them, and all the other organisational tasks your company would have to do just to get them started.

It would easily be a week of just onboarding them! And what’s more: even the externals suggest using us!

Ecomply.io replaces 75% of the work of external consultants. The remaining 25% is basically writing new policies in accordance with the GDPR.


Do you want to sit down in countless back to back meetings to fill everything out?

Think of all the meetings you will have to hold if you fill out everything yourself. First, prepare and organise a kick-off meeting. That entails understanding the GDPR with all its intricacies and condensing it into a workshop for the other departments and people. After the initial meeting, you still have to get people to write down or otherwise record all the ways in which they use data. Then come follow-up meetings, making sure everyone does it on time, clarification meetings and what not. This would be the norm!

With ECOMPLY.io, you can simply add people from different departments to work on their activities and track the overall progress.

Do you want Excel sheets and more Excel sheets and more Excel Sheets?

Don’t forget that this means an unimaginable number of Excel sheets. Imagine every department filling out all their activities and all the details they collect, ranging from the name of their user or consumer to their login dates. Then you have to extract the relevant information from all these department-specific reports and combine it according to the requirements of the Data Protection Authorities.

With ECOMPLY.io, you can generate this report with one single click.

Here is a table we compiled that can further help you with the comparison:

If you have any questions about the GDPR, book a free demo with us now!


How Cambridge Analytica’s Trump campaign fiasco could have been avoided!

Since the news broke of what Cambridge Analytica had done, there has been a media frenzy of stakeholders reacting, accusations being thrown around and public outrage at what is considered a gross breach of consumers’ trust. Suffice it to say that Facebook has a lot of assurances to hand out to its angry users.

With the adoption of the General Data Protection Regulation (GDPR) and its long overdue enforcement, will incidents like this be deterred?

Let’s make some sense out of all the noise surrounding the issue and answer this question.

What in the world has happened?

Cambridge Analytica (see their webpage: https://ca-political.com/) claims to run data-driven political campaigns, which in today’s political arena seems like a rather smart thing to do. The question, however, is how they get access to this data and how they collect it.

This is where the problem lies: in 2014 Cambridge Analytica acquired data on 50 million Facebook users AND THEIR FRIENDS, without those people being made aware of it, to build psychological profiles of consumers and target them with content for political campaigns.

The primary issue in data privacy, in this case as in general, is informed consent. The people concerned, or Data Subjects in GDPR terminology, did not know that their data and their friends’ data were being used for political campaigning, and that is the problem. This is where the GDPR steps in.

GDPR - the savior?

The GDPR addresses informed consent and the use of personal data in three ways:

  1. It requires companies to collect only the data needed for a stated purpose (purpose limitation and data minimisation), together with a legal basis for that processing.
  2. The company also has to obtain the person’s consent in a clear and concise manner (so goodbye to long, complex consent-taking essays).
  3. It gives the person the right to withdraw consent at any moment, so if they learn that their data is being leveraged to design a political campaign for a candidate they don’t like, they can easily retract their approval.

The GDPR also makes it mandatory for companies to list their processes, document their processing activities and map their data flows, to ensure transparency for consumers as well as the authorities.

Did Facebook have technical and organisational measures in place to deter these kinds of incidents? Who knows? But if it did, they were clearly not effective enough, since a third party, Cambridge Analytica, was able to harvest the data to its advantage through an application on the platform. The GDPR requires that the path data and its processing take through the organisation is documented, so that the Data Subject knows exactly what their information is being used for.

It also puts pressure on C-level executives to take proper measures to comply. The fines under Article 83 (up to €20 million or 4% of worldwide annual turnover, whichever is higher) are imposed on the company rather than on individuals, but at that scale they are a board-level concern, so it is in the personal interest of CEOs to make sure that slips like these do not happen.

In short, once the GDPR is enforced, incidents like these will be heavily penalised and, to a degree, prevented by the required documentation of processes. In a post-GDPR world, what Cambridge Analytica did will, for all intents and purposes, be illegal, and the failure of Facebook’s processes would be severely punished as well.

So yes, we definitely believe that the GDPR will be a hero of sorts and will empower people through greater autonomy over their data.

If you want to know how we can be the Robin to your GDPR, book a demo with us!

Disclaimer: the picture in the featured images has been taken from AIB (http://allindiabakchod.in/)