Let's Start Busting 10 GDPR Myths!

Only 2 weeks left before the enforcement of the General Data Protection Regulation (GDPR) and there is FEAR! And fuelled by it there is paranoia surrounding what needs to be done. Rumours. Assertions. And crazy ideas. In this blog we will bust all the ridiculous myths that we have heard so far.

Myth 1: GDPR is a European Union (EU) law and only applies to European companies

This particular myth concerns the territorial scope of the GDPR. It certainly does not apply only to European companies. It applies to ALL companies that in any way collect, receive or process data of people residing in the EU. Moreover, any company that offers goods or services to EU Data Subjects or monitors their behaviour in any way has to comply, regardless of the company’s location. It is in fact possible that a European company only processes data of American residents. In that case, the GDPR does not actually apply to the company. Essentially, it does not matter where the company is based or originated from; the criterion for assessing whether the GDPR applies is “whose data do you touch?”

Myth 2: GDPR was made to punish companies by imposing fines

The principles on which the GDPR is based are not about punishing companies but rather about empowering people with more control over their data and ensuring responsible collection and processing of data. The potential fines have simply been repeated over and over again to reiterate the importance of compliance for companies. However, at this point no one can predict how strictly the authorities will impose these fines, if at all. They will most likely allow companies extensions and a lot of leeway if they see efforts being made to comply. Fines will not be imposed for every little non-compliance issue, because in essence the nature of the GDPR is empowering rather than punitive.

Myth 3: GDPR is only for the IT departments and senior management

Every time people think of Data Protection they immediately jump to the conclusion that it is something for the IT department. In the case of the GDPR this is not the case at all. The GDPR reforms the way companies handle data, which is why it applies to, and adds responsibilities for, every department and every person within a company. Processes need to be created, but employees also need to be educated about the GDPR. For instance, recording all processing activities will entail the involvement of representatives from all departments of a company.

Myth 4: All breaches, no matter how small, need to be reported to the Data Protection Authorities

Breaches need to be reported to the relevant Authorities; however, this only applies to breaches that are likely to result in a risk to people’s rights and freedoms. So not every breach needs to be reported.

Myth 5: All details need to be provided the minute a breach occurs within a company

If there is a breach within a company, details of it are sometimes not available immediately. Companies themselves need to investigate before they can collect all the necessary information. The GDPR takes this into account and allows 72 hours to report such instances, where feasible. Once reported, further details can also be provided after the allotted 72 hours if needed.

Myth 6: Consent needs to be taken for every activity

The general perception among companies is that consent is at the centre of the GDPR: without consent, no data processing activity can be carried out. This perception is extremely misleading. The GDPR allows for several different ways of justifying a processing activity, of which consent is ONLY ONE. Some others can be seen below from the ECOMPLY app, where you can just pick one to form the legal basis for an activity:

Myth 7: Under the GDPR, you need to get consent again from all stakeholders!

So having busted the first myth about consent under the GDPR, the second one is specifically about asking for consent again under the GDPR. Most companies think this needs to be done from scratch to be GDPR compliant. However, consent obtained under the Data Protection Directive suffices under GDPR standards. Just review the consent against the standard that the GDPR sets for it.

Myth 8: New data portability rules apply to all businesses

Data portability requirements apply only when the legal basis of a processing activity is consent or contractual necessity. When the legal basis is legitimate interest, public interest or another provision allowed under the GDPR, the requirements don’t apply.

Myth 9: Data centre needs to be in the EU!

This is another common misconception. A company’s data centre doesn’t have to be in the EU. It can also be in one of the third countries that the GDPR allows for. Basically, it cannot be in a country that doesn’t have regulations on data protection. Here’s what we found helpful on this topic.

Myth 10: Biometric data is sensitive data under the GDPR

This is the most understandable misconception that has developed regarding the GDPR. Biometric data that a company collects, just like any other data, is sensitive only if it is actively used for identification purposes. It is predominantly collected for purposes of identification, but if that is not the case then biometric data doesn’t have to be treated as sensitive data.


The Ultimate GDPR Compliance Checklist for SaaS

There is a tonne of material on the General Data Protection Regulation (GDPR), and several organizations and people claiming to be experts are throwing around advice. The amount of information on this topic is overwhelming because enforcement of the GDPR is in sight.

We want to condense all this information into a point-by-point checklist to help companies keep track of what they have done and what still needs to be done. This time around we are focusing on the Software as a Service (SaaS) industry.

First, it is important to understand that for SaaS companies many of these processes can be automated, but it is not strictly necessary to do so. Weigh the costs of automation against manual labour and decide accordingly what works for you.

Here are the rights of the Data Subjects (client/customer/user/employee in layman terms) that you need to preserve:

  • The right to erasure (the right to be forgotten/deleted from the system)
  • The right to restriction of processing (you have to restrict access to the data and cannot do anything with it without further consent of the user)
  • The right to data portability (give your users the possibility to download a machine-readable, exportable file of the data you have collected and processed about them)
  • The right to rectify data (have an edit button for data fields)
  • The right to be informed, which means you need to get rid of those long terms and conditions and provide this information in a way that is clear and concise

Here you can read the 10 Critical Steps to General Data Protection Regulation (GDPR) for SMEs that highlights the principles that you need to keep in mind.


Dos:

1. Create and agree on data protection goals – Article 5

This essentially means that you need to conceptualise, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io, or if you are not a customer: download it here.

2. Appoint an internal DPO with no conflict of interest – Article 37

This can be anyone in the company who is aware and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.

3. Make a cookie policy – the perfect way of showing cookies – Article 7

Here’s the right way to go about it: https://www.cookiebot.com/en/cookie-declaration/. Until now it has been enough to display that common “we use cookies” warning; however, the GDPR changes that. From the GDPR perspective, setting cookies essentially means you are collecting user data, and you need to make sure that you have legal grounds for it.

4. Add ‘cookiebot.com’ consent – Article 7

5. Update your privacy policy – the perfect Privacy Policy – Article 12:

Example of a short-form Privacy Policy

6. Add a features list

  • Consent box, recording with it the Privacy Policy version – Article 7
  • Right to edit or modify data feature – Article 16
  • Right to delete or be forgotten – Article 17
  • Right to object to processing & profiling feature – Article 21 & 22
  • Right of access (I want access to all my data, i.e. export & import feature) – Article 15
  • Right to stop automated profiling – Article 18 & 23
  • Have double opt-in on newsletter, lead magnets & sign-up – Article 7
  • Automatic deletion, or a feature giving your users a timeline for deleting their data – Article 17
  • Consent checkbox on your contact form as well – Article 7

7. Create records of processing activities and maintain them:

ECOMPLY.io helps with this. You can also read our step-by-step blog on how to do it.

8. Ask your third-party vendors, i.e. suppliers and subcontractors, to be compliant:

This includes basically every piece of software and every service you are using. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.

9. Technical Measures for IT:

  • Add anonymization or pseudonymization if a user is no longer using your system
  • Add encryption in your system
  • Have authentication mechanisms for modifying data
  • Two-factor authentication or 2-step verification
  • Focus on data minimization: don’t collect data you don’t need
  • Show that the system has strong backups and data can’t be lost
  • Web application security such as TLS/SSL
  • Data centres and their protection. They should mostly be in Europe or the US (if possible)
  • Encrypted passwords for all the systems
  • Internal hard drives or cloud drives should be protected and have different access levels
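As an added example (not ECOMPLY.io’s or this page’s own code), the Python sketch below implements the data-subject features from the list in item 6 together with the pseudonymization and deletion-timeline measures from item 9 in one in-memory user store: consent records tagged with the privacy-policy version, rectification, restriction of processing, machine-readable export, erasure by pseudonymization, and automatic purge of inactive accounts. The field names, the 730-day retention period and the HMAC key are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo secret for the pseudonymisation HMAC; in production it
# belongs in a secrets manager, and rotating it makes old tokens unlinkable.
PSEUDONYM_KEY = b"constructed-demo-key"
PII_FIELDS = ("name", "email", "phone")  # assumed personal-data fields we hold
RETENTION_DAYS = 730                     # assumed deletion timeline for inactive users


class ProcessingRestricted(Exception):
    """Art. 18: raised when an operation would process a restricted user's data."""


class UserStore:
    def __init__(self):
        self.users = {}     # user_id -> profile dict
        self.consents = []  # append-only consent log (Art. 7 record-keeping)

    def create_user(self, user_id, name, email, phone=None, now=None):
        self.users[user_id] = {
            "id": user_id, "name": name, "email": email, "phone": phone,
            "restricted": False, "erased": False,
            "last_active": (now or datetime.now(timezone.utc)).isoformat(),
        }

    # Art. 7: keep purpose, policy version and time so the consent can be shown later.
    def record_consent(self, user_id, purpose, policy_version, now=None):
        self.consents.append({
            "user_id": user_id, "purpose": purpose, "policy_version": policy_version,
            "granted_at": (now or datetime.now(timezone.utc)).isoformat()})

    # Art. 18: while restricted, the data may be stored but not otherwise processed.
    def restrict_processing(self, user_id, restricted=True):
        self.users[user_id]["restricted"] = restricted

    def send_newsletter(self, user_id):
        """Ordinary processing: refuses under restriction or without recorded consent."""
        if self.users[user_id]["restricted"]:
            raise ProcessingRestricted(user_id)
        if not any(c["user_id"] == user_id and c["purpose"] == "newsletter"
                   for c in self.consents):
            return False  # no recorded legal basis for this purpose
        return True       # the mail would be sent here

    # Art. 16: rectification, limited to the fields the user may edit.
    def rectify(self, user_id, field, value):
        if field not in PII_FIELDS:
            raise KeyError(field)
        self.users[user_id][field] = value

    # Art. 15/20: everything held about the user, as machine-readable JSON.
    def export_user_data(self, user_id):
        payload = {"profile": self.users[user_id],
                   "consents": [c for c in self.consents if c["user_id"] == user_id]}
        return json.dumps(payload, indent=2, sort_keys=True)

    # Art. 17: erasure by pseudonymisation. PII is blanked and a keyed token replaces
    # the identity, so non-personal rows (invoices, audit log) keyed by id stay usable.
    def erase(self, user_id):
        token = hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()
        self.users[user_id].update({f: None for f in PII_FIELDS},
                                   pseudonym=token[:16], erased=True)
        self.consents = [c for c in self.consents if c["user_id"] != user_id]

    # Checklist "automatic deleting or provide timeline": erase long-inactive users.
    def purge_inactive(self, now, retention_days=RETENTION_DAYS):
        cutoff = now - timedelta(days=retention_days)
        purged = [uid for uid, rec in self.users.items() if not rec["erased"]
                  and datetime.fromisoformat(rec["last_active"]) < cutoff]
        for uid in purged:
            self.erase(uid)
        return purged


def demo():
    """Walk one constructed user through each right and return the observed outcomes."""
    store = UserStore()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.create_user("u1", "Alice Example", "alice@example.invalid", now=t0)
    store.record_consent("u1", "newsletter", "privacy-policy-v2", now=t0)
    out = {"mail_with_consent": store.send_newsletter("u1")}
    store.restrict_processing("u1")
    try:
        store.send_newsletter("u1")
        out["mail_under_restriction"] = "sent"
    except ProcessingRestricted:
        out["mail_under_restriction"] = "refused"
    store.restrict_processing("u1", restricted=False)
    store.rectify("u1", "email", "alice.new@example.invalid")
    exported = json.loads(store.export_user_data("u1"))
    out["exported_email"] = exported["profile"]["email"]
    out["exported_policy_version"] = exported["consents"][0]["policy_version"]
    out["purged"] = store.purge_inactive(t0 + timedelta(days=RETENTION_DAYS + 1))
    out["name_after_erasure"] = store.users["u1"]["name"]
    out["consents_after_erasure"] = len(store.consents)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `erase` pseudonymising rather than deleting the row is that billing and audit records keyed by the user id remain consistent while no personal data remains, which is the "anonymization or pseudonymization" measure the checklist asks for.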

10. Organizational Measures:

  • Educate your team about privacy and data protection
  • Physical access to your office should always be protected with keys
  • Staff laptops and other devices should be protected

11. Sales & Marketing:

  • Obtain consent in all your marketing magnets and contact forms and record it
  • Inform customers about your CRMs, automation tools and analytics tools
  • Always have an opt-out button

12. Data Processing Agreement:

As a SaaS vendor, you should be able to provide a data processing agreement to your customers, promising technical measures to protect their data. ECOMPLY.io will help you with that.

13. Human Resources (HR):

Have different access levels for each staff member. Not everybody should have access to all the systems.

Don’ts:

  1. Don’t assume your vendors are compliant
  2. Don’t assume that Privacy Shield or ISO 27001 already makes you compliant
  3. Don’t send customers cold emails to their personal email addresses
  4. Don’t assume documentation will save you. Actually make those changes
  5. Don’t leave your laptops open in an open space where people can see the data
  6. Don’t assume it is a one-time project. You need to keep making sure that your documentation is correct and updated, and that you follow all those guidelines and check frequently.


If you are still confused about the GDPR and don’t know where to start, just book an appointment with us for an informal chat.


Who is GDPR Ready?

Given all this hype surrounding the General Data Protection Regulation (GDPR), among companies and consumers alike, we just could not help but get curious. So who out of the big, famous companies is actually GDPR Ready?

So we did a little, cheeky experiment and e-mailed these companies to find out if they were aware of the legislation and what data they had on us.

Due to the enforcement of the GDPR, you can request companies to give you all the data they have on you. You can also ask them to delete it and forget you. This is primarily how GDPR empowers us as consumers. For companies to be GDPR ready, they need to have processes in place to deal with these requests.

Essentially, in GDPR terminology, we made a Data Subject Request to check which companies were aware of the coming GDPR and subsequently preparing for it.

In total, we reached out to 200 companies and tested them on two things: awareness and readiness. We assigned six people to write to different companies. One of them wrote to companies from Spain, three from Germany and one from the United Kingdom (UK). So let’s summarise the results by geographic location.

United Kingdom

We wrote to companies in the United Kingdom (UK) recently.

From their replies, we gauged that 50% of these companies were aware of the coming regulation; however, only 10% of them were ready to cope with the Data Subject Requests. So we got a full Excel sheet with our entire data sent to us from the ones that were ready. However, after the initial response the Excel sheet was usually sent to us later, which is acceptable under the GDPR (note: the GDPR allows the company 40 days to respond).

Also, one of the “aware” companies clearly explained that they were engaged in a variety of activities to become GDPR compliant and at the moment could not provide a machine readable format of the data. This was definitely a sign that the company was well aware and in the process of preparing for the GDPR.

Spain

We reached out to ten companies, including names like Vodafone, Santander and Groupon. We found that 28% of these companies were ambiguously aware of it, but none of these companies were ready for the enforcement of the GDPR. It could be, and is rather likely, that since then they have at least made progress in awareness of the GDPR and are in the process of preparing for it.

However, we only say ambiguously aware because the responses we got indicated that those who were aware of it either only had a specialised email address for GDPR-related queries, which ended up bouncing anyway, or asked us to show up in person. Therefore, the awareness that they did have was not clearly translated.

Germany

Before we start, it is important to consider that we reached out to a lot more companies in Germany than anywhere else. We are based in Germany and, of course, are knowingly a little biased.

The hub of data protection, known as the place most sensitive to data privacy, lived up to its reputation.

Almost 63% of the companies were actually ready for the GDPR. These included the big automotive companies like Mercedes, BMW and Porsche. Moreover, 5% of these companies were aware of the GDPR and working towards it. So all in all, the German market seems to be quite aware of what the GDPR entails and is working towards it.

On average the response time of these companies was about 3 days, and the latest one was not any later than 7 days. This was definitely a positive indicator of readiness.

We also sent an email to companies like WhatsApp, Snapchat, Booking.com, Disney and Instagram to find out if these popular companies were ready. However, we found that none of them were ready, and we were unable to assess whether they were aware or not. Keep in mind that these Data Subject Requests were sent to them in early 2018, so it is possible that they are by now compliant. The time needed to be fully compliant actually depends on several factors, including but not limited to company size and number of processes.

These companies either did not reply to our request or we got a general automated message from them.

We also realised that no response could mean that these companies are either in the middle of their blazing GDPR activities (quite unlikely), or do not know of the GDPR and its implications (quite unlikely, and sad if true), or just do not care enough at this point (likely).

To be fair, a lot of companies are still in the process of researching and figuring out exactly what to do with the GDPR. For instance, we asked Woodpecker and one of our customers, Combyne, how they went about the process. Moreover, training and development of employees, especially in the field of customer service, is ongoing for most companies. So that in itself could be a factor in why we assessed companies as unaware, since we only judged it through the replies we got.

Compliance will most likely become a high priority for companies if, after enforcement, data authorities actually crack down on non-compliant companies and issue the dreaded fines.

If you need further guidance on the GDPR, Book a Free Demo with us!


Step-by-step guide: how to create Records of Processing Activities!

As the enforcement of the General Data Protection Regulation (GDPR) approaches, Records of Processing Activities (RPAs) is a term that is being thrown around quite a bit. It is also referred to as Procedure Index, Data Mapping or Data Flows, among others. It is what data protection authorities will need evidence of after May 2018. It is a daunting prospect for most companies, since only 34% of companies (vpnMentor, 2018) are on their way to compliance so far. To make it easier on you all, we are going to outline all the steps to keep your RPAs ready for the authorities:

Step 1: Collect the names of all the departments in your company

Think of all the functions you have in your company. Departments are not always divided clearly, especially if you are a start-up: chances are you don’t really have organised departments. So take a moment, think of all your functions and organise them in detail so that every activity you do is placed in a department.

Step 2: Fill out your basic Company Information

This includes the name of your company and the contact details of the responsible person, usually the company’s Managing Director or Chief Executive Officer (CEO).

Step 3: Pick a platform for all GDPR related documents and work

You need to decide how you want to manage all the documents together. Do you want to use Google Docs and keep them all in a drive? Or do you want to make folders on your internal company network and use Microsoft Office? Or would you like a Task Management Software for GDPR? It is important that you pick an option and then stick to it, since there will be lots of documents that you need access to. Keep them in one place so finding them is not a hassle.

Step 4: Now think of all departments that have processes for personal data

Now think of all the departments in your company that utilise personal data in one way or another, for instance Sales and Marketing, Product Development and Finance. Are these departments using any user data you obtain in any way? Make a list of these departments.

Step 5: Think of the people responsible for these Processes in each department

Think of the people who mostly manage the data-related activities in each department and make a list of them. It is important that the person you pick knows very well what the department does with the data and can answer questions relating to all such department activities. The person you pick does not necessarily need to be the Head of the Department, but rather the one who knows the most about activities related to personal data.

Step 6: Now put the information together to create a Department Profile

Now combine the two lists so that you have the Name of the Department and the corresponding contact person of the department.

Step 7: Find an Internal Data Protection Officer

Ideally, you need to appoint one person in your company who will act as the Data Protection Officer. This person can be anyone from your company and would later need some training, or would need to read the law or at least have a functional understanding of it. Ideally, this could be your Chief Operations Officer or Head of Legal.

Step 8: Sign a document with them to officially appoint them as your DPO

In order to officially appoint the chosen person as your DPO, you need to sign a document with them outlining their responsibilities and the purpose of the role, in line with Article 37 of the GDPR. Our tool provides you with the document, which you can then download and request signatures for.

Step 9: Every department makes a list of all their activities that use data

So ideally, each department should record every activity that uses data in any way. For instance, exchanging business cards would be one activity in the Marketing Department. Personnel Holiday Planning would be another one for the Human Resources (HR) Department.

Step 10: Give details of each of these activities

This is the tedious long-term task that has no shortcuts. You need to go step by step and define each activity. There are a few important points that you need to write down for each of these activities. Let’s go over these points one by one.


Step 10.1: Description of the Activity

This would include what the activity is and who the contact person responsible for the activity is. For example: IT for Employees, with someone in the IT department responsible for it.

Step 10.2: Purpose and Legal Basis of the Activity

In line with the GDPR, you have to explicitly state how this activity is aligned with the overarching purpose or vision of your company. If it uses personal data, you need to show the legal justification for obtaining this data from people: is it through consent, for instance? Or is it necessary for the performance of a contract?

Step 10.3: Data Collection and Data Processing

In this part, answer the question of whether you collect Personally Identifiable Information like name, email address, bank details etc. If you do, from where do you collect it, and do you explicitly ask for consent before you get the information? Do you give this data to third parties? If yes, who are they and what do they do?

Step 10.4: Nature of the Data

Whose data is this? Is it customers, clients, employees or partners? And what is it? Names, email addresses and bank details are some examples.

Step 10.5: Data Storage and Deletion

This is the straightforward part if your processes for this are defined. Unfortunately, most companies do not have processes for this kind of thing. It includes: how long do you store the data for? What is the exact location of this storage? And when do you delete it?

Step 11: Now combine them all in one Report

The final step is to organise all this information from different departments and people, consolidate it, make sure you are not missing an activity or details of it and put it all together in one place for the authorities.

Ecomply.io allows you to create one-click reports, provides you with all the templates as well as guidance on what information to put into the different gaps. Our Task Management Tool is based on the legal requirements of the GDPR to ensure that the guidance actually helps you understand what to do.

If you would like to check out our platform, book a free demo now.


10 GDPR questions answered for SaaS Companies

In the last few days, after our Product Hunt launch, we have received questions from people who are curious about the process of compliance. How do you start? What are some of the things to keep in mind? Since the GDPR will be enforced this coming May, we see a lot of companies scrambling to comply. We thought that an example from a company that is in the final stages of GDPR compliance would help. So we caught up with Woodpecker.co to find out what they have done, how they have done it and what they think could have helped them in the process.

1) How did you get started with the GDPR?

We’re based in Poland, so we heard about GDPR pretty soon. We’ve tried to keep abreast with the news since the moment we heard about the changes. So, we can say that we began by keeping an eye out on the discourse around GDPR.

2) What were your first steps? Please feel free to mention your steps

First, we read the whole regulation. In my opinion, there should be one person at every company who has read the regulation from start to finish. It helps a lot. Especially since there’s a lot of panic around GDPR as well as around the implications that may follow from it. Reading the whole thing clears things out for you.

Then, we found a couple of GDPR conferences. One of our colleagues, who we appointed as Data Protection Specialist, took part in those conferences and shared what she learned with the rest of us. She prepared small presentations for every department: Office Management, Sales, Marketing, and told us how GDPR will affect our work. Her input was invaluable.

We updated our Policy and Terms of Service. We reviewed our signup forms for our newsletter, downloadable marketing content and the app itself.

Then, we researched how other companies were preparing for GDPR. We decided to let our customers know what we were doing for GDPR. That’s how we created the page. It’s made to inform our customers and subscribers how we’re handling things.

3) How did you change your email marketing for the GDPR?

The first step we took was to make sure our signup forms were clear to understand, as it is one of the requirements of GDPR. The signup forms should be free of any jargon words or windy sentences. The signees should know what they subscribe to.

The subscribers should feel their personal data is secure when they give it to us, and that they are in full control of it. Of course, they can unsubscribe from our newsletter or update their data at any point. We have made sure it’s easy for them to do that.

GDPR also calls for data limitation, collecting only the kind of personal data that’s essential. It has always been the case when it comes to our marketing communication. We don’t collect more data than necessary to send a newsletter. For instance, we’re not going to call our newsletter subscribers, thus we don’t collect phone numbers.

Next, we took care of the signatures that come at the end of our newsletter emails. We made sure there’s all the information that anyone would need. We’re working on the short notification that would inform the newsletter subscriber that they received the email, because they subscribed to the blog.

4) What are 10 simple changes & advice for a marketer who is reading this blog?

  1. Don’t panic. GDPR wasn’t made to kill all of your marketing activities. It was written to protect the rights of consumers. Not to harass marketers or make their job harder.
  2. Don’t trust everything you’ve read about GDPR. A lot of stuff out there is just somebody’s interpretation of the regulation. Learn to separate the wheat from the chaff.
  3. Appoint one person at your company who’ll review the way personal data is being handled. Are you sure you know what happens with the data? Who has access to it? Is the process secure? If you have no idea, it’s time to come up with a plan to make it as secure as you can.
  4. Review opt-in forms. All opt-in forms should be short and easy to understand. They shouldn’t be written in fine print nor should they be in hard-to-see colors.
  5. Ask for the information you really need. GDPR stresses that the personal data you collect should be adequate and relevant to the purpose of its processing. So don’t ask for the company address, if you’re not going to mail the company anything.
  6. Keep your database clean. Do the major cleaning of your contact lists from time to time. If you don’t know how the subscriber ended up on your list, it’s better to either delete them or ask them whether they want to opt in for your marketing communication. Similarly, if a person unsubscribes, cross them out.
  7. Be transparent – Tell your subscribers in what ways you’re going to process their personal data. GDPR calls for transparency. The customers and newsletter subscribers should understand in what ways you’re processing their personal data and what kind of data you keep.
  8. Keep your word – if you say you’re processing personal data to send them a weekly newsletter, don’t send email twice a week. If you say you delete them from your list, do that. Now it’s even more important to keep your word.
  9. Learn how GDPR is interpreted in your own country. EU member states differ in their interpretation when it comes to the regulation.
  10. Inform your newsletter subscribers and customers about what you did to be GDPR compliant. We still receive some questions about whether we think App A or B is GDPR compliant. And we can’t say unless this company released a GDPR statement.

5) How long did it take for you guys to be GDPR compliant?

To be honest, we’re at the finishing line. We still need to polish a thing or two. We’re sure to announce it within a week or less. We’ve been working on it for a couple of months, because we process our users’ personal data and our users process personal data of prospects. We need to work our way through GDPR compliance.

6) What piece of advice – would you give to the readers who are starting now?

Don’t try to do everything at once. It might be overwhelming. Especially since there’s a lot of contradictory advice on the Internet. Start with baby steps. That’s how we came up with the idea of creating a GDPR checklist available on our blog. If you don’t know what to do, take a lawyer’s advice. But I’m sure you’ll manage to take care of GDPR compliance on your own.

Start with thinking what data you collect and where from. It is not only the pillar of conducting risk assessment. It will also help you realize what kind of data security policy you need.

Change the way you think about GDPR. It isn’t a policy which covers mistakes in the current system but policy which showcases how the system works.

7) Would a step-by-step and simple to use GDPR solution make sense if people are starting now?

That would be even better. I think the compliance took so much of our time because we didn’t have everything in one place. Had we had a solution to keep our work organized, it would have taken far less time to become GDPR compliant.

8) How much did you hate using spreadsheets for the GDPR?

We have the GDPR documents scattered around, because there is a lot of information to keep an eye on, likewise, we have had to review our database and do everything in our power to secure the personal data of our users and newsletter subscribers. It got really hectic. If we had an app or something that would keep everything under one roof and let us collaborate, we’d be thrilled.

9) You mentioned here – “make a list of all the in-app areas that need to be taken care of to comply with the regulation (COMPLETED)” – What were those changes?

As a sales automation tool, Woodpecker is both data processor and data administrator. We process personal data and allow our users to process personal data of their prospects. That’s why we needed to review how we process personal data and how others can process personal data in the app. We need to be cautious about our users’ data. And we need to make it possible for our users to process the personal data of their prospects in a way that is GDPR compliant.

10) Do you have an example of a cold email you write to your business contacts based on the GDPR who have not opted in?

An email body doesn’t change much from what it was before. There are two things that need our attention when writing a cold email though. The first thing is having a tightly targeted list of prospects. A spray-and-pray approach has never been effective, but now it’s illegal under GDPR. When we decide to send somebody a cold email, we should be able to justify why we chose a specific person to be on our cold emailing list. Our business statute should be tightly connected with theirs.

The other thing is that we should be transparent. We should include information, or at least be prepared to give it when asked to, that we’re processing our prospect’s personal data and that prospects can opt out from receiving further emails from us any time they want. We have an example of that in our article about GDPR.

You can check out Woodpecker.co right here!

And if you are confused about how to start your compliance process or are drowning in heaps of excel sheets, book a free demo with us!


Why combyne uses ECOMPLY.io

Combyne, the mobile app, solves the age-old dilemma of picking the perfect outfit for different outings and events. Now you can simply create outfits using different clothing items from your favorite brands. You can also take a photo of any of your own clothing items and add them to your outfit.

So basically, you can dress on your phone saving you the hassle of actually trying on each outfit before you decide on the perfect one.

We caught up with Christian Dienst, the Chief Operating Officer at combyne to find out why they chose to trust ECOMPLY.io to manage their GDPR compliance.

What is GDPR according to you?

Christian: I believe it gives businesses and organizations the chance to outline their internal data structures and improve their systems accordingly. In the end, it is an international standard that companies need to adhere to in order to protect their customers and employees’ data and privacy.    

Why did you need to be GDPR compliant?

Christian: From day one of our GDPR journey to compliance, the most important factor for us has been to provide data protection to our users and employees. Even if we are not at all involved in large-scale processing, GDPR has given us the opportunity to organize ourselves and our internal system and also to improve our data management approach. We felt that by establishing a data-conscious environment, our user community and partners can only benefit more from our products.

Why did you choose ECOMPLY.io?

Christian: After we came up with a strategy on how to tackle our data processes, we thought that ECOMPLY’s integrated format could benefit us greatly. Given that we are still a small company (according to the GDPR guidelines), we were really happy to have found a simple, accessible platform that would allow every member of our team to understand and add information.

Who works with ECOMPLY.io? How does it fit into your own processes?

Christian: During the “mapping” stages, just a small part of the team was involved. We needed to figure out how to approach this and to select the processes that we knew for certain involved collection and use of personal information. Afterwards, we managed to bring in the whole team, and everyone’s input proved to be extremely helpful.

How did ECOMPLY.io add value to your GDPR journey?

Christian: For us, ECOMPLY has been an effective facilitator. By having access to a comprehensive list of processes, requirements, and explanations, we managed to save a lot of time and effort. After selecting the appropriate processes, we were able to add our own internal activities. This helped us build a comprehensive database of processes, in a single format. Also, the ECOMPLY team has always been open to answering questions when we couldn’t figure something out.

What were the alternatives?

Christian: Obviously, the alternatives would have been organizing the departmental information, creating templates and using all sorts of documents. We would have been required to spend a lot of extra time on creating an accessible format and then to add our input. That would have significantly delayed our GDPR compliance journey!

Any final thoughts?

Christian: Ecomply offers a simple, step-by-step approach to comply with the GDPR at an attractive price and with great customer service.


Inspired by combyne’s journey to compliance? Get a free demo now!

Want to Dress on Your Phone? Download combyne


GDPR Compliance Tools: Why ECOMPLY.io?

The General Data Protection Regulation (GDPR) is ripe and the market is buzzing with many different compliance tools. Some are super helpful, others are mildly so and some are simply pretending to be helpful to get some benefit out of jumping on the GDPR bandwagon.

We thought we would tell you exactly what it is that we do that helps you with compliance. So here goes!

Do you want to spend 100s of euros on document templates like the ones by Certkit?

You must fill out the documents and log all your activities for all your departments anyway. Paying money for Word, Excel or other templates that you then have to fill in yourself, without any guidance, is not worth what you put in.

Ecomply.io has these templates with all the content as well as guidance on what is relevant for different fields. So, you won’t face any confusion about what you should write in the template.

Do you want to hire an external consultant for all the work?

It is not just the cost of the external consultant but think about all the time your company will spend on finding the right consultant or firm. Giving them a rundown of everything your company does, answering their questions, getting them to sign all the NDAs, setting up accounts for them and all the other organizational tasks that your company would have to do just to start them off.

It would easily be a week of just onboarding them! And what’s more: even external consultants recommend using us.

Ecomply.io replaces about 75% of the work an external consultant would do. The remaining 25% is essentially writing new policies in line with the GDPR.


Do you want to sit down in countless back to back meetings to fill everything out?

Think of all the meetings you would have to hold if you filled out everything yourself. First, prepare and organise a kick-off meeting. That means understanding the GDPR with all its intricacies and condensing it into a workshop for the other departments and people. After the initial meeting, you would still have to get people to write down or otherwise record all the ways in which they use data. Then follow-up meetings, making sure everyone delivers on time, clarification meetings and so on. This would be the norm!

With ECOMPLY.io, you can simply add people from different departments to work on their activities and track the overall progress.

Do you want Excel sheets and more Excel sheets and more Excel Sheets?

Don’t forget that this means an unimaginable number of Excel sheets. Imagine every department filling out all its activities and all the details it collects, ranging from the name of a user or consumer to their login dates. Then you have to extract the relevant information from all these department-specific reports and combine it according to the requirements of the Data Protection Authorities.

With ECOMPLY.io, you can generate this report with one single click.

Here is a table we compiled that can further help you with the comparison:

If you have any questions about the GDPR, book a free demo with us now!


How long does GDPR Implementation take?

56 days left until GDPR enforcement, and we hear a lot of companies wondering how long it actually takes to become compliant. This is the omnipresent question that companies, executives and pretty much everyone else are asking these days. So we decided to try and answer it for you. We surveyed about 15 experts to help us.


The first thing to realize is that compliance is a step-by-step process and depends on a number of factors, such as the number of employees and processing activities, among others. Here are some basic assumptions that we have made:

1) We exclude big multinational firms from this survey, since they have complex structures and estimating the time for them would require extensive research into those structures.

2) The company size we have set for this blog is a small or medium-sized company with 50 to 250 employees in total.

3) We exclude financial, health, recruitment and market research companies, since they are more complicated.

However, the experts whom we surveyed were able to tell us from the get-go that the amount of time needed to become GDPR compliant depends on a lot of different factors. Some of these are:

  • Commitment to compliance
  • Number and type of processes
  • Number of vendors
  • Type of data
  • Knowledge
  • Prior Processes
  • Number of employees

Moreover, everyone needs to understand that compliance is a step-by-step process that also requires long-term commitment and integration into the existing structures and processes of the company.

So take a deep breath…

And let’s break down this big term into some basic, simple steps:


Step 1: Pre-Assessment

Before you start down the compliance path you need to take stock of what your current state of compliance with the General Data Protection Regulation (GDPR) actually looks like. The pre-assessment depends heavily on the size of your company and the processes you have. The aim is usually to figure out the resource commitment your company needs in order to comply.

Through our survey we found out that half of the experts whom we surveyed estimated that for a company between 50 and 250 employees, it would take on average 15 hours to complete a pre-assessment.

The important thing to remember here, is that setting the scope and ensuing commitment to your assessment as well as the extent of prior knowledge you have will play a determining role in how long pre-assessment will take.


Step 2: Creating Records of Processing Activities

Keeping Records of Processing Activities (RPA) is a stipulation of Article 30 of the GDPR, which explicitly requires businesses to document their processing activities, recording the purposes of processing, the categories of data and data subjects, the recipients the data is shared with and the retention periods. These records must be made available to the supervisory authority on request (in the UK, the Information Commissioner’s Office, ICO). In short, every stage the data passes through has to be documented for the authorities. If you are confused about the RPA, you can check out this video and get it cleared up.

This is, of course, highly dependent on what the company actually does and its related activities. For instance, a headhunter holds personal data that they have to document. This could include candidates’ names, current position, company, date of birth and much more. Every step this data goes through has to be documented so that if a Data Subject asks how their data is used, the headhunter is ready to answer.


The opinions of the experts we surveyed were quite dispersed; on average they estimated that it could take 40 hours.


Step 3: Evaluate the third parties

This is a critical step in becoming GDPR compliant, and one that needs special attention, since outsourcing and having several vendors is such an integral part of most businesses today. Vendor risk management (VRM) from a GDPR perspective means making sure that every service you use does not put you in breach of your data protection obligations or create disruptions for you. Where a vendor processes personal data on your behalf, Article 28 also requires a written contract with that processor, so each vendor relationship needs to be checked and documented.

This, according to our experts, could take you on average 30 hours and depends again on the type of work your company does and the number of vendors you have.


Step 4: Data Protection Impact Assessment

A Data Protection Impact Assessment (Article 35 of the GDPR) is the process of identifying, assessing and minimising the risks that a processing activity poses to the people whose data is involved; it is mandatory where processing is likely to result in a high risk to them. In practice an external consultant often helps the organization carry it out. An overwhelming majority of the experts we surveyed were of the opinion that an external consultant doing this for a client would need around 25 hours on average.


What happens after you become compliant?

If you thought it was a one-time thing, then you were…

Being compliant is a process which changes as your company grows, evolves and modifies its operations. It’s important to think of it as an ever-present goal for your company.

Our experts estimate that keeping up compliance would take on average 75 hours per year. Some of them were also of the opinion that the company’s Data Protection Officer (DPO) should calculate the hours based on the Data Protection Impact Assessment.

To conduct an annual Data Protection Audit, our experts were once again very divided. The average response came to about 10 days a year.

We think that automating your compliance process will save you a lot of hassle and will replace the external consultants you would otherwise have to hire (at an average cost of about 150 euros per hour, according to our experts). In short, we suggest that you estimate the time you need in your pre-assessment holistically, taking all your activities into account.

Key takeaways:

1) If someone charges less than 100 euros per hour, ask yourself whether they really want to make you compliant or just want to sell their services.

2) Automating compliance will make the GDPR project about 5x faster, since it reduces the amount of prior knowledge you need to collect and assess.

3) Software will also make compliance easier to manage in the future, since you can track your progress and see what still needs to be done.

4) Overall, the GDPR project takes more than 200 hours if you have done nothing at all.

“Execution is key but endangered by overthinking.” (Lisa, Scalable Capital)

Book a Demo with us to learn more about how we can help you comply!

Some of the experts helped us to collect this data and wished to be mentioned here. If you want to connect with the experts, feel free to contact them on LinkedIn:

Christian Schmoll, g3s Rechtsanwälte

Jodi Daniels, Red Clover Advisors

Lisa Gradow, Scalable Capital

Mandy Webster of Data Protection Consulting Limited


How Cambridge Analytica’s Trump campaign fiasco could have been avoided!

Since the news broke of what Cambridge Analytica had done, there has been a media frenzy of stakeholders reacting, accusations being thrown around and public outrage at what is considered a gross breach of consumers’ trust. Suffice it to say that Facebook has a lot of assurances to hand out to its angry users.

With the adoption of the General Data Protection Regulation (GDPR) and its long overdue enforcement, will incidents like this be deterred?

Let’s make some sense out of all the noise surrounding the issue and answer this question.

What in the world has happened?

Cambridge Analytica (see their webpage: https://ca-political.com/) claims as a company to lead data-driven political campaigns, which, given the political arena today, seems like a rather smart thing to do. However, the question arises: how do they get access to this data and how do they collect it?

This is where the problem lies: in 2014 Cambridge Analytica acquired data from 50 million Facebook users and THEIR FRIENDS without them being made aware of it…


...to build psychological profiles of consumers to effectively target them with content to carry out political campaigns.

The primary issue in data privacy, in this case as in general, is informed consent. The fact that the people, or Data Subjects in GDPR terminology, did not know that their data and their friends’ data was being used for the purpose it was actually used for, namely political campaigning, is the problem. And this is where the GDPR steps in.

GDPR - the savior?

The GDPR addresses this in three ways:

  1. Companies may only collect data that is aligned with a specific, stated purpose, and they need a legal basis for that purpose (purpose limitation and data minimisation).
  2. Where consent is the legal basis, the company has to obtain it in a clear and concise manner (so goodbye huge, complex consent-taking essays).
  3. The person has the right to withdraw consent at any moment, so if they learn that their data is being leveraged to design a political campaign for a candidate they don’t like, they can easily retract their approval.

Another thing that the GDPR does is that it makes it mandatory for companies to list their processes, document their processing activities and make maps to ensure transparency for their consumers as well as the authorities.

Did Facebook have Technical and Organizational Measures in place to deter this kind of incident? Who knows? But if they did, clearly they were not effective enough, since a third party, Cambridge Analytica, was able to harvest the data to its advantage through an application. Under the GDPR, the path that data and its processing take inside the corporation must be documented, so that the Data Subject knows exactly what their information is being used for.

It also puts pressure on C-level executives to take proper measures to comply: the fines the GDPR provides for are imposed on the company, and can reach up to 4% of global annual turnover, so any personal liability of executives follows from national law and from the damage such a fine does to the business. Either way, it is very much in the interests of CEOs to make sure that slips like these do not happen.

In short, after the enforcement of the GDPR, incidents like these will be heavily penalized, and prevented to a degree by the required documentation of processes. In a post-GDPR world, what Cambridge Analytica did will, for all intents and purposes, be illegal, and the failure of Facebook’s processes would be severely punished as well.

So yes, we definitely believe that the GDPR will be a hero of sorts and will empower people through greater autonomy over their data.

If you want to know how we can be the Robin to your GDPR, book a demo with us!

Disclaimer: the picture in the featured images has been taken from AIB (http://allindiabakchod.in/)


Pimping Up Your Sales in a post GDPR World!

Most people think of the coming enforcement of the General Data Protection Regulation (GDPR) as apocalyptic for sales! While it is true that the GDPR will fundamentally change the way sales works, contrary to popular belief, all it requires is an understanding of the implications of this law and finding out what’s possible and what’s not. And that’s where this blog comes in…


For me, sales used to be all about automatic email marketing (Hallelujah automation) and making my outbound emails perfect, personalized and pretty. The email would have one Call-To-Action (CTA) and move the leads in the funnel to the next step, such as a demo, an exploratory call or landing them on my specific page (a bit of narcissism never hurt nobody). Moreover, I was also a great cold caller, someone who could get past the gatekeeper and move up the hierarchy very easily. I used to love it. What better way of telling a customer that what they really need is my SaaS solution and that they should stop working manually! However, this is what we can’t do any more.

Assuming that we all know the basic tenets of the GDPR (in case you don’t, catch up here: https://www.eugdpr.org/), I have highlighted all the FAQs here and will move on to more practical steps. Obviously, DISCLAIMER: these are just my opinions and not legal advice in any manner. So, what is it that you cannot do as a salesperson after May 2018?

  1. You cannot send a cold email! Basically, you cannot send any kind of electronic message (SMS, MMS or email) to a customer who has not given consent to receive it. (Strictly speaking, the rules on unsolicited electronic marketing come from the ePrivacy rules that sit alongside the GDPR; the GDPR adds the requirement for a lawful basis and for transparency about what you do with the data.)
  2. You are also prohibited from cold calling customers: even if you found their number on a public website or in their signature, you cannot cold call them! (Exception: cold calling is not forbidden in the UK yet.)
  3. You are also not allowed to put their details in your CRM system without their consent.
  4. So, GDPR is all about CONSENT. But what does consent really mean here? It means that if you want to optimize your sales activities, you need to inform customers exactly what you are doing with their data and which tools you will be using.
  5. You cannot keep a prospective customer’s details in your CRM for an unlimited period of time, so make a habit of periodic deletion.
  6. You cannot put the customer’s details in a sales automation tool and track their open rates, click rates or download rates without their consent.
  7. You cannot scrape personal data from Facebook, LinkedIn, Quora or Product Hunt and send targeted emails based on your scraping.
  8. Forget about buying third-party lists…
  9. …or any other cheeky technology for finding people’s email addresses and phone numbers.
  10. Finally, you also cannot rely on the age-old opt-ins in your database!

This all sounds horrible, right? As if the GDPR actually stops you from doing proper business. Well, not exactly!

The GDPR was adopted to give consumers more control over their data and to let them exercise privacy as a basic human right. That is a groundbreaking first step towards empowering our consumers.

So how should we carry out Sales then, you ask? Well, let me give you some practical advice.

Here are some of the ways I have adopted in sales:

LinkedIn is your friend:

  1. Use it heavily as a social selling tool!
  2. Moving a lead from LinkedIn: once they accept your request, get their consent, and inform them how long you will retain their data and what you will be doing with it. Put this in your CRM, and start selling!
  3. Use inbound methods: let the leads come to you via your inbound marketing channels such as case studies, ebooks, guides, blogs, etc.
  4. You can still send LinkedIn InMail via LinkedIn Sales Navigator.

Events:

  1. Be great at event marketing. Research your prospects and personalize your message to them when you see them at an exhibition.
  2. Attend targeted events where your customers are likely to be.
  3. Use Meetup.com as a way to engage with the topic you specialize in.
  4. Start building genuine relationships and network with people at these events.
  5. Go to the events where your customers are exhibiting and try to talk to them. They’re open to listening to you, so try to find a middle ground with them (of course, you might stumble upon an unhelpful salesperson there, but be reasonably persistent).

Thought Leadership:

  1. Organize topic-related webinars: look out for the pet peeves of your customers.
  2. Use LinkedIn and Medium to share your opinion about their industry via blogging.
  3. Use your company’s inbound strategies effectively to get a ‘double opt-in’ or a ‘soft opt-in’.

Growth Hacking and Happy Customers:

  1. Obviously, you cannot reach customers with bulk messages, but you can still use referral tools, influencer marketing and other channels where customers have given you consent.
  2. And traditional word of mouth still works! Ask your happy customers to refer you to your next prospect. Ask your unhappy customers for feedback and forward it to your dev team. In fact, prepare an email for your customers so that providing a referral or feedback takes them as little effort as possible.

Mailing:

  1. And of course, get ready to send mail by post (the old-school way). Under the GDPR, you can still personally send letters, postcards and mailings to your prospective customers. I’d suggest writing by hand and personalizing as far as possible for your customer. Who doesn’t like a beautiful handwritten note?! (It is not scalable, so refrain from spamming by mail.)

Hope this helps you navigate the post-GDPR world of sales! Remember: it is a very solid step towards reducing the exploitation of private data and towards genuinely connecting with your customers. If you are a small or medium-sized business confused about what GDPR compliance means for you, get in touch with us here.

Embrace the change and comply!