A Beginner's Guide To School Data Protection Policy

As an educational institution, you have unique stakeholders who will be impacted by the General Data Protection Regulation (GDPR). This School Data Protection Policy guide takes you step by step through the actions you need to think about when planning your compliance.

Who will be impacted by this Data Collection?

The first step, as with any organisation taking its first steps to comply, is to understand how data travels through your organisation and who touches it along the way. The questions to think about here are the following:

Whose data are you collecting?

For a typical school this would include the contracts of your teachers, teaching assistants, administrative staff, Principals and Vice Principals, but also of caretakers and students. All of this is categorised as personal information. It also includes any digital or other pseudonyms by which a person can be identified.

These are the types of data you must map:

Personally-Identifiable Information

Any data that can help identify an individual. Examples of personal data include name, location, personal identification number, hair colour, lists of customers' (parents', students') names and addresses, IT usage data, traffic data, information about education, income and licence plate number.

Sensitive personal data

Like personal data in that it identifies an individual, but more damaging to privacy if breached or exposed. Examples of sensitive personal data include religious beliefs, race, political opinions, sexual orientation, physical and mental health conditions, biometric data and genetic data.

Biometric data

Any data that is used to identify a human being by his/her unique characteristics. Digital fingerprints are one example of biometric data. The GDPR states that the processing of such data is prohibited unless the data subject (user/consumer) has given consent and the processing is necessary for specific reasons, such as protecting the vital interests of the individual.

Updating the parents

As a school, you will naturally have a lot of students who will be too young to give you qualified consent. This essentially means that you have to inform the parents about all your data processing activities and obtain consent from them.

As providers of childcare as well as providers of education, it is important for you to create an atmosphere of trust and build up your reliability among parents with regard to data protection. Taking steps to ensure that parents' and their families' data is adequately protected will reduce subject access requests later.

Below are the important points you need to mention in your letter to the parents. Make sure you customise it to your needs: a kindergarten will have different data collection and processing methods than a high school.

You should start off with a brief description of what the General Data Protection Regulation (GDPR) is. In this part, you should also inform the parents of their rights:

The rights of the data subject (individual):

  • information about the processing of your personal data;
  • obtain access to the personal data held about you;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of your personal data for marketing purposes or on grounds relating to your situation;
  • request the restriction of the processing of your personal data in specific cases;
  • receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  • request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right, in this case, to express your point of view and to contest the decision. (EU GDPR, 2018)

Access for Parents

Tell parents how they can access your privacy notice and data protection policy (this could include a link to your website), and how you are complying with the new regulations:

  • what data you are storing
  • how you are storing it
  • how you are sharing it and with whom
  • how long it is retained for
  • how it is destroyed and when

You should also inform them who they need to contact (ideally your Data Protection Officer) regarding any questions they may have on data protection, or to request access to information.

Include a link to your Data Protection Authority's website so parents can learn more about the GDPR if they are interested.

You could also ask parents to review the information that you are storing on them/their child and to confirm that it is still current or make amendments as appropriate, or to revisit consent for the use of photographs of their child.

You may use this communication as an opportunity to ask parents to sign a new contract with your organisation that includes new data protection wording compliant with the GDPR.

Using Online Tools in Schools under The GDPR

The GDPR and the Data Protection Act 2018 say that only children aged 13 and above are able to provide their own consent for commercial internet services to process their personal data.

Online services are the only context in which the GDPR and DPA 2018 define the age at which children can provide consent.

A Child’s Consent Under the GDPR

Conditions applicable to child’s consent in relation to information society services

  1.   Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

       Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

  2.   The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3.   Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Services provided ‘directly to a child’

This rule applies specifically to services which are considered to be provided “directly” to children, and where consent is the lawful basis for processing the child’s personal data.

“Directly to a child” means that a child can access the service independently – for example, via an app store. This is irrespective of whether the child signs up independently or whether the service is provided to them under a contract between the service and their school (or another organisation).

These services are referred to as “information society services” in the regulations, and include social media, educational apps and online platforms.

The rule described above is primarily directed at providers of such services. Typically, a child signs up and submits their personal data directly, so the provider needs a lawful basis to process this data.

Prerequisites for your Organisation’s Compliance

Document all personal data your Organisation holds

GDPR requires you to maintain records of processing activities. If you want a detailed guide on how to do this, read our blog on it.

Your organisation must document all the data that it holds, where it came from and how it uses that data, wherever that data relates to an identifiable person. Furthermore, your organisation must be able to submit up-to-date reports, so-called records of processing activities (RPA), to the competent data protection authority at all times.

Developing the records of processing activities is also a key step because it enables the organisation to evaluate the whole process and understand where corrective measures have to be taken. Without such a record, compliance with any further requirement of the GDPR cannot be achieved.

Checking if your data processing adheres to the individual rights

Now that you have sorted your data, you have to legally review all procedures concerning personal data. Are they compliant with the GDPR or not? The answer is complex and is usually the work of a lawyer. Generally, you must keep in mind that processing activities concerning personal data might affect the rights of the individuals. Those processing activities therefore always have to be justified.

Requests for subject access

Your organisation should update the procedures and must plan how you will handle subject access requests to take account of the new rules. In most cases, you will not be able to charge for complying with a request.

You will have a month to comply, rather than the current 40 days.

You can refuse or charge for requests that are excessive, but you will need to provide requesters with their data in a machine-readable format. If you refuse a request, you must tell the individual why, and that they have the right to complain to the supervisory authority and to seek a judicial remedy. You must do this without undue delay and, at the latest, within one month.

Data Protection Officer (DPO)

Your organisation will probably have to appoint a DPO to take responsibility for regulatory compliance.

This DPO will report to the highest position in the firm and has to make sure the organisation takes the measures needed to bring its processes and information flows into line with the GDPR. Specific conditions determine when a DPO is mandatory; in any case, it is a good idea to have a specialised role within the organisation.

Another option is a virtual DPO, who can help your organisation be GDPR compliant. The best part is that it costs much less and reduces the organisation's man-hours involved by 75%!

Data Protection Impact Assessment and Protection by Default and Design

Your organisation has to evaluate in depth the processing activities it will require for each category of data it collects, in order to analyse the risks they may pose to the data subject. Every piece of software used, activity performed and measure taken must have protection by design. This ensures that there will be no breaches and no vulnerability regarding the security of this data, and no harm to the rights of the data subject.

If the processing activities or the data are susceptible to high risks, an impact assessment must be performed to evaluate the right measures to take to minimise this risk. Important measures for providing this security are pseudonymisation, data minimisation, ensuring the erasure of data in line with the consent deadlines, and granting access to the data subject.

Data breaches and notifications

Your organisation must adopt internal procedures for dealing with data breaches, and require the same of third-party partners.

Those procedures should include identification of the actual data breach, investigation of the circumstances of the breach, and assessment of the implications it may cause both to the Organisation and to the data subject regarding his privacy.

One thing to remember is that the breach must be reported to the Supervisory Authority within no more than 72 hours when the data subjects are exposed to some kind of risk, and in those cases the data subjects also have to be notified.

Applying the rule in a school setting

The rule becomes more complicated to apply in a school setting if you’re using this type of service because consent will be between the child/parents and the service provider. So, if consent is refused, you won’t be able to use the service with those children.

Steps to take before you use any online service with pupils

  1. Determine whether pupils’ use of the service is necessary for educational purposes (see below). This will inform what lawful basis you can use if the school itself will be processing any personal data, and the measures you put in place to protect pupils’ data.
  2. Conduct a data protection impact assessment to identify and minimise the data protection risks and determine whether you should proceed.
  3. Look into the service provider to establish, to the best of your ability, whether it complies with data protection regulations.

What counts as necessary for educational purposes?

It’s up to you to determine this in your own context, but Forbes suggested that, typically, a service will be considered necessary where the nature of it will require the school and service provider to share pupils’ personal data between them.

For example, an online platform that supports or enables standardised assessments and decision-making will help to achieve learning objectives and is likely to need to receive personal data from the school and send personal data back in return – such as pupils’ scores. This may be considered necessary for educational purposes. Similar principles are likely to apply to a homework portal.

However, if you want to use a social media platform to research photos in class, this may be considered more of a ‘convenience’, with a higher risk to children’s privacy if you do not have a data sharing agreement in place with the provider. There may also be alternative approaches available with less risk to children’s privacy. This would be harder to justify as necessary for educational purposes.

Identifying a lawful basis

If pupils’ use of the service will require the school to process any personal data – i.e. if you need to collect and share data with the service provider, or will receive data back from the provider – you’ll need to identify a lawful basis for this.

If you can demonstrate that the service is necessary, then it’s most likely that you’ll need to justify this processing under the public task basis. Otherwise, if using the service isn’t necessary for educational purposes, you’ll have to rely on consent.

If the school will not need to process any personal data in order for pupils to use the service – i.e. if pupils will sign up independently and the school will not receive any data from the provider – then you’re not acting as a data controller and will not need to identify a lawful basis. However, this carries more risk and, as we explain later, you must not require pupils to use an online service where this is the case.

If the outcome of the data protection impact assessment is that you can proceed, take the steps below. If not, consider alternative ways to achieve the same aim with less risk to children’s data privacy.

Additional actions if the service is necessary for educational purposes

Note: this will be the safest option for you, and most likely the only justifiable one if you require pupils to use the online service.

Where you have determined and can demonstrate that using the online service is necessary for the education of a child, and justifiable under the public task basis, you should:

  • Enter into an agreement/contract with the service provider. This means you’ll retain control of the personal data and therefore minimize any data protection risks. Make sure your contract covers the terms and information about data protection required by the GDPR
  • Share only the personal data that the provider needs to perform the services
  • Incorporate information about your use of the service and the personal data you exchange with the provider in relevant privacy notices. You can also link to any privacy information from the provider

Additional actions if the service is not necessary for educational purposes

In this situation, you cannot require pupils to sign up for the service.

Where you’ll need to process personal data in order to use the service

You’ll need to rely on consent as your lawful basis if you’ll need to collect and share any personal data with the service provider, and/or receive personal data back when pupils are using the service.

Pupils or their parents/carers must be able to give or refuse consent freely.

You must:

  • Request consent, ensuring that your request meets the requirements of the GDPR, before using the service with the pupil.
  • Provide a privacy notice explaining what the programme or service does, why and how the school uses it, what data it will require from pupils, and what rights pupils have. You can do this by incorporating information on sharing data with third parties in your privacy notices, and by linking to privacy notices for the services you use in an appropriate place

You should also put in place a written data sharing agreement with the provider.

Where the exchange of personal data will only be between the pupil and the provider

In situations where a pupil will be signing up directly with the service, and no personal data will be exchanged between the school and the provider, the issue of consent and providing relevant privacy information will be between the provider and the pupil.

There will be no useful reason for you to obtain pupil or parental consent for this, as you’ll not be processing any personal data in relation to the pupils’ use of the service.

As stated above, you will not be able to require pupils to use services in this case.

If the purpose of using a service where the exchange of personal data will be between the pupil and the provider is to support the delivery of the curriculum, you should seek safer alternatives. For example, using social media such as Instagram and Pinterest in school to research, and share, images is difficult to regulate and monitor. In this instance, the curriculum could be delivered using other resources such as search engines for researching images and secure cloud storage to enable students to upload and share images.

If you decide to use social media platforms, you should ensure that parents are fully informed as to how it will be used and the potential risks associated with its use. Mark suggested that you seek parental consent in this instance due to the potential safeguarding risks. As explained above, parental consent will not be needed for the processing of personal data.

As a school, your responsibility lies towards your students, which will usually mean getting parents on board. This law is essentially empowering for both organisations and consumers. It allows you to garner trust among parents as well as build an organisation based on the principles of data protection.


If you have any questions or concerns as a school about the GDPR, book a time with us.


Guide To Developing Your Data Protection Policy

Developing a Data Protection Policy

According to the General Data Protection Regulation (GDPR), every company needs to have data protection goals. These goals also need to be translated into policies in areas that heavily process data. There are numerous such policies, one of which is the Data Protection Policy, which sets some of the criteria that a Data Protection Officer has to follow.

A company needs to also ensure that the principles of the GDPR are incorporated into their organizational structure. This is a step by step guide for how an organization can have compliant GDPR policies within their organization. It will start off with a memorandum to the Board of Directors informing them of what the GDPR will entail for the company. It will then give you a basic template of how to inform your employees about the collection and processing of their data.

Memorandum to Board of Directors

To the Board of Directors [add your Company Name] and its affiliates (Company):

The EU General Data Protection Regulation (GDPR) will become effective on 25 May 2018. The GDPR will bring considerable changes to data protection laws in the UK and across the European Economic Area (EEA). It will include significantly greater fines for breaches of up to €20 million or 4% of total worldwide annual group turnover. This memorandum summarises the need for a Company-wide programme (GDPR Compliance Programme), requiring the allocation of resources, for compliance with the GDPR.

Issues Concerning Data Protection Under The GDPR:

Under this section, you should explain what type of data is being collected and processed, for example whether personal data is held by the Company relating to customers, employees or any other parties. The second part of this section should be an example of a map of personal data flow. You need to clearly lay out how the data travels within the company and record whoever touches this data, no matter how briefly. If this data is to leave the borders of the country your company is located in, make sure to mention that as well, since it will require signing a Data Protection Agreement with your vendors (international and local ones).

Reiterate in concrete terms what failure to comply would mean for the Company and the Board of Directors. You should also give a brief description of “Personal Data” as defined by the GDPR.

Here’s an example of how you can add both:

Personal data is defined broadly and comprises data relating to any living individual who can be identified from that data. Personal data includes:

  • Social security numbers.
  • Telephone numbers.
  • Health information of, for example, customers and employees.

There are many potential ramifications of failure to comply with the GDPR, including:

  • Prosecution of or regulatory enforcement action against the Company, resulting in substantial penalties in European Economic Area (EEA) jurisdictions, including the UK, of up to 4% of an annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater).
  • Adverse publicity, potentially leading to reputational damage and lost customer trust.
  • Missed opportunities and wasted resources.
  • A variety of sanctions in different jurisdictions.
  • Increased scrutiny from data protection authorities whose confidence and powers are increasing substantially under the GDPR.
  • Civil liability or punitive damages for employment-related breaches.
  • Criminal liability for directors and senior managers resulting in imprisonment and substantial penalties.
  • Critical system delays and failures.
  • Orders issued by the Information Commissioner’s Office in the UK, and data protection authorities in other key markets, that seriously impact business. Investigative powers include a power to carry out audits, as well as to require information to be provided, and to obtain access to premises.
  • Business continuity issues.
  • Becoming embroiled in litigation and its attendant time, effort and expense.

An individual has a fundamental right in the UK and across the EEA to have their personal data protected and their personal data may only be processed (that is, obtained, recorded, held, used or disclosed) under certain circumstances. This has a wide impact on Company business.

The GDPR Compliance Programme:

A well-constructed and comprehensive Company-wide GDPR Compliance Programme can provide a solution to these various competing interests and represents an effective risk management tool. It is essential for compliance and for the purposes of informing your employees, customers, vendors, business partners, regulators and the courts that your Company is, in fact, committed to the GDPR principles of data protection.

Board’s duty to know about and oversee the GDPR Compliance Programme:

You need to inform the board of what their duties and obligations are. Here’s an example of how you can do this in a comprehensive manner.

The Board has a duty to know about the content and operation of the GDPR Compliance Programme and to oversee its implementation and effectiveness appropriately. The GDPR’s new accountability principle requires data controllers to be able to demonstrate compliance with the GDPR by showing the supervisory authority (the Information Commissioner’s Office in the UK) and individuals how the data controller complies, on an ongoing basis, through evidence of:

  • Internal policies and processes that comply with the GDPR’s requirements.
  • The implementation of the policies and processes into the organization’s activities.
  • Effective internal compliance measures.
  • External controls.

Failure to comply with the accountability principle may result in the maximum fines of up to €20 million or 4% of total worldwide annual group turnover.

Implementing the GDPR Compliance Programme:

The prerequisite for this section is to already have an idea of what your implementation plan will look like. If you do not yet have a plan on how you will ensure compliance within your company, make sure you make one first. You can also follow the steps below to make a skeleton of this plan. It is essential that you have at least appointed a Data Protection Officer (DPO) and have your Records of Processing Activities (RPAs), which serve both as a Data Flow Map and as the basis of your plan. Here’s what you can do and subsequently communicate to your Board of Directors.

Data Protection Officer (DPO)

Under the GDPR it is now mandatory for the Company to appoint a data protection officer (DPO), reporting to the Board. The DPO’s role is to provide the knowledge, expertise, day-to-day commitment and independence to properly advise the Company of its duties and conduct compliance activities in relation to the GDPR.

However, taking into account the complexity and risks associated with the GDPR, we should consider carefully whether we should appoint a DPO, in any case, to report to the Board. The DPO would be responsible for providing the knowledge, expertise, day-to-day commitment and independence to properly advise the Company of its duties and conduct compliance activities in relation to the GDPR.

Organisational Culture

A co-ordinated chain of command (in which the Board is designated as having ultimate responsibility) will need to be developed, together with written reporting procedures, authority levels, and protocols, including seeking and complying with legal advice.

The Company should consider the establishment of a working group, drawing on stakeholders from across the business, to take responsibility for the day-to-day management of the GDPR Compliance Programme.

Standards and Procedures

The privacy policy, Data Protection Policy, IT Security Policy and Data Retention Policy [List any others] are key elements of the GDPR Compliance Programme. Amendments are likely to be needed to the existing policies. Separate policies may be appropriate where the Company collects different types of personal data for different purposes, such as marketing and recruitment. In each case, the policy needs to be accessible at every relevant personal data collection point, for example:

  • Call-center conversations.
  • Online account and job application forms.
  • Business acceptance procedures.

The Company will need to carefully review existing procedures in relation to obtaining an individual’s consent as a legal basis for processing personal data. For example, it will need to ensure that any consent obtained indicates affirmative agreement from the individual (opt-in), for example ticking a blank box. Mere acquiescence (for example, failing to un-tick a pre-ticked box) does not constitute valid consent under the GDPR. Furthermore, the Company must be able to demonstrate that this explicit consent has been obtained, and ensure that an individual can easily withdraw their consent at any time.

The Company must also be in a position at all times to respond quickly to any data subject’s request (such as for a copy of all of the personal data held or to erase all such personal data). This is likely to require substantial modifications to the Company’s technological infrastructure and its organizational processes.

Other channels may be needed in certain circumstances, for example, the staff handbook regarding personal data collected from employee monitoring.

A written and comprehensive information security programme is needed to protect the security, confidentiality, and integrity of personal data held. It should set out action plans for any security breach, disaster recovery, and data restoration.

The Company should develop appropriate contractual strategies and have access to appropriate templates as a risk management tool.

Under the GDPR, the Company will also be required to implement “privacy by design” (for example, when creating new products, services or other data processing activities) and “privacy by default” (for example, data minimisation). It must also carry out “privacy impact assessments” before any processing that uses new technologies and that (taking into account the nature, scope, context and purposes of the processing) is likely to result in a high risk to data subjects takes place.

The GDPR also requires businesses to notify the supervisory authority of all data breaches without undue delay and where feasible within 72 hours. The Company will, therefore, need to look carefully at its data breach response plans and procedures.

The above represents only a short synopsis of the requirements under the GDPR. There are many more that are not included in this note for the sake of brevity. Preparing for all of the compliance requirements will need considerable planning across the Company.

Adequate Resources

Financial, technological and human resources should be sufficient to reasonably prevent and detect non-compliance and promote compliance with the GDPR.

Taking into account the number of employees, assets, turnover, Company business activities, a budget for [Insert Year] of £[Insert Amount] is proposed, broken down as follows: [Insert Breakdown Of Budget].

Training and Enforcement

Effective compliance training programmes are required for personnel at all levels, including directors, heads of departments and key Company service providers. Bearing in mind the above factors, a formally documented training programme with employee evaluation and attendance certification should be put in place as soon as possible.

Serious misconduct should be addressed with appropriate disciplinary action, regardless of seniority. An anonymous whistle-blowing mechanism should be considered, but legal advice should be sought before implementation in the UK and any other countries in which the Company carries on business.

Regular Reviews

From time to time, the GDPR Compliance Programme should be reviewed and updated in the light of new laws and business activities and changes to data flows and the introduction of new processing activities.

Informing your Employees

Establishing data protection as a pillar of the organisation, and ensuring that all employees are on board and aware, sets the premise for the culture and workings of the company in general. After informing your Board of Directors, it is also important that you draw up your agreements and get them signed by your employees. This works both as an agreement and as an awareness step.

Here’s a template for your employees:

Privacy Notice to Staff

  1. What is the purpose of this document (Data Protection Policy)?

You have legal rights about the way your personal data is handled by us, [Insert Name]. We are committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect and use personal information about you during and after your working relationship with us. It applies to all employees, workers, and contractors. This notice does not form part of any contract of employment or another contract to provide services. We may update this notice at any time.

During your employment or engagement by us, we collect, store and process personal data about you. To comply with the law and to maintain confidence in our business, we acknowledge the importance of correct and lawful treatment of this data.

It is important that you read this notice, along with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you. This gives you information about how and why we are using such information. All people working in or with our business are obliged to comply with this policy when processing personal data.

  1. Our Role

We are a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. Data protection legislation requires us to give you the information contained in this privacy notice.

  1. Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited to those purposes only.
  • Accurate and kept up to date.
  • Kept only for such time as is necessary for the purposes we have told you about.
  • Kept securely.

  1. The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are “special categories” of more sensitive personal data that require a higher level of protection.

We may collect, store, and use the following categories of personal information about you:
[add all categories]

  1. How is your personal information collected?

Usually, we collect personal information about employees, workers, and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies [list them here, if any].

We will collect additional personal information during work-related activities throughout the period of you working for us.

  1. How we will use information about you

We will use your personal information only when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract that applies to our working relationship.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest or for official purposes.

  1. Situations in which we will use your personal information

We need all the categories of information in the list above (see the kind of information we hold about you) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information for our legitimate interests or those of third parties, provided that your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are as follows: [add all the situations in which you will use this data. Some examples would be ascertaining the terms of work, deciding about employment or monitoring equal opportunities metrics].

Some of the above grounds for processing will overlap and there may be several grounds that justify our use of your personal information.

  1. If you fail to provide personal information

If you do not provide certain information when we ask for it, we may not be able to perform the contract that applies to our working relationship with you (such as paying you or providing a benefit), or we may not be able to comply with our legal obligations (such as to ensure the health and safety of our workers).

  1. Change of purpose

We will only use your personal information for the purposes that we have collected it for unless we need to use it for another reason and that reason is reasonable and compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or allowed by law.

  1. How we use particularly sensitive personal information

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the situations below:

  • In limited circumstances, with your clear written consent.
  • Where we need to carry out our legal obligations and in line with our data protection policy or other policy that applies to such information.
  • Where it is needed in the public interest, such as for equal opportunities monitoring [or in relation to our occupational pension scheme], and in line with our data protection policy or other policy that applies to such information.
  • Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

Very occasionally, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

  1. Our obligations as an employer

We will use your particularly sensitive personal information in the following ways:

  • We will use information relating to leaves of absence, which may include sickness absence or family-related leave and related pay, to comply with employment and other laws.
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sex life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  • We will use trade union membership information to pay trade union premiums, register the status of a protected employee and comply with employment law obligations.
  • List any other circumstances where you may process personal data that reveals racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data; biometric data; health data; or data about an individual’s sex life and sexual orientation.

  1. Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will give you full details of the information that we would like and the reason we need it, so that you can consider carefully whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

  1. Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy or other policy that applies to such information.

Very occasionally, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We [envisage OR do not envisage] that we will hold information about criminal convictions.

[We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.] [Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly from you while you are working for us.] [We will use information about criminal convictions and offences in the following ways: [add the list here].]

  1. Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration.
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

If no automated decisions are made at your company, use this instead: [We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.]

  1. Data sharing

We may have to share your data with third parties, including third-party service providers and other entities in the group.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the EU.

If we do, you can expect a similar degree of protection in respect of your personal information.

  • Why might you share my personal information with third parties?

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

  • Which third-party service providers process my personal information?

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. [The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services] OR [The following third-party service providers process personal information about you for the following purposes: [add purposes]].

  • How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

  • When might you share my personal information with other entities in the group?

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and the hosting of data [Describe other known activities].

  • What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

  • Transferring information outside the EU (use only if it applies to your company)

We may transfer the personal information we collect about you to the following country/countries outside the EU [List countries here] to perform our contract with you. There [is OR is not] an adequacy decision by the European Commission in respect of [that OR those] [country OR countries]. This means that the [country OR countries] to which we transfer your data [is OR are] [deemed OR not deemed] to provide an adequate level of protection for your personal information.

However, to ensure that your personal information does receive an adequate level of protection, we have put in place the following appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection: [Specify measure, for example, Binding Corporate Rules]. If you require further information about [this OR these] protective measure[s], [you can request it from [Position] OR it is available [on the intranet/Provide link here]].

  1. Data security

We have put in place measures to protect the security of your information. Details of these measures are available [upon request OR on the intranet].

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. [Details of these measures may be obtained from [Position].]

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

  1. Data retention
  2. How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. [Details of retention periods for different aspects of your personal information are available in our retention policy, which is available from [[Position] OR [The intranet/Provide Link]].] To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with [our data retention policy OR applicable laws and regulations].

  1. Rights of access, correction, erasure, and restriction
  2. Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

  1. Your rights in relation to personal information

Under certain circumstances, by law, you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request that your personal information is erased. This allows you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to stop processing personal information where we are relying on a legitimate interest and there is something about your situation that makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data or request that we transfer a copy of your personal information to another party, please contact [Position] in writing.

  1. No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

  1. What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

  1. Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact [Position]. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

  1. [Data protection officer]

[We have appointed a [data protection officer (DPO) OR data privacy manager] to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the [DPO OR data privacy manager]. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.]

  1. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact [Position and Contact Details].

I, ___________________________ (employee/worker/contractor name), acknowledge that on _________________________ (date), I received a copy of [EMPLOYER]’s Privacy Notice for employees, workers and contractors and that I have read and understood it.

Signature:         _________________________

Name:                _________________________


Hiring a DPO

A Complete Guide For Hiring A Data Protection Officer (DPO).

General Data Protection Regulation has been enforced since 25th May 2018. So if you have still not hired a data protection officer, this guide should help you. It is a complete guide for hiring a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR). We’ll go step by step to help you with all the questions regarding a Data Protection Officer.

Who is a Data Protection Officer (DPO)?

A Data Protection Officer is the professional responsible for the data protection activities and the implementation of data protection measures inside the company. They hold the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. They report directly to the senior management, managing directors, and CEO of the company.

Who needs a Data Protection Officer?

According to the text of the Regulation, you need a data protection officer if:

  • You have more than 250 employees in your company
  • You are processing data on a large-scale basis. This means that the data you collect, process, store or use affects a large number of people; examples are processing data on a city’s population or processing personal data for behavioral advertising by a search engine
  • Your processing is carried out by a public authority or body
  • You are processing sensitive data such as health, trade union membership, geolocation, sexual orientation or genetic data, or children’s data
  • You are carrying out systematic monitoring and tracking. For example, if you are systematically monitoring users’ video data or systematically tracking internet users to review television rating points
  • You are processing special categories of data that could be related to a criminal offense
  • You are a processor systematically monitoring data such as internet traffic, IP addresses or visitors

What are the basic responsibilities of a Data Protection Officer?

The Data Protection Officer should have the following responsibilities:

  • to inform and advise the controller or the processor, as well as the employees who carry out processing, of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • to monitor compliance with this Regulation or with other Union or Member State data protection provisions. This also includes compliance with the policies of the controller or processor in relation to the protection of personal data: the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
  • to provide advice when requested with regard to the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36;
  • the data protection officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.

This means a data protection officer is a coordinator between the controller/processor and the supervisory authority. They are also responsible for responding to data subjects, that is, the consumers/customers of the company. Under the GDPR, data subjects can request access to the data that is collected and processed about them.

What are the basic tasks of your Data Protection Officer?

This section highlights how the responsibilities mentioned above turn into tasks. The DPO has to ensure that the data protection rules are respected, in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institutions and bodies, the DPO must:

  • Ensure that controllers and data subjects are informed about their data protection rights, obligations, and responsibilities and raise awareness about them;
  • Create data protection goals and principles based on the GDPR and make sure the controller, i.e. the company, follows them;
  • Give advice and recommendations to the institution about the interpretation and/or application of the data protection rules;
  • Create records of processing activities within the institution and notify the EDPS of those that present specific risks (so-called prior checks);
  • Ensure data protection compliance within their institution and help the latter to be accountable
  • Handle queries or complaints on request by the institution, the controller, other person(s), or on their own initiative;
  • Cooperate in responding to requests relating to investigations, complaint handling and inspections conducted by the authorities;
  • Draw the institution’s attention to any failure to comply with the applicable data protection rules
  • Conduct a Data Protection Impact Assessment if required and review it monthly, quarterly and yearly
  • Create Data Processing Agreements and coordinate with third parties;
  • Create and update privacy policy, cookie policy and other data protection related policies
  • Train staff involved in data processing
  • Conduct audits to ensure compliance

Qualifications for Data Protection Officer

There are no exact qualifications written in the law. But the law does say, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. The data protection officer should have at least 30-60 hours of training to understand the law and its requirements. You can get your Data Protection Officer trained at the following places:

  1. IAPP Certifications
  2. TÜV in Germany
  3. IT Governance in the UK

Since there are no exact criteria, our suggestion is that adequate training or certification of a certain number of hours should suffice. If your data protection officer is a lawyer by profession, it will make training easier.

What do we have to do to support the DPO?

You must ensure that:

  • the DPO is involved, closely and in a timely manner, in all data protection matters;
  • the DPO reports to the highest management level of your organization, i.e. the board;
  • the DPO operates independently and is not dismissed or penalized for performing their tasks;
  • you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
  • you give the DPO appropriate access to personal data and processing activities;
  • you give the DPO appropriate access to other services within your organization so that they can receive essential support, input or information;
  • you seek the advice of your DPO when carrying out a DPIA; and
  • you record the details of your DPO as part of your records of processing activities.

This shows the importance of the DPO to your organization and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.

10 Best Practices for Hiring a Data Protection Officer

As a controller or processor, the following are the best practices for hiring a data protection officer:

  1. You can find data protection officers in LinkedIn and Facebook groups by searching for groups with the term GDPR
  2. IAPP has its own groups, where you can find 40,000 different privacy professionals
  3. Conferences on the GDPR, such as summits and gatherings, are a good place to find data protection officers
  4. Hire a certified data protection specialist or a lawyer specialized in the field
  5. Make sure your data protection officer understands your IT infrastructure and your application
  6. You can hire an external DPO
  7. A DPO should have great managerial and negotiation skills. They should also have a comprehensive understanding of the controller/processor, the data subjects, and the law
  8. Many experts publish tutorials and content on the GDPR. If you are planning to hire an external DPO, review their webinars, blogs and public profiles
  9. Do your due diligence and ask for at least 3 references from their previous customers. If you are hiring someone internally, then ask their immediate supervisors
  10. If you are hiring an external data protection officer, make sure that you go with someone who does not have a lot of clients. If this data protection officer has a lot of clients, then your work is probably going to get ignored if you don’t pay them based on packages

Should I hire an external or internal Data Protection Officer?

Internal vs. External Data Protection Officer

In principle, a company can appoint a Data Protection Officer both internally by assigning the role to an employee and externally in the person of a service provider. The decisive criterion should always be the necessary expertise and reliability that a DPO needs in order to be able to properly fulfill the intended tasks. But what distinguishes an internal from an external data protection officer? We would like to explain the differences on the basis of essential dimensions such as competence, liability and dismissal protection. In addition, to enable you to directly compare the costs of an internal and external data protection officer, we use a fictional calculation to show you how your company’s investment in data protection could be structured.

Internal Data Protection Officer

If you appoint an internal company data protection officer (DPO), the managing director hands over the task of DPO to an employee of the company. If an internal employee meets all the necessary requirements, they can be appointed as the internal data protection officer. After the appointment, the internal DPO is under protection against dismissal and has rights to further claims, such as their own equipment or training. However, if a company data protection officer is appointed who does not have the required skills, this is treated by law as if no data protection officer were present in the company.

External Data Protection Officer

In contrast to the internal data protection officer, the external DPO is a certified data protection expert who is available to your company as a service provider. The high level of expertise of an external data protection officer guarantees the best protection for your company. With a transparent cost structure, contractually agreed prices and a variable contract period, the external data protection officer takes care of your business quickly and efficiently, thus protecting you from high fines.

Differences between external and internal data protection officer

First of all, internal and external DPOs can be distinguished with regard to the costs incurred. For an internal data protection officer, the company has to pay for education and training, as well as the acquisition of literature, in addition to the regular salary. In the case of an external DPO, your company benefits from a transparent cost structure, since all services and costs are contractually defined.

In terms of competence, an internal DPO first has to undergo time-consuming and costly further training to gain the specialist knowledge, if they are not already specialized in the field. An external DPO, on the other hand, can show certified and immediately available expertise from the beginning of the cooperation. However, the internal DPO has the advantage in terms of familiarisation, as the operating procedures are generally already known to them, while an external DPO must first familiarize themselves with the operational procedures and processes.

 

If there is a momentous error based on the consultation with the data protection officer, for e.g.misuse of customer data, an internal DPO is liable with the limited employee liability which results in the full liability of the manager. In contrast, an external DPO is liable for its advice and thus minimizes risks for the company.

 

Already with the order of an operational data protection officer already a possible, later notice should be considered. An internal DPO is subject to special protection against dismissal, which is comparable to the position of the works council. However, the commissioning of the external data protection officer can be terminated on time.

 

We would like to explain this to you in more detail with a table:

 

Item Internal DPO External DPO
Cost In addition to the regular salary, costs for education and training, as well as acquisition of literature, must be borne by the company Transparent cost structure through contractually agreed prices
Competence Time-consuming and complex further education measures to obtain the technical knowledge Certified, existing and immediately retrievable expertise
Liability Partially transfers the liability Liability for the correct advice by the external DSB. Risk minimization for the company
Data Control All the data stays within the company All the data and company understanding stays with an external

 

Time Commitment 100% committed to the project Partially committed to project and most likely involved with many other companies

 

Time to understand the business It won’t take much time to understand the business and process since the internal DPO was a part of the company It takes time for an external DPO to understand the company and mostly like you’ll pay for an audit

 

Response time Much faster since already part of the company Much slower because the external DPO was not part of the company

 

Cancellation of employment contract An internal data protection officer is protected by law. Basically, you can’t fire him/her An external DPO can be easily replaced based on the contract terms and timelines

 

How much does a data protection officer cost?

Based on our experience of talking to hundreds of data protection officers, the average cost of a data protection officer in Europe depends on the hourly rate. A data protection officer without a legal background would cost around 100-200€ per hour. If your data protection officer is a lawyer, they would cost around 300-500€ per hour. Many data protection officers work on an hourly rate, on an annual basis or on a monthly package basis. If you are hiring an external data protection officer, keep in mind that if the rate is very low, they probably have many clients and you won't get individual attention or consulting. If they are a big brand, you are probably paying a lot and still getting less attention.

Common Mistakes to avoid while hiring a DPO

  1. Don’t hire cheap data protection officers. They’re not worth it and probably won’t take your case seriously
  2. If all the work is done by the company’s internal lead, and the external DPO is only there for the purposes of the website, then don’t hire that DPO
  3. Don’t hire someone internally in your company as a DPO if the role has an inherent conflict of interest. For example, don’t hire a marketing or customer support person as a DPO because they might be biased. Here’s what the working party suggests regarding hiring an internal DPO and avoiding a conflict of interests:
    1. to identify the positions which would be incompatible with the function of a DPO, and draw up internal rules to this effect in order to avoid conflict of interests
    2. to include a more general explanation about conflict of interests
    3. to declare that the DPO has no conflict of interest with regards to its function as a DPO, as a way of raising awareness of this requirement
    4. to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be kept in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally
  4. The following roles are in conflicting positions: chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources or head of IT department
  5. Hiring a full-time data protection officer when you only need a part-time data protection officer

Here’s a sample appointment letter for a DPO from ECOMPLY.io:

Sample Appointment Letter for Data Protection Officer:

Ms. Sample – Data Protection Officer –

Sample Street 2

23456 Sample City

Appointing Mr. / Ms. ### as Operational Data Protection Officer

The ACME LLC herewith and with immediate effect appoints Ms Sample as the Data Protection Officer – as stipulated in Article 37 GDPR referencing § 38 BDSG-neu for our company. To facilitate the execution of this role as Data Protection Officer, he/she shall report directly to management, specifically NAME_MANAGING_DIRECTOR.

Ms. Sample is entrusted with providing consultancy services and ad-hoc spot checks to ensure company-wide adherence to the provisions of the GDPR and to further data protection regulations.

In concrete terms, his/her duties shall be derived from the GDPR and shall, specifically, be aligned with Article 39 GDPR.

Ms. Sample shall act without being subject to supervisory instruction in the application of expertise in the area of data protection and shall be supported by management in his/her executional endeavors. To this end, he/she may consult the data protection regulatory authority responsible for our company whenever clarification is required.

Representing the management:

_______________________________      ______________________________

Place, Date                                                    Signature Managing Director

                                                                    NAME_MANAGING_DIRECTOR

I approve of my appointment to Data Protection Officer:

_______________________________

Signature Data Protection Officer

Ms Sample

If you have any further questions or want to know how we can help your DPO, book a demo with us!


The Only Guide to GDPR Compliance for Social Media Marketers.

If you’re not hiding in a cave, or haven’t decided to skip over press articles, then you must have come across the General Data Protection Regulation (GDPR). GDPR compliance is now incumbent on all of your marketing efforts and other business operations. This article will help you gain an understanding of what GDPR compliance means for your social media efforts.

This past month, you probably observed a number of emails asking for permissions. These are mostly from companies moving towards GDPR compliance and asking to keep you on their mailing lists. It’s a small part of what the post-GDPR world for marketing looks like. For advice on sales, give this guide a read.

Even though the GDPR has been in the making for the past couple of years, it has only been officially enforced this year. If companies disregard the GDPR and put off compliance, they can be fined up to 20 million euros or 4% of revenue, whichever number is higher. So what does it mean for your marketing department?

GDPR Compliance and Digital Marketing Platforms

In general, people think social media is just about posting memes, relationships, or engagement and interactivity. If you as a social media marketer don’t care about data privacy or online security, then maybe the recent Congressional testimony of CEO Mark Zuckerberg will make you think again.

Soon after the enforcement of the GDPR, compliance became a trending topic in digital marketing. Many marketers are concerned with how GDPR compliance will shape their new campaigns. Another concern is how to use social media tools and platforms effectively. Getting worried about asking for consent from followers, users or connections is totally natural. Thinking about how to store or use data in a GDPR compliant way is the last thing a social media marketer wants to worry about.

AREAS OF CONCERN FOR SOCIAL MEDIA MARKETERS

  • Google Analytics

Google Analytics is the most common tool used by digital marketers to analyze performance. It collects user ID data, does behavior profiling and sets cookies. To be GDPR compliant with this tool, add an overlay to the site that notifies users of the use of cookies and asks for their permission before they enter the site.

  • Re-targeting Ads and Tracking Pixels

If your website is using re-marketing ads, e.g. the Facebook pixel, you should inform visitors as soon as they enter the site and obtain their consent. For publishing sponsored content and affiliate links, you need to ask the client whether they use tracking pixels or cookies to capture personal information, and if they do, get consent from the visitors.

  • Email Opt-In

To be GDPR compliant with opt-in emails, first verify whether your email service provider offers GDPR tools. Second, add a checkbox to the subscription form for visitors to give their consent. Put a visible disclaimer on the newsletter if it uses tracking pixels to track when recipients open it.

  • Display Ads

If a website runs an ad from a third-party ad server, then the users should consent to the third party server for using their data for advertising & marketing purposes upon entering the site. If it uses the cookies for targeting purposes, the visitors need to be informed.

  • Contact Forms

You should get explicit consent with a checkbox before you ask people to submit their information in any contact form.

  • Comments

Before a user leaves a comment they should give consent by a checkbox. They should also know how their information is going to be used & which information is going to be displayed publicly.

  • Product Sales Takeaway

When selling products or services to EU residents, you should collect only the necessary information from customers. You should also let them know how the information is going to be used. Make sure to get consent for every purpose of data collection.

How GDPR applies to Social Media Marketing?

Two changes are considered to be the biggest for social media marketers. First, they won’t be able to send opt-in emails or letters. Second, they won’t be allowed to drop cookies automatically without clear permission from the prospect. To have a GDPR compliant strategy, social media strategists are required to

  • Perform a complete audit of the website to determine what data they hold.
  • Get to know what information they have on the EU residents they are connected to.
  • Prepare an action plan on how to update the privacy policy for obtaining permission.

There are many social media management tools available for marketing agencies, strategists & managers to support them in scheduling, analyzing and building campaigns. These tools assist companies/brands to come closer to their users and help them generate leads and establish a strong customer base.

Social Champ – A GDPR compliant tool

Social Champ is one example of a compliant, easy to use social management tool which gives you the power of scheduling, repeating & analyzing your content & helps users and brands to increase their audience reach by 75%.

Since the content produced on social media is usually user-generated, the GDPR applies to both the content and its users, because the shared content contains personal information of the users.

All the products and services of Social Champ are GDPR equipped. It provides a Data Processing Agreement (DPA) for all users who sign in. Under the GDPR, Social Champ is classified not as a “Data Controller” but as a “Data Processor” organization. This means it “only processes content according to the instructions given by the users through Social Champ’s features.”

The users have the complete right to control, collect, & use their content however they wish to. As a matter of fact, the users are the data controllers (in legal terms) of the content they process through Social Champ. In short, make sure your tools and processes for Social Media Marketing are GDPR compliant.

If you would like to know more about how you can comply with the GDPR, book a demo with us!



Four Hacks To Have a GDPR Compliant Privacy Policy.

Disclaimer: This editorial does not claim completeness and does not provide legal advice on the GDPR Compliant Privacy Policy.

Here’s the idea that is getting people really nervous:

Inside the law firms of the world, there are lawyers just waiting for 25 May 2018 to scan our websites and sue anyone not following the GDPR Compliant Privacy Policy. To defend ourselves against this, it is essential to make sure our websites do not reveal weaknesses to either machine scans (crawling) or superficial human inspection.

This means that we need to pay attention to the use of cookies, plugins and tracking tools to make sure we are all doing our duties and have compliant public documents.

First, take a deep breath, get some coffee and take ten minutes to read our suggestions below. You do not need a lawyer to do this for you.

In order to make sure that you don’t overlook any details of GDPR Compliant Privacy Policy just follow the four hacks which are actually steps in the process of having a GDPR compliant website.

Step 1: Encryption

The first step of owning a website that follows GDPR Compliant Privacy Policy is to make sure your website is only accessible via HTTPS (the little lock symbol in the browser). Thanks to Let’s Encrypt and other alternatives, this is an easy problem to solve.

Step 2: Changes to website content/plugins

The second step is to consider where in your website data is collected/sent (automatically or by a person). Typically, forms, plugins, tracking tools and cookies do this. The general rule is:

‘You must tell your visitors what is being tracked/collected. Ideally, you get their consent. But at least you have to give them an option to opt out.’

To understand how this step works in your favor, i.e. in your efforts to meet the GDPR Compliant Privacy Policy, let’s break this down further:

Forms

It does not matter what type of form you will be using or its purpose. Only ask the things you really need in order to provide the service you are offering. For instance, if it’s a newsletter registration make the email address a required field and keep all other fields as optional.

Plugins

For your social media plugins, add something like Shariff to give users more control over being tracked. For videos, Youtube has a data protection mode (https://support.google.com/youtube/answer/171780?hl=de). Unfortunately, Vimeo does not support that yet and should not be embedded any more on your website.

Tracking

Like most websites, you probably use Google Analytics. Make sure you take these steps:

Cookies

Tell people that you are using cookies and give them an option to opt out. Hopefully your website system has that built in; otherwise you need to add it yourself.

Step 3: Privacy Policy

This is the most important part. As an organization, you have the obligation to be transparent about your data processing activities. How can you be transparent? Put it all in the privacy policy. It should be precise, transparent, easily accessible, and written in clear, simple language. So Do It Yourself (DIY) with the must-haves below:

  • Contact information of your organization,
  • List of data categories (‘name’, ‘visitor behavior’, …) that you collect and the purposes for which this data is collected,
  • Legal basis for this processing (ideally, either ‘consent’ or ‘performance of a contract’),
  • How long you plan to keep the data,
  • A possibility for the customer to limit the processing (contact you?),
  • The email address of your Data Protection Officer (if you have one), like ‘privacy@sample.com’,
  • Where a customer can reach you for a complaint

There are some conditionals:

  • Do you use Google Analytics? Do mention it and try to offer an opt-out.
  • Do you set cookies? Mention it!
  • Do you use automated processes? You have to mention that too.
  • Do you use a company like Mailchimp to send your newsletters? Mention it, especially that you share your visitors’ email addresses or other information with them.

As you can see there is no 1-click solution for this (although we are working on one!). Doing it by hand is also not prohibited. In about a day, you should be able to cover most of this.

Step 4: The rights of Users

This is another part you need to add. Here’s an example for you:

“In particular, Users have the right to do the following:

Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.

Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.

Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.

Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.

Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.

Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.

Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.

Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Details about the right to object to the processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn, whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.”

Text credit: Iubenda.com

In short, following this guide should get you on the right path towards compliance. If you have further questions and want to know how we can help you get on board with a GDPR compliant Privacy Policy, sign up with us!

Image credit: http://thebusinessecoach.com/


Let's bust the 10 biggest GDPR Myths many believe today!

Only 2 weeks left before the enforcement of the General Data Protection Regulation (GDPR) and there is FEAR! And fuelled by it there is paranoia surrounding what needs to be done. Rumors. Assertions. And crazy ideas. In this blog, we will bust all the ridiculous GDPR myths we have heard so far.

Myth 1: GDPR is a European Union (EU) law and only applies to European companies

This particular myth challenges the parameters of the application of the GDPR. It certainly does not apply to only European companies. It applies to ALL companies who in any way collect, receive and process data of people residing in the EU. Moreover, any company that offers goods or services to EU Data Subjects or monitors their behavior in any way has to comply, regardless of the company’s location. It is, in fact, possible that a European company only processes data of American residents. In that case, the GDPR does not actually apply to the company. Essentially, it does not matter where the company is based or originated from, the criteria that should be used to assess whether the GDPR applies or not is “whose data do you touch?”

Myth 2: GDPR was made to punish companies by imposing fines

The principles on which the GDPR is based are not about punishing companies but rather about empowering people with more control over their data and ensuring responsible collection and processing of data. The potential fines have just been stated over and over again to reiterate the importance of compliance for companies. However, at this point, no one can predict how strictly the authorities will impose these fines, if at all. They will most likely allow companies extensions and a lot of leeway if they see efforts being made to comply. Fines will not be imposed for every little non-compliance issue, because in essence the nature of the GDPR is empowering rather than punitive.

Myth 3: GDPR is only for the IT departments and senior management

Every time people think of data protection, they usually jump straight to the conclusion that it is something for the IT department. In the case of the GDPR, this is not the case at all. The GDPR reforms the way companies handle data, which is why it applies to, and adds responsibilities for, every department and every person within a company. Processes need to be created, but employees also need to be educated about the GDPR. For instance, recording all processing activities will entail the involvement of representatives from all departments of a company.

Myth 4: All breaches no matter how little need to be reported to the Data Protection Authorities

Breaches need to be reported to the relevant authorities; however, this only applies to breaches that are likely to result in a risk to people’s rights and freedoms. So not every breach needs to be reported.

Myth 5: All details need to be provided the minute a breach occurs within a company

If there is a breach within a company, details of it are sometimes not available immediately. Companies themselves need to investigate before they can collect all the necessary information. The GDPR takes this into account and allows 72 hours to report such instances where feasible. Once reported, further details can also be provided after the allotted 72 hours if needed.

Myth 6: Consent needs to be taken for every activity

The general perception among companies is that consent is at the center of the GDPR. Without consent, no data processing activity can be carried out. This perception is extremely misleading. The GDPR allows for several different ways of justifying a processing activity of which consent is ONLY ONE. Some others can be seen below from the ECOMPLY app where you can just pick one to form the legal basis for an activity:

Myth 7: Under the GDPR, you need to get consent again from all stakeholders!

Having busted the first of the GDPR myths about consent, the second one is specifically about asking for consent again. Most companies think this needs to be done from scratch to be GDPR compliant. However, consent obtained under the Data Protection Directive suffices under GDPR standards. Just review the consent against the standard that the GDPR sets for it.

Myth 8: New data portability rules apply to all businesses

Data portability requirements apply only when the legal basis of a processing activity is consent or contractual necessity. When the legal basis is legitimate interest, public interest or another provision allowed under the GDPR, the requirements don’t apply.

Myth 9: Data center needs to be in the EU!

This is another common misconception. A company’s data center doesn’t have to be in the EU. It can also be in one of the third countries that GDPR allows for. Basically, it cannot be in a country that doesn’t have regulations on data protection. Here’s what we found helpful on this topic.

Myth 10: Biometric data is sensitive data under the GDPR

This is the most understandable misconception that has developed regarding the GDPR. Biometric data that a company collects, just like any other data, is sensitive only if it is actively used for identification purposes. It is predominantly collected for identification purposes, but if that is not the case, then biometric data doesn’t have to be treated as sensitive data.



The Ultimate GDPR Compliance Checklist for SaaS

Before getting into the GDPR Compliance Checklist For SaaS let’s understand why the need for it has arisen.

There is a tonne of material on the General Data Protection Regulation (GDPR), and several organizations and people claiming to be experts are throwing around advice. There is an overwhelming amount of information on this topic because the enforcement of the GDPR is in sight.

We want to condense all this information into a point by point checklist to help companies keep track of what they have done and what still needs to be done. So this time around, we are focusing on the Software as a Service (SaaS) industry.

First, it is important to understand that for SaaS companies a lot of these processes can be automated but it is not really necessary to do that. You need to take stock of the costs of automation or manual labor and need to decide accordingly what works for you.

Here are the rights of the Data Subjects (client/customer/user/employee in layman terms) that you need to preserve:

  • The right to erasure (the right to be forgotten/deleted from the system),
  • The right to restriction of processing (you have to restrict access to the data and cannot do anything with it without further consent of the user),
  • The right to data portability (give your users the possibility to download a machine-readable, exportable file of the data you have collected and processed about them),
  • The right to rectify data (have an edit button for data fields),
  • The right to be informed, which means you need to get rid of those long terms and conditions and provide this information in a way that is clear and concise

Here you can read the 10 Critical Steps to General Data Protection Regulation (GDPR) for SMEs that highlights the principles that you need to keep in mind.

GDPR compliance Checklist Dos:

1. Create and agree with data protection goals – Article 5

This essentially means that you need to conceptualize, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io or if you are not a customer: download it here.

2. Appoint an internal DPO with no conflict of interest – Article 37

This can be anyone in the company who is aware and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.

3. Make a cookie policy – A perfect way of showing cookies – Article 7

Here’s the right way to go about it: https://www.cookiebot.com/en/cookie-declaration/ Until now it has been enough to display the common “we use cookies” warning; however, the GDPR changes that. From the GDPR perspective, using cookies essentially means you are collecting user data, and you need to make sure that you have legal grounds for it.

4. Add ‘cookiebot.com’ consent – Article 7

5. Update your privacy policy – Perfect Privacy Policy – Article 12:

Example of short form of Privacy Policy

6. Add features list

  • Consent box, recording with it the Privacy Policy version – Article 7
  • Right to edit or modify feature – Article 16
  • Right to delete or be forgotten – Article 17
  • Right to object to processing & profiling feature – Article 21 & 22
  • Right of access (I want to access all my data, i.e. export & import feature) – Article 15
  • Right to stop automated profiling – Article 18 & 23
  • Have double opt-in on newsletters, lead magnets & sign-up – Article 7
  • Automatic deletion, or a feature giving your users a timeline for deleting their data – Article 17
  • Consent checkbox on your contact form as well – Article 7
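The feature list above says what a SaaS backend must be able to do for its users but not how the pieces fit together. The following is an added example written for this guide, not code from ECOMPLY.io or from any SaaS product: a minimal in-memory Python store that records each consent decision together with the privacy policy version the user saw (Article 7), and serves the access/export (Articles 15 and 20), rectification (Article 16), erasure (Article 17), restriction (Article 18) and objection (Article 21) requests from the list. The user records, purposes and policy version are constructed sample values.

```python
"""Added example (not ECOMPLY.io code): a minimal in-memory user store that
implements the data subject features listed in the checklist above.
All user data, purposes and policy versions below are constructed samples."""
from datetime import datetime, timezone

# Constructed: the version string of the privacy policy currently shown to users.
CURRENT_POLICY_VERSION = "2018-05-25"


class UserStore:
    """Keeps profile data, an append-only consent history, processing
    restrictions and objections per user."""

    def __init__(self):
        self.users = {}          # user_id -> profile fields
        self.consents = {}       # user_id -> list of consent events (append-only)
        self.objections = {}     # user_id -> set of purposes the user objected to
        self.restricted = set()  # user_ids whose processing is restricted (Art. 18)

    def create_user(self, user_id, **profile):
        self.users[user_id] = dict(profile)
        self.consents[user_id] = []
        self.objections[user_id] = set()

    def record_consent(self, user_id, purpose, given,
                       policy_version=CURRENT_POLICY_VERSION, when=None):
        """Art. 7: store every consent decision, including withdrawals, together
        with the policy version the user saw and a UTC timestamp."""
        when = when or datetime.now(timezone.utc)
        self.consents[user_id].append({
            "purpose": purpose,
            "given": bool(given),
            "policy_version": policy_version,
            "timestamp": when.isoformat(),
        })

    def has_consent(self, user_id, purpose):
        """True only if the latest decision for this purpose is 'given' and the
        user has neither restricted processing nor objected to the purpose."""
        if user_id in self.restricted or purpose in self.objections[user_id]:
            return False
        decisions = [e for e in self.consents[user_id] if e["purpose"] == purpose]
        return bool(decisions) and decisions[-1]["given"]

    def export(self, user_id):
        """Art. 15/20: everything held about the user as a plain dict that can be
        serialised to JSON for a machine-readable export."""
        return {
            "profile": dict(self.users[user_id]),
            "consents": list(self.consents[user_id]),
            "objections": sorted(self.objections[user_id]),
            "processing_restricted": user_id in self.restricted,
        }

    def rectify(self, user_id, **changes):
        """Art. 16: the 'edit button' for profile fields."""
        self.users[user_id].update(changes)

    def object_to(self, user_id, purpose):
        """Art. 21: an objection blocks the purpose regardless of earlier consent."""
        self.objections[user_id].add(purpose)

    def restrict(self, user_id):
        """Art. 18: the data is kept, but no purpose may be processed."""
        self.restricted.add(user_id)

    def erase(self, user_id):
        """Art. 17: remove the user and every associated record."""
        self.users.pop(user_id, None)
        self.consents.pop(user_id, None)
        self.objections.pop(user_id, None)
        self.restricted.discard(user_id)

    def exists(self, user_id):
        return user_id in self.users


def demo():
    """Walk one constructed user through the request types and return the outcomes."""
    store = UserStore()
    store.create_user("u1", email="anna@example.org", name="Anna Sample")
    store.record_consent("u1", "newsletter", True)
    consented = store.has_consent("u1", "newsletter")   # True
    store.record_consent("u1", "newsletter", False)     # withdrawal is an event too
    withdrawn = store.has_consent("u1", "newsletter")   # False
    store.rectify("u1", name="Anna Muster")
    exported = store.export("u1")                       # still lists both decisions
    store.erase("u1")
    return {"consented": consented, "withdrawn": withdrawn,
            "export": exported, "erased": not store.exists("u1")}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Withdrawals are appended rather than deleting the earlier record, so the export shows the full consent history with the policy version each decision was made under; a restriction or objection overrides any stored consent without touching that history.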

7. Create records of processing activities and maintain it:

ECOMPLY.io helps with it. You can also read our step by step blog on how to take this item off your GDPR compliance checklist.

8. Ask your third-party vendors, i.e. suppliers and subcontractors, to be compliant:

This includes basically every software and service you are using. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.

9. Technical Measures for IT:

  • Add anonymization or pseudonymization if a user is no longer using your system
  • Add encryption in your system
  • Have authentication mechanisms for modifying data
  • Two-factor authentication or 2-step verification
  • Focus on data minimization: don’t collect data you don’t need
  • Show that the system has strong backups and data can’t be lost
  • Web application security such as TLS/SSL
  • Data centres and their protection; they should be in Europe or the US where possible
  • Encrypted passwords for all the systems
  • Internal hard drives or cloud drives should be protected and have different access levels
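Two items of the list above are easy to state and easy to get wrong in code: pseudonymising the records of users who no longer use the system, and the "encrypted passwords" item, which practitioners implement as salted one-way hashes rather than reversible encryption so that a leaked table does not yield the passwords. The following is an added example written for this guide, not ECOMPLY.io code; the user records, inactivity threshold, "current" time and pseudonymisation key are constructed sample values.

```python
"""Added example (not ECOMPLY.io code) for two items of the technical-measures
list: pseudonymising records of users who no longer use the system, and storing
passwords as salted one-way hashes. Records, thresholds and keys are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed sample records; a real system would read them from its database.
SAMPLE_USERS = [
    {"id": 1, "email": "anna@example.org", "name": "Anna Sample",
     "last_login": "2018-01-10T09:00:00+00:00"},
    {"id": 2, "email": "ben@example.org", "name": "Ben Sample",
     "last_login": "2018-05-20T12:00:00+00:00"},
]
SAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed "current" time
# Constructed key. In production it lives in a secrets store, separate from the
# data, so that holding the pseudonymised table alone does not reverse the mapping.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"
INACTIVITY_THRESHOLD = timedelta(days=90)
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonymise_inactive(users, key, now, threshold=INACTIVITY_THRESHOLD):
    """Return copies of the records: active users unchanged, inactive users with
    their direct identifiers replaced by a single keyed HMAC pseudonym."""
    result = []
    for user in users:
        last_login = datetime.fromisoformat(user["last_login"])
        if now - last_login <= threshold:
            result.append(dict(user))
            continue
        # Keyed hash: stable per user (so records still link up) but not
        # reversible without the key, unlike a plain SHA-256 of the e-mail.
        token = hmac.new(key, user["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        stripped = {k: v for k, v in user.items() if k not in DIRECT_IDENTIFIERS}
        stripped["pseudonym"] = token
        result.append(stripped)
    return result


# Password storage: a per-user random salt plus PBKDF2-HMAC-SHA256. The stored
# string carries algorithm, iteration count and salt so records can be verified
# and later migrated to a stronger setting.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored parameters and compare in constant time;
    malformed records are rejected instead of raising."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for record in pseudonymise_inactive(SAMPLE_USERS, PSEUDONYM_KEY, SAMPLE_NOW):
        print(record)
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))
```

With the constructed data, Anna (last login in January) comes back with only her id, last-login date and a 16-character pseudonym, while Ben (active in May) is returned unchanged; rerunning with the same key gives the same pseudonym, and a different key gives a different one, which is the property that lets the key be rotated or destroyed when the link to the person is no longer needed.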

10. Organizational Measures:

  • Educate your team about privacy and data protection
  • Physical access to your office should always be protected with keys
  • Laptops and other devices of the staff should be protected as well

11. Sales & Marketing:

  • Take consent in all your marketing magnets and contact form and record it
  • Inform customers about your CRMs, automatic tools, and analytics tool
  • Always have an opt-out button

12. Data Processing Agreement:

As a SaaS vendor, you should be able to provide your customers with a data processing agreement that promises technical measures to protect their data. ECOMPLY.io will help you with that.

13. Human Resources (HR):

Have different access levels for each staff member. Not everybody should have access to the whole system.

GDPR compliance Checklist Don’ts:

  1. Don’t assume your vendors are compliant
  2. Don’t assume that Privacy Shield or ISO 27001 already makes you compliant
  3. Don’t send customers cold emails to their personal email addresses
  4. Don’t assume documentation will save you. Actually make those changes
  5. Don’t leave your laptops open in an open space where people can see the data
  6. Don’t assume it is a one-time project. You need to keep making sure that your documentation is correct and up to date, that you follow all those guidelines, and that you check frequently.

If you are still confused about the GDPR and don’t know where to start, just book an appointment with us for an informal chat.



Who is GDPR Ready?

Given all this hype surrounding the General Data Protection Regulations (GDPR), among companies and consumers alike, we just could not help but get curious. So who out of the big, famous companies are actually GDPR Ready?

So we did a little, cheeky experiment and emailed these companies to find out whether they were aware of the legislation and what data they held on us.

Under the GDPR, you can request that a company gives you all the data it holds on you (the right of access). You can also ask it to delete that data and forget you (the right to erasure). This is primarily how the GDPR empowers us as consumers. For companies to be GDPR ready, they need processes in place to deal with these requests.

Essentially, in GDPR terminology, we made Data Subject Access Requests to check which companies were aware of the coming GDPR and subsequently preparing for it.

In total, we reached out to 200 companies and tested them on two things: awareness and readiness. We assigned six people to write to different companies. One of them wrote to companies from Spain, three from Germany and one from the United Kingdom (UK). So let’s summarise the results by geographic location.

United Kingdom

We wrote to companies in the United Kingdom (UK) recently.

From their replies, we gauged that 50% of these companies were aware of the coming regulation; however, only 10% of them were ready to cope with Data Subject Access Requests. From the ones that were ready, we received a full Excel sheet with all of our data. The Excel sheet was usually sent to us some time after the initial response, which is acceptable under the GDPR (note: the GDPR gives a company one month to respond, extendable by two further months for complex requests, Art. 12(3)).

Also, one of the “aware” companies clearly explained that they were engaged in a variety of activities to become GDPR compliant and at the moment could not provide the data in a machine-readable format. This was definitely a sign that the company was well aware and in the process of preparing for the GDPR.

Spain

We reached out to ten companies, including names like Vodafone, Santander and Groupon. We found that 28% of these companies were ambiguously aware of it, but none of them were ready for the enforcement of the GDPR. It is rather likely that since then they have at least made progress in awareness of the GDPR and are in the process of preparing for it.

We only say ambiguously aware because the responses we got indicated that those who were aware of it either only had a specialised email address for GDPR-related queries (which ended up bouncing anyway) or asked us to show up in person. The awareness they did have was therefore not clearly translated into a working process.

Germany

Before we start, it is important to note that we reached out to many more companies in Germany than anywhere else. We are based in Germany and are, admittedly, a little biased.

Germany, the hub of data protection and known as the market most sensitive to data privacy, lived up to its reputation.

Almost 63% of the companies were actually ready for the GDPR. These included the big automotive companies Mercedes, BMW and Porsche. Moreover, 5% of the companies were aware of the GDPR and working towards it. So all in all, the German market seems to be quite aware of what the GDPR entails and is working towards it.

On average, these companies responded in about 3 days, and the slowest took no longer than 7 days. This was definitely a positive indicator of readiness.

We also emailed companies like WhatsApp, Snapchat, Booking.com, Disney and Instagram to find out whether these popular services were ready. We found that none of them were ready, and we were unable to assess whether they were aware or not. Keep in mind that these Data Subject Access Requests were sent in early 2018, so it is possible that they are by now compliant. The time needed to become fully compliant depends on several factors, including but not limited to company size and number of processes.

These companies either did not reply to our request or sent us a generic automated message.

We also realised that no response could mean that these companies are in the middle of their blazing GDPR activities (quite unlikely), that they do not know of the GDPR and its implications (quite unlikely, and sad if true), or that they just do not care enough at this point (likely).

To be fair, a lot of companies are still researching and figuring out exactly what to do about the GDPR. For instance, we asked Woodpecker and one of our customers, Combyne, how they went about the process. Moreover, training and development of employees, especially in customer service, is ongoing for most companies. That in itself could be a factor in why we assessed companies as unaware, since we judged only by the replies we got.

Compliance will most likely become a high priority for companies if, after enforcement, data protection authorities actually crack down on non-compliant companies and issue the dreaded fines.

If you need further guidance on the GDPR, Book a Free Demo with us!



Step-by-step guide: how to create Records of Processing Activities!

As the enforcement of the General Data Protection Regulation (GDPR) approaches, Records of Processing Activities (RPAs) is a term that is being thrown around quite a bit. They are also referred to as a Procedure Index, Data Mapping or Data Flows, among other names. These records (required by Article 30 of the GDPR) are what data protection authorities will ask to see after May 2018. It is a daunting prospect for most companies, since only 34% of companies (vpnMentor, 2018) are on their way to compliance so far. To make it easier on you all, we are going to outline all the steps to keep your RPAs ready for the authorities:

Step 1: Collect the names of all the departments in your company

Think of all the functions you have in your company. Departments are not always clearly divided, especially if you are a start-up: chances are you don’t really have organised departments. So take a moment, think of all your functions and organise them in enough detail that every activity you do is assigned to a department.

Step 2: Fill out your basic Company Information

This includes the name of your company and the contact details of the responsible person, usually the company’s Managing Director or Chief Executive Officer (CEO).

Step 3: Pick a platform for all GDPR related documents and work

You need to decide how you want to manage all the documents together. Do you want to use Google Docs and keep them all in a shared drive? Or do you want to make folders on your internal company network and use Microsoft Office? Or would you like a task management software for the GDPR? It is important that you pick one option and then stick to it, since there will be lots of documents that you will need access to. Keep them in one place so that finding them is not a hassle.

Step 4: Now think of all departments that have processes for personal data

Now think of all the departments in your company that use personal data in one way or another, for instance Sales and Marketing, Product Development and Finance. Do these departments use any user data you obtain, in any way? Make a list of these departments.

Step 5: Think of the people responsible for these Processes in each department

Think of all the people who mostly manage the data related activities in each department. Make a list of all these people. It is important that the person you pick knows very well what the department does with the data and can answer questions relating to all such department activities. The person you pick does not necessarily need to be the Head of the Department but rather the one who knows the most about activities related to personal data.

Step 6: Now put the information together to create a Department Profile

Now combine the two lists so that you have the Name of the Department and the corresponding contact person of the department.

Step 7: Find an Internal Data Protection Officer

Ideally, you need to appoint one person in your company to act as the Data Protection Officer. This can be anyone in your company, but they will later need some training, or will need to read the law or at least have a functional understanding of it. Ideally this could be your Chief Operating Officer or Head of Legal, bearing in mind that Article 38(6) requires the DPO to be free of conflicts of interest, so someone who decides the purposes and means of processing is a poor choice.

Step 8: Sign a document with them to officially appoint them as your DPO

In order to officially appoint the chosen person as your DPO, you need to sign a document with them outlining their responsibilities and the purpose of the role, in line with Article 37 of the GDPR (with the tasks listed in Article 39). Our tool provides you with the document, which you can then download and request a signature for.

Step 9: Every department makes a list of all their activities that use data

So ideally, each department should record every activity that uses personal data in any way. For instance, exchanging business cards would be one activity in the Marketing Department. Personnel holiday planning would be another one for the Human Resources (HR) Department.

Step 10: Give details of each activity

This is the tedious long-term task that has no short-cuts. You need to go step by step and define each activity. There are a few important points that you need to write down for each of these activities. Let’s go over these points one by one.

Step 10.1: Description of the Activity

This includes what the activity is and who the contact person responsible for it is. For example: “IT for Employees”, with someone in the IT department responsible for it.

Step 10.2: Purpose and Legal Basis of the Activity

In line with the GDPR, you have to state explicitly how this activity aligns with the overarching purpose or vision of your company. If it uses personal data, you need to record the legal basis on which you process it (Article 6): is it consent, for instance, or the performance of a contract?

Step 10.3: Data Collection and Data Processing

In this part, answer the question of whether you collect Personally Identifiable Information like names, email addresses, bank details and so on. If you do, where do you collect it from, and do you explicitly ask for consent before you get the information? Do you give this data to third parties? If yes, who are they and what do they do with it?

Step 10.4: Nature of the Data

Whose Data is this? Is it customers, clients, employees or partners? And what is it? Names, email addresses, bank details are some examples.

Step 10.5: Data Storage and Deletion

This is the straightforward part if your processes for it are defined. Unfortunately, most companies do not have processes for this. It includes how long you store the data, the exact location of the storage, and when you delete it.

Step 11: Now combine them all in one Report

The final step is to organise all this information from the different departments and people, consolidate it, make sure you are not missing an activity or any details of it, and put it all together in one place for the authorities.

Ecomply.io allows you to create one-click reports, provides you with all the templates as well as guidance on what information to put into the different gaps. Our Task Management Tool is based on the legal requirements of the GDPR to ensure that the guidance actually helps you understand what to do.

If you would like to check out our platform, book a free demo now.



Why combyne uses ECOMPLY.io?

Combyne, the mobile app, solves the age-old dilemma of picking the perfect outfit for different outings and events. Now you can simply create outfits using different clothing items from your favorite brands. You can also take a photo of any of your own clothing items and add them to your outfit.

So basically, you can dress on your phone saving you the hassle of actually trying on each outfit before you decide on the perfect one.

We caught up with Christian Dienst, the Chief Operating Officer at combyne to find out why they chose to trust ECOMPLY.io to manage their GDPR compliance.

What is GDPR according to you?

Christian: I believe it gives businesses and organizations the chance to outline their internal data structures and improve their systems accordingly. In the end, it is an international standard that companies need to adhere to in order to protect their customers’ and employees’ data and privacy.

Why did you need to be GDPR compliant?

Christian: From day one of our GDPR journey to compliance, the most important factor for us has been to provide data protection to our users and employees. Even if we are not at all involved in large-scale processing, GDPR has given us the opportunity to organize ourselves and our internal system and also to improve our data management approach. We felt that by establishing a data-conscious environment, our user community and partners can only benefit more from our products.

Why did you choose ECOMPLY.io?

Christian: After we came up with a strategy on how to tackle our data processes, we thought that ECOMPLY’s integrated format could benefit us greatly. Given that we are still a small company (according to the GDPR guidelines), we were really happy to have found a simple, accessible platform that would allow every member of our team to understand and add information.

Who works with ECOMPLY.io? How does it fit into your own processes?

Christian: During the “mapping” stages, just a small part of the team was involved. We needed to figure out how to approach this and to select the processes that we knew for certain involved collection and use of personal information. Afterwards, we managed to bring in the whole team, and everyone’s input proved to be extremely helpful.

How did ECOMPLY.io add value to your GDPR journey?

Christian: For us, ECOMPLY has been an effective facilitator. By having access to a comprehensive list of processes, requirements, and explanations, we managed to save a lot of time and effort. After selecting the appropriate processes, we were able to add our own, internal activities. This helped us build a comprehensive database of processes, in a single format. Also, the ECOMPLY team has always been open to answering questions when we couldn’t figure something out.

What were the alternatives?

Christian: Obviously, the alternatives would have been organizing the departmental information, creating templates and using all sorts of documents. We would have been required to spend a lot of extra time on creating an accessible format and then to add our input. That would have significantly delayed our GDPR compliance journey!

Any final thoughts?

Christian: Ecomply offers a simple, step-by-step approach to comply with the GDPR at an attractive price and with great customer service.


Inspired by combyne’s journey to compliance? Get a free demo now!

Want to Dress on Your Phone? Download combyne