(GDPR) - Do You Really Need That Explicit Consent?

(GDPR) - Do You Really Need That Explicit Consent?

Are you worried when you see the word ‘GDPR’?

It’s infuriating, isn’t it?

It’s been 5 months since GDPR.

Wait! If you are new to this whole thing — read our GDPR guidebook for starters.

What has changed? Oh yeah, now we get to experience those beautifully designed cookie banners on almost all the websites under the sun!

Does that mean they are compliant? Hell, no! that’s not the only thing you need to do. However, if you still haven’t got your cookie banner up and running –— try this Wordpress plugin

So, quick question:

Are you GDPR compliant?

I know what you are thinking!

Don’t worry, you’re not alone. . .

According to the research by Datanami, the 14 largest companies in the world are not compliant—including Facebook.

Feeling better?

In any case, you need to be compliant irrespective of who else is compliant.

You can get more practical advice here — how to be GDPR compliant

But regarding this article let’s stick to the one topic that has been making all the headlines — ‘Consent, I mean Explicit Consent’.

So, what is ‘Explicit Consent’, in terms of GDPR?

Consent simply means that you need to have the data subject’s permission in order to process their data, and it is one of the methods you can follow to become GDPR compliant!

The concept of ‘Explicit Consent’ is one of the most impactful consequences of the GDPR. And the main reason is that GDPR requires you to obtain ‘a clear affirmative action or a statement’ in an explicit manner from the data subjects.

A data subject is any individual whose personal data is processed by a controller or a processor.

If you are getting overwhelmed by these legal words — read this to get a basic understanding of GDPR terminology.

Becoming GDPR compliant means you need to prove a lawful basis on how you’re dealing with data processing in your organisation.

Explicit Consent has been topping the news all the time and many organisations were/are worried about whether they need to get fresh consent from their prospects and clients.

There’s been a lot of misconceptions about explicit consent and whether it is the only lawful basis and so on. . .

Let’s be honest. GDPR still has a lot of grey areas.

Let’s discuss explicit consent, and what’s the fuss about it:

Do you really need that explicit consent?

No! here’s the thing — consent is just one of the 6 lawful bases to comply with.

According to Art. 6 GDPR, the lawfulness of data processing includes:

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public Task
  6. Legitimate Interests

So, explicit consent is not the only method by which you can get your GDPR compliance badge.

Okay, so what’s the best lawful basis?

No single basis is ’better’ or more important than the others – meaning, you can follow any of them depending on your purpose and relationship with the data subject.

Does it also mean you can follow more than one lawful basis?

Yes, you can — because it’s not like one lawful basis per one organisation.

You don’t have to pick one for your organisation and stick with it. Simply speaking, you shouldn’t go for a one-size-fits-all solution in case of a lawful basis for processing.

Ideally, you should start by identifying each and every data pool that you hold and process — such as existing customers’ data, prospective customers’ data, suppliers’ data, employees’ data, website visitors’ data, and so on so forth. . .

And then you need to carefully decide and apply an appropriate lawful basis for each of those data pools you hold and process.

Whatever lawful basis you follow, you need to clearly state the same in your privacy policy in an easily understandable language.

But the sad thing is — even the biggest companies that we know are not up to the mark with GDPR. Their privacy policies are vague and not transparent enough. We’ll get to some specific examples in a while.

Anyways, back to explicit consent! It’s hard to get explicit consent and maintain it and more importantly prove (make it auditable) it when necessary.

This is where it gets tricky – The Recital 171 of the GDPR goes like this:

“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.

Put as simply as possible, it means that you can continue to use the consent you have already obtained pre-GDPR if that consent is in line with GDPR standards i.e. unambiguous, demonstrable, and explicit consent. That’s the issue. Most businesses haven’t obtained consents in-line with GDPR before GDPR, simply because they weren’t aware of GDPR.

For example, if your signup form has a pre-ticked box combining consent with a terms & conditions statement, then clearly your consent for this data pool is not in-line with GDPR standards and you can not use it from now on.

So, if that is the case with you, then they are invalid, and you can’t rely on them.

Even if you have carefully unbundled the consent from terms and conditions and have been getting the consent up to GDPR standards, you’ll still need to be able to demonstrate that consent. But pre-GDPR we hadn’t known about the demonstrating factor and did not have a mechanism in place to maintain and demonstrate consent. So, explicit consent is not the appropriate legal basis upon which to process the data under GDPR.

Sounds very complex right? This is why explicit consent is the most discussed topic.

So, what can you do now? What’s the alternative?

Legitimate interests!

Is Legitimate Interests a GDPR gift?

Legitimate interests are simply the benefits you may gain by processing the data; you need to keep in mind that those benefits shouldn’t override the basic rights of the data subject.

Also, if you’ve decided to use legitimate interests as your lawful basis of processing, you need to keep in mind another important aspect in this concept which is laid out in Recital 47. . .

Legitimate interest is the most flexible lawful basis for processing. However, it is necessary to use people’s data only “in the ways that they would reasonably expect you to use [it], and which have a minimal privacy impact, or where there is a compelling justification for processing.”(ICO)

That means you can only use legitimate interests if the data subject can reasonably know what you are going to do with it at the time of providing the data itself.

Let’s take an example to make our lives easier. . .

When you browse Pizza Hut’s website and order something, you obviously leave your personal details. Now, it is perfectly understandable, even a normal UK Citizen, that Pizza Hut is going to use his details to contact him. That’s in the legitimate interest of Pizza Hut, which is not overridden by basic rights. However, Pizza Hut should not use the same details to send you an SMS every week! Why? Because when you gave your contact details you did not reasonably expect them to send you weekly SMS coupons.

So, if you want to use legitimate interests in any of your data processing activities, you need to do so ideally through a process in which you can assess the situation:

  • You need to identify a legitimate interest
  • Deduce that processing is necessary to achieve your interests
  • Balance it against a data subject’s interests, rights and freedom

That being said, legitimate interests should, in no way, be used as a band-aid to explicit consent.

It is very important to go through the above-mentioned steps and carefully state it in a document called Legitimate Interests Assessment (LIA).

The Data Protection Network has published a detailed explanation of legitimate interests and has provided a template for assessing legitimate interests.

So, what next?

Start by looking at all different kinds of data you collect. Yes, I know it’s a difficult process, but it is inevitable.

You already understand that data plays a huge role in improving your services, marketing and all the other operations. So, if you are significantly dependent on data to make informed decisions, then you should at least start by mapping what kind of data you collect and how you process it.

As soon as you have done the data mapping step, you need to look at every single process to evaluate which data processes fall under legitimate interests, and which processes fall under contractual basis and the others. You need to basically segregate the data pools and decide your legal basis for the processing of each pool.

And that’s not it! You need to be transparent about this whole process, and clearly mention which legal basis you follow for each particular data pool and why.

As we’ve discussed earlier, even the biggest corporations on the planet are not doing it right. Their policies are significantly vague, and they don’t even mention this table of their lawful basis of processing data. How sad!

Some examples of how not to do it and how to do it the right way!

Example #1 - Facebook:

Facebook has already been in the news for breaching and compromising data on several occasions and still their privacy policy is something you should strictly keep in mind to not get into trouble:

So, let’s take a look at Facebook’s legal basis for processing data:

Don’t laugh!

Yes, that’s it—that’s all they say.

They merely describe the definitions of different lawful bases (as if we don’t know), and they don’t say which of their data processing activities follow which kind of legal basis.

Fine, okay — there seems to be a ‘learn more’ option. Let’s see what it contains:

My goodness, what is that?

Firstly, this information is hidden in some inner pages. And secondly, it’s written in a very sophisticated legal jargon tone, and not in a clear and easily understandable language.

In addition, they have ensured that it is very vague with a considerably disturbing user experience design!

Takeaway: Don’t be a Facebook, when it comes to your GDPR compliance! They can afford to pay fines, but can you?

Example #2 - Google:

Okay what about the godfather, how are they being transparent about ‘their’ way of handling and processing data, let’s check it out:

Type caption (optional)

Well, Google didn’t get it quite right. They tried to do their best but still did not include all of their data processing activities.

Yes, they did not hide it somewhere else and they made it available in an easily understandable language, but they are very vague and did not describe everything that needs to be included.

So, you might be thinking . . . can you give me an example of how to do it considerably well:

Yes, I have another example for you, which I think did really well as far as describing how they handle data processing, and on which basis.

Example #3 – Twitter:

Twitter does an impressive job on this aspect, to be honest, they show a table that contains a lot of the general purposes for which they process personal data from the EU and the primary legal basis they follow.

How cool? The table also contains detailed information on different data processing activities with specific links for additional information.

And if you see they have identified which data processing activity falls under which legal basis. Bravo!

So, have a serious look at this page to get a nice overview of how Twitter’s legal basis for data processing rules.

Example #4 - Amnesty International UK

Amnesty International UK takes a very different and good approach in giving examples of the different legal bases they follow:

How nice is that?

Type caption (optional)

They explain each and every lawful basis with nice practical examples. Visit their privacy policy to grab some insights.

So, let’s wrap up!

On a final note:

Let’s face it.

GDPR is tough to implement but it’s a good business practice with primary emphasis on transparency and accountability principles.

GDPR compliance is not something you can get done with and forget about, but it’s an ongoing process.

That is why you should consider using an all-in-one solution GDPR solution like Ecomply, and make your GDPR compliance journey as smooth as possible.

Going back to the topic—if you were previously in the opinion that explicit consent was the only road that could help you with GDPR compliance, then I’m sure this article has helped you in realising the fact that there are other roads that can help you in this journey.

Legitimate interests are the most flexible lawful basis to process data under GDPR. But it is necessary to carefully document it within your Legitimate Interests Assessment.

Do You Really Need That Explicit Consent?

Not really!

Let’s break it down into two points as described in SMSwarriors’ GDPR article about ‘Marketing under GDPR and ePrivacy Regulation’:

  • If your marketing plan doesn’t use additional data analytics to do profiling, then you can get away with legitimate interests as your lawful basis for processing data under GDPR and a no consent approach or soft opt-in or opt-out procedure as your lawful basis for performing marketing under PECR/e-Privacy Regulation, provided you always give them an option to unsubscribe. Here you must make sure to send only generalised marketing campaigns.
  • If your marketing plan uses profiling, segmentation and dynamic content for re-marketing purposes, then you can still get away with legitimate interests as your lawful basis for processing data under GDPR, provided you have clearly set the expectation during the sign-up process and provide a link to a multi-layered privacy notice.
    Additionally, you will need consent to serve these cookie and ad analytical tools to be compliant under PECR/ e-Privacy Regulation.

You can start by going through the data mapping process, identifying different data processing activities and deciding on the lawful basis that best fits your organisation.

Also, keep in mind to write your privacy policy as clear and transparently as possible — look at the examples above and you will realise which is the best way to present your privacy policy.

So, if you’re still looking for a tool to organise your GDPR workflow try our solution.

Disclaimer: While we have checked our sources, it is important for you to seek legal advice related to GDPR compliance. This article does not constitute legal advice. The examples mentioned in this article are just a perspective, and are not meant to defame any esteemed organisations.

Author's Bio:


Surya Maneesh is the Brand Strategist at SMSwarriors, a smart SMS marketing software that allows marketers and businesses to communicate faster and promote themselves better through SMS. Connect with him on LinkedIn 


GDPR Readiness Survey for Software and SMEs

A comprehensive GDPR Readiness Survey Report on how software companies and SMEs prepared and currently operate under the GDPR.

GDPR, you’ve heard of it, probably feared it, but you cannot ignore it. If you are like us, you wanted to get everything ready for the May implementation or, in contrast, you might have thought ‘I doubt any other startup/SME will become compliant, I won’t bother yet’. Well, we wanted to put both sides of the argument to the test and so carried out extensive research on just how GDPR ready Software Industry and SMEs are, what their problems were and how they view their activities in line with GDPR.

Why did we bother?

As a GDPR Compliance Software company, we wanted to find out the state of the market and whether our solutions is useful, as well as how we can improve to offer more value.

Although we are GDPR ready ourselves, we needed to understand some of the barriers companies are facing in becoming fully compliant, where they are in the process internally and what they think of GDPR, so we set out to investigate using a number of questions to get the most out of our respondents.

Data we collected

In this GDPR Readiness Survey, we investigated 100 different software companies and startups of varying sizes, ranging from 1-250 employees in order to get varied data from all companies across the spectrum . We collected the survey in a GDPR compliant way. Here is a breakdown of some of the demographic data we employed:

  • 1-250 employee companies.
  • Worldwide locations, but operate in the EU or store EU citizens' data.
  • We opted for quantitative & qualitative data.
  • We combined open ended questions with multiple answer questions.
  • We investigated the biggest challenges SME and software companies faced in being GDPR compliant.
  • We offered different aspects of GDPR requirements and requested respondents mark with which they comply with and leave blank those that they do not comply with.
  • The respondent’s annual budget for compliance efforts.

What did we find?

Our results from GDPR Readiness Survey were quite surprising, and illustrated a fairly accurate environment surrounding GDPR in the real world.

Although GDPR can bring about heavy fines, we are yet to see any real world examples of these fines in full swing, and with 50% of our respondents indicating they managed GDPR compliance internally without the consultation of an external body or an external lawyer, we may see that change in the near future as those companies that misinterpreted the regulations come to light. Companies became compliant to serve their customers better, as indicated by Marcin from Survicate.

We do our best to implement services that fulfill our customers’ needs. One of the most important customers’ requirement is the security of their data. That is why for us it is paramount. Survicate understands how the fulfillment of GDPR obligations improves protection of our customers’ data.

In contrast 42% of respondents contacted a lawyer to advise on GDPR compliance, but it’s a likely trait of larger businesses to put more resources into legal help compared to the 50% who didn’t, who are smaller and so less likely to bring in external aid.

Since lawyers are important for GDPR compliance, Peter Sterkenburg from Leadfeeder wants a more robust way to prove GDPR compliance by external lawyers and third parties.

A healthy angle to responsibly consider using personal data. I really do miss proper certification mechanisms though. Still very little movement on that. I am also looking forward to the PECR and what that brings.

So how many companies were GDPR compliant?

What we found interesting though, was that 52% of survey respondents believed that they are fully GDPR compliant - an indicator that there is a lot of groundwork to cover up in small businesses and software companies industry wide. The reasons for this low number of that metric were also surprising, and that smaller businesses are less inclined to comply compared to the larger companies with more resources.

However, Joi, believed differently, CEO of Crankwheel. He said:

We took a mostly manual route with e.g. implementation of data subject rights and how we implement DPAs (it's a manual customer support procedure that we've trained our support folks in). If we see significantly more requests regarding data subject rights, or significantly more customers, we are likely to invest in tools to help with these, either built in-house or sourced externally. Same goes for our employee training etc., we are very small for now but when we grow we would be somewhat likely to invest in a tool that would help with training and compliance certification (even if not formal certification). We have a quarterly process in place to update procedures, training materials, perform new risk analysis etc. and for this, so far, Google Calendar + Google Drive (docs and spreadsheets) have proven to be enough.

Jim from Dynamic Signal spoke in the similar fashion.

Our GDPR efforts were comprehensive and we invested many cross functional resources as well as bringing in external consultants and legal support to ensure we were following all of the guidelines for GDPR and fully protecting our investors, employees, end users, and most of all our customers.

Of those that were compliant, the two main reasons for investing in GDPR compliance were in fact meeting the newly increased customer expectations and in order to circumvent the likelihood of lawsuits for non-compliance, especially given the nature of software companies and the amount of cyber threats they are up against daily.

What were our respondents reasons for lack of GDPR compliance?

Further to this, our GDPR Readiness Survey found 38% of companies believed the new regulations were too complicated, and rightly so. The idea of GDPR was to remove any kind of uncertainty or loophole opportunities from previous legislation, as well as unify the European stance on data handling and processing.

Olga, the Marketing Manager at Chanty, was also confused with the new regulation and she said:

GDPR is the 88-page monster that has struck fear into the hearts of companies slowing down growth and blocking effective marketing efforts. As a result, inboxes were swamped with GDPR consent emails that were deleted in bulk without even opening, not even speaking of giving consent. Companies had to delete entire blasts of emails from the databases that took years to build. As internet user, I don't feel the difference after May 25th. As a marketer, I feel GDPR definitely doesn't contribute to development and innovation in European business sector.

In our opinion the GDPR leaves too many grey areas in certain business environments where what should have been black and white rules are now open to interpretation. This is compounded the fact that most companies didn’t have a dedicated GDPR consultant or compliance team, with only 22% reporting compliance was managed by IT and legal.

Of those that were compliant, what steps had they taken?

Despite a clear lack of monetary investment in GDPR compliance, it was great to see that most companies, regardless of size, took steps and measures to comply with GDPR, with all software companies and SMEs we surveyed reporting that they updated their Privacy Policies to acknowledge GDPR and explain how they were taking steps to be compliant.

Adam from Better Proposal says about the GDPR:

GDPR is a step in the right direction. It's been a long time coming and it's good for businesses and consumers to have a standard in place. It's important to us to make sure people feel safe using our software and GDPR is a good "badge" to have to show you at least take it that seriously.

Software was the name of the game

The startup mentality was in fact in full swing here, as many respondents admitted to using a third party compliance software tool, instead of lawyers support, to quickly handle generating a new Privacy Policy and Cookie Consent document, although how accurate those policies are in line with GDPR and the businesses using the software is unknown.

Of all steps necessary for GDPR compliance, we found (without surprise) that vendor compliance was in fact the area with least focus from our respondents. We believe this to be not from a lack of effort, but from a lesser understanding of how to obtain the necessary documentation and agreements from third party services and data processors they were using in the course of providing their software or products. This is an area we would like to see improved by the GDPR committee, as obtaining the correct information from business critical third party processors (like analytics software, data enrichment services etc) is somewhat of a grey area, especially for smaller companies who cannot dedicate the time and resources to seek that information out from its partners.

Talking about the transparency & data processors with the third parties, Sander from Unless said:

Oddly enough, new privacy laws like GDPR have actually made it easier to do it right, by highlighting the need for transparency and compelling business owners to understand what kinds of data they collect and how they use it.

Additionally, in our GDPR Readiness Survey, 50% of software companies and SMEs we surveyed indicated that they had conducted Data Protection Impact Assessment and Data Mapping, which is a good foundation for compliancy but there is clearly room for improvement. As expected, due to the small size of most of our respondents, the budget to invest in GDPR compliancy was only €5000 annually, so it would be unfair to expect full compliancy soon after the regulations’ effective date.

GDPR Readiness Key Statistics

Overall, GDPR readiness in software companies and SMEs is an ever changing, dynamic landscape of variable compliance levels depending on budget, size of company and departmental dedication.

With regards to GDPR compliance in software companies and SMEs, what we gathered overall illustrated the following:

  • More than 52% of the companies surveyed think they are GDPR complaint (according to our GDPR Readiness Survey).
  • The two biggest reasons for investing in compliancy was the fear of lawsuits and meeting customer expectations.
  • 38% of companies think that the law is too complicated.
  • All customers have updated their privacy policy documentation in line with GDPR.
  • Privacy Policy and Cookie Consent documents are compiled using third party software tools instead of internally for the majority of respondents.

48% of surveyed companies think that GDPR has neither a positive nor negative impact on their business operations.

If you're still trying to learn more about the GDPR and want to become compliant. Get this free GDPR Guidebook.


Below are the questions and survey results from our GDPR Readiness Survey for your own interpretation

What is the employee count of your company?
Employee Size (GDPR Readiness Survey Question 1)
Where is your headquarter based?
Geographic Presence (GDPR Readiness Survey Question 2)
Do you get external help for the GDPR?
External vs Internal Help (GDPR Readiness Survey Question 3)
Which department is leading/responsible for your GDPR efforts?
Department Role in the GDPR (GDPR Readiness Survey Question 4)
Which of the following best describes your state of GDPR compliance?
Current State of GDPR Compliance (GDPR Readiness Survey Question 5)
What were your reasons for investing in GDPR compliance?
Reasons to invest in the GDPR (GDPR Readiness Survey Question 6)
What is the biggest challenge about the GDPR?
Biggest Challenge in the GDPR (GDPR Readiness Survey Question 7)
Please choose the key requirements you have already executed:
GDPR Requirements Executed (GDPR Readiness Survey Question 8)
Please choose the key requirements you have already executed with a software service:
GDPR Execution with a Software (GDPR Readiness Survey Question 9)
GDPR Budget Distribution
Annual Budget for the GDPR in SMEs (GDPR Readiness Survey Question 10)
What was the impact of GDPR Compliance?
Impact of the GDPR (GDPR Readiness Survey Question 11)
Now that the 25th May GDPR deadline has passed, how will the data privacy management change at your company?GDPR Readiness Survey Question
GDPR Importance after 25th May (GDPR Readiness Survey Question 12)
Do you plan to increase investment in technology and tools to support your ongoing GDPR compliance efforts? GDPR Readiness Survey Question
Investment in technology for the GDPR compliance efforts (GDPR Readiness Survey Question 13)

Below is a list of those companies which supported this survey and agreed to the publication of their names.

Aazar Ali Shad is the former Co-Founder of ECOMPLY, and has more than 5 years of SaaS Experience. He is a huge privacy enthusiast.

Userpilot - User Onboarding & Product Adoption Software

https://salesflare.com - An Intelligent Sales CRM for teams who thrive on technology

https://www.poptin.com - A Lead Conversion Platform

https://lemlist.com - A Conversational Email Outreach Platform

https://www.visitor-analytics.io/ - The friendliest way to view your website statistics

https://www.proposify.com/ - Get the business proposal software that streamlines the creation of quotes, contracts, and other sales documents

dynamicsignal.com - The Employee Communication and Engagement Platform

https://crankwheel.com/ - CrankWheel enables you to add a visual presentation to your phone call in 10 seconds flat. Any browser, any device, works every time.

https://contentstudio.io - The only platform you will ever need for your content marketing and Social media management.

https://www.growthdynasty.com - A Tech Marketing Agency

Publbox.com - Now You Can Create, Organize and Automate All Your Social Media - From One Place

AcademyOcean.com - Use Academies to get new leads and to turn them into loyal customers

www.albacross.com - Albacross tells you exactly who’s visiting your website and how to reach them..

www.sendpilot.co - You won't need a social media team if you use SendPilot

www.meetnlearn.com - Marketplace for online & offline tutoring

www.wunderx.com - Enabling Equipment Data Mining: Edge is coming.

starhunter.com - All-in-One Solution for Recruitment Agencies

https://www.heysuccess.com/ - a default platfrom for international student mobility and recruitment.

https://kyvio.com - We Help Trainers and Coaches Sell More, Sell Faster

https://www.receptive.io - Leading B2B SaaS companies use Receptive to build winning products

https://www.sendinblue.com/ - SendinBlue empowers businesses to build and grow relationships through marketing campaigns, transactional messaging and marketing automation.

ryd.one - Your Car Assistant

https://www.chanty.com - Join Chanty – simple AI-powered team chat. Get unlimited message history free forever.

https://betterproposals.io - Online Proposal Software

https://demio.com - A Webinar Platform Built for Marketing

https://www.flipsnack.com - Digital flipbook maker for stunning magazines

https://survicate.com - Survicate is the fastest way to collect feedback from customers.

Easyecom.io - Best inventory management software, a key to rule in eCommerce industry

Vogueestates.com - The Real Estate Solution

https://competitors.app - Track Competitors Software Tool

https://rocketlink.io - Track and retarget any link you share

http://www.subbly.co/ - A subscription ecommerce platform for entrepreneurs & marketers

www.munevo.com - Munevo wants to support people with disabilities to live independently by using smart technology

https://unless.com/ - Personalize your website to give your visitors the unique experience they deserve.

www.climedo.de - The intelligent research database with integrated electronic research management

https://nightwatch.io/ - The All-in-one SEO Tool

Folder Security - NTFS Permissions Analyzer

We Converted 50% More Leads with Cold Calling After GDPR [Case Study]


Nightmare, you’re thinking, right? You wouldn’t be alone in this assumption – we’re getting more and more people ask us for help, and we’ve seen hundreds of thousands scour the web for GDPR related information like how to stay compliant, establishing a GDPR legitimate interest and how the legislation affects cold calling.

Still thinking nightmare? You probably are, and that’s fair enough.

But, we are here to help – we’ve compiled some of our thoughts, advice and how to’s on establishing a GDPR legitimate interest, cold calling while staying legal and background info on the new regulations.

Let’s jump right in!

So, as I’m sure you know, GDPR has been on the tip of the tongue for all businesses regardless of size in the past year, with hundreds of GDPR consultants, advisors, software solutions and GDPR auditors starting up all around Europe. All of which aim to provide a solution to achieve GDPR compliance with the regulations implemented on the 25th May 2018. Let’s take a look at what GDPR actually is, the associated fines for non compliance and how it is impacting the worldwide business environment, including GDPR’s influence on cold calls and establishing a GDPR legitimate interest for outbound marketing and sales.

So What is GDPR?

The General Data Protection Regulation 2016/679, commonly abbreviated as GDPR, is a set of rules and regulations that stipulate the collecting, handling and processing of personally identifiable information (PII) such as names and addresses, IP addresses, banking information and any other data type that can be used to identify a living individual. Not only this, it provides EU residents more control over the data companies store on them, offering more power to view and request the removal of that data should they decide they want to be forgotten.

The GDPR is designed to replace the antiquated Data Protection Act and other European country equivalents, GDPR acts as a blanket regulatory system governing businesses located inside the European Union, but also requires compliance by companies situated outside of Europe that collect and process the PII of citizens in Europe. Safe to say, it’s not something that can be easily avoided.

The regulation set had been in the design process for a long time, with the aim of encompassing all potential scenarios that businesses might face in order to avoid ambiguity or grey area exploitation (although, many argue the GDPR’s regulations are widely open to interpretation).

Additionally, the purpose of the new GDPR implementation is to take a much tougher stance on how companies and businesses handle the PII of individuals, with the intent to place restrictions and minimise mass marketing, automated cold calling and spam to individuals and businesses unless there is a GDPR legitimate interest for these efforts.

Additionally, data protection legislation throughout Europe had been previously broad and differing from member state to member state, resulting in a confusing process for compliance auditing internally and by external compliance processors. GDPR is designed to harmonise data protection legislation across all EU countries, resulting theoretically in a much more sustainable and straight forward road to compliance and protection of EU citizens’ data.

Meanwhile, the potential fines for non-compliance, which were previously viewed as a speeding ticket for major corporations such as Facebook, Google or other large entities, have now been greatly increased in order to displace incentives for these large corporates to abuse the rules, with the potential to take into account the company’s revenue to ensure the fine is proportional to the their wealth.

How big are the fines?

The newly enforced levels of fines has garnered a lot of media attention and will likely worry the big Fortune 500 companies – no longer can they get away with gross data protection breaches with a cheap get-out-of-jail-free card. With a maximum GDPR fine for non-compliance running at potentially 20 million Euros, or 4% of the company’s annual turnover (whichever is greater), it will be a significant loss for falling foul of the GDPR requirements.

These are of course proportional to the level of non-compliance and the GDPR governing body allows supervisory committees in EU member states to make a judgement call and enforce less severe actions such as reprimands, warnings, or smaller fines. Still, most companies should and are endeavouring to ensure compliance. On the smaller scale, fines can be 10m Euros, or 2% of a company’s annual turnover, for less critical or large scale breaches, but which still should have been prevented.

How is it affecting the world of business and cold calling?

There has been much controversy and questions about how the GDPR will affect traditional sales and marketing efforts, such as cold calling. Now, if you found this article to discover how it will affect you, please be reassured – cold calling is not dead and the GDPR will not affect B2B efforts in the extreme case you are imagining. There are however, some suggested methods of GDPR cold calling you may not have previously employed which will only help you stay on the right side of the law, and we’ll investigate those below. Just a heads up – we are a GDPR documentation, auditing and service provider and selling to privacy professionals is no mean feat, so if we can’t stay compliant then how will anyone?

When cold calling with the intention to stay GDPR compliant, there are a few things to note. You need to have established that the business you are reaching out to has a legitimate interest in the business services you are offering. A legitimate business interest will allow for full compliance and will not be considered a spam or unsolicited marketing effort under GDPR, but you must really consider whether it is legitimately of value to your prospect (i.e. you can’t just say it is when you and everyone else knows it’s irrelevant, which is bad sales technique anyway). With B2C scenarios, we suggest to avoid cold calling altogether as usually these fall foul of GDPR cold calling regulations. It’s pretty much the same thing with cold email outreach.

GDPR Cold Calling

How We Cold Call, Establish a Legitimate Business Interest and Stay GDPR Compliant

Any kind of outbound sales efforts come with their own set of challenges when it comes to GDPR and data protection legislation, whether that is for companies governed by GDPR or other regulations like those found in the USA such as SPAM. As a company that specialises in GDPR compliance, we must always comply, usually more so than most other regular businesses, but we need to also prospect and push our sales efforts in order to survive. So, let’s take a look at some of the main pointers in how we carry out sales efforts, establish a legitimate business interest and stay GDPR compliant. Daniela Duda, one of our experts, explains legitimate interest.

What is legitimate interest?

This is how we prospected and conducted cold calls, while also staying compliant with GDPR:

  1. First, we prospected using LinkedIn and Xing in order to make use of the mass of highly targetable data they offer. We set our sights on Data Protection Agencies, who usually only have around 1-10 employees so reaching a decision making unit was likely.
  2. We did not store any personal information on our prospects. Company name and business telephone number was sufficient for us to carry out our GDPR cold calling activities.
  3. This one is interesting. Instead of directly calling an individual at the business, we called the generic line and asked the operator/switchboard to connect us with the relevant person who makes strategic decisions regarding partnerships. Although this is an extra step, it just strengthened our ability to stay compliant.
  4. Although our sole intention was to increase sales (as with any sales call), the way we pitched and structured the call was focused on establishing a mutually beneficial partnership between ECOMPLY.io and their agency.
  5. Again, as they are an agency focused on data protection compliance, and ECOMPLY.io provides GDPR Compliance Software Solution, there was a clear and indisputable legitimate business interest for them to receive our sales call and for us to reach out to them, thus preventing any GDPR related issues. We also used them as an indirect channel partner, where they could potentially promote the product to their clients or partners, meanwhile selling a license to them as well, so it was a win-win for us.
  6. We also understood their problems very well and crafted a sales pitch that they wanted to hear by addressing their problems directly. Data Protection Officers (DPOs) in Germany have many clients because the law says any company that has more than 10 employees need to have a DPO. Therefore, this role is mostly outsourced. Hence, the pitch to the problem was very targeted. External DPOs want to save time, manage multiple clients and look professional. That’s what we pitched them.
  7. Finally, and this is very important, we respected their right to refuse the call. If they were not interested, we did not follow up or continually call them to convince them, we just moved on.

What Was Our Success Rate?

Good question. We, luckily for you, gathered our metrics for our GDPR cold calling campaign here at ECOMPLY.io, and have some interesting results for you, have a peak below:


  • We successfully reached 29% of prospects we reached out to. This was pretty good taking into account how people usually ignore sales calls. Generally, if you’re reach rate (directly reaching the prospect you need) is below 15%, we suggest you change your approach to cold calling so as not to waste time.
  • Of those that we reached, we were able to qualify 69% of them, meaning they were a good fit for our product and we knew we solved their problem. Similarly, if your qualification rate is below 30%, you need a new list of more relevant leads (don’t go buying generic leads, please!)
  • We were then able to convert 51.7% of those that were qualified, which we were pretty happy with. Again, if your conversion rate is below 50%, you need to work on your pitch. Conversion means either demo or sign up by the prospect.

These metrics were taken from Steli Efti’s Close.io Blog.

Overall, we were pretty happy with these results. We have a little improvement on our pitching side to get that conversion rate up a little, bit so far it was a successful campaign and we’ll continue to invest time into GDPR cold calls – and you should too!

And finally, we’ve mentioned it a lot. What is a legitimate business interest, and how do I establish one in B2B sales?

Establishing a legitimate business interest is crucial for B2B sales and marketing efforts when you do not have prior opt-in consent. Although somewhat of a grey area, a legitimate business interest can be thought of similar to how a B2C organisation might think when marketing to a customer who has already purchased from them. For example, the business prospect should operate in the same niche or market as you, and you can therefore have good reason to believe that the party is interested in your services, thus giving you some ground to cold call.

Additionally, companies often list contact information for certain personnel publicly on their website in order to receive valuable business propositions (it’s hard to operate a business in complete isolation). This gives you a fairly strong indication that it’s okay to call the relevant company to discuss a legitimately business proposal without fear of repercussions. However, before doing any cold call, we do suggest doing your legitimate interest assessment. Here’s the resource for the legitimate interest assessment.


As you can see, it’s not as scary as you first thought right? You don’t have to close down shop or look elsewhere for work – you can still carry out your sales processes and cold calling as long as you have that all important GDPR legitimate interest. Really, all it boils down to is respecting other’s privacy, not being irresponsible when it comes to personal data and making efforts to stay compliant. That way, you’ll avoid those fines!

Want to hear more from us? Give us your details, we will only use your email address to send the data protection and privacy news, updates and content. By giving your details, you are agreeing to our privacy policy.


Disclaimer: This article is not legal advice so please seek professional legal advice to discuss your specific circumstances.

GDPR Tools & Solutions

Top 10 Free GDPR Tools and Solutions You Didn’t Know Before

Top 10 Free GDPR Tools and Solutions You Didn’t Know Before

The internet has become one of the most important technological innovations in the history of humankind as it ushered in the coming of the Information Age. It introduced the world to an even greater sense of interconnectivity and its impact can be felt in all facets of human society. Perhaps its greatest impact can be felt in economics and marketing as it paved the way for companies to reach an even broader audience and introduce innovations that allowed them to specifically target audiences with personalized forms of advertising.

Personalized advertising has quickly become the norm for digital marketing. It, however, gave rise to questionable information-gathering tactics and has raised issues regarding consumer rights to privacy. The clamor for consumer data protection grew even greater, which led the European Union (EU) to impose legislation that would govern how consumer data is collected. This new law replaces the outdated Data Protection Directive 95/46/EC and came to be known as the General Data Protection Regulation (GDPR).

The new legislation highlighted the greater need for protection in consumer data and placed more responsibility at the hands of big businesses. In the advent of the GDPR, consumers now have greater control over their personal information. Businesses now need to perform GDPR assessment over their data-gathering policies to make sure they do not face stiff penalties.

There is now a greater need for compliance. The need to comply necessitates the use of GDPR tools and solutions to ensure that consumer data is protected. That is why we’ve come up with a list of GDPR tools and solutions to help your business adhere to the policies set by the EU. These free tools and solutions providers perform automate the process of auditing and assessment of your sites to maintain GDPR compliance.

What does GDPR mean?

The General Data Protection Regulation, or GDPR, aims to assert the rights of EU citizens on their privacy and personal data and highlights the responsibility of businesses doing business in and with the EU in handling the personal data of their citizens.

Under the GDPR, individuals have certain rights to their personal information. These are:

  • The right to access
  • The right to be forgotten
  • The right to data portability
  • The right to be informed
  • The right to have information corrected
  • The right to restrict processing
  • The right to object
  • The right to be notified

The new regulation gives individuals, prospects, customers, contractors, and employees more power over their data and takes away power from organizations that collect data for monetary gain. Non-compliance will leave businesses facing hefty fines, which can amount to 4% of their annual global revenue, or 20 million Euros, whichever is greater.


Why is GDPR necessary?


The existence of the GDPR is the European Union’s response to public concerns over data privacy. Even before the internet became the business powerhouse it is today, the EU’s Data Protection Directive, released in 1995, was placed to protect any individual’s data with regard to their processing and free movement.

With increasing accounts of high-profile data breaches, public concern over privacy continues to escalate. In fact, an RSA Data Privacy & Security Report indicated that around 80% of consumers in Germany, France, the UK, Italy, and the U.S. have lost pertinent financial and banking data. Lost security and identity information were among those that were highlighted as areas of high concern.


The establishment of the GDPR aims to ease public concerns over the storage, sharing, and security over private information. Not only that, companies are held more accountable in handling these pieces of information. This highlights the need for GDPR solutions through GDPR assessment to


What Types of Data does the GDPR Protect?


The requirements set by the GDPR have significantly altered the way companies can gather information and make use of these pieces of information. These guidelines protect:


  • Web data such as IP addresses, locations, cookies, and RFID tags
  • Information related to a person’s identity such as the names, ID numbers, and addresses
  • Ethnic or racial information
  • Genetics and health-related information
  • Biometric information
  • Sexual orientation
  • Opinions on politics


The GDPR imposes strict penalties for those that breach the GDPR – penalties that we’ve covered above. This is why compliance with the GDPR rules and guidelines is extremely necessary.


In order to speed up the process of compliance, we’ve come up with a list of free GDPR tools to help with your company’s GDPR assessment strategies. Keep in mind that GDPR solutions like these are extremely valuable in today’s internet landscape so make sure to check them out.


Top Ten Free GDPR Solutions and Tools:

  1.   Ghostery

Ghostery is a user-friendly browser extension that allows users to browse faster and smarter by controlling ads and the way they track your data. They make use of state-of-the-art tracking technology to make sure your information is safe and secure.

  Key Features:

  • Blocks third-party data-tracking technologies
  • Removes advertisements to eliminate clutter
  • Page optimization to make pages load faster by automatically blocking and unblocking trackers to meet page quality criteria
  • Customize the information users can see to display only relevant information
  • Enhanced anti-tracking and ad-blocking technologies to create safer browsing environments
GDPR Tools and Solutions
Ghostery Product Screen Shot
  1.    Cookie Script

Cookie Script is a GDPR tool that helps websites comply with European Cookie Law and the GDPR. It incorporates various functionalities that users care for and have requested, such as an all-in-one suite to control various websites from a single account, ability to delete cookies before user opt-in, consent withdrawal, platform versatility, and a self-hosted solution to make sure sites are GDPR compliant.

  Key Features:

  • GDPR tools to help comply with the EU e-Privacy directive and the GDPR
  • Offers various design options
  • Ability to control first-party and third-party cookies
  • Data consent tracking
  • Geotargeting that shows privacy policy pop-up for users from EU countries
GDPR tools and solutions
Cooke Script Details
  1.   Let’s Encrypt

Let’s Encrypt is a global Certificate Authority (CA) that allows people and organizations around the world to obtain, renew, and manage SSL/TLS certificates. It is an automated GDPR assessment tool that makes it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate without human intervention, allowing sites to provide more security over user information while using sites.

  Key Features:

  • Can generate ECDSA root and intermediates that can be used to sign end-entity certificates.
  • Employs TLS ALPN Challenge support for users who only want to use port 443 for validation.
  • Makes use of and installs a plethora of security certificates to enforce data security and privacy.
GDPR Tools & Solutions
Let’s Encrypt Website


  1.   Activemind Privacy Policy Generator

Activemind is a consultancy agency that assists in GDPR assessment strategies to improve data protection and management and ensure that sites are compliant with the GDPR. They employ a wide variety of GDPR tools & solutions to help companies and organizations fulfill legislative requirements set by the GDPR.


  1.   CNIL

 Commission Nationale de l’Informatique et des Libertes, or CNIL, is a French data protection authority that aims to protect data and preserve individual liberties while also ensuring that innovations are supported. CNIL publishes a free Privacy Impact Assessment tool to ensure the lawfulness of processing data to enforce user rights over data. The tool is designed to build site compliance with the GDPR.

  1.   Trew Knowledge

WordPress makes available a variety of GDPR tools aimed at ensuring site compliance with the GDPR, the highest-rated of which is GDPR by Trew Knowledge. The plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.

Key Features:

  • Consent management
  • Privacy Preference management for Cookies, with front-end preference UI & banner notifications
  • Rights to erasure & deletion of website data with a double opt-in confirmation email
  • Re-assignment of user data on erasure requests & pseudonymization of user Data Processor settings and publishing of contact information
  • Right to access data by admin dashboard with email lookup and export
  • Right to access data by Data Subject with front-end requests button & double opt-in confirmation email
  • Various other features that ensure GDPR compliance



  1.   AvePoint Privacy Impact Assessment (APIA) System

The Avepoint Privacy Impact Assessment (APIA) System automates the process of GDPR assessment and evaluation and keeps you updated on the process, ensuring that compliance-related efforts are going on the right direction. It helps monitor activity and progress throughout the process. It also supplies categorized suggestions to help close existing gaps with regards to people, technologies, or processes.

Key Features:

  • End-user reporting on access to site traffic, search usage, active users, checked-out documents, and top documents
  • Compliance and governance reporting to security and compliance officers for easy identification of suspicious activity
  • Office 365 support for records management to improve automated conflict resolution
  • Content archiving approval to empower end-users to review content prior to archiving
  • Virtual machine backups for improved protection on virtual elements
  1.   BayLDA

The Data Protection Authority of Bavaria for the Private Sector (BayLDA) is another data protection authority that is mandated to enforce data protection measures under the GDPR and ensure that data protection laws are followed by data controllers. They provide GDPR assessment services and inspections on existing organization policies to make sure the laws are being followed and take action when breaches are committed such as crucial data processing and sharing.

GDPR Tools and Solutions

  1.   Webskoll

Webskoll is a cookies analyzer and helps you understand how privacy friendly your website is.  Web Privacy Check monitors privacy enhancing features on websites and helps you find out who is letting you exercise control over your privacy. We check to what extent a website monitors your behavior and how much they gossip about the monitoring to third parties. We’ve also compiled a set of recommendations for web designers and managers on how to not track or gossip in digital environments. We also suggest questions and feature requests from users of websites who want to alert webmasters to the opportunity for improvement.

Key Features:

  • Sharing cookies that the your have on your website
  • Sharing the indexes
  • If you have a secure connection

  1.   ECOMPLY.io

ECOMPLY.io provides GDPR assessment that come with an easy-to-understand, clearly-stated step-by-step plan towards creating policies that ensure compliance. Their GDPR solutions allow easy application on any platform, which incorporates features that save 70% GDPR preparation and documentation time by giving the right answers to the right questions, even without legal assistance from any lawyer.

Project management & workflow strategies employed by ECOMPLY.io provides any organization and business with a clear report of any requirements currently needed to ensure compliance. We offer a free 14-day trial that can surely bring your organization multiple steps closer to compliance. Plus, we give a FREE GDPR Gap Assessment to help identify key issues and help you come up with an action plan.

Key Features:

  • Clear instructions towards GDPR compliance
  • Saves you time on familiarization because their GDPR tools are easy to use
  • Compliance progress tracking
  • Multi-user management for every team
  • Reports are easily exportable as beautiful PDFs
  • 1-click assignment of data flows
  • Provides automatic reminders of progress
  • All data protection efforts come in an all-in-one platform
  • Automatic vendor management
  • Attachment of compliance badge as a demonstration of compliance after successful strategy adoption
  • Multitudes of templates are available to suit your needs
  • Compliance for both controllers and processors

Offer: If you make less than €1000 as a business. ECOMPLY.io is going to offer the solution for FREE.



The General Data Protection Regulation, or GDPR, has indeed changed the way data can be collected and certainly brought with it still penalties for non-compliance. Choosing not to do business with the EU in lieu of compliance is also not an option. These essential GDPR tools and service providers can surely be of immense help to businesses and organizations as they employ strategies and policies that will help them comply with the new regulation. Remember that these GDPR tools & solutions have several benefits that can make the process of compliance much easier and more efficient.

So, which free tool was your favorite? Which one are you going to use?

Do I need a Data Protection Impact Assessment to avoid GDPR fines?

Do I need a Data Protection Impact Assessment to avoid GDPR fines?

Companies due to rapid technological development can conceptualize and develop new and innovative business models. However, a lot of times companies introduce changes within their workings that requires them to process huge amounts of data. In this case, they have to do a Data Protection Impact Assessment (DPIA). If you conduct a DPIA, it will help you understand and execute compliance to avoid GDPR fines.

Everytime, you make a change, according to the General Data Protection Regulation (GDPR), you need to do an impact assessment. The change you introduce can be a technological one or a structural one. Regardless of the type of change, you need to do an impact assessment. If you fail to carry out this assessment, it can lead to GDPR fines of 20 million or 4% of revenue, whichever is higher.

In this article, we aim to provide businesses with a basic understanding of a Data Protection Impact Assessment (DPIA). We also give you the pointers you need to conduct one to avoid gdpr fines.

Who needs to do a Data Protection Impact Assessment?

We have so far in our research and experience not found an answer that experts would agree upon. GDPR enthusiasts have not been able to answer it sufficiently. We came up with some pointers to make it easy for you to understand. Here are the essentials you need to consider in order to avoid the gdpr fines:

  • If your organization processes Special Categories Data (refer to the Defining Data Categories under the GDPR to know more)
  • Companies/organizations that process data on a large scale (refer to the Defining Large Scale section to know more)
  • If your organization/company does profiling of individuals
  • Companies/organizations that directly target their service/product towards children


Article 35 of the GDPR also allows Data Protection Authorities (DPAs) to issue blacklists of Processing Activities. These lists contain all activities for which you are required to conduct a DPIA to avoid gdpr fines. You can add these in your DPIA template as well to refer to later. Here’s a list that the German Authorities have come up with.

Below is Daniela Duda’s (a renowned specialist in Germany) answer to this question.

Privacy Impact assessment

What is a Data Protection Impact Assessment?


The European Union (EU) introduced the Data Protection Impact Assessment as a tool under the General Data Protection Regulation (GDPR). The GDPR recommends it for doing a risk analysis of the threats that a processing activity in a business entails.


If you introduce a new technology in your organization which automates processing activities you need to do an assessment. You need to leverage it to assess and ultimately reduce the risks of the processing. If you reach the conclusion that it results in considerable harm for the individuals involved, consult the DPA as well.


The Data Protection Impact Assessment will help you organise your projects as well as simultaneously help you dodge gdpr fines.


What does the General Data Protection Regulation (GDPR) say about DPIA?


According to Article 35, you as a controller are responsible for carrying out an assessment:


“Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”


Article 35(3) stated above lays out the rules for when exactly an assessment needs to be carried out. In short, it states that you have to carry out a data protection impact assessment for any type of processing. It becomes especially important when you introduce new technologies, and analyse how data will be processed using these technologies.


Moreover, you need to take into account the nature, scope, context, and purposes of the processing itself. If you recognize a high risk to the rights and freedoms of natural persons then go back to project planning. You must integrate a data protection impact assessment before you start the project. You, as the controller, also have to consult with the relevant Data Protection Authority (DPA) if there are high risks.


If you use the DPIA template or customize it for use by your company, add the article of the GDPR. This will serve as a guiding legal basis and can be referred to at any time.


Defining Nature, Scope, and Context


To make it simpler for you to understand, let’s take an example:


A hospital records and processes the health data of its patients. The nature of the processing is defined as the type of data that you are processing. For example, as a doctor you collect blood samples and the history of illnesses. You use this data to prescribe a treatment or medicine so the person can recover.


All this data, under the GDPR, is categorized as PII. The scope of the processing is defined as the scale of your processing activity. Basically, it asks who has access to data and how much data are you processing. So, in our example a doctor examines 30 patients after listening to their complaints and records their information. This data can be processed by 15 doctors who have access to the data. So nurses for instance, cannot access the data. Processing is also not automated. A doctor can look at the stored data but there is no algorithm that analyses it and suggests a diagnosis. In the future, those 15 doctors can use this data to diagnose the patients as well. You need to define how long you keep this data as well in Records of Processing Activities document. This would be the scope in our example.


The context is defined as the situation in which the data is recorded and processed. In this case, it is the hospital and the legal basis is consent. So when a patient comes in, you need to explicitly ask them for consent for their data. If it is a regular patient, you won’t need to do this every time they come in. However, if you change something in the processing then you need to inform them again.


These pointers need to be clearly mentioned and sketched out in your DPIA template.


Defining Data Categories under the GDPR

If you understand these categories, you can conduct a Data Protection Impact Assessment easily. You can also train your project managers to be able to distinguish between data categories. The General Data Protection Regulation defines personal data as any information of an individual which can help you identify them.

This data could be any professional data or any other private data that a person can have. It also includes data that is indirectly identifiable through cross referencing. An example is a matriculation number assigned to you at university or your IP address.

Special Category of data is another typology of data under the GDPR as set out by Article 9. It lays out the framework for processing of sensitive data. Sensitive data is defined as any data that could reveal the racial and ethnic origins or political or religious views. It also includes any data that reveals trade union membership, health data or other biometric data.

If you process sensitive or personal data you needs to record it under the GDPR as Records of Processing Activities documentation. You need to do this record keeping for all processing of data.

Further Data Categories

Here are some further definitions, according to Pegasystems, that you might find useful:


Data concerning health is defined by the GDPR as personal data related to physical or mental health of an individual. It includes the provision of health care services, which reveal information about his or her health status.

Genetic data is defined by the GDPR as personal data relating to inherited or acquired genetic characteristics of an individual. It includes data that gives unique information about the physiology or the health of that natural person. It’s any data that you get from an analysis of a biological sample from the natural person in question.”

Biometric data is personal data from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual. It’s any data which allows or confirms the unique identification of that natural person. Examples are facial images or dactyloscopic data. (Pegasystems, 2018)

Defining Large Scale


Processing data on a “large scale” is difficult to define and there is much ongoing debate about the legal terminology. If you process data on a large scale, you have to conduct a DPIA to not get gdpr fines. So what exactly is large scale? According to EC Europa:


“The GDPR does not define what constitutes large-scale. WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
– The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
– Volume of data and/or the range of different data items being processed
– The duration, or permanence, of the data processing activity
– Geographical extent of the processing activity.”


This is also what we know for sure:


  • If you’re processing Special Category data, then even with one data subject because you have to conduct a DPIA. Add this as a footnote in your DPIA template.
  • As a freelance practitioner, any number of data subjects more than average require a Data Protection Impact Assessment. Examples of freelancers are doctors, lawyers, or other professions dealing with clients. Any number of data subjects more than average in your particular field is considered large scale.
  • Similarly, as an organisation where data processing is an integral part of your business you need a DPIA. If it is a regular activity then based on the following factors, you can justify why or why not you are processing on a large scale: number of data subjects, the volume of personal data and geographical locations.

Here are some examples you can add in your Data Protection Impact Assessment:

“…processing of patient data in the regular course of business by a hospital, processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards), another one is processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in these activities, processing of customer data in the regular course of business by an insurance company or a bank  processing of personal data for behavioural advertising by a search engine processing of data (content, traffic, location) by telephone or internet service providers.

Examples that do not constitute large-scale processing include:
the processing of patient data by an individual physician
processing of personal data relating to criminal convictions and offences by an individual lawyer” (EC Europa, 2018)


As a form of guide and for your Data Protection Impact Assessment to effectively help you avoid fines, you can add these examples to your DPIA template to serve as a tool for understanding the process.  Different Project Managers then can refer to the same document.

When is it necessary to conduct one?

You need to carry out a Data Protection Impact Assessment (DPIA) when you do systematic and extensive profiling. You also need to carry it out when you do significant decision-making about people. Especially, when it is done through automated processes or algorithms. When you use new technologies to process data on a large scale you need to do a Data Protection Impact Assessment.

Moreover, if you use technology that processes special category data or criminal offence data an assessment needs to be carried out.  Any technology with which you process personal data and criminal offence data, you need to have a pertaining DPIA for it.

When you use profiling, automated decision making and processing of special category data do a DPIA. Especially when you use these processes to make decisions on opportunities and access to these opportunities, services or benefits. For example, getting a phone or network contract from a carrier or getting a loan.

Regular and Systematic Processing

When your organisation indulges in regular and systematic monitoring, a Data Protection Impact Assessment becomes necessary. EC Europa sums up the notion of systematic monitoring:


“The notion of regular and systematic monitoring of data subjects is not defined in the GDPR. But clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.”


If you are combining and accessing data from multiple sources to compare or match, a DPIA is also recommended. For instance, making shopper’s profiles from data you get from their social media public profiles or online shopping behaviour. If you are tracking the online or offline location and generate data through it, then a DPIA is also essential.


In case your company is processing children’s personal data you need to do an assessment. Even if you do this through automated decision-making or for marketing it requires a Data Protection Impact Assessment. You will also need a consultation with the DPA if the service or product is being marketed directly to them.


If you identify that processing of personal data could result in a risk of physical harm an assessment is required. Physical harm under the GDPR is considered very serious in nature.


How to conduct a Data Protection Impact Assessment?


Companies need to conduct a Data Protection Impact Assessment before the start of the project especially before the start of processing.


Step 1: Describe the Processing

You need to describe in detail the nature, scope, context and purposes of the processing. Make sure that you ask your data processors to collaborate with you in order to fully understand and document their processing activities and identify any associated risks.


For instance, if you are tracking shopping behaviour, you would define the scope of the tracking. What exactly do you track? Do you track what consumers buy, the products they look at, how long they look at a product? This needs to be stated clearly.


You also need to state why exactly you are doing the tracking: to make useful, personalised, recommendations. Answer the question of how you protect the data. Where the servers are located, what’s the necessity of the processing activity and basically answer all the questions that you would look at when you do your standard records of processing activity. You need to document all of this for your processing activity.


Step 2: Identify the risks of the processing activity

Work together with your team to identify all the risks that this activity might have for the rights and freedoms of the individuals from whom you are collecting the data. We check that the processing is necessary for and proportionate to our purposes, and describe how we will ensure data protection compliance. The assessment of severity of risks to individuals rights and interests needs to be done as objectively as possible.


Step 3: Document everything!

You need to document all of this for your DPIA including any disagreements you have with your Data Protection Officer (DPO). After documentation, you can move forward to implementing the measures you have integrated into your project planning.


Hauke Holtkamp advices companies to “…track statistics as opposed to making profiles.” He elaborates by giving the example of ECOMPLY.io:


“We want to understand how our users go through each step to comply with the GDPR. To see how much time our users spend on each step so we can make the app better by analysing further the steps where more users get stuck. It can easily be done anonymously by not making profiles of our users but just by looking at statistics of each step. This way we incorporating the principles of privacy within our app.”


Data Protection Impact Assessment

Challenges of conducting a DPIA


When companies use external parties to conduct a Data Protection Impact Assessment, the challenges they face are that the clients do not want to carry out the Data Protection Impact Assessment due to lack of awareness of what it constitutes and what its consequences might be. Therefore, usually there’s a fear that somehow carrying out one would result in restricted business practices and options.


Another issue is the lack of information to enable a Data Protection Impact Assessment to be carried out fully. This is due to two reasons, first because the GDPR is relatively new and only a small percentage of the companies are somewhat compliant. This means that they are not fully aware of their data pathways and trajectories making the documentation in the DPIA a bit difficult to complete.


There’s also a negative connotation attached to the Data Protection Impact Assessment that it is extremely arduous and time-consuming. This puts off companies from embarking on any such assessment or investing time or financial resources into it even if it means huge gdpr fines.


Hauke Holtkamp, Cofounder of ECOMPLY.io, having talked to their customers says that the:


“The biggest challenge for our customers is to figure out where to start since right now there’s not much reference material. Also, a lot of business model depends on some non-compliant processes. However, a DPIA is a good instrument for realizing where in your business you have non-compliant processes.”


Benefits of a Data Protection Impact Assessment


Conducting a Data Protection Impact Assessment before the start of a project will allow you to be aware of the information flow within the project from the very beginning.


  • It will improve your communication regarding data privacy to different stakeholders
  • You can garner confidence among your user-base and customers that you process their data responsibly
  • Your organization can ensure that your users are not at risk and reduce the costs for when a security breach does take place
  • It will also help you reduce operational costs by optimising the flow of information
  • You will avoid gdpr fines by maintaining compliance




The GDPR is still a relatively new legislation and the DPIA has not been conducted by businesses at this point. It is firstly, extremely important to map all your business data flow and train your staff to understand how data flows through your business and is processed.


Your organization should also train staff to assess when a DPIA is needed and how to conduct it. You should see this as an integral part of compliance. In general,you should conduct a DPIA for any new process, employee or organization measure that you change.


According to Hauke Holtkamp:  


A Data Protection Impact Assessment to avoid GDPR fines is incredibly hard to do as a business. First thing you should do is get structure of your processes. If you can formulate an ordered list of processes and go through it like a checklist stating which one is “harmful” and which is “harmless”. This will make it easy to structure the carrying out of the assessment if you have a good understanding of your processes. In the end, if you identify high risks for certain processes, make sure you implement measures to reduce those risks.”

PH Launch

How Startups Can Have a Successful Product Hunt Launch

How Startups Can Have a Successful Product Hunt Launch

As a start-up, it can be hard to launch when you are still trying to create a space for yourself in the market. On top of that, as a new start-up, you are probably low on employee days and might even be lacking some skills. If you do not have a skilled marketer or content creator, then you need to either spend the time to acquire these skills or use finances to hire a freelancer or a skilled employee. All in all, if you plan it correctly and involve your whole team in it, you can pull it off without any big hitches. We were a group of 5 people and we made it to the top ten products of the day on Product Hunt! Here’s what we learned out of the experience:

  1. Getting a popular hunter can help

We decided to go without a popular hunter which meant that we had to spend considerable effort on marketing material and activities. If you have a popular hunter launch your product, it
gets traction more easily. Since the hunters usually have a huge following, every time they launch a product their followers get a notification.

  1. Engage with communities

Two weeks before the launch, you should look for all the groups on social media channels like Facebook, LinkedIn and even Slack Open channels. Join the channels and start engaging with the members there. You can either do this by posting relevant questions or content
in the group. Be genuinely interested in that groups’ owner, their purpose, their interests and their members. As a start-up, it’s also good to attend some meetups and engage with people. Divide the work according to fields and functionalities of your team members. For instance, our developers engaged with all the development groups while our sales team members talked to other
sales reps.

  1. Tease before Product Hunt

Make sure you build up a pre-launch hype! As a start-up, your product, of course, is not as well-known as those of established companies. Use this launch to create awareness around your product/service.

Product Hunt

  1. Algorithms of Product Hunt –  This is what we know with some certainty about the PH Algorithm:

Contributors and Makers upvote count more
Recommendations and comments count more
Only upvotes don’t count as much especially coming from new members

So, make sure you target your pre-launch hype and marketing efforts at existing Product Hunt contributors. Becoming a contributor also takes a while so if you are getting your friends, family, colleagues or acquaintances to upvote, make sure you start telling them a week
or two before launch so that they can at least become contributors. Have a plan to get at least 100 genuine upvotes from the contributors. Not someone who just signed up. This goal will help you guide your launch.

  1. Find a way to reward your customers and educate them about Product Hunt

    Early adopter FOMO (fear of missing out) is a thing and you need to use it! Get all the techies excited about it especially your customers. No matter how many customers you have, make sure you inform them of your reward scheme if they support you in your launch. Make a good
    offer: discount or a good deal should always do the trick. Also, something like an ‘early bird’ discount or early access works.

  2. Get customer testimonial videos to post on maker story

If you already have some customers who are happy with your product, find a way to market their testimonials via a photo, video or some other way. You can either add this to your Maker Story or use it as part of your pre-launch marketing.

  1. Involve the whole team and GET YOUR MARKETING READY!

Your whole team should be aware of the launch! Make sure you have your whole company on board. As a start-up, you will need all hands on deck!

Product Hunt

You need GIFS, thumbnails, a well-written maker story, Facebook cover photo and profile photos as well as Twitter and LinkedIn banner. The most important thing is that you have tested different channels beforehand and know which ones work for your target audience. Whether it’s social media or Google advertisement, you need to figure this out for your marketing efforts to be impactful. Give yourself 4-5 weeks to prepare in advance for the launch and keep all your messages simple and to the point. If you have a big customer, you should get them on board to support you. Ask them to launch your product on their website and to their users/customers as well.

  1. Don’t ask people to upvote

This cannot be reiterated enough! You have probably already come across this piece of advice through several different channels and that’s essential because it is extremely important that you only ask for feedback and assessments. Asking for upvotes will impact your ranking negatively. Don’t be sad if you don’t become Product Hunt’s product of the day. Sometimes one of the big companies launches a product on the same day catching you unaware.

  1. Product Hunt is not a one-time thing!

You can keep launching free or smaller products depending on what you are doing. New updates and features are always something that you can create a launch around. Make sure your Product Development and Sales teams are aligned on the launches. What you are launching and when! Your whole company should be a part of the launch’s preparation and execution. You can even schedule several launches with your product team.

  1. Set smart goals and measure them

Product Hunt is not just about launching a new product, it can have several goals. You can get feedback on your prototype through a launch, make your product better or simply gain customers, gain more traction for your website or simply get the word out there about your product. Set the goal before you start with your marketing and planning. Come up with relevant metrics in line with the goal so you can concretely measure your performance and what you can do better in the next launch.

Here you can check out our first launch on Product Hunt and we have another smaller one too!

Take half a minute to sign up with us and make your business GDPR compliant to avoid all those big fines!

GDPR Compliance

25 GDPR Compliant Software Companies - The Trustworthy Vendors

25 GDPR Compliant Software Companies – The Trustworthy Vendors

Many software companies claim to be the GDPR Compliant Software. But it takes a lot for companies embedded in our current structures to fundamentally change their business practices and processes to comply with a change in legislation. When the General Data Protection Regulation (GDPR) was introduced, it required exactly this kind of strenuous effort and commitment from companies in order to be compliant. The process of GDPR compliance is, of course, a long-term and continuous process.


Companies do not only have to internally modify the way they work but also have to pay attention to the vendors they pick and work with. The vendors basically include all the softwares that you will use whether it for sending marketing emails or a Customer Relationship Management (CRM) System. To make your life easier and also to celebrate the hard work of companies who have successfully embarked on the GDPR compliance process, we decided to compile a list of vendors who are GDPR compliant. So here it goes in no particular order:

GDPR Compliance Software



Basically, a Marketing software that allows you to analyse, optimise and personalise your website with different tools all in one place.

They have clearly thought out their GDPR compliance process since they have all the essentials of a responsible data processor. To offer GDPR compliant services for A/B Testing and heatmaps is not an easy feat but they have proven that it is in fact achievable! They have an opt-out button that you can use and their privacy policy from their parent company: Freshwords is quite comprehensive. This GDPR compliant software has the most detailed information about their practices.

For more information, check out: Freshmarketer


This software allows you to make surveys with a high completion rate due to the conversational nature of their surveys. Our favourite part is their empowering approach to the GDPR where they state:

“We are the facilitators who make data processing and management simple for you. You control and own your data!”

They also transparently give you a short checklist of everything they have done to comply with the GDPR.

For more information, check out: Survey Sparrow


Another automated sales email outreach software for your business that allows for integration with your Google account, Exchange account and Office 365 account among many others.

We love that they already had an effective GDPR program starting 01.01.2018 where they provided the status of their different GDPR related activities. Not only that, their GDPR compliance page follows a simple question-answer format to make it simpler for anyone to read as well as answer any questions people might have. They also have a GDPR e-book that they have created from their own experience!

For more information, check out: Woodpecker


If you have a huge number of subscribers whom you want to reach out to then this is the GDPR compliant software that you should get. It offers integrations, automation through time-based onboarding and drip sequences among other features.

They have added Full GDPR compliance in their Added Features List. All their servers are based in the European Union (EU) and they also have a checklist of what they have done and one for you to know how they keep you compliant as a Vendor.

For more information, check out: EmailOctopus


This service allows you to make your own creative pop-ups that can effectively pop-up at intervals that would increase conversion for you.

They have followed ECOMPLY.io’s steps and are endorsed by us in their GDPR compliance efforts. They have comprehensively done all their Records of Processing Activities as well as have an updated privacy policy and Data Protection Agreements with vendors. And they did such a great job of completing all the steps in our app that they earned a Badge! Well done, Poptin!

For more information, check out: Poptin


This Conversion software allows you to personalise your content by segmenting your website visitors and providing them the relevant content accordingly. And of course, they do this in a GDPR compliant way.

According to the GDPR, they are a processor and their “Data Processing” description on their dedicated GDPR page shows that they really have thought through their compliance. Their customer can understand how they are keeping their data secure as well as who is their sub-processor. Their page and privacy policy is comprehensive making them another transparent and compliant vendor.

For more information, check out: Unless


Another Marketing vendor that has clearly made considerable efforts to become GDPR compliant. These are the features they provide: Powerful Retargeting, Custom Domains, Branding, Smooth Link Shortening and even QR codes for your marketing efforts.

Their GDPR compliance seems very consumer oriented and empowering. This can be seen in their headline for the contact form that goes straight to their Data Protection Officer. It reads:

“Exercise your rights under GDPR”

You can submit your request by choosing it from the drop-down box and then submitting it. Very interactive compliance!

For more information, check out: RocketLink


This one is all about driving up your conversion through effective link shortening and sharing for various advertisement activities. It even allows you to personalise your 404 error when one of your links doesn’t work.

They help their European Customers gain consent for their advertising activities very simply! Here’s how they do it:

“Display a customized CTA only to your European visitors and automatically fire the pixel based on your visitor’s choice.”

Their updated privacy policy informs their customers of their rights under the GDPR!

For more information, check out: PixelMe


Are you a tweeting marketer looking for followers? Then this is the tool for you. It finds you followers from your target market.

It’s privacy policy and GDPR compliance is so well-structured that if you are looking for a specific piece of information or have a particular question, you can simply click on the relevant question headline and it takes you to that part.

For more information, check out: Jooicer


This one is for marketing agencies and managers who collaborate with teams and clients regularly. You can create, share, get feedback and get approved the content that you create for your company or other companies easily.

It is a US based company but they have an updated privacy policy that reflects their GDPR efforts. Their privacy policy tells you exactly the type of data they collect through their service but also through cookies and other tracking technologies. They also have a dedicated email address where you can submit your Data Subject Access Requests and they promise to acknowledge and process them in 30 days.

For more information, check out: Gain


Another US based company for Retail Marketing Automation via Facebook Messenger. Basically, it helps with closing sales and building valuable long term relationships.

Their Privacy Policy is pretty straightforward and because they work with Facebook as their main partner (which we can imagine isn’t easy given the loss of trust they recently faced from consumers), they do a pretty good job of effectively providing links to privacy initiatives from their partners. They provided their customers with the GDPR compliant policies of all their big partners like Amazon and Shopify!

For more information, check out: Shopmessage


For content marketing, optimization and social media marketing: Elokenz offers a range of these services to bloggers and content marketers.

We have to say that its Privacy Policy in line with the GDPR is absolutely on point! They provide you with a policy summary that is easy to go through and then just below it you can delve into details if you need to. Not only that we love that they have little icons in the summary. Talk about marketing the privacy policy!

For more information, check out: Elokenz


GDPR Compliant Software


If your business is based on a huge volume of calls, this is your software to optimise the distribution and attendance rates of your calls. You can use the data from marketing initiatives check which campaign made your phone ring or how your call agents are doing.

Since they will clearly be dealing with a lot of data, we were very curious to find out what efforts they had made to be GDPR compliant. Their privacy policy is updated in line with the GDPR and they also guide the reader to the relevant part:

“If you are a visitor of a site which is running services provided by Ringostat (“Ringostat Enabled Site”), the ‘End Users’ section of this Privacy Policy applies to you.”

For more information, check out: Ringostat


Designed for Small and Medium Businesses, Reply is a comprehensive Sales Platform that helps you take your sales to the next level. The platform also automates outreach to potential employees and bloggers as well as influencers for PR purposes.

We find their little GDPR Ready icon at the top of their page absolutely brilliant! Once you click on this icon, they give you a detailed overview of their responsibilities and the contact people in case of any issues. They serve as an example of how GDPR actually increases trust among your customers if your business remains transparent about their data collection activities.

For more information, check out: Reply.io


Taskdrive allows you to outsource your lead research so you can focus on other tasks. The service is pretty straightforward and so is their GDPR compliance. They have the consent checkbox for their forms that prospective customers provide their data through. They also clearly state that “consent is voluntary”. Their privacy policy is updated and they also provide the link to their data retention policy.

For more information, check out: Taskdrive


Here’s a tool that combines different tools all in one. It offers CRM, HRM, invoices, reports, contacts and projects all in one platform. It makes collaboration easy and makes managing projects very convenient too.

Their GDPR efforts are clear through their updated privacy policy and their dedicated GDPR page. They clearly have incorporated the principles of the GDPR in their business and this is our favourite part:

Revisiting GDPR compliance regularly.

As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this document at least once per year to ensure that all of the information is accurate and up-to-date.”

For more information, check out: Teamwave


This tool helps you create and automate your sales funnel. It allows for a range of different integrations with mailboxes and also helps your Sales team collaborate.

Their GDPR compliance can be seen in their Privacy Policy which has detailed content on all their GDPR related efforts. Not only that their CEO personally was involved in all their compliance activities. The have divided their privacy policy by content and function so it is easy for their business customers to see. They also link the privacy policies of all their vendors so their customers can trust their services. 

We are also using Salesflare because their focus on GDPR compliance is a priority. We also believe that they are the GDPR Compliant Software company because we regularly see their documentation.

For more information, check out: Salesflare


This International Google mail oriented Customer Relation Management (CRM) System allows for carrying out sales, support and hiring activities all from your inbox.

Their commitment to data protection is evident in the fact that they comply with both the California Online Privacy Protection Act and the GDPR. Not only that their dramatic Privacy Policy sub-heading gives us goosebumps:

“We never share potentially dangerous information. We stand by our no-spam policy.”

For more information, check out: Streak


If you are looking for a Customer Relationship Management tool that is built on the basic principles of GDPR and allows you to take consent before recording any information through webforms and opt-in check boxes, but also it allows you to deal with all the Data Subject Requests that you might get.

“Freshsales makes it easy to view, export, and delete records in a single click!”

This is in line with the rights that the GDPR empowers users with to ask for their data at any point.

For more information, check out: Freshsales


This Belgium based Sales automation platform has warmed our Data-Protection-crazed hearts. Not only do they have an updated Security Policy, they also have a Privacy Policy with all the vendors as well as the right information to make their users aware of their rights. And they don’t stop there! They even help their customers understand the GDPR with the frequently asked questions on a dedicated GDPR Page. They even clarify the role of cold e-mailing under the GDPR, which has been on the minds of a lot of businesses:

“The GDPR does not outlaw the use of cold emailing, as long as the emails you are sending are directed to people who will find their content useful. Certain requirements also need to be fulfilled nonetheless:

  • The topic of the email must be clearly identified.
  • There must be a clear way to opt out from future emails.
  • A genuine physical address must be included in the email.
  • The sender must be clearly identified.”

For more information, check out: Prospect.io

GDPR Compliant Software


Another subsidiary of Freshworks: it provides its customers with an automated IT help desk which combines IT Project and IT Asset Management. Freshservice shows its commitment to the principles of the GDPR through a dedicated page that informs its users of the steps Freshservice has taken to be compliant as well as the specific features they provide to make their help desk and consequently your business (if you use them) GDPR compliant. Not only that, Freshservice seems to have mastered Privacy by Design as they themselves claim:

“Programs, projects, and processes at Freshservice are aligned to Privacy Principles right from the inception of an idea or project…”

For more information, check out: Fresh Service


Crankwheel is a screen sharing tool that works on any device and apparently also with a bad network connection.

Within their privacy policy, they have divided their sub-processors into function based categories and they link their respective privacy policies. Their headings are concise and add value to the content of the privacy policy. They even give advice on how their customers can comply in their privacy policy:

“How Data Controllers Using CrankWheel as a Data Processor (Sub-Processor) Should Prepare”

For more information, check out: Crankwheel


This workflow management tool simplifies your daily work tasks by helping you create a process list and a checklist to see what has been done and what still needs to be done for certain repetitive tasks at work. It basically simplifies your work by allowing for integrations as well as reusing checklists and procedure documents.

It comes as no surprise then that their GDPR compliance is succinctly explained in an article: GDPR Statement. Simple and easy just like the gist of their service.

For more information, check out: Process.st


An ecommerce platform that enables entrepreneurs and marketers to focus on growing their business. It allows you to use drag and drop to build your website, build your payment system and also collect data in a GDPR compliant manner. They have a dedicated page with a checklist for their GDPR efforts as well. Our favourite part about their checklist is the transparency that they show. Take a look at this pointer:

“Thoroughly test all of the changes to verify & validate compliance with GDPR – IN PROGRESS – ETA 8th June 2018”

Not only are they making efforts to be compliant, they even have a goal set for the time that they want to reach it in. #lifegoals

For more information, check out: Subbly


This Bulgarian company provides a Google Mail tool for task management making project management tools necessary for your business. You can do it all from your Google mailbox.

Their GDPR compliant Privacy Policy is structured by their apps and services. They have divided it into what each of their different applications collect and do with the data. For instance, their Android mobile app, their extension, their default settings. They concisely mention all the relevant and important information.

For more information, check out: Yanado

In this article, we have on our own picked 25 different tools that have taken measures to be GDPR compliant software. We have not reached out to these companies because we wanted to be unbiased in our evaluation of their GDPR efforts. Of course, there is no guarantee what they actually do in practice but if their privacy policies and information about the GDPR to its users is any indication, our guess is that they really do care about their customers data. So if you are looking for Sales and Marketing or Productivity related tools, just click on the link in the article and buy them! We recommend using one of these tools instead of one that might or might not be GDPR compliant.

Disclaimer: We do not claim that these are a 100% GDPR compliant software. We have not done an internal audit. We researched 100 SaaS Startups. The information on their website is the only information we used to assess their GDPR compliance.

And if you need to do any GDPR related documentation for your company, sign up now! It takes less than a minute.

GDPR Regulation

GDPR Regulation - What Are the Long Term Implications?

GDPR Regulation Long-Term Implications

The General Data Protection Regulation (GDPR) was created on 14 April 2016 but the new regulations were enforced starting 25 May 2018. So far, the new laws and regulations focus on protecting personal data, yet the long-term impact i.e. GDPR Regulation Implication is still relatively unknown.

However, it provides more control to the users over their data, potentially create a different digital infrastructure and new businesses will be established following its introduction.

In this article, I’ll shortly introduce the GDPR regulation, why the European Union wanted such regulations and the long-term implications for businesses as well as the long-term implications for EU citizens, once all the dust has settled around its introduction.

Let’s get started.

What Is the GDPR?

The European Parliament’s intentions by introducing the GDPR is to enhance the privacy protection of European citizens by making sure the people and businesses that handle personal data do so in a proper and secure way.

The GDPR is a regulation enacted by European countries and it therefore, applies to any data subject who is residing in the European Union, but it doesn’t stop there. Any cross-border and internationally operating company that processes data of EU residents are obliged to comply with the new GDPR regulations. For example, Facebook, Google, Twitter and Aliexpress are included but also a digital marketing firm in the U.S. handling social campaigns targeting German customers.


Why was the GDPR Introduced?

This GDPR was introduced as most businesses failed to protect data properly and personal data was abused by companies without the customer even having the slightest idea about it.

Something similar occurred during the 2006, 2007 and 2008 financial crisis attributed to the banks. The banks also “promised” to self-regulate, the banks didn’t need any third-party influence or regulations, they could do the regulations alone – not.

Europe is experienced and saw banks fail to self-regulate. Internet companies are now in the same position roughly 10 years later. The amount of legal jibber-jabber in privacy and terms of service statements on websites was the norm. It was specifically designed so that only a person with a legal background could make something of it. It was so vague that any legal action against the website owner could be avoided.

Thus, the EU decided that companies needed the GDPR in order to comply with a certain set of laws and regulations as they wouldn’t do this by themselves. The fines for not following the GDPR regulations are pretty serious too.

There are two different levels: lower level and upper level. GDPR EUs website stated the following in regards to the fines:

Lower level

Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.

Upper level

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher,

To put that into perspective, Facebook generated an annual revenue of 40.653 billion USD. So, in any case of infringement, Facebook would receive a 1.63 billion USD in fine.


Businesses Shift Focus

An important aspect of the long-term implications of the GDPR regulation is to emphasize on the outcome of the legislation.

Simply put, the focus will most likely shifting in the direction of giving the internet-users more power and control over their own data. And in return, individuals and businesses must in fact improve their privacy statements, compliance and governance procedures and terms of service.

Many companies have already made the required changes to their privacy and terms of service statements, which many of us received emails about – yet editing some statements is just the beginning.

This means that new companies will also rise from the implementation of the GDPR regulation in order to help customer to select a service or product tailored to their specific privacy needs. I’m talking about services such as an internet explorer or a phone contract that doesn’t only depend on quality, speed or price but also your privacy values.


Online Advertising Market

Online advertising will definitely change in the future, especially if the GDPR regulation model is adopted by more countries – the U.S. could have a huge impact.

Currently, the major players in the advertising field like Facebook, Instagram and Google Adwords are dependent on data sharing of their users, tracking cookies, shadow profiles and other tracking techniques that create profiles of each user. These profiles are then used to offer the most relevant ads to the customer.

However, that model might need innovations and improvements once people start to block tracking cookies. At this point, Facebook is still creating shadow profiles of people who don’t even have Facebook, but this might change in the future. Also, people could disable companies to use their data to target relevant ads.


ePrivacy in GDPRs Footsteps

Shortly after the enforcement of the GDPR regulation, the European Union started working on a new set of regulations called ePrivacy. But what is ePrivacy exactly?

AtInternet defines the new ePrivacy regulation as follows:

“The proposed Regulation on Privacy and Electronic Communications, also known as the ePrivacy regulation, is a proposal from the EU Commission designed to strengthen the protection of EU citizens’ private lives, and create new opportunities for business.”

The regulation will follow closely after the GDPR regulation and will regulate electronic communications, non-personal data (cookies law) and it has different legal precedents. The regulations will mostly battle against browser cookies, their function and controls – from websites to the browser.

The ePrivacy regulations aren’t enacted yet, however, it’s expected to be introduced rather sooner than later. As this is only the first set of new regulations to follow the GDPR, I won’t be surprised if more regulations follow. And, especially if other countries follow Europe’s example of designing new privacy laws because most countries have extremely outdated online privacy laws and regulations.


Privacy Groups Exploit GDPR

As briefly mentioned before, new businesses will establish themselves following the introduction of the GDPR regulation. The new legislation also provides the ability to file class-action complaints, which is a rather uncommon style of filing complaints in Europe. These type of court filings are mainly common in the U.S.

Simply put, people or groups can join forces and file data privacy complaints as a group rather than as an individual. I expect companies to establish themselves as mediators for these groups and they’ll carry the legal workload for a certain percentage of the fine.

For example, take a look at flight compensation businesses like AirHelp. As stated on AirHelp website:

“Flight delays happen, but that doesn’t mean you have to accept them. You may be entitled to as much as $700 in compensation if your flight has been delayed, canceled or overbooked within the last three years.” 

99% of the people won’t be able to or don’t have time to file a case against an airline to receive compensation. But it’s incredibly easy through a company like AirHelp, where you input the flight details, your story and it’s processed through already established funnels to get your money back. It’s almost like an automated machine.


Who Might Get Caught: Enforcing Legislation

Facebook has been on the news relatively often in the wake of the GDPR regulation and especially Mark Zuckerberg’s performance in front of the U.S. Congress and European Parliament, which was, well… interesting. Many people might consider Facebook as one of the first to receive a huge fine by the GDPR regulators. I believe this to be incorrect.

Facebook has “limitless” resources for legal teams and other experts who can help the company to comply with all the new rules and regulations. Therefore, I think the first companies to be fined are small U.S. webshops, cloud tools, advertising application vendors and so on.

These businesses handle, store and use a lot of EU citizens’ personal data to either run their business or optimize their business models. Due to the large quantity of EU data involved and potentially little budgets to follow the new regulations, the first victims may fall in this industry.

It’s going to be interesting how companies are going to be fined, how quickly, how many and how often in the future. It’s yet to be seen how many regulators are going to go after businesses that fail to comply.


My Final Thoughts

At the of the day, it’s a bit too soon to tell what’s really going to happen in the future. It might not really provide a satisfying answer to the very core of this article, however, it’s simply too hard to predict right now and it’s mostly speculation.

There are also a lot of other factors at play that may or may not have a huge impact on the further development of the GDPR regulation, and potentially other regulations by the European Union as well as other countries.

Personally, I’m especially interested to see whether the U.S. government is going to take any actions in regards to U.S. data privacy and data protection. If so, what regulations might be introduced? Also, it’s hard to tell whether the new regulations are going to strengthen the tech-giants or weaken them.

It’ll largely depend on how strictly EU regulators enforce the new regulations and whether they’ll get bigger budgets in the future.

Yet, are people prepared to trade their online privacy for convenience, and if so, up to what point? Only time will tell.

Pixel Privacy

Bill here from PixelPrivacy.com. My blog is all about making the world of online security accessible to everyone. I pride myself in writing guides that I’m certain even my own mom could read! Be sure to head over to my blog if you’re interested in keeping your private information just that: Private!

GDPR Checklist

The Most Comprehensive EU GDPR Checklist

GDPR ChecklistThis GDPR checklist has been crafted in according to the GDPR compliance. Moreover, this is the only GDPR checklist you will ever need.

Before going through the GDPR checklist, it is important to repeat some basic steps. The first starting point is to know about the general rights that your customers/users will have:

Data subject rights: these are rights of your customers and users under the General Data Protection Regulation (GDPR).

Data portability: the right of an individual under the GDPR to transfer their data to other data controllers. Essentially, this means that consumers can move from one company to another through quick and efficient data transfer

The right to be forgotten: customers/users can ask you to delete all their data

The right to prevent profiling: this can be through automated decision-making or through other forms of decision-making, that processes personal data of an individual and reaches conclusions about that individuals.

The right to object to processing: your customers can restrict you from processing any category of their data that you have.

The right to rectification and erasure: this refers to editing data and restricting access to certain types of data.

Subject access requests (“SARs”): these are requests that your customer/user can make at any point in time asking you for data that you have on them and how it is used.

Reiterating the Basic GDPR steps

First, take stock of all the data that you are collecting and processing. If you are a controller, ask yourself why you are collecting this data as a guiding principle. If you are a processor, ask yourself: on whose behalf are you collecting this data. This is the most crucial part of our GDPR checklist.

  1. Appoint a DPO:

A Data Protection Officer can be internal or external to your company. If you appoint someone internally, make sure they have autonomy as well as access to the Managing Directors and upper management. This is primarily so that they can carry out their data protection duties and responsibilities independently without undue stress and blockades. Once this is done, sign an agreement with the relevant person. One prerequisite for assigning a Data Protection Officer, according to the legislation, is that it should be someone with a reasonable capacity for the job. That means your DPO should have a comprehensive understanding of the General Data Protection Regulation (GDPR).


It is necessary that you appoint a Data Protection Officer DPO:

1.1. If your organization’s core business includes processing massive amounts of personal data as well as monitoring your users or as is known in GDPR lingo: Data Subjects. Personal data is the following types of data:

  • Data that allows for direct identification of information such as a person’s name, surname, phone numbers among others.
  • Pseudonymous data or data that non-directly identifies the information of a Data Subject: which does not allow the direct identification of users but allows the singling out of individual behaviors for example through targeted advertising:  to serve the right ad to the right user at the right moment.

1.2. When your organization deals with a large amount of sensitive data that is one of the following data:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or a natural person’s sex life and/or sexual orientation

2. Data-mapping:

The second most important part of the GDPR checklist is to make a map of all the data and specify all the departments that touch the data in its collection and processing. The data that is being used needs to be categorized for its legal basis to become clear. The legal basis could be consent, legitimate interest and contractual necessity among others.

To assess where data is traveling through you need to create a mind-map for it to help guide your processes of compliance.

3. You should make sure to document all aspects of your company’s interactions with data. Here are the questions you should be able to answer:

Why was the data gathered in the first place? What is its purpose?

Upon what legal basis are you justifying holding that data? Consent or legal requirements?

3.1. Record of Processing Activities will be under this step.

Think of all the steps in your mind-mapping process. Who has access to the data at each step? Through documenting your processes, you will have a much clearer and a better understanding of your own company’s data collection and management strategies as well as what the compliance process entails for you. One definite piece of documentation that you need to do is a data protection impact assessment (DPIA).

3.2. Vendor Management

How are you protecting that data from breaches? What else is that data being used for? Make sure you have listed all your vendors and your customers/users know that you are sharing their data with other parties.

4. Data Breaches

Be honest and transparent about any data you collect. In the case of a breach, people will disclose any data they gather. Your customers need to be aware of what data you’re storing. Here you can read more about how modern businesses need to think about data: https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust

Security breaches that target the data that your company collects and processes can take place and need to be dealt with along the guidelines provided by the GDPR. The crucial point under the GDPR is to inform your user/customers of the breach. Given the importance the EU has placed on personal data, this does not come as a surprise that the relevant stakeholders be made aware when their data has been touched by, no matter how briefly, by other parties that did not have authorization through consent. In such a case, the relevant Data Protection Regulatory body must be informed within 72 hours of knowing about it at the latest.

The same time limit applies to the data subjects whose data you collect and use. The company must contact all individuals and make them aware that their data has been breached. However, companies do not need to have this measure or practice in place: if the data has been encrypted to the point of being incomprehensible or if the data controller has taken the necessary steps to make sure the breach doesn’t put rights or freedoms at risk. If it would take an unprecedented effort to contact every Data Subject individually then a public announcement would also fulfill this requirement.

5. Data Subject Access Requests:

This is the crucial part of the GDPR checklist since it was not available in previous data protection laws. This is one of the basic rights that the GDPR sets out for consumers. This essentially means that data subjects can at any point ask you about what data has been collected by your organization. These access requests cannot be charged for even if it takes a lot of time for you to deal with them. Moreover, they need to be responded to by the data controller within a month. The legislation also sets out the general principle for when a Data Controller can charge the subject for relevant administrative costs if it can be demonstrated that the request is “manifestly unfounded or excessive”. This way, it balances out the individual rights and the company’s rights as well to receive some protection against abuses of this provision. Here is a basic summary of this article as outlined in the GDPR:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

6. Technical Checklist
As part of GDPR checklist, this checklist will guide you through the technical steps that your organization needs to take.

6.1. Make sure your domain names are secured. You can do this by either renewing them regularly or if you buy them from a third party then you need to make sure that the configured name server that is authoritative is your own and make sure your critical services are secured.

6.2. A lot of companies have Google Apps, Slack, Wordpress that they use in their daily business lives. These services all have default settings that should be improved to increase the security level of your organisation. You also need to ensure that all your services and apps are updated so that new security settings, as well as GDPR compliant settings, are implemented. Here’s one source you can look at for inspiration on making your Google apps more secure: https://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/

6.3. As tempting as it might be: Do not share Wifi
Shared workplaces are quite a norm these days which consequently means sharing Wifi networks among companies, guests, students or neighbours may open you up to risks of security breaches, for example, people could gather information that is on your network, and might even allow people to access resources protected by source IP. Make it a habit to change your password periodically.

6.4. Develop and communicate a security breach incident response plan

This will allow whoever is in charge at the time of a breach to communicate accordingly about an incident and will allow the fastest response in technical / communication terms.

6.5. Incentivize finding bugs
You could potentially have an external or internal bug bounty program that will incentivize external hackers as well as internal employees to report vulnerabilities. Once reported these vulnerabilities need to be checked by developers or other inside your development teams with the know how to evaluate any reports you receive

6.6. Educate your Technical and Non-technical employees

Quite often your employees and human capital will be the ones who might make you more vulnerable which is why it is imperative that you make sure they are aware of how hackers or other parties can infiltrate your company. By increasing their level of awareness, you are reducing the risk of them falling into a trap. Usually, companies forget to train their non-technical employees. However, they might be the ones you would want to train even more carefully since they lack the expertise to recognize and deal with such cyber-attacks and vulnerabilities.

6.7. Include using 2-factor authentication in your employee handbook as a rule

This would ensure that all accounts of your employees are safe and in case their password gets stolen, the attacker still cannot have access to their accounts and your company’s information in these accounts. As a CEO/CTO/CSO, your role is to make sure everyone complies with this rule. Using a complex and unique password for every website is great advice, but it can be very difficult to recall passwords

Password managers are a great way to manage these since they will remember everything for you with a master password.

6.8. Encrypt the devices

By encrypting company laptops and phones, you protect your company’s assets. Before doing this, you might want to take stock of all your company assets and perhaps segment the employees into categories of security levels needed in line with their jobs.
Here are some sources you can read on for encryption related procedures: https://support.apple.com/en-us/HT204837

6.9. Encourage best practices like “locking” devices and strengthening passwords
Whether employees are leaving the desk for a minute or an hour, encourage them to lock their devices and make it a habit. This would protect your company assets from attacks as well as random accidents. Remember your work environment might be secured but at one point or another, you will have external guests or candidates for interviews who could potentially have access to your data sometimes even by a quick glimpse of a screen. Moreover, when your employees are traveling or go to meet-ups, this habit would help them keep company information secure. You can research password managers, pick a good one and suggest it to your employees.

HR Checklist 

This HR checklist is mostly part organizational measure and part technical measure under our GDPR checklist.

  1. Create a data log: consider what data of your employees you process and create a log as part of your Record of Processing Activities (RPA). As is stated previously you need to specify the following to document the data to be compliant:
  • the type of data (e.g. personal, or special personal (which used to be called sensitive))
  • The categories of data (e.g. recruitment information, bank details, performance information, absence details)
  • Who the data concerns (e.g. employees, next of kin, applicants for jobs etc.)
  • Who has provided the data to you (e.g. the applicant/employee themselves, credit reference agencies, recruitment agencies or other employees)
  • Specify your legal basis to process (e.g. to perform the employment contract, complying with a legal requirement or legitimate interests or other. Consent as a legal basis when it comes to HR related tasks will rarely apply. Think of the legal requirements that you need to fulfill as a legal basis to justify collection and processing (for e.g. complying with employment law or assessing the working capacity of an employee).
  • The purpose of processing (e.g. to pay the employee, for tax reporting purposes, to manage performance)
  • Where and how the data will be stored and who will have access to it for e.g. HR software, tax consultant, printed payslip files
  1. Data transfers: update your vendor list and log it separately. You should also include any events of data being transferred, including who data was transferred to, when it was transferred, where they are storing it, and how you transferred the data. If you are transferring any personal data outside of the European Union (EU) you need to specify what protections are in place and also sign the relevant Data Protection Agreement with your partners.
  2. Specify when exactly data will be deleted: here you can segment your Data Subjects into employees, applicants or any other categories that make sense for your case. For instance, for a job applicant, you could make it a part of the policy to delete the data periodically of rejected employees every month/quarter. However, you need to be able to justify this time period.
  3. Do you carry out any automatic decision making or profiling for e.g. electronic recruitment sifting based on academic achievements, psychometric testing or other metrics? Add it to your RPA
  4. Do you need to carry out a data protection impact assessment and when you are likely to need to do so in the future (e.g. due to the fact that you carry out or will carry out high-risk processing or will be introducing new HR technology)
  5. Check your IT infrastructure allows you to be compliant Your IT infrastructure will be highly relevant to two main themes in terms of GDPR compliance – security and employees’ rights. Security issues:
  6. Consider Employee rights: Do your automated decision-making processes allow you to deal with objections and involve a human decision maker if requested?
  7. How will you respond to Data Subject Access Requests: Can you easily search for all data relating to a particular individual? This will make responding to subject access requests from your employees or prospective employees much easier. Can your employees restrict the processing of their data? Or correct errors?
  8.  What processes do you have for an employee to exercise their right of objection? Do you have the responsibility assigned to a relevant person?
  9. How will you achieve the deletion of personal data, across the business, at an employee’s request in relevant situations?
  10. Is exporting data from your system possible? .csv, .pdf, or .txt files are commonly accepted formats. This will allow you to manage the portability or in layman terms, it would allow you to transfer the data to the employee or to a future/former employer at their request.
  11. Update your data protection policies and employment contracts: Once you have made all the necessary changes it is imperative that you also inform all your employees and other stakeholders when necessary.
  • Privacy notice to staff
  • Data protection policy
  • Data breach reporting policy
  • Subject access policy
  • Data retention policy
  1. Ensure staff has the correct training Make sure all your employees receive an adequate level of training for handling personal data, specific to their job role. They must be informed of the correct policies and procedures. Training needs to be refreshed on a regular basis and you need to keep records of the training provided.
  2. Assess and take necessary measures with all your partners that in some way touch your data.

Sales & Marketing Activities related to the GDPR Checklist

This must be new and the toughest part of the GDPR checklist, since it is takes time.

1. Check and audit your mailing lists. Basically, you need to remove anyone from whom you do not have an opt-in and or have not recorded this opt-in. For new subscribers, make sure that the potential subscriber confirms that they want to join your mailing list by sending an automated email to confirm the subscription.

2. Review the way you are collecting personal data. Are you still buying mailing lists? If so, now might be the time to start fresh with a new mailing list which you have obtained from informed customers and have a legal basis for collecting their e-mail addresses. Delete all e-mails that you haven’t obtained with the proper consent or legal basis. Some ways to still acquire users or convert visitors from your website can be done by offering visitors to your website the opportunity to add themselves to your mailing list using a pop-up on your website.

3. When taking consent to make sure you provide a link to your privacy policy to ensure compliance that tells people exactly what you will do with the data.

4. Educate your Sales and Marketing Teams about what is legally possible and the practices that they need to drop for instance: cold emailing/cold calling (where the e-mail address and/or phone number has not been taken through proper consent).

5. Make sure your customer data is part of your Customer Relationship Management (CRM) system. This will help you with allowing users to edit their data, review how exactly it is being used and accessing it in a machine-readable format.

6. Collect data that is necessary for your sales or marketing effort. Ask yourself, which categories of data do you actually need, and which ones can you simply delete. When it comes to signing up forms, only ask for elements you need and will use.

7. If you do not already have it, try out push notifications. Marketers can use push notifications to send a message to subscribers at any time. They are especially helpful in the post GDPR world because they do not process personal data (IP addresses are anonymized) and ask for explicit consent to opt-in and receive notifications.

8. Make sure Privacy statement is updated, easy to read (not a 1000 pages long and without any lingo).

GDPR Checklist for Data Protection Impact Assessment for Projects

According to the GDPR, when an organization is undertaking a new project that has considerable risks when it comes to the freedoms and rights of individuals, in particular, pertaining to data protection. When organisations identify such a risk with a new or existing operation, these are the following steps suggested:

1. Figure out if there’s a need for the DPIA  – conduct an assessment and determine whether the inherent risks of the processing operation require you to undertake a DPIA. In general, these are some high-risk activities that you would probably need to conduct a DPIA for:

Large-scale processing of location data relating to individuals

  • General big data analytics
  • Large-scale processing of HR data with potential for significant effects on employees
  • Video/audio analysis tools
  • Creating large-scale individual profiles
    Analytics with significant effects for individuals
  • Reward programs that generate profiles
  • Fitness wearables and apps

2. Understand and describe the flow of information – create a map of how the information within the particular processing operation is collected, stored, used and deleted.

3. Identify all the risks – document the threats, their scope, vulnerabilities and the possible pertaining threats to the rights and freedoms of individuals whose data you collect and/or process.

4. Assess your privacy solutions – for every risk that you have identified to the personal data, do a cost-benefit analysis and decide on whether you want to accept the risk, reject the risk or accept it but with measures in place to reduce the impact of the threat.

5. Document the DPIA results – Create a report that is signed by the decision-maker. However, where there has been a high risk identified the DPIA report must be submitted to the regulatory data protection authority for consultation.

6. Incorporate the results into your project plan – make sure at every important project milestone that you refer back to your DPIA to ensure that when actions are needed to counter a risk they are actually taken.

Hope you found this comprehensive GDPR checklist useful. As a general principle, you should remember that any obscure collection and processing of data should be questioned. Educating your employees will always prove to be helpful in staying compliant with the GDPR. Is there something you find missing in this GDPR checklist? Work together with us on this checklist!


Image Credit: Pixabay mohamed_hassan-5229782/

A Beginner's Guide To School Data Protection Policy

As an educational institution, you will have unique stakeholders who will be impacted by the General Data Protection Regulation (GDPR). The School Data Protection Policy guide will take you, step by step through the necessary actions you need to think about and conceptualise your compliance around.

Who will be impacted by this Data Collection?

The first step is for you to understand, as with any Organisation taking their first steps to comply, how data travels in your Organisation and who is it touched by through this process. The questions to think about here are the following:

Whose data are you collecting?

This for a typical school would include contracts of your teachers, teaching assistants, administrative staff, Principals and Vice Principals but also of caretakers and students. This will all be categorised as Personal information. This would also include any digital or other pseudonyms that a person can be identified with.

These are the types of data you must map:

Personally-Identifiable Information

Any data that can help identify an individual. It is also examples of personal data include name, location, personal identification number, the colour of your hair, the list of customers (parents, students) names and their addresses, IT usage data, traffic data, information about education, income and license plate.

Sensitive personal data

Like personal data because its main purpose is to help identify an individual, but more dangerous if breached or vulnerable to privacy. Examples of sensitive personal data include religious beliefs, race, political opinions, sexual orientation, physical and mental health conditions, biometric data or genetic data.

Biometric data

Any data that is used to identify a human being by his/her unique characteristics. Digital fingerprints are one example of biometric data. The GDPR states that the processing of such data is prohibited unless the data subject (user/consumer) has provided the consent and the processing is necessary for specific reasons such as protecting the vital interests of the individual.

Updating the parents

As a school, you will naturally have a lot of students who will be too young to give you qualified consent. This essentially means that you have to inform the parents about all your data processing activities and obtain consent from them.

As providers of childcare as well as providers of education, it is important for you to create an atmosphere of trust and build up your reliability among parents pertaining to Data Protection. Steps to ensure that the parents and their families’ data is being adequately protected will reduce the subject access requests later.

Below are the important points you need to mention in your letter to the parents. Make sure you customize it to your need that is if you are a kindergarten, you will have different data collection and processing methods than if you are only a high school.

You should start off with a brief description of what The General Data Protection Regulation (GDPR), is. In this part, you should also inform the parents of their rights:

The rights of the data subject (individual):

  • information about the processing of your personal data;
  • obtain access to the personal data held about you;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of your personal data for marketing purposes or on grounds relating to your situation;
  • request the restriction of the processing of your personal data in specific cases;
  • receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  • request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right, in this case, to express your point of view and to contest the decision. (EU GDPR, 2018)

Access for Parents

How they can access your privacy notice and data protection policy (this could include a link to your website). How you are complying with the new regulations:

  • what data you are storing
  • how you are storing it
  • how you are sharing it and with whom
  • how long it is retained for
  • how it is destroyed and when

Ideally, you should inform them who they need to contact (Ideally your Data Protection Officer) regarding any questions they may have on data protection or to request access to information.

A link to your Data Protection Authority website so parents can learn more about GDPR if they are interested.

You could also ask parents to review the information that you are storing on them/their child and to confirm if it is still current or make amendments as appropriate. Or to revisit consent for use of photographs of their child.

You may use this communication as an opportunity to ask parents to sign a new contract with your organisation that includes new data protection wording compliant with the GDPR

Using Online Tools in Schools under The GDPR
Check source here.

The GDPR and Data Protection Act 2018 says that only children aged 13 and above are able to provide their own consent for commercial internet services to process their personal data.

Online service is the only context in which the GDPR and DPA 2018 define the age at which children can provide consent.

A Child’s Consent Under the GDPR

Conditions applicable to child’s consent in relation to information society services

  1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

  1. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Services provided ‘directly to a child’

This rule applies specifically to services which are considered to be provided “directly” to children, and where consent is the lawful basis for processing the child’s personal data.

“Directly to a child” means that a child can access the service independently – for example, via an app store. This is irrespective of whether the child signs up independently or whether the service is provided to them under a contract between the service and their school (or another organisation).

These services are referred to as “information society services” in the regulations, and include social media, educational apps and online platforms.

The rule described above is primarily directed at providers of such services. Typically, a child signs up and submits their personal data directly, so the provider needs a lawful basis to process this data.

Prerequisites for your Organisation’s Compliance

Document all personal data your Organisation holds

GDPR requires you to maintain records of processing activities. If you want a detailed guide on how to do this, read our blog on it.

Your organization must document all the data that it holds, where it came from and how it uses that data if it somehow refers to an identifiable person. Furthermore, your organization must be able to submit up-to-date reports, so-called records of processing activities (RPA), to the competent data protection authority at all times.

The development of the records of processing activities is also a key step because it enables the Organisation to evaluate the whole process and understand where corrective measures have to be taken. Without such a record, no compliance to any further requirement of GDPR can ever be achieved!

Checking if your data processing adheres to the individual rights

Now that you have sorted your data, you have to legally review all procedures concerning personal data. Are they compliant to GDPR or not? The answer is complex and usually work of a lawyer. Generally, you must keep in mind that processing activities concerning personal related data might affect the rights of the individuals. Those processing activities therefore always have to be justified.

Requests for subject access

Your organisation should update the procedures and must plan how you will handle subject access requests to take account of the new rules. In most cases, you will not be able to charge for complying with a request.

You will have a month to comply, rather than the current 40 days.

You can refuse or charge for requests that are excessive, but you will need to provide the requests with a machine-readable format of their data. If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.

Data Protection Officer (DPO)

Probably your organisation has to appoint a DPO to take responsibility for the regulatory compliance.

This DPO will report to the highest position in the firm and has to make sure the Organisation will take the needed measures to have its processes and information flow according to the GDPR. Some special aspects regard to the mandatory need of a DPO apply, however, it is a good idea to have a specialized role within the organization.

Another option is a virtual DPO, that can help your Organisation be GDPR compliant. The best part is that it costs much less and reduces Organisation man-hours involved by 75%!

Data Protection Impact Assessment and Protection by Default and Design

Your Organisation has to evaluate deeply the type of processing activities it will require for each data it collects to analyze the risks it may cause to the data subject. Every software used, activity performed and measure taken must have protection by design. It ensures that there will be no breaches and no vulnerability regarding the security of this data and no harm to the rights of the data subject.

If the processing activities or the data is susceptible to high risks, an impact assessment must be performed to evaluate the right measures to be taken to minimize this risk. Important aspects to grant this security are pseudonymizing, minimization of the data, ensuring the erasure of data according to the consent deadlines, and granting access to the data subject.

Data breaches and notifications

Your Organisation must adopt internal procedures and require the same to third-party partners, in order to deal with data breaches.

Those procedures should include identification of the actual data breach, investigation of the circumstances of the breach, and assessment of the implications it may cause both to the Organisation and to the data subject regarding his privacy.

One thing to remember is that the information should be notified to the Supervisory Authority in no more than 72 hours when the data subjects are exposed to some kind of risk, and in those cases, the data subject also have to be notified.

Applying the rule in a school setting

The rule becomes more complicated to apply in a school setting if you’re using this type of service because consent will be between the child/parents and the service provider. So, if consent is refused, you won’t be able to use the service with those children.

Steps to take before you use any online service with pupils

  1. Determine whether pupils’ use of the service is necessary for educational purposes (see below). This will inform what lawful basis you can use if the school itself will be processing any personal data, and the measures you put in place to protect pupils’ data
  2. Conduct a data protection impact assessment to identify and minimize the data protection risks and determine whether you should proceed
  3. Look into the service provider to establish, to the best of your ability, whether it complies with data protection regulations.

What counts as necessary for educational purposes?

It’s up to you to determine this in your own context, but Forbes suggested that, typically, a service will be considered necessary where the nature of it will require the school and service provider to share pupils’ personal data between them.

For example, an online platform that supports or enables standardised assessments and decision-making will help to achieve learning objectives and is likely to need to receive personal data from the school and send personal data back in return – such as pupils’ scores. This may be considered necessary for educational purposes. Similar principles are likely to apply to a homework portal.

However, if you want to use a social media platform to research photos in class, this may be considered more of a ‘convenience’, with a higher risk to children’s privacy if you do not have a data sharing agreement in place with the provider. There may also be alternative approaches available with less risk to children’s privacy. This would be harder to justify as necessary for educational purposes.

Identifying a lawful basis

If pupils’ use of the service will require the school to process any personal data – i.e. if you need to collect and share data with the service provider, or will receive data back from the provider – you’ll need to identify a lawful basis for this.

If you can demonstrate that the service is necessary, then it’s most likely that you’ll need to justify this processing under the public task basis. Otherwise you’ll have to rely on consent if using the service isn’t necessary for educational purposes.

If the school will not need to process any personal data in order for pupils to use the service – i.e. if pupils will sign up independently and the school will not receive any data from the provider – then you’re not acting as a data controller and will not need to identify a lawful basis. However, this carries more risk and, as we explain later, you must not require pupils to use an online service where this is the case.

If the outcome of the data protection impact assessment is that you can proceed, take the steps below. If not, consider alternative ways to achieve the same aim with less risk to children’s data privacy.

Additional actions if the service is necessary for educational purposes

Note: this will be the safest option for you, and most likely the only justifiable one if you require pupils to use the online service.

Where you have determined and can demonstrate that using the online service is necessary for the education of a child, and justifiable under the public task basis, you should:

  • Enter into an agreement/contract with the service provider. This means you’ll retain control of the personal data and therefore minimize any data protection risks. Make sure your contract covers the terms and information about data protection required by the GDPR
  • Share only the personal data that the provider needs to perform the services
  • Incorporate information about your use of the service and the personal data you exchange with the provider in relevant privacy notices. You can also link to any privacy information from the provider

Additional actions if the service is not necessary for educational purposes

In this situation, you cannot require pupils to sign up for the service.

Where you’ll need to process personal data in order to use the service

You’ll need to rely on consent as your lawful basis if you’ll need to collect and share any personal data with the service provider, and/or receive personal data back when pupils are using the service.

Pupils or their parents/carers must be able to give or refuse consent freely.

You must:

  • Request consent, ensuring that your request meets the requirements of the GDPR, before using the service with the pupil.
  • Provide a privacy notice explaining what the programme or service does, why and how the school uses it, what data it will require from pupils, and what rights pupils have. You can do this by incorporating information on sharing data with third parties in your privacy notices, and by linking to privacy notices for the services you use in an appropriate place

You should also put in place a written data sharing agreement with the provider.

Where the exchange of personal data will only be between the pupil and the provider

In situations where a pupil will be signing up directly with the service, and no personal data will be exchanged between the school and the provider, the issue of consent and providing relevant privacy information will be between the provider and the pupil.

There will be no useful reason for you to obtain pupil or parental consent for this, as you’ll not be processing any personal data in relation to the pupils’ use of the service.

As stated above, you will not be able to require pupils to use services in this case.

If the purpose of using a service where the exchange of personal data will be between the pupil and the provider is to support the delivery of the curriculum, you should seek safer alternatives. For example, using social media such as Instagram and Pinterest in school to research, and share, images is difficult to regulate and monitor. In this instance, the curriculum could be delivered using other resources such as search engines for researching images and secure cloud storage to enable students to upload and share images.

If you decide to use social media platforms, you should ensure that parents are fully informed as to how it will be used and the potential risks associated with its use. Mark suggested that you seek parental consent in this instance due to the potential safeguarding risks. As explained above, parental consent will not be needed for the processing of personal data.

As a school, your responsibility lies towards your students which would usually mean getting parents on board. This law is essentially empowering for both organizations and consumers. It allows for you to garner trust among parents as well as build an organization based on the principles of Data Protection.


If you have any questions or concerns as a school about the GDPR, book a time with us.