We Converted 50% More Leads with Cold Calling After GDPR [Case Study]


Nightmare, you’re thinking, right? You wouldn’t be alone in that assumption: more and more people are asking us for help, and we’ve seen hundreds of thousands scour the web for GDPR-related information such as how to stay compliant, how to establish a GDPR legitimate interest and how the legislation affects cold calling.

Still thinking nightmare? You probably are, and that’s fair enough.

But we are here to help. We’ve compiled our thoughts, advice and how-tos on establishing a GDPR legitimate interest, cold calling while staying legal, and background on the new regulation.

Let’s jump right in!

So, as I’m sure you know, GDPR has been on the tip of every business’s tongue in the past year, regardless of company size, with hundreds of GDPR consultants, advisors, software solutions and auditors starting up all around Europe, all aiming to help achieve compliance with the regulation that became enforceable on 25 May 2018. Let’s take a look at what GDPR actually is, the fines for non-compliance and how it is affecting the worldwide business environment, including its influence on cold calls and on establishing a GDPR legitimate interest for outbound marketing and sales.

So What is GDPR?

The General Data Protection Regulation (EU) 2016/679, commonly abbreviated as GDPR, is the set of rules governing the collection, handling and processing of personal data: names and addresses, IP addresses, banking details and any other information that can be used to identify a living individual (roughly what US practice calls personally identifiable information, PII). It also gives individuals in the EU more control over the data companies hold on them, including the right to access that data and to request its erasure should they wish to be forgotten.

The GDPR replaces the Data Protection Directive 95/46/EC and the national laws that implemented it (the UK’s Data Protection Act 1998, for example). It applies as a single regulation to businesses located inside the European Union, but it also binds companies outside Europe that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3(2)); citizenship is irrelevant, what matters is where the data subject is. Safe to say, it is not something that can be easily avoided.

The regulation had been in the design process for a long time, with the aim of covering all the scenarios businesses might face so as to avoid ambiguity or exploitation of grey areas (although many argue the GDPR is still widely open to interpretation).

The GDPR also takes a much tougher stance on how companies handle personal data. For marketers, the practical effect is that mass marketing, automated cold calling and spam to individuals and businesses need a lawful basis, which in the absence of consent usually means a documented legitimate interest. Note that telephone and electronic direct marketing is additionally governed by the national rules implementing the ePrivacy Directive (2002/58/EC), which sit alongside the GDPR.

Previously, data protection legislation across Europe was broad and differed from member state to member state, which made compliance auditing confusing both internally and for external auditors. The GDPR is designed to harmonise data protection legislation across all EU countries, resulting, in theory, in a much more sustainable and straightforward road to compliance and to the protection of EU residents’ data.

Meanwhile, the potential fines for non-compliance, previously little more than a speeding ticket for corporations the size of Facebook or Google, have been greatly increased to remove the incentive for large companies to treat the rules as a cost of doing business. Fines can now be scaled to the company’s revenue so that the penalty is proportional to its wealth.

How big are the fines?

The new levels of fines have garnered a lot of media attention and will worry the big Fortune 500 companies: they can no longer get away with gross data protection breaches with a cheap get-out-of-jail-free card. With the maximum GDPR fine running at 20 million euros or 4% of the company’s total worldwide annual turnover (whichever is greater), falling foul of the GDPR requirements can be a significant loss.

These are of course proportional to the seriousness of the infringement, and the GDPR allows the supervisory authorities in each EU member state to make a judgement call and impose less severe measures such as reprimands, warnings or smaller fines. Still, most companies should be (and are) endeavouring to ensure compliance. For the lower tier of infringements (for example, failures of the controller’s and processor’s obligations under Articles 25 to 39), the maximum is 10 million euros or 2% of annual turnover; these are breaches that are less critical but should still have been prevented.

How is it affecting the world of business and cold calling?

There has been much controversy and many questions about how the GDPR will affect traditional sales and marketing efforts such as cold calling. If you found this article to discover how it will affect you, be reassured: cold calling is not dead, and the GDPR will not affect B2B efforts to the extreme extent you are imagining. There are, however, some suggested methods of GDPR cold calling you may not have previously employed which will help you stay on the right side of the law, and we’ll investigate those below. Just a heads up: we are a GDPR documentation, auditing and service provider, and selling to privacy professionals is no mean feat, so if we can’t stay compliant, how will anyone?

When cold calling with the intention to stay GDPR compliant, there are a few things to note. You need to have established a legitimate interest (Article 6(1)(f)) before you pick up the phone. The interest is yours as the controller, but it only holds if it is balanced against the reasonable expectations of the person you are calling, which in practice means the business you are contacting should plausibly want the service you are offering. A genuine legitimate interest means the call is not treated as spam or unsolicited marketing under the GDPR, but you must honestly consider whether it is of value to your prospect (you cannot simply assert it when you and everyone else know it is irrelevant, which is bad sales technique anyway). For B2C scenarios, we suggest avoiding cold calling altogether, as these usually fall foul of the GDPR and the national telemarketing rules.

GDPR Cold Calling

How We Cold Call, Establish a Legitimate Business Interest and Stay GDPR Compliant

Any kind of outbound sales effort comes with its own challenges under data protection law, whether a company is governed by the GDPR or by other regimes such as the US CAN-SPAM Act (email) and TCPA (calls). As a company that specialises in GDPR compliance we must always comply, usually more visibly than most other businesses, but we also need to prospect and push our sales efforts in order to survive. So, let’s take a look at the main pointers on how we carry out sales efforts, establish a legitimate business interest and stay GDPR compliant. Daniela Duda, one of our experts, explains legitimate interest.

What is legitimate interest?

This is how we prospected and conducted cold calls, while also staying compliant with GDPR:

  1. First, we prospected on LinkedIn and Xing to make use of the mass of highly targetable data they offer. We set our sights on data protection agencies, which usually have only 1-10 employees, so reaching the decision-making unit was likely.
  2. We did not store any personal data on our prospects. The company name and a business telephone number were sufficient for us to carry out our GDPR cold calling.
  3. This one is interesting. Instead of directly calling an individual at the business, we called the generic line and asked the operator or switchboard to connect us with the person who makes strategic decisions on partnerships. Although this is an extra step, it strengthened our ability to stay compliant: we never held a named individual’s direct number.
  4. Although our sole intention was to increase sales (as with any sales call), the way we pitched and structured the call was focused on establishing a mutually beneficial partnership between ECOMPLY.io and their agency.
  5. Again, as they are agencies focused on data protection compliance and ECOMPLY.io provides a GDPR compliance software solution, there was a clear legitimate business interest both for them to receive our call and for us to reach out, which avoided GDPR issues. We also treated them as an indirect channel partner: they could promote the product to their own clients or partners while we sold them a licence as well, so it was a win-win.
  6. We also understood their problems well and crafted a pitch that addressed them directly. Data Protection Officers (DPOs) in Germany have many clients, because under the German BDSG a company must, as a rule, appoint a DPO once at least 10 people are regularly engaged in the automated processing of personal data (the threshold was raised to 20 in 2019); the role is therefore mostly outsourced. External DPOs want to save time, manage multiple clients and look professional, so that is what we pitched.
  7. Finally, and this is very important, we respected their right to refuse the call. If they were not interested, we did not follow up or keep calling to convince them; we simply moved on (under Article 21 an objection to direct marketing must be honoured, so record it to make sure the contact is not called again).

What Was Our Success Rate?

Good question. Luckily for you, we gathered the metrics for our GDPR cold calling campaign here at ECOMPLY.io and have some interesting results; have a peek below:


  • We successfully reached 29% of the prospects we reached out to. This was pretty good, taking into account how often people ignore sales calls. Generally, if your reach rate (directly reaching the prospect you need) is below 15%, we suggest you change your approach to cold calling so as not to waste time.
  • Of those we reached, we were able to qualify 69%, meaning they were a good fit for our product and we knew we solved their problem. Similarly, if your qualification rate is below 30%, you need a new, more relevant list of leads (please don’t buy generic leads!).
  • We were then able to convert 51.7% of those that were qualified, which we were pretty happy with. Again, if your conversion rate is below 50%, you need to work on your pitch. Conversion here means either a demo or a sign-up by the prospect.

The benchmark thresholds quoted above are taken from Steli Efti’s Close.io blog.

Overall, we were pretty happy with these results. We have a little work to do on our pitch to get that conversion rate up, but so far it has been a successful campaign and we’ll continue to invest time in GDPR cold calls, and you should too!

And finally, we’ve mentioned it a lot. What is a legitimate business interest, and how do I establish one in B2B sales?

Establishing a legitimate business interest is crucial for B2B sales and marketing when you do not have prior opt-in consent. Although something of a grey area, it can be thought of in a similar way to how a B2C organisation views marketing to a customer who has already purchased from it: the prospect should operate in the same niche or market as you, giving you good reason to believe they are interested in your services and therefore some ground to cold call.

Additionally, companies often publish contact details for certain personnel on their websites precisely in order to receive business propositions (it’s hard to operate a business in complete isolation). This is a fairly strong indication that it’s acceptable to call the company to discuss a legitimate business proposal. However, before any cold call we do suggest performing and documenting a legitimate interest assessment, so that you can show the balancing test you carried out if a supervisory authority asks. Here’s the resource for the legitimate interest assessment.


As you can see, it’s not as scary as you first thought, right? You don’t have to close up shop or look elsewhere for work: you can still carry out your sales processes and cold calling as long as you have that all-important GDPR legitimate interest. Really, it boils down to respecting others’ privacy, not being irresponsible with personal data and making a documented effort to stay compliant. That way, you’ll avoid those fines!




Disclaimer: This article is not legal advice so please seek professional legal advice to discuss your specific circumstances.

Top 10 Free GDPR Tools and Solutions You Didn’t Know Before

The internet has become one of the most important technological innovations in the history of humankind as it ushered in the coming of the Information Age. It introduced the world to an even greater sense of interconnectivity and its impact can be felt in all facets of human society. Perhaps its greatest impact can be felt in economics and marketing as it paved the way for companies to reach an even broader audience and introduce innovations that allowed them to specifically target audiences with personalized forms of advertising.

Personalized advertising has quickly become the norm for digital marketing. It, however, gave rise to questionable information-gathering tactics and has raised issues regarding consumer rights to privacy. The clamor for consumer data protection grew even greater, which led the European Union (EU) to impose legislation that would govern how consumer data is collected. This new law replaces the outdated Data Protection Directive 95/46/EC and came to be known as the General Data Protection Regulation (GDPR).

The new legislation highlighted the need for greater protection of consumer data and placed more responsibility in the hands of big businesses. With the advent of the GDPR, consumers have greater control over their personal information, and businesses need to carry out a GDPR assessment of their data-gathering practices to make sure they do not face stiff penalties.

There is now a greater need for compliance, and that need calls for GDPR tools and solutions to ensure consumer data is protected. That is why we’ve put together a list of GDPR tools and solutions to help your business adhere to the policies set by the EU. These free tools and providers automate parts of the auditing and assessment of your sites needed to maintain GDPR compliance.

What does GDPR mean?

The General Data Protection Regulation, or GDPR, asserts the rights of individuals in the EU over their privacy and personal data, and spells out the responsibilities of businesses operating in, or doing business with, the EU when handling that data.

Under the GDPR, individuals have certain rights to their personal information. These are:

  • The right to access
  • The right to be forgotten
  • The right to data portability
  • The right to be informed
  • The right to have information corrected
  • The right to restrict processing
  • The right to object
  • The right to be notified      

The new regulation gives individuals, prospects, customers, contractors, and employees more power over their data and takes away power from organizations that collect data for monetary gain. Non-compliance will leave businesses facing hefty fines, which can amount to 4% of their annual global revenue, or 20 million Euros, whichever is greater.


Why is GDPR necessary?


The GDPR is the European Union’s response to public concerns over data privacy. Even before the internet became the business powerhouse it is today, the EU’s Data Protection Directive of 1995 was put in place to protect individuals with regard to the processing and free movement of their personal data.

With increasing accounts of high-profile data breaches, public concern over privacy continues to escalate. In fact, an RSA Data Privacy & Security Report indicated that around 80% of consumers in Germany, France, the UK, Italy, and the U.S. have lost pertinent financial and banking data. Lost security and identity information were among those that were highlighted as areas of high concern.


The GDPR aims to ease public concerns over the storage, sharing and security of private information, and it holds companies more accountable for how they handle that information. This highlights the need for GDPR solutions through GDPR assessment to


What Types of Data does the GDPR Protect?


The requirements set by the GDPR have significantly altered the way companies can gather information and make use of these pieces of information. These guidelines protect:


  • Web data such as IP addresses, locations, cookies, and RFID tags
  • Information related to a person’s identity such as the names, ID numbers, and addresses
  • Ethnic or racial information
  • Genetics and health-related information
  • Biometric information
  • Sexual orientation
  • Opinions on politics


The GDPR imposes strict penalties for those that breach the GDPR – penalties that we’ve covered above. This is why compliance with the GDPR rules and guidelines is extremely necessary.


In order to speed up the process of compliance, we’ve come up with a list of free GDPR tools to help with your company’s GDPR assessment strategies. Keep in mind that GDPR solutions like these are extremely valuable in today’s internet landscape so make sure to check them out.


Top Ten Free GDPR Solutions and Tools:

  1.      Ghostery

Ghostery is a user-friendly browser extension that lets users browse faster and with fewer trackers by controlling ads and the way sites track their data. It uses an anti-tracking engine to detect and block the trackers it finds, so that less of your information leaks to third parties.

        Key Features:

  • Blocks third-party data-tracking technologies
  • Removes advertisements to eliminate clutter
  • Page optimization to make pages load faster by automatically blocking and unblocking trackers to meet page quality criteria
  • Customize the information users can see to display only relevant information
  • Enhanced anti-tracking and ad-blocking technologies to create safer browsing environments
  2.      Cookie Script

Cookie Script is a GDPR tool that helps websites comply with the European cookie law (the ePrivacy Directive) and the GDPR. It includes functionality users have asked for, such as an all-in-one suite to control several websites from a single account, the ability to hold back (delete) cookies until the user opts in, consent withdrawal, platform versatility and a self-hosted option to make sure sites are GDPR compliant.

        Key Features:

  • Helps comply with the EU ePrivacy Directive and the GDPR
  • Offers various design options
  • Ability to control first-party and third-party cookies
  • Data consent tracking
  • Geotargeting that shows privacy policy pop-up for users from EU countries
  3.      Let’s Encrypt

Let’s Encrypt is a free, automated global Certificate Authority (CA) run by the Internet Security Research Group. It issues domain-validated TLS certificates through the ACME protocol, so a web server can obtain, install and renew a browser-trusted certificate without human intervention. It is not a GDPR assessment tool, but it removes the usual excuse for serving a site over plain HTTP, and encrypting personal data in transit is part of the “appropriate technical measures” that Article 32 expects of controllers and processors.

        Key Features:

  • Free domain-validated certificates, including wildcard certificates via the DNS-01 challenge
  • Fully automated issuance and renewal through ACME clients such as Certbot; certificates are valid for 90 days, which makes automated renewal a requirement rather than an option
  • TLS-ALPN-01 challenge support for servers that can only expose port 443 for validation
  • Supports both RSA and ECDSA keys for end-entity certificates


  4.      Activemind Privacy Policy Generator

Activemind is a consultancy agency that assists in GDPR assessment strategies to improve data protection and management and ensure that sites are compliant with the GDPR. They employ a wide variety of GDPR tools & solutions to help companies and organizations fulfill legislative requirements set by the GDPR.


  5.      CNIL

Commission Nationale de l’Informatique et des Libertés, or CNIL, is the French data protection authority; it aims to protect personal data and preserve individual liberties while supporting innovation. CNIL publishes a free Privacy Impact Assessment (PIA) tool that walks you through the lawfulness of a processing activity, the data subject rights it must honour and the risks it poses. The tool is designed to help you build and document GDPR compliance.

  6.      Trew Knowledge

WordPress has a variety of GDPR plugins aimed at site compliance, the highest-rated of which is GDPR by Trew Knowledge. The plugin is meant to assist a controller, data processor and Data Protection Officer (DPO) with meeting the obligations and honouring the rights enacted under the GDPR.

Key Features:

  • Consent management
  • Privacy Preference management for Cookies, with front-end preference UI & banner notifications
  • Rights to erasure & deletion of website data with a double opt-in confirmation email
  • Re-assignment of user data on erasure requests, and pseudonymisation of user data
  • Data Processor settings and publishing of contact information
  • Right to access data by admin dashboard with email lookup and export
  • Right to access data by Data Subject with front-end requests button & double opt-in confirmation email
  • Various other features that ensure GDPR compliance



  7.      AvePoint Privacy Impact Assessment (APIA) System

The AvePoint Privacy Impact Assessment (APIA) System automates the GDPR assessment and evaluation process and keeps you updated on progress, so that compliance efforts are heading in the right direction. It monitors activity and progress throughout and supplies categorised suggestions to help close existing gaps in people, technologies or processes.

Key Features:

  • End-user reporting on access to site traffic, search usage, active users, checked-out documents, and top documents
  • Compliance and governance reporting to security and compliance officers for easy identification of suspicious activity
  • Office 365 support for records management to improve automated conflict resolution
  • Content archiving approval to empower end-users to review content prior to archiving
  • Virtual machine backups for improved protection on virtual elements
  8.      BayLDA

The Data Protection Authority of Bavaria for the Private Sector (BayLDA) is another data protection authority, mandated to enforce the GDPR and ensure that data controllers follow data protection law. It inspects organisations’ existing policies to make sure the law is being followed and takes action when infringements such as unlawful data processing or sharing are committed.


  9.      Webskoll

Webskoll is a cookie analyser that helps you understand how privacy-friendly your website is. Its Web Privacy Check looks at the privacy-enhancing features a website offers and at who actually lets visitors exercise control over their privacy: to what extent a website monitors your behaviour, and how much it passes on about that monitoring to third parties. The project also publishes recommendations for web designers and managers on how not to track or leak data in digital environments, together with suggested questions and feature requests that website users can send to webmasters to point out room for improvement.

Key Features:

  • Lists the cookies your website sets, including third-party cookies
  • Shows what is passed on to third parties
  • Checks whether your site is served over a secure (HTTPS) connection
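A first-pass version of this kind of check is easy to build yourself. The Python script below is an added example (it is not Webskoll’s code, nor ECOMPLY.io’s): it takes a constructed capture of which host set which cookie while a page loaded, as a proxy or browser extension would record it, then classifies each cookie as first- or third-party and session or persistent, and flags missing Secure/HttpOnly attributes, SameSite=None without Secure, and persistent third-party cookies that were set before any consent could have been given. The page URL, host names and Set-Cookie headers are made up for the example, and the registrable-domain check uses a last-two-labels shortcut where a real tool would consult the Public Suffix List.

```python
"""Audit cookies observed while loading a page (added example; constructed data).

Input model: a list of (responding_host, Set-Cookie header value) pairs, as a
proxy or browser extension would record them while the page loads.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed capture for a fictional shop page; not a real site.
PAGE_URL = "https://shop.example.org/checkout"
OBSERVED = [
    ("shop.example.org", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example.org", "_ga=GA1.2.123456; Path=/; Max-Age=63072000"),
    ("tracker.example-ads.net", "uid=42; Path=/; Max-Age=31536000; Secure; SameSite=None"),
    ("shop.example.org", "consent=pending; Path=/; Secure; HttpOnly; SameSite=Strict"),
]


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Simplification: a real tool uses the Public Suffix
    List so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into a dict with lower-cased
    attribute keys; valueless attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def is_persistent(cookie: dict) -> bool:
    """Max-Age > 0 or an Expires attribute makes the cookie outlive the session.
    Max-Age=0 (or negative) is a deletion, not a persistent cookie."""
    if "max-age" in cookie:
        try:
            return int(cookie["max-age"]) > 0
        except (TypeError, ValueError):
            return False
    return "expires" in cookie


@dataclass
class CookieFinding:
    name: str
    set_by: str
    third_party: bool
    persistent: bool
    issues: list = field(default_factory=list)


def audit_cookies(page_url: str, observed) -> list:
    """Classify every observed cookie relative to the page that was loaded."""
    page = urlsplit(page_url)
    site = registrable_domain(page.hostname or "")
    over_https = page.scheme == "https"
    findings = []
    for host, header in observed:
        c = parse_set_cookie(header)
        third_party = registrable_domain(host) != site
        persistent = is_persistent(c)
        issues = []
        if over_https and "secure" not in c:
            issues.append("no Secure flag on a cookie for an HTTPS site")
        if "httponly" not in c:
            issues.append("no HttpOnly flag: readable by page scripts")
        if str(c.get("samesite", "")).lower() == "none" and "secure" not in c:
            issues.append("SameSite=None without Secure is rejected by modern browsers")
        if third_party and persistent:
            issues.append("persistent third-party cookie: requires prior consent under the ePrivacy rules")
        findings.append(CookieFinding(c["name"], host, third_party, persistent, issues))
    return findings


def summarize(findings) -> dict:
    """Counts a report page would show at the top."""
    return {
        "total": len(findings),
        "third_party": sum(1 for f in findings if f.third_party),
        "persistent": sum(1 for f in findings if f.persistent),
        "with_issues": sum(1 for f in findings if f.issues),
    }


if __name__ == "__main__":
    results = audit_cookies(PAGE_URL, OBSERVED)
    for f in results:
        kind = ("third-party" if f.third_party else "first-party") + (", persistent" if f.persistent else ", session")
        print(f"{f.name!r} set by {f.set_by} ({kind})")
        for issue in f.issues:
            print("   -", issue)
    print(summarize(results))
```

Run against the constructed capture, the two hardened first-party cookies come out clean, the analytics cookie is flagged for missing Secure and HttpOnly, and the tracker’s cookie is flagged as a persistent third-party cookie that would need consent before being set. Feed the same function a real capture (for example the Set-Cookie headers pulled out of a HAR export) to get the same classification for your own site.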

  10.     ECOMPLY.io

ECOMPLY.io provides a GDPR assessment that comes with an easy-to-understand, clearly stated step-by-step plan for creating policies that ensure compliance. Its GDPR solution runs on any platform and is built to save around 70% of GDPR preparation and documentation time by asking the right questions and giving the right answers, even without a lawyer’s assistance.

ECOMPLY.io’s project management and workflow tooling gives any organisation a clear report of the requirements still needed to ensure compliance. We offer a free 14-day trial that can bring your organisation several steps closer to compliance, plus a FREE GDPR gap assessment to help identify key issues and come up with an action plan.

Key Features:

  • Clear instructions towards GDPR compliance
  • Saves you time on familiarization because their GDPR tools are easy to use
  • Compliance progress tracking
  • Multi-user management for every team
  • Reports are easily exportable as beautiful PDFs
  • 1-click assignment of data flows
  • Provides automatic reminders of progress
  • All data protection efforts come in an all-in-one platform
  • Automatic vendor management
  • Attachment of compliance badge as a demonstration of compliance after successful strategy adoption
  • Multitudes of templates are available to suit your needs
  • Compliance for both controllers and processors

Offer: if you make less than €1000 as a business, ECOMPLY.io will offer the solution for FREE.



The General Data Protection Regulation, or GDPR, has indeed changed the way data can be collected and has brought with it stiff penalties for non-compliance. Choosing not to do business with the EU instead of complying is not really an option either. These GDPR tools and service providers can be of real help to businesses and organisations as they put in place the strategies and policies that will keep them compliant with the new regulation, and they can make the process of compliance easier and more efficient.

So, which free tool was your favorite? Which one are you going to use?

Do I need a Data Protection Impact Assessment to avoid GDPR fines?

Rapid technological development lets companies conceive and develop new and innovative business models. Often, however, these changes require them to process large amounts of personal data, and in that case they may have to carry out a Data Protection Impact Assessment (DPIA). Conducting a DPIA helps you understand and demonstrate compliance, and so avoid GDPR fines.

The GDPR does not require an impact assessment for every change. Article 35 requires one where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. The change that triggers this can be technological or organisational. Failing to carry out a required assessment is an infringement of the controller’s obligations, which Article 83(4) makes punishable by fines of up to 10 million euros or 2% of worldwide annual turnover, whichever is higher (the 20 million / 4% tier applies to breaches of the basic principles, the lawful bases and data subject rights).

In this article, we aim to give businesses a basic understanding of a Data Protection Impact Assessment (DPIA), along with the pointers you need to conduct one and avoid GDPR fines.

Who needs to do a Data Protection Impact Assessment?

We have so far, in our research and experience, not found an answer on which experts agree, and GDPR enthusiasts have not answered it sufficiently either. So we came up with some pointers to make it easier to understand. Here are the essential triggers to consider in order to avoid GDPR fines:

  • If your organization processes Special Categories Data (refer to the Defining Data Categories under the GDPR to know more)
  • Companies/organizations that process data on a large scale (refer to the Defining Large Scale section to know more)
  • If your organization/company does profiling of individuals
  • Companies/organizations that directly target their service/product towards children


Article 35(4) of the GDPR also requires Data Protection Authorities (DPAs) to publish lists of processing operations for which a DPIA is mandatory (the so-called blacklists). If your processing appears on your DPA’s list, you must conduct a DPIA to avoid GDPR fines, and you can record the relevant list entry in your DPIA template for later reference. Here’s a list that the German authorities have come up with.

Below is Daniela Duda’s (a renowned specialist in Germany) answer to this question.

Privacy Impact assessment

What is a Data Protection Impact Assessment?


The European Union (EU) introduced the Data Protection Impact Assessment as a tool under the General Data Protection Regulation (GDPR). The GDPR requires it (not merely recommends it) wherever a processing activity is likely to present a high risk, and it is the structured way to analyse the risks that a business’s processing entails.


If you introduce a new technology in your organisation that automates processing activities, you need to do an assessment. Use it to identify and ultimately reduce the risks of the processing. If you conclude that a high risk to the individuals involved remains even after the mitigations you can identify, you must consult the DPA before starting (Article 36).


The Data Protection Impact Assessment will help you organise your projects and, at the same time, help you avoid GDPR fines.


What does the General Data Protection Regulation (GDPR) say about DPIA?


According to Article 35(1), you as a controller are responsible for carrying out an assessment:


“Where a type of processing, in particular, using new technologies, and taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.”


Article 35(1), quoted above, lays out when exactly an assessment must be carried out. It does not require a DPIA for every type of processing: it requires one where the processing is likely to result in a high risk to individuals, which is especially likely when you introduce new technologies, so analyse how data will be processed using those technologies.


Moreover, you need to take into account the nature, scope, context and purposes of the processing itself. If you recognise a high risk to the rights and freedoms of natural persons, go back to project planning: the assessment must be completed before the processing starts, so integrate it before you start the project. If the DPIA shows that the risk remains high despite your mitigations, you as the controller also have to consult the relevant Data Protection Authority (DPA) before proceeding (Article 36).


If you use the DPIA template, or customise it for your company, add the text of the GDPR article to it. This serves as the guiding legal basis and can be referred to at any time.


Defining Nature, Scope, and Context


To make it simpler for you to understand, let’s take an example:


Take a hospital that records and processes the health data of its patients. The nature of the processing is the type of data you process and what you do with it. For example, as a doctor you collect blood samples and the history of illnesses, and you use this data to prescribe a treatment or medicine so the person can recover.


All this data is personal data under the GDPR, and health data is additionally a special category under Article 9. The scope of the processing is the scale of the activity: who has access to the data and how much data you process. In our example a doctor examines 30 patients, listens to their complaints and records their information. The data can be processed by the 15 doctors who have access to it; nurses, for instance, cannot access it. Processing is also not automated: a doctor can look at the stored data, but there is no algorithm that analyses it and suggests a diagnosis. In the future those 15 doctors can use the data to diagnose patients as well. You also need to define how long you keep the data, in your Records of Processing Activities. This is the scope in our example.


The context is the situation in which the data is recorded and processed. In this case it is the hospital, and the legal basis is consent. So when a patient comes in, you need to explicitly ask for their consent to process their data. For a regular patient you won’t need to do this every time they come in; however, if you change something in the processing, you need to inform them again.


These pointers need to be clearly mentioned and sketched out in your DPIA template.


Defining Data Categories under the GDPR

If you understand these categories, you can conduct a Data Protection Impact Assessment easily, and you can train your project managers to distinguish between them. The General Data Protection Regulation defines personal data as any information relating to an individual that can be used to identify them.

This could be professional data or any other private data a person has. It also includes data that is indirectly identifiable through cross-referencing, for example a matriculation number assigned to you at university or your IP address.

Special category data is a further category of data under the GDPR, set out by Article 9, which lays out the framework for processing sensitive data. Sensitive data is defined as any data that could reveal racial or ethnic origin, or political or religious views. It also includes any data that reveals trade union membership, health data or biometric data.

If you process sensitive or personal data, you need to record it under the GDPR in your Records of Processing Activities documentation. You need to do this record keeping for all processing of data.

Further Data Categories

Here are some further definitions, according to Pegasystems, that you might find useful:


“Data concerning health is defined by the GDPR as personal data related to physical or mental health of an individual. It includes the provision of health care services, which reveal information about his or her health status.

Genetic data is defined by the GDPR as personal data relating to inherited or acquired genetic characteristics of an individual. It includes data that gives unique information about the physiology or the health of that natural person. It’s any data that you get from an analysis of a biological sample from the natural person in question.

Biometric data is personal data from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual. It’s any data which allows or confirms the unique identification of that natural person. Examples are facial images or dactyloscopic data.” (Pegasystems, 2018)

Defining Large Scale


Processing data on a “large scale” is difficult to define and there is much ongoing debate about the legal terminology. If you process data on a large scale, you have to conduct a DPIA to avoid GDPR fines. So what exactly is large scale? According to EC Europa:


“The GDPR does not define what constitutes large-scale. WP29 recommends that the following factors, in particular, be considered when determining whether the processing is carried out on a large scale:
– The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
– Volume of data and/or the range of different data items being processed
– The duration, or permanence, of the data processing activity
– Geographical extent of the processing activity.”


This is also what we know for sure:


  • If you are processing special category data, you have to conduct a DPIA even with a single data subject. Add this as a footnote in your DPIA template.
  • As a freelance practitioner (for example a doctor, a lawyer or another professional dealing with clients), any number of data subjects above the average in your particular field is considered large scale and requires a Data Protection Impact Assessment.
  • Similarly, as an organisation where data processing is an integral part of your business, you need a DPIA. If it is a regular activity, you can justify whether or not you are processing on a large scale based on the following factors: the number of data subjects, the volume of personal data and the geographical locations.

Here are some examples you can add in your Data Protection Impact Assessment:

  • “…processing of patient data in the regular course of business by a hospital
  • processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards)
  • processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialized in these activities
  • processing of customer data in the regular course of business by an insurance company or a bank
  • processing of personal data for behavioural advertising by a search engine
  • processing of data (content, traffic, location) by telephone or internet service providers.

Examples that do not constitute large-scale processing include:
  • the processing of patient data by an individual physician
  • processing of personal data relating to criminal convictions and offences by an individual lawyer” (EC Europa, 2018)


As a guide, and so that your Data Protection Impact Assessment effectively helps you avoid fines, you can add these examples to your DPIA template as a tool for understanding the process. Different project managers can then refer to the same document.

When is it necessary to conduct one?

You need to carry out a Data Protection Impact Assessment (DPIA) when you do systematic and extensive profiling, and when you make significant decisions about people, especially through automated processes or algorithms. When you use new technologies to process data on a large scale, you also need to do a Data Protection Impact Assessment.

Moreover, if you use technology that processes special category data or criminal offence data, an assessment needs to be carried out. For any technology with which you process personal data and criminal offence data, you need a DPIA covering it.

When you use profiling, automated decision-making or processing of special category data, do a DPIA, especially when you use these processes to make decisions about opportunities and access to opportunities, services or benefits, for example getting a phone or network contract from a carrier or getting a loan.

Regular and Systematic Processing

When your organisation carries out regular and systematic monitoring, a Data Protection Impact Assessment becomes necessary. EC Europa sums up the notion of systematic monitoring:


“The notion of regular and systematic monitoring of data subjects is not defined in the GDPR. But clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.”


If you are combining and accessing data from multiple sources to compare or match it, a DPIA is also recommended, for instance when building shopper profiles from their public social media profiles or online shopping behaviour. If you track online or offline location and generate data from it, a DPIA is also essential.


If your company processes children’s personal data, you need to do an assessment; this applies whether you do so through automated decision-making or for marketing. You will also need to consult the DPA if the service or product is marketed directly to children.


If you identify that processing personal data could result in a risk of physical harm, an assessment is required. Physical harm is considered very serious under the GDPR.
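The triggers listed in this section and under “Defining Large Scale” can be kept as a screening rule set that is run over your register of processing activities, so that every project manager applies the same criteria. The following is an added example written for this article; it is not the article’s own tool or ECOMPLY.io’s code. The register entries, the field names and the numeric “large scale” thresholds are constructed assumptions chosen for illustration, not values from the GDPR or WP29, and the output is a screening aid, not the assessment itself.

```python
"""DPIA screening over a register of processing activities.

Added example, not the article's or ECOMPLY.io's code. It turns the DPIA
triggers listed in the text into a rule set and runs it over a constructed
register. The numeric "large scale" thresholds are assumptions chosen for
illustration, not values taken from the GDPR or WP29.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# ASSUMED thresholds standing in for the WP29 large-scale factors
# (number of data subjects, duration/permanence, geographical extent).
LARGE_SCALE_SUBJECTS = 10_000
LARGE_SCALE_REGIONS = 2
LARGE_SCALE_RETENTION_DAYS = 365


@dataclass
class ProcessingActivity:
    name: str
    data_subjects: int
    regions: int = 1
    retention_days: int = 0
    special_category: bool = False      # Article 9 data (health, biometric, ...)
    criminal_offence_data: bool = False
    children_data: bool = False
    marketed_to_children: bool = False
    profiling: bool = False
    automated_decisions: bool = False
    new_technology: bool = False
    systematic_monitoring: bool = False
    data_matching: bool = False         # combining sources to compare or match
    location_tracking: bool = False
    physical_harm_risk: bool = False


@dataclass
class Screening:
    activity: str
    dpia_required: bool
    consult_dpa: bool
    reasons: List[str] = field(default_factory=list)


def is_large_scale(a: ProcessingActivity) -> bool:
    """Heuristic over the WP29 factors; the thresholds are assumptions."""
    return (a.data_subjects >= LARGE_SCALE_SUBJECTS
            or a.regions >= LARGE_SCALE_REGIONS
            or a.retention_days >= LARGE_SCALE_RETENTION_DAYS)


def screen(a: ProcessingActivity) -> Screening:
    """Apply the triggers from the article; every hit is recorded as a reason."""
    reasons: List[str] = []
    if a.special_category:
        reasons.append("special category data: DPIA even for one data subject")
    if a.criminal_offence_data:
        reasons.append("criminal offence data")
    if a.profiling:
        reasons.append("systematic profiling")
    if a.automated_decisions:
        reasons.append("significant automated decision-making about people")
    if is_large_scale(a):
        reasons.append("large-scale processing"
                       + (" with new technology" if a.new_technology else ""))
    if a.systematic_monitoring:
        reasons.append("regular and systematic monitoring")
    if a.data_matching:
        reasons.append("combining or matching data from multiple sources")
    if a.location_tracking:
        reasons.append("online or offline location tracking")
    if a.children_data:
        reasons.append("children's personal data")
    if a.physical_harm_risk:
        reasons.append("risk of physical harm")
    # Consult the DPA when the service is marketed directly to children.
    # (Residual high risk after the assessment is the other consultation
    # trigger; that is a judgement on the finished DPIA, so not modelled here.)
    consult = a.children_data and a.marketed_to_children
    return Screening(a.name, bool(reasons), consult, reasons)


def screen_register(register) -> Dict[str, Screening]:
    return {a.name: screen(a) for a in register}


def names_requiring_dpia(register) -> List[str]:
    return sorted(r.activity for r in screen_register(register).values()
                  if r.dpia_required)


# Constructed register; the activities mirror the article's examples.
REGISTER = [
    ProcessingActivity("hospital patient records", data_subjects=30,
                       retention_days=3650, special_category=True),
    ProcessingActivity("individual physician", data_subjects=1,
                       retention_days=30, special_category=True),
    ProcessingActivity("shopper recommendations", data_subjects=250_000,
                       regions=5, profiling=True, systematic_monitoring=True,
                       data_matching=True, new_technology=True),
    ProcessingActivity("learning app newsletter", data_subjects=2_000,
                       children_data=True, marketed_to_children=True),
    ProcessingActivity("supplier contact list", data_subjects=40,
                       retention_days=180),
]

if __name__ == "__main__":
    for r in screen_register(REGISTER).values():
        flag = "DPIA" if r.dpia_required else "no DPIA"
        dpa = ", consult DPA" if r.consult_dpa else ""
        print(f"{r.activity}: {flag}{dpa}; {'; '.join(r.reasons) or 'no trigger'}")
```

Note that the individual physician is flagged although EC Europa does not count that practice as large scale: the article’s own rule that special category data requires a DPIA even for one data subject takes precedence, and the reasons list shows which trigger fired so the entry in the template can cite it.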


How to conduct a Data Protection Impact Assessment?


Companies need to conduct a Data Protection Impact Assessment before the start of a project, and in any case before processing begins.


Step 1: Describe the Processing

Describe in detail the nature, scope, context and purposes of the processing. Ask your data processors to collaborate with you so that you fully understand and document their processing activities and identify any associated risks.


For instance, if you are tracking shopping behaviour, you would define the scope of the tracking. What exactly do you track? Do you track what consumers buy, the products they look at, how long they look at a product? This needs to be stated clearly.


You also need to state why exactly you are doing the tracking, for instance to make useful, personalised recommendations. Answer the question of how you protect the data: where the servers are located, why the processing activity is necessary, and in general all the questions you would look at in your standard records of processing activities. Document all of this for the processing activity.


Step 2: Identify the risks of the processing activity

Work together with your team to identify all the risks this activity might pose to the rights and freedoms of the individuals whose data you are collecting. Check that the processing is necessary for and proportionate to your purposes, and describe how you will ensure data protection compliance. Assess the severity of the risks to individuals’ rights and interests as objectively as possible.


Step 3: Document everything!

You need to document all of this for your DPIA including any disagreements you have with your Data Protection Officer (DPO). After documentation, you can move forward to implementing the measures you have integrated into your project planning.


Hauke Holtkamp advises companies to “…track statistics as opposed to making profiles.” He elaborates with the example of ECOMPLY.io:


“We want to understand how our users go through each step to comply with the GDPR. To see how much time our users spend on each step so we can make the app better by analysing further the steps where more users get stuck. It can easily be done anonymously by not making profiles of our users but just by looking at statistics of each step. This way we are incorporating the principles of privacy within our app.”
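The approach in the quote, keeping only per-step statistics and never a per-user record, can be shown in a few lines. The following is an added example written for this article, not ECOMPLY.io’s code: the step names, the sample events and the minimum bucket size of five attempts are constructed assumptions. Each event carries only the step, how long it was open and whether it was completed; the session field is present in the input only to show that it never reaches the output.

```python
"""Per-step statistics without user profiles (privacy by design).

Added example, not ECOMPLY.io's code. It models the approach the quote
describes: keep aggregate counts and durations per step of a flow, never a
per-user record. Step names, events and the bucket threshold are constructed
assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List

# Constructed sample events: one per step attempt. A real client would emit
# just the step, the time spent and the outcome; the session value is shown
# here only to demonstrate that the aggregate output never contains it.
SAMPLE_EVENTS: List[dict] = [
    {"session": "s1", "step": "records", "seconds": 120, "completed": True},
    {"session": "s1", "step": "risks", "seconds": 300, "completed": True},
    {"session": "s1", "step": "measures", "seconds": 90, "completed": False},
    {"session": "s2", "step": "records", "seconds": 100, "completed": True},
    {"session": "s2", "step": "risks", "seconds": 420, "completed": False},
    {"session": "s3", "step": "records", "seconds": 140, "completed": True},
    {"session": "s3", "step": "risks", "seconds": 360, "completed": True},
    {"session": "s3", "step": "measures", "seconds": 60, "completed": True},
    {"session": "s4", "step": "records", "seconds": 110, "completed": True},
    {"session": "s4", "step": "risks", "seconds": 500, "completed": False},
    {"session": "s5", "step": "records", "seconds": 130, "completed": False},
    {"session": "s5", "step": "risks", "seconds": 240, "completed": True},
]

MIN_BUCKET = 5  # ASSUMED: do not publish a step with fewer attempts than this


def aggregate_step_stats(events, min_bucket: int = MIN_BUCKET) -> Dict[str, dict]:
    """Reduce events to per-step aggregates; no identifier is kept."""
    attempts = defaultdict(int)
    completed = defaultdict(int)
    durations = defaultdict(list)
    for e in events:
        step = e["step"]
        attempts[step] += 1
        if e["completed"]:
            completed[step] += 1
        durations[step].append(float(e["seconds"]))
    stats: Dict[str, dict] = {}
    for step, n in attempts.items():
        if n < min_bucket:
            continue  # too few attempts to publish without singling people out
        stats[step] = {
            "attempts": n,
            "completion_rate": round(completed[step] / n, 2),
            "median_seconds": median(durations[step]),
        }
    return stats


def stuck_steps(stats: Dict[str, dict], max_completion_rate: float = 0.7) -> List[str]:
    """Steps where users get stuck, the question the quote wants answered."""
    return sorted(s for s, v in stats.items()
                  if v["completion_rate"] < max_completion_rate)


def contains_identifier(stats: Dict[str, dict],
                        keys=("session", "user", "email")) -> bool:
    """Sanity check before publishing: the output carries no identifier field."""
    return any(k in v for v in stats.values() for k in keys)


if __name__ == "__main__":
    stats = aggregate_step_stats(SAMPLE_EVENTS)
    for step, v in stats.items():
        print(step, v)
    print("stuck:", stuck_steps(stats))
    print("identifiers in output:", contains_identifier(stats))
```

The `measures` step is dropped from the output because only two attempts were recorded: with so few, a reader who knows who used the app that day could recover an individual’s result from the aggregate, which is the same kind of profile the aggregation was meant to avoid.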



Challenges of conducting a DPIA


When companies use external parties to conduct a Data Protection Impact Assessment, one challenge is that the clients do not want to carry it out, due to a lack of awareness of what it constitutes and what its consequences might be. There is usually a fear that carrying one out would somehow result in restricted business practices and options.


Another issue is the lack of information needed to carry out a Data Protection Impact Assessment fully. This has two causes: the GDPR is relatively new, and only a small percentage of companies are even somewhat compliant. As a result they are not fully aware of their data pathways and trajectories, which makes the documentation in the DPIA difficult to complete.


There is also a negative connotation attached to the Data Protection Impact Assessment: that it is extremely arduous and time-consuming. This puts companies off embarking on any such assessment or investing time or money in it, even at the risk of huge GDPR fines.


Hauke Holtkamp, co-founder of ECOMPLY.io, having talked to their customers, says:


“The biggest challenge for our customers is to figure out where to start since right now there’s not much reference material. Also, a lot of business models depend on some non-compliant processes. However, a DPIA is a good instrument for realizing where in your business you have non-compliant processes.”


Benefits of a Data Protection Impact Assessment


Conducting a Data Protection Impact Assessment before the start of a project will allow you to be aware of the information flow within the project from the very beginning.


  • It will improve your communication regarding data privacy to different stakeholders
  • You can garner confidence among your user-base and customers that you process their data responsibly
  • Your organization can ensure that your users are not at risk and reduce the costs for when a security breach does take place
  • It will also help you reduce operational costs by optimising the flow of information
  • You will avoid GDPR fines by maintaining compliance




The GDPR is still relatively new legislation and businesses have not been conducting DPIAs at this point. First, it is extremely important to map all your business data flows and train your staff to understand how data flows through your business and is processed.


Your organisation should also train staff to assess when a DPIA is needed and how to conduct it. You should see this as an integral part of compliance. In general, you should conduct a DPIA for any new or changed process, employee or organisational measure.


According to Hauke Holtkamp:


“A Data Protection Impact Assessment to avoid GDPR fines is incredibly hard to do as a business. The first thing you should do is get structure into your processes. If you can formulate an ordered list of processes and go through it like a checklist, stating which one is “harmful” and which is “harmless”, this will make it easy to structure the carrying out of the assessment, provided you have a good understanding of your processes. In the end, if you identify high risks for certain processes, make sure you implement measures to reduce those risks.”


How Startups Can Have a Successful Product Hunt Launch

As a start-up, it can be hard to launch when you are still trying to create a space for yourself in the market. On top of that, as a new start-up, you are probably low on employee days and might even be lacking some skills. If you do not have a skilled marketer or content creator, then you need to either spend the time to acquire these skills or use finances to hire a freelancer or a skilled employee. All in all, if you plan it correctly and involve your whole team, you can pull it off without any big hitches. We were a group of 5 people and we made it to the top ten products of the day on Product Hunt! Here’s what we learned from the experience:

  1. Getting a popular hunter can help

We decided to go without a popular hunter, which meant that we had to spend considerable effort on marketing material and activities. If you have a popular hunter launch your product, it gets traction more easily. Since the hunters usually have a huge following, every time they launch a product their followers get a notification.

  2. Engage with communities

Two weeks before the launch, you should look for all the groups on social media channels like Facebook, LinkedIn and even Slack open channels. Join the channels and start engaging with the members there. You can do this by posting relevant questions or content in the group. Be genuinely interested in the group’s owner, their purpose, their interests and their members. As a start-up, it’s also good to attend some meetups and engage with people. Divide the work according to the fields and functions of your team members. For instance, our developers engaged with all the development groups while our sales team members talked to other sales reps.

  3. Tease before Product Hunt

Make sure you build up a pre-launch hype! As a start-up, your product, of course, is not as well-known as those of established companies. Use this launch to create awareness around your product/service.


  4. Algorithms of Product Hunt – this is what we know with some certainty about the PH algorithm:

  • Upvotes from Contributors and Makers count more
  • Recommendations and comments count more
  • Upvotes alone don’t count as much, especially when they come from new members

So, make sure you target your pre-launch hype and marketing efforts at existing Product Hunt contributors. Becoming a contributor also takes a while, so if you are getting your friends, family, colleagues or acquaintances to upvote, make sure you start telling them a week or two before launch so that they can at least become contributors. Have a plan to get at least 100 genuine upvotes from contributors, not from someone who just signed up. This goal will help you guide your launch.

  5. Find a way to reward your customers and educate them about Product Hunt

Early adopter FOMO (fear of missing out) is a thing and you need to use it! Get all the techies excited about it, especially your customers. No matter how many customers you have, make sure you inform them of your reward scheme if they support you in your launch. Make a good offer: a discount or a good deal should always do the trick. Also, something like an ‘early bird’ discount or early access works.

  6. Get customer testimonial videos to post on your maker story

If you already have some customers who are happy with your product, find a way to market their testimonials via a photo, video or some other way. You can either add this to your Maker Story or use it as part of your pre-launch marketing.

  7. Involve the whole team and GET YOUR MARKETING READY!

Your whole team should be aware of the launch! Make sure you have your whole company on board. As a start-up, you will need all hands on deck!


You need GIFS, thumbnails, a well-written maker story, Facebook cover photo and profile photos as well as Twitter and LinkedIn banner. The most important thing is that you have tested different channels beforehand and know which ones work for your target audience. Whether it’s social media or Google advertisement, you need to figure this out for your marketing efforts to be impactful. Give yourself 4-5 weeks to prepare in advance for the launch and keep all your messages simple and to the point. If you have a big customer, you should get them on board to support you. Ask them to launch your product on their website and to their users/customers as well.

  8. Don’t ask people to upvote

This cannot be reiterated enough! You have probably already come across this piece of advice through several different channels and that’s essential because it is extremely important that you only ask for feedback and assessments. Asking for upvotes will impact your ranking negatively. Don’t be sad if you don’t become Product Hunt’s product of the day. Sometimes one of the big companies launches a product on the same day catching you unaware.

  9. Product Hunt is not a one-time thing!

You can keep launching free or smaller products depending on what you are doing. New updates and features are always something that you can create a launch around. Make sure your Product Development and Sales teams are aligned on the launches. What you are launching and when! Your whole company should be a part of the launch’s preparation and execution. You can even schedule several launches with your product team.

  10. Set smart goals and measure them

Product Hunt is not just about launching a new product, it can have several goals. You can get feedback on your prototype through a launch, make your product better or simply gain customers, gain more traction for your website or simply get the word out there about your product. Set the goal before you start with your marketing and planning. Come up with relevant metrics in line with the goal so you can concretely measure your performance and what you can do better in the next launch.

Here you can check out our first launch on Product Hunt and we have another smaller one too!

Take half a minute to sign up with us and make your business GDPR compliant to avoid all those big fines!

GDPR Compliance

25 GDPR Compliant Software Companies - The Trustworthy Vendors

Many software companies claim to be GDPR compliant software. But it takes a lot for companies embedded in our current structures to fundamentally change their business practices and processes to comply with a change in legislation. When the General Data Protection Regulation (GDPR) was introduced, it required exactly this kind of strenuous effort and commitment from companies in order to be compliant. GDPR compliance is, of course, a long-term and continuous process.


Companies not only have to internally modify the way they work but also have to pay attention to the vendors they pick and work with. The vendors basically include all the software that you will use, whether it is for sending marketing emails or a Customer Relationship Management (CRM) system. To make your life easier, and also to celebrate the hard work of companies who have successfully embarked on the GDPR compliance process, we decided to compile a list of vendors who are GDPR compliant. So here it goes, in no particular order:




Basically, a marketing software suite that allows you to analyse, optimise and personalise your website with different tools all in one place.

They have clearly thought out their GDPR compliance process, since they have all the essentials of a responsible data processor. Offering GDPR compliant services for A/B testing and heatmaps is not an easy feat, but they have proven that it is in fact achievable! They have an opt-out button that you can use, and the privacy policy of their parent company, Freshworks, is quite comprehensive. This GDPR compliant software has the most detailed information about their practices.

For more information, check out: Freshmarketer


This software allows you to make surveys with a high completion rate due to the conversational nature of their surveys. Our favourite part is their empowering approach to the GDPR where they state:

“We are the facilitators who make data processing and management simple for you. You control and own your data!”

They also transparently give you a short checklist of everything they have done to comply with the GDPR.

For more information, check out: Survey Sparrow


Another automated sales email outreach software for your business that allows for integration with your Google account, Exchange account and Office 365 account among many others.

We love that they already had an effective GDPR program starting 01.01.2018 where they provided the status of their different GDPR related activities. Not only that, their GDPR compliance page follows a simple question-answer format to make it simpler for anyone to read as well as answer any questions people might have. They also have a GDPR e-book that they have created from their own experience!

For more information, check out: Woodpecker


If you have a huge number of subscribers whom you want to reach out to then this is the GDPR compliant software that you should get. It offers integrations, automation through time-based onboarding and drip sequences among other features.

They have added Full GDPR compliance in their Added Features List. All their servers are based in the European Union (EU) and they also have a checklist of what they have done and one for you to know how they keep you compliant as a Vendor.

For more information, check out: EmailOctopus


This service allows you to make your own creative pop-ups that appear at intervals chosen to increase your conversion rate.

They have followed ECOMPLY.io’s steps and are endorsed by us in their GDPR compliance efforts. They have comprehensively done all their Records of Processing Activities as well as have an updated privacy policy and Data Protection Agreements with vendors. And they did such a great job of completing all the steps in our app that they earned a Badge! Well done, Poptin!

For more information, check out: Poptin


This Conversion software allows you to personalise your content by segmenting your website visitors and providing them the relevant content accordingly. And of course, they do this in a GDPR compliant way.

According to the GDPR, they are a processor, and the “Data Processing” description on their dedicated GDPR page shows that they really have thought through their compliance. Their customers can see how their data is kept secure and who their sub-processors are. Their page and privacy policy are comprehensive, making them another transparent and compliant vendor.

For more information, check out: Unless


Another Marketing vendor that has clearly made considerable efforts to become GDPR compliant. These are the features they provide: Powerful Retargeting, Custom Domains, Branding, Smooth Link Shortening and even QR codes for your marketing efforts.

Their GDPR compliance seems very consumer oriented and empowering. This can be seen in their headline for the contact form that goes straight to their Data Protection Officer. It reads:

“Exercise your rights under GDPR”

You can submit your request by choosing it from the drop-down box and then submitting it. Very interactive compliance!

For more information, check out: RocketLink


This one is all about driving up your conversion through effective link shortening and sharing for various advertising activities. It even allows you to personalise your 404 error page for when one of your links doesn’t work.

They help their European Customers gain consent for their advertising activities very simply! Here’s how they do it:

“Display a customized CTA only to your European visitors and automatically fire the pixel based on your visitor’s choice.”

Their updated privacy policy informs their customers of their rights under the GDPR!

For more information, check out: PixelMe


Are you a tweeting marketer looking for followers? Then this is the tool for you. It finds you followers from your target market.

Its privacy policy and GDPR compliance page are so well structured that if you are looking for a specific piece of information or have a particular question, you can simply click on the relevant question headline and it takes you to that part.

For more information, check out: Jooicer


This one is for marketing agencies and managers who collaborate with teams and clients regularly. You can easily create, share, get feedback on and get approval for the content that you create for your company or other companies.

It is a US based company but they have an updated privacy policy that reflects their GDPR efforts. Their privacy policy tells you exactly the type of data they collect through their service but also through cookies and other tracking technologies. They also have a dedicated email address where you can submit your Data Subject Access Requests and they promise to acknowledge and process them in 30 days.

For more information, check out: Gain


Another US based company for Retail Marketing Automation via Facebook Messenger. Basically, it helps with closing sales and building valuable long term relationships.

Their Privacy Policy is pretty straightforward and because they work with Facebook as their main partner (which we can imagine isn’t easy given the loss of trust they recently faced from consumers), they do a pretty good job of effectively providing links to privacy initiatives from their partners. They provided their customers with the GDPR compliant policies of all their big partners like Amazon and Shopify!

For more information, check out: Shopmessage


For content marketing, optimization and social media marketing: Elokenz offers a range of these services to bloggers and content marketers.

We have to say that its Privacy Policy in line with the GDPR is absolutely on point! They provide you with a policy summary that is easy to go through, and just below it you can delve into the details if you need to. Not only that, we love that they have little icons in the summary. Talk about marketing the privacy policy!

For more information, check out: Elokenz




If your business is based on a huge volume of calls, this is your software to optimise the distribution and attendance rates of your calls. You can use the data from marketing initiatives to check which campaign made your phone ring, or how your call agents are doing.

Since they will clearly be dealing with a lot of data, we were very curious to find out what efforts they had made to be GDPR compliant. Their privacy policy is updated in line with the GDPR and they also guide the reader to the relevant part:

“If you are a visitor of a site which is running services provided by Ringostat (“Ringostat Enabled Site”), the ‘End Users’ section of this Privacy Policy applies to you.”

For more information, check out: Ringostat


Designed for Small and Medium Businesses, Reply is a comprehensive Sales Platform that helps you take your sales to the next level. The platform also automates outreach to potential employees and bloggers as well as influencers for PR purposes.

We find their little GDPR Ready icon at the top of their page absolutely brilliant! Once you click on this icon, they give you a detailed overview of their responsibilities and the contact people in case of any issues. They serve as an example of how the GDPR actually increases trust among your customers if your business remains transparent about its data collection activities.

For more information, check out: Reply.io


Taskdrive allows you to outsource your lead research so you can focus on other tasks. The service is pretty straightforward and so is their GDPR compliance. They have the consent checkbox for their forms that prospective customers provide their data through. They also clearly state that “consent is voluntary”. Their privacy policy is updated and they also provide the link to their data retention policy.

For more information, check out: Taskdrive


Here’s a tool that combines different tools all in one. It offers CRM, HRM, invoices, reports, contacts and projects all in one platform. It makes collaboration easy and makes managing projects very convenient too.

Their GDPR efforts are clear through their updated privacy policy and their dedicated GDPR page. They clearly have incorporated the principles of the GDPR in their business and this is our favourite part:

“Revisiting GDPR compliance regularly.

As part of our commitment to remaining GDPR compliant and respecting the privacy of our users, we will revisit this document at least once per year to ensure that all of the information is accurate and up-to-date.”

For more information, check out: Teamwave


This tool helps you create and automate your sales funnel. It allows for a range of different integrations with mailboxes and also helps your Sales team collaborate.

Their GDPR compliance can be seen in their Privacy Policy, which has detailed content on all their GDPR related efforts. Not only that, their CEO was personally involved in all their compliance activities. They have divided their privacy policy by content and function so it is easy for their business customers to follow. They also link the privacy policies of all their vendors so their customers can trust their services.

We are also using Salesflare because GDPR compliance is a priority for them. We also believe that they are a GDPR compliant software company because we regularly see their documentation.

For more information, check out: Salesflare


This International Google mail oriented Customer Relation Management (CRM) System allows for carrying out sales, support and hiring activities all from your inbox.

Their commitment to data protection is evident in the fact that they comply with both the California Online Privacy Protection Act and the GDPR. Not only that, their dramatic Privacy Policy sub-heading gives us goosebumps:

“We never share potentially dangerous information. We stand by our no-spam policy.”

For more information, check out: Streak


If you are looking for a Customer Relationship Management tool built on the basic principles of the GDPR, Freshsales allows you to take consent before recording any information, through webforms and opt-in check boxes, and it also allows you to deal with all the Data Subject Requests that you might get.

“Freshsales makes it easy to view, export, and delete records in a single click!”

This is in line with the rights that the GDPR empowers users with to ask for their data at any point.

For more information, check out: Freshsales


This Belgium-based sales automation platform has warmed our Data-Protection-crazed hearts. Not only do they have an updated Security Policy, they also have a Privacy Policy listing all their vendors as well as the right information to make their users aware of their rights. And they don’t stop there! They even help their customers understand the GDPR with the frequently asked questions on a dedicated GDPR page. They even clarify the role of cold e-mailing under the GDPR, which has been on the minds of a lot of businesses:

“The GDPR does not outlaw the use of cold emailing, as long as the emails you are sending are directed to people who will find their content useful. Certain requirements also need to be fulfilled nonetheless:

  • The topic of the email must be clearly identified.
  • There must be a clear way to opt out from future emails.
  • A genuine physical address must be included in the email.
  • The sender must be clearly identified.”

For more information, check out: Prospect.io



Another subsidiary of Freshworks: it provides its customers with an automated IT help desk that combines IT Project and IT Asset Management. Freshservice shows its commitment to the principles of the GDPR through a dedicated page that informs its users of the steps Freshservice has taken to be compliant, as well as the specific features it provides to make its help desk, and consequently your business (if you use them), GDPR compliant. Not only that, Freshservice seems to have mastered Privacy by Design, as they themselves claim:

“Programs, projects, and processes at Freshservice are aligned to Privacy Principles right from the inception of an idea or project…”

For more information, check out: Freshservice


Crankwheel is a screen sharing tool that works on any device and apparently also with a bad network connection.

Within their privacy policy, they have divided their sub-processors into function-based categories and they link their respective privacy policies. Their headings are concise and add value to the content of the privacy policy. They even give advice in their privacy policy on how their customers can comply:

“How Data Controllers Using CrankWheel as a Data Processor (Sub-Processor) Should Prepare”

For more information, check out: Crankwheel


This workflow management tool simplifies your daily work tasks by helping you create a process list and a checklist to see what has been done and what still needs to be done for certain repetitive tasks at work. It basically simplifies your work by allowing for integrations as well as reusing checklists and procedure documents.

It comes as no surprise then that their GDPR compliance is succinctly explained in an article: GDPR Statement. Simple and easy just like the gist of their service.

For more information, check out: Process.st


An ecommerce platform that enables entrepreneurs and marketers to focus on growing their business. It allows you to use drag and drop to build your website, build your payment system and also collect data in a GDPR compliant manner. They have a dedicated page with a checklist for their GDPR efforts as well. Our favourite part about their checklist is the transparency that they show. Take a look at this pointer:

“Thoroughly test all of the changes to verify & validate compliance with GDPR – IN PROGRESS – ETA 8th June 2018”

Not only are they making efforts to be compliant, they even have a goal set for the time that they want to reach it in. #lifegoals

For more information, check out: Subbly


This Bulgarian company provides a Google Mail tool for task management that makes separate project management tools unnecessary for your business. You can do it all from your Google mailbox.

Their GDPR compliant Privacy Policy is structured by their apps and services. They have divided it into what each of their different applications (for instance, their Android mobile app, their extension and their default settings) collects and does with the data. They concisely mention all the relevant and important information.

For more information, check out: Yanado

In this article, we have picked 25 different tools on our own that have taken measures to be GDPR compliant software. We have not reached out to these companies because we wanted to be unbiased in our evaluation of their GDPR efforts. Of course, there is no guarantee of what they actually do in practice, but if their privacy policies and the information about the GDPR they give their users are any indication, our guess is that they really do care about their customers’ data. So if you are looking for Sales and Marketing or Productivity related tools, just click on the link in the article and buy them! We recommend using one of these tools instead of one that might or might not be GDPR compliant.

Disclaimer: We do not claim that these are 100% GDPR compliant software. We have not done an internal audit. We researched 100 SaaS startups. The information on their websites is the only information we used to assess their GDPR compliance.

And if you need to do any GDPR related documentation for your company, sign up now! It takes less than a minute.

GDPR Regulation

GDPR Regulation - What Are the Long Term Implications?


The General Data Protection Regulation (GDPR) was created on 14 April 2016, but the new regulations were enforced starting 25 May 2018. So far, the new laws and regulations focus on protecting personal data, yet the long-term implications of the GDPR regulation are still relatively unknown.

It does, however, give users more control over their data, may create a different digital infrastructure, and will lead to new businesses being established following its introduction.

In this article, I’ll briefly introduce the GDPR regulation, why the European Union wanted such regulations, and the long-term implications for businesses as well as for EU citizens once all the dust has settled around its introduction.

Let’s get started.

What Is the GDPR?

The European Parliament’s intention in introducing the GDPR is to enhance the privacy protection of European citizens by making sure the people and businesses that handle personal data do so in a proper and secure way.

The GDPR is a regulation enacted by European countries and it therefore applies to any data subject residing in the European Union, but it doesn’t stop there. Any cross-border or internationally operating company that processes data of EU residents is obliged to comply with the new GDPR regulations. For example, Facebook, Google, Twitter and Aliexpress are included, but so is a digital marketing firm in the U.S. handling social campaigns targeting German customers.


Why was the GDPR Introduced?

The GDPR was introduced because most businesses failed to protect data properly, and personal data was abused by companies without the customer having the slightest idea about it.

Something similar occurred during the 2006, 2007 and 2008 financial crisis attributed to the banks. The banks also “promised” to self-regulate: they didn’t need any third-party influence or regulation, they could regulate themselves – not.

Europe has seen banks fail to self-regulate, and internet companies are now in the same position roughly 10 years later. The amount of legal jibber-jabber in privacy and terms of service statements on websites was the norm. It was specifically designed so that only a person with a legal background could make something of it, and so vague that any legal action against the website owner could be avoided.

Thus, the EU decided that companies needed the GDPR in order to comply with a certain set of laws and regulations, as they wouldn’t do this by themselves. The fines for not following the GDPR regulations are pretty serious too.

There are two different levels: lower level and upper level. The EU’s GDPR website states the following regarding the fines:

Lower level

Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.

Upper level

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.

To put that into perspective, Facebook generated an annual revenue of 40.653 billion USD. So, in any case of infringement, Facebook would receive a fine of 1.63 billion USD.


Businesses Shift Focus

An important aspect of the long-term implications of the GDPR regulation is the outcome the legislation is meant to produce.

Simply put, the focus will most likely shift in the direction of giving internet users more power and control over their own data. In return, individuals and businesses must in fact improve their privacy statements, compliance and governance procedures, and terms of service.

Many companies have already made the required changes to their privacy and terms of service statements, which many of us received emails about – yet editing some statements is just the beginning.

This means that new companies will also rise from the implementation of the GDPR regulation in order to help customers select a service or product tailored to their specific privacy needs. I’m talking about services such as a web browser or a phone contract whose choice doesn’t only depend on quality, speed or price, but also on your privacy values.


Online Advertising Market

Online advertising will definitely change in the future, especially if the GDPR regulation model is adopted by more countries – the U.S. could have a huge impact.

Currently, the major players in the advertising field like Facebook, Instagram and Google Adwords are dependent on data sharing of their users, tracking cookies, shadow profiles and other tracking techniques that create profiles of each user. These profiles are then used to offer the most relevant ads to the customer.

However, that model might need innovations and improvements once people start to block tracking cookies. At this point, Facebook is still creating shadow profiles of people who don’t even have Facebook, but this might change in the future. Also, people could prevent companies from using their data to target relevant ads.


ePrivacy in GDPR’s Footsteps

Shortly after the enforcement of the GDPR regulation, the European Union started working on a new set of regulations called ePrivacy. But what is ePrivacy exactly?

AtInternet defines the new ePrivacy regulation as follows:

“The proposed Regulation on Privacy and Electronic Communications, also known as the ePrivacy regulation, is a proposal from the EU Commission designed to strengthen the protection of EU citizens’ private lives, and create new opportunities for business.”

The regulation will follow closely after the GDPR regulation and will regulate electronic communications and non-personal data (the cookie law), and it has different legal precedents. The regulations will mostly deal with browser cookies, their function and their controls – from websites to the browser.

The ePrivacy regulations aren’t enacted yet; however, they are expected to be introduced sooner rather than later. As this is only the first set of new regulations to follow the GDPR, I won’t be surprised if more regulations follow, especially if other countries follow Europe’s example of designing new privacy laws, because most countries have extremely outdated online privacy laws and regulations.


Privacy Groups Exploit GDPR

As briefly mentioned before, new businesses will establish themselves following the introduction of the GDPR regulation. The new legislation also provides the ability to file class-action complaints, which is a rather uncommon style of filing complaints in Europe. These types of court filings are mainly common in the U.S.

Simply put, people or groups can join forces and file data privacy complaints as a group rather than as an individual. I expect companies to establish themselves as mediators for these groups and they’ll carry the legal workload for a certain percentage of the fine.

For example, take a look at flight compensation businesses like AirHelp. As stated on AirHelp’s website:

“Flight delays happen, but that doesn’t mean you have to accept them. You may be entitled to as much as $700 in compensation if your flight has been delayed, canceled or overbooked within the last three years.” 

99% of the people won’t be able to or don’t have time to file a case against an airline to receive compensation. But it’s incredibly easy through a company like AirHelp, where you input the flight details, your story and it’s processed through already established funnels to get your money back. It’s almost like an automated machine.


Who Might Get Caught: Enforcing Legislation

Facebook has been in the news relatively often in the wake of the GDPR regulation, and especially Mark Zuckerberg’s performance in front of the U.S. Congress and the European Parliament, which was, well… interesting. Many people might consider Facebook one of the first to receive a huge fine from the GDPR regulators. I believe this to be incorrect.

Facebook has “limitless” resources for legal teams and other experts who can help the company to comply with all the new rules and regulations. Therefore, I think the first companies to be fined are small U.S. webshops, cloud tools, advertising application vendors and so on.

These businesses handle, store and use a lot of EU citizens’ personal data to either run their business or optimize their business models. Due to the large quantity of EU data involved and potentially small budgets for following the new regulations, the first victims may fall in this industry.

It’s going to be interesting to see how companies are going to be fined, how quickly, how many and how often in the future. It’s yet to be seen how many regulators are going to go after businesses that fail to comply.


My Final Thoughts

At the end of the day, it’s a bit too soon to tell what’s really going to happen in the future. That might not provide a satisfying answer to the very core of this article; however, it’s simply too hard to predict right now and it’s mostly speculation.

There are also a lot of other factors at play that may or may not have a huge impact on the further development of the GDPR regulation, and potentially other regulations by the European Union as well as other countries.

Personally, I’m especially interested to see whether the U.S. government is going to take any actions in regards to U.S. data privacy and data protection. If so, what regulations might be introduced? Also, it’s hard to tell whether the new regulations are going to strengthen the tech-giants or weaken them.

It’ll largely depend on how strictly EU regulators enforce the new regulations and whether they’ll get bigger budgets in the future.

Yet, are people prepared to trade their online privacy for convenience, and if so, up to what point? Only time will tell.

Pixel Privacy

Bill here from PixelPrivacy.com. My blog is all about making the world of online security accessible to everyone. I pride myself in writing guides that I’m certain even my own mom could read! Be sure to head over to my blog if you’re interested in keeping your private information just that: Private!

GDPR Checklist

The Most Comprehensive EU GDPR Checklist

This GDPR checklist has been crafted according to the GDPR compliance requirements. Moreover, this is the only GDPR checklist you will ever need.

Before going through the GDPR checklist, it is important to repeat some basic steps. The first starting point is to know about the general rights that your customers/users will have:

Data subject rights: these are rights of your customers and users under the General Data Protection Regulation (GDPR).

Data portability: the right of an individual under the GDPR to transfer their data to other data controllers. Essentially, this means that consumers can move from one company to another through quick and efficient data transfer.

The right to be forgotten: customers/users can ask you to delete all their data.

The right to prevent profiling: profiling can be through automated decision-making or through other forms of decision-making that process the personal data of an individual and reach conclusions about that individual.

The right to object to processing: your customers can restrict you from processing any category of their data that you have.

The right to rectification and erasure: this refers to editing data and restricting access to certain types of data.

Subject access requests (“SARs”): these are requests that your customer/user can make at any point in time asking you for data that you have on them and how it is used.

Reiterating the Basic GDPR steps

First, take stock of all the data that you are collecting and processing. If you are a controller, ask yourself why you are collecting this data as a guiding principle. If you are a processor, ask yourself: on whose behalf are you collecting this data. This is the most crucial part of our GDPR checklist.

  1. Appoint a DPO:

A Data Protection Officer can be internal or external to your company. If you appoint someone internally, make sure they have autonomy as well as access to the Managing Directors and upper management. This is primarily so that they can carry out their data protection duties and responsibilities independently without undue stress and blockades. Once this is done, sign an agreement with the relevant person. One prerequisite for assigning a Data Protection Officer, according to the legislation, is that it should be someone with a reasonable capacity for the job. That means your DPO should have a comprehensive understanding of the General Data Protection Regulation (GDPR).


It is necessary that you appoint a Data Protection Officer (DPO):

1.1. If your organization’s core business includes processing massive amounts of personal data as well as monitoring your users, or, as they are known in GDPR lingo, Data Subjects. Personal data is the following types of data:

  • Data that directly identifies a person, such as a person’s name, surname and phone numbers, among others.
  • Pseudonymous data, or data that identifies a Data Subject indirectly: it does not allow the direct identification of users but allows the singling out of individual behaviors, for example through targeted advertising, to serve the right ad to the right user at the right moment.

1.2. When your organization deals with a large amount of sensitive data, meaning any of the following:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or a natural person’s sex life and/or sexual orientation

2. Data-mapping:

The second most important part of the GDPR checklist is to make a map of all the data and specify all the departments that touch the data in its collection and processing. The data that is being used needs to be categorized for its legal basis to become clear. The legal basis could be consent, legitimate interest and contractual necessity among others.

To assess where data is traveling, you need to create a mind-map of it to help guide your compliance processes.

3. You should make sure to document all aspects of your company’s interactions with data. Here are the questions you should be able to answer:

Why was the data gathered in the first place? What is its purpose?

Upon what legal basis are you justifying holding that data? Consent or legal requirements?

3.1. Your Record of Processing Activities falls under this step.

Think of all the steps in your mind-mapping process. Who has access to the data at each step? Through documenting your processes, you will have a much clearer and better understanding of your own company’s data collection and management strategies, as well as of what the compliance process entails for you. One piece of documentation that you will definitely need is a data protection impact assessment (DPIA).

3.2. Vendor Management

How are you protecting that data from breaches? What else is that data being used for? Make sure you have listed all your vendors and your customers/users know that you are sharing their data with other parties.

4. Data Breaches

Be honest and transparent about any data you collect. In the case of a breach, whoever obtains the data may disclose it. Your customers need to be aware of what data you’re storing. Here you can read more about how modern businesses need to think about data: https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust

Security breaches that target the data your company collects and processes can take place, and they need to be dealt with along the guidelines provided by the GDPR. The crucial point under the GDPR is to inform your users/customers of the breach. Given the importance the EU has placed on personal data, it does not come as a surprise that the relevant stakeholders must be made aware when their data has been touched, no matter how briefly, by other parties that did not have authorization through consent. In such a case, the relevant data protection regulatory body must be informed within 72 hours of becoming aware of the breach at the latest.

The same time limit applies to the data subjects whose data you collect and use: the company must contact all individuals and make them aware that their data has been breached. However, companies do not need to do this if the data has been encrypted to the point of being incomprehensible, or if the data controller has taken the necessary steps to make sure the breach doesn’t put rights or freedoms at risk. If it would take a disproportionate effort to contact every Data Subject individually, then a public announcement would also fulfill this requirement.

5. Data Subject Access Requests:

This is the crucial part of the GDPR checklist, since it was not available in previous data protection laws. This is one of the basic rights that the GDPR sets out for consumers. It essentially means that data subjects can at any point ask you what data your organization has collected about them. These access requests cannot be charged for, even if it takes a lot of time for you to deal with them. Moreover, the data controller needs to respond to them within a month. The legislation also sets out the general principle for when a Data Controller can charge the subject for relevant administrative costs: if it can be demonstrated that the request is “manifestly unfounded or excessive”. This way, it balances the individual’s rights against the company’s right to receive some protection against abuses of this provision. Here is a basic summary of this article as outlined in the GDPR:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

6. Technical Checklist

As part of the GDPR checklist, this checklist will guide you through the technical steps that your organization needs to take.

6.1. Make sure your domain names are secured. You can do this by renewing them regularly, and if you buy them from a third party, make sure that the authoritative name server configured for them is your own and that your critical services are secured.

6.2. A lot of companies use Google Apps, Slack and WordPress in their daily business lives. These services all have default settings that should be improved to increase the security level of your organisation. You also need to ensure that all your services and apps are updated so that new security settings, as well as GDPR compliant settings, are implemented. Here’s one source you can look at for inspiration on making your Google apps more secure: https://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/

6.3. As tempting as it might be: do not share Wi-Fi

Shared workplaces are quite the norm these days, which consequently means sharing Wi-Fi networks among companies, guests, students or neighbours. This may open you up to security breaches: people could gather information that is on your network, and it might even allow people to access resources protected by source IP. Make it a habit to change your password periodically.

6.4. Develop and communicate a security breach incident response plan

This will allow whoever is in charge at the time of a breach to communicate accordingly about an incident and will allow the fastest response in technical / communication terms.

6.5. Incentivize finding bugs

You could potentially have an external or internal bug bounty program that incentivizes external hackers as well as internal employees to report vulnerabilities. Once reported, these vulnerabilities need to be checked by developers or others in your development teams with the know-how to evaluate any reports you receive.

6.6. Educate your Technical and Non-technical employees

Quite often your employees and human capital will be the ones who might make you more vulnerable which is why it is imperative that you make sure they are aware of how hackers or other parties can infiltrate your company. By increasing their level of awareness, you are reducing the risk of them falling into a trap. Usually, companies forget to train their non-technical employees. However, they might be the ones you would want to train even more carefully since they lack the expertise to recognize and deal with such cyber-attacks and vulnerabilities.

6.7. Include using 2-factor authentication in your employee handbook as a rule

This would ensure that all your employees’ accounts are safe: in case their password gets stolen, the attacker still cannot access their accounts and your company’s information in them. As a CEO/CTO/CSO, your role is to make sure everyone complies with this rule. Using a complex and unique password for every website is great advice, but it can be very difficult to recall passwords.

Password managers are a great way to manage these since they will remember everything for you with a master password.

6.8. Encrypt the devices

By encrypting company laptops and phones, you protect your company’s assets. Before doing this, you might want to take stock of all your company assets and perhaps segment the employees into categories of security levels needed in line with their jobs.
Here is one source you can read for encryption related procedures: https://support.apple.com/en-us/HT204837

6.9. Encourage best practices like “locking” devices and strengthening passwords

Whether employees are leaving the desk for a minute or an hour, encourage them to lock their devices and make it a habit. This protects your company assets from attacks as well as random accidents. Remember, your work environment might be secured, but at one point or another you will have external guests or candidates for interviews who could potentially get access to your data, sometimes even by a quick glimpse of a screen. Moreover, when your employees are traveling or go to meet-ups, this habit would help them keep company information secure. You can research password managers, pick a good one and suggest it to your employees.

HR Checklist

This HR checklist is mostly part organizational measure and part technical measure under our GDPR checklist.

  1. Create a data log: consider what data of your employees you process and create a log as part of your Record of Processing Activities (RPA). As is stated previously you need to specify the following to document the data to be compliant:
  • the type of data (e.g. personal, or special personal (which used to be called sensitive))
  • The categories of data (e.g. recruitment information, bank details, performance information, absence details)
  • Who the data concerns (e.g. employees, next of kin, applicants for jobs etc.)
  • Who has provided the data to you (e.g. the applicant/employee themselves, credit reference agencies, recruitment agencies or other employees)
  • Specify your legal basis to process (e.g. to perform the employment contract, complying with a legal requirement or legitimate interests or other. Consent as a legal basis when it comes to HR related tasks will rarely apply. Think of the legal requirements that you need to fulfill as a legal basis to justify collection and processing (for e.g. complying with employment law or assessing the working capacity of an employee).
  • The purpose of processing (e.g. to pay the employee, for tax reporting purposes, to manage performance)
  • Where and how the data will be stored and who will have access to it for e.g. HR software, tax consultant, printed payslip files
  1. Data transfers: update your vendor list and log it separately. You should also include any events of data being transferred, including who data was transferred to, when it was transferred, where they are storing it, and how you transferred the data. If you are transferring any personal data outside of the European Union (EU) you need to specify what protections are in place and also sign the relevant Data Protection Agreement with your partners.  
  2. Specify when exactly data will be deleted: here you can segment your Data Subjects into employees, applicants or any other categories that make sense for your case. For instance, for a job applicant, you could make it a part of the policy to delete the data periodically of rejected employees every month/quarter. However, you need to be able to justify this time period.
  3. Do you carry out any automatic decision making or profiling for e.g. electronic recruitment sifting based on academic achievements, psychometric testing or other metrics? Add it to your RPA
  4. Do you need to carry out a data protection impact assessment and when you are likely to need to do so in the future (e.g. due to the fact that you carry out or will carry out high-risk processing or will be introducing new HR technology)
  5. Check your IT infrastructure allows you to be compliant Your IT infrastructure will be highly relevant to two main themes in terms of GDPR compliance – security and employees’ rights. Security issues:
  6. Consider Employee rights: Do your automated decision-making processes allow you to deal with objections and involve a human decision maker if requested?
  7. How will you respond to Data Subject Access Requests: Can you easily search for all data relating to a particular individual? This will make responding to subject access requests from your employees or prospective employees much easier. Can your employees restrict the processing of their data? Or correct errors?
  8. What processes do you have for an employee to exercise their right of objection? Have you assigned this responsibility to a relevant person?
  9. How will you achieve the deletion of personal data, across the business, at an employee’s request in relevant situations?
  10. Is exporting data from your system possible? .csv, .pdf or .txt files are commonly accepted formats. This will allow you to manage portability or, in layman’s terms, to transfer the data to the employee or to a future/former employer at their request.
  11. Update your data protection policies and employment contracts: Once you have made all the necessary changes it is imperative that you also inform all your employees and other stakeholders when necessary.
  • Privacy notice to staff
  • Data protection policy
  • Data breach reporting policy
  • Subject access policy
  • Data retention policy
  1. Ensure staff have the correct training: make sure all your employees receive an adequate level of training for handling personal data, specific to their job role. They must be informed of the correct policies and procedures. Training needs to be refreshed on a regular basis and you need to keep records of the training provided.
  2. Assess and take necessary measures with all your partners that in some way touch your data.
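The retention step and the subject-access steps in the checklist above, as an added example that is not part of the original checklist: a small Python register with a written retention period and justification per data-subject category, and a machine-readable export of everything held on one individual. Every record, period and justification in it is a constructed placeholder, not legal advice.

```python
"""Added example, not code from the page: a small HR personal-data register
that applies a written retention schedule per data-subject category and
answers a subject access request with a machine-readable export.
Records, periods and justifications below are constructed placeholders."""
import csv
import io
import json
from dataclasses import dataclass
from datetime import date, timedelta

# One rule per data-subject category: the period and the written
# justification the checklist asks you to be able to give. The periods
# are assumptions for illustration, not legal advice; None means no fixed
# period while the relationship is still active.
RETENTION_SCHEDULE = {
    "rejected_applicant": {"days": 180,
        "justification": "Kept to answer discrimination claims; reviewed quarterly"},
    "former_employee": {"days": 6 * 365,
        "justification": "Payroll and tax records kept for the statutory period"},
    "employee": {"days": None,
        "justification": "Retained for the duration of the employment contract"},
}


@dataclass
class Record:
    subject_id: str
    category: str
    system: str         # where it lives: HR software, payroll, tax consultant...
    field: str
    value: str
    trigger_date: date  # when the retention clock started (rejection, leaving, hire)


def records_due_for_deletion(records, today):
    """Records whose retention period has elapsed on `today`.
    An unknown category is an error: every category must have a rule."""
    due = []
    for r in records:
        rule = RETENTION_SCHEDULE.get(r.category)
        if rule is None:
            raise ValueError(f"no retention rule for category {r.category!r}")
        if rule["days"] is None:
            continue
        if r.trigger_date + timedelta(days=rule["days"]) <= today:
            due.append(r)
    return due


def due_subject_ids(records, today_iso):
    """Convenience wrapper taking an ISO date string such as '2018-07-15'."""
    return [r.subject_id
            for r in records_due_for_deletion(records, date.fromisoformat(today_iso))]


def deletion_log_entry(record, today):
    """Audit line to keep with the RPA: what was deleted, where, and why."""
    rule = RETENTION_SCHEDULE[record.category]
    return {"subject_id": record.subject_id, "system": record.system,
            "field": record.field, "deleted_on": today.isoformat(),
            "retention_days": rule["days"], "justification": rule["justification"]}


def subject_access_export(records, subject_id, fmt="json"):
    """Everything held on one individual across all systems, as JSON or CSV."""
    rows = [{"system": r.system, "field": r.field, "value": r.value,
             "category": r.category, "trigger_date": r.trigger_date.isoformat()}
            for r in records if r.subject_id == subject_id]
    if fmt == "json":
        return json.dumps(rows, indent=2)
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.DictWriter(
            buf, fieldnames=["system", "field", "value", "category", "trigger_date"])
        writer.writeheader()
        writer.writerows(rows)
        return buf.getvalue()
    raise ValueError("fmt must be 'json' or 'csv'")


# Constructed sample register (no real people or accounts).
SAMPLE = [
    Record("A-001", "rejected_applicant", "ATS", "cv", "cv_a001.pdf", date(2018, 1, 10)),
    Record("A-002", "rejected_applicant", "ATS", "cv", "cv_a002.pdf", date(2018, 6, 1)),
    Record("E-100", "employee", "HR software", "address", "1 Example Street", date(2015, 3, 1)),
    Record("E-100", "employee", "payroll", "bank_account", "IBAN-PLACEHOLDER", date(2015, 3, 1)),
    Record("E-050", "former_employee", "tax consultant", "payslips", "payslips_2011.zip",
           date(2011, 12, 31)),
]

if __name__ == "__main__":
    today = date(2018, 7, 15)
    for rec in records_due_for_deletion(SAMPLE, today):
        print(json.dumps(deletion_log_entry(rec, today)))
    print(subject_access_export(SAMPLE, "E-100", "csv"))
```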

Sales & Marketing Activities related to the GDPR Checklist

This is probably the newest and toughest part of the GDPR checklist, since it takes time.

1. Check and audit your mailing lists. Basically, you need to remove anyone from whom you do not have an opt-in, or for whom you have not recorded that opt-in. For new subscribers, make sure that the potential subscriber confirms that they want to join your mailing list by sending an automated email to confirm the subscription.

2. Review the way you are collecting personal data. Are you still buying mailing lists? If so, now might be the time to start fresh with a new mailing list obtained from informed customers, for whose e-mail addresses you have a legal basis. Delete all e-mail addresses that you have not obtained with proper consent or another legal basis. One way to still acquire users or convert visitors is to offer visitors to your website the opportunity to add themselves to your mailing list via a pop-up.

3. When taking consent, make sure you provide a link to your privacy policy that tells people exactly what you will do with the data.

4. Educate your Sales and Marketing Teams about what is legally possible and the practices that they need to drop for instance: cold emailing/cold calling (where the e-mail address and/or phone number has not been taken through proper consent).

5. Make sure your customer data is part of your Customer Relationship Management (CRM) system. This will help you allow users to edit their data, review how exactly it is being used and access it in a machine-readable format.

6. Collect only the data that is necessary for your sales or marketing effort. Ask yourself which categories of data you actually need, and which ones you can simply delete. When it comes to sign-up forms, only ask for the elements you need and will use.

7. If you do not already use them, try out push notifications. Marketers can use push notifications to send a message to subscribers at any time. They are especially helpful in the post-GDPR world because they do not process personal data (IP addresses are anonymised) and ask for explicit consent to opt in and receive notifications.

8. Make sure your privacy statement is updated and easy to read (not 1000 pages long, and free of jargon).

GDPR Checklist for Data Protection Impact Assessment for Projects

According to the GDPR, a Data Protection Impact Assessment (DPIA) is required when an organisation undertakes a new project that carries considerable risks to the rights and freedoms of individuals, in particular with regard to data protection. When organisations identify such a risk in a new or existing operation, these are the suggested steps:

1. Figure out if there’s a need for the DPIA – conduct an assessment and determine whether the inherent risks of the processing operation require you to undertake a DPIA. In general, these are some high-risk activities for which you would probably need to conduct a DPIA:

  • Large-scale processing of location data relating to individuals
  • General big data analytics
  • Large-scale processing of HR data with potential for significant effects on employees
  • Video/audio analysis tools
  • Creating large-scale individual profiles
  • Analytics with significant effects for individuals
  • Reward programs that generate profiles
  • Fitness wearables and apps

2. Understand and describe the flow of information – create a map of how the information within the particular processing operation is collected, stored, used and deleted.

3. Identify all the risks – document the threats, their scope and the vulnerabilities involved, and the resulting risks to the rights and freedoms of the individuals whose data you collect and/or process.

4. Assess your privacy solutions – for every risk that you have identified to the personal data, do a cost-benefit analysis and decide on whether you want to accept the risk, reject the risk or accept it but with measures in place to reduce the impact of the threat.

5. Document the DPIA results – create a report that is signed by the decision-maker. Where a high risk has been identified, the DPIA report must be submitted to the data protection authority for consultation.

6. Incorporate the results into your project plan – make sure at every important project milestone that you refer back to your DPIA to ensure that when actions are needed to counter a risk they are actually taken.

Hope you found this comprehensive GDPR checklist useful. As a general principle, you should remember that any obscure collection and processing of data should be questioned. Educating your employees will always prove to be helpful in staying compliant with the GDPR. Is there something you find missing in this GDPR checklist? Work together with us on this checklist!


Image Credit: Pixabay mohamed_hassan-5229782/

A Beginner's Guide To School Data Protection Policy

As an educational institution, you will have unique stakeholders who will be impacted by the General Data Protection Regulation (GDPR). The School Data Protection Policy guide will take you, step by step through the necessary actions you need to think about and conceptualise your compliance around.

Who will be impacted by this Data Collection?

The first step, as with any organisation taking its first steps to comply, is to understand how data travels through your organisation and who touches it along the way. The questions to think about here are the following:

Whose data are you collecting?

For a typical school this would include the contracts of your teachers, teaching assistants, administrative staff, principals and vice principals, but also of caretakers and students. All of this is categorised as personal information. It also includes any digital or other pseudonyms by which a person can be identified.

These are the types of data you must map:

Personally-Identifiable Information

Any data that can help identify an individual. Examples of personal data include name, location, personal identification number, hair colour, lists of customer (parent, student) names and addresses, IT usage data, traffic data, information about education, income and licence plates.

Sensitive personal data

Like personal data, its main purpose is to help identify an individual, but it is more harmful to the individual’s privacy if breached. Examples of sensitive personal data include religious beliefs, race, political opinions, sexual orientation, physical and mental health conditions, biometric data and genetic data.

Biometric data

Any data that is used to identify a human being by his/her unique characteristics. Digital fingerprints are one example of biometric data. The GDPR states that the processing of such data is prohibited unless the data subject (user/consumer) has provided the consent and the processing is necessary for specific reasons such as protecting the vital interests of the individual.

Updating the parents

As a school, you will naturally have a lot of students who will be too young to give you qualified consent. This essentially means that you have to inform the parents about all your data processing activities and obtain consent from them.

As providers of childcare as well as providers of education, it is important for you to create an atmosphere of trust and build up your reliability among parents pertaining to Data Protection. Steps to ensure that the parents and their families’ data is being adequately protected will reduce the subject access requests later.

Below are the important points you need to mention in your letter to the parents. Make sure you customise it to your needs: a kindergarten will have different data collection and processing methods than a high school.

You should start off with a brief description of what the General Data Protection Regulation (GDPR) is. In this part, you should also inform the parents of their rights:

The rights of the data subject (individual):

  • information about the processing of your personal data;
  • obtain access to the personal data held about you;
  • ask for incorrect, inaccurate or incomplete personal data to be corrected;
  • request that personal data be erased when it’s no longer needed or if processing it is unlawful;
  • object to the processing of your personal data for marketing purposes or on grounds relating to your situation;
  • request the restriction of the processing of your personal data in specific cases;
  • receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
  • request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right, in this case, to express your point of view and to contest the decision. (EU GDPR, 2018)

Access for Parents

Explain how they can access your privacy notice and data protection policy (this could include a link to your website), and how you are complying with the new regulations:

  • what data you are storing
  • how you are storing it
  • how you are sharing it and with whom
  • how long it is retained for
  • how it is destroyed and when

Inform them who they need to contact (ideally your Data Protection Officer) with any questions they may have on data protection or to request access to information.

Include a link to your Data Protection Authority’s website so parents can learn more about the GDPR if they are interested.

You could also ask parents to review the information you are storing on them and their child and to confirm that it is still current, or make amendments as appropriate, and to revisit consent for the use of photographs of their child.

You may use this communication as an opportunity to ask parents to sign a new contract with your organisation that includes new data protection wording compliant with the GDPR.

Using Online Tools in Schools under The GDPR

The GDPR and Data Protection Act 2018 says that only children aged 13 and above are able to provide their own consent for commercial internet services to process their personal data.

Online service is the only context in which the GDPR and DPA 2018 define the age at which children can provide consent.

A Child’s Consent Under the GDPR

Conditions applicable to child’s consent in relation to information society services

  1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

     Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

  2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Services provided ‘directly to a child’

This rule applies specifically to services which are considered to be provided “directly” to children, and where consent is the lawful basis for processing the child’s personal data.

“Directly to a child” means that a child can access the service independently – for example, via an app store. This is irrespective of whether the child signs up independently or whether the service is provided to them under a contract between the service and their school (or another organisation).

These services are referred to as “information society services” in the regulations, and include social media, educational apps and online platforms.

The rule described above is primarily directed at providers of such services. Typically, a child signs up and submits their personal data directly, so the provider needs a lawful basis to process this data.

Prerequisites for your Organisation’s Compliance

Document all personal data your Organisation holds

GDPR requires you to maintain records of processing activities. If you want a detailed guide on how to do this, read our blog on it.

Your organization must document all the data that it holds, where it came from and how it uses that data if it somehow refers to an identifiable person. Furthermore, your organization must be able to submit up-to-date reports, so-called records of processing activities (RPA), to the competent data protection authority at all times.

Developing the records of processing activities is also a key step because it enables the organisation to evaluate the whole process and understand where corrective measures have to be taken. Without such a record, compliance with any further requirement of the GDPR can never be achieved!

Checking if your data processing adheres to the individual rights

Now that you have sorted your data, you have to legally review all procedures concerning personal data. Are they compliant with the GDPR or not? The answer is complex and usually the work of a lawyer. Generally, you must keep in mind that processing activities concerning personal data might affect the rights of the individuals. Those processing activities therefore always have to be justified.

Requests for subject access

Your organisation should update the procedures and must plan how you will handle subject access requests to take account of the new rules. In most cases, you will not be able to charge for complying with a request.

You will have a month to comply, rather than the current 40 days.

You can refuse or charge for requests that are excessive, but you will need to provide requesters with their data in a machine-readable format. If you refuse a request, you must tell the individual why, and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest within one month.

Data Protection Officer (DPO)

Your organisation will probably have to appoint a DPO to take responsibility for regulatory compliance.

This DPO will report to the highest position in the firm and has to make sure the organisation takes the measures needed to bring its processes and information flows in line with the GDPR. Specific conditions govern when a DPO is mandatory; even where it is not, it is a good idea to have a specialised role within the organisation.

Another option is a virtual DPO, that can help your Organisation be GDPR compliant. The best part is that it costs much less and reduces Organisation man-hours involved by 75%!

Data Protection Impact Assessment and Protection by Default and Design

Your organisation has to evaluate in depth the type of processing activities it will require for each item of data it collects, and analyse the risks they may pose to the data subject. Every piece of software used, activity performed and measure taken must have protection by design. This ensures that there will be no breaches or vulnerabilities regarding the security of this data and no harm to the rights of the data subject.

If the processing activities or the data is susceptible to high risks, an impact assessment must be performed to evaluate the right measures to be taken to minimize this risk. Important aspects to grant this security are pseudonymizing, minimization of the data, ensuring the erasure of data according to the consent deadlines, and granting access to the data subject.

Data breaches and notifications

Your Organisation must adopt internal procedures and require the same to third-party partners, in order to deal with data breaches.

Those procedures should include identification of the actual data breach, investigation of the circumstances of the breach, and assessment of the implications it may have both for the organisation and for the data subjects’ privacy.

One thing to remember is that the Supervisory Authority must be notified within no more than 72 hours when the data subjects are exposed to some kind of risk, and in those cases the data subjects also have to be notified.

Applying the rule in a school setting

The rule becomes more complicated to apply in a school setting if you’re using this type of service because consent will be between the child/parents and the service provider. So, if consent is refused, you won’t be able to use the service with those children.

Steps to take before you use any online service with pupils

  1. Determine whether pupils’ use of the service is necessary for educational purposes (see below). This will inform what lawful basis you can use if the school itself will be processing any personal data, and the measures you put in place to protect pupils’ data.
  2. Conduct a data protection impact assessment to identify and minimise the data protection risks and determine whether you should proceed.
  3. Look into the service provider to establish, to the best of your ability, whether it complies with data protection regulations.

What counts as necessary for educational purposes?

It’s up to you to determine this in your own context, but Forbes suggested that, typically, a service will be considered necessary where the nature of it will require the school and service provider to share pupils’ personal data between them.

For example, an online platform that supports or enables standardised assessments and decision-making will help to achieve learning objectives and is likely to need to receive personal data from the school and send personal data back in return – such as pupils’ scores. This may be considered necessary for educational purposes. Similar principles are likely to apply to a homework portal.

However, if you want to use a social media platform to research photos in class, this may be considered more of a ‘convenience’, with a higher risk to children’s privacy if you do not have a data sharing agreement in place with the provider. There may also be alternative approaches available with less risk to children’s privacy. This would be harder to justify as necessary for educational purposes.

Identifying a lawful basis

If pupils’ use of the service will require the school to process any personal data – i.e. if you need to collect and share data with the service provider, or will receive data back from the provider – you’ll need to identify a lawful basis for this.

If you can demonstrate that the service is necessary, then it’s most likely that you’ll need to justify this processing under the public task basis. Otherwise you’ll have to rely on consent if using the service isn’t necessary for educational purposes.

If the school will not need to process any personal data in order for pupils to use the service – i.e. if pupils will sign up independently and the school will not receive any data from the provider – then you’re not acting as a data controller and will not need to identify a lawful basis. However, this carries more risk and, as we explain later, you must not require pupils to use an online service where this is the case.

If the outcome of the data protection impact assessment is that you can proceed, take the steps below. If not, consider alternative ways to achieve the same aim with less risk to children’s data privacy.

Additional actions if the service is necessary for educational purposes

Note: this will be the safest option for you, and most likely the only justifiable one if you require pupils to use the online service.

Where you have determined and can demonstrate that using the online service is necessary for the education of a child, and justifiable under the public task basis, you should:

  • Enter into an agreement/contract with the service provider. This means you’ll retain control of the personal data and therefore minimize any data protection risks. Make sure your contract covers the terms and information about data protection required by the GDPR
  • Share only the personal data that the provider needs to perform the services
  • Incorporate information about your use of the service and the personal data you exchange with the provider in relevant privacy notices. You can also link to any privacy information from the provider

Additional actions if the service is not necessary for educational purposes

In this situation, you cannot require pupils to sign up for the service.

Where you’ll need to process personal data in order to use the service

You’ll need to rely on consent as your lawful basis if you’ll need to collect and share any personal data with the service provider, and/or receive personal data back when pupils are using the service.

Pupils or their parents/carers must be able to give or refuse consent freely.

You must:

  • Request consent, ensuring that your request meets the requirements of the GDPR, before using the service with the pupil.
  • Provide a privacy notice explaining what the programme or service does, why and how the school uses it, what data it will require from pupils, and what rights pupils have. You can do this by incorporating information on sharing data with third parties in your privacy notices, and by linking to privacy notices for the services you use in an appropriate place

You should also put in place a written data sharing agreement with the provider.

Where the exchange of personal data will only be between the pupil and the provider

In situations where a pupil will be signing up directly with the service, and no personal data will be exchanged between the school and the provider, the issue of consent and providing relevant privacy information will be between the provider and the pupil.

There will be no useful reason for you to obtain pupil or parental consent for this, as you’ll not be processing any personal data in relation to the pupils’ use of the service.

As stated above, you will not be able to require pupils to use services in this case.

If the purpose of using a service where the exchange of personal data will be between the pupil and the provider is to support the delivery of the curriculum, you should seek safer alternatives. For example, using social media such as Instagram and Pinterest in school to research, and share, images is difficult to regulate and monitor. In this instance, the curriculum could be delivered using other resources such as search engines for researching images and secure cloud storage to enable students to upload and share images.

If you decide to use social media platforms, you should ensure that parents are fully informed as to how it will be used and the potential risks associated with its use. Mark suggested that you seek parental consent in this instance due to the potential safeguarding risks. As explained above, parental consent will not be needed for the processing of personal data.

As a school, your responsibility lies towards your students which would usually mean getting parents on board. This law is essentially empowering for both organizations and consumers. It allows for you to garner trust among parents as well as build an organization based on the principles of Data Protection.


If you have any questions or concerns as a school about the GDPR, book a time with us.

Data Protection Policy

A Guide To Developing Your Data Protection Policy

According to the General Data Protection Regulation (GDPR), every company needs to have data protection goals. These goals also need to be translated into policies in areas that heavily process data. There are numerous such policies, one of which is the Data Protection Policy, which sets some of the criteria that a Data Protection Officer has to follow.

A company needs to also ensure that the principles of the GDPR are incorporated into their organizational structure. This is a step by step guide for how an organization can have compliant GDPR policies within their organization. It will start off with a memorandum to the Board of Directors informing them of what the GDPR will entail for the company. It will then give you a basic template of how to inform your employees about the collection and processing of their data.

Memorandum to Board of Directors

To the Board of Directors [add your Company Name] and its affiliates (Company):

The EU General Data Protection Regulation (GDPR) will become effective on 25 May 2018. The GDPR will bring considerable changes to data protection laws in the UK and across the European Economic Area (EEA). It will include significantly greater fines for breaches of up to €20 million or 4% of total worldwide annual group turnover. This memorandum summarises the need for a Company-wide programme (GDPR Compliance Programme), requiring the allocation of resources, for compliance with the GDPR.

Issues Concerning Data Protection Under The GDPR:

Under this section of the data protection policy, you should explain what type of data is being collected and processed, e.g. whether personal data is held by the Company relating to customers, employees or any other parties. The second part of this section should be an example of a map of personal data flow. You need to clearly lay out how the data travels within the company and record whoever touches this data, no matter how briefly. If this data is to leave the borders of the country your company is located in, make sure to mention that as well, since it will require signing a Data Protection Agreement with your vendors (international and local ones).

Reiterate in concrete terms what failure to comply would mean for the Company and the Board of Directors. You should also give a brief description of “Personal Data” as defined by the GDPR.

Here’s an example of how you can add both:

Personal data is defined broadly and comprises data relating to any living individual who can be identified from that data. Personal data includes, for example:

  • Social security numbers.
  • Telephone numbers.
  • Health information of, for example, customers and employees.

There are many potential ramifications of failure to comply with the GDPR, including:

  • Prosecution of or regulatory enforcement action against the Company, resulting in substantial penalties in European Economic Area (EEA) jurisdictions, including the UK, of up to 4% of an annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater).
  • Adverse publicity, potentially leading to reputational damage and lost customer trust.
  • Missed opportunities and wasted resources.
  • A variety of sanctions in different jurisdictions.
  • Increased scrutiny from data protection authorities whose confidence and powers are increasing substantially under the GDPR.
  • Civil liability or punitive damages for employment-related breaches.
  • Criminal liability for directors and senior managers resulting in imprisonment and substantial penalties.
  • Critical system delays and failures.
  • Orders issued by the Information Commissioner’s Office in the UK, and data protection authorities in other key markets, that seriously impact business. Investigative powers include a power to carry out audits, as well as to require information to be provided, and to obtain access to premises.
  • Business continuity issues.
  • Becoming embroiled in litigation and its attendant time, effort and expense.

An individual has a fundamental right in the UK and across the EEA to have their personal data protected and their personal data may only be processed (that is, obtained, recorded, held, used or disclosed) under certain circumstances. This has a wide impact on Company business.

The GDPR Compliance Programme:

A well-constructed and comprehensive Company-wide GDPR Compliance Programme can provide a solution to these various competing interests and represents an effective risk management tool. It is essential for compliance and for the purposes of informing your employees, customers, vendors, business partners, regulators and the courts that your company is, in fact, committed to the GDPR principles of data protection.

Board’s duty to know about and oversee the GDPR Compliance Programme:

You need to inform the board of what their duties and obligations are. Here’s an example of how you can do this in a comprehensive manner.

The Board has a duty to know about the content and operation of the GDPR Compliance Programme and to oversee its implementation and effectiveness appropriately. The GDPR’s new accountability principle requires data controllers to be able to demonstrate compliance with the GDPR by showing the supervisory authority (the Information Commissioner’s Office in the UK) and individuals how the data controller complies, on an ongoing basis, through evidence of:

  • Internal policies and processes that comply with the GDPR’s requirements.
  • The implementation of the policies and processes into the organization’s activities.
  • Effective internal compliance measures.
  • External controls.

Failure to comply with the accountability principle may result in the maximum fines of up to €20 million or 4% of total worldwide annual group turnover.

Implementing the GDPR Compliance Programme:

The prerequisite for this section is to already have an idea of what your implementation plan will look like. If you do not yet have a plan for how you will ensure compliance within your company, make sure you make one first. You can also follow the steps below to make a skeleton of this plan. It is essential that you have at least appointed a Data Protection Officer (DPO) and prepared your Records of Processing Activities (RPAs), which serve both as a Data Flow Map and as the basis of your plan. Here’s what you can do and subsequently communicate to your Board of Directors.

Data Protection Officer (DPO)

Under the GDPR it is now mandatory for the Company to appoint a data protection officer (DPO), reporting to the Board. The DPO’s role is to provide the knowledge, expertise, day-to-day commitment and independence to properly advise the Company of its duties and conduct compliance activities in relation to the GDPR.

However, taking into account the complexity and risks associated with the GDPR, we should in any case consider carefully whether to appoint a DPO reporting to the Board, with the responsibilities described above.

Organisational Culture

A co-ordinated chain of command (in which the Board is designated as having ultimate responsibility) will need to be developed, together with written reporting procedures, authority levels, and protocols, including seeking and complying with legal advice.

The Company should consider the establishment of a working group, drawing on stakeholders from across the business, to take responsibility for the day-to-day management of the GDPR Compliance Programme.

Standards and Procedures

The privacy policy, Data Protection Policy, IT Security Policy and Data Retention Policy [List any others] are key elements of the GDPR Compliance Programme. Amendments are likely to be needed to the existing policies. Separate policies may be appropriate where the Company collects different types of personal data for different purposes, such as marketing and recruitment. In each case, the policy needs to be accessible at every relevant personal data collection point, for example:

  • Call-center conversations.
  • Online account and job application forms.
  • Business acceptance procedures.

The Company will need to carefully review existing procedures in relation to obtaining an individual’s consent as a legal basis for processing personal data. For example, it will need to ensure that any consent obtained indicates affirmative agreement from the individual (opt-in, for example ticking a blank box). Mere acquiescence (for example, failing to un-tick a pre-ticked box) does not constitute valid consent under the GDPR. Furthermore, the Company must be able to demonstrate that this explicit consent has been obtained, and must ensure that an individual can easily withdraw their consent at any time.

The Company must also be in a position at all times to respond quickly to any data subject’s request (such as for a copy of all of the personal data held or to erase all such personal data). This is likely to require substantial modifications to the Company’s technological infrastructure and its organizational processes.

Other channels may be needed in certain circumstances, for example, the staff handbook regarding personal data collected from employee monitoring.

A written and comprehensive information security programme is needed to protect the security, confidentiality, and integrity of personal data held. It should set out action plans for any security breach, disaster recovery, and data restoration.

The Company should develop appropriate contractual strategies and have access to appropriate templates as a risk management tool.

Under the GDPR, the Company will also be required to implement “privacy by design” (for example, when creating new products, services or other data processing activities) and “privacy by default” (for example, data minimization). It must also carry out “privacy impact assessments” before any processing that uses new technologies and that, taking into account the nature, scope, context, and purposes of the processing, is likely to result in a high risk to data subjects.

The GDPR also requires businesses to notify the supervisory authority of all data breaches without undue delay and where feasible within 72 hours. The Company will, therefore, need to look carefully at its data breach response plans and procedures.

The above represents only a short synopsis of the requirements under the GDPR. Many more are not included in this note for the sake of brevity. Preparing for compliance with all of these requirements will need considerable planning across the Company.

Adequate Resources

Financial, technological and human resources should be sufficient to reasonably prevent and detect non-compliance and promote compliance with the GDPR.

Taking into account the number of employees, assets, turnover, Company business activities, a budget for [Insert Year] of £[Insert Amount] is proposed, broken down as follows: [Insert Breakdown Of Budget].

Training and Enforcement

Effective compliance training programmes are required for personnel at all levels, including directors, heads of departments and key Company service providers. Bearing in mind the above factors, a formally documented training programme with employee evaluation and attendance certification should be put in place as soon as possible.

Serious misconduct should be addressed with appropriate disciplinary action, regardless of seniority. An anonymous whistle-blowing mechanism should be considered, but legal advice should be sought before implementation in the UK and any other countries in which the Company carries on business.

Regular Reviews

From time to time, the GDPR Compliance Programme should be reviewed and updated in the light of new laws and business activities and changes to data flows and the introduction of new processing activities.

Informing your Employees

Establishing data protection as a pillar of the organization, and ensuring that all employees are on board and aware of it, sets the premise for the culture and workings of the company in general. After informing your Board of Directors, it is also important that you draft your agreements and get them signed by your employees. This works both as an agreement and as an awareness step.

Here’s a template for your employees:

Privacy Notice to Staff

  1. What is the purpose of this document (Data Protection Policy)?

You have legal rights about the way your personal data is handled by us, [Insert Name]. We are committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect and use personal information about you during and after your working relationship with us. It applies to all employees, workers, and contractors. This notice does not form part of any contract of employment or any other contract to provide services. We may update this notice at any time.

During your employment or engagement by us, we collect, store and process personal data about you. To comply with the law and to maintain confidence in our business, we acknowledge the importance of correct and lawful treatment of this data.

It is important that you read this notice, along with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you. This gives you information about how and why we are using such information. All people working in or with our business are obliged to comply with this policy when processing personal data.

  1. Our Role

We are a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. Data protection legislation requires us to give you the information contained in this privacy notice.

  1. Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited to those purposes only.
  • Accurate and kept up to date.
  • Kept only for such time as is necessary for the purposes we have told you about.
  • Kept securely.

  1. The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are “special categories” of more sensitive personal data that require a higher level of protection.

We may collect, store, and use the following categories of personal information about you:
[add all categories]

  1. How is your personal information collected?

Usually, we collect personal information about employees, workers, and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies [list them here, if any].

We will collect additional personal information during work-related activities throughout the period in which you work for us.

  1. How we will use information about you

We will use your personal information only when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract that applies to our working relationship.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest or for official purposes.

  1. Situations in which we will use your personal information

We need all the categories of information in the list above (see the kind of information we hold about you) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information for our legitimate interests or those of third parties, provided that your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are as follows [add all the situations in which you will use this data. Some examples would be ascertaining the terms of work, deciding about employment or monitoring equal opportunities metrics].

Some of the above grounds for processing will overlap and there may be several grounds that justify our use of your personal information.

  1. If you fail to provide personal information

If you do not provide certain information when we ask for it, we may not be able to perform the contract that applies to our working relationship with you (such as paying you or providing a benefit), or we may not be able to comply with our legal obligations (such as to ensure the health and safety of our workers).

  1. Change of purpose

We will only use your personal information for the purposes for which we collected it, unless we need to use it for another reason and that reason is reasonable and compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or allowed by law.

  1. How we use particularly sensitive personal information

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the situations below:

  • In limited circumstances, with your clear written consent.
  • Where we need to carry out our legal obligations and in line with our data protection policy or other policy that applies to such information.
  • Where it is needed in the public interest, such as for equal opportunities monitoring [or in relation to our occupational pension scheme], and in line with our data protection policy or other policy that applies to such information.
  • Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

Very occasionally, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

  1. Our obligations as an employer

We will use your particularly sensitive personal information in the following ways:

  • We will use information relating to leaves of absence, which may include sickness absence or family-related leave and related pay, to comply with employment and other laws.
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sex life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  • We will use trade union membership information to pay trade union premiums, register the status of a protected employee and comply with employment law obligations.
  • List any other circumstances where you may process personal data that reveals racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data; biometric data; health data; or data about an individual’s sex life and sexual orientation.

  1. Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will give you full details of the information that we would like and the reason we need it, so that you can consider carefully whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

  1. Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy or other policy that applies to such information.

Very occasionally, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

We [envisage OR do not envisage] that we will hold information about criminal convictions.

[We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.] [Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly from you while you are working for us.] [We will use information about criminal convictions and offences in the following ways: [add the list here]]

  1. Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration.
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

If no automated decisions are made at your company, use this: [We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.]

  1. Data sharing

We may have to share your data with third parties, including third-party service providers and other entities in the group.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the EU.

If we do, you can expect a similar degree of protection in respect of your personal information.

  • Why might you share my personal information with third parties?

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

  • Which third-party service providers process my personal information?

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services OR The following third-party service providers process personal information about you for the following purposes: [add purposes].

  • How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

  • When might you share my personal information with other entities in the group?

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and the hosting of data [Describe other known activities].

  • What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

  • Transferring information outside the EU (use only if it applies to your company)

We may transfer the personal information we collect about you to the following country/countries outside the EU [List countries here] to perform our contract with you. There [is OR is not] an adequacy decision by the European Commission in respect of [that OR those] [country OR countries]. This means that the [country OR countries] to which we transfer your data [is OR are] [deemed OR not deemed] to provide an adequate level of protection for your personal information.

However, to ensure that your personal information does receive an adequate level of protection we have put in place the following appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection: [Specify measure, for example, Binding corporate rules]. If you require further information about [this OR these] protective measure[s], [you can request it from [Position] OR it is available [On the intranet/Provide link here]].

  1. Data security

We have put in place measures to protect the security of your information. Details of these measures are available [upon request OR on the intranet].

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. [Details of these measures may be obtained from [Position].]

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

  1. Data retention

  2. How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. [Details of retention periods for different aspects of your personal information are available in our retention policy, which is available from [Position] OR [The intranet/Provide Link].] To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with [our data retention policy OR applicable laws and regulations].

  1. Rights of access, correction, erasure, and restriction

  2. Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

  1. Your rights in relation to personal information

Under certain circumstances, by law, you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request that your personal information is erased. This allows you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to stop processing personal information where we are relying on a legitimate interest and there is something about your situation that makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data or request that we transfer a copy of your personal information to another party, please contact [Position] in writing.

  1. No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

  1. What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

  1. Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact [Position]. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

  1. [Data protection officer]

[We have appointed a [data protection officer (DPO) OR data privacy manager] to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the [DPO OR data privacy manager]. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.]

  1. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact [Position and Contact Details].


I, ___________________________ (employee/worker/contractor name), acknowledge that on _________________________ (date), I received a copy of [EMPLOYER]’s Privacy Notice for employees, workers and contractors and that I have read and understood it.


Signature:         _________________________

Name:                _________________________

Hiring a DPO

A Complete Guide For Hiring A GDPR Data Protection Officer (DPO)

The General Data Protection Regulation has been in force since 25th May 2018. So if you have still not hired a data protection officer, this guide should help you. It is a complete guide for hiring a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR). We’ll go step by step to help you with all the questions regarding a Data Protection Officer.

Who is a Data Protection Officer (DPO)?

The Data Protection Officer is the professional responsible for the data protection activities and implementation of measures inside the company. They hold the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. They report directly to the senior management, managing directors, and CEO of the company.

Who needs a Data Protection Officer?

According to the text of the Regulation, you need a data protection officer if:

  • You have more than 250 employees in your company
  • You are processing data on a large-scale basis. This would mean that the data you collect, process, store or use affects a large number of people. It could be a city population or the processing of personal data for behavioral advertising by a search engine
  • Your processing is carried out by a public authority or body
  • You are processing sensitive data such as health, trade union membership, geolocation, sexual orientation, genetic, or children’s data
  • You are systematically monitoring and tracking individuals. For example, if you are systematically monitoring users’ video data or systematically tracking internet users to review television rating points
  • You are processing special categories of data that could be related to a criminal offense
  • You are a processor that systematically monitors data such as internet traffic, IP addresses or visitors

What are the basic responsibilities of a Data Protection Officer?

The Data Protection Officer should have the following responsibilities:

  • to inform and advise the controller or the processor, as well as the employees who carry out processing, of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • to monitor compliance with this Regulation or with other Union or Member State data protection provisions. This also includes compliance with the policies of the controller or processor in relation to the protection of personal data: the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
  • to provide advice when requested with regard to the data protection impact assessment and monitor its performance pursuant to Article 35;
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36;
  • the data protection officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.

This means a data protection officer is a coordinator between the controller/processor and the supervisory authority. They are also responsible for responding to data subjects, that is, the consumers/customers of the company. Under the GDPR, data subjects can request access to the data about them that is collected and processed.

What are the basic tasks of your Data Protection Officer?

This section highlights how the responsibilities mentioned above turn into tasks. The DPO has to ensure that the data protection rules are respected in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institutions and bodies, the DPO must:

  • Ensure that controllers and data subjects are informed about their data protection rights, obligations, and responsibilities and raise awareness about them;
  • Create data protection goals and principles based on the GDPR and make sure the controller i.e. the company follows it
  • Give advice and recommendations to the institution about the interpretation and/or application of the data protection rules;
  • Create records of processing activities within the institution and notify the EDPS of those that present specific risks (so-called prior checks);
  • Ensure data protection compliance within their institution and help the latter to be accountable
  • Handle queries or complaints on request by the institution, the controller, other person(s), or on their own initiative;
  • Cooperate with responding to requests about investigations, complaint handling and inspections conducted by the authorities
  • Draw the institution’s attention to any failure to comply with the applicable data protection rules
  • Conduct a Data Protection Impact Assessment if required and review it monthly, quarterly and yearly
  • Create Data Processing Agreement and coordinate with the third-parties
  • Create and update privacy policy, cookie policy and other data protection related policies
  • Train staff involved in data processing
  • Conduct audits to ensure compliance

Qualifications for Data Protection Officer

There are no exact qualifications written in the law. But the law does say, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. The data protection officer should have at least 30-60 hours of training to understand the law and its requirements. You can get your Data Protection Officer trained at the following places:


  1. IAPP Certifications
  2. TÜV in Germany
  3. IT Governance in the UK

Since there are no exact criteria, our suggestion is that adequate training or a certification of a certain number of hours should serve you well. If your data protection officer is a lawyer by profession, training will be easier.

What do we have to do to support the DPO?


You must ensure that:

  • the DPO is involved, closely and in a timely manner, in all data protection matters;
  • the DPO reports to the highest management level of your organization, i.e. the board;
  • the DPO operates independently and is not dismissed or penalized for performing their tasks;
  • you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
  • you give the DPO appropriate access to personal data and processing activities;
  • you give the DPO appropriate access to other services within your organization so that they can receive essential support, input or information;
  • you seek the advice of your DPO when carrying out a DPIA; and
  • you record the details of your DPO as part of your records of processing activities.

This shows the importance of the DPO to your organization and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.


10 Best Practices for Hiring a Data Protection Officer

As a controller or processor, the following are the best practices for hiring a data protection officer:

  1. You can find data protection officers in LinkedIn and Facebook groups by searching for groups with the term GDPR
  2. IAPP has its own groups where you can find 40,000 different privacy professionals
  3. GDPR conferences, summits and gatherings are a good place to find such data protection officers
  4. Hire a data protection certified specialist or a lawyer specialized in the field
  5. Make sure your data protection officer understands your IT infrastructure and your application
  6. You can hire an external DPO
  7. A DPO should have strong managerial and negotiation skills. They should also have a comprehensive understanding of the controller/processor, the data subjects and the law
  8. Many experts publish tutorials and content on the GDPR. If you are planning to hire an external DPO, review their webinars, blogs and public profiles
  9. Do your due diligence and ask for at least 3 references from their previous customers. If you are hiring someone internally, ask their immediate supervisors
  10. If you are hiring an external data protection officer, go with someone who does not have a lot of clients. If the data protection officer has many clients, your work will probably be neglected unless you pay them on a package basis


Should I hire an external or internal Data Protection Officer?

Internal vs. External Data Protection Officer

In principle, a company can appoint a Data Protection Officer both internally by assigning the role to an employee and externally in the person of a service provider. The decisive criterion should always be the necessary expertise and reliability that a DPO needs in order to be able to properly fulfill the intended tasks. But what distinguishes an internal from an external data protection officer? We would like to explain the differences on the basis of essential dimensions such as competence, liability and dismissal protection. In addition, to enable you to directly compare the costs of an internal and external data protection officer, we use a fictional calculation to show you how your company’s investment in data protection could be structured.


Internal Data Protection Officer

If you appoint an internal company Data Protection Officer (DPO), the managing director hands the task of DPO to an employee of the company. If an internal employee meets all the necessary requirements, they can be appointed as the internal data protection officer. Once appointed, the employee enjoys protection against dismissal and has rights to further claims, such as their own equipment or training. However, if a company appoints a data protection officer who does not have the required skills, the law treats this as if no data protection officer were present in the company at all.


External Data Protection Officer

In contrast to the internal data protection officer, the external DPO is a certified data protection expert who is available to your company as a service provider. The high level of expertise of an external data protection officer guarantees the best protection for your company. With a transparent cost structure, contractually agreed prices and a variable contract period, the external data protection officer takes care of your business quickly and efficiently, thus protecting you from high fines.


Differences between external and internal data protection officer

First of all, internal and external DPOs can be distinguished with regard to the costs incurred. For an internal data protection officer, the company has to pay for education and training, as well as the acquisition of literature, in addition to the regular salary. With an external DPO, your company benefits from a transparent cost structure, since all services and costs are contractually defined.


In terms of competence, an internal DPO who is not already specialized in the field first has to undergo time-consuming and costly further training to gain the specialist knowledge. An external DPO, on the other hand, can show certified and immediately available expertise from the start of the cooperation. The internal DPO, however, has the advantage of familiarity: the operating procedures are generally already known to them, while an external DPO must first familiarize themselves with the operational procedures and processes.


If a serious error results from the data protection officer’s advice, for example the misuse of customer data, an internal DPO is covered only by the limited liability of an employee, so the full liability falls on the management. An external DPO, in contrast, is liable for their advice and thus minimizes the risk for the company.


Already when appointing a company data protection officer, a possible later termination should be considered. An internal DPO is subject to special protection against dismissal, comparable to the position of a works council member. The engagement of an external data protection officer, however, can be terminated with the agreed notice period.


We would like to explain this to you in more detail with a table:


| Item | Internal DPO | External DPO |
| --- | --- | --- |
| Cost | In addition to the regular salary, the company bears the costs of education, training and the acquisition of literature | Transparent cost structure through contractually agreed prices |
| Competence | Time-consuming and complex further education needed to obtain the technical knowledge | Certified, existing and immediately retrievable expertise |
| Liability | Liability is only partially transferred; the company remains largely liable | The external DPO is liable for the correctness of their advice, minimizing the risk for the company |
| Data control | All data stays within the company | Data and knowledge of the company are shared with an external party |
| Time commitment | 100% committed to the company | Partially committed; most likely working for many other companies as well |
| Time to understand the business | Little time needed, since the internal DPO is already part of the company | Takes time; most likely you will pay for an initial audit |
| Response time | Much faster, since already part of the company | Slower, since the external DPO is not part of the company |
| Termination of the engagement | Protected by law against dismissal; in practice cannot be dismissed for performing the role | Can be replaced according to the contract terms and notice periods |


How much does a data protection officer cost?

Based on our experience of talking to hundreds of data protection officers, the average cost in Europe for a data protection officer depends on the hourly rate. A data protection officer without a legal background costs around 100-200€ per hour. If your data protection officer is a lawyer, they cost around 300-500€ per hour. Many data protection officers bill either by the hour over the year or on a monthly package basis. If you are hiring an external data protection officer, keep in mind that a very low rate usually means they have many clients, so you will not get individual attention or consulting. If they are a big brand, you are probably paying a lot while still getting little attention.


Common Mistakes to avoid while hiring a DPO

  1. Don’t hire cheap data protection officers. They’re not worth it and probably won’t take your case seriously
  2. If all the work is done by the company’s internal lead, and the external DPO is only there for the purposes of the website, don’t hire that DPO
  3. Don’t hire someone internally in your company as a DPO if the role has an inherent conflict of interest. For example, don’t hire a marketing or customer support person as a DPO because they might be biased. Here’s what the working party suggests regarding hiring an internal DPO and avoiding a conflict of interests:
    1. to identify the positions which would be incompatible with the function of a DPO, draw up internal rules to this effect in order to avoid conflict of interests
    2. to include a more general explanation about conflict of interests
    3. to declare that the DPO has no conflict of interest with regards to its function as a DPO, as a way of raising awareness of this requirement
    4. to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be kept in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally
  4. The following roles are in conflicting positions: chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources or head of the IT department
  5. Hiring a full-time data protection officer when you only need a part-time data protection officer


Here’s a sample Appointment Letter for a DPO from ECOMPLY.io

Sample Appointment Letter for Data Protection Officer:


Ms. Sample – Data Protection Officer –

Sample Street 2

23456 Sample City

Appointing Mr. / Ms. ### as Operational Data Protection Officer

The ACME LLC herewith and with immediate effect appoints Ms Sample as the Data Protection Officer – as stipulated in Article 37 GDPR referencing § 38 BDSG-neu for our company. To facilitate the execution of this role as Data Protection Officer, he/she shall report directly to management, specifically NAME_MANAGING_DIRECTOR.

Ms. Sample is entrusted with providing consultancy services and ad-hoc spot checks to ensure company-wide adherence to the provisions of the GDPR and to further data protection regulations.

In concrete terms, his/her duties shall be derived from the GDPR and shall, specifically, be aligned with Article 39 GDPR.

Ms. Sample shall act without being subject to supervisory instruction in the application of expertise in the area of data protection and shall be supported by management in his/her executional endeavors. To this end, he/she may consult the data protection regulatory authority responsible for our company whenever clarification is required.

Representing the management:

_______________________________      ______________________________

Place, Date                                                    Signature Managing Director



I approve of my appointment to Data Protection Officer:


Signature Data Protection Officer

Ms Sample


If you have any further questions or want to know how we can help your DPO, book a demo with us!