Here’s the idea that is getting people really nervous:
First, take a deep breath, get some coffee and take ten minutes to read our suggestions below. You do not need a lawyer to do this for you.
The second step is to consider where in your website data is collected/sent (automatically or by a person). Typically, forms, plugins, tracking tools and cookies do this. The general rule is:
‘You must tell your visitors what is being tracked/collected. Ideally, you get their consent. But at least you have to give them an option to opt out.’
It does not matter what type of form you will be using or its purpose. Only ask the things you really need in order to provide the service you are offering. For instance, if it’s a newsletter registration make the email address a required field and keep all other fields as optional.
For your social media plugins, add something like Shariff to give users more control over being tracked. For videos, Youtube has a data protection mode (https://support.google.com/youtube/answer/171780?hl=de). Unfortunately, Vimeo does not support that yet and should not be embedded anymore on your website.
Like most websites, you probably use Google Analytics. Make sure you take these steps:
Tell people that you are collecting cookies and give an option to opt-out. Hopefully, your website system has that built in otherwise you need to add it yourself. Below is a good example of cookie consent.
There are some conditionals:
As you can see there is no 1-click solution for this (although we are working on one!). Doing it by hand is also not prohibited. In about a day, you should be able to cover most of this.
This is another part you need to add. Here’s an example for you:
“In particular, Users have the right to do the following:
Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.
Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.
Details about the right to object to the processing
Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn, whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.”
Text credit: Iubenda.com
Image credit: http://thebusinessecoach.com/
by Aazar Shad
Before getting into the GDPR SaaS Checklist For Leaders, let’s understand why the need for it has arisen.
There is a tonne of material on the General Data Protection Regulation (GDPR) and several organizations and people claiming to be experts and throwing around advice. Moreover, there is an overwhelming amount of information regarding this topic because of the foreseeable enforcement of GDPR in sight.
We want to condense all this information into a specific point by point checklist. Therefore, we are focusing on the Software as a Service (SaaS) industry instead of giving a general list for all companies. This list will help SaaS companies keep track of what they have done and what still needs to be done.
First of all, it is important to understand that for SaaS companies a lot of these processes can be automated but it is not really necessary to do that. You need to take stock of the costs of automation or manual labor and need to decide accordingly what works for you.
Here you can read the 10 Critical Steps to General Data Protection Regulation (GDPR) for SMEs that highlights the principles that you need to keep in mind.
This essentially means that you need to conceptualize, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io or if you are not a customer: download it here.
This can be anyone in the company who is aware and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.
Below is the example cookie by inc.com
ECOMPLY.io helps with it. You can also read our step by step blog on how to take this item off your GDPR compliance checklist.
This includes basically every software and service you are using. Moreover, this means that you need to take stock of all your vendors and contact them as soon as possible. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.
ECOMPLY.io has following technical measures that you need to report. Below is a good example_
While it is important to conceptualize these measures, you also need to implement them.
As a SaaS Vendor, you should be able to provide a data processing agreement on behalf of your customers and promising technical measures to protect their data. Consequently, you need to have these agreements with your vendors. ECOMPLY.io will help you with that.
Have different level controls for each staff. Not everybody should have access to all the system.
If you are still confused about the GDPR and don’t know where to start, just book an appointment with us for an informal chat.
by Hauke Holtkamp
In the last few days, after our product hunt launch, we have received questions from people who are curious about the process of compliance. How do you start? What are some of the things to keep in mind? Since the GDPR will be enforced this coming May we see a lot of companies scrambling to comply. We thought that an example of a company that is in the final stages of GDPR compliance would help. So we caught up with Woodpecker.co to find out what they have done, how they have done it and what they think could have helped them in the process. We started with the basic GDPR questions and build our way up to all the others.
We’re based in Poland, so we heard about GDPR pretty soon. We’ve tried to keep abreast with the news since the moment we heard about the changes. So, we can say that we began by keeping an eye out on the discourse around GDPR.
First, we read the whole regulation. In my opinion, there should be one person at every company who has read the regulation from start to finish. It helps a lot. Especially since there’s a lot of panic around GDPR as well as around the implications that may follow from it. Reading the whole thing clears things out for you.
Then, we found a couple of GDPR conferences. One of our colleagues, who we appointed as Data Protection Specialist, took part in those conferences and shared what she learned with the rest of us. She prepared small presentations for every department: Office Management, Sales, Marketing, and told us how GDPR will affect our work. Her input was invaluable.
We updated our Policy and Terms of Service. We reviewed our signup forms for our newsletter, downloadable marketing content and the app itself.
Then, we researched how other companies were preparing for GDPR. We decided to let our customers know what we were doing for GDPR. That’s how we created the page. It’s made to inform our customers and subscribers how we’re handling things.
The first step we took was to make sure our signup forms were clear to understand, as it is one of the requirements of GDPR. The signup forms should be free of any jargon words or windy sentences. The signees should know what they subscribe to.
The subscribers should feel their personal data is secure when they give it to us, and that they are in full control of it. Of course, they can unsubscribe from our newsletter or update their data at any point. We have made sure it’s easy for them to do that.
GDPR also calls for data limitation, collecting only the kind of personal data that’s essential. It has always been the case when it comes to our marketing communication. We don’t collect more data than necessary to send a newsletter. For instance, we’re not going to call our newsletter subscribers, thus we don’t collect phone numbers.
Next, we took care of the signatures that come at the end of our newsletter emails. We made sure there’s all the information that anyone would need. We’re working on the short notification that would inform the newsletter subscriber that they received the email, because they subscribed to the blog.
To be honest, we’re at the finishing line. We still need to polish a thing or two. We’re sure to announce it within a week or less. We’ve been working on it for a couple of months, because we process our users’ personal data and our users process personal data of prospects. We need to work our way through GDPR compliance.
Don’t try to do everything at once. It might be overwhelming. Especially since there’s a lot of contradictory advice on the Internet. Start with baby steps. That’s how we came with an idea of creating a GDPR checklist available on our blog. If you don’t know what to do, take a lawyer’s advice. But I’m sure you’ll manage to take care of GDPR compliance on your own.
Start with thinking what data you collect and where from. It is not only the pillar of conducting risk assessment. It will also help you realize what kind of data security policy you need.
Change the way you think about GDPR. It isn’t a policy which covers mistakes in the current system but policy which showcases how the system works.
That would be even better. I think the compliance took so much of our time because we didn’t have everything in one place. Have we had a solution to keep our work organized, it would have taken far less time to become GDPR compliant.
We have the GDPR documents scattered around, because there is a lot of information to keep an eye on, likewise, we have had to review our database and do everything in our power to secure the personal data of our users and newsletter subscribers. It got really hectic. If we had an app or something that would keep everything under one roof and let us collaborate, we’d be thrilled.
As a sales automation tool, Woodpecker is both, data processor and data administrator. We process personal data and allow our users to process personal data of their prospects. That’s why we needed to review how we process personal data and how others can process personal data in the app. We need to be cautious about our users’ data. And we need to make it possible for our users to process the personal data of their prospects in a way that is GDPR compliant.
An email body doesn’t change much from what it was before. There are two things that need our attention when writing a cold email though. The first thing is having a tightly targeted list of prospects. A spray-and-pray approach has never been effective, but now it’s illegal under GDPR. When we decide to send somebody a cold email, we should be able to justify why you chose a specific person to be on our cold emailing list. Our business statute should be tightly connected with theirs.
The other thing is that we should be transparent. We should include information, or at least be prepared to give it when asked to, that we’re processing our prospect’s personal data and that prospects can opt-out from receiving further emails from us any time they want. We have an example of that in our article about GDPR.
You can check out Woodpecker.co right here!
If the answers to these GDPR questions have left you confused about how to start your compliance process or if you find yourself drowning in heaps of excel sheets, book a free demo with us!
The General Data Protection Regulation (GDPR) is ripe and the market is buzzing with many different compliance tools. Some are super helpful, others are mildly so and some are simply pretending to be helpful to get some benefit out of jumping on the GDPR bandwagon.
We thought we would tell you exactly what it is that we do that helps you with compliance. So here goes!
Do you want to spend 100s of euros on document templates like the ones by Certkit?
Since you must fill out the documents and log in all your activities for all your departments anyway. Just paying money for word/excel/other templates that you will have to fill in yourself without any guidance is definitely not worth the money you will put in.
Ecomply.io has these templates with all the content as well as guidance on what is relevant for different fields. So, you won’t face any confusion about what you should write in the template.
Do you want to hire an external consultant for all the work?
It is not just the cost of the external consultant but think about all the time your company will spend on finding the right consultant or firm. Giving them a rundown of everything your company does, answering their questions, getting them to sign all the NDAs, setting up accounts for them and all the other organizational tasks that your company would have to do just to start them off.
It would easily be a week of just onboarding them! And what’s more: even the externals suggest to use us!
Ecomply.io replaces 75% of the work of external consultants. The left over 25% is basically writing new policies in accordance with the GDPR.
Do you want to sit down in countless back to back meetings to fill everything out?
Think of all the meetings you will have to have if you were to fill out everything yourself. First, prepare and organise for a kick-off meeting. This would entail understanding the GDPR with all its intricacies and being able to condense it into a workshop for the rest of the departments and people. After your initial meeting, you would still have to force people to write down or record in one way or another all the ways that they use data in. Then follow-up meetings, ensuring everyone does it on time, clarification meetings and what not. This would be the norm!
With ECOMPLY.io, you can simply add people from different departments to work on their activities and track the overall progress.
Do you want Excel sheets and more Excel sheets and more Excel Sheets?
Don’t forget that this means an unimaginable amount of excel sheets. Imagine every department filling out all their activities, all the details they collect ranging from name of their user or consumer to their login dates and what not. Then you will have to extract the relevant information from all these specific department/functionalities reports and combine them together according to the requirements of the Data Protection Authorities.
With ECOMPLY.io, you can generate this report with one single click.
Here is a table we compiled that can further help you with the comparison:
If you have any questions about the GDPR, book a free demo with us now!