GDPR Compliant Privacy Policy

Four Hacks To Have GDPR Compliant Privacy Policy


Disclaimer: This editorial does not claim completeness and does not constitute legal advice on GDPR-compliant privacy policies.

Here’s the idea that is getting people really nervous:

Inside the law firms of the world, there are lawyers just waiting for 25 May 2018 to scan our websites and sue anyone whose privacy policy does not comply with the GDPR. To defend ourselves, it is essential to make sure our websites reveal no weaknesses to either automated scans (crawling) or superficial human inspection.

This means paying attention to cookies, plugins and tracking tools, so that we meet our obligations and publish compliant documents.

First, take a deep breath, get some coffee and take ten minutes to read our suggestions below. You do not need a lawyer to do this for you.

To make sure you do not overlook any detail of a GDPR-compliant privacy policy, just follow the four hacks below; they are in fact the steps in the process of getting a GDPR-compliant website.

Step 1: Encryption

The first step towards a website with a GDPR-compliant privacy policy is to make sure your website is only reachable via HTTPS (the little lock symbol in the browser). Thanks to Let’s Encrypt and other alternatives, the certificate itself is an easy problem to solve. Do not stop at offering HTTPS next to HTTP, though: the plain-HTTP address must redirect to the HTTPS one, otherwise form data and cookies can still travel unencrypted.
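As a concrete check, the following Python function (an added example, not code from this article) evaluates what the plain-HTTP and HTTPS responses of a page look like: it flags content still served over HTTP, redirects that are temporary, change host or lose the path, and a missing or weak Strict-Transport-Security (HSTS) header. HSTS is not mentioned above; it is the standard way to stop browsers from ever retrying plain HTTP and is included here as the extra check a reviewer would expect. The three response sets are constructed, not captured from any real site; in practice you would feed the function the status and headers you get from `curl -sI http://yoursite/page` and `curl -sI https://yoursite/page`.

```python
"""HTTPS-only check on (status, headers) pairs. Added example; all responses
below are constructed, not captured from a real site."""
from urllib.parse import urlsplit

ONE_YEAR = 31_536_000  # seconds; the usual minimum for a meaningful HSTS policy


def parse_hsts(value):
    """Split a Strict-Transport-Security header into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_https_only(http_url, http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means the page passes.

    http_status / http_headers: what the plain-HTTP URL answered.
    https_headers: response headers of the same page fetched over HTTPS.
    """
    findings = []
    http_hdrs = {k.lower(): v for k, v in http_headers.items()}
    https_hdrs = {k.lower(): v for k, v in https_headers.items()}

    # 1. Plain HTTP must not serve content; it must redirect permanently.
    if http_status not in (301, 308):
        findings.append("HTTP %d: expected a permanent redirect (301 or 308)" % http_status)

    # 2. The redirect must land on HTTPS, on the same host, on the same path.
    src = urlsplit(http_url)
    location = http_hdrs.get("location", "")
    dst = urlsplit(location)
    if dst.scheme != "https":
        findings.append("redirect target is not https: %r" % location)
    elif dst.hostname != src.hostname:
        findings.append("redirect changes host: %s -> %s" % (src.hostname, dst.hostname))
    elif (dst.path or "/") != (src.path or "/"):
        findings.append("redirect drops the path: %s -> %s" % (src.path, dst.path))

    # 3. HTTPS responses should pin browsers to HTTPS with HSTS.
    hsts = https_hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(directives.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age=%d is shorter than one year" % max_age)
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")
    return findings


# Constructed responses (not captured from any real site).
GOOD_SITE = dict(
    http_url="http://example.com/privacy",
    http_status=301,
    http_headers={"Location": "https://example.com/privacy"},
    https_headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
)
# Content is served over plain HTTP as well, and HTTPS carries no HSTS.
WEAK_SITE = dict(
    http_url="http://example.com/privacy",
    http_status=200,
    http_headers={"Content-Type": "text/html"},
    https_headers={"Content-Type": "text/html"},
)
# Redirects, but temporarily, to the site root, and HSTS is far too short.
SLOPPY_SITE = dict(
    http_url="http://example.com/privacy",
    http_status=302,
    http_headers={"Location": "https://example.com/"},
    https_headers={"Strict-Transport-Security": "max-age=3600"},
)

if __name__ == "__main__":
    for name, site in (("good", GOOD_SITE), ("weak", WEAK_SITE), ("sloppy", SLOPPY_SITE)):
        print(name, check_https_only(**site) or "OK")
```

The good site yields no findings; the weak one yields three (content over HTTP, no redirect, no HSTS) and the sloppy one four. Run it against every entry point of your site, not just the home page, since deep links are where redirects to the root usually go wrong.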

Step 2: Changes to website content/plugins

The second step is to consider where in your website data is collected/sent (automatically or by a person). Typically, forms, plugins, tracking tools and cookies do this. The general rule is:

‘You must tell your visitors what is being tracked/collected. Ideally, you get their consent. But at least you have to give them an option to opt out.’

Let’s break this down further:

Forms

It does not matter what type of form you use or what it is for: only ask for what you really need in order to provide the service you are offering. For instance, on a newsletter registration form make the email address the only required field and keep all other fields optional (or drop them).

Plugins

For social media buttons, add something like Shariff, which only contacts the social network once the user actually clicks, so visitors are not tracked by merely viewing the page. For videos, YouTube has a privacy-enhanced mode that embeds from youtube-nocookie.com (https://support.google.com/youtube/answer/171780?hl=de). Vimeo did not offer an equivalent at the time of writing and should therefore no longer be embedded on your website.

Tracking

Like most websites, you probably use Google Analytics. Make sure you take these steps:

Cookies

Tell people that you set cookies and give them an option to opt out. Hopefully, your website system has that built in; otherwise you need to add it yourself. Below is a good example of a cookie consent notice.

Step 3: Privacy Policy

This is the most important part. As an organization, you have the obligation to be transparent about your data processing activities. How can you be transparent? Put it all in the privacy policy. It should be precise, transparent, easily accessible, and written in clear, simple language. So do it yourself (DIY) with the must-haves below:

  • Contact information of your organization,
  • The categories of data you collect (‘name’, ‘visitor behaviour’, …) and the purposes for which each is collected,
  • The legal basis for this processing (ideally either ‘consent’ or ‘performance of a contract’),
  • How long you plan to retain the data,
  • How a customer can restrict or object to the processing (for example by contacting you),
  • The email address of your Data Protection Officer (if you have one), like ‘privacy@sample.com’,
  • Where a customer can reach you with a complaint, and that they may also complain to the supervisory authority.

Some items apply conditionally:

  • Do you use Google Analytics? Mention it and offer an opt-out.
  • Do you set cookies? Mention it!
  • Do you use automated decision-making or profiling? You have to mention that too.
  • Do you use a company like Mailchimp to send your newsletters? Mention it, and in particular that you share your visitors’ email addresses or other information with them.

As you can see there is no 1-click solution for this (although we are working on one!). Doing it by hand is also not prohibited. In about a day, you should be able to cover most of this.

Below is a good example of a privacy policy snapshot.

Step 4: The rights of users

This is another part you need to add. Here’s an example for you:

“In particular, Users have the right to do the following:

Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.

Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.

Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.

Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.

Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.

Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.

Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.

Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Details about the right to object to the processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn, whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.”

Text credit: Iubenda.com

In short, following this guide should get you on the right path towards compliance. If you have further questions and want to know how we can help you get a GDPR-compliant privacy policy, sign up with us!

Image credit: http://thebusinessecoach.com/


GDPR SaaS Checklist

The Ultimate GDPR SaaS Checklist


Before getting into the GDPR SaaS Checklist For Leaders, let’s understand why the need for it has arisen.

There is a tonne of material on the General Data Protection Regulation (GDPR), and plenty of organizations and people claiming to be experts and throwing around advice. With enforcement in sight, the amount of information on the topic has become overwhelming.

We want to condense all this information into a specific point by point checklist. Therefore, we are focusing on the Software as a Service (SaaS) industry instead of giving a general list for all companies. This list will help SaaS companies keep track of what they have done and what still needs to be done.

First of all, it is important to understand that for SaaS companies many of these processes can be automated, but that is not strictly necessary. Weigh the cost of automating a process against the cost of doing it manually and decide what works for you.

Here are the rights of the Data Subjects (client/customer/user/employee in layman terms) that you need to preserve:

  • The right to erasure (the right to be forgotten: deleted from the system),
  • The right to restriction of processing (you have to lock the data down and may not do anything with it without the user’s further consent),
  • The right to data portability (give your users the possibility to download a machine-readable export of the data you have collected and processed about them),
  • The right to rectification (have an edit button for data fields),
  • The right to be informed, which means you need to get rid of those long terms and conditions and provide this information in a clear and concise way.

Here you can read the 10 Critical Steps to the General Data Protection Regulation (GDPR) for SMEs, which highlight the principles you need to keep in mind.

GDPR compliance Checklist Dos:

1. Create and agree on data protection goals – Article 5

This essentially means that you need to conceptualize, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io or, if you are not a customer, download it here.

2. Appoint an internal DPO with no conflict of interest – Article 37

This can be anyone in the company who is informed about the GDPR, but the role comes with conditions: the DPO needs real knowledge of data protection law and practice (Article 37(5)) and must not also hold a role that decides on the purposes and means of processing, such as CEO, head of IT or head of marketing, because that is the conflict of interest Article 38(6) forbids. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.

3. Make a cookie policy and present it properly – Article 7

Here’s the right way to go about it: https://www.cookiebot.com/en/cookie-declaration/ Until now it has been enough to display the common “we use cookies” warning; the GDPR changes that. From the GDPR perspective, setting cookies means you are collecting user data and need to make sure that you have a legal basis for it. A banner that merely announces cookies while the page has already set them provides no such basis.

4. Obtain consent for cookies set by any plugin – Article 7

Below is an example cookie notice from inc.com.


5. Update your privacy policy – Article 12:

Below is a good example of a short-form privacy policy snapshot.

6. Add these features

  • A consent box that records, together with the consent, the version of the privacy policy the user saw – Article 7
  • A feature to edit or modify data – Article 16
  • A feature to delete data (the right to be forgotten) – Article 17
  • A feature to object to processing, including profiling – Article 21
  • A feature to access and export all of a user’s data – Articles 15 & 20
  • A way for users to restrict processing and to refuse decisions based solely on automated processing – Articles 18 & 22
  • Double opt-in on newsletters, lead magnets and sign-up – Article 7
  • Automatic deletion, or a stated deadline after which the data is deleted – Article 17
  • A consent checkbox on your contact form as well – Article 7
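Several of the features above (the consent box that records the policy version, the export feature, withdrawal, and timed deletion) hinge on one data structure: a consent record that names the exact policy text the user agreed to. The Python below is an added example of that structure; it is not ECOMPLY.io code or any product’s code, and the user, the two policy texts and the 365-day retention window are assumptions for illustration. Versioning the policy by a hash of its wording means a consent given on an older text is automatically recognised as stale once the policy changes.

```python
"""Consent records tied to a privacy-policy version, with withdrawal,
re-consent detection, retention purge and a machine-readable export.
Added example (not ECOMPLY.io code); users and policy texts are constructed."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def policy_version(policy_text):
    """Version the policy by hashing its exact wording: every edit yields a
    new version, so a record always names the text the user actually saw."""
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()[:16]


@dataclass
class ConsentRecord:
    user_id: str
    purpose: str                    # one purpose per record, e.g. "newsletter"
    policy_version: str             # version of the policy shown at consent time
    given_at: str                   # ISO 8601, UTC
    source: str                     # where the box was ticked, e.g. "signup form"
    withdrawn_at: Optional[str] = None


class ConsentLog:
    """In-memory store; a real system would persist this table append-only."""

    def __init__(self):
        self.records: List[ConsentRecord] = []

    def record(self, user_id, purpose, policy_text, source, now):
        rec = ConsentRecord(user_id, purpose, policy_version(policy_text),
                            now.isoformat(), source)
        self.records.append(rec)
        return rec

    def withdraw(self, user_id, purpose, now):
        """Withdrawing must be as easy as consenting (Art. 7(3)). Records are
        closed, not deleted: they are the proof that consent once existed."""
        closed = 0
        for r in self.records:
            if r.user_id == user_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = now.isoformat()
                closed += 1
        return closed

    def has_valid_consent(self, user_id, purpose, current_policy_text):
        """True only if an open record exists for the *current* policy version.
        After the policy changes the user has to be asked again."""
        wanted = policy_version(current_policy_text)
        return any(r.user_id == user_id and r.purpose == purpose
                   and r.withdrawn_at is None and r.policy_version == wanted
                   for r in self.records)

    def purge_withdrawn(self, now, keep_days):
        """Delete withdrawn records once they are older than keep_days.
        keep_days is an assumed internal retention rule, not a GDPR figure."""
        cutoff = now - timedelta(days=keep_days)
        before = len(self.records)
        self.records = [r for r in self.records
                        if r.withdrawn_at is None
                        or datetime.fromisoformat(r.withdrawn_at) > cutoff]
        return before - len(self.records)

    def export_user(self, user_id):
        """Structured, machine-readable copy of one user's records (Art. 20)."""
        rows = [asdict(r) for r in self.records if r.user_id == user_id]
        return json.dumps(rows, indent=2, sort_keys=True)


def demo():
    """Walk one constructed user through consent, a policy change,
    re-consent, withdrawal and the retention purge."""
    log = ConsentLog()
    v1 = "We use your email address to send you a weekly newsletter."
    v2 = v1 + " We share it with our newsletter provider for that purpose."
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    out = {}
    log.record("u1", "newsletter", v1, "signup form", t0)
    out["ok_on_v1"] = log.has_valid_consent("u1", "newsletter", v1)
    out["ok_after_change"] = log.has_valid_consent("u1", "newsletter", v2)
    log.record("u1", "newsletter", v2, "re-consent banner", t0 + timedelta(days=30))
    out["ok_on_v2"] = log.has_valid_consent("u1", "newsletter", v2)
    out["exported_rows"] = len(json.loads(log.export_user("u1")))
    out["closed"] = log.withdraw("u1", "newsletter", t0 + timedelta(days=60))
    out["ok_after_withdraw"] = log.has_valid_consent("u1", "newsletter", v2)
    out["purged_early"] = log.purge_withdrawn(t0 + timedelta(days=61), keep_days=365)
    out["purged_late"] = log.purge_withdrawn(t0 + timedelta(days=430), keep_days=365)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design choices worth copying: consent is stored per purpose rather than as one global flag, so a user can keep the newsletter while refusing analytics, and withdrawal closes a record instead of deleting it, so you can still show that consent existed when an email was sent.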

7. Create records of processing activities and maintain them – Article 30:

ECOMPLY.io helps with it. You can also read our step by step blog on how to take this item off your GDPR compliance checklist.

8. Ask your third-party vendors to be compliant, i.e. suppliers and subcontractors:

This includes basically every piece of software and every service you use, so take stock of all your vendors and contact them as soon as possible. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.

9. Technical Measures for IT: 

  • Anonymize or pseudonymize the data of users who no longer use your system
  • Encrypt data in your system, in transit and at rest
  • Require authentication on every path that modifies data
  • Two-factor authentication (2-step verification)
  • Data minimization: do not collect or keep what you don’t need
  • Tested backups, so data cannot be lost (including a restore you have actually tried)
  • Transport security for the web application (TLS; SSL is obsolete and should be disabled)
  • Data centre location and physical protection; ideally in the EU, or in the US with appropriate transfer safeguards in place
  • Passwords stored only as salted, slow hashes (bcrypt, scrypt or Argon2) on all systems, never reversibly encrypted or in clear text
  • Internal file shares and cloud drives protected with access levels that match the sensitivity of what they hold
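The first measure above deserves a closer look, because “hash the email and call it pseudonymized” is the most common way to get it wrong. The Python below is an added example, not ECOMPLY.io code, and the addresses and records in it are constructed. It shows an unkeyed hash being reversed simply by guessing, contrasts that with an HMAC under a key stored separately from the data, and shows that the controller who holds the key can still honour a later access or erasure request without keeping the email itself. Keep in mind that pseudonymized data is still personal data under the GDPR (Recital 26); only data that cannot be attributed to a person at all is out of scope.

```python
"""Pseudonymizing records of departed users: unkeyed hash (reversible by
guessing) versus keyed HMAC with the key held apart from the data.
Added example; all addresses and records are constructed."""
import hashlib
import hmac
import secrets


def naive_pseudonym(email):
    """An unkeyed hash. Looks anonymous, but emails are guessable, so anyone
    holding the table can reverse it by hashing candidate addresses."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def new_key():
    """Pseudonymization key. Keep it separate from the data (Art. 4(5)):
    with the key you can re-link records, without it the pseudonyms are noise."""
    return secrets.token_bytes(32)


def keyed_pseudonym(email, key):
    """HMAC-SHA256 of the normalized email under a secret key."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def reverse_by_guessing(pseudonym, candidates, pseudonymize):
    """What an attacker (or a curious employee) does with a pseudonymized
    table: try plausible identifiers until one matches."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate), pseudonym):
            return candidate
    return None


DIRECT_IDENTIFIERS = ("name", "email", "phone", "last_login_ip")


def pseudonymize_record(record, key):
    """Replace the direct identifiers of a departed user by one keyed
    pseudonym, keeping only the fields still needed (here: billing history)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = keyed_pseudonym(record["email"], key)
    return out


def find_by_email(records, email, key):
    """Serve a later access or erasure request without storing the email:
    recompute the pseudonym with the key and match on it."""
    wanted = keyed_pseudonym(email, key)
    return [r for r in records if hmac.compare_digest(r["subject_id"], wanted)]


# Constructed sample data (no real people).
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.org"]
DEPARTED_USER = {
    "name": "Alice Example",
    "email": "Alice@Example.com",
    "phone": "+49 30 000000",
    "last_login_ip": "203.0.113.7",
    "plan": "pro",
    "invoices_total_eur": 1188.00,
}


def demo():
    key = new_key()
    target = "alice@example.com"
    out = {}
    # Naive scheme: the "pseudonym" falls to a handful of guesses.
    out["naive_recovered"] = reverse_by_guessing(
        naive_pseudonym(target), CANDIDATES, naive_pseudonym)
    # Keyed scheme: guessing without the key, or with the wrong key, fails...
    p = keyed_pseudonym(target, key)
    out["keyed_without_key"] = reverse_by_guessing(p, CANDIDATES, naive_pseudonym)
    out["keyed_wrong_key"] = reverse_by_guessing(
        p, CANDIDATES, lambda e: keyed_pseudonym(e, new_key()))
    # ...while the controller holding the key can still honour a request.
    stored = [pseudonymize_record(DEPARTED_USER, key)]
    out["fields_left"] = sorted(stored[0])
    out["erasure_request_matches"] = len(find_by_email(stored, target, key))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

If the key is ever stored next to the table (same database, same backup), the scheme degrades to the naive one for anyone who obtains that backup; keep it in a secrets manager or an HSM, and rotating it means re-pseudonymizing the table.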

ECOMPLY.io lists the technical measures that you need to report. Below is a good example:

10. Organizational Measures:

While it is important to conceptualize these measures, you also need to implement them.

  • Educate your team about privacy and data protection
  • Physical access to your office should always be controlled (keys or badges)
  • Staff laptops and other devices should be protected as well (full-disk encryption, screen lock, remote wipe)

11. Sales & Marketing:

  • Obtain consent on all your marketing lead magnets and contact forms, and record it
  • Inform customers about your CRM, automation and analytics tools
  • Always have an opt-out button

12. Data Processing Agreement:

As a SaaS vendor, you should be able to offer your customers a data processing agreement (Article 28) that commits you to technical and organizational measures protecting their data. Consequently, you need the same agreements with your own vendors. ECOMPLY.io will help you with that.

13. Human Resources (HR):

Give each member of staff access according to their role; not everybody should have access to every system.

GDPR compliance Checklist Don’ts:

  1. Not all your vendors will be compliant! Don’t assume that they are.
  2. Don’t assume that Privacy Shield or ISO 27001 already makes you compliant.
  3. Writing a cold email to customers at their personal email address is not a compliant way to reach out to them.
  4. Documentation alone will not save you. You need to actually make those changes.
  5. Don’t leave laptops unlocked in open spaces where passers-by can see the data.
  6. It is not a one-time project. Keep your documentation correct and up to date, follow your own guidelines, and check frequently.

If you are still confused about the GDPR and don’t know where to start, just book an appointment with us for an informal chat.



10 GDPR questions answered for SaaS Companies

In the last few days, after our Product Hunt launch, we have received questions from people who are curious about the compliance process. How do you start? What should you keep in mind? Since the GDPR will be enforced this coming May, we see a lot of companies scrambling to comply. We thought that an example of a company in the final stages of GDPR compliance would help. So we caught up with Woodpecker.co to find out what they have done, how they did it and what they think could have helped them in the process. We started with the basic GDPR questions and built our way up to all the others.

1) How did you get started with the GDPR?

We’re based in Poland, so we heard about GDPR pretty soon. We’ve tried to keep abreast with the news since the moment we heard about the changes. So, we can say that we began by keeping an eye out on the discourse around GDPR.

2) What were your first steps? Please feel free to mention your steps

First, we read the whole regulation. In my opinion, there should be one person at every company who has read the regulation from start to finish. It helps a lot. Especially since there’s a lot of panic around GDPR as well as around the implications that may follow from it. Reading the whole thing clears things out for you.

Then, we found a couple of GDPR conferences. One of our colleagues, who we appointed as Data Protection Specialist, took part in those conferences and shared what she learned with the rest of us. She prepared small presentations for every department: Office Management, Sales, Marketing, and told us how GDPR will affect our work. Her input was invaluable.

We updated our Policy and Terms of Service. We reviewed our signup forms for our newsletter, downloadable marketing content and the app itself.

Then, we researched how other companies were preparing for GDPR. We decided to let our customers know what we were doing for GDPR. That’s how we created the page. It’s made to inform our customers and subscribers how we’re handling things.

3) How did you change your email marketing for the GDPR?

The first step we took was to make sure our signup forms were clear to understand, as it is one of the requirements of GDPR. The signup forms should be free of any jargon words or windy sentences. The signees should know what they subscribe to.

The subscribers should feel their personal data is secure when they give it to us, and that they are in full control of it. Of course, they can unsubscribe from our newsletter or update their data at any point. We have made sure it’s easy for them to do that.

GDPR also calls for data limitation, collecting only the kind of personal data that’s essential. It has always been the case when it comes to our marketing communication. We don’t collect more data than necessary to send a newsletter. For instance, we’re not going to call our newsletter subscribers, thus we don’t collect phone numbers.

Next, we took care of the signatures that come at the end of our newsletter emails. We made sure there’s all the information that anyone would need. We’re working on the short notification that would inform the newsletter subscriber that they received the email, because they subscribed to the blog.

4) What are 10 simple changes & advice for a marketer who is reading this blog?

  1. Don’t panic. GDPR wasn’t made to kill all of your marketing activities. It was written to protect the rights of consumers. Not to harass marketers or make their job harder.
  2. Don’t trust everything you’ve read about GDPR. A lot of stuff out there is just somebody’s interpretation of the regulation. Learn to separate the wheat from the chaff.
  3. Appoint one person at your company who’ll review the way personal data is being handled. Are you sure you know what happens with the data? Who has access to it? Is the process secure? If you have no idea, it’s time to come up with a plan to make it as secure as you can.
  4. Review opt-in forms. All opt-in forms should be short and easy to understand. They shouldn’t be written in fine print nor should they be in hard-to-see colors.
  5. Ask for the information you really need. GDPR stresses that the personal data you collect should be adequate and relevant to the purpose of its processing. So don’t ask for the company address if you’re not going to mail the company anything.
  6. Keep your database clean. Do the major cleaning of your contact lists from time to time. If you don’t know how the subscriber ended up on your list, it’s better to either delete them or ask them whether they want to opt in for your marketing communication. Similarly, if a person unsubscribes, cross them out.
  7. Be transparent – Tell your subscribers in what ways you’re going to process their personal data. GDPR calls for transparency. The customers and newsletter subscribers should understand in what ways you’re processing their personal data and what kind of data you keep.
  8. Keep your word – if you say you’re processing personal data to send them a weekly newsletter, don’t send email twice a week. If you say you delete them from your list, do that. Now it’s even more important to keep your word.
  9. Learn how GDPR is interpreted in your own country. EU member states differ in their interpretation when it comes to the regulation.
  10. Inform your newsletter subscribers and customers about what you did to be GDPR compliant. We still receive some questions about whether we think App A or B is GDPR compliant. And we can’t say unless this company released a GDPR statement.

5) How long did it take for you guys to be GDPR compliant?

To be honest, we’re at the finishing line. We still need to polish a thing or two. We’re sure to announce it within a week or less. We’ve been working on it for a couple of months, because we process our users’ personal data and our users process personal data of prospects. We need to work our way through GDPR compliance.

6) What piece of advice – would you give to the readers who are starting now?

Don’t try to do everything at once. It might be overwhelming. Especially since there’s a lot of contradictory advice on the Internet. Start with baby steps. That’s how we came up with the idea of creating a GDPR checklist available on our blog. If you don’t know what to do, take a lawyer’s advice. But I’m sure you’ll manage to take care of GDPR compliance on your own.

Start with thinking what data you collect and where from. It is not only the pillar of conducting risk assessment. It will also help you realize what kind of data security policy you need.

Change the way you think about GDPR. It isn’t a policy which covers mistakes in the current system but policy which showcases how the system works.

7) Would a step-by-step and simple to use GDPR solution make sense if people are starting now?

That would be even better. I think the compliance took so much of our time because we didn’t have everything in one place. Had we had a solution to keep our work organized, it would have taken far less time to become GDPR compliant.

8) How much did you hate using spreadsheets for the GDPR?

We have the GDPR documents scattered around, because there is a lot of information to keep an eye on, likewise, we have had to review our database and do everything in our power to secure the personal data of our users and newsletter subscribers. It got really hectic. If we had an app or something that would keep everything under one roof and let us collaborate, we’d be thrilled.

9) You mentioned here – “make a list of all the in-app areas that need to be taken care of to comply with the regulation (COMPLETED)” – What were those changes?

As a sales automation tool, Woodpecker is both, data processor and data administrator. We process personal data and allow our users to process personal data of their prospects. That’s why we needed to review how we process personal data and how others can process personal data in the app. We need to be cautious about our users’ data. And we need to make it possible for our users to process the personal data of their prospects in a way that is GDPR compliant.

10) Do you have an example of a cold email you write to your business contacts based on the GDPR who have not opted in?

An email body doesn’t change much from what it was before. There are two things that need our attention when writing a cold email though. The first thing is having a tightly targeted list of prospects. A spray-and-pray approach has never been effective, but now it’s illegal under GDPR. When we decide to send somebody a cold email, we should be able to justify why we chose a specific person to be on our cold emailing list. Our business statute should be tightly connected with theirs.

The other thing is that we should be transparent. We should include information, or at least be prepared to give it when asked to, that we’re processing our prospect’s personal data and that prospects can opt-out from receiving further emails from us any time they want. We have an example of that in our article about GDPR.

You can check out Woodpecker.co right here!

If the answers to these GDPR questions have left you confused about how to start your compliance process or if you find yourself drowning in heaps of excel sheets, book a free demo with us!



GDPR Compliance Tools: Why ECOMPLY.io?

The General Data Protection Regulation (GDPR) is ripe and the market is buzzing with many different compliance tools. Some are super helpful, others are mildly so and some are simply pretending to be helpful to get some benefit out of jumping on the GDPR bandwagon.

We thought we would tell you exactly what it is that we do that helps you with compliance. So here goes!

Do you want to spend hundreds of euros on document templates like the ones by Certkit?

You must fill out the documents and log the activities of all your departments anyway. Paying for Word/Excel/other templates that you then have to fill in yourself, without any guidance, is definitely not worth the money.

Ecomply.io provides these templates with all the content as well as guidance on what is relevant for each field, so you won’t be confused about what to write.

Do you want to hire an external consultant for all the work?

It is not just the cost of the external consultant: think about all the time your company will spend finding the right consultant or firm, giving them a rundown of everything your company does, answering their questions, getting them to sign all the NDAs, setting up accounts for them, and all the other organizational tasks your company has to do just to get them started.

It would easily be a week just to onboard them! And what’s more: even the external consultants suggest using us!

Ecomply.io replaces 75% of the work of external consultants. The leftover 25% is basically writing new policies in accordance with the GDPR.


Do you want to sit down in countless back to back meetings to fill everything out?

Think of all the meetings you would have to hold if you were to fill out everything yourself. First, prepare and organise a kick-off meeting. This entails understanding the GDPR with all its intricacies and condensing it into a workshop for the other departments and people. After your initial meeting, you would still have to make people write down or otherwise record all the ways in which they use data. Then follow-up meetings, ensuring everyone delivers on time, clarification meetings and what not. This would be the norm!

With ECOMPLY.io, you can simply add people from different departments to work on their activities and track the overall progress.

Do you want Excel sheets and more Excel sheets and more Excel Sheets?

Don’t forget that this means an unimaginable number of Excel sheets. Imagine every department filling out all their activities and all the details they collect, from the names of their users or consumers to their login dates and what not. Then you have to extract the relevant information from all these department-specific reports and combine them according to the requirements of the Data Protection Authorities.

With ECOMPLY.io, you can generate this report with one single click.


Here is a table we compiled that can further help you with the comparison:

If you have any questions about the GDPR, book a free demo with us now!