GDPR Readiness Survey for Software and SMEs

A comprehensive GDPR Readiness Survey Report on how software companies and SMEs prepared and currently operate under the GDPR.

GDPR, you’ve heard of it, probably feared it, but you cannot ignore it. If you are like us, you wanted to get everything ready for the May implementation or, in contrast, you might have thought ‘I doubt any other startup/SME will become compliant, I won’t bother yet’. Well, we wanted to put both sides of the argument to the test and so carried out extensive research on just how GDPR ready Software Industry and SMEs are, what their problems were and how they view their activities in line with GDPR.

Why did we bother?

As a GDPR Compliance Software company, we wanted to find out the state of the market and whether our solutions is useful, as well as how we can improve to offer more value.

Although we are GDPR ready ourselves, we needed to understand some of the barriers companies are facing in becoming fully compliant, where they are in the process internally and what they think of GDPR, so we set out to investigate using a number of questions to get the most out of our respondents.

Data we collected

In this GDPR Readiness Survey, we investigated 100 different software companies and startups of varying sizes, ranging from 1-250 employees in order to get varied data from all companies across the spectrum . We collected the survey in a GDPR compliant way. Here is a breakdown of some of the demographic data we employed:

  • 1-250 employee companies.
  • Worldwide locations, but operate in the EU or store EU citizens' data.
  • We opted for quantitative & qualitative data.
  • We combined open ended questions with multiple answer questions.
  • We investigated the biggest challenges SME and software companies faced in being GDPR compliant.
  • We offered different aspects of GDPR requirements and requested respondents mark with which they comply with and leave blank those that they do not comply with.
  • The respondent’s annual budget for compliance efforts.

What did we find?

Our results from GDPR Readiness Survey were quite surprising, and illustrated a fairly accurate environment surrounding GDPR in the real world.

Although GDPR can bring about heavy fines, we are yet to see any real world examples of these fines in full swing, and with 50% of our respondents indicating they managed GDPR compliance internally without the consultation of an external body or an external lawyer, we may see that change in the near future as those companies that misinterpreted the regulations come to light. Companies became compliant to serve their customers better, as indicated by Marcin from Survicate.

We do our best to implement services that fulfill our customers’ needs. One of the most important customers’ requirement is the security of their data. That is why for us it is paramount. Survicate understands how the fulfillment of GDPR obligations improves protection of our customers’ data.

In contrast 42% of respondents contacted a lawyer to advise on GDPR compliance, but it’s a likely trait of larger businesses to put more resources into legal help compared to the 50% who didn’t, who are smaller and so less likely to bring in external aid.

Since lawyers are important for GDPR compliance, Peter Sterkenburg from Leadfeeder wants a more robust way to prove GDPR compliance by external lawyers and third parties.

A healthy angle to responsibly consider using personal data. I really do miss proper certification mechanisms though. Still very little movement on that. I am also looking forward to the PECR and what that brings.

So how many companies were GDPR compliant?

What we found interesting though, was that 52% of survey respondents believed that they are fully GDPR compliant - an indicator that there is a lot of groundwork to cover up in small businesses and software companies industry wide. The reasons for this low number of that metric were also surprising, and that smaller businesses are less inclined to comply compared to the larger companies with more resources.

However, Joi, believed differently, CEO of Crankwheel. He said:

We took a mostly manual route with e.g. implementation of data subject rights and how we implement DPAs (it's a manual customer support procedure that we've trained our support folks in). If we see significantly more requests regarding data subject rights, or significantly more customers, we are likely to invest in tools to help with these, either built in-house or sourced externally. Same goes for our employee training etc., we are very small for now but when we grow we would be somewhat likely to invest in a tool that would help with training and compliance certification (even if not formal certification). We have a quarterly process in place to update procedures, training materials, perform new risk analysis etc. and for this, so far, Google Calendar + Google Drive (docs and spreadsheets) have proven to be enough.

Jim from Dynamic Signal spoke in the similar fashion.

Our GDPR efforts were comprehensive and we invested many cross functional resources as well as bringing in external consultants and legal support to ensure we were following all of the guidelines for GDPR and fully protecting our investors, employees, end users, and most of all our customers.

Of those that were compliant, the two main reasons for investing in GDPR compliance were in fact meeting the newly increased customer expectations and in order to circumvent the likelihood of lawsuits for non-compliance, especially given the nature of software companies and the amount of cyber threats they are up against daily.

What were our respondents reasons for lack of GDPR compliance?

Further to this, our GDPR Readiness Survey found 38% of companies believed the new regulations were too complicated, and rightly so. The idea of GDPR was to remove any kind of uncertainty or loophole opportunities from previous legislation, as well as unify the European stance on data handling and processing.

Olga, the Marketing Manager at Chanty, was also confused with the new regulation and she said:

GDPR is the 88-page monster that has struck fear into the hearts of companies slowing down growth and blocking effective marketing efforts. As a result, inboxes were swamped with GDPR consent emails that were deleted in bulk without even opening, not even speaking of giving consent. Companies had to delete entire blasts of emails from the databases that took years to build. As internet user, I don't feel the difference after May 25th. As a marketer, I feel GDPR definitely doesn't contribute to development and innovation in European business sector.

In our opinion the GDPR leaves too many grey areas in certain business environments where what should have been black and white rules are now open to interpretation. This is compounded the fact that most companies didn’t have a dedicated GDPR consultant or compliance team, with only 22% reporting compliance was managed by IT and legal.

Of those that were compliant, what steps had they taken?

Despite a clear lack of monetary investment in GDPR compliance, it was great to see that most companies, regardless of size, took steps and measures to comply with GDPR, with all software companies and SMEs we surveyed reporting that they updated their Privacy Policies to acknowledge GDPR and explain how they were taking steps to be compliant.

Adam from Better Proposal says about the GDPR:

GDPR is a step in the right direction. It's been a long time coming and it's good for businesses and consumers to have a standard in place. It's important to us to make sure people feel safe using our software and GDPR is a good "badge" to have to show you at least take it that seriously.

Software was the name of the game

The startup mentality was in fact in full swing here, as many respondents admitted to using a third party compliance software tool, instead of lawyers support, to quickly handle generating a new Privacy Policy and Cookie Consent document, although how accurate those policies are in line with GDPR and the businesses using the software is unknown.

Of all steps necessary for GDPR compliance, we found (without surprise) that vendor compliance was in fact the area with least focus from our respondents. We believe this to be not from a lack of effort, but from a lesser understanding of how to obtain the necessary documentation and agreements from third party services and data processors they were using in the course of providing their software or products. This is an area we would like to see improved by the GDPR committee, as obtaining the correct information from business critical third party processors (like analytics software, data enrichment services etc) is somewhat of a grey area, especially for smaller companies who cannot dedicate the time and resources to seek that information out from its partners.

Talking about the transparency & data processors with the third parties, Sander from Unless said:

Oddly enough, new privacy laws like GDPR have actually made it easier to do it right, by highlighting the need for transparency and compelling business owners to understand what kinds of data they collect and how they use it.

Additionally, in our GDPR Readiness Survey, 50% of software companies and SMEs we surveyed indicated that they had conducted Data Protection Impact Assessment and Data Mapping, which is a good foundation for compliancy but there is clearly room for improvement. As expected, due to the small size of most of our respondents, the budget to invest in GDPR compliancy was only €5000 annually, so it would be unfair to expect full compliancy soon after the regulations’ effective date.

GDPR Readiness Key Statistics

Overall, GDPR readiness in software companies and SMEs is an ever changing, dynamic landscape of variable compliance levels depending on budget, size of company and departmental dedication.

With regards to GDPR compliance in software companies and SMEs, what we gathered overall illustrated the following:

  • More than 52% of the companies surveyed think they are GDPR complaint (according to our GDPR Readiness Survey).
  • The two biggest reasons for investing in compliancy was the fear of lawsuits and meeting customer expectations.
  • 38% of companies think that the law is too complicated.
  • All customers have updated their privacy policy documentation in line with GDPR.
  • Privacy Policy and Cookie Consent documents are compiled using third party software tools instead of internally for the majority of respondents.

48% of surveyed companies think that GDPR has neither a positive nor negative impact on their business operations.

If you're still trying to learn more about the GDPR and want to become compliant. Get this free GDPR Guidebook.

Appendix:

Below are the questions and survey results from our GDPR Readiness Survey for your own interpretation

What is the employee count of your company?
Employee Size (GDPR Readiness Survey Question 1)
Where is your headquarter based?
Geographic Presence (GDPR Readiness Survey Question 2)
Do you get external help for the GDPR?
External vs Internal Help (GDPR Readiness Survey Question 3)
Which department is leading/responsible for your GDPR efforts?
Department Role in the GDPR (GDPR Readiness Survey Question 4)
Which of the following best describes your state of GDPR compliance?
Current State of GDPR Compliance (GDPR Readiness Survey Question 5)
What were your reasons for investing in GDPR compliance?
Reasons to invest in the GDPR (GDPR Readiness Survey Question 6)
What is the biggest challenge about the GDPR?
Biggest Challenge in the GDPR (GDPR Readiness Survey Question 7)
Please choose the key requirements you have already executed:
GDPR Requirements Executed (GDPR Readiness Survey Question 8)
Please choose the key requirements you have already executed with a software service:
GDPR Execution with a Software (GDPR Readiness Survey Question 9)
GDPR Budget Distribution
Annual Budget for the GDPR in SMEs (GDPR Readiness Survey Question 10)
What was the impact of GDPR Compliance?
Impact of the GDPR (GDPR Readiness Survey Question 11)
Now that the 25th May GDPR deadline has passed, how will the data privacy management change at your company?GDPR Readiness Survey Question
GDPR Importance after 25th May (GDPR Readiness Survey Question 12)
Do you plan to increase investment in technology and tools to support your ongoing GDPR compliance efforts? GDPR Readiness Survey Question
Investment in technology for the GDPR compliance efforts (GDPR Readiness Survey Question 13)

Below is a list of those companies which supported this survey and agreed to the publication of their names.

https://salesflare.com - An Intelligent Sales CRM for teams who thrive on technology

https://www.poptin.com - A Lead Conversion Platform

https://lemlist.com - A Conversational Email Outreach Platform

https://www.visitor-analytics.io/ - The friendliest way to view your website statistics

https://www.proposify.com/ - Get the business proposal software that streamlines the creation of quotes, contracts, and other sales documents

dynamicsignal.com - The Employee Communication and Engagement Platform

https://crankwheel.com/ - CrankWheel enables you to add a visual presentation to your phone call in 10 seconds flat. Any browser, any device, works every time.

https://contentstudio.io - The only platform you will ever need for your content marketing and Social media management.

https://www.growthdynasty.com - A Tech Marketing Agency

Publbox.com - Now You Can Create, Organize and Automate All Your Social Media - From One Place

AcademyOcean.com - Use Academies to get new leads and to turn them into loyal customers

www.albacross.com - Albacross tells you exactly who’s visiting your website and how to reach them..

www.sendpilot.co - You won't need a social media team if you use SendPilot

www.meetnlearn.com - Marketplace for online & offline tutoring

www.wunderx.com - Enabling Equipment Data Mining: Edge is coming.

starhunter.com - All-in-One Solution for Recruitment Agencies

https://www.heysuccess.com/ - a default platfrom for international student mobility and recruitment.

https://kyvio.com - We Help Trainers and Coaches Sell More, Sell Faster

https://www.receptive.io - Leading B2B SaaS companies use Receptive to build winning products

https://www.sendinblue.com/ - SendinBlue empowers businesses to build and grow relationships through marketing campaigns, transactional messaging and marketing automation.

ryd.one - Your Car Assistant

https://www.chanty.com - Join Chanty – simple AI-powered team chat. Get unlimited message history free forever.

https://betterproposals.io - Online Proposal Software

https://demio.com - A Webinar Platform Built for Marketing

https://www.flipsnack.com - Digital flipbook maker for stunning magazines

https://survicate.com - Survicate is the fastest way to collect feedback from customers.

Easyecom.io - Best inventory management software, a key to rule in eCommerce industry

https://competitors.app - Track Competitors Software Tool

https://rocketlink.io - Track and retarget any link you share

http://www.subbly.co/ - A subscription ecommerce platform for entrepreneurs & marketers

www.munevo.com - Munevo wants to support people with disabilities to live independently by using smart technology

https://unless.com/ - Personalize your website to give your visitors the unique experience they deserve.

www.climedo.de - The intelligent research database with integrated electronic research management


We Converted 50% More Leads with Cold Calling After GDPR [Case Study]

GDPR.

Nightmare, you’re thinking, right? You wouldn’t be alone in this assumption – we’re getting more and more people ask us for help, and we’ve seen hundreds of thousands scour the web for GDPR related information like how to stay compliant, establishing a GDPR legitimate interest and how the legislation affects cold calling.

Still thinking nightmare? You probably are, and that’s fair enough.

But, we are here to help – we’ve compiled some of our thoughts, advice and how to’s on establishing a GDPR legitimate interest, cold calling while staying legal and background info on the new regulations.

Let’s jump right in!

So, as I’m sure you know, GDPR has been on the tip of the tongue for all businesses regardless of size in the past year, with hundreds of GDPR consultants, advisors, software solutions and GDPR auditors starting up all around Europe. All of which aim to provide a solution to achieve GDPR compliance with the regulations implemented on the 25th May 2018. Let’s take a look at what GDPR actually is, the associated fines for non compliance and how it is impacting the worldwide business environment, including GDPR’s influence on cold calls and establishing a GDPR legitimate interest for outbound marketing and sales.

So What is GDPR?

The General Data Protection Regulation 2016/679, commonly abbreviated as GDPR, is a set of rules and regulations that stipulate the collecting, handling and processing of personally identifiable information (PII) such as names and addresses, IP addresses, banking information and any other data type that can be used to identify a living individual. Not only this, it provides EU residents more control over the data companies store on them, offering more power to view and request the removal of that data should they decide they want to be forgotten.

The GDPR is designed to replace the antiquated Data Protection Act and other European country equivalents, GDPR acts as a blanket regulatory system governing businesses located inside the European Union, but also requires compliance by companies situated outside of Europe that collect and process the PII of citizens in Europe. Safe to say, it’s not something that can be easily avoided.

The regulation set had been in the design process for a long time, with the aim of encompassing all potential scenarios that businesses might face in order to avoid ambiguity or grey area exploitation (although, many argue the GDPR’s regulations are widely open to interpretation).

Additionally, the purpose of the new GDPR implementation is to take a much tougher stance on how companies and businesses handle the PII of individuals, with the intent to place restrictions and minimise mass marketing, automated cold calling and spam to individuals and businesses unless there is a GDPR legitimate interest for these efforts.

Additionally, data protection legislation throughout Europe had been previously broad and differing from member state to member state, resulting in a confusing process for compliance auditing internally and by external compliance processors. GDPR is designed to harmonise data protection legislation across all EU countries, resulting theoretically in a much more sustainable and straight forward road to compliance and protection of EU citizens’ data.

Meanwhile, the potential fines for non-compliance, which were previously viewed as a speeding ticket for major corporations such as Facebook, Google or other large entities, have now been greatly increased in order to displace incentives for these large corporates to abuse the rules, with the potential to take into account the company’s revenue to ensure the fine is proportional to the their wealth.

How big are the fines?

The newly enforced levels of fines has garnered a lot of media attention and will likely worry the big Fortune 500 companies – no longer can they get away with gross data protection breaches with a cheap get-out-of-jail-free card. With a maximum GDPR fine for non-compliance running at potentially 20 million Euros, or 4% of the company’s annual turnover (whichever is greater), it will be a significant loss for falling foul of the GDPR requirements.

These are of course proportional to the level of non-compliance and the GDPR governing body allows supervisory committees in EU member states to make a judgement call and enforce less severe actions such as reprimands, warnings, or smaller fines. Still, most companies should and are endeavouring to ensure compliance. On the smaller scale, fines can be 10m Euros, or 2% of a company’s annual turnover, for less critical or large scale breaches, but which still should have been prevented.

How is it affecting the world of business and cold calling?

There has been much controversy and questions about how the GDPR will affect traditional sales and marketing efforts, such as cold calling. Now, if you found this article to discover how it will affect you, please be reassured – cold calling is not dead and the GDPR will not affect B2B efforts in the extreme case you are imagining. There are however, some suggested methods of GDPR cold calling you may not have previously employed which will only help you stay on the right side of the law, and we’ll investigate those below. Just a heads up – we are a GDPR documentation, auditing and service provider and selling to privacy professionals is no mean feat, so if we can’t stay compliant then how will anyone?

When cold calling with the intention to stay GDPR compliant, there are a few things to note. You need to have established that the business you are reaching out to has a legitimate interest in the business services you are offering. A legitimate business interest will allow for full compliance and will not be considered a spam or unsolicited marketing effort under GDPR, but you must really consider whether it is legitimately of value to your prospect (i.e. you can’t just say it is when you and everyone else knows it’s irrelevant, which is bad sales technique anyway). With B2C scenarios, we suggest to avoid cold calling altogether as usually these fall foul of GDPR cold calling regulations.

GDPR Cold Calling

How We Cold Call, Establish a Legitimate Business Interest and Stay GDPR Compliant

Any kind of outbound sales efforts come with their own set of challenges when it comes to GDPR and data protection legislation, whether that is for companies governed by GDPR or other regulations like those found in the USA such as SPAM. As a company that specialises in GDPR compliance, we must always comply, usually more so than most other regular businesses, but we need to also prospect and push our sales efforts in order to survive. So, let’s take a look at some of the main pointers in how we carry out sales efforts, establish a legitimate business interest and stay GDPR compliant. Daniela Duda, one of our experts, explains legitimate interest.

What is legitimate interest?

This is how we prospected and conducted cold calls, while also staying compliant with GDPR:

  1. First, we prospected using LinkedIn and Xing in order to make use of the mass of highly targetable data they offer. We set our sights on Data Protection Agencies, who usually only have around 1-10 employees so reaching a decision making unit was likely.
  2. We did not store any personal information on our prospects. Company name and business telephone number was sufficient for us to carry out our GDPR cold calling activities.
  3. This one is interesting. Instead of directly calling an individual at the business, we called the generic line and asked the operator/switchboard to connect us with the relevant person who makes strategic decisions regarding partnerships. Although this is an extra step, it just strengthened our ability to stay compliant.
  4. Although our sole intention was to increase sales (as with any sales call), the way we pitched and structured the call was focused on establishing a mutually beneficial partnership between ECOMPLY.io and their agency.
  5. Again, as they are an agency focused on data protection compliance, and ECOMPLY.io provides GDPR Compliance Software Solution, there was a clear and indisputable legitimate business interest for them to receive our sales call and for us to reach out to them, thus preventing any GDPR related issues. We also used them as an indirect channel partner, where they could potentially promote the product to their clients or partners, meanwhile selling a license to them as well, so it was a win-win for us.
  6. We also understood their problems very well and crafted a sales pitch that they wanted to hear by addressing their problems directly. Data Protection Officers (DPOs) in Germany have many clients because the law says any company that has more than 10 employees need to have a DPO. Therefore, this role is mostly outsourced. Hence, the pitch to the problem was very targeted. External DPOs want to save time, manage multiple clients and look professional. That’s what we pitched them.
  7. Finally, and this is very important, we respected their right to refuse the call. If they were not interested, we did not follow up or continually call them to convince them, we just moved on.

What Was Our Success Rate?

Good question. We, luckily for you, gathered our metrics for our GDPR cold calling campaign here at ECOMPLY.io, and have some interesting results for you, have a peak below:

Metrics:

  • We successfully reached 29% of prospects we reached out to. This was pretty good taking into account how people usually ignore sales calls. Generally, if you’re reach rate (directly reaching the prospect you need) is below 15%, we suggest you change your approach to cold calling so as not to waste time.
  • Of those that we reached, we were able to qualify 69% of them, meaning they were a good fit for our product and we knew we solved their problem. Similarly, if your qualification rate is below 30%, you need a new list of more relevant leads (don’t go buying generic leads, please!)
  • We were then able to convert 51.7% of those that were qualified, which we were pretty happy with. Again, if your conversion rate is below 50%, you need to work on your pitch. Conversion means either demo or sign up by the prospect.

These metrics were taken from Steli Efti’s Close.io Blog.

Overall, we were pretty happy with these results. We have a little improvement on our pitching side to get that conversion rate up a little, bit so far it was a successful campaign and we’ll continue to invest time into GDPR cold calls – and you should too!

And finally, we’ve mentioned it a lot. What is a legitimate business interest, and how do I establish one in B2B sales?

Establishing a legitimate business interest is crucial for B2B sales and marketing efforts when you do not have prior opt-in consent. Although somewhat of a grey area, a legitimate business interest can be thought of similar to how a B2C organisation might think when marketing to a customer who has already purchased from them. For example, the business prospect should operate in the same niche or market as you, and you can therefore have good reason to believe that the party is interested in your services, thus giving you some ground to cold call.

Additionally, companies often list contact information for certain personnel publicly on their website in order to receive valuable business propositions (it’s hard to operate a business in complete isolation). This gives you a fairly strong indication that it’s okay to call the relevant company to discuss a legitimately business proposal without fear of repercussions. However, before doing any cold call, we do suggest doing your legitimate interest assessment. Here’s the resource for the legitimate interest assessment.

Roundup

As you can see, it’s not as scary as you first thought right? You don’t have to close down shop or look elsewhere for work – you can still carry out your sales processes and cold calling as long as you have that all important GDPR legitimate interest. Really, all it boils down to is respecting other’s privacy, not being irresponsible when it comes to personal data and making efforts to stay compliant. That way, you’ll avoid those fines!

Want to hear more from us? Give us your details, we will only use your email address to send the data protection and privacy news, updates and content. By giving your details, you are agreeing to our privacy policy.

 

 

Disclaimer: This article is not legal advice so please seek professional legal advice to discuss your specific circumstances.


GDPR Checklist

The Most Comprehensive EU GDPR Checklist

GDPR ChecklistThis GDPR checklist has been crafted in according to the GDPR compliance. Moreover, this is the only GDPR checklist you will ever need.

Before going through the GDPR checklist, it is important to repeat some basic steps. The first starting point is to know about the general rights that your customers/users will have:

Data subject rights: these are rights of your customers and users under the General Data Protection Regulation (GDPR).

Data portability: the right of an individual under the GDPR to transfer their data to other data controllers. Essentially, this means that consumers can move from one company to another through quick and efficient data transfer

The right to be forgotten: customers/users can ask you to delete all their data

The right to prevent profiling: this can be through automated decision-making or through other forms of decision-making, that processes personal data of an individual and reaches conclusions about that individuals.

The right to object to processing: your customers can restrict you from processing any category of their data that you have.

The right to rectification and erasure: this refers to editing data and restricting access to certain types of data.

Subject access requests (“SARs”): these are requests that your customer/user can make at any point in time asking you for data that you have on them and how it is used.

Reiterating the Basic GDPR steps

First, take stock of all the data that you are collecting and processing. If you are a controller, ask yourself why you are collecting this data as a guiding principle. If you are a processor, ask yourself: on whose behalf are you collecting this data. This is the most crucial part of our GDPR checklist.

  1. Appoint a DPO:

A Data Protection Officer can be internal or external to your company. If you appoint someone internally, make sure they have autonomy as well as access to the Managing Directors and upper management. This is primarily so that they can carry out their data protection duties and responsibilities independently without undue stress and blockades. Once this is done, sign an agreement with the relevant person. One prerequisite for assigning a Data Protection Officer, according to the legislation, is that it should be someone with a reasonable capacity for the job. That means your DPO should have a comprehensive understanding of the General Data Protection Regulation (GDPR).

 

It is necessary that you appoint a Data Protection Officer DPO:

1.1. If your organization’s core business includes processing massive amounts of personal data as well as monitoring your users or as is known in GDPR lingo: Data Subjects. Personal data is the following types of data:

  • Data that allows for direct identification of information such as a person’s name, surname, phone numbers among others.
  • Pseudonymous data or data that non-directly identifies the information of a Data Subject: which does not allow the direct identification of users but allows the singling out of individual behaviors for example through targeted advertising:  to serve the right ad to the right user at the right moment.

1.2. When your organization deals with a large amount of sensitive data that is one of the following data:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health or a natural person’s sex life and/or sexual orientation

2. Data-mapping:

The second most important part of the GDPR checklist is to make a map of all the data and specify all the departments that touch the data in its collection and processing. The data that is being used needs to be categorized for its legal basis to become clear. The legal basis could be consent, legitimate interest and contractual necessity among others.

To assess where data is traveling through you need to create a mind-map for it to help guide your processes of compliance.

3. You should make sure to document all aspects of your company’s interactions with data. Here are the questions you should be able to answer:

Why was the data gathered in the first place? What is its purpose?

Upon what legal basis are you justifying holding that data? Consent or legal requirements?

3.1. Record of Processing Activities will be under this step.

Think of all the steps in your mind-mapping process. Who has access to the data at each step? Through documenting your processes, you will have a much clearer and a better understanding of your own company’s data collection and management strategies as well as what the compliance process entails for you. One definite piece of documentation that you need to do is a data protection impact assessment (DPIA).

3.2. Vendor Management

How are you protecting that data from breaches? What else is that data being used for? Make sure you have listed all your vendors and your customers/users know that you are sharing their data with other parties.

4. Data Breaches

Be honest and transparent about any data you collect. In the case of a breach, people will disclose any data they gather. Your customers need to be aware of what data you’re storing. Here you can read more about how modern businesses need to think about data: https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust

Security breaches that target the data that your company collects and processes can take place and need to be dealt with along the guidelines provided by the GDPR. The crucial point under the GDPR is to inform your user/customers of the breach. Given the importance the EU has placed on personal data, this does not come as a surprise that the relevant stakeholders be made aware when their data has been touched by, no matter how briefly, by other parties that did not have authorization through consent. In such a case, the relevant Data Protection Regulatory body must be informed within 72 hours of knowing about it at the latest.

The same time limit applies to the data subjects whose data you collect and use. The company must contact all individuals and make them aware that their data has been breached. However, companies do not need to have this measure or practice in place: if the data has been encrypted to the point of being incomprehensible or if the data controller has taken the necessary steps to make sure the breach doesn’t put rights or freedoms at risk. If it would take an unprecedented effort to contact every Data Subject individually then a public announcement would also fulfill this requirement.

5. Data Subject Access Requests:

This is the crucial part of the GDPR checklist since it was not available in previous data protection laws. This is one of the basic rights that the GDPR sets out for consumers. This essentially means that data subjects can at any point ask you about what data has been collected by your organization. These access requests cannot be charged for even if it takes a lot of time for you to deal with them. Moreover, they need to be responded to by the data controller within a month. The legislation also sets out the general principle for when a Data Controller can charge the subject for relevant administrative costs if it can be demonstrated that the request is “manifestly unfounded or excessive”. This way, it balances out the individual rights and the company’s rights as well to receive some protection against abuses of this provision. Here is a basic summary of this article as outlined in the GDPR:

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

6. Technical Checklist
As part of GDPR checklist, this checklist will guide you through the technical steps that your organization needs to take.

6.1. Make sure your domain names are secured. You can do this by either renewing them regularly or if you buy them from a third party then you need to make sure that the configured name server that is authoritative is your own and make sure your critical services are secured.

6.2. A lot of companies have Google Apps, Slack, Wordpress that they use in their daily business lives. These services all have default settings that should be improved to increase the security level of your organisation. You also need to ensure that all your services and apps are updated so that new security settings, as well as GDPR compliant settings, are implemented. Here’s one source you can look at for inspiration on making your Google apps more secure: https://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/

6.3. As tempting as it might be: Do not share Wifi
Shared workplaces are quite a norm these days which consequently means sharing Wifi networks among companies, guests, students or neighbours may open you up to risks of security breaches, for example, people could gather information that is on your network, and might even allow people to access resources protected by source IP. Make it a habit to change your password periodically.

6.4. Develop and communicate a security breach incident response plan

This will allow whoever is in charge at the time of a breach to communicate accordingly about an incident and will allow the fastest response in technical / communication terms.

6.5. Incentivize finding bugs
You could potentially have an external or internal bug bounty program that will incentivize external hackers as well as internal employees to report vulnerabilities. Once reported these vulnerabilities need to be checked by developers or other inside your development teams with the know how to evaluate any reports you receive

6.6. Educate your Technical and Non-technical employees

Quite often your employees and human capital will be the ones who might make you more vulnerable which is why it is imperative that you make sure they are aware of how hackers or other parties can infiltrate your company. By increasing their level of awareness, you are reducing the risk of them falling into a trap. Usually, companies forget to train their non-technical employees. However, they might be the ones you would want to train even more carefully since they lack the expertise to recognize and deal with such cyber-attacks and vulnerabilities.

6.7. Include using 2-factor authentication in your employee handbook as a rule

This would ensure that all accounts of your employees are safe and in case their password gets stolen, the attacker still cannot have access to their accounts and your company’s information in these accounts. As a CEO/CTO/CSO, your role is to make sure everyone complies with this rule. Using a complex and unique password for every website is great advice, but it can be very difficult to recall passwords

Password managers are a great way to manage these since they will remember everything for you with a master password.

6.8. Encrypt the devices

By encrypting company laptops and phones, you protect your company’s assets. Before doing this, you might want to take stock of all your company assets and perhaps segment the employees into categories of security levels needed in line with their jobs.
Here are some sources you can read on for encryption related procedures: https://support.apple.com/en-us/HT204837
https://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption

6.9. Encourage best practices like “locking” devices and strengthening passwords
Whether employees are leaving the desk for a minute or an hour, encourage them to lock their devices and make it a habit. This would protect your company assets from attacks as well as random accidents. Remember your work environment might be secured but at one point or another, you will have external guests or candidates for interviews who could potentially have access to your data sometimes even by a quick glimpse of a screen. Moreover, when your employees are traveling or go to meet-ups, this habit would help them keep company information secure. You can research password managers, pick a good one and suggest it to your employees.

HR Checklist 

This HR checklist is mostly part organizational measure and part technical measure under our GDPR checklist.

  1. Create a data log: consider what data of your employees you process and create a log as part of your Record of Processing Activities (RPA). As is stated previously you need to specify the following to document the data to be compliant:
  • the type of data (e.g. personal, or special personal (which used to be called sensitive))
  • The categories of data (e.g. recruitment information, bank details, performance information, absence details)
  • Who the data concerns (e.g. employees, next of kin, applicants for jobs etc.)
  • Who has provided the data to you (e.g. the applicant/employee themselves, credit reference agencies, recruitment agencies or other employees)
  • Specify your legal basis to process (e.g. to perform the employment contract, complying with a legal requirement or legitimate interests or other. Consent as a legal basis when it comes to HR related tasks will rarely apply. Think of the legal requirements that you need to fulfill as a legal basis to justify collection and processing (for e.g. complying with employment law or assessing the working capacity of an employee).
  • The purpose of processing (e.g. to pay the employee, for tax reporting purposes, to manage performance)
  • Where and how the data will be stored and who will have access to it for e.g. HR software, tax consultant, printed payslip files
  1. Data transfers: update your vendor list and log it separately. You should also include any events of data being transferred, including who data was transferred to, when it was transferred, where they are storing it, and how you transferred the data. If you are transferring any personal data outside of the European Union (EU) you need to specify what protections are in place and also sign the relevant Data Protection Agreement with your partners.  
  2. Specify when exactly data will be deleted: here you can segment your Data Subjects into employees, applicants or any other categories that make sense for your case. For instance, for a job applicant, you could make it a part of the policy to delete the data periodically of rejected employees every month/quarter. However, you need to be able to justify this time period.
  3. Do you carry out any automatic decision making or profiling for e.g. electronic recruitment sifting based on academic achievements, psychometric testing or other metrics? Add it to your RPA
  4. Do you need to carry out a data protection impact assessment and when you are likely to need to do so in the future (e.g. due to the fact that you carry out or will carry out high-risk processing or will be introducing new HR technology)
  5. Check your IT infrastructure allows you to be compliant Your IT infrastructure will be highly relevant to two main themes in terms of GDPR compliance – security and employees’ rights. Security issues:
  6. Consider Employee rights: Do your automated decision-making processes allow you to deal with objections and involve a human decision maker if requested?
  7. How will you respond to Data Subject Access Requests: Can you easily search for all data relating to a particular individual? This will make responding to subject access requests from your employees or prospective employees much easier. Can your employees restrict the processing of their data? Or correct errors?
  8.  What processes do you have for an employee to exercise their right of objection? Do you have the responsibility assigned to a relevant person?
  9. How will you achieve the deletion of personal data, across the business, at an employee’s request in relevant situations?
  10. Is exporting data from your system possible? .csv, .pdf, or .txt files are commonly accepted formats. This will allow you to manage the portability or in layman terms, it would allow you to transfer the data to the employee or to a future/former employer at their request.
  11. Update your data protection policies and employment contracts: Once you have made all the necessary changes it is imperative that you also inform all your employees and other stakeholders when necessary.
  • Privacy notice to staff
  • Data protection policy
  • Data breach reporting policy
  • Subject access policy
  • Data retention policy
  1. Ensure staff has the correct training Make sure all your employees receive an adequate level of training for handling personal data, specific to their job role. They must be informed of the correct policies and procedures. Training needs to be refreshed on a regular basis and you need to keep records of the training provided.
  2. Assess and take necessary measures with all your partners that in some way touch your data.

Sales & Marketing Activities related to the GDPR Checklist

This must be new and the toughest part of the GDPR checklist, since it is takes time.

1. Check and audit your mailing lists. Basically, you need to remove anyone from whom you do not have an opt-in and or have not recorded this opt-in. For new subscribers, make sure that the potential subscriber confirms that they want to join your mailing list by sending an automated email to confirm the subscription.

2. Review the way you are collecting personal data. Are you still buying mailing lists? If so, now might be the time to start fresh with a new mailing list which you have obtained from informed customers and have a legal basis for collecting their e-mail addresses. Delete all e-mails that you haven’t obtained with the proper consent or legal basis. Some ways to still acquire users or convert visitors from your website can be done by offering visitors to your website the opportunity to add themselves to your mailing list using a pop-up on your website.

3. When taking consent to make sure you provide a link to your privacy policy to ensure compliance that tells people exactly what you will do with the data.

4. Educate your Sales and Marketing Teams about what is legally possible and the practices that they need to drop for instance: cold emailing/cold calling (where the e-mail address and/or phone number has not been taken through proper consent).

5. Make sure your customer data is part of your Customer Relationship Management (CRM) system. This will help you with allowing users to edit their data, review how exactly it is being used and accessing it in a machine-readable format.

6. Collect data that is necessary for your sales or marketing effort. Ask yourself, which categories of data do you actually need, and which ones can you simply delete. When it comes to signing up forms, only ask for elements you need and will use.

7. If you do not already have it, try out push notifications. Marketers can use push notifications to send a message to subscribers at any time. They are especially helpful in the post GDPR world because they do not process personal data (IP addresses are anonymized) and ask for explicit consent to opt-in and receive notifications.

8. Make sure Privacy statement is updated, easy to read (not a 1000 pages long and without any lingo).

GDPR Checklist for Data Protection Impact Assessment for Projects

According to the GDPR, when an organization is undertaking a new project that has considerable risks when it comes to the freedoms and rights of individuals, in particular, pertaining to data protection. When organisations identify such a risk with a new or existing operation, these are the following steps suggested:

1. Figure out if there’s a need for the DPIA  – conduct an assessment and determine whether the inherent risks of the processing operation require you to undertake a DPIA. In general, these are some high-risk activities that you would probably need to conduct a DPIA for:

Large-scale processing of location data relating to individuals

  • General big data analytics
  • Large-scale processing of HR data with potential for significant effects on employees
  • Video/audio analysis tools
  • Creating large-scale individual profiles
    Analytics with significant effects for individuals
  • Reward programs that generate profiles
  • Fitness wearables and apps

2. Understand and describe the flow of information – create a map of how the information within the particular processing operation is collected, stored, used and deleted.

3. Identify all the risks – document the threats, their scope, vulnerabilities and the possible pertaining threats to the rights and freedoms of individuals whose data you collect and/or process.

4. Assess your privacy solutions – for every risk that you have identified to the personal data, do a cost-benefit analysis and decide on whether you want to accept the risk, reject the risk or accept it but with measures in place to reduce the impact of the threat.

5. Document the DPIA results – Create a report that is signed by the decision-maker. However, where there has been a high risk identified the DPIA report must be submitted to the regulatory data protection authority for consultation.

6. Incorporate the results into your project plan – make sure at every important project milestone that you refer back to your DPIA to ensure that when actions are needed to counter a risk they are actually taken.

Hope you found this comprehensive GDPR checklist useful. As a general principle, you should remember that any obscure collection and processing of data should be questioned. Educating your employees will always prove to be helpful in staying compliant with the GDPR. Is there something you find missing in this GDPR checklist? Work together with us on this checklist!

 

Image Credit: Pixabay mohamed_hassan-5229782/


Data Protection Policy

A Guide To Developing Your Data Protection Policy

A Guide toDeveloping a Data Protection Policy

According to the General Data Protection Regulation (GDPR), every company needs to have Data Protection Goals. These goals also need to be translated into policies in areas that heavily process data. There are numerous policies one of which is Data Protection Policy which sets some of the criteria that a Data Protection Officer has to follow.

A company needs to also ensure that the principles of the GDPR are incorporated into their organizational structure. This is a step by step guide for how an organization can have compliant GDPR policies within their organization. It will start off with a memorandum to the Board of Directors informing them of what the GDPR will entail for the company. It will then give you a basic template of how to inform your employees about the collection and processing of their data.

Memorandum to Board of Directors

To the Board of Directors [add your Company Name] and its affiliates (Company):

The EU General Data Protection Regulation (GDPR) will become effective on 25 May 2018. The GDPR will bring considerable changes to data protection laws in the UK and across the European Economic Area (EEA). It will include significantly greater fines for breaches of up to €20 million or 4% of total worldwide annual group turnover. This memorandum summarises the need for a Company-wide programme (GDPR Compliance Programme), requiring the allocation of resources, for compliance with the GDPR.

Issues Concerning Data Protection Under The GDPR:

Under this section of data protection policy, you should explain what type of data is being collected and processed for e.g. if personal data is held by the Company relating to customers, employees or any other parties.  The second part in this section should be an example of a map of Personal Data Flow. You need to clearly lay out how the data travels within the company and record whoever touches this data no matter how briefly. If this data is to leave the borders of the country your company is located in, make sure to mention that as well since it will require signing a Data Protection Agreement with your Vendors (international and local ones).

Reiterate in concrete terms what failure to comply would mean for the Company and the Board of Directors. You should also give a brief description of “Personal Data” as defined by the GDPR.

Here’s an example of how you can add both:

Personal data is defined broadly and comprises data relating to any living individual who can be identified from that data. Personal data and includes:

  • Social security numbers.
  • Telephone numbers.
  • Health information of, for example, customers and employees.

There are many potential ramifications of failure to comply with the GDPR, including:

  • Prosecution of or regulatory enforcement action against the Company, resulting in substantial penalties in European Economic Area (EEA) jurisdictions, including the UK, of up to 4% of an annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater).
  • Adverse publicity, potentially leading to reputational damage and lost customer trust.
  • Missed opportunities and wasted resources.
  • A variety of sanctions in different jurisdictions.
  • Increased scrutiny from data protection authorities whose confidence and powers are increasing substantially under the GDPR.
  • Civil liability or punitive damages for employment-related breaches.
  • Criminal liability for directors and senior managers resulting in imprisonment and substantial penalties.
  • Critical system delays and failures.
  • Orders issued by the Information Commissioner’s Office in the UK, and data protection authorities in other key markets, that seriously impact business. Investigative powers include a power to carry out audits, as well as to require information to be provided, and to obtain access to premises.
  • Business continuity issues.
  • Becoming embroiled in litigation and its attendant time, effort and expense.

An individual has a fundamental right in the UK and across the EEA to have their personal data protected and their personal data may only be processed (that is, obtained, recorded, held, used or disclosed) under certain circumstances. This has a wide impact on Company business.

The GDPR Compliance Programme:

A well-constructed and comprehensive Company-wide GDPR Compliance Programme can provide a solution to these various competing interests and represents an effective risk management tool. It is essential for compliance and for the purposes of informing your employees, customers, vendors, business partners, regulators and the courts that your company is, in fact, committed to the GDPR principles of data protection.

Board’s duty to know about and oversee the GDPR Compliance Programme:

You need to inform the board of what their duties and obligations are. Here’s an example of how you can do this in a comprehensive manner.

The Board has a duty to know about the content and operation of the GDPR Compliance Programme and to oversee its implementation and effectiveness appropriately. The GDPR’s new accountability principle requires data controllers to be able to demonstrate compliance with the GDPR by showing the supervisory authority (the Information Commissioner’s Office in the UK) and individuals how the data controller complies, on an ongoing basis, through evidence of:

  • Internal policies and processes that comply with the GDPR’s requirements.
  • The implementation of the policies and processes into the organization’s activities.
  • Effective internal compliance measures.
  • External controls.

Failure to comply with the accountability principle may result in the maximum fines of up to €20 million or 4% of total worldwide annual group turnover.

Implementing the GDPR Compliance Programme:

The pre-requisite for this section is to already have an idea of what your implementation plan will look like. If you do not yet have a plan on how you will ensure compliance within your company, make sure you make one first. You can also follow the steps below to make a skeleton of this plan. It is essential that you at least appointed a Data Protection Officer (DPO) have your Records of Processing Activities (RPAs) for both having a Data Flow Map as well as the basis of your plan. Here’s what you can do and subsequently communicate to your Board of Directors.

Data Protection Officer (DPO)

Under the GDPR it is now mandatory for the Company to appoint a data protection officer (DPO), reporting to the Board. The DPO’s role is to provide the knowledge, expertise, day-to-day commitment and independence to properly advise the Company of its duties and conduct compliance activities in relation to the GDPR.

However, taking into account the complexity and risks associated with the GDPR, we should consider carefully whether we should appoint a DPO, in any case, to report to the Board. The DPO would be responsible for providing the knowledge, expertise, day-to-day commitment and independence to properly advise the Company of its duties and conduct compliance activities in relation to the GDPR.

Organisational Culture

A co-ordinated chain of command (in which the Board is designated as having ultimate responsibility) will need to be developed, together with written reporting procedures, authority levels, and protocols, including seeking and complying with legal advice.

The Company should consider the establishment of a working group, drawing on stakeholders from across the business, to take responsibility for the day-to-day management of the GDPR Compliance Programme.

Standards and Procedures

The privacy policy, Data Protection Policy, IT Security Policy and Data Retention Policy [List any others] are key elements of the GDPR Compliance Programme. Amendments are likely to be needed to the existing policies. Separate policies may be appropriate where the Company collects different types of personal data for different purposes, such as marketing and recruitment. In each case, the policy needs to be accessible at every relevant personal data collection point, for example:

  • Call-center conversations.
  • Online account and job application forms.
  • Business acceptance procedures.

The Company will need to carefully review existing procedures in relation to obtaining an individual’s consent as a legal basis for processing personal data. For example, it will need to ensure that any consent obtained indicates affirmative agreement from the individual (opt-in) (for example, ticking a blank box). Mere acquiescence (for example, failing to un-tick a pre-ticked box) does not constitute valid consent under the GDPR. Furthermore, the Company must demonstrate that this explicit consent has been obtained, ensure that an individual can easily withdraw their consent at any time.

The Company must also be in a position at all times to respond quickly to any data subject’s request (such as for a copy of all of the personal data held or to erase all such personal data). This is likely to require substantial modifications to the Company’s technological infrastructure and its organizational processes.

Other channels may be needed in certain circumstances, for example, the staff handbook regarding personal data collected from employee monitoring.

A written and comprehensive information security programme is needed to protect the security, confidentiality, and integrity of personal data held. It should set out action plans for any security breach, disaster recovery, and data restoration.

The Company should develop appropriate contractual strategies and have access to appropriate templates as a risk management tool.

Under the GDPR, the Company will also be required to implement “privacy by design” (for example, when creating new products, services or other data processing activities) and “privacy by default” (for example, data minimization). It must also carry out “privacy impact assessments” before carrying any processing that uses new technologies (and taking into account the nature, scope, context, and purposes of the processing) that is likely to result in a high risk to data subjects, takes place.

The GDPR also requires businesses to notify the supervisory authority of all data breaches without undue delay and where feasible within 72 hours. The Company will, therefore, need to look carefully at its data breach response plans and procedures.

The above represents only a short synopsis of the requirements under the GDPR. There are many more that are not included in this note for the sake of brevity. Getting prepared for compliance with all the compliance requirements will need considerable planning across the Company.

Adequate Resources

Financial, technological and human resources should be sufficient to reasonably prevent and detect non-compliance and promote compliance with the GDPR.

Taking into account the number of employees, assets, turnover, Company business activities, a budget for [Insert Year] of £[Insert Amount] is proposed, broken down as follows: [Insert Breakdown Of Budget].

  1. Training and Enforcement

Effective compliance training programmes are required for personnel at all levels, including directors, heads of departments and key Company service providers. Bearing in mind the above factors, a formally documented training programme with employee evaluation and attendance certification should be put in place as soon as possible.

Serious misconduct should be addressed with appropriate disciplinary action, regardless of seniority. An anonymous whistle-blowing mechanism should be considered, but legal a should be sought before implementation in the UK and any other countries in which the Company carries on business.

Regular Reviews

From time to time, the GDPR Compliance Programme should be reviewed and updated in the light of new laws and business activities and changes to data flows and the introduction of new processing activities.

Informing your Employees

To establish data protection as a pillar of the organization and to ensure that all employees are on board and aware would set the premise for the culture and workings of the company in general. After informing your Board of Directors, it is also important that you conceptualize and get your agreements signed by your employees. This would work both as an agreement as well as an awareness step.

Here’s a template for your employees:

Privacy Notice to Staff

  1. What is the purpose of this document (Data Protection Policy)?

You have legal rights about the way your personal data is handled by us, [Insert Name]. We are committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect and use personal information about you during and after your working relationship with us. It applies to all employees, workers, and contractors. This notice does not form part of any contract of employment or another contract to provide services. We may update this notice at any time.

During your employment or engagement by us, we collect, store and process personal data about you. To comply with the law and to maintain confidence in our business, we acknowledge the importance of correct and lawful treatment of this data.

It is important that you read this notice, along with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you. This gives you information about how and why we are using such information. All people working in or with our business are obliged to comply with this policy when processing personal data.

  1. Our Role

We are a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. Data protection legislation requires to give you the information contained in this privacy notice.

  1. Data protection principles

We will comply with data protection law. This says that the personal information we hold about you must be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes that we have explained to you clearly and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited to those purposes only.
  • Accurate and kept up to date.
  • Kept only for such time as is necessary for the purposes we have told you about.
  • Kept securely.
  1. The kind of information we hold about you

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are “special categories” of more sensitive personal data that require a higher level of protection.

We may collect, store, and use the following categories of personal information about you:
[add all categories]

  1. How is your personal information collected?

Usually, we collect personal information about employees, workers, and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies [list them here, if any].

We will collect additional personal information during work-related activities throughout the period of you working for us.

  1. How we will use information about you

We will use your personal information only when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract that applies to our working relationship.
  • Where we need to comply with a legal obligation.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal information in the following situations, which are likely to be rare:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest or for official purposes.
  1. Situations in which we will use your personal information

We need all the categories of information in the list above (see the kind of information we hold about you) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information for our legitimate interests or those of third parties, provided that your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are as follows [add all the situations in which you will use this data. Some examples would be ascertaining the terms of work, deciding about employment or monitoring equal opportunities metric].

Some of the above grounds for processing will overlap and there may be several grounds that justify our use of your personal information.

  1. If you fail to provide personal information

If you do not provide certain information when we ask for it, we may not be able to perform the contract that applies to our working relationship with you (such as paying you or providing a benefit), or we may not be able to comply with our legal obligations (such as to ensure the health and safety of our workers).

  1. Change of purpose

We will only use your personal information for the purposes that we have collected it for unless we need to use it for another reason and that reason is reasonable and compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.

We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or allowed by law.

  1. How we use particularly sensitive personal information

“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the situations below:

  • In limited circumstances, with your clear written consent.
  • Where we need to carry out our legal obligations and in line with our data protection policy or other policy that applies to such information.
  • Where it is needed in the public interest, such as for equal opportunities monitoring [or in relation to our occupational pension scheme], and in line with our data protection policy or other policy that applies to such information.
  • Where it is needed to assess your working capacity on health grounds, subject to appropriate confidentiality safeguards.

Very occasionally, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

  1. Our obligations as an employer

We will use your particularly sensitive personal information in the following ways:

  • We will use information relating to leaves of absence, which may include sickness absence or family-related leave and related pay, to comply with employment and other laws.
  • We will use information about your physical or mental health, or disability status, to ensure your health and safety in the workplace and to assess your fitness to work, to provide appropriate workplace adjustments, to monitor and manage sickness absence and to administer benefits.
  • We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sex life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
  • We will use trade union membership information to pay trade union premiums, register the status of a protected employee and comply with employment law obligations.
  • List any other circumstances where you may process personal data that reveals Racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data; biometric data; health data; or data about an individual’s sex life and sexual orientation.
  1. Do we need your consent?

We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will give you full details of the information that we would like and the reason we need it, so that you can consider carefully whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.

  1. Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy or other policy that applies to such information.

Very occasionally, we may use information relating to criminal convictions where it is necessary, in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public

We [envisage OR do not envisage] that we will hold information about criminal convictions.

[We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.] [Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly from you while you are working for us.] [We will use information about criminal convictions and offences in the following ways: [add the list here]

  1. Automated decision-making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration.
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

If we make an automated decision based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

In case, no automated decision is made at your company, use this: [We do not envisage that any decisions will be taken about you using automated means, however, we will notify you in writing if this position changes.]

  1. Data sharing

We may have to share your data with third parties, including third-party service providers and other entities in the group.

We require third parties to respect the security of your data and to treat it in accordance with the law.

We may transfer your personal information outside the EU.

If we do, you can expect a similar degree of protection in respect of your personal information

  • Why might you share my personal information with third parties?

We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

  • Which third-party service providers process my personal information?

“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services OR The following third-party service providers process personal information about you for the following purposes: [add purposes].

  • How secure is my information with third-party service providers and other entities in our group?

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

  • When might you share my personal information with other entities in the group?

We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and the hosting of data [Describe other known activities].

  • What about other third parties?

We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.

  • Transferring information outside the EU (use only if it applies to your company)

We may transfer the personal information we collect about you to the following country/countries outside the EU [List companies here] to perform our contract with you. There [is OR is not] an adequacy decision by the European Commission in respect of [that OR those] [country OR countries]. This means that the [country OR countries] to which we transfer your data are [deemed OR not deemed] to provide an adequate level of protection for your personal information.

However, to ensure that your personal information does receive an adequate level of protection we have put in place the following appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection: [Specify measure, for example, Binding corporate rules]. If you require further information about [this OR these] protective measure[s], [you can request it from [Position] OR it is available [On the intranet/Provide link here].

  1. Data security

We have put in place measures to protect the security of your information. Details of these measures are available [upon request OR on the intranet].

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. [Details of these measures may be obtained from [Position].]

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

  1. Data retention

  2. How long will you use my information for?

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. [Details of retention periods for different aspects of your personal information are available in our retention policy which is available from [[Position] OR [The intranet/Provide Link]]. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances, we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with [our data retention policy OR applicable laws and regulations].

  1. Rights of access, correction, erasure, and restriction

  2. Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

  1. Your rights in relation to personal information

Under certain circumstances, by law, you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request that your personal information is erased. This allows you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to stop processing personal information where we are relying on a legitimate interest and there is something about your situation that makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data or request that we transfer a copy of your personal information to another party, please contact [Position] in writing.

  1. No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

  1. What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

  1. Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact [Position]. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

  1. [Data protection officer]

[We have appointed a [data protection officer (DPO) OR data privacy manager] to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the [DPO OR data privacy manager]. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.]

  1. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact [Position and Contact Details].

 

I, ___________________________ (employee/worker/contractor name), acknowledge that on _________________________ (date), I received a copy of [EMPLOYER]’s Privacy Notice for employees, workers and contractors and that I have read and understood it.

 

Signature:         _________________________

Name:                _________________________


Hiring a DPO

A Complete Guide For Hiring A GDPR Data Protection Officer (DPO)

A Complete Guide For Hiring A GDPR Data Protection Officer (DPO)

General Data Protection Regulation has been enforced since 25th May 2018. So if you have still not hired a data protection officer, this guide should help you. It is a complete guide for hiring a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR). We’ll go step by step to help you with all the questions regarding a Data Protection Officer.

Who is a Data Protection Officer (DPO)?Data Protection Officer for GDPR Compliance

Data Protection Officer is the professional responsible for the data protection activities and implementation of measures inside the company. They hold the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. They directly report to the senior management, managing directors, and CEO of the company.

Who needs a Data Protection Officer?

According to the text, you need a data protection officer if:

  • You have more than 250 employees in your company
  • You are processing data on a large scale basis. This would mean that the data you collect, process, store or use affects a large number of people. It could be a city population or processing of personal data for behavioral advertising by a search engine
  • Your processing is carried out by a public authority or body
  • You are processing  sensitive data such as health, trade union membership, geolocation, sexual orientation, genetic, or children data
  • You are monitoring, and tracking systematically. For example, if you are monitoring users video data systematically or tracking internet users systematically to review television rating points
  • You are processing special categories of data that could be related to a criminal offense
  • If you are a processor and systematically monitoring data such as internet traffic, IP address or visitors etc.

What are the basic responsibilities of a Data Protection Officer?

The Data Protection Officer should have the following responsibilities:

  • to inform and advise the controller or the processor as well as the employees who carry out processing pursuant to this Regulation and to other Union or Member State data protection provisions
  • to monitor compliance with this Regulation or with other Union or Member State data protection provisions. This also includes compliance with the policies of the controller or processor in relation to the protection of personal data: the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits
  • to provide advice when requested with  regards to the data protection impact assessment and monitor its performance pursuant to Article 35
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36,
  • The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.

This means a data protection officer is a coordinator between the controller/processor and the supervisory authority. They are also responsible to respond to data subjects that is the consumers/customers of the company. Under the GDPR, Data Subjects can request access to their data that is collected and processed.

What are the basic tasks of your Data Protection Officer?

In line with the responsibilities mentioned above, this section now highlights how the responsibilities mentioned above turn into tasks. The DPO has to ensure that the data protection rules are respected in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institution and bodies, the DPO must:

  • Ensure that controllers and data subjects are informed about their data protection rights, obligations, and responsibilities and raise awareness about them;
  • Create data protection goals and principles based on the GDPR and make sure the controller i.e. the company follows it
  • Give advice and recommendations to the institution about the interpretation and/application of the data protection rules;
  • Create records of processing activities within the institution and notify the EDPS of those that present specific risks (so-called prior checks);
  • Ensure data protection compliance within their institution and help the latter to be accountable
  • Handle queries or complaints on request by the institution, the controller, other person(s), or on their own initiative;
  • Cooperate with responding to requests about investigations, complaint handling and inspections conducted by the authorities
  • Draw the institution’s attention to any failure to comply with the applicable data protection rules
  • Conduct a Data Protection Impact Assessment if required and review it monthly, quarterly and yearly
  • Create Data Processing Agreement and coordinate with the third-parties
  • Create and update privacy policy, cookie policy and other data protection related policies
  • Train staff involved in data processing
  • Conduct audits to ensure compliance

Qualifications for Data Protection Officer

There are no exact qualifications written in the law. But the law does say, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. The data protection officer should have at least 30-60 hours of training to understand the law and its requirements. You can get your Data Protection Officer trained at the following places:

 

  1. IAPP Certifications
  2. TÜV in Germany
  3. IT Governance in the UK

Since there is no exact criteria, our suggestion is that adequate training or certification of a certain number of hours should help you. If your data protection officer is a lawyer by profession it would make training easier.

What do we have to do to support the DPO?

 

You must ensure that:

  • the DPO is involved, closely and in a timely manner, in all data protection matters;
  • the DPO reports to the highest management level of your organization, i.e. the board;
  • the DPO operates independently and is not dismissed or penalized for performing their tasks;
  • you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge;
  • you give the DPO appropriate access to personal data and processing activities;
  • you give the DPO appropriate access to other services within your organization so that they can receive essential support, input or information;
  • you seek the advice of your DPO when carrying out a DPIA; and
  • you record the details of your DPO as part of your records of processing activities.

This shows the importance of the DPO to your organization and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.

 

10 Best Practices for Hiring a Data Protection Officer

As a controller or processor, the following are the best practices for hiring a data protection officer:

  1. You can find data protection officers on LinkedIn & Facebook Groups with the search term GDPR for groups
  2. IAPP has their own groups where you can find 40,000 different privacy professionals
  3. Conferences on GDPR like Summits and gatherings are a good place to find such data protection officers
  4. Hire a data protection certified specialist or a lawyer specialized in the  field
  5. Make sure your data protection officer understands your IT infrastructure and your application
  6. You can hire an external DPO
  7. A DPO should have great managerial and negotiation skills. They should also have a comprehensive understanding of the controller/processor, the data subjects, and the law
  8. Many experts give tutorial and content on the GDPR. If you are planning to hire an external DPO then see their webinars, blogs and public profiles
  9. Do your due diligence and ask for at least 3 references from their previous customers. If you are hiring someone internally, then ask their immediate supervisors
  10. If you are hiring an external data protection officer, make sure that you go with someone who does not have a lot of clients. If this data protection officer has a lot of clients, then your work is probably going to get ignored if you don’t pay them based on packages

 

Should I hire an external or internal Data Protection Officer?

Internal vs. External Data Protection Officer

In principle, a company can appoint a Data Protection Officer both internally by assigning the role to an employee and externally in the person of a service provider. The decisive criterion should always be the necessary expertise and reliability that a DPO needs in order to be able to properly fulfill the intended tasks. But what distinguishes an internal from an external data protection officer? We would like to explain the differences on the basis of essential dimensions such as competence, liability and dismissal protection. In addition, to enable you to directly compare the costs of an internal and external data protection officer, we use a fictional calculation to show you how your company’s investment in data protection could be structured.

 

Internal Data Protection Officer

If you assign an Internal Company Data Protection Supervisor (DPO), the managing director hands over the task of DPO to an employee of the company. If an internal employee meets all the necessary requirements, they can be appointed as an internal data protection officer. After the appeal to the internal DPO, the employee is under protection against dismissal and has rights to further claims, such as their own equipment or training. However, if a company data protection officer is appointed, who does not have the required skills, this is treated by law as if no privacy officer would be present in the company.

 

External Data Protection Officer

In contrast to the internal data protection officer, the external DPO is a certified data protection expert who is available to your company as a service provider. The high level of expertise of an external data protection officer guarantees the best protection for your company. With a transparent cost structure, contractually agreed prices and a variable contract period, the external data protection officer takes care of your business quickly and efficiently, thus protecting you from high fines.

 

Differences between external and internal data protection officer

First of all, internal and external DPOs can be distinguished with regard to the costs incurred. While for internal data protection officers the company has to pay for education and training, as well as the acquisition of literature from the company, in addition to the regular salary. Your company benefits from the transparent cost structure in the case of an external DPO since all services and costs are contractually defined.

 

In terms of competence, an internal DPO first has to undergo time-consuming and costly further training measures to gain the specialist knowledge if they are not already specialized in the field. An external DPO, on the other hand, can showcase certified and immediately retrievable expertise from the beginning of the cooperation. In contrast, however, the internal DPO has advantages in terms of training, as the operating procedures are generally already known, while an external DPO must first familiarize themselves with the operational procedures and processes.

 

If there is a momentous error based on the consultation with the data protection officer, for e.g.misuse of customer data, an internal DPO is liable with the limited employee liability which results in the full liability of the manager. In contrast, an external DPO is liable for its advice and thus minimizes risks for the company.

 

Already with the order of an operational data protection officer already a possible, later notice should be considered. An internal DPO is subject to special protection against dismissal, which is comparable to the position of the works council. However, the commissioning of the external data protection officer can be terminated on time.

 

We would like to explain this to you in more detail with a table:

 

Item Internal DPO External DPO
Cost In addition to the regular salary, costs for education and training, as well as acquisition of literature, must be borne by the company Transparent cost structure through contractually agreed prices
Competence Time-consuming and complex further education measures to obtain the technical knowledge Certified, existing and immediately retrievable expertise
Liability Partially transfers the liability Liability for the correct advice by the external DSB. Risk minimization for the company
Data Control All the data stays within the company All the data and company understanding stays with an external

 

Time Commitment 100% committed to the project Partially committed to project and most likely involved with many other companies

 

Time to understand the business It won’t take much time to understand the business and process since the internal DPO was a part of the company It takes time for an external DPO to understand the company and mostly like you’ll pay for an audit

 

Response time Much faster since already part of the company Much slower because the external DPO was not part of the company

 

Cancellation of employment contract An internal data protection officer is protected by law. Basically, you can’t fire him/her An external DPO can be easily replaced based on the contract terms and timelines

 

How much does a data protection officer cost?

Based on our experience of talking to hundreds of data protection officers, the average cost in Europe for a data protection officer depends on the hourly rate. The data protection officer without a legal background would cost around 100-200€ per hour. If your data protection officer is a lawyer, then they would cost around 300-500€ per hour. There are many data protection officers who work based on the hourly rate in a year or package basis per month. If you are hiring an external data protection officer, keep in mind that if the rate is really low then remember either that they have many clients so you won’t get individual attention or consulting. If they’re a big brand then, probably you’re paying a lot but still getting less attention.

 

Common Mistakes to avoid while hiring a DPO

  1. Don’t hire cheap data protection officers. They’re not worth it and probably won’t take your case seriously
  2. If all the work is done by the company’s internal lead, and the external DPO is only for the  purposes of the website then don’t hire that DPO
  3. Don’t hire someone internally in your company as a DPO if the role has an inherent conflict of interest. For example, don’t hire a marketing or customer support person as a DPO because they might be biased. Here’s what the working party suggests regarding hiring an internal DPO and avoiding a conflict of interests:
    1. to identify the positions which would be incompatible with the function of a DPO,draw up internal rules to this effect in order to avoid conflict of interests
    2. to include a more general explanation about conflict of interests  
    3. to declare that the DPO has no conflict of interest with regards to its function as a DPO, as a way of raising awareness of this requirement
    4. to include safeguards in the internal rules of the organisation and to ensure that the vacancy notice for the position of DPO or the service contract is sufficiently precise and detailed in order to avoid a conflict of interests. In this context, it should also be kept in mind that conflicts of interests may take various forms depending on whether the DPO is recruited internally or externally
  4. The following roles are in conflicting positions: chief executive officer, chief operating officer, chief financial officer, chief medical officer, head of the marketing department, head of Human Resources or head of IT department
  5. Hiring a full-time data protection officer, when you only need a part-time data protection officer

 

Here’s a sample Appointment Letter for a DPO from ECOMPLY.io

Sample Appointment Letter for Data Protection Officer:

 

Ms. Sample                                                               – Data Protection Officer –

Sample Street 2

23456 Sample City

Appointing Mr. / Ms. ### as Operational Data Protection Officer

The ACME LLC herewith and with immediate effect appoints Ms Sample as the Data Protection Officer – as stipulated in Article 37 GDPR referencing § 38 BDSG-neu for our company. To facilitate the execution of this role as Data Protection Officer, he/she shall report directly to management, specifically NAME_MANAGING_DIRECTOR.

Ms. Sample is entrusted with providing consultancy services and ad-hoc spot checks to ensure company-wide adherence to the provisions of the GDPR and to further data protection regulations.

In concrete terms, his/her duties shall be derived from the GDPR and shall, specifically, be aligned with Article 39 GDPR.

Ms. Sample shall act without being subject to supervisory instruction in the application of expertise in the area of data protection and shall be supported by management in his/her executional endeavors. To this end, he/she may consult the data protection regulatory authority responsible for our company whenever clarification is required.

Representing the management:

_______________________________      ______________________________

Place, Date                                                    Signature Managing Director

                                                                    NAME_MANAGING_DIRECTOR

                                                                  

I approve of my appointment to Data Protection Officer:

_______________________________

Signature Data Protection Officer

Ms Sample

 

If you have any further questions or want to know how we can help your DPO, book a demo with us!


GDPR Compliance

The Only Guide - GDPR Compliance to build a Social Media Strategy

The Only Guide – GDPR Compliance to build a Social Media Strategy

If you’re not hiding in a cave, or haven’t decided to skip over press articles, then you must have come across the General Data Protection Regulation (GDPR). GDPR compliance is now incumbent on all of your marketing efforts and other business operations. This article will help you gain an understanding of what GDPR compliance means for your social media strategy.

This past month, you probably observed a number of emails asking for permissions. These are mostly from companies, moving towards GDPR compliance, asking to be on their mailing lists. It’s a small part of what post-GDPR world for Marketing looks like. For advice on Sales, give this guide a read.

The European Union enforced the GDPR in May 2018 although the EU has been working on it for the past couple of years. If your company disregard the GDPR and you put off compliance, you can get fined for up to 20 million euros or 4% in revenue: whichever number is higher. So, what does it mean for your marketing department?

GDPR Compliance and Digital Marketing Platforms

In general, people think social media is just about posting memes, or relationships, or engagement & interactivity. If you want to build your compliant Social Media Strategy don’t care about data privacy or online security, then maybe the recent Congressional Testimony of the CEO Mark Zuckerberg will make you think again.

Soon after the enforcement of the GDPR, compliance became a trending topic in digital marketing. Many marketers are concerned with how GDPR compliance will shape their new campaigns. Another concerning point is how to use the social media tools & platforms effectively. Getting worried about asking for consent from followers, users or connections is totally natural. Thinking about how to store or use data in a gdpr compliant way is the last thing a social media marketer wants to worry about.

AREAS OF CONCERN WHEN BUILDING A SOCIAL MEDIA STRATEGY

·       Google Analytics

Google Analytics is the most common tool used by many digital marketers to analyse performance. It collects users’ ID data, does behaviour profiling and has cookies. To be GDPR compliant with this tool, one can either add an overlay to the site which gives users a notification of the usage of cookies & asks for permission for entering the site.

·       Re-targeting Ads and Tracking Pixels

If your website is using re-marketing ads, i.e. Facebook pixel, you should inform the visitors as soon as they enter the site & obtain their consent.  For publishing sponsored content & affiliate links, you need to ask the client if they use tracking pixels or cookies for capturing the personal information & if they do, then get the consent from the visitors.

·       Email Opt-In

To be GDPR compliant with opt-in emails, first, verify if the email service provider is offering GDPR tools. Second, add a checkbox for the visitors to consent to everything, in the subscription form. Put a visible disclaimer, if the newsletter is using tracking pixels to keep an eye on when they open it.

·       Display Ads

If your website runs an ad from a third-party ad server, then your users should consent to the third-party server for using their data for advertising & marketing purposes upon entering the site. You need to inform your visitors if you use the cookies for targeting purposes.

·       Contact Forms

You should get explicit consent with a checkbox before you ask people to submit their information in any contact form.

·       Comments

Before a user leaves a comment they should give consent by a checkbox. You should also inform your users how you will use their information & which information are you going to display publicly.

·       Product Sales Takeaway

When selling products or services to EU residents, you should collect only the necessary information from the customers. You should also let them know how you will use their information. Make sure to get the consent for every purpose of data collection.

 

How GDPR applies to Social Media Marketing?

 

There are two main changes which are considered to be the biggest for the social media marketers. First, as a social media marketer you won’t be able to send opt-in emails or letters. Second, you won’t be allowed to drop cookies automatically without clear permission from the prospect. To be able to have a GDPR compliant Strategy, social media strategists are required to:

  • Perform a complete audit of the website to determine the hold of data.
  • Get to know about the information of EU residents they have connected to.
  • Prepare an action plan on how to update the privacy policy for obtaining permission.

There are many social media management tools available for building your Social Media Strategy. Agencies, strategists & managers use them to get support with scheduling, analysing and building campaigns. These tools assist companies/brands to come closer to their users and help them generate leads and establish a strong customer base.

Social Champ – A GDPR compliant tool

Social Champ is one example of a compliant, easy to use social management tool which gives you the power of scheduling, repeating & analysing your content & helps users and brands to increase their audience reach by 75%. You can easily build your Social Media Strategy with it.

Since the users produce the content on social media, it means that GDPR applies to both content and its users. This is because it contains personal information of the users shared.

All the products & services of Social Champ are GDPR equipped. It provides a Data Protection Agreement (DPA) for all the users who are signing-in. According to the GDPR, Social Champ is not a “Data Controller”, but a “Data Processor” organization. This means it “only practices content according to the instructions given by the users through Social Champ’s features.”

The users have the complete right to control, collect, & use their content however they wish to. As a matter of fact, the users are the data controllers (in legal terms) of the content they process through Social Champ. In short, make sure your tools and processes for Social Media Marketing are GDPR compliant.

If you would like to know more about how you can comply with the GDPR, book a demo with us!


GDPR Compliant Privacy Policy

Four Hacks To Have GDPR Compliant Privacy Policy

Four Hacks To Have GDPR Compliant Privacy Policy

Disclaimer: This editorial does not claim completeness and does not provide legal advice on the GDPR Compliant Privacy Policy.

Here’s the idea that is getting people really nervous:

Inside the law firms of the world, there are lawyers just waiting for 25 May 2018 to scan our websites and sue anyone not following the GDPR Compliant Privacy Policy. To defend ourselves against it, it is essential to make sure our websites do not reveal weaknesses of either machine scans (crawling) or superficial human inspection.

This means that we need to pay attention to the use of cookies, plugins and tracking tools to make sure we are all doing our duties and have compliant public documents.

First, take a deep breath, get some coffee and take ten minutes to read our suggestions below. You do not need a lawyer to do this for you.

In order to make sure that you don’t overlook any details of GDPR Compliant Privacy Policy just follow the four hacks which are actually steps in the process of having a GDPR compliant website.

Step 1: Encryption

The first step of owning a website that follows GDPR Compliant Privacy Policy is to make sure your website is only accessible via HTTPS (the little lock symbol in the browser). Thanks to Let’s Encrypt and other alternatives, this is an easy problem to solve.

Step 2: Changes to website content/plugins

The second step is to consider where in your website data is collected/sent (automatically or by a person). Typically, forms, plugins, tracking tools and cookies do this. The general rule is:

‘You must tell your visitors what is being tracked/collected. Ideally, you get their consent. But at least you have to give them an option to opt out.’

To understand how this step works in your favor i.e. in your efforts to be one with the GDPR Compliant Privacy Policy, let’s break this down further:

Forms

It does not matter what type of form you will be using or its purpose. Only ask the things you really need in order to provide the service you are offering. For instance, if it’s a newsletter registration make the email address a required field and keep all other fields as optional.

Plugins

For your social media plugins, add something like Shariff to give users more control over being tracked. For videos, Youtube has a data protection mode (https://support.google.com/youtube/answer/171780?hl=de). Unfortunately, Vimeo does not support that yet and should not be embedded anymore on your website.

Tracking

Like most websites, you probably use Google Analytics. Make sure you take these steps:

Cookies

Tell people that you are collecting cookies and give an option to opt-out. Hopefully, your website system has that built in otherwise you need to add it yourself. Below is a good example of cookie consent.

GDPR SaaS ChecklistStep 3: Privacy Policy

This is the most important part. As an organization, you have the obligation to be transparent about your data processing activities. How can you be transparent? Put it all in the privacy policy. It should be precise, transparent, easily accessible, and written in clear, simple language. So Do It Yourself (DIY) with the must-haves below:

  • Contact information of your organization,
  • List of data categories (‘name’, ‘visitor behavior’, …) that you collect and the purposes for that this data is collected,
  • Legal basis for this processing (ideally, either ‘consent’ or ‘performance of a contract’),
  • how long you plan to save the data,
  • A possibility for the customer to limit the processing (contact you?)
  • The email address of your Data Protection Officer (if you have one), like ‘privacy@sample.com’.
  • Where a customer can reach you for a complaint

There are some conditionals:

  • Do you use Google Analytics? Do mention it and try to offer an opt-out.
  • Do you set cookies? Mention it!
  • Do you use automated processes? You have to mention that too.
  • Do you use a company like Mailchimp to send your newsletters? Mention it, especially that you share your visitors’ email addresses or other information with them.

As you can see there is no 1-click solution for this (although we are working on one!). Doing it by hand is also not prohibited. In about a day, you should be able to cover most of this.

Below is a good example for a privacy policy snapshot

GDPR SaaS Checklist4 – The rights of Users

This is another part you need to add. Here’s an example for you:

In particular, Users have the right to do the following:

Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.

Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.

Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.

Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.

Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.

Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.

Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.

Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.

Details about the right to object to the processing

Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.

Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn, whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.

How to exercise these rights

Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.”

Text credit: Iubenda.com

In short, following this guide should get you on the right path towards compliance. If you have further questions and want to know how we can help: to get on board the GDPR compliant Privacy Policy sign up with us!

Image credit: http://thebusinessecoach.com/


Let's bust 10 the biggest GDPR Myths many believe today!

Only 2 weeks left before the enforcement of the General Data Protection Regulations (GDPR) and there is FEAR! And fuelled by it there is paranoia surrounding what needs to be done.  Rumors. Assertions. And crazy ideas. In this blog: we will bust all the ridiculous GDPR Myths we have heard so far.

Myth 1: GDPR is a European Union (EU)  law and only applies to European companies

This particular myth challenges the parameters of the application of the GDPR. It certainly does not apply to only European companies. It applies to ALL companies who in any way collect, receive and process data of people residing in the EU. Moreover, any company that offers goods or services to EU Data Subjects or monitors their behavior in any way has to comply, regardless of the company’s location. It is, in fact, possible that a European company only processes data of American residents. In that case, the GDPR does not actually apply to the company. Essentially, it does not matter where the company is based or originated from, the criteria that should be used to assess whether the GDPR applies or not is “whose data do you touch?”

Myth 2: GDPR was made to punish companies by imposing fines

The principles around which the GDPR is based is not to punish companies but rather to empower people with more control over their data and to ensure responsible collection and processing of data. The potential fines that could be imposed have just been stated over and over again to reiterate the importance of compliance for companies. However, at this point, no one can predict how strictly the authorities will impose these fines, if at all. They will most likely allow companies extension and a lot of leeway if they see efforts being made to comply. Fines will not be imposed for every little non-compliance issue. This is because in essence, the nature of GDPR is empowering rather than punitive.

Myth 3: GDPR is only for the IT departments and senior management

Every time people think of Data Protection they usually immediately jump to the conclusion that it is something for the IT department. However, in the case of the GDPR this is not the case at all. The GDPR is to reform the way companies handle data which is why it applies to and add responsibilities to every department and every person within a company. Processes need to be created but also employees need to be educated about the GDPR. For instance, recording all processing activities will entail the involvement of representatives from all departments of a company.

Myth 4: All breaches no matter how little need to be reported to the Data Protection Authorities

Breaches need to be reported to the relevant Authorities however, this only applies to those breaches where it’s likely to result in a risk to people’s rights and freedoms. So not every breach needs to be reported.

Myth 5: All details need to be provided the minute a breach occurs within a company

If there is a breach within a company, details of it are sometimes not available immediately. Companies themselves need to investigate before they can collect all the necessary information. The GDPR takes this into account and allows 72 hours to report such instances when feasible. Once reported details can also be provided after the allotted 72 hours if needed.

Myth 6: Consent needs to be taken for every activity

The general perception among companies is that consent is at the center of the GDPR. Without consent, no data processing activity can be carried out. This perception is extremely misleading. The GDPR allows for several different ways of justifying a processing activity of which consent is ONLY ONE. Some others can be seen below from the ECOMPLY app where you can just pick one to form the legal basis for an activity:

Myth 7: Under the GDPR, you need to get consent again from all stakeholders!

So having busted the first of the GDPR myths about consent under the GDPR, the second one is specifically about asking for consent under the GDPR. Most companies think this needs to be done from scratch to be GDPR compliant. However, consent obtained under the Data Protection Directive suffices under GDPR standards. Just review the consent and the standard that GDPR sets for it.

Myth 8: New data portability rules apply to all businesses

Data portability requirements apply only when the legal basis of a processing activity is based on consent or contractual necessity.  When the legal basis is legitimate interest or public interest or another provision allowed under the GDPR the requirements don’t apply.

Myth 9: Data center needs to be in the EU!

This is another common misconception. A company’s data center doesn’t have to be in the EU. It can also be in one of the third countries that GDPR allows for. Basically, it cannot be in a country that doesn’t have regulations on data protection. Here’s what we found helpful on this topic.

Myth 10: Biometric data is sensitive data under the GDPR

This is the most understandable misconception that has developed regarding the GDPR. Biometric data that a company collects just like any other data is sensitive only if it is actively used for identification purposes. It is predominantly collected for purposes of identification but if that is not the case then Biometric data doesn’t have to be treated as sensitive data.  


GDPR SaaS Checklist

The Ultimate GDPR SaaS Checklist

The Ultimate GDPR SaaS Checklist

Before getting into the GDPR SaaS Checklist For Leaders, let’s understand why the need for it has arisen.

There is a tonne of material on the General Data Protection Regulation (GDPR) and several organizations and people claiming to be experts and throwing around advice. Moreover, there is an overwhelming amount of information regarding this topic because of the foreseeable enforcement of GDPR in sight.

We want to condense all this information into a specific point by point checklist. Therefore, we are focusing on the Software as a Service (SaaS) industry instead of giving a general list for all companies. This list will help SaaS companies keep track of what they have done and what still needs to be done.

First of all, it is important to understand that for SaaS companies a lot of these processes can be automated but it is not really necessary to do that. You need to take stock of the costs of automation or manual labor and need to decide accordingly what works for you.

Here are the rights of the Data Subjects (client/customer/user/employee in layman terms) that you need to preserve:

  • The right to erasure (the right to be forgotten/deleted from the system),
  • Under the GDPR, there is right to the restriction of processing (you have to restrict the access to the data and cannot do anything with it without further consent of the user
  • The GDPR also grants the right to data portability (provide the possibility to your users to download a machine-readable, exportable file of their data you have collected and processed)
  • The right to rectify data (have an edit button for data fields)
  • There is also the right to be informed which means you need to get rid of those long terms and conditions and provide this information in a way that is clear and concise

Here you can read the 10 Critical Steps to General Data Protection Regulation (GDPR) for SMEs that highlights the principles that you need to keep in mind.

GDPR compliance Checklist Dos:

1. Create and agree with data protection goals – Article 5

This essentially means that you need to conceptualize, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io or if you are not a customer: download it here.

2. Appoint an internal DPO with no conflict of interest – Article 37

This can be anyone in the company who is aware and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.

3. Make a cookie policy – A perfect way of showing cookies – Article 7

Here’s the right way to go about it: https://www.cookiebot.com/en/cookie-declaration/ It has been enough till now to display that common “we use cookies” warning, however, the GDPR changes that. From the GDPR perspective, cookies essentially means you are collecting user data and need to make sure that you have legal grounds for it.

4. Add ‘cookies via any plugin’ consent – Article 7

Below is the example cookie by inc.com

GDPR SaaS Checklist

5.Update your privacy policy – Perfect Privacy Policy Article 12:

Example of short form of Privacy Policy

Below is a good example of a privacy policy snapshot

GDPR SaaS Checklist

6. Add features list

  • Consent box and record with it the Privacy Policy version – Article 7
  • Right to edit or modify feature – Article 16
  • The right to delete or forget – Article 17
  • Right object of processing & profiling feature – Article 21 & 22
  • The right to access (I want to access all my data i.e. export & import feature) – Article 15
  • Under the GDPR you need to give users the right to stop automated profiling – Article 18 & 23
  • Have double opt-in on a newsletter, lead magnets & sign up – Article 7
  • Automatic deleting or provide a timeline to delete the data feature to your users – Article 17
  • Consent checkbox on your contact form as well – Article 7

7. Create records of processing activities and maintain it:

ECOMPLY.io helps with it. You can also read our step by step blog on how to take this item off your GDPR compliance checklist.

8. Ask your third-party vendors to be compliant i.e suppliers and subcontractors:

This includes basically every software and service you are using. Moreover, this means that you need to take stock of all your vendors and contact them as soon as possible. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.

9. Technical Measures for IT: 

  • Add anonymization or pseudonymization if a user is no longer using your system
  • Add encryption in your system
  • Have authentication mechanisms for modifying data
  • Double authentication or 2 step verification
  • Focus on data minimization if you don’t need it
  • Show the system has a strong backup and data can’t be lost
  • Web Application Security such TLS, SSL
  • Data Centres and its protection. It should be in Europe or US mostly (if possible)
  • Encrypted passwords for all the systems
  • Internal hard drive or cloud drive should be protected and have a different access level

ECOMPLY.io has following technical measures that you need to report. Below is a good example_

GDPR SaaS Checklist10. Organizational Measures: 

While it is important to conceptualize these measures, you also need to implement them.

  • Educate your team about the privacy and data protection
  • Physical access to your office should always be protected with keys
  • Laptop and other devices of the staff should be protected as well.

11. Sales & Marketing:

  • GDPR SaaS ChecklistTake consent in all your marketing magnets and contact form and record it
  • Inform customers about your CRMs, automatic tools, and analytics tool
  • Always have an opt-out button

12. Data Processing Agreement:

As a SaaS Vendor, you should be able to provide a data processing agreement on behalf of your customers and promising technical measures to protect their data. Consequently, you need to have these agreements with your vendors. ECOMPLY.io will help you with that.

13. Human Resources (HR):

Have different level controls for each staff. Not everybody should have access to all the system.

GDPR compliance Checklist Don’ts:

  1. All your vendors might not be compliant! Don’t assume that they are
  2. Don’t assume that privacy shield or ISO 27001 already makes you compliant
  3. Writing a cold email to customers on their personal email is not a compliant way to reach out to them
  4. Documentation alone will not save you. You need to actually do those changes
  5. Don’t keep your laptops open in an open space and people can see those data
  6. It is not a one-time project. You need to keep making sure that your documentation is correct and updated. Also, you follow all those guidelines and check frequently.

If you are still confused about the GDPR and don’t know where to start, just book an appointment with us for an informal chat.


GDPR Ready

Who is GDPR Ready?

Who is GDPR Ready? This article was written before 25th May 2018.

Given all this hype surrounding the General Data Protection Regulations (GDPR), among companies and consumers alike, we just could not help but get curious. So who out of the big, famous companies are actually GDPR Ready?

Data Protection Officer

So we did a little, cheeky experiment and e-mailed these companies to find out if they were aware of the legislation and what data they had on us.

Due to the enforcement of the GDPR, you can request companies to give you all the data they have on you. You can also ask them to delete it and forget you. This is primarily how GDPR empowers us as consumers. For companies to be GDPR ready, they need to have processes in place to deal with these requests.

Essentially, in GDPR terminology, we made a Data Subject Request to check which companies were aware of the coming GDPR and subsequently preparing for it.

In total, we reached out to 200 companies and tested them on two things: awareness and readiness. We assigned six people to write to different companies. One of them wrote to companies from Spain, three from Germany and one from United Kingdom (UK). So let’s summarise the results by geographic location.

United Kingdom

We wrote to companies in the United Kingdom (UK) recently.

From their replies, we gauged that 50% of these companies were aware of the coming regulation however, only 10% of them were ready to cope with the Data Subject Requests. So we got a full excel sheet with our entire data sent to us from the ones that were ready. However, after the initial response the excel sheet was usually sent to us later which is acceptable under the GDPR (note: GDPR allows the company 40 days to respond).

Also, one of the “aware” companies clearly explained that they were engaged in a variety of activities to become GDPR compliant and at the moment could not provide a machine-readable format of the data. This was definitely a sign that the company was well aware and in the process of preparing for the GDPR.

 

Spain

We reached out to ten companies which include names like Vodafone, Santander, and Groupon among others. We found that 28% of these companies were ambiguously aware of it but none of these companies were ready for the enforcement of the GDPR. It could be and is rather likely that since then, they have at least made progress in awareness of the GDPR and are in the process of preparing for it.

However, we only say ambiguously aware because the responses we got from them indicated that out of those who were aware of it: they either only had a specialized email address for GDPR related queries which ended up bouncing anyway or asked to show up in person. Therefore, the awareness that they did have was not clearly translated.

Germany

Before we start, here it is important to consider that we reached out to a lot more companies in Germany than anywhere else. We are based in Germany and of course, are knowingly a little biased.

The hub of data protection and the place is known to be the most sensitive to data privacy lived up to its reputation.

Almost 63% of the companies, were actually ready for the GDPR. These companies included the big automotive companies like Mercedes, BMW, and Porsche. Moreover, 5% of these companies were aware of the GDPR and working towards it. So all in all, the German market seems to be quite aware of what the GDPR entails and are working towards it.

On average the response time of these companies was about 3 days and the latest one was not any later than 7 days. This was definitely a positive indicator on readiness.

We also sent an email to companies like Whatsapp, Snapchat, Booking.com, Disney and Instagram to find out if these popular companies were ready. However, we found out that none of them were ready and we were unable to assess if they were aware or not. Keep in mind that these Data Subject Requests were sent to them early 2018 so it is possible that they are by now compliant. Time needed to be fully compliant actually depends on several factors including but not limited to company size and number or processes.

These companies either did not reply to our request or we got a general automated message from them.

We also realised that no response could either mean that these companies are either in the middle of their blazing GDPR activities (quite unlikely), or they do not know of the GDPR and its implications (quite unlikely and sad if true) or that they just do not care enough at this point (likely).

To be fair, a lot of companies are still in the process of researching and figuring out exactly to do with the GDPR. For instance, we asked Woodpecker and one of our customers: Combyne on how they went about the process. Moreover, training and development of the employees especially in the field of customer service is on-going for most companies. So that in itself could be a factor why we assessed the companies as unaware since we only judged it through the replies we got.

Compliance will most likely be a high priority for companies if after enforcement, data authorities actually crack down on non-compliant companies and issue the dreaded fines.

Is your country GDPR ready?