A comprehensive GDPR Readiness Survey Report on how software companies and SMEs prepared and currently operate under the GDPR.
GDPR: you’ve heard of it, probably feared it, but you cannot ignore it. If you are like us, you wanted to get everything ready for the May implementation or, in contrast, you might have thought ‘I doubt any other startup/SME will become compliant, I won’t bother yet’. Well, we wanted to put both sides of the argument to the test and so carried out extensive research on just how GDPR ready the software industry and SMEs are, what their problems were and how they view their activities in line with GDPR.
As a GDPR Compliance Software company, we wanted to find out the state of the market and whether our solution is useful, as well as how we can improve to offer more value.
Although we are GDPR ready ourselves, we needed to understand some of the barriers companies are facing in becoming fully compliant, where they are in the process internally and what they think of GDPR, so we set out to investigate using a number of questions to get the most out of our respondents.
In this GDPR Readiness Survey, we investigated 100 different software companies and startups of varying sizes, ranging from 1-250 employees, in order to get varied data from companies across the whole spectrum. We collected the survey in a GDPR compliant way. Here is a breakdown of some of the demographic data we collected:
Our results from the GDPR Readiness Survey were quite surprising, and paint a fairly accurate picture of the real-world environment surrounding GDPR.
Although GDPR can bring about heavy fines, we are yet to see any real world examples of these fines in full swing, and with 50% of our respondents indicating they managed GDPR compliance internally without the consultation of an external body or an external lawyer, we may see that change in the near future as those companies that misinterpreted the regulations come to light. Companies became compliant to serve their customers better, as indicated by Marcin from Survicate.
We do our best to implement services that fulfill our customers’ needs. One of our customers’ most important requirements is the security of their data. That is why for us it is paramount. Survicate understands how the fulfillment of GDPR obligations improves protection of our customers’ data.
In contrast, 42% of respondents contacted a lawyer to advise on GDPR compliance. It is likely that larger businesses put more resources into legal help, compared with the 50% who didn’t, who are smaller and so less likely to bring in external aid.
Since lawyers are important for GDPR compliance, Peter Sterkenburg from Leadfeeder wants a more robust way to prove GDPR compliance by external lawyers and third parties.
A healthy angle to responsibly consider using personal data. I really do miss proper certification mechanisms though. Still very little movement on that. I am also looking forward to the PECR and what that brings.
What we found interesting, though, was that only 52% of survey respondents believed that they are fully GDPR compliant - an indicator that there is a lot of groundwork still to cover in small businesses and software companies industry wide. The reasons behind this low figure were also surprising: smaller businesses are less inclined to comply compared to the larger companies with more resources.
However, Joi, CEO of CrankWheel, saw it differently. He said:
We took a mostly manual route with e.g. implementation of data subject rights and how we implement DPAs (it's a manual customer support procedure that we've trained our support folks in). If we see significantly more requests regarding data subject rights, or significantly more customers, we are likely to invest in tools to help with these, either built in-house or sourced externally. Same goes for our employee training etc., we are very small for now but when we grow we would be somewhat likely to invest in a tool that would help with training and compliance certification (even if not formal certification). We have a quarterly process in place to update procedures, training materials, perform new risk analysis etc. and for this, so far, Google Calendar + Google Drive (docs and spreadsheets) have proven to be enough.
Jim from Dynamic Signal spoke in a similar fashion.
Our GDPR efforts were comprehensive and we invested many cross functional resources as well as bringing in external consultants and legal support to ensure we were following all of the guidelines for GDPR and fully protecting our investors, employees, end users, and most of all our customers.
Of those that were compliant, the two main reasons for investing in GDPR compliance were in fact meeting the newly increased customer expectations and in order to circumvent the likelihood of lawsuits for non-compliance, especially given the nature of software companies and the amount of cyber threats they are up against daily.
Further to this, our GDPR Readiness Survey found 38% of companies believed the new regulations were too complicated, and rightly so. The idea of GDPR was to remove any kind of uncertainty or loophole opportunities from previous legislation, as well as unify the European stance on data handling and processing.
Olga, the Marketing Manager at Chanty, was also confused by the new regulation. She said:
GDPR is the 88-page monster that has struck fear into the hearts of companies, slowing down growth and blocking effective marketing efforts. As a result, inboxes were swamped with GDPR consent emails that were deleted in bulk without even being opened, not to speak of giving consent. Companies had to delete entire blasts of emails from the databases that took years to build. As an internet user, I don't feel the difference after May 25th. As a marketer, I feel GDPR definitely doesn't contribute to development and innovation in the European business sector.
In our opinion the GDPR leaves too many grey areas in certain business environments where what should have been black and white rules are now open to interpretation. This is compounded by the fact that most companies didn’t have a dedicated GDPR consultant or compliance team, with only 22% reporting that compliance was managed by IT and legal.
Despite a clear lack of monetary investment in GDPR compliance, it was great to see that most companies, regardless of size, took steps and measures to comply with GDPR, with all software companies and SMEs we surveyed reporting that they updated their Privacy Policies to acknowledge GDPR and explain how they were taking steps to be compliant.
Adam from Better Proposals says of the GDPR:
GDPR is a step in the right direction. It's been a long time coming and it's good for businesses and consumers to have a standard in place. It's important to us to make sure people feel safe using our software and GDPR is a good "badge" to have to show you at least take it that seriously.
Of all the steps necessary for GDPR compliance, we found (without surprise) that vendor compliance was in fact the area with the least focus from our respondents. We believe this to be not from a lack of effort, but from a lesser understanding of how to obtain the necessary documentation and agreements from the third party services and data processors they were using in the course of providing their software or products. This is an area we would like to see improved by the GDPR committee, as obtaining the correct information from business critical third party processors (like analytics software, data enrichment services etc.) is somewhat of a grey area, especially for smaller companies who cannot dedicate the time and resources to seek that information out from their partners.
On transparency and third party data processors, Sander from Unless said:
Oddly enough, new privacy laws like GDPR have actually made it easier to do it right, by highlighting the need for transparency and compelling business owners to understand what kinds of data they collect and how they use it.
Additionally, in our GDPR Readiness Survey, 50% of the software companies and SMEs we surveyed indicated that they had conducted a Data Protection Impact Assessment and Data Mapping, which is a good foundation for compliance, but there is clearly room for improvement. As expected, due to the small size of most of our respondents, the budget to invest in GDPR compliance was only €5000 annually, so it would be unfair to expect full compliance soon after the regulations’ effective date.
Overall, GDPR readiness in software companies and SMEs is an ever changing, dynamic landscape of variable compliance levels depending on budget, size of company and departmental dedication.
With regards to GDPR compliance in software companies and SMEs, what we gathered overall illustrated the following:
48% of surveyed companies think that GDPR has neither a positive nor negative impact on their business operations.
If you're still trying to learn more about the GDPR and want to become compliant, get this free GDPR Guidebook.
Below are the questions and survey results from our GDPR Readiness Survey for your own interpretation.
Below is a list of those companies which supported this survey and agreed to the publication of their names.
Aazar Ali Shad is the former Co-Founder of ECOMPLY, and has more than 5 years of SaaS Experience. He is a huge privacy enthusiast.
Userpilot - User Onboarding & Product Adoption Software
https://salesflare.com - An Intelligent Sales CRM for teams who thrive on technology
https://www.poptin.com - A Lead Conversion Platform
https://lemlist.com - A Conversational Email Outreach Platform
https://www.visitor-analytics.io/ - The friendliest way to view your website statistics
https://www.proposify.com/ - Get the business proposal software that streamlines the creation of quotes, contracts, and other sales documents
dynamicsignal.com - The Employee Communication and Engagement Platform
https://crankwheel.com/ - CrankWheel enables you to add a visual presentation to your phone call in 10 seconds flat. Any browser, any device, works every time.
https://contentstudio.io - The only platform you will ever need for your content marketing and Social media management.
https://www.growthdynasty.com - A Tech Marketing Agency
Publbox.com - Now You Can Create, Organize and Automate All Your Social Media - From One Place
AcademyOcean.com - Use Academies to get new leads and to turn them into loyal customers
www.albacross.com - Albacross tells you exactly who’s visiting your website and how to reach them.
www.sendpilot.co - You won't need a social media team if you use SendPilot
www.meetnlearn.com - Marketplace for online & offline tutoring
www.wunderx.com - Enabling Equipment Data Mining: Edge is coming.
starhunter.com - All-in-One Solution for Recruitment Agencies
https://www.heysuccess.com/ - a default platform for international student mobility and recruitment.
https://kyvio.com - We Help Trainers and Coaches Sell More, Sell Faster
https://www.receptive.io - Leading B2B SaaS companies use Receptive to build winning products
https://www.sendinblue.com/ - SendinBlue empowers businesses to build and grow relationships through marketing campaigns, transactional messaging and marketing automation.
ryd.one - Your Car Assistant
https://www.chanty.com - Join Chanty – simple AI-powered team chat. Get unlimited message history free forever.
https://betterproposals.io - Online Proposal Software
https://demio.com - A Webinar Platform Built for Marketing
https://www.flipsnack.com - Digital flipbook maker for stunning magazines
https://survicate.com - Survicate is the fastest way to collect feedback from customers.
Easyecom.io - Best inventory management software, a key to rule in eCommerce industry
Vogueestates.com - The Real Estate Solution
https://competitors.app - Track Competitors Software Tool
https://rocketlink.io - Track and retarget any link you share
http://www.subbly.co/ - A subscription ecommerce platform for entrepreneurs & marketers
www.munevo.com - Munevo wants to support people with disabilities to live independently by using smart technology
https://unless.com/ - Personalize your website to give your visitors the unique experience they deserve.
www.climedo.de - The intelligent research database with integrated electronic research management
https://nightwatch.io/ - The All-in-one SEO Tool
Folder Security - NTFS Permissions Analyzer
by Aazar Shad
Nightmare, you’re thinking, right? You wouldn’t be alone in this assumption – we’re getting more and more people asking us for help, and we’ve seen hundreds of thousands scour the web for GDPR related information such as how to stay compliant, establishing a GDPR legitimate interest and how the legislation affects cold calling.
Still thinking nightmare? You probably are, and that’s fair enough.
But, we are here to help – we’ve compiled some of our thoughts, advice and how to’s on establishing a GDPR legitimate interest, cold calling while staying legal and background info on the new regulations.
So, as I’m sure you know, GDPR has been on the tip of everyone’s tongue in businesses of all sizes over the past year, with hundreds of GDPR consultants, advisors, software solutions and GDPR auditors starting up all around Europe, all of which aim to provide a route to GDPR compliance with the regulations implemented on the 25th May 2018. Let’s take a look at what GDPR actually is, the associated fines for non-compliance and how it is impacting the worldwide business environment, including GDPR’s influence on cold calls and establishing a GDPR legitimate interest for outbound marketing and sales.
The General Data Protection Regulation 2016/679, commonly abbreviated as GDPR, is a set of rules and regulations that stipulate the collecting, handling and processing of personally identifiable information (PII) such as names and addresses, IP addresses, banking information and any other data type that can be used to identify a living individual. Not only this, it provides EU residents more control over the data companies store on them, offering more power to view and request the removal of that data should they decide they want to be forgotten.
Designed to replace the antiquated Data Protection Act and its equivalents in other European countries, the GDPR acts as a blanket regulatory system governing businesses located inside the European Union, but also requires compliance by companies situated outside of Europe that collect and process the PII of citizens in Europe. Safe to say, it’s not something that can be easily avoided.
The regulation set had been in the design process for a long time, with the aim of encompassing all potential scenarios that businesses might face in order to avoid ambiguity or grey area exploitation (although, many argue the GDPR’s regulations are widely open to interpretation).
Additionally, the purpose of the new GDPR implementation is to take a much tougher stance on how companies and businesses handle the PII of individuals, with the intent to place restrictions and minimise mass marketing, automated cold calling and spam to individuals and businesses unless there is a GDPR legitimate interest for these efforts.
Furthermore, data protection legislation throughout Europe had previously been broad and differed from member state to member state, resulting in a confusing process for compliance auditing, both internally and by external compliance processors. GDPR is designed to harmonise data protection legislation across all EU countries, resulting, in theory, in a much more sustainable and straightforward road to compliance and protection of EU citizens’ data.
Meanwhile, the potential fines for non-compliance, which were previously viewed as little more than a speeding ticket by major corporations such as Facebook, Google or other large entities, have now been greatly increased in order to remove the incentive for these large corporates to abuse the rules, with the ability to take the company’s revenue into account to ensure the fine is proportional to their wealth.
The newly enforced levels of fines have garnered a lot of media attention and will likely worry the big Fortune 500 companies – no longer can they get away with gross data protection breaches with a cheap get-out-of-jail-free card. With the maximum GDPR fine for non-compliance running at potentially 20 million Euros, or 4% of the company’s annual turnover (whichever is greater), falling foul of the GDPR requirements will be a significant loss.
These are of course proportional to the level of non-compliance, and the GDPR governing body allows supervisory authorities in EU member states to make a judgement call and enforce less severe actions such as reprimands, warnings, or smaller fines. Still, most companies should be, and are, endeavouring to ensure compliance. On the smaller scale, fines can be 10m Euros, or 2% of a company’s annual turnover, for less critical or less large scale breaches that still should have been prevented.
There has been much controversy and questions about how the GDPR will affect traditional sales and marketing efforts, such as cold calling. Now, if you found this article to discover how it will affect you, please be reassured – cold calling is not dead and the GDPR will not affect B2B efforts in the extreme case you are imagining. There are however, some suggested methods of GDPR cold calling you may not have previously employed which will only help you stay on the right side of the law, and we’ll investigate those below. Just a heads up – we are a GDPR documentation, auditing and service provider and selling to privacy professionals is no mean feat, so if we can’t stay compliant then how will anyone?
When cold calling with the intention of staying GDPR compliant, there are a few things to note. You need to have established that the business you are reaching out to has a legitimate interest in the business services you are offering. A legitimate business interest will allow for full compliance and will not be considered a spam or unsolicited marketing effort under GDPR, but you must really consider whether it is legitimately of value to your prospect (i.e. you can’t just say it is when you and everyone else knows it’s irrelevant, which is bad sales technique anyway). In B2C scenarios, we suggest avoiding cold calling altogether, as these usually fall foul of GDPR cold calling regulations. It’s pretty much the same thing with cold email outreach.
Any kind of outbound sales efforts come with their own set of challenges when it comes to GDPR and data protection legislation, whether that is for companies governed by GDPR or other regulations like those found in the USA such as SPAM. As a company that specialises in GDPR compliance, we must always comply, usually more so than most other regular businesses, but we need to also prospect and push our sales efforts in order to survive. So, let’s take a look at some of the main pointers in how we carry out sales efforts, establish a legitimate business interest and stay GDPR compliant. Daniela Duda, one of our experts, explains legitimate interest.
This is how we prospected and conducted cold calls, while also staying compliant with GDPR:
What Was Our Success Rate?
Good question. Luckily for you, we gathered the metrics for our GDPR cold calling campaign here at ECOMPLY.io and have some interesting results for you; have a peek below:
These metrics were taken from Steli Efti’s Close.io Blog.
Overall, we were pretty happy with these results. We have a little room for improvement on the pitching side to get that conversion rate up, but so far it has been a successful campaign and we’ll continue to invest time into GDPR cold calls – and you should too!
Establishing a legitimate business interest is crucial for B2B sales and marketing efforts when you do not have prior opt-in consent. Although somewhat of a grey area, a legitimate business interest can be thought of in a similar way to how a B2C organisation might think when marketing to a customer who has already purchased from them. For example, the business prospect should operate in the same niche or market as you, so you have good reason to believe that the party is interested in your services, thus giving you some grounds to cold call.
Additionally, companies often list contact information for certain personnel publicly on their website in order to receive valuable business propositions (it’s hard to operate a business in complete isolation). This gives you a fairly strong indication that it’s okay to call the relevant company to discuss a legitimate business proposal without fear of repercussions. However, before making any cold call, we do suggest carrying out your legitimate interest assessment. Here’s the resource for the legitimate interest assessment.
As you can see, it’s not as scary as you first thought, right? You don’t have to close down shop or look elsewhere for work – you can still carry out your sales processes and cold calling as long as you have that all important GDPR legitimate interest. Really, all it boils down to is respecting others’ privacy, not being irresponsible when it comes to personal data and making efforts to stay compliant. That way, you’ll avoid those fines!
Disclaimer: This article is not legal advice so please seek professional legal advice to discuss your specific circumstances.
This GDPR checklist has been crafted according to the GDPR’s compliance requirements. Moreover, this is the only GDPR checklist you will ever need.
Before going through the GDPR checklist, it is important to repeat some basic steps. The first starting point is to know about the general rights that your customers/users will have:
Data subject rights: these are rights of your customers and users under the General Data Protection Regulation (GDPR).
Data portability: the right of an individual under the GDPR to transfer their data to other data controllers. Essentially, this means that consumers can move from one company to another through quick and efficient data transfer.
The right to be forgotten: customers/users can ask you to delete all their data.
The right to prevent profiling: profiling can be through automated decision-making or through other forms of decision-making that process the personal data of an individual and reach conclusions about that individual.
The right to object to processing: your customers can restrict you from processing any category of their data that you have.
The right to rectification and erasure: this refers to editing data and restricting access to certain types of data.
Subject access requests (“SARs”): these are requests that your customer/user can make at any point in time asking you for data that you have on them and how it is used.
First, take stock of all the data that you are collecting and processing. If you are a controller, ask yourself why you are collecting this data as a guiding principle. If you are a processor, ask yourself: on whose behalf are you collecting this data. This is the most crucial part of our GDPR checklist.
A Data Protection Officer can be internal or external to your company. If you appoint someone internally, make sure they have autonomy as well as access to the Managing Directors and upper management. This is primarily so that they can carry out their data protection duties and responsibilities independently without undue stress and blockades. Once this is done, sign an agreement with the relevant person. One prerequisite for assigning a Data Protection Officer, according to the legislation, is that it should be someone with a reasonable capacity for the job. That means your DPO should have a comprehensive understanding of the General Data Protection Regulation (GDPR).
It is necessary that you appoint a Data Protection Officer (DPO):
The second most important part of the GDPR checklist is to make a map of all the data and specify all the departments that touch the data in its collection and processing. The data that is being used needs to be categorized for its legal basis to become clear. The legal basis could be consent, legitimate interest and contractual necessity among others.
To assess where data travels, you need to create a mind-map of it to help guide your compliance processes.
Why was the data gathered in the first place? What is its purpose?
Upon what legal basis are you justifying holding that data? Consent or legal requirements?
Think of all the steps in your mind-mapping process. Who has access to the data at each step? Through documenting your processes, you will have a much clearer and a better understanding of your own company’s data collection and management strategies as well as what the compliance process entails for you. One definite piece of documentation that you need to do is a data protection impact assessment (DPIA).
How are you protecting that data from breaches? What else is that data being used for? Make sure you have listed all your vendors and your customers/users know that you are sharing their data with other parties.
Be honest and transparent about any data you collect. In the case of a breach, whoever gained access may disclose whatever data they gathered. Your customers need to be aware of what data you’re storing. Here you can read more about how modern businesses need to think about data: https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust
Security breaches that target the data that your company collects and processes can take place, and need to be dealt with along the guidelines provided by the GDPR. The crucial point under the GDPR is to inform your users/customers of the breach. Given the importance the EU has placed on personal data, it does not come as a surprise that the relevant stakeholders must be made aware when their data has been touched, no matter how briefly, by other parties that did not have authorization through consent. In such a case, the relevant Data Protection Regulatory body must be informed within 72 hours of becoming aware of the breach at the latest.
The same time limit applies to the data subjects whose data you collect and use. The company must contact all individuals and make them aware that their data has been breached. However, companies are exempt from this measure if the data has been encrypted to the point of being incomprehensible, or if the data controller has taken the necessary steps to make sure the breach doesn’t put rights or freedoms at risk. If it would take a disproportionate effort to contact every Data Subject individually, then a public announcement would also fulfill this requirement.
This is a crucial part of the GDPR checklist, since it was not available in previous data protection laws. This is one of the basic rights that the GDPR sets out for consumers. It essentially means that data subjects can at any point ask you what data your organization has collected about them. These access requests cannot be charged for, even if it takes a lot of time for you to deal with them. Moreover, they need to be responded to by the data controller within a month. The legislation also sets out the general principle for when a Data Controller can charge the subject for relevant administrative costs: if it can be demonstrated that the request is “manifestly unfounded or excessive”. This balances the individual’s rights against the company’s right to receive some protection against abuses of this provision. Here is a basic summary of this article as outlined in the GDPR:
“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
6.1. Make sure your domain names are secured. Renew them regularly, and if you buy them from a third party, make sure that the configured authoritative name server is your own and that your critical services are secured.
6.2. A lot of companies use Google Apps, Slack or WordPress in their daily business lives. These services all have default settings that should be improved to increase the security level of your organisation. You also need to ensure that all your services and apps are updated so that new security settings, as well as GDPR compliant settings, are implemented. Here’s one source you can look at for inspiration on making your Google apps more secure: https://blog.trailofbits.com/2015/07/07/how-to-harden-your-google-apps/
6.3. As tempting as it might be: do not share Wi-Fi. Shared workplaces are quite the norm these days, which means sharing Wi-Fi networks among companies, guests, students or neighbours. This may open you up to the risk of security breaches: for example, people could gather information that is on your network, and it might even allow people to access resources protected by source IP. Make it a habit to change your password periodically.
6.4. Develop and communicate a security breach incident response plan
This will allow whoever is in charge at the time of a breach to communicate accordingly about an incident and will allow the fastest response in technical / communication terms.
6.5. Incentivize finding bugs. You could potentially run an external or internal bug bounty program that incentivizes external hackers as well as internal employees to report vulnerabilities. Once reported, these vulnerabilities need to be checked by developers or others in your development teams with the know-how to evaluate any reports you receive.
6.6. Educate your Technical and Non-technical employees
Quite often your employees and human capital will be the ones who might make you more vulnerable which is why it is imperative that you make sure they are aware of how hackers or other parties can infiltrate your company. By increasing their level of awareness, you are reducing the risk of them falling into a trap. Usually, companies forget to train their non-technical employees. However, they might be the ones you would want to train even more carefully since they lack the expertise to recognize and deal with such cyber-attacks and vulnerabilities.
6.7. Include using 2-factor authentication in your employee handbook as a rule
This ensures that all of your employees’ accounts are safe: in case their password gets stolen, the attacker still cannot access their accounts or your company’s information in those accounts. As a CEO/CTO/CSO, your role is to make sure everyone complies with this rule. Using a complex and unique password for every website is great advice, but it can be very difficult to recall passwords.
Password managers are a great way to manage these since they will remember everything for you with a master password.
6.8. Encrypt the devices
By encrypting company laptops and phones, you protect your company’s assets. Before doing this, you might want to take stock of all your company assets and perhaps segment the employees into categories of security levels needed in line with their jobs. Here are some sources you can read on for encryption related procedures: https://support.apple.com/en-us/HT204837 https://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption
6.9. Encourage best practices like “locking” devices and strengthening passwords Whether employees are leaving the desk for a minute or an hour, encourage them to lock their devices and make it a habit. This would protect your company assets from attacks as well as random accidents. Remember your work environment might be secured but at one point or another, you will have external guests or candidates for interviews who could potentially have access to your data sometimes even by a quick glimpse of a screen. Moreover, when your employees are traveling or go to meet-ups, this habit would help them keep company information secure. You can research password managers, pick a good one and suggest it to your employees.
This HR checklist consists mostly of organizational measures, with some technical measures, under our GDPR checklist.
This is probably the newest and the toughest part of the GDPR checklist, since it takes time.
1. Check and audit your mailing lists. Basically, you need to remove anyone from whom you do not have an opt-in or for whom you have not recorded this opt-in. For new subscribers, make sure that the potential subscriber confirms that they want to join your mailing list by sending an automated e-mail asking them to confirm the subscription.
2. Review the way you are collecting personal data. Are you still buying mailing lists? If so, now might be the time to start fresh with a new mailing list that you have obtained from informed customers and for which you have a legal basis for collecting their e-mail addresses. Delete all e-mail addresses that you have not obtained with proper consent or another legal basis. One way to still acquire users or convert visitors is to offer visitors to your website the opportunity to add themselves to your mailing list using a pop-up.
4. Educate your Sales and Marketing Teams about what is legally possible and the practices they need to drop, for instance cold emailing and cold calling where the e-mail address and/or phone number has not been obtained through proper consent.
5. Make sure your customer data is part of your Customer Relationship Management (CRM) system. This helps you allow users to edit their data, review how exactly it is being used and access it in a machine-readable format.
6. Collect only the data that is necessary for your sales or marketing effort. Ask yourself which categories of data you actually need and which ones you can simply delete. When it comes to sign-up forms, only ask for the elements you need and will use.
7. If you do not already use them, try out push notifications. Marketers can use push notifications to send a message to subscribers at any time. They are especially helpful in the post-GDPR world because they do not process personal data (IP addresses are anonymized) and ask for explicit consent to opt in and receive notifications.
8. Make sure your privacy statement is updated and easy to read (not 1,000 pages long and without any jargon).
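The double opt-in and the "remove anyone without a recorded opt-in" audit from steps 1 and 2 above, as an added example that is not part of the original checklist. It assumes an in-memory list, a constructed signing key and constructed legacy addresses; a real deployment would persist the consent ledger and send the confirmation link by e-mail.

```python
"""Double opt-in for a mailing list with a recorded consent ledger (added example)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed secret for this example; load it from a secrets manager in practice.
SIGNING_KEY = b"example-signing-key-do-not-reuse"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after two days


@dataclass
class ConsentRecord:
    """Evidence of a subscriber's opt-in, kept so consent can be demonstrated later."""
    email: str
    source: str                        # where the address was collected, e.g. "website-popup"
    requested_at: float                # when the subscription was requested
    confirmed_at: Optional[float] = None   # set only once the double opt-in succeeds
    notice_version: str = "privacy-notice-v1"   # which privacy statement was shown


def make_token(email: str, issued_at: float) -> str:
    """HMAC-signed token binding the address to its issue time."""
    ts = str(int(issued_at))
    mac = hmac.new(SIGNING_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def verify_token(email: str, token: str, now: float) -> bool:
    """Constant-time MAC check plus expiry; rejects tampered, stale or malformed tokens."""
    try:
        ts, mac = token.split(".", 1)
        issued_at = int(ts)
    except ValueError:
        return False
    if now - issued_at > TOKEN_TTL_SECONDS or issued_at > now:
        return False
    expected = hmac.new(SIGNING_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


@dataclass
class MailingList:
    subscribers: Set[str] = field(default_factory=set)
    ledger: Dict[str, ConsentRecord] = field(default_factory=dict)

    def request_subscription(self, email: str, source: str, now: Optional[float] = None) -> str:
        """Record the request (not yet a subscription) and return the confirmation token."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        self.ledger[email] = ConsentRecord(email=email, source=source, requested_at=now)
        return make_token(email, now)

    def confirm(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Add the address only if a request exists and the token is valid and unexpired."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        record = self.ledger.get(email)
        if record is None or not verify_token(email, token, now):
            return False
        record.confirmed_at = now
        self.subscribers.add(email)
        return True

    def audit(self) -> List[str]:
        """Step 1: addresses on the list that have no recorded, confirmed opt-in."""
        return sorted(
            e for e in self.subscribers
            if e not in self.ledger or self.ledger[e].confirmed_at is None
        )

    def purge_unconsented(self) -> List[str]:
        """Remove the addresses flagged by audit() and report what was removed."""
        removed = self.audit()
        for e in removed:
            self.subscribers.discard(e)
        return removed


if __name__ == "__main__":
    ml = MailingList()
    # Constructed legacy entries imported from an old purchased list: no consent on record.
    ml.subscribers.update({"legacy1@example.com", "legacy2@example.com"})
    token = ml.request_subscription("New.User@example.com", "website-popup", now=1_700_000_000)
    print("confirmed:", ml.confirm("new.user@example.com", token, now=1_700_000_600))
    print("removed without consent:", ml.purge_unconsented())
    print("remaining:", sorted(ml.subscribers))
```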
According to the GDPR, when an organization undertakes a new project that carries considerable risks to the rights and freedoms of individuals, in particular with regard to data protection, it must carry out a Data Protection Impact Assessment (DPIA). When organisations identify such a risk in a new or existing operation, the following steps are suggested:
1. Figure out if there’s a need for the DPIA – conduct an assessment and determine whether the inherent risks of the processing operation require you to undertake a DPIA. In general, these are some high-risk activities that you would probably need to conduct a DPIA for:
Large-scale processing of location data relating to individuals
2. Understand and describe the flow of information – create a map of how the information within the particular processing operation is collected, stored, used and deleted.
3. Identify all the risks – document the threats, their scope, vulnerabilities and the possible pertaining threats to the rights and freedoms of individuals whose data you collect and/or process.
4. Assess your privacy solutions – for every risk that you have identified to the personal data, do a cost-benefit analysis and decide on whether you want to accept the risk, reject the risk or accept it but with measures in place to reduce the impact of the threat.
5. Document the DPIA results – create a report that is signed by the decision-maker. Where a high risk has been identified, the DPIA report must be submitted to the regulatory data protection authority for consultation.
6. Incorporate the results into your project plan – make sure at every important project milestone that you refer back to your DPIA to ensure that when actions are needed to counter a risk they are actually taken.
Hope you found this comprehensive GDPR checklist useful. As a general principle, you should remember that any obscure collection and processing of data should be questioned. Educating your employees will always prove to be helpful in staying compliant with the GDPR. Is there something you find missing in this GDPR checklist? Work together with us on this checklist!
Image Credit: Pixabay mohamed_hassan-5229782/
by Hauke Holtkamp
According to the General Data Protection Regulation (GDPR), every company needs to have Data Protection Goals. These goals also need to be translated into policies in areas that heavily process data. There are numerous policies, one of which is the Data Protection Policy, which sets some of the criteria that a Data Protection Officer has to follow.
A company needs to also ensure that the principles of the GDPR are incorporated into their organizational structure. This is a step by step guide for how an organization can have compliant GDPR policies within their organization. It will start off with a memorandum to the Board of Directors informing them of what the GDPR will entail for the company. It will then give you a basic template of how to inform your employees about the collection and processing of their data.
To the Board of Directors of [add your Company Name] and its affiliates (Company):
The EU General Data Protection Regulation (GDPR) will become effective on 25 May 2018. The GDPR will bring considerable changes to data protection laws in the UK and across the European Economic Area (EEA). It will include significantly greater fines for breaches of up to €20 million or 4% of total worldwide annual group turnover. This memorandum summarises the need for a Company-wide programme (GDPR Compliance Programme), requiring the allocation of resources, for compliance with the GDPR.
Under this section of the data protection policy, you should explain what type of data is being collected and processed, for example whether personal data is held by the Company relating to customers, employees or any other parties. The second part of this section should be an example of a map of Personal Data Flow. You need to clearly lay out how the data travels within the company and record whoever touches this data, no matter how briefly. If this data is to leave the borders of the country your company is located in, make sure to mention that as well, since it will require signing a Data Protection Agreement with your Vendors (international and local ones).
Reiterate in concrete terms what failure to comply would mean for the Company and the Board of Directors. You should also give a brief description of “Personal Data” as defined by the GDPR.
Here’s an example of how you can add both:
Personal data is defined broadly and comprises data relating to any living individual who can be identified from that data. Personal data includes:
There are many potential ramifications of failure to comply with the GDPR, including:
An individual has a fundamental right in the UK and across the EEA to have their personal data protected and their personal data may only be processed (that is, obtained, recorded, held, used or disclosed) under certain circumstances. This has a wide impact on Company business.
A well-constructed and comprehensive Company-wide GDPR Compliance Programme can provide a solution to these various competing interests and represents an effective risk management tool. It is essential for compliance and for the purposes of informing your employees, customers, vendors, business partners, regulators and the courts that your company is, in fact, committed to the GDPR principles of data protection.
You need to inform the board of what their duties and obligations are. Here’s an example of how you can do this in a comprehensive manner.
The Board has a duty to know about the content and operation of the GDPR Compliance Programme and to oversee its implementation and effectiveness appropriately. The GDPR’s new accountability principle requires data controllers to be able to demonstrate compliance with the GDPR by showing the supervisory authority (the Information Commissioner’s Office in the UK) and individuals how the data controller complies, on an ongoing basis, through evidence of:
Failure to comply with the accountability principle may result in the maximum fines of up to €20 million or 4% of total worldwide annual group turnover.
The prerequisite for this section is to already have an idea of what your implementation plan will look like. If you do not yet have a plan for how you will ensure compliance within your company, make sure you make one first. You can also follow the steps below to make a skeleton of this plan. It is essential that you have at least appointed a Data Protection Officer (DPO) and have your Records of Processing Activities (RPAs), which serve both as your Data Flow Map and as the basis of your plan. Here’s what you can do and subsequently communicate to your Board of Directors.
Under the GDPR it is now mandatory for the Company to appoint a data protection officer (DPO), reporting to the Board. The DPO’s role is to provide the knowledge, expertise, day-to-day commitment and independence to properly advise the Company of its duties and conduct compliance activities in relation to the GDPR.
However, taking into account the complexity and risks associated with the GDPR, we should consider carefully whether we should appoint a DPO, in any case, to report to the Board. The DPO would be responsible for providing the knowledge, expertise, day-to-day commitment and independence to properly advise the Company of its duties and conduct compliance activities in relation to the GDPR.
A co-ordinated chain of command (in which the Board is designated as having ultimate responsibility) will need to be developed, together with written reporting procedures, authority levels, and protocols, including seeking and complying with legal advice.
The Company should consider the establishment of a working group, drawing on stakeholders from across the business, to take responsibility for the day-to-day management of the GDPR Compliance Programme.
The Company will need to carefully review existing procedures in relation to obtaining an individual’s consent as a legal basis for processing personal data. For example, it will need to ensure that any consent obtained indicates affirmative agreement from the individual (opt-in) (for example, ticking a blank box). Mere acquiescence (for example, failing to un-tick a pre-ticked box) does not constitute valid consent under the GDPR. Furthermore, the Company must be able to demonstrate that this explicit consent has been obtained, and must ensure that an individual can easily withdraw their consent at any time.
The Company must also be in a position at all times to respond quickly to any data subject’s request (such as for a copy of all of the personal data held or to erase all such personal data). This is likely to require substantial modifications to the Company’s technological infrastructure and its organizational processes.
Other channels may be needed in certain circumstances, for example, the staff handbook regarding personal data collected from employee monitoring.
A written and comprehensive information security programme is needed to protect the security, confidentiality, and integrity of personal data held. It should set out action plans for any security breach, disaster recovery, and data restoration.
The Company should develop appropriate contractual strategies and have access to appropriate templates as a risk management tool.
Under the GDPR, the Company will also be required to implement “privacy by design” (for example, when creating new products, services or other data processing activities) and “privacy by default” (for example, data minimization). It must also carry out “privacy impact assessments” before any processing that uses new technologies and is likely to result in a high risk to data subjects (taking into account the nature, scope, context, and purposes of the processing) takes place.
The GDPR also requires businesses to notify the supervisory authority of all data breaches without undue delay and where feasible within 72 hours. The Company will, therefore, need to look carefully at its data breach response plans and procedures.
The above represents only a short synopsis of the requirements under the GDPR. There are many more that are not included in this note for the sake of brevity. Getting prepared for compliance with all the compliance requirements will need considerable planning across the Company.
Financial, technological and human resources should be sufficient to reasonably prevent and detect non-compliance and promote compliance with the GDPR.
Taking into account the number of employees, assets, turnover, Company business activities, a budget for [Insert Year] of £[Insert Amount] is proposed, broken down as follows: [Insert Breakdown Of Budget].
Effective compliance training programmes are required for personnel at all levels, including directors, heads of departments and key Company service providers. Bearing in mind the above factors, a formally documented training programme with employee evaluation and attendance certification should be put in place as soon as possible.
Serious misconduct should be addressed with appropriate disciplinary action, regardless of seniority. An anonymous whistle-blowing mechanism should be considered, but legal advice should be sought before implementation in the UK and any other countries in which the Company carries on business.
From time to time, the GDPR Compliance Programme should be reviewed and updated in the light of new laws and business activities and changes to data flows and the introduction of new processing activities.
Establishing data protection as a pillar of the organization and ensuring that all employees are on board and aware sets the premise for the culture and workings of the company in general. After informing your Board of Directors, it is also important that you draft your agreements and get them signed by your employees. This works both as an agreement and as an awareness step.
Here’s a template for your employees:
You have legal rights about the way your personal data is handled by us, [Insert Name]. We are committed to protecting the privacy and security of your personal information.
This privacy notice describes how we collect and use personal information about you during and after your working relationship with us. It applies to all employees, workers, and contractors. This notice does not form part of any contract of employment or another contract to provide services. We may update this notice at any time.
During your employment or engagement by us, we collect, store and process personal data about you. To comply with the law and to maintain confidence in our business, we acknowledge the importance of correct and lawful treatment of this data.
It is important that you read this notice, along with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you. This gives you information about how and why we are using such information. All people working in or with our business are obliged to comply with this policy when processing personal data.
We are a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. Data protection legislation requires us to give you the information contained in this privacy notice.
We will comply with data protection law. This says that the personal information we hold about you must be:
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are “special categories” of more sensitive personal data that require a higher level of protection.
We may collect, store, and use the following categories of personal information about you: [add all categories]
Usually, we collect personal information about employees, workers, and contractors through the application and recruitment process, either directly from candidates or sometimes from an employment agency or background check provider. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies [list them here, if any].
We will collect additional personal information during work-related activities throughout the period of you working for us.
We will use your personal information only when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
We may also use your personal information in the following situations, which are likely to be rare:
We need all the categories of information in the list above (see the kind of information we hold about you) primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases, we may use your personal information for our legitimate interests or those of third parties, provided that your interests and fundamental rights do not override those interests. The situations in which we will process your personal information are as follows: [add all the situations in which you will use this data. Some examples would be ascertaining the terms of work, deciding about employment or monitoring equal opportunities metrics].
Some of the above grounds for processing will overlap and there may be several grounds that justify our use of your personal information.
If you do not provide certain information when we ask for it, we may not be able to perform the contract that applies to our working relationship with you (such as paying you or providing a benefit), or we may not be able to comply with our legal obligations (such as to ensure the health and safety of our workers).
We will only use your personal information for the purposes that we have collected it for unless we need to use it for another reason and that reason is reasonable and compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis that allows us to do so.
We may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or allowed by law.
“Special categories” of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the situations below:
Very occasionally, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We will use your particularly sensitive personal information in the following ways:
We do not need your consent if we use special categories of your personal information in accordance with our written policy to carry out our legal obligations or exercise specific rights in the field of employment law. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will give you full details of the information that we would like and the reason we need it, so that you can consider carefully whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our data protection policy or other policy that applies to such information.
Very occasionally, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We [envisage OR do not envisage] that we will hold information about criminal convictions.
[We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so.] [Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly from you while you are working for us.] [We will use information about criminal convictions and offences in the following ways: [add the list here]]
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances:
If we make an automated decision based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.
If no automated decisions are made at your company, use this: [We do not envisage that any decisions will be taken about you using automated means; however, we will notify you in writing if this position changes.]
We may have to share your data with third parties, including third-party service providers and other entities in the group.
We require third parties to respect the security of your data and to treat it in accordance with the law.
We may transfer your personal information outside the EU.
If we do, you can expect a similar degree of protection in respect of your personal information.
We may share your personal information with third parties where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
“Third parties” includes third-party service providers (including contractors and designated agents) and other entities within our group. The following activities are carried out by third-party service providers: payroll, pension administration, benefits provision and administration, IT services OR The following third-party service providers process personal information about you for the following purposes: [add purposes].
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganization or group restructuring exercise, for system maintenance support and the hosting of data [Describe other known activities].
We may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.
We may transfer the personal information we collect about you to the following country/countries outside the EU [List countries here] to perform our contract with you. There [is OR is not] an adequacy decision by the European Commission in respect of [that OR those] [country OR countries]. This means that the [country OR countries] to which we transfer your data [is OR are] [deemed OR not deemed] to provide an adequate level of protection for your personal information.
However, to ensure that your personal information does receive an adequate level of protection, we have put in place the following appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection: [Specify measure, for example, Binding corporate rules]. If you require further information about [this OR these] protective measure[s], [you can request it from [Position] OR it is available [On the intranet/Provide link here]].
We have put in place measures to protect the security of your information. Details of these measures are available [upon request OR on the intranet].
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. [Details of these measures may be obtained from [Position].]
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. [Details of retention periods for different aspects of your personal information are available in our retention policy which is available from [[Position] OR [The intranet/Provide Link]]. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances, we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker or contractor of the company we will retain and securely destroy your personal information in accordance with [our data retention policy OR applicable laws and regulations].
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.
Under certain circumstances, by law, you have the right to:
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data or request that we transfer a copy of your personal information to another party, please contact [Position] in writing.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
In the limited circumstances where you may have provided your consent to the collection, processing, and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact [Position]. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
[We have appointed a [data protection officer (DPO) OR data privacy manager] to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the [DPO OR data privacy manager]. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.]
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy notice, please contact [Position and Contact Details].
I, ___________________________ (employee/worker/contractor name), acknowledge that on _________________________ (date), I received a copy of [EMPLOYER]’s Privacy Notice for employees, workers and contractors and that I have read and understood it.
The General Data Protection Regulation has been in force since 25 May 2018. So if you have still not hired a data protection officer, this guide should help you. It is a complete guide to hiring a Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR). We’ll go step by step to help you with all the questions regarding a Data Protection Officer.
A Data Protection Officer is the professional responsible for the data protection activities and the implementation of measures inside the company. They hold the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. They report directly to the senior management, managing directors and CEO of the company.
According to the text of the GDPR, you need a data protection officer if:
What are the basic responsibilities of a Data Protection Officer?
The Data Protection Officer should have the following responsibilities:
This means a data protection officer is a coordinator between the controller/processor and the supervisory authority. They are also responsible for responding to data subjects, that is, the consumers/customers of the company. Under the GDPR, data subjects can request access to the data that is collected and processed about them.
In line with the responsibilities mentioned above, this section highlights how those responsibilities turn into concrete tasks. The DPO has to ensure that the data protection rules are respected, in cooperation with the data protection authority (for the EU institutions and bodies, this is the EDPS). In the EU institutions and bodies, the DPO must:
There are no exact qualifications written in the law. But the law does say, “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. The data protection officer should have at least 30-60 hours of training to understand the law and its requirements. You can get your Data Protection Officer trained at the following places:
Since there are no exact criteria, our suggestion is that adequate training or certification of a certain number of hours should help you. If your data protection officer is a lawyer by profession, it will make training easier.
What do we have to do to support the DPO?
You must ensure that:
This shows the importance of the DPO to your organization and that you must provide sufficient support so they can carry out their role independently. Part of this is the requirement for your DPO to report to the highest level of management. This doesn’t mean the DPO has to be line managed at this level but they must have direct access to give advice to senior managers who are making decisions about personal data processing.
As a controller or processor, the following are the best practices for hiring a data protection officer:
In principle, a company can appoint a Data Protection Officer either internally, by assigning the role to an employee, or externally, in the person of a service provider. The decisive criterion should always be the expertise and reliability that a DPO needs in order to properly fulfil the intended tasks. But what distinguishes an internal from an external data protection officer? We would like to explain the differences along essential dimensions such as competence, liability and protection against dismissal. In addition, to let you directly compare the costs of an internal and an external data protection officer, we use a fictional calculation to show how your company’s investment in data protection could be structured.
If you appoint an internal company Data Protection Officer (DPO), the managing director hands the task of DPO to an employee of the company. If an internal employee meets all the necessary requirements, they can be appointed as the internal data protection officer. Once appointed, the internal DPO enjoys protection against dismissal and has further entitlements, such as their own equipment or training. However, if a company data protection officer is appointed who does not have the required skills, the law treats this as if no data protection officer were present in the company.
In contrast to the internal data protection officer, the external DPO is a certified data protection expert who is available to your company as a service provider. The high level of expertise of an external data protection officer guarantees the best protection for your company. With a transparent cost structure, contractually agreed prices and a variable contract period, the external data protection officer takes care of your business quickly and efficiently, thus protecting you from high fines.
First of all, internal and external DPOs can be distinguished with regard to the costs incurred. For an internal data protection officer, the company has to pay for education, training and the acquisition of specialist literature in addition to the regular salary. With an external DPO, your company benefits from a transparent cost structure, since all services and costs are contractually defined.
In terms of competence, an internal DPO first has to undergo time-consuming and costly further training to gain the specialist knowledge, unless they are already specialized in the field. An external DPO, on the other hand, brings certified, immediately available expertise from the start of the cooperation. However, the internal DPO has the advantage in onboarding, since the company’s operating procedures are generally already known to them, while an external DPO must first familiarize themselves with the operational procedures and processes.
If there is a serious error based on the consultation with the data protection officer, e.g. misuse of customer data, an internal DPO is only subject to the limited liability of an employee, so the full liability falls on the management. In contrast, an external DPO is liable for their advice and thus minimizes the risk for the company.
Already when appointing a company data protection officer, a possible later termination should be considered. An internal DPO is subject to special protection against dismissal, comparable to the position of a works council member. The engagement of an external data protection officer, however, can be terminated with due notice.
We would like to explain this to you in more detail with a table:
Based on our experience of talking to hundreds of data protection officers, the average cost in Europe for a data protection officer depends on the hourly rate. A data protection officer without a legal background would cost around 100-200€ per hour. If your data protection officer is a lawyer, they would cost around 300-500€ per hour. Many data protection officers also work on an annual hourly-rate budget or on a monthly package basis. If you are hiring an external data protection officer, keep in mind that a really low rate usually means they have many clients, so you won’t get individual attention or consulting. If they are a big brand, you are probably paying a lot but still getting less attention.
Here’s a sample Appointment Letter for a DPO from ECOMPLY.io
Ms. Sample – Data Protection Officer –
Sample Street 2
The ACME LLC herewith and with immediate effect appoints Ms Sample as the Data Protection Officer – as stipulated in Article 37 GDPR referencing § 38 BDSG-neu for our company. To facilitate the execution of this role as Data Protection Officer, he/she shall report directly to management, specifically NAME_MANAGING_DIRECTOR.
Ms. Sample is entrusted with providing consultancy services and ad-hoc spot checks to ensure company-wide adherence to the provisions of the GDPR and to further data protection regulations.
In concrete terms, his/her duties shall be derived from the GDPR and shall, specifically, be aligned with Article 39 GDPR.
Ms. Sample shall act without being subject to supervisory instruction in the application of expertise in the area of data protection and shall be supported by management in his/her executional endeavors. To this end, he/she may consult the data protection regulatory authority responsible for our company whenever clarification is required.
Representing the management:
Place, Date Signature Managing Director
I approve of my appointment to Data Protection Officer:
Signature Data Protection Officer
If you have any further questions or want to know how we can help your DPO, book a demo with us!
If you’re not hiding in a cave, or haven’t decided to skip over press articles, then you must have come across the General Data Protection Regulation (GDPR). GDPR compliance is now incumbent on all of your marketing efforts and other business operations. This article will help you gain an understanding of what GDPR compliance means for your social media strategy.
This past month, you probably observed a number of emails asking for permissions. These are mostly from companies, moving towards GDPR compliance, asking to be on their mailing lists. It’s a small part of what post-GDPR world for Marketing looks like. For advice on Sales, give this guide a read.
The European Union enforced the GDPR in May 2018, although the EU has been working on it for the past couple of years. If your company disregards the GDPR and you put off compliance, you can be fined up to 20 million euros or 4% of revenue, whichever number is higher. So, what does it mean for your marketing department?
In general, people think social media is just about posting memes, relationships, or engagement and interactivity. If you want to build a Social Media Strategy but don’t care about data privacy or online security, then maybe the recent Congressional testimony of CEO Mark Zuckerberg will make you think again.
Soon after the enforcement of the GDPR, compliance became a trending topic in digital marketing. Many marketers are concerned with how GDPR compliance will shape their new campaigns. Another concern is how to use social media tools and platforms effectively. Getting worried about asking for consent from followers, users or connections is totally natural. Thinking about how to store or use data in a GDPR compliant way is the last thing a social media marketer wants to worry about.
Google Analytics is the most common tool digital marketers use to analyse performance. It collects user IDs, profiles behaviour and sets cookies. To be GDPR compliant with this tool, you can add an overlay to the site which notifies users of the use of cookies and asks for their permission on entering the site.
If your website uses re-marketing ads, e.g. the Facebook pixel, you should inform visitors as soon as they enter the site and obtain their consent. For publishing sponsored content and affiliate links, you need to ask the client whether they use tracking pixels or cookies to capture personal information and, if they do, get consent from the visitors.
To be GDPR compliant with opt-in emails, first verify whether the email service provider offers GDPR tools. Second, add a checkbox to the subscription form for visitors to consent to everything. Put a visible disclaimer if the newsletter uses tracking pixels to see when recipients open it.
If your website runs an ad from a third-party ad server, then your users should consent to the third-party server for using their data for advertising & marketing purposes upon entering the site. You need to inform your visitors if you use the cookies for targeting purposes.
You should get explicit consent with a checkbox before you ask people to submit their information in any contact form.
Before a user leaves a comment, they should give consent via a checkbox. You should also inform your users how you will use their information and which information you are going to display publicly.
When selling products or services to EU residents, you should collect only the necessary information from the customers. You should also let them know how you will use their information. Make sure to get the consent for every purpose of data collection.
There are two main changes which are considered to be the biggest for the social media marketers. First, as a social media marketer you won’t be able to send opt-in emails or letters. Second, you won’t be allowed to drop cookies automatically without clear permission from the prospect. To be able to have a GDPR compliant Strategy, social media strategists are required to:
There are many social media management tools available for building your Social Media Strategy. Agencies, strategists & managers use them to get support with scheduling, analysing and building campaigns. These tools assist companies/brands to come closer to their users and help them generate leads and establish a strong customer base.
Social Champ is one example of a compliant, easy to use social management tool which gives you the power of scheduling, repeating & analysing your content & helps users and brands to increase their audience reach by 75%. You can easily build your Social Media Strategy with it.
Since users produce the content on social media, the GDPR applies to both the content and its users, because the shared content contains users’ personal information.
All the products & services of Social Champ are GDPR equipped. It provides a Data Protection Agreement (DPA) for all the users who are signing-in. According to the GDPR, Social Champ is not a “Data Controller”, but a “Data Processor” organization. This means it “only practices content according to the instructions given by the users through Social Champ’s features.”
The users have the complete right to control, collect, & use their content however they wish to. As a matter of fact, the users are the data controllers (in legal terms) of the content they process through Social Champ. In short, make sure your tools and processes for Social Media Marketing are GDPR compliant.
If you would like to know more about how you can comply with the GDPR, book a demo with us!
Here’s the idea that is getting people really nervous:
First, take a deep breath, get some coffee and take ten minutes to read our suggestions below. You do not need a lawyer to do this for you.
The second step is to consider where in your website data is collected/sent (automatically or by a person). Typically, forms, plugins, tracking tools and cookies do this. The general rule is:
‘You must tell your visitors what is being tracked/collected. Ideally, you get their consent. But at least you have to give them an option to opt out.’
It does not matter what type of form you will be using or its purpose. Only ask for the things you really need in order to provide the service you are offering. For instance, if it’s a newsletter registration, make the email address a required field and keep all other fields optional.
For your social media plugins, add something like Shariff to give users more control over being tracked. For videos, Youtube has a data protection mode (https://support.google.com/youtube/answer/171780?hl=de). Unfortunately, Vimeo does not support that yet and should not be embedded anymore on your website.
Like most websites, you probably use Google Analytics. Make sure you take these steps:
Tell people that you are setting cookies and give an option to opt out. Hopefully your website system has that built in; otherwise you need to add it yourself. Below is a good example of cookie consent.
There are some conditionals:
As you can see there is no 1-click solution for this (although we are working on one!). Doing it by hand is also not prohibited. In about a day, you should be able to cover most of this.
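The consent gating described above for Google Analytics, re-marketing pixels and cookies (and in the social media section earlier), as an added example that is not part of the original post: a small gate that loads tracking tags only after the visitor has opted in, remembers the choice, and unloads them on withdrawal. The storage key, category names and the fake loaders are assumptions made for the demo.

```javascript
// Added example (not ECOMPLY.io's code): a consent gate that keeps Google
// Analytics, the Facebook pixel and similar tags off the page until the visitor
// opts in, remembers the choice, and unloads the tags again when consent is
// withdrawn. Storage and loaders are injected so it runs outside a browser; on
// a real site storage is localStorage or a first-party cookie and a loader
// inserts the vendor's <script> element.

const CATEGORIES = ["analytics", "marketing"];
const STORAGE_KEY = "consent-choice"; // key name is an assumption for the demo

class ConsentGate {
  constructor(storage, now = () => Date.now()) {
    this.storage = storage; // anything with getItem(key) / setItem(key, value)
    this.now = now;
    this.tags = [];         // { category, name, load, unload, active }
    const saved = storage.getItem(STORAGE_KEY);
    this.choice = saved ? JSON.parse(saved) : null; // null: no decision yet
  }

  // Register a tracking tag under a category. It is NOT loaded now unless a
  // previously saved choice already covers the category (returning visitor).
  register(category, name, { load, unload }) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    this.tags.push({ category, name, load, unload, active: false });
    this.reconcile();
    return this;
  }

  hasConsent(category) {
    return this.choice !== null && this.choice.granted.includes(category);
  }
  // True until the visitor has made an explicit choice (accept or decline).
  needsBanner() { return this.choice === null; }

  // Record an explicit choice. Only the ticked categories may run; an empty
  // list is a valid "decline all" decision and is remembered just the same.
  grant(categories) {
    const granted = categories.filter((c) => CATEGORIES.includes(c));
    this.choice = { granted, decidedAt: this.now() };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(this.choice));
    this.reconcile();
    return granted;
  }
  // Withdrawing must be as easy as consenting: one call unloads everything.
  withdraw() { return this.grant([]); }

  // Bring loaded tags in line with the current choice, in both directions.
  reconcile() {
    for (const tag of this.tags) {
      const allowed = this.hasConsent(tag.category);
      if (allowed && !tag.active) { tag.load(); tag.active = true; }
      if (!allowed && tag.active) { tag.unload(); tag.active = false; }
    }
  }

  activeTags() {
    return this.tags.filter((t) => t.active).map((t) => t.name);
  }
}

// Walk through a first visit and a return visit with in-memory storage and
// fake loaders that only append to a log (all constructed for the demo).
function runDemo() {
  const store = new Map();
  const storage = {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => store.set(k, v),
  };
  const log = [];
  const fakeTag = (name) => ({
    load: () => log.push(`load ${name}`),
    unload: () => log.push(`unload ${name}`),
  });
  const withTags = (gate) => gate
    .register("analytics", "google-analytics", fakeTag("google-analytics"))
    .register("marketing", "facebook-pixel", fakeTag("facebook-pixel"));

  const first = withTags(new ConsentGate(storage));
  const beforeChoice = first.activeTags(); // nothing dropped before consent
  first.grant(["analytics"]);              // visitor ticks analytics only
  const afterChoice = first.activeTags();

  const returning = withTags(new ConsentGate(storage)); // same browser, new page load
  const onReturn = returning.activeTags();              // saved choice honoured
  const bannerOnReturn = returning.needsBanner();
  returning.withdraw();                                 // visitor opts out later
  const afterWithdraw = returning.activeTags();

  return { beforeChoice, afterChoice, onReturn, bannerOnReturn, afterWithdraw, log };
}
```

Wire `grant` to the banner's buttons and `withdraw` to a link in the privacy policy, and the same gate serves both the opt-in and the opt-out the rule above asks for.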
This is another part you need to add. Here’s an example for you:
“In particular, Users have the right to do the following:
Withdraw their consent at any time. Users have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data.
Object to processing of their Data. Users have the right to object to the processing of their Data if the processing is carried out on a legal basis other than consent. Further details are provided in the dedicated section below.
Access their Data. Users have the right to learn if Data is being processed by the Owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the Data undergoing processing.
Verify and seek rectification. Users have the right to verify the accuracy of their Data and ask for it to be updated or corrected.
Restrict the processing of their Data. Users have the right, under certain circumstances, to restrict the processing of their Data. In this case, the Owner will not process their Data for any purpose other than storing it.
Have their Personal Data deleted or otherwise removed. Users have the right, under certain circumstances, to obtain the erasure of their Data from the Owner.
Receive their Data and have it transferred to another controller. Users have the right to receive their Data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. This provision is applicable provided that the Data is processed by automated means and that the processing is based on the User’s consent, on a contract which the User is part of or on pre-contractual obligations thereof.
Lodge a complaint. Users have the right to bring a claim before their competent data protection authority.
Details about the right to object to the processing
Where Personal Data is processed for a public interest, in the exercise of an official authority vested in the Owner or for the purposes of the legitimate interests pursued by the Owner, Users may object to such processing by providing a ground related to their particular situation to justify the objection.
Users must know that, however, should their Personal Data be processed for direct marketing purposes, they can object to that processing at any time without providing any justification. To learn, whether the Owner is processing Personal Data for direct marketing purposes, Users may refer to the relevant sections of this document.
How to exercise these rights
Any requests to exercise User rights can be directed to the Owner through the contact details provided in this document. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.”
Text credit: Iubenda.com
Image credit: http://thebusinessecoach.com/
Only 2 weeks left before the enforcement of the General Data Protection Regulations (GDPR) and there is FEAR! And fuelled by it there is paranoia surrounding what needs to be done. Rumors. Assertions. And crazy ideas. In this blog: we will bust all the ridiculous GDPR Myths we have heard so far.
Myth 1: GDPR is a European Union (EU) law and only applies to European companies
This particular myth challenges the parameters of the application of the GDPR. It certainly does not apply to only European companies. It applies to ALL companies who in any way collect, receive and process data of people residing in the EU. Moreover, any company that offers goods or services to EU Data Subjects or monitors their behavior in any way has to comply, regardless of the company’s location. It is, in fact, possible that a European company only processes data of American residents. In that case, the GDPR does not actually apply to the company. Essentially, it does not matter where the company is based or originated from, the criteria that should be used to assess whether the GDPR applies or not is “whose data do you touch?”
Myth 2: GDPR was made to punish companies by imposing fines
The principles on which the GDPR is based are not meant to punish companies but rather to empower people with more control over their data and to ensure responsible collection and processing of data. The potential fines have just been stated over and over again to reiterate the importance of compliance for companies. However, at this point, no one can predict how strictly the authorities will impose these fines, if at all. They will most likely allow companies extensions and a lot of leeway if they see efforts being made to comply. Fines will not be imposed for every little non-compliance issue, because in essence the nature of the GDPR is empowering rather than punitive.
Myth 3: GDPR is only for the IT departments and senior management
Every time people think of data protection, they usually jump to the conclusion that it is something for the IT department. In the case of the GDPR this is not the case at all. The GDPR reforms the way companies handle data, which is why it applies to, and adds responsibilities for, every department and every person within a company. Processes need to be created, but employees also need to be educated about the GDPR. For instance, recording all processing activities will entail the involvement of representatives from all departments of a company.
Myth 4: All breaches no matter how little need to be reported to the Data Protection Authorities
Breaches need to be reported to the relevant authorities; however, this only applies to breaches that are likely to result in a risk to people’s rights and freedoms. So not every breach needs to be reported.
Myth 5: All details need to be provided the minute a breach occurs within a company
If there is a breach within a company, details of it are sometimes not available immediately. Companies themselves need to investigate before they can collect all the necessary information. The GDPR takes this into account and allows 72 hours to report such instances where feasible. Once reported, further details can also be provided after the allotted 72 hours if needed.
Myth 6: Consent needs to be taken for every activity
The general perception among companies is that consent is at the center of the GDPR. Without consent, no data processing activity can be carried out. This perception is extremely misleading. The GDPR allows for several different ways of justifying a processing activity of which consent is ONLY ONE. Some others can be seen below from the ECOMPLY app where you can just pick one to form the legal basis for an activity:
Myth 7: Under the GDPR, you need to get consent again from all stakeholders!
So having busted the first of the GDPR myths about consent under the GDPR, the second one is specifically about asking for consent under the GDPR. Most companies think this needs to be done from scratch to be GDPR compliant. However, consent obtained under the Data Protection Directive suffices under GDPR standards. Just review the consent and the standard that GDPR sets for it.
Myth 8: New data portability rules apply to all businesses
Data portability requirements apply only when the legal basis of a processing activity is based on consent or contractual necessity. When the legal basis is legitimate interest or public interest or another provision allowed under the GDPR the requirements don’t apply.
Myth 9: Data center needs to be in the EU!
This is another common misconception. A company’s data center doesn’t have to be in the EU. It can also be in one of the third countries that GDPR allows for. Basically, it cannot be in a country that doesn’t have regulations on data protection. Here’s what we found helpful on this topic.
Myth 10: Biometric data is sensitive data under the GDPR
This is the most understandable misconception that has developed regarding the GDPR. Biometric data that a company collects just like any other data is sensitive only if it is actively used for identification purposes. It is predominantly collected for purposes of identification but if that is not the case then Biometric data doesn’t have to be treated as sensitive data.
Before getting into the GDPR SaaS Checklist For Leaders, let’s understand why the need for it has arisen.
There is a tonne of material on the General Data Protection Regulation (GDPR), and several organizations and people claiming to be experts are throwing around advice. Moreover, there is an overwhelming amount of information on this topic because the enforcement of the GDPR is in sight.
We want to condense all this information into a specific point by point checklist. Therefore, we are focusing on the Software as a Service (SaaS) industry instead of giving a general list for all companies. This list will help SaaS companies keep track of what they have done and what still needs to be done.
First of all, it is important to understand that for SaaS companies a lot of these processes can be automated but it is not really necessary to do that. You need to take stock of the costs of automation or manual labor and need to decide accordingly what works for you.
Here you can read the 10 Critical Steps to General Data Protection Regulation (GDPR) for SMEs that highlights the principles that you need to keep in mind.
This essentially means that you need to conceptualize, write down and declare your data protection goals. You can find a pre-made template for this on ECOMPLY.io or if you are not a customer: download it here.
This can be anyone in the company who is aware and informed about the GDPR. The person should sign a document accepting the responsibilities and should remain impartial when it comes to questions of GDPR implementation.
Below is the example cookie by inc.com
ECOMPLY.io helps with it. You can also read our step by step blog on how to take this item off your GDPR compliance checklist.
This includes basically every software and service you are using. Moreover, this means that you need to take stock of all your vendors and contact them as soon as possible. ECOMPLY.io helps you by giving you a list of common vendors and allowing you to add your custom ones.
ECOMPLY.io lists the technical measures that you need to report. Below is a good example:
While it is important to conceptualize these measures, you also need to implement them.
As a SaaS vendor, you should be able to provide a data processing agreement to your customers that promises technical measures to protect their data. Consequently, you need to have these agreements with your own vendors too. ECOMPLY.io will help you with that.
Have different levels of access control for each member of staff. Not everybody should have access to the whole system.
If you are still confused about the GDPR and don’t know where to start, just book an appointment with us for an informal chat.
Given all this hype surrounding the General Data Protection Regulations (GDPR), among companies and consumers alike, we just could not help but get curious. So who out of the big, famous companies are actually GDPR Ready?
So we did a little, cheeky experiment and e-mailed these companies to find out if they were aware of the legislation and what data they had on us.
Due to the enforcement of the GDPR, you can request companies to give you all the data they have on you. You can also ask them to delete it and forget you. This is primarily how GDPR empowers us as consumers. For companies to be GDPR ready, they need to have processes in place to deal with these requests.
Essentially, in GDPR terminology, we made a Data Subject Request to check which companies were aware of the coming GDPR and subsequently preparing for it.
In total, we reached out to 200 companies and tested them on two things: awareness and readiness. We assigned six people to write to different companies. One of them wrote to companies from Spain, three from Germany and one from the United Kingdom (UK). So let’s summarise the results by geographic location.
We wrote to companies in the United Kingdom (UK) recently.
From their replies, we gauged that 50% of these companies were aware of the coming regulation; however, only 10% of them were ready to cope with Data Subject Requests. From the ones that were ready, we received a full Excel sheet with our entire data. However, after the initial response, the Excel sheet was usually sent to us later, which is acceptable under the GDPR (note: GDPR allows the company 40 days to respond).
Also, one of the “aware” companies clearly explained that they were engaged in a variety of activities to become GDPR compliant and at the moment could not provide a machine-readable format of the data. This was definitely a sign that the company was well aware and in the process of preparing for the GDPR.
We reached out to ten companies which include names like Vodafone, Santander, and Groupon among others. We found that 28% of these companies were ambiguously aware of it but none of these companies were ready for the enforcement of the GDPR. It could be and is rather likely that since then, they have at least made progress in awareness of the GDPR and are in the process of preparing for it.
However, we only say ambiguously aware because the responses we got indicated that, of those who were aware of it, they either only had a specialized email address for GDPR related queries, which ended up bouncing anyway, or asked us to show up in person. Therefore, the awareness that they did have was not clearly translated into action.
Before we start, here it is important to consider that we reached out to a lot more companies in Germany than anywhere else. We are based in Germany and of course, are knowingly a little biased.
The hub of data protection, known as the place most sensitive to data privacy, lived up to its reputation.
Almost 63% of the companies were actually ready for the GDPR. These included big automotive companies like Mercedes, BMW and Porsche. Moreover, 5% of these companies were aware of the GDPR and working towards it. So all in all, the German market seems to be quite aware of what the GDPR entails and is working towards it.
On average the response time of these companies was about 3 days and the latest one was not any later than 7 days. This was definitely a positive indicator on readiness.
We also sent an email to companies like Whatsapp, Snapchat, Booking.com, Disney and Instagram to find out if these popular companies were ready. However, we found that none of them were ready, and we were unable to assess whether they were aware or not. Keep in mind that these Data Subject Requests were sent to them in early 2018, so it is possible that they are compliant by now. The time needed to be fully compliant actually depends on several factors, including but not limited to company size and the number of processes.
These companies either did not reply to our request or we got a general automated message from them.
We also realised that no response could mean that these companies are either in the middle of their blazing GDPR activities (quite unlikely), or they do not know of the GDPR and its implications (quite unlikely, and sad if true), or that they just do not care enough at this point (likely).
To be fair, a lot of companies are still in the process of researching and figuring out exactly what to do with the GDPR. For instance, we asked Woodpecker and one of our customers, Combyne, how they went about the process. Moreover, training and development of employees, especially in customer service, is on-going for most companies. So that in itself could be a factor in why we assessed companies as unaware, since we judged only by the replies we got.
Compliance will most likely be a high priority for companies if after enforcement, data authorities actually crack down on non-compliant companies and issue the dreaded fines.
Is your country GDPR ready?