As the enforcement date of the General Data Protection Regulation (GDPR) approaches, Records of Processing Activities (RPAs) is a term that is being thrown around quite a bit. It is also referred to as a procedure index, data mapping or data flows, among other names. It is what data protection authorities will ask for evidence of after 25 May 2018: Article 30 requires the records to be kept in writing and made available to the supervisory authority on request. It is a daunting prospect for most companies, since only 34% of companies (vpnMentor, 2018) are on their way to compliance so far. To make it easier on you all, we are going to outline all the steps to keep your records of processing activities ready for the authorities:
Think of all the functions you have in your company. Departments are not always clearly divided, especially if you are a start-up: chances are you don’t really have organised departments. So take a moment, think of all your functions and organise them in enough detail that every activity you carry out is assigned to a department.
This includes the name and contact details of your company as the controller and of its representative, usually the company’s Managing Director or Chief Executive Officer (CEO), plus the contact details of the Data Protection Officer if you have appointed one (Article 30(1)(a)).
You need to decide how you want to manage all the documents together. Do you want to use Google Docs and keep them all in a shared drive? Do you want to make folders on your internal company network and use Microsoft Office? Or would you like task management software for GDPR? It is important that you pick one option and then stick to it, since there will be lots of documents you need access to. Keep them in one place so finding them is not a hassle, and restrict who can edit them: the register itself names contact persons and describes your systems, so it should not be world-readable.
Think of all the departments in your company that use personal data in one way or another, for instance Sales and Marketing, Product Development and Finance. Are these departments using any user data you obtain, in any way? Make a list of them.
Identify the people who actually manage the data-related activities in each department and list them. It is important that the person you pick knows very well what the department does with the data and can answer questions about all such activities. The person does not necessarily need to be the head of the department; rather, pick the one who knows the most about the activities involving personal data.
Combine the two lists so that you have the name of the department and the corresponding contact person of the department.
Ideally, you appoint one person in your company to act as the Data Protection Officer (DPO); for some organisations (public bodies, and companies whose core activities involve large-scale monitoring or large-scale processing of special categories of data) Article 37 makes this mandatory. The DPO needs expert knowledge of data protection law (Article 37(5)), so whoever you pick will need training or at least a solid working understanding of the regulation. The DPO must also be free of conflicts of interest (Article 38(6)): someone who decides the purposes and means of processing, such as a Chief Operations Officer or Head of IT, is a poor fit, whereas a Head of Legal or a dedicated privacy role usually works. Usually the DPO is also the person leading the records of processing activities.
To officially appoint the chosen person as your DPO, you sign a document with them outlining their responsibilities and the purpose of the role in line with Articles 37 to 39 of the GDPR, and you publish the DPO’s contact details and communicate them to the supervisory authority (Article 37(7)). Our tool provides you with the document, which you can then download and request a signature for.
So, ideally, each department should record every activity that uses personal data in any way. For instance, exchanging business cards would be one activity in the Marketing Department; personnel holiday planning would be another for Human Resources.
This is the tedious long-term task that has no shortcuts. You need to go step by step and define each activity. There are a few important points you need to write down for each of them; these activities, collectively, are your records of processing activities. Let’s go over the points one by one.
This includes what the activity is and who the contact person responsible for it is. For example, “IT for employees”, with someone in the IT department responsible for it.
The GDPR requires you to state the purpose of each processing activity (Article 30(1)(b)), and that purpose should be aligned with what your company actually does. If the activity uses personal data, you also need to record the legal basis on which you process it (Article 6): is it consent, for instance, or the performance of a contract, a legal obligation, or a legitimate interest? This is the most critical part of the records of processing activities, since people frequently confuse the legal bases when adding their activities.
In this part, answer whether you collect personal data such as names, email addresses or bank details. If you do, where do you collect it, and do you explicitly ask for consent before you obtain it, or rely on another legal basis? Do you pass this data to third parties? If so, who are they and what do they do with it? Article 30 calls these the categories of recipients, and any transfer to a country outside the EU has to be recorded separately together with its safeguards.
Whose data is it? Customers, clients, employees or partners? And what is it? Names, email addresses and bank details are some examples. Article 30 asks for both the categories of data subjects and the categories of personal data.
This is the straightforward part if your processes for it are defined. Unfortunately, most companies do not have processes for this kind of thing. It covers how long you store the data, the exact location of the storage (which system, which provider, which country) and when and how you delete it.
The final step of records of processing activities is to reorganize all this information from different departments and people, consolidate it, make sure you are not missing an activity or details of it and put it all together in one place for the authorities.
Ecomply.io allows you to create one-click reports, provides you with all the templates as well as guidance on what information to put into the different gaps. Our Task Management Tool is based on the legal requirements of the GDPR to ensure that the guidance actually helps you understand what to do.
If you would like to check out our platform, book a free demo now.
by Hauke Holtkamp
In the last few days, after our Product Hunt launch, we have received questions from people who are curious about the compliance process. How do you start? What are some things to keep in mind? Since the GDPR will be enforced this coming May, we see a lot of companies scrambling to comply. We thought an example of a company in the final stages of GDPR compliance would help, so we caught up with Woodpecker.co to find out what they have done, how they have done it and what they think could have helped them in the process. We started with the basic GDPR questions and built our way up to all the others.
We’re based in Poland, so we heard about GDPR pretty soon. We’ve tried to keep abreast of the news since the moment we heard about the changes. So, we can say that we began by keeping an eye on the discourse around GDPR.
First, we read the whole regulation. In my opinion, there should be one person at every company who has read the regulation from start to finish. It helps a lot. Especially since there’s a lot of panic around GDPR as well as around the implications that may follow from it. Reading the whole thing clears things out for you.
Then, we found a couple of GDPR conferences. One of our colleagues, who we appointed as Data Protection Specialist, took part in those conferences and shared what she learned with the rest of us. She prepared small presentations for every department: Office Management, Sales, Marketing, and told us how GDPR will affect our work. Her input was invaluable.
We updated our Policy and Terms of Service. We reviewed our signup forms for our newsletter, downloadable marketing content and the app itself.
Then, we researched how other companies were preparing for GDPR. We decided to let our customers know what we were doing for GDPR. That’s how we created the page. It’s made to inform our customers and subscribers how we’re handling things.
The first step we took was to make sure our signup forms were clear to understand, as it is one of the requirements of GDPR. The signup forms should be free of any jargon words or windy sentences. The signees should know what they subscribe to.
The subscribers should feel their personal data is secure when they give it to us, and that they are in full control of it. Of course, they can unsubscribe from our newsletter or update their data at any point. We have made sure it’s easy for them to do that.
GDPR also calls for data limitation, collecting only the kind of personal data that’s essential. It has always been the case when it comes to our marketing communication. We don’t collect more data than necessary to send a newsletter. For instance, we’re not going to call our newsletter subscribers, thus we don’t collect phone numbers.
Next, we took care of the signatures that come at the end of our newsletter emails. We made sure there’s all the information that anyone would need. We’re working on the short notification that would inform the newsletter subscriber that they received the email, because they subscribed to the blog.
To be honest, we’re at the finishing line. We still need to polish a thing or two. We’re sure to announce it within a week or less. We’ve been working on it for a couple of months, because we process our users’ personal data and our users process personal data of prospects. We need to work our way through GDPR compliance.
Don’t try to do everything at once. It might be overwhelming. Especially since there’s a lot of contradictory advice on the Internet. Start with baby steps. That’s how we came up with the idea of creating a GDPR checklist, available on our blog. If you don’t know what to do, take a lawyer’s advice. But I’m sure you’ll manage to take care of GDPR compliance on your own.
Start with thinking what data you collect and where from. It is not only the pillar of conducting risk assessment. It will also help you realize what kind of data security policy you need.
Change the way you think about GDPR. It isn’t a policy which covers mistakes in the current system but policy which showcases how the system works.
That would be even better. I think the compliance took so much of our time because we didn’t have everything in one place. Had we had a solution to keep our work organized, it would have taken far less time to become GDPR compliant.
We have the GDPR documents scattered around, because there is a lot of information to keep an eye on, likewise, we have had to review our database and do everything in our power to secure the personal data of our users and newsletter subscribers. It got really hectic. If we had an app or something that would keep everything under one roof and let us collaborate, we’d be thrilled.
As a sales automation tool, Woodpecker is both a data processor and a data administrator. We process personal data and allow our users to process personal data of their prospects. That’s why we needed to review how we process personal data and how others can process personal data in the app. We need to be cautious about our users’ data. And we need to make it possible for our users to process the personal data of their prospects in a way that is GDPR compliant.
An email body doesn’t change much from what it was before. There are two things that need our attention when writing a cold email, though. The first thing is having a tightly targeted list of prospects. A spray-and-pray approach has never been effective, but now it’s illegal under GDPR. When we decide to send somebody a cold email, we should be able to justify why we chose a specific person to be on our cold emailing list. Our business statute should be tightly connected with theirs.
The other thing is that we should be transparent. We should include information, or at least be prepared to give it when asked to, that we’re processing our prospect’s personal data and that prospects can opt-out from receiving further emails from us any time they want. We have an example of that in our article about GDPR.
You can check out Woodpecker.co right here!
If the answers to these GDPR questions have left you confused about how to start your compliance process, or if you find yourself drowning in heaps of Excel sheets, book a free demo with us!
Combyne, the mobile app, solves the age-old dilemma of picking the perfect outfit for different outings and events. Now you can simply create outfits using different clothing items from your favorite brands. You can also take a photo of any of your own clothing items and add them to your outfit.
So basically, you can dress on your phone saving you the hassle of actually trying on each outfit before you decide on the perfect one.
We caught up with Christian Dienst, the Chief Operating Officer at combyne to find out why they chose to trust ECOMPLY.io to manage their GDPR compliance.
What is GDPR according to you?
Christian: I believe it gives businesses and organizations the chance to outline their internal data structures and improve their systems accordingly. In the end, it is an international standard that companies need to adhere to in order to protect their customers and employees’ data and privacy.
Why did you need to be GDPR compliant?
Christian: From day one of our GDPR journey to compliance, the most important factor for us has been to provide data protection to our users and employees. Even if we are not at all involved in large-scale processing, GDPR has given us the opportunity to organize ourselves and our internal system and also to improve our data management approach. We felt that by establishing a data-conscious environment, our user community and partners can only benefit more from our products.
Why did you choose ECOMPLY.io?
Christian: After we came up with a strategy on how to tackle our data processes, we thought that ECOMPLY’s integrated format could benefit us greatly. Given that we are still a small company (according to the GDPR guidelines), we were really happy to have found a simple, accessible platform that would allow every member of our team to understand and add information.
Who works with ECOMPLY.io? How does it fit into your own processes?
Christian: During the “mapping” stages, just a small part of the team was involved. We needed to figure out how to approach this and to select the processes that we knew for certain involved collection and use of personal information. Afterwards, we managed to bring in the whole team, and everyone’s input proved to be extremely helpful.
How did ECOMPLY.io add value to your GDPR journey?
Christian: For us, ECOMPLY has been an effective facilitator. By having access to a comprehensive list of processes, requirements, and explanations, we managed to save a lot of time and effort. After selecting the appropriate processes, we were able to add our own, internal activities. This helped us build a comprehensive database of processes, in a single format. Also, the ECOMPLY team has always been open to answering questions when we couldn’t figure something out.
What were the alternatives?
Christian: Obviously, the alternatives would have been organizing the departmental information, creating templates and using all sorts of documents. We would have been required to spend a lot of extra time on creating an accessible format and then to add our input. That would have significantly delayed our GDPR compliance journey!
Any final thoughts?
Christian: Ecomply offers a simple, step-by-step approach to comply with the GDPR at an attractive price and with great customer service.
Inspired by combyne’s journey to compliance? Get a free demo now!
Want to Dress on Your Phone? Download combyne
by Aazar Shad
The General Data Protection Regulation (GDPR) is ripe and the market is buzzing with many different compliance tools. Some are super helpful, others are mildly so and some are simply pretending to be helpful to get some benefit out of jumping on the GDPR bandwagon.
We thought we would tell you exactly what it is that we do that helps you with compliance. So here goes!
Do you want to spend 100s of euros on document templates like the ones by Certkit?
You must fill out the documents and log all your activities for all your departments anyway, so paying for Word, Excel or other templates that you then fill in yourself without any guidance is definitely not worth the money you will put in.
Ecomply.io has these templates with all the content as well as guidance on what is relevant for different fields. So, you won’t face any confusion about what you should write in the template.
Do you want to hire an external consultant for all the work?
It is not just the cost of the external consultant; think about all the time your company will spend on finding the right consultant or firm, giving them a rundown of everything your company does, answering their questions, getting them to sign NDAs, setting up accounts for them and all the other organisational tasks your company would have to do just to get them started.
It would easily be a week just to onboard them! And what’s more, even the external consultants suggest using us!
Ecomply.io replaces 75% of the work of external consultants. The left over 25% is basically writing new policies in accordance with the GDPR.
Do you want to sit down in countless back to back meetings to fill everything out?
Think of all the meetings you will have to hold if you fill out everything yourself. First, prepare and organise a kick-off meeting. This entails understanding the GDPR with all its intricacies and condensing it into a workshop for the rest of the departments and people. After your initial meeting, you still have to get people to write down, or record in one way or another, all the ways in which they use data. Then follow-up meetings, making sure everyone does it on time, clarification meetings and so on. This would be the norm!
With ECOMPLY.io, you can simply add people from different departments to work on their activities and track the overall progress.
Do you want Excel sheets and more Excel sheets and more Excel Sheets?
Don’t forget that this means an unimaginable number of Excel sheets. Imagine every department filling out all their activities and all the details they collect, ranging from the name of their user or consumer to their login dates and so on. Then you will have to extract the relevant information from all these department reports and combine it according to the requirements of the Data Protection Authorities.
With ECOMPLY.io, you can generate this report with one single click.
Here is a table we compiled that can further help you with the comparison:
If you have any questions about the GDPR, book a free demo with us now!
GDPR is here. We hear a lot of companies wondering how long it takes to actually become compliant. This is the omnipresent question that companies, executives and pretty much everyone else are asking these days. So we decided to try and answer it for you. We surveyed about 15 experts to help us, and below is how long GDPR implementation takes according to the survey.
The first thing to realize is that compliance is a step by step process and depends on a number of factors like the number of employees and processing activities among others. Here are some basic assumptions that we have made:
1) We are excluding big multinational firms from this survey, since they have complex structures and estimating the time for them would require extensive research into those structures.
2) The parameters around company size that we have set for this blog are a small or medium-sized company with 50 to 250 employees in total.
3) We exclude financial, health, recruitment and market research companies, since they are more complicated.
However, the experts whom we surveyed were able to tell us from the get-go that the amount of time needed to become GDPR compliant depends on a lot of different factors. Some of these are:
Moreover, what everyone needs to understand is that GDPR implementation and its compliance is a step by step process that also requires long-term commitment and integration into the existing structures and processes of the company.
Let’s break down this big term into some basic, simple steps; you can consider this your GDPR implementation guide:
Before you start down the compliance and GDPR implementation path, you need to assess a few things. First, take stock of your current state of compliance and make yourself aware of the General Data Protection Regulation (GDPR) in detail. The pre-assessment depends heavily on the size of your company and the processes you have. The aim is usually to figure out the resource commitment your company needs in order to actually comply.
In our survey, the experts we interviewed had different estimations for GDPR compliance implementation. Half of the experts estimated that for a company between 50 and 250 employees, it would take on average 15 hours to complete a pre-assessment.
The important thing to remember here is to set the scope and ensure commitment to your assessment. The extent of prior knowledge you have will also play a determining role in how long pre-assessment will take.
Keeping Records of Processing Activities (RPA) is a stipulation of Article 30 of the GDPR, which explicitly requires businesses to document their processing activities, recording the processing purposes, the categories of data and data subjects, recipients and data sharing, transfers outside the EU, and retention periods. These records have to be made available to the supervisory authority on request (in the UK that is the Information Commissioner’s Office, ICO; in other member states the national authority). In short, every stage that the data passes through has to be documented for the authorities. If you are confused about the RPA, you can check out this video and get it cleared up.
This is, of course, highly dependent on what the company actually does and its related activities. For instance, a headhunter holds personal data on candidates that they have to document: names, current position, company, date of birth and more. Every step this data goes through has to be documented, so that if a data subject asks how their data is used (a subject access request under Article 15), the headhunter is ready to answer.
The opinions of the experts we surveyed were quite dispersed; on average they estimated that this part of GDPR implementation could take 40 hours.
This is a critical step in becoming GDPR compliant and one that needs special attention, since outsourcing and having several vendors is such an integral part of most businesses today. Vendor risk management (VRM) from a GDPR perspective means making sure that the services you use for your business do not put you in breach of your own data protection obligations or create disruptions for you. In practice that means identifying which vendors process personal data on your behalf, putting an Article 28 data processing agreement in place with each of them, and checking where they store the data.
This, according to our experts, could take you on average 30 hours and depends again on the type of work your company does and the number of vendors you have.
A Data Protection Impact Assessment (Article 35) assesses the risks that a particular processing activity poses to the people whose data is involved; it is mandatory wherever the processing is likely to result in a high risk, for example large-scale profiling or systematic monitoring. The company identifies, assesses and minimises the risks of the activity, often with an external person helping. An overwhelming majority of the experts we surveyed were of the opinion that for an external consultant to do this for a client could take from 25 hours on average.
If you thought it was a one-time thing, then you were…WRONG.
Because being compliant is a process which changes as your company grows, evolves and modifies its operations. It’s important to think of it as an ever-present goal for your company.
Our experts estimate that keeping compliant would take on average 75 hours per year. Some were also of the opinion that the company’s Data Protection Officer (DPO) should calculate the hours based on the Data Protection Impact Assessment.
To conduct an annual Data Protection Audit, our experts were once again very divided. The average response came to about 10 days a year.
We think that automating your compliance process will actually save you a lot of hassle and will replace the external consultants that you would otherwise have to hire (the cost of which could be on average about 150 euros per hour, according to our experts). So in short, we suggest to really estimate the time you need in your pre-assessment holistically taking into account all your activities.
1) If someone charges less than 100 euros per hour, ask yourself whether they really want you to be compliant or just want to sell their services.
2) Automating compliance will make GDPR compliance 5x faster, since it reduces the prior knowledge you need to collect and assess.
3) Having software will also make compliance easier to manage in the future, since you will be able to track your progress and see what still needs to be done.
4) Overall, the GDPR project takes more than 200 hours if you have done nothing at all.
“Execution is key but endangered by overthinking.” (Lisa, Scalable Capital)
Book a Demo with us to learn more about how we can help you comply!
Some of the experts helped us to collect this data and wished to be mentioned here. If you want to connect with the experts, feel free to contact them on LinkedIn:
Christian Schmoll, g3s Rechtsanwälte
Jodi Daniels, Red Clover Advisors
Lisa Gradow, Scalable Capital
Mandy Webster, Data Protection Consulting Limited
Since the news broke of what Cambridge Analytica had done, there has been a media frenzy: stakeholders reacting, accusations being thrown around and public outrage at what is considered a gross breach of consumers’ trust. Suffice it to say that Facebook has a lot of assurances to hand out to its angry users.
With the adoption of the General Data Protection Regulation (GDPR) and its long overdue enforcement, will incidents like this be deterred?
Let’s make some sense out of all the noise surrounding the issue and answer this question.
Cambridge Analytica (if you visit their webpage: https://ca-political.com/) as a company claims that they lead data-driven political campaigns which given the political arena today seems like a rather smart thing to do. However, the question arises: How do they get access to this data and how do they collect it?
This is where the problem lies: in 2014, Cambridge Analytica obtained data on around 50 million Facebook users, harvested through a third-party personality-quiz app that collected not only the data of the people who installed it but also that of THEIR FRIENDS, none of whom were made aware of it. The data was used to build psychological profiles in order to target people with content for political campaigns.
The primary issue in this case, as in data privacy generally, is informed consent. The people concerned, or data subjects in GDPR terminology, did not know that their data and their friends’ data was being used for the purpose it was actually used for, namely political campaigning. That is problematic, and this is where the GDPR steps in.
GDPR makes it incumbent for companies to gain the informed consent of the person whose data is being used in three ways:
The GDPR also makes it mandatory for companies to document their processing activities (Article 30) and to be transparent about them towards data subjects (Articles 13 and 14) as well as the authorities.
Did Facebook have technical and organisational measures in place to deter this kind of incident? Who knows. But if it did, they were clearly not effective enough, since a third party, Cambridge Analytica, was able to harvest the data through an application. Enforcement of the GDPR means that the path that data and its processing take through the company is documented, so that the data subject knows exactly what their information is being used for. Documentation alone does not stop a rogue third party, though: Article 32 also requires security measures appropriate to the risk, and Article 28 requires controllers to bind anyone processing data on their behalf by contract.
It also puts pressure on C-level executives: administrative fines of up to 20 million euros or 4% of worldwide annual turnover (Article 83) are levied against the company, and the accountability principle (Article 5(2)) means management has to be able to demonstrate compliance, not merely assert it. So yes, it is in the interest of CEOs to make sure that slips like these do not happen.
In short, after the enforcement of the GDPR, incidents like these will be heavily penalised, and prevented to a degree by the documentation of processes and the threat of those penalties. In a post-GDPR world, what Cambridge Analytica did would, for all intents and purposes, be unlawful, and the failure of Facebook’s controls would be severely punished as well.
So yes, we definitely believe that the GDPR will be a hero of sorts and will empower people through greater autonomy over their data.
If you want to know how we can be the Robin to your GDPR, book a demo with us!
Disclaimer: the picture in the featured images has been taken from AIB (http://allindiabakchod.in/)
Description: How the recruitment process of companies in search for talent is impacted by the GDPR, and what HR teams should be aware of regarding the regulation that aims to protect personal data from individuals in the EU.
With the enforcement of the General Data Protection Regulation (GDPR) approaching in May, there is a rising awareness that many companies will be impacted in different ways and for many reasons, and the recruitment process is one of them. If you are a recruiter or an HR manager, there are some aspects you should be aware of. Consider focusing on talent acquisition procedures before costly fines and sanctions reach your business. Until now, looking into the personal and even sensitive data of potential candidates during talent acquisition has been expected and generally accepted, both online on social networks and through other channels such as headhunters and partners’ networks. Everybody shares photos, experiences, family moments, job and academic history and even opinions online, and a candidate’s performance and behaviour in past jobs are often passed between companies without the subject’s knowledge. This is how potential employers pre-screen applicants for a job offer.
What does the regulation say?
The GDPR is a broad regulation, but it is very specific on this point: personal data is still personal data even when it is publicly available on a social network, and processing it without a legal basis and a defined purpose is risky.
The arbitrary collection and processing of personal data for a company’s commercial or recruitment purposes cannot be assumed to be permitted by recruiters just because the data is publicly available. There must be a legal basis for the collection: consider whether the data was published on a business-related platform, whether the interest and purpose behind the collection are legitimate, and whether the data is relevant to the role the candidate has applied for.
From the company’s side of the recruitment process, it is important to inform the candidate, the subject of that data, with a clear explanation of the purpose of the collection and of the processing activities to be performed with it, and to obtain consent where consent is the basis you rely on. Consent is not the only legal basis here: steps taken at the candidate’s request prior to entering into a contract (Article 6(1)(b)) or the employer’s legitimate interests (Article 6(1)(f)) may also apply, and because of the imbalance between applicant and employer, consent is harder to show as freely given. Whichever basis you use, make clear for how long the data will be held (ideally until the end of the recruitment process) and erase it properly as soon as the agreed purpose and period are over. Friend requests and acceptances on social networks are not a form of consent.
To make it more clear, there are a number of practices that should be taken into account if you want to make sure your recruitment process is compliant with GDPR:
1 – When reaching out to or collecting information from a candidate, inform them of the purpose, ask for consent where that is your legal basis, and record it.
2 – Keep the candidate’s data confidential and secure in your system.
3 – Take good care of who has access to printed CVs. For example, leaving CVs lying on a desk in a shared office is often considered a breach of data protection.
4 – Put Data Processing Agreements (DPAs) in place with your hiring, recruiting, training and headhunting companies.
5 – Find out how long you can keep the data for (this depends on the type of data, the purpose and which country you are in).
6 – Maintain Records of Processing Activities (RPA); find out more here.
7 – Ask for consent to use photos and details with fellow company colleagues, and to share them outside the company. Consent bundled into the employment contract is rarely considered freely given, so use a separate form that the employee can withdraw.
8 – When screening a candidate for a background check, make sure you do not violate any of the candidate’s personal rights.
9 – Use HR software and applicant tracking systems that are GDPR compliant.
10 – Implement an easy unsubscribe (opt-out) link if you send marketing or job opportunity emails.
11 – After hiring, ask for written consent from the new hire before sharing their personal data with company colleagues or using it anywhere else.
These practices will help make your process compliant with the regulation, but there are other important aspects to take care of, such as the appointment of a Data Protection Officer (DPO). We suggest you stay tuned to our posts and look for professional guidance!
Extra: As a social network user, stay aware!
Whether you are an HR professional or not, today virtually everybody uses social networks. It is important to understand that the GDPR aims to protect the rights of data subjects and to diminish the extent of commercial exploitation of their data. Religious beliefs, ethnic origin, political views and health data are sensitive, and the harm caused by exposing them can go beyond commercial profiteering.
Many people kept asking us GDPR questions. We compiled the most frequently asked ones to help you out.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
The GDPR was approved in April 2016 with a transition period of two years. On May 25th, 2018, the regulation comes into effect.
This regulation is for individuals, the data subjects. It focuses on protecting people’s personal data and on a simpler regulatory environment for businesses. The purpose is to ensure that the data subject remains the rightful owner of their personal data and that their rights are ensured, wherever they are.
Every company that collects, holds and processes personal data by any means and for any purpose, whether it comes from its customers, employees or partners. That is virtually every company, since even the simplest business makes use of digital payments and uses data for HR purposes.
If you answer YES to at least one of the following questions, then you should comply with the GDPR:
– Does your company collect data from its customers?
– Does your company collect data from its employees?
– Does your company process digital payments (credit cards)?
– Does your company reach out to customers, partners or employees by email?
– Does your company reach out to customers, partners or employees by mail?
– Does your company reach out to customers, partners or employees by telephone?
– Does your company send products to customers, vendors or partners by post?
The territorial scope is regulated in Art. 3 GDPR. It states that the General Data Protection Regulation applies to all 28 EU Member States and to companies and organizations outside the EU, as far as the processing of data concerns EU citizens. It does not matter whether the person is in the EU in the short or long term; citizenship or status as a Union citizen does not matter here. This territorial scope of application cannot be subsequently changed by contract. Nor does it matter what kind of service or products the companies or organizations offer. The only decisive factor is whether personal data of EU citizens is collected and processed.
The General Data Protection Regulation applies to individuals and entities of all sizes who process personal data of EU residents, regardless of where the processor is located. These rules also apply to data controllers and data processors, including third parties such as cloud providers.
The GDPR does not differentiate between B2B and B2C; it applies equally to both. The background to this is that the General Data Protection Regulation concerns the protection of individuals rather than legal persons.
The above part covered generic GDPR FAQs. We’ll dive deeper now into specific questions.
After May 25th, 2018, organizations that fail to comply with the GDPR can be audited and suffer sanctions due to claims from data subjects who feel their personal data rights were or are being violated – or their data used for purposes other than the ones consented to – by that organization. Moreover, those audits can happen randomly or following complaints, depending on the approach taken by each European Union member state, which is responsible for the businesses established in its country and is under European Commission supervision.
Every European Union and EFTA member state designates a national organization/commission/agency/bureau/authority that is responsible for GDPR enforcement inside that country’s borders by providing information and support, but also by auditing and issuing sanctions and fines. Their status was formalized by the Data Protection Directive. Here is the list of the websites of all the National Authorities in Europe:
Andorra: https://www.apda.ad/
Austria: https://www.dsb.gv.at/
Belgium: http://www.privacycommission.be/
Bulgaria: https://www.cpdp.bg/
Croatia: http://azop.hr/
Cyprus: http://www.dataprotection.gov.cy/
Czech Republic: https://www.uoou.cz/
Denmark: https://www.datatilsynet.dk/
Estonia: http://www.aki.ee/en
Finland: http://www.tietosuoja.fi/en/
France: https://www.cnil.fr/en/home
Germany: https://www.bfdi.bund.de/
Greece: http://www.dpa.gr/
Hungary: https://naih.hu/
Iceland: https://www.personuvernd.is/
Ireland: https://www.dataprotection.ie/
Italy: http://www.gpdp.it/
Latvia: http://www.dvi.gov.lv/en/
Liechtenstein: http://www.dss.llv.li/
Lithuania: http://www.dvi.gov.lv/en/
Luxembourg: https://cnpd.public.lu/
Macedonia: https://www.dzlp.mk/
Malta: https://idpc.org.mt/
Monaco: https://www.ccin.mc/
The Netherlands: https://autoriteitpersoonsgegevens.nl/
Norway: https://www.datatilsynet.no/
Poland: http://www.giodo.gov.pl/
Portugal: https://www.cnpd.pt/
Romania: http://www.dataprotection.ro/
Russia: http://eng.rkn.gov.ru/
Serbia: https://www.poverenik.rs/sr/
Slovakia: https://dataprotection.gov.sk/
Slovenia: https://www.ip-rs.si/
Spain: https://www.agpd.es/
Sweden: https://www.datainspektionen.se/
Switzerland: https://www.edoeb.admin.ch/
United Kingdom: https://ico.org.uk/
Whatever violation happens, the authority of the country where the company involved is physically or legally established is responsible. For example, anyone who sells internationally as an online retailer may already have heard something about the new one-stop shop. This allows EU citizens to always turn to their own data protection authority for complaints – the data protection authority in their country. ATTENTION: This applies regardless of where the privacy violation happened.
The above part covered generic GDPR frequently asked questions on authorities. We’ll dive deeper now into specific questions for data subjects.
Initially, the only way companies can have access to and control over any data is by consent. The subject of that data then has three main rights granted:
Right to access: Every EU resident has the right to know, on request, what personal data any company is holding and/or processing.
Right to erasure: Every EU resident has the right to require the deletion of all the data – to which they have granted access – held or processed by any company.
Right to data portability: If a data subject wants to change to a new service provider, they can ask the former provider to send all their personal data to the new one in a standard, machine-readable format.
While collecting data, the company has to make clear the purpose for which it is doing so. Any activity performed with that data has to be described in the terms of the consent, which, once accepted by the data subject, will be the legal basis for any processing.
Consent must be explicit for the data collected and the purposes the data is used for (Article 7; defined in Article 4). Consent for children must be given by the child’s parent or custodian, and must be verifiable.
Data controllers must be able to prove “consent” (opt-in), and consent may be withdrawn whenever the data subject asks.
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
It’s your responsibility to identify a lawful basis for processing under the GDPR.
The above part covered generic GDPR FAQs on data subjects. We’ll dive deeper now into specific questions on GDPR measures.
Initially, look for professional advice. It does not need to be a lawyer; there are plenty of other professionals specialized in the GDPR who can help you comply. Moreover, online solutions for GDPR compliance like Ecomply’s provide guidance and can greatly simplify the work.
For GDPR compliance, one of the main requirements is that every company shall maintain a detailed description of every activity that somehow processes personal data. These descriptions are called “records” and will provide an overview of all data processing activities within your organization. It enables the company to understand what kind of data categories are being processed, by whom and for which purposes. It is called records of processing activities.
The Data Protection Officer is the professional responsible for the data protection activities and measures inside the company. He/she holds the security leadership role in charge of overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. Here is our complete guide on how to hire a data protection officer.
A virtual DPO is an external Data Protection Officer that provides online assistance to a company. It can be one person or a group of people with different specialties offering the service as a unit. In this approach, a specific person should be nominated as the lead of the DPO function.
When processing activities are outsourced, meaning they are performed by someone other than the controller’s company, a contract called the Data Processing Agreement must be set up between the parties. The agreement must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects, and the obligations and rights of the controller.
A process inside the company, or a piece of software developed or purchased by the company, is “secure by design” when data protection was treated as a key aspect and requirement during its development: all the data that goes through it can be tracked, the processing is understandable and under control, and it has tools that grant data subjects their rights of access, deletion and portability.
Video recordings fall under the GDPR because they can be used to track and identify persons. It is important to have a clear purpose for the recording, as well as consent from the persons being recorded.
Each employee’s email account is private and contains personal data. For the company to have deliberate access to it, the employee must give explicit consent. When an employee leaves the company, the company can either forward incoming messages to a particular address appointed by that user or ask for permission (consent) to access those new messages.
The above part covered generic GDPR FAQs on measures. We’ll dive deeper now into specific questions on data classification.
Personal data refers to any information related to the data subject that can be used to directly or indirectly reveal his/her identity.
Sensitive data refers to information related to the data subject’s fundamental rights, intimacy and free will. Examples are health records, religious beliefs, political opinions, biometric data and genetic data.
Under Article 83 (5) GDPR, the maximum penalty for companies and organizations for failure to comply with the General Data Protection Regulation can amount to up to € 20 million or 4% of the annual worldwide turnover, whichever is greater. According to Art. 83 (4) GDPR, there is a graduated approach to fines; for example, a company can be fined 2% because it does not keep its records in the correct order (Article 28).
A controller is a “natural or legal person, agency, institution or other body” that processes personally identifiable information for its own purposes. It decides “on the purposes and means of the processing of personal data” (Article 4 (7) GDPR). However, the decisions on the purposes and the protective measures must stay within the framework of the provisions of the GDPR. In general, the data processing purposes are based on the business case, for example in the context of accounts payable and accounts receivable. The protective measures for the personal data must be selected according to the respective protection needs. The controller must ensure the lawfulness and purpose limitation of the data processing as well as the rights of the data subjects whose data is processed. The controller must also be able to demonstrate compliance with the GDPR.
A processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller” (Article 4 (8) GDPR). The processor processes the personal data only within the instructions of the controller. It takes appropriate technical and organizational measures to protect the data.
Already existing data protection principles such as purpose limitation, data minimization and transparency are preserved. From 2018 on, data processing will continue to require a legal basis, e.g. “contract fulfillment” or “consent of the person concerned”. The essential legal bases for data processing remain: data processing that is permissible today is expected to remain permissible from 2018.
No, the new regulation covers all existing and new data and applications. That means the GDPR also applies to data stored previously. Compliance with the regulation must therefore be checked for all processing, old as well as new. The following issues should be considered, for example:
– Does the existing documentation of the data processing processes correspond to the new data protection requirements?
– Are the formal requirements for informed consent complied with?
– Does the existing risk management process take into account the demands to determine suitable technical-organizational protective measures?
According to the current status, a data protection officer will continue to be needed in Germany if at least ten people in the company are engaged in automated data processing.
Even if a data protection officer is appointed, the responsibility for GDPR compliance lies exclusively with the company (the controller). The data protection officer (DPO) only advises and supports the implementation.
Does the GDPR apply to small businesses (SMEs)? Will SMEs get fined? Are you worried about a €20 million fine for your company? There is a solution to this.
This year the GDPR arrives, and it is binding on all companies and organizations handling the data of individuals within the EU. From now on, your company can be held liable for the data it collects and uses. Fines of up to €20 million or 4% of annual turnover can be imposed. This company was fined $250 million, even before the GDPR was in place. But this can be totally avoided!
Are you ready for GDPR? If yes, read more to see if you have everything in place.
Not ready yet? Follow the steps below to be GDPR ready!
The GDPR is a regulation of the Parliament and of the Council which comes into force on May 25th. As a regulation it affects companies and their customers as much as a national law. Decision makers and key people in the organization must now identify which of the company’s processes are not GDPR compliant and analyze the kind of resources that will be required to tackle this in time for the GDPR implementation. The UK’s ICO provides in-depth information on what the GDPR is and everything you must know about it. If you are a small business (SME) owner, then the GDPR affects you as well.
Our GDPR glossary will help you understand the relevant terminology. You must also know where your company stands in relation to GDPR compliance. You can take this gap assessment to find out!
GDPR requires you to maintain records of processing activities. GDPR does not take SME owners out. You have to do this.
Your organization must document all the data that it holds, where it came from and how it uses that data if it somehow refers to an identifiable person. Furthermore, your organization must be able to submit up-to-date reports, so called records of processing activities (RPA), to the competent data protection authority at all times.
The development of the records of processing activities is also a key step because it enables the company to evaluate the whole process and understand where corrective measures have to be taken. Without such a record, no compliance to any further requirement of GDPR can ever be achieved!
Need help with organizing your data for GDPR compliance?
If you need help figuring out how you can record processing activities, this tool will help you organize your data.
The individuals whose data your company uses must be informed through a privacy notice detailing in simple terms what kind of data you obtain, in what ways you obtain it, for which purposes you need it and, where applicable, whether you are transferring the data to countries outside the EEA.
Do you need a privacy notice? With this tool you can create a first draft that meets the legal requirements.
Now that you have sorted your data, you have to legally review all procedures concerning personal data. Are they compliant with the GDPR or not? The answer is complex and usually the work of a lawyer. Generally, you must keep in mind that processing activities concerning personal data might affect the rights of individuals. Those processing activities therefore always have to be justified.
The normal way to justify processing is also the most important pillar of data protection: consent! Your company should review how you seek, record and manage consent. It is important that the consents meet the new GDPR standard, so your company may have to review and refresh all consents. SME owners have to do this too, and on an ongoing basis.
For example, it is necessary to keep the grammar and content of the consent simple and in an understandable format that anyone can follow. The UK’s ICO provides consent guidance that is a useful tool for defining consents as per the GDPR.
Your company should update the procedures and must plan how you will handle subject access requests to take account of the new rules. In most cases, you will not be able to charge for complying with a request.
You will have a month to comply, rather than the current 30 days.
You can refuse or charge for requests that are excessive, but otherwise you will need to provide the requester with their data in a machine-readable format. If you refuse a request, you must tell the individual why, and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest within one month.
When your company works with a data processor, it should review the outsourcing contracts of data processing to comply with the GDPR. First, make sure you own those contracts, which is not always the case with free cloud services. At the latest on request of the competent data protection authority, you must be able to present the contracts. After all, these contracts must also be compliant with the GDPR and there is a high probability that they have to be adjusted.
Probably your company has to appoint a DPO to take responsibility for the regulatory compliance.
This DPO will report to the highest position in the firm and has to make sure the company takes the measures needed to bring its processes and information flows in line with the GDPR. Specific conditions determine when a DPO is mandatory; however, it is a good idea to have a specialized role within the organization in any case.
Another option is a virtual DPO, which can help your company be GDPR compliant. The best part is that it costs much less and reduces the company man-hours involved by 75%!
The GDPR might not directly impose a DPO requirement on SMEs, but if an SME processes special categories of data such as health data, it would be good to hire a DPO externally or part-time internally.
Your company has to evaluate in depth the type of processing activities it will require for each kind of data it collects, in order to analyze the risks it may pose to the data subject. Every software used, activity performed and measure taken must have protection by design. This ensures that there will be no breaches and no vulnerability regarding the security of this data, and no harm to the rights of the data subject.
If the processing activities or the data are susceptible to high risks, an impact assessment must be performed to evaluate the right measures to be taken to minimize these risks. Important aspects of granting this security are pseudonymization, minimization of the data, ensuring the erasure of data according to the consent deadlines, and granting access to the data subject.
Your company must adopt internal procedures and require the same to third-party partners, in order to deal with data breaches.
Those procedures should include identification of the actual data breach, investigation of the circumstances of the breach, and assessment of the implications it may cause both to the company and to the data subject regarding his privacy.
One thing to remember is that the breach must be notified to the Supervisory Authority within no more than 72 hours when the data subjects are exposed to some kind of risk, and in those cases the data subjects also have to be notified.
Data Protection Authorities in EU countries
This list provides the websites of the Data Protection Authorities in your country. You can find more specific content for your region from the corresponding website.
If you want to find out more about preparing for the GDPR, you should take a look at our GDPR webinar series. Each presentation covers a different aspect of the Regulation, such as data flow mapping, risk assessments, and data protection by design.
If you’re a small business (SME) owner, you need help with GDPR and just starting, get this guidebook to start with.
This is a commonly used General Data Protection Regulation glossary. Since the GDPR is written by lawyers, we wanted to help you understand these difficult terms in an easier way. Below are the most important ones to keep an eye on.
The GDPR is a regulation on the protection of individuals within the European Union with regard to the processing and movement of personal data in this era of increased online data sharing. It was adopted on 27 April 2016 and shall apply from 25 May 2018.
A regulation is a legal act adopted by the European Union that applies immediately in the Member States and does not need further adoption into national law. This means that the GDPR will come into effect in all the Member States of the European Union starting from 25 May 2018.
Any data that can help identify an individual. It is also called Personally Identifiable Information. Examples of personal data include name, location, personal identification number, the color of your hair, a list of customer names and their addresses, IT usage data, traffic data, information about education, income, and license plate.
Similar to personal data because its main purpose is to help identify an individual, but more dangerous if breached or exposed. Examples of sensitive personal data include religious beliefs, race, political opinions, sexual orientation, physical and mental health conditions, biometric data and genetic data.
Any data that is used to identify a human being by his/her unique characteristics. Fingerprints are one example of biometric data. The GDPR states that the processing of such data is prohibited unless the data subject (user/consumer) has provided consent or the processing is necessary for specific reasons such as protecting the vital interests of the individual.
Any data that refers to genetic characteristics of a data subject. This data is unique and individual. Protecting the genetic data is very important, as health insurance companies in possession of genetic data regarding the health of a subject may increase the cost of insurance based on this information.
Any data that can offer information about the physical and mental state of a data subject.
For example, medical records about a mental disorder such as depression are considered to be data concerning health.
An individual to whom the data refers. In simpler terms, it could be a user or a consumer.
For example, a student is a data subject, as the university possesses data about him/her which include name, address, nationality, date of birth, etc.
Furthermore, the processing of data may affect employees, managers, contractual partners, suppliers, etc.
All the operations that are performed on the personal data, such as collecting, recording, transferring or storing.
When users create new accounts or do online-shopping using their credit cards, the websites process their personal data.
The protection of personal data with the purpose of ensuring the confidentiality and integrity of the data by making it unreadable to those who do not have special access to it.
For example, encrypted data may seem like meaningless information unless you are using the correct key to decrypt it.
The entity who decides which data will be processed and by what means.
Examples of data controllers include individuals, legal persons, government departments or companies. The GDPR creates an obligation to provide information to the data subject regarding any personal data being processed and to allow access to the personal data.
The DC must also inform the data subject, as quickly as possible, of the purpose of the processing, the categories of personal data being processed, who the recipients of the personal data were, etc.
The entity responsible for the processing of personal data on behalf of the Data Controller.
Examples of Data Processor include IT service providers or market research companies.
Only the processors providing sufficient guarantees in regard to the GDPR will be chosen by the Data Controller.
The entity that receives the data processed by the DP.
These entities can be public (for example tax offices, governmental agencies, etc.) or private (for example departments handling their own employees – such as marketing, personnel or accounting – banks, telecommunications companies, etc.).
When a DC appoints a DP, they must create a legal act called a Data Processing Agreement (DPA) in order to determine in written form all the conditions of the processing, such as the subject matter of the processing, its duration, purpose, means used, etc.
The obligations and rights of the processor have to be clearly determined (for example the duty of confidentiality or the obligation to take all possible technical measures to avoid breaches).
Also referred to as ‘right to be forgotten’, it secures the individual’s right to have the DC erase without delay their personal data, inform other controllers that the individual has requested the erasure of data and cease further dissemination of the data.
For example, search engines are expected upon a request from the individual to delete the links to certain web pages that are linked to the individual’s name.
The right of the individual to have the DC restrict the processing of the data if it is inaccurate, unlawful or the controller doesn’t need the personal data for processing anymore.
If this right is used by the data subject, the DC has the obligation to inform further data controllers processing the data.
It enables the data subject to obtain any personal data from the controller in a format that is readable by another data controller.
This right may have a higher applicability in the banking industry if a data subject requests to see his/her transactions and to obtain them in a readable format.
Two or more data controllers decide together which data will be processed and by which means. The processing has to be carried out in a transparent manner, with regard to the rights of the data subject.
For example, a company which produces certain goods and its authorized dealer can decide to share the personal data of their customers.
An individual or a legal person who represents the controller in matters regarding the compliance with the GDPR.
All the processing activities regarding personal data of enterprises with more than 250 persons or with a risk to the rights and freedoms of the data subjects shall be recorded.
For example, if an organization is using either employee data or customer data, it has to record this and present it in a documented form called the records of processing activities.
If the data being processed poses a risk to the rights and freedoms of data subjects, the controller has the obligation to evaluate the risk before starting the processing. The Data Protection Officer may offer assistance in this matter.
If the result of the assessment shows a high risk, the process shall be reviewed every 6 months. For medium risk, the process will be reviewed every 9 months and for low every 12 months.
A public authority with whom the data controllers and processors are required to cooperate if necessary.
Each State of the EU will designate at least one independent supervisory authority.
In Germany, there are 15 supervisory authorities, responsible for the different regions of the country (for example the Bavarian Data Protection Authority – BayLDA, responsible for the state of Bavaria).
A body of the European Union established by the GDPR composed of the head of one supervisory authority from each State of the EU.
The main purpose of the Board is to ensure the application of the Regulation.
A security issue leading to unlawful access, use, dissemination etc. of personal data.
For example, 3 million encrypted customer credit card records have been stolen from Adobe in 2013 following a data breach.
The DC shall notify the supervisory authority within 72 hours of becoming aware of the breach and disclose the nature of the breach, the personal data affected, the likely consequences and the possible measures that can be taken to repair the damage created.
If the breach is considered to be a risk to the rights and freedoms of the individual, the data subject must be notified as well.
In order to avoid such problems, the controller is asked to analyze the risk of potential data breaches and to strengthen security where possible. The risk is evaluated on a scale from 1 (low risk) to 3 (high risk).
An individual whose main task is to monitor the compliance of an enterprise with the GDPR and to advise on data protection measures.
A DP Officer shall be designated if the organization is a public authority, carries large-scale monitoring of data subjects or processes data related to criminal convictions.
A process encouraged by the GDPR in which the data cannot be attributed to an individual and cannot help identify him/her without additional information. This method is designed to improve the security of the data and reduce the risk of breaches. The DCs are encouraged to use this process in order to meet the GDPR security requirements.
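As an added example (not part of the original glossary), the Python below shows one common way to implement the pseudonymisation just described: direct identifiers are replaced by a keyed hash, and the key together with the pseudonym-to-identity table is the "additional information" that must be stored separately. The records, the key and the field names are constructed for illustration.

```python
"""Pseudonymising a constructed customer dataset (added example).

Design assumptions (not prescribed by the GDPR text itself):
  * the direct identifiers are the `name` and `email` fields;
  * the pseudonym is HMAC-SHA256(key, normalised email);
  * the key and the re-identification table live in a separate store
    with tighter access rights than the working dataset.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Fields that directly identify a person; they must not stay in the working copy.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records: not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "plan": "basic", "country": "DE"},
    {"name": "Bob Example", "email": "Bob@Example.org", "plan": "pro", "country": "FR"},
    {"name": "Carol Example", "email": "carol@example.org", "plan": "basic", "country": "IT"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier.

    A plain unsalted hash could be reversed by hashing guessed e-mail
    addresses; the secret key prevents that, so the pseudonym can only be
    linked back to a person by someone who holds the key or the table."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split `records` into a working dataset and a re-identification table.

    The working dataset keeps only non-identifying attributes plus the
    pseudonym `pid`; the table maps pid -> the removed direct identifiers
    and is the separately stored "additional information"."""
    working: List[dict] = []
    table: Dict[str, dict] = {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        table[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        working.append({"pid": pid, **{k: v for k, v in rec.items()
                                       if k not in DIRECT_IDENTIFIERS}})
    return working, table


def contains_direct_identifiers(working: List[dict]) -> bool:
    """Sanity check before the working copy is shared: no identifier left behind."""
    return any(field in rec for rec in working for field in DIRECT_IDENTIFIERS)


def reidentify(pid: str, table: Dict[str, dict]) -> dict:
    """Controller-side lookup; only possible with the separately held table."""
    return table[pid]


def find_record_for_subject(email: str, key: bytes, working: List[dict]) -> Optional[dict]:
    """Answer an access request: recompute the pseudonym from the e-mail the
    subject gives and locate their record without touching the table."""
    pid = pseudonym(email, key)
    return next((rec for rec in working if rec["pid"] == pid), None)


def erase_subject(email: str, key: bytes, working: List[dict], table: Dict[str, dict]) -> int:
    """Honour an erasure request in both stores; returns the number of records removed."""
    pid = pseudonym(email, key)
    before = len(working)
    working[:] = [rec for rec in working if rec["pid"] != pid]
    table.pop(pid, None)
    return before - len(working)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-this-out-of-the-dataset"
    ds, lookup = pseudonymise(SAMPLE_RECORDS, demo_key)
    print("working dataset:", ds)
    print("access request for alice:", find_record_for_subject("ALICE@example.org", demo_key, ds))
    print("erased:", erase_subject("bob@example.org", demo_key, ds, lookup))
```

Note that the same records pseudonymised under a different key yield unrelated pseudonyms, so two datasets prepared for different purposes cannot be joined on `pid` without the keys.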
An exemption of a law or a rule.
In the context of the European Union Regulations, derogation can mean that a Member State may not implement a new law immediately.
The agreement given by an individual regarding the processing of personal data.
For example, when registering on a website or taking part in an online contest, you have to tick a box saying that you agree that the company may use and process the data you have provided.
A method that uses the personal data an individual has provided to predict his/her future behavior.
For example, social media websites use the data an individual has provided in order to offer him/her targeted advertising, based on likes, hobbies, viewed pages etc.
A system that is designed to organize the personal data and make it accessible using some specific criteria.
For example, choosing personal data of subjects in one geographical area or of a specific age.
Moving personal data from the 28 EU countries and the three EEA countries (Norway, Liechtenstein, and Iceland) to a third country. The GDPR allows this process only if the country in question complies with the conditions of the Regulation. The Commission evaluates the level of data protection in that specific country and approves or rejects the data transfer.
Until now the Commission has stated that the following countries provide sufficient data protection: Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
If the UK leaves the European Union and the EEA, it will become a third country.
European Economic Area, an area in which free movement of persons, services, goods and capital is allowed.
The EEA currently consists of the 28 EU states plus Norway, Liechtenstein and Iceland.
The set of internal rules used by multinational companies which regulate transfers of personal data within the group to companies that are outside the EEA and do not provide the required level of data protection.
The BCRs need to be approved by the EU and then provide a sufficient protection guarantee to allow these international transfers to take place.
For example, eBay has adopted a set of Binding Corporate Rules approved by the Luxembourg National Data Commission.
Punishments imposed for not complying with the GDPR. The fines for data breaches can be as high as €20 million or 4% of global gross revenue (whichever is higher).
As a result of these very high penalties, many companies which do not comply with the Regulation or are subject to data breaches may face insolvency.