Disclaimer: This article contains only some general information about GDPR. In order to make sure that your business is GDPR compliant, you should get professional assistance of a lawyer.
GDPR has been with us for almost a week now and it seems like we’re handling it somehow. In the previous post, we explained how to make sure that your application is GDPR compliant, and now we want to give you a set of must-haves that will help you check whether you’ve implemented the right procedures in your organization.
By now probably most of you know what changes GDPR brought us. The definition of personal data expanded, the way users give consent is different, the data users are required to provide must be actually necessary for the purpose of performing the activities stated in the contract (for more details on some of the most important changes, read our previous blog post: What is GDPR and how does it affect my business?). Now, taking all this knowledge in at once may be an arduous task, so we’ve got a basic checklist that will help you identify anything you may have overlooked, or just confirm that you’re all set.
So what exactly do you have to do to be certain your business really is GDPR compliant?
You need consent checkboxes by every form that’s used to collect users’ information. We’ve already covered the topic of checkboxes in our previous article: How to make sure that your app is GDPR compliant?
All of us already have a base of data of our current or former customers and all the people who want to stay in touch. According to GDPR, companies should now contact these people to inform them that their email addresses are in the database and they can change or erase their personal information at any time.
Initially, it was believed that GDPR requires us to inform the subject of the fact that we have their data and ask whether we can keep processing it. In the event of getting no response (meaning there’s no active consent), companies would have to delete all the personal information of these people from their databases. Now, however, we can observe that many companies do provide their network (clients, followers, etc.) with a message explaining how the new rules work and informing them that the user’s email is in the database, but in order to delete it, the user has either to reply to the said email, or to go to the privacy settings to change the chosen option or withdraw their consent.
5. Procedures inside your company
Remember that you’re responsible for keeping the data secure. To ensure security, you must take certain precautions to avoid the information being accessed by any unauthorized person. You need to make sure that documents containing personal data are stored in a safe place. How can you make sure that the place is safe? There are quite a few options:
- surveillance cameras,
- limited access to the room where data is processed or stored (locked doors, use of proximity cards),
- security alarms,
- secure lockers.
It’s important that your staff know how data is handled and that only authorized people have access to the information. They should be well aware of the fact that they’re responsible for keeping the keys safe, that passwords should be changed on a regular basis, and that computer screens should be locked when no one’s at the computer. What’s more, a company that stores and processes large amounts of data is required to appoint a Data Protection Officer. In such a company, the DPO is the person responsible for educating and training the staff, as well as conducting regular audits. A DPO also serves as a point of contact between the company and the GDPR Supervisory Authorities.
Apart from the means of physical security listed above, you must also take care of the logical security of the data stored online, so don’t forget about authorization, authentication, encryption, and passwords. A list of all the authorized staff members should be made and kept up to date. If any new person is given access to the data, they should be added to the list as well. You should also prepare a written data protection plan as an official document including all of the procedures that you have implemented, and sign it.
Every email sent from the sales or marketing department should begin with an inquiry whether you can share the offer or a presentation with the recipient. The same goes for getting in touch with someone whose business card you got at a conference or some other event: even if you’re just following up on some matter, you still need to pop the question first. This may seem a little unnatural, especially when it’s not the first time you’re contacting a given person, but again: active consent. GDPR is trying to minimize the number of spam emails and unwanted offers and presentations.
7. Contractor agreements
If you share any identifiable personal information with third parties, make sure you’ve got the contracts signed. You may be using the services of other companies, and those services may require the personal data of your clients or employees (e.g. accounting, marketing). In such a scenario, you really should have a binding agreement. Each company should do their best to ensure data security, but imagine that there’s a data breach at your subcontractor’s company. The contract will not take the liability off of you, but if things get nasty and you end up facing legal proceedings, having a contract is a must. Hopefully, this dark scenario will never happen to you, but you know what they say: better safe than sorry!
Being GDPR compliant is an ongoing process and there’s no definite checklist that will help you define whether you’ve done everything right. The most important part is that you actually pay utmost attention to data security within your organization. Creating new procedures, adapting to the new rules, and training your staff or coworkers is time-consuming and may be tedious, but once you’ve got these things settled, you have the knowledge necessary to deal with GDPR. If there’s still something worrying you when it comes to your application being GDPR compliant, don’t hesitate – drop us a line.