Disclaimer: This article contains only some general information about GDPR. In order to make sure that your business is GDPR compliant, you should get professional assistance of a lawyer. 

GDPR has been with us for almost a week now and it seems like we’re handling it somehow. In the previous post, we explained how to make sure that your application is GDPR compliant. Now we want to provide you with a set of must-haves that will help you check whether you’ve implemented the right procedures in your organization.

By now probably most of you know what changes GDPR brought us. The definition of personal data expanded, the way users give consent is different, the data users are required to provide must be actually necessary for the purpose of performing the activities stated in the contract (for more details on some of the most important changes, read our previous blog post: What is GDPR and how does it affect my business?). Now, taking all this knowledge in at once may be an arduous task, so we’ve got a basic checklist that will help you identify anything you may have overlooked, or just confirm that you’re all set.

So what exactly do you have to do to be certain your business really is GDPR compliant? 

1. Privacy Policy

A Privacy Policy is a single document describing all the ways a company gathers, uses, discloses, and manages personal information. Everything that happens to the data subject’s (e.g. client’s) personal information from the moment it is provided to you as a company should be there. If you don’t have a privacy policy of your own, it’s high time you developed one. Our suggestion: don’t take shortcuts by using policy generators. They are a useful tool, sure, but under the new GDPR provisions it’s crucial that you make everything clear and comprehensible to your clients. Create a list of all the key points you need to make users aware of (information you collect, cookie policy, the ways you use, share, and disclose information, the users’ rights, etc.). Explain the lawful basis for processing personal information. No legal jargon is needed, though you may want the help of a lawyer.

2. Terms of Use

Also known as Terms of Service or Terms and Conditions. Not all websites need these. Terms of Use constitute an agreement between the service provider and the user, where the user has to accept all the provisions in order to make full use of the product or service. This will be important for web applications – Terms of Use may need to be updated and, additionally, they should now be easily understandable to every user. This means that some of the dreadful gobbledygook has to go. Make sure that your ToU are written in plain language so that there’s no ambiguity.

3. Checkboxes

You need them by every form that’s used to collect users’ information. We’ve already covered the topic of checkboxes in our previous article: How to make sure that your app is GDPR compliant?

4. Database

All of us already have a database of our current or former customers and all the people who want to stay in touch. According to GDPR, companies should now contact these people to inform them that their email addresses are in the database and that they can change or erase their personal information at any time.

Initially, it was believed that GDPR requires us to inform the subject of the fact that we have their data and ask whether we can manage it. In the event of getting no response (meaning there’s no active consent), companies would have to delete all the personal information of these people from their databases. Now, however, we can observe that many companies do provide their network (clients, followers, etc.) with a message explaining how the new rules work and informing them that their email is in the database, but in order to delete it, the user has to either reply to the said email or go to the privacy settings to change the chosen option or withdraw their consent.

5. Procedures inside your company

Remember that you’re responsible for keeping the data secure. To ensure security, you must take certain precautions to avoid the information being accessed by any unauthorized person. You need to make sure that documents containing personal data are stored in a safe place. How can you make sure that the place is safe? There are quite a few options:

  • surveillance cameras,
  • limited access to the room where data is processed or stored (locked doors, use of prox cards),
  • security alarms,
  • secure lockers.

It’s important that your staff know how data is handled and that only authorized people have access to the information. They should be well aware that they’re responsible for keeping the keys safe, that passwords should be changed on a regular basis, and that computer screens should be locked when no one’s at the computer. What’s more, a company that stores and processes large amounts of data is required to appoint a Data Protection Officer. In such a company, the DPO is the person responsible for educating and training the staff, as well as conducting regular audits. A DPO also serves as a point of contact between the company and GDPR Supervisory Authorities.

Apart from the means of physical security listed above, you must also take care of the logical security of the data stored online, so don’t forget about authorization, authentication, encryption, and passwords. A list of all authorized staff members should be made and kept up to date: whenever a new person is given access to the data, they should be added to the list. You should also prepare a written data protection plan as an official document that includes all of the procedures you have implemented, and sign it.

6. Emailing

Every email sent from the sales or marketing department should begin with an inquiry as to whether you can share the offer or a presentation with the recipient. The same goes for getting in touch with someone whose business card you got at a conference or some other event: even if you’re just following up on some matter, you still need to pop the question first. This may seem a little unnatural, especially when it’s not the first time you’re contacting a given person, but again: active consent. GDPR is trying to minimize the number of spam emails and unwanted offers and presentations.


7. Contractor agreements

If you share any identifiable personal information with third parties, make sure you’ve got the contracts signed. You may be using the services of other companies, and those services may require the personal data of your clients or employees (e.g. accounting, marketing). In such a scenario, you really should have a binding agreement. Each company should do their best to ensure data security, but imagine that there’s a data breach at your subcontractor’s company. The contract will not take the liability off you, but if things get nasty and you’re facing legal proceedings, having a contract is a must. Hopefully, this dark scenario will never happen to you, but you know what they say: better safe than sorry!

When disclosing personal information of your clients to third-party service providers, you may also want to list them in your Privacy Policy. Remember that the users (data subjects) should be well-informed as to why their data is collected and how it is processed, so they should also be made aware of who’s going to have access to the information they provide.

Being GDPR compliant is an ongoing process and there’s no definite checklist that will help you define whether you’ve done everything right. The most important part is that you actually pay utmost attention to data security within your organization. Creating new procedures, adapting to the new rules, and training your staff or coworkers is time-consuming and may be tedious, but once you’ve got these things settled, you have the knowledge necessary to deal with GDPR. If there’s still something worrying you when it comes to your application being GDPR compliant, don’t hesitate – drop us a line.
