What in fact is GDPR?

General Data Protection Regulation is a legislation, which becomes effective on May 25, 2018. It is related to collecting storage and processing of personal information of your customers, suppliers or any other business partners.

What does it mean in practice?

It means that since May 25, 2018, you might need to implement some changes to the way your organization handles personal information. These include e.g. collected email addresses, names, addresses or telephone numbers.

Does it mean I will have to delete any personal information of the clients I already store? No, you will only have to take some extra measures to make it more transparent in how you store and use this data.

Does it mean I won’t be able to collect and store any personal information, anymore?

No, you will still be able to gather the data of your clients, you will only need to be more transparent in the way you store the data.

Should I be afraid of GDPR?

If you want to ignore it, you probably should. The fines could go up to as much as EUR 20m or 4% of global company’s revenues, depending which one is higher. If you don’t ignore it, you shouldn’t worry too much. Implementing it in a small/medium business is not so difficult.

How much time will it take me to implement GDPR?

It largely depends on the size and scale of your organization and the way you already handle the data. We will look into the specific steps below.

Does GDPR apply to data stored offline as well?

Yes, if you store your data offline (e.g. on paper cards), you will also need to take additional measures to make the way you process data secure.

Will I need to sign any paper agreements to fulfill GDPR standards?

Probably not, most of the agreements related to making sure you’re compliant can be signed online. We’re going to cover this in the section no. 5, about Data Processing Agreements.

What is a personal information according to GDPR?

The below checklist relates a lot to the term called “personal information”. But what does it really mean? For the GDPR standards, personal information is:

• name
• email address
• photo
• telephone
• bank account
• social media posts
• computer IP address
• +any other identifiable information which relates to a specific individual

So, e.g. if you have the list of names, email addresses, and any other data for each of your clients, it’s considered as personal information.

On the other hand, if you have the statistics of how many clients are located in a specific region, it is not considered as a personal information.

Are there any activities which have been common so far but will be forbidden since the implementation of GDPR?

Lawyer’s comment

“Yes, e.g. in the recruitment process. If you want to store candidate’s CV for more than one recruitment period, e.g. to reach out to them later, you need the candidate’s permission to store it for the specified duration. Otherwise, you’d need to delete CVs from your records.” Przemysław Rogiński, Rödl & Partner legal office

GDPR implementation checklist

Implementing GDPR in each company might be different. There might be more steps required to make sure your company complies with all the required standards. There are, however a few steps, which are quite obvious and necessary.

We’ve asked companies’ founders and representatives about the most difficult steps in implementing GDPR.

Based on over 30 answers, setting up the updated privacy policy has turned out to be the biggest issue in applying new standards. However, to know what needs to be changed in the privacy policy, you’d need to first assess a few things. These relate to the way you process the data within your company.

1. Determine if GDPR applies to your organization.

GDPR regulation applies to the following entities:

• An organization/entity operating in European Union
• An organization/entity operating outside European Union but collecting any data about European Union citizens

Your company might operate outside EU but gather data about customers from EU. Then, you should set up the person which will be responsible for answering in case of the contact from the EU officials.

E.g. Let’s assume your company is located in the US but has clients in European Union and stores their personal information. You should assign the person in your company responsible for processing the data of your European customers and contacting the EU officials in case of any issues.

2. Determine if you are a data controller or a data processor.

The GDPR regulation implements different requirements, depending on your type of entity. What does it mean? It means that your organization can be either a so-called “data controller” or a “data processor”.

Who is a data controller?

Most likely it’s your company. A data controller is a person or a company which collects and manages/stores the personal data of any other entities. Probably, there aren’t many companies which don’t gather or collect any personal information. Your company is most probably a data controller.

E.g. A data controller is an e-commerce store, which collects the email addresses of its clients, their names, and addresses.

Who is a data processor?

There are also companies and entities which are not controlling the personal information themselves (have not obtained it directly from the specific person). They use data from other companies in their business activity or provide services that let other companies process the data of their customers.

E.g. A data processor is Google. It provides services like Google Spreadsheets, Google Docs or Google Analytics to process the data of your customers/clients.

3. Create the list of data you collect from your customers/users/visitors.

You can simply set up the spreadsheet, where you should list the types of data you collect in your business, including:

• the source of the data
• who you share the data with
• purpose
• duration

4. Create a Google Spreadsheet list of your databases, including the information how this data flow between them.

Similarly to the previous point, you can set up a Google Spreadsheet, where you’ll list all the places where you store the customers’ data.

5. Create a list of any data processors you use (software) and sign a Data Processing Agreement with them.

You should write down a list of software products you use. Think which ones of them store any of your or your clients’ personal information (in other words, which ones of them are data processors — see point no. 2).

What is a DPA (Data Processing Agreement)?
DPA is a document which settles the terms of processing the data by the data processor.

You have the list of your applications, software, and apps ready. Now you would need to ask yourself which of the above processes any data you control.

What does it mean in practice? It means that e.g. if we use Salesflare to store personal information (see “What is personal information according to GDPR”) about our clients, Salesflare is our data processor (it processes the data of our clients and leads and shows it to us in a nice, manageable form). As a result, we needed to reach out to Salesflare to sign the DPA with them. Similarly, we’ve done it with all the other applications we use like Pipedrive, Hotjar or MailChimp.

How to sign DPA agreements?
DPA agreements can be signed electronically, using the legally accepted signature system. Most SaaS providers support this option, so there is no need to send paper documents back and forth. However, as for the date of this article, some of them offer only the .pdf file available to be downloaded, with the printed signature. This means that it might require downloading the DPA and keeping the signed paper copy somewhere in your storage. The approach to signing a DPA depends on the company. Sometimes, SaaS companies “embed” the DPA in their privacy policy, so signing a privacy policy is equal to signing a DPA agreement.

E.g. this is the email we received from Pipedrive:

“According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article). This is where our Terms of Service and Privacy Policy come in. These two documents also serve as your data processing contract, setting out the instructions that you are giving to Pipedrive with regard to processing the personal data you control and establishing the rights and responsibilities of both parties.”

which indicates that their data processing agreement has been included in their Privacy Policy.

Lawyer’s comment

“Even if our business partner has only a temporary access to the personal information, you should still sign a DPA agreement. Assure that the processing party takes appropriate steps to make the data secure.” Przemysław Rogiński, Rödl & Partner legal office

So, legally, you should have a DPA signed probably with any SaaS you use. In practice, however, it’s likely that not all SaaS companies will have the DPA ready in place until 25th May. This will probably be solved gradually, with more and more companies realizing the importance of the GDPR regulation.

If you’re a data processor, you also need to make sure, you have appropriate DPA agreement with all the sub-processors you work with.

Can I use the service of SaaS providers, having their physical servers located outside EU?
Actually, you should not use the service providers, who store the data on the physical servers located outside EU, unless specific conditions are met (adequacy, authorized contractual relationship, etc.).

What does it mean in practice? SaaS service providers use cloud services of additional data processors (sub-processors). They should likely give you the option to choose between the location where your data is stored. The best legally secure option would be to contact each of your service providers to make sure your data is stored in the location within European Union.

6. Update your privacy policy

Most likely, you already have a privacy policy put in place, so what you’ll need to do is to add specific points related to GDPR. You should add the following elements to your privacy policy:

• How you collect personal data
• How do you use collected data
• List any parties you share the data with
• An email address users can contact in case they want to access or delete their personal information
• Email address of your Data Protection Officer (see point 8)

In your new privacy policy, you need to be as transparent about the way you process the data, as possible. List all the places you store your users’ data. Let your visitors know how they can contact your company to delete or change their information. This will make sure, your users can execute all their rights related to GDPR.

Lawyer’s comment

‍“GDPR does not specify particular elements which require an update in a documentation/privacy policy. What needs to be changed varies case-by-case, so the key issue is being as transparent in the way you handle data, as possible.” Przemysław Rogiński, Rödl & Partner legal office

7. Update your cookie policy

Apart from the information about the type of cookies you use, you need to include the information about the reason for using cookies on your website.

E.g. you can add the below line to your cookie policy, like in Woodpecker’s cookie policy:

“We use cookies for your best browsing experience, site traffic analysis, and targeted advertisement management.”

8. Employ/assign Data Protection Officer

You should assign the person responsible within your company for maintaining any GDPR standards. This person should:

• have knowledge about GDPR standards and data processes within the company
• be the person responsible for contact with authorities in case of any request or data breach

This person does not necessarily have to be a lawyer. It should be somebody, who is aware of processes within the company related to the flow of data. He/she should be the ultimate point of contact for authorities or users reporting issues about their personal information. The best option would be to assign the person who already has a vast knowledge of the company’s operations, e.g. a Chief Operations Officer (COO).

9. Send an email to your employees and decision makers about the way you address GDPR

One of the elements of complying with the GDPR is making sure your team is aware of the way you process personal information.

If you’re a small company, it might be smart to organize a small gathering. Let your appointed Data Protection Officer explain how the data flow within your company. If you’re a data processor, it is highly recommended to organize the training session for your employees. Address any issues related to the processing of personal information.

E.g. Let’s say you have a support and sales team co-operating with each other. Usually, they will be using some tool to communicate with each other, like Slack. But your team might write down the email addresses manually somewhere in their own notes. You’d need to make sure that this data is not stored somewhere for a longer time and show your employees which tools to use to keep all the personal information.

Still, the best way to protect yourself in case of any control would be to send an email to all employees. Tell them who is the Data Protection Officer and attaching any information you’d like to add.‍

Lawyer’s comment

‍“The most important element in implementing any processes within the company is to assure the execution of legal rights of people whose data is processed. These are access to data and the right to modify or delete it from any records.” Przemysław Rogiński, Rödl & Partner legal office

10. Make sure the technical security is up to date

If you’re a technological company (e.g. a SaaS), you should better make sure that your product is technically secured, as any data leakage might result in huge fines, in case you haven’t applied appropriate GDPR compliance standards. The steps you need to take depend significantly on each company but the most important thing is to make sure there aren’t any significant loopholes in your software which would make your data prone to leakage. You can always use this list as a reference.

“Getting compliant with GDPR will be not only an obligation. It is also a great opportunity to dust off the documentation and catch up with modern trends.” Justyna, LiveChat Inc.

If you’re a technological company, you’d also need to analyze specific technological aspects of your business. The product might need to be modified to assure compliance. E.g. Hotjar had to make numerous changes in the product’s features to make sure its analytical tool features are in line with the new standards.

11. Create a response scheme for users who request access to their data

Under the new GDPR standards, your users, clients, and partners can always:

• ask for the information about their data stored to be delivered to them or any 3rd party
• update their personal data in your database
• delete their personal data from your database
• want you to stop processing the data

There are probably many requests you could receive from the people who don’t want the information to be stored in your company (especially in the early days of GDPR in place). It would be smart to set up a communication flow related to these changes.

E.g. you can set up a Typeform, where users will be able to submit any requests for deleting this data in your database. You could then send this data automatically to Monday project management app, and your Data Protection Officer could then easily the handle. Or, you could use a GDPR Form solution.

12. Add “accept” formula below any data collection forms

You need to make sure that the visitors accept your updated privacy policy. This should happen as soon as he/she subscribes to your mailing list or leaves any personal information on your website.

E.g. add the following formula below the email subscribe form on your website: “By subscribing, you agree to join our mailing list and to our privacy policy”.

Also, under GDPR, it is no longer possible to set any checkboxes as “ticked” by default. Make sure, you don’t use this “growth hack”, anymore.

Additionally, if you’re doing any email marketing campaigns, you should make sure your users can easily unsubscribe from your mailings. This, however, is probably something you already have set up in your email software.

13. Set processes within the company which will make sure you can execute your users’ rights

What does it mean in practice? You can ask yourself the following questions:

• What happens when somebody requests access to his/her information?
• What happens when somebody requests the deletion of his/her data?
• What happens if in my company, there will be a data leak and somebody gets access to my customers’ personal information?

You should list the events which are going to happen in all the above cases in one accessible document. E.g. a request for deleting the data -> email forwarded to data protection officer-> data protection officer makes sure the data is deleted from all the databases like Salesflare, Monday, MailChimp, etc.

Also, in case of any data breach, under the new rule, you have 24 hours to report it to the European officials, so it’s really important to make sure the above processes are quick and efficient.

14. If you don’t need to store the personal data, then just erase it

According to GDPR, you should not store any personal information if there is no specific reason for doing so. So, e.g. if you have some old emailing list hidden somewhere in your documents, just erase it. After all, if you haven’t been using it for years, why would you use it now?

Also, you can make sure that your customers’ data is deleted regularly from any data processors’ databases. e.g., you can ask your live chat provider to delete all your chat data once per month.

Late with implementing GPDR?

There is a lot of noise and panic about GDPR. It’s fully justified and you should probably do everything you can to become compliant as soon as possible. GDPR, however, is mostly about being transparent, fair and serious towards your customers and business partners.

Keep your data secure and make sure you treat any customer’s requests seriously. Also, implement some necessary documentation changes on your website. Then, GDPR will likely not hurt your business.

Lawyer’s comment on the released “GDPR support apps” like GDPR Tracker or Ecomply.io

“The most important thing in GDPR is assuring the execution of proper data processing rights to users. Any tools might be quite helpful in this process, but they cannot fully substitute the involvement of legal office.” Przemysław Rogiński, Rödl & Partner legal office