The General Data Protection Regulation (GDPR) is legislation that becomes effective on May 25, 2018. It concerns the collection, storage and processing of personal information about your customers, suppliers or any other business partners.
This means that from May 25, 2018, you might need to change the way your organization handles personal information, such as collected email addresses, names, postal addresses or telephone numbers.
Does it mean I will have to delete the personal information of clients that I already store? No, you will only have to take some extra measures to make it more transparent how you store and use this data.
No, you will still be able to gather your clients’ data; you will only need to be more transparent about the way you store it.
If you want to ignore it, you probably shouldn’t. The fines could go up to as much as EUR 20m or 4% of the company’s global revenues, whichever is higher. If you don’t ignore it, you shouldn’t worry too much: implementing it in a small or medium business is not so difficult.
It largely depends on the size and scale of your organization and on the way you already handle data. We will look into the specific steps below.
Yes, if you store your data offline (e.g. on paper cards), you will also need to take additional measures to make the way you process data secure.
Probably not: most of the agreements needed to make sure you’re compliant can be signed online. We cover this in section no. 5, about Data Processing Agreements.
The checklist below refers a lot to the term “personal information”. But what does it really mean? Under the GDPR, personal information is:
So, for example, if you have a list of names, email addresses and any other data for each of your clients, that is considered personal information.
On the other hand, statistics such as how many clients are located in a specific region are not considered personal information.
“Yes, e.g. in the recruitment process. If you want to store a candidate’s CV for more than one recruitment period, e.g. to reach out to them later, you need the candidate’s permission to store it for the specified duration. Otherwise, you’d need to delete CVs from your records.” Przemysław Rogiński, Rödl & Partner legal office
Implementing the GDPR may look different in each company, and more steps might be required to make sure your company complies with all the required standards. There are, however, a few steps which are quite obvious and necessary.
We’ve asked company founders and representatives about the most difficult steps in implementing the GDPR.
The GDPR applies to the following entities:
Your company might operate outside the EU but gather data about customers from the EU. In that case, you should appoint a person who will be responsible for responding if EU officials get in touch.
E.g. Let’s assume your company is located in the US but has clients in the European Union and stores their personal information. You should assign a person in your company who is responsible for processing the data of your European customers and for contacting the EU officials in case of any issues.
The GDPR imposes different requirements depending on the type of entity you are. What does this mean? Your organization can be either a so-called “data controller” or a “data processor”.
Who is a data controller?
Most likely it’s your company. A data controller is a person or a company which collects and manages/stores the personal data of other entities. There probably aren’t many companies which don’t gather or collect any personal information, so your company is most probably a data controller.
E.g. A data controller is an e-commerce store which collects its clients’ email addresses, names and addresses.
Who is a data processor?
There are also companies and entities which do not control the personal information themselves (they have not obtained it directly from the specific person). They use data from other companies in their business activity, or provide services that let other companies process the data of their customers.
E.g. Google is a data processor: it provides services like Google Spreadsheets, Google Docs or Google Analytics that process the data of your customers/clients.
You can simply set up a spreadsheet in which you list the types of data you collect in your business, including:
Similarly to the previous point, you can set up a Google Spreadsheet in which you list all the places where you store customers’ data.
You should write down a list of the software products you use. Think about which of them store any of your or your clients’ personal information (in other words, which of them are data processors; see point no. 2).
What is a DPA (Data Processing Agreement)?
A DPA is a document which settles the terms under which the data processor processes the data.
You have the list of your applications, software and apps ready. Now you need to ask yourself which of them process any data you control.
What does this mean in practice? It means that, e.g., if we use Salesflare to store personal information (see “What is personal information according to GDPR”) about our clients, Salesflare is our data processor (it processes the data of our clients and leads and shows it to us in a nice, manageable form). As a result, we needed to reach out to Salesflare to sign a DPA with them. We did the same with all the other applications we use, like Pipedrive, Hotjar or MailChimp.
How to sign DPA agreements?
E.g. this is the email we received from Pipedrive:
“Even if our business partner has only temporary access to the personal information, you should still sign a DPA agreement. Assure that the processing party takes appropriate steps to make the data secure.” Przemysław Rogiński, Rödl & Partner legal office
So, legally, you should probably have a DPA signed with every SaaS you use. In practice, however, it’s likely that not all SaaS companies will have a DPA in place by 25th May. This will probably be solved gradually, as more and more companies realize the importance of the GDPR.
If you’re a data processor, you also need to make sure you have an appropriate DPA with all the sub-processors you work with.
Can I use the services of SaaS providers whose physical servers are located outside the EU?
Actually, you should not use service providers who store data on physical servers located outside the EU, unless specific conditions are met (adequacy, an authorized contractual relationship, etc.).
What does this mean in practice? SaaS providers use the cloud services of additional data processors (sub-processors). They should be able to give you the option to choose the location where your data is stored. The legally safest option would be to contact each of your service providers to make sure your data is stored in a location within the European Union.
Apart from information about the types of cookies you use, you need to include information about the reason for using cookies on your website.
You should assign a person within your company who is responsible for maintaining GDPR standards. This person should:
This person does not necessarily have to be a lawyer. It should be somebody who is aware of the processes within the company related to the flow of data. He or she should be the ultimate point of contact for authorities or for users reporting issues about their personal information. The best option would be to assign a person who already has vast knowledge of the company’s operations, e.g. a Chief Operations Officer (COO).
One element of complying with the GDPR is making sure your team is aware of the way you process personal information.
If you’re a small company, it might be smart to organize a small gathering and let your appointed Data Protection Officer explain how data flows within your company. If you’re a data processor, it is highly recommended to organize a training session for your employees and address any issues related to the processing of personal information.
E.g. Let’s say you have a support team and a sales team co-operating with each other. Usually, they will be using some tool to communicate, like Slack. But your team members might write down email addresses manually somewhere in their own notes. You need to make sure that this data is not stored anywhere for longer than needed, and show your employees which tools to use to keep all personal information.
Still, the best way to protect yourself in case of any inspection would be to send an email to all employees telling them who the Data Protection Officer is and attaching any information you’d like to add.
“The most important element in implementing any processes within the company is to assure the execution of legal rights of people whose data is processed. These are access to data and the right to modify or delete it from any records.” Przemysław Rogiński, Rödl & Partner legal office
If you’re a technology company (e.g. a SaaS), you had better make sure that your product is technically secure, as any data leakage might result in huge fines if you haven’t applied appropriate GDPR compliance standards. The steps you need to take depend significantly on the company, but the most important thing is to make sure there aren’t any significant loopholes in your software which would make your data prone to leakage. You can always use this list as a reference.
“Getting compliant with GDPR will not only be an obligation. It is also a great opportunity to dust off the documentation and catch up with modern trends.” Justyna, LiveChat Inc.
If you’re a technology company, you’d also need to analyze specific technological aspects of your business. The product might need to be modified to assure compliance. E.g. Hotjar had to make numerous changes to the product’s features to make sure its analytics tool is in line with the new standards.
Under the new GDPR standards, your users, clients and partners can always:
You could probably receive many requests from people who don’t want their information to be stored by your company (especially in the early days of the GDPR). It would be smart to set up a communication flow for handling these requests.
E.g. you can set up a Typeform where users can submit requests to delete their data from your database. You could then send this data automatically to the Monday project management app, and your Data Protection Officer could then easily handle it. Or, you could use a GDPR Form solution.
Also, under the GDPR, it is no longer possible to set any checkboxes as “ticked” by default. Make sure you don’t use this “growth hack” anymore.
Additionally, if you’re running any email marketing campaigns, you should make sure your users can easily unsubscribe from your mailings. This, however, is probably something you already have set up in your email software.
What does this mean in practice? You can ask yourself the following questions:
You should list the events which will happen in each of the above cases in one accessible document. E.g. a request to delete data -> email forwarded to the data protection officer -> the data protection officer makes sure the data is deleted from all databases, like Salesflare, Monday, MailChimp, etc.
Also, in case of any data breach, under the new rules you have 24 hours to report it to the European officials, so it’s really important to make sure the above processes are quick and efficient.
According to the GDPR, you should not store any personal information if there is no specific reason for doing so. So, e.g. if you have an old mailing list hidden somewhere in your documents, just erase it. After all, if you haven’t used it for years, why would you use it now?
Also, you can make sure that your customers’ data is deleted regularly from your data processors’ databases. E.g. you can ask your live chat provider to delete all your chat data once per month.
There is a lot of noise and panic about the GDPR. It’s fully justified, and you should probably do everything you can to become compliant as soon as possible. The GDPR, however, is mostly about being transparent, fair and serious towards your customers and business partners.
Keep your data secure and make sure you treat customers’ requests seriously. Also, implement the necessary documentation changes on your website. Then the GDPR will likely not hurt your business.
“The most important thing in GDPR is assuring the execution of proper data processing rights to users. Any tools might be quite helpful in this process, but they cannot fully substitute the involvement of legal office.” Przemysław Rogiński, Rödl & Partner legal office