The GDPR has applied since 25 May 2018. By now your company should already be fully compliant, or at least well on the way.
By compliant we mean: you have taken the steps needed for your users to control the personal data they share with you.
If you are still lost or don't really know what to do, we advise you to take action now in order to achieve compliance and avoid fines later. On our blog we cover the key aspects of GDPR and offer a solution that helps you comply with the law easily.
Don't know what GDPR is yet? Here we explain it.
Why should I comply with GDPR?
GDPR is here to stay and the supervisory authorities are showing no mercy: fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. You must comply or you will get a bad surprise some day.
Web users are also losing trust in companies. If your company is transparent about how it treats personal data, you are helping to restore that trust.
The easiest and cheapest way for your company to become GDPR compliant is to find a flexible and powerful platform you can implement.
One that lets you add all of your projects (website, app, platform), create strong and clear policies, and list every cookie and third-party script that collects data from your users.
You must also deal with the users you already have. Consent is only one of the lawful bases the GDPR offers, but if consent is what you rely on (as it usually is for marketing), it has to meet the GDPR standard: freely given, specific, informed and unambiguous, given by a clear affirmative action. Contacts whose old consent does not meet that standard cannot be used until they opt in again under your updated privacy terms.
Some companies must also appoint a DPO to oversee data protection; we cover that below.
What are the principles of GDPR?
If you collect personal data you need a reason to use and keep it. The main principles are:
- Collection limitation: there should be limits to the collection of personal data. Data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- Data quality: personal data must be relevant to the purposes for which it is used and, to the extent necessary for those purposes, accurate, complete and kept up to date.
- Purpose specification: the purposes of collection should be specified at the time of collection, and the data should not be used for any other purpose unless the data subject is notified of the change.
- Use limitation: personal data should not be used for purposes other than those specified, except with the consent of the data subject or by authority of law.
- Security safeguards: personal data must be protected by reasonable security safeguards against risks such as loss or unauthorised access, destruction, use, modification or disclosure.
- Openness: there must be a general policy of openness about developments, practices and policies with respect to personal data. Individuals should be able to find out easily what personal data is held about them, who is responsible for it and what it is used for.
- Individual participation: an individual has the right to know whether a controller holds data about them, to obtain that data in an intelligible form within a reasonable time, to be given reasons if access is refused and to challenge that refusal, and to challenge the accuracy of the data and have it erased or rectified if it is wrong.
- Accountability: data controllers are responsible for complying with the measures above.
What does a website GDPR form look like?
It should appear in the foreground of your website on the first visit and state in detail what data is going to be collected, which cookies you use, and which third parties also collect data, for example Google Analytics. Each non-essential category must be opt-in: no pre-ticked boxes, and no third-party tracking scripts loaded before the user has agreed. This gives the user real control over what the website collects about them.
All marketing emails sent to your customers must carry the same kind of GDPR notice, so users can easily opt in or opt out.
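The rule behind such a form is simple to state and easy to get wrong in code: strictly necessary cookies may always run, everything else waits for an explicit opt-in, and an opt-in stops counting once the policy it was given for changes or gets old. The following is an added example written for this page, not code from the original post or from any consent platform. The tag inventory, the hostnames, the policy version string and the 12-month re-consent period are all constructed assumptions for illustration.

```javascript
// Added example (not from the original post or any vendor platform).
// Models the consent logic behind a website GDPR/cookie form: nothing except
// strictly necessary cookies runs until the visitor has opted in, and an
// opt-in is only honoured while the policy it was given for is still current.
// Tag names, URLs and the 12-month validity period are illustrative assumptions.

const POLICY_VERSION = "2018-05-25";                   // bump whenever the privacy policy changes
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // assumed re-consent interval

// Constructed inventory of what the site sets or loads, and under which category.
const TAGS = [
  { id: "session-cookie",   category: "necessary", purpose: "keeps you logged in" },
  { id: "google-analytics", category: "analytics", purpose: "usage statistics",
    src: "https://www.googletagmanager.com/gtag/js" },
  { id: "ads-pixel",        category: "marketing", purpose: "ad attribution",
    src: "https://ads.example/pixel.js" },
];

const OPT_IN_CATEGORIES = ["analytics", "marketing"];

// Build the record the form saves. Only an explicit `true` counts as consent:
// missing keys, pre-ticked defaults or truthy strings are treated as "not given".
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const cat of OPT_IN_CATEGORIES) {
    granted[cat] = choices[cat] === true;
  }
  return { version: POLICY_VERSION, timestamp: now, granted };
}

// A stored record is valid only if it was given for the current policy, is
// well-formed and has not expired; otherwise the visitor must be asked again.
function isConsentValid(record, now = Date.now()) {
  if (!record || typeof record !== "object") return false;
  if (record.version !== POLICY_VERSION) return false;
  if (!record.granted || typeof record.granted !== "object") return false;
  if (typeof record.timestamp !== "number") return false;
  if (record.timestamp > now) return false;                      // clock skew / tampering
  if (now - record.timestamp > CONSENT_MAX_AGE_MS) return false; // expired
  return true;
}

// Decide which tags may load. Necessary tags always load; every other tag
// needs a valid record with an explicit opt-in for its category.
function allowedTags(record, now = Date.now(), tags = TAGS) {
  const valid = isConsentValid(record, now);
  return tags
    .filter(t => t.category === "necessary" || (valid && record.granted[t.category] === true))
    .map(t => t.id);
}

// Withdrawal must be as easy as giving consent: switch one category off,
// keep the rest, and re-stamp the record so the change is auditable.
function withdrawConsent(record, category, now = Date.now()) {
  if (!isConsentValid(record, now)) return record;
  return { ...record, timestamp: now, granted: { ...record.granted, [category]: false } };
}

// Human-readable lines the form can show so the visitor sees what they decide on,
// including which third-party host each tag talks to.
function describeTags(tags = TAGS) {
  return tags.map(t => {
    const host = t.src ? ", third party: " + new URL(t.src).hostname : "";
    return `${t.id} (${t.category}): ${t.purpose}${host}`;
  });
}

// Browser-only step: inject script tags for the allowed third parties and nothing
// else. Returns the ids it injected; returns [] outside a browser (no document).
function loadAllowedScripts(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return [];
  const ids = new Set(allowedTags(record));
  const loaded = [];
  for (const t of TAGS) {
    if (!t.src || !ids.has(t.id)) continue;
    const s = doc.createElement("script");
    s.src = t.src;
    s.async = true;
    doc.head.appendChild(s);
    loaded.push(t.id);
  }
  return loaded;
}
```

The important design choice is that `allowedTags` is the only path to `loadAllowedScripts`, so a stale or tampered consent record, a policy change, or a withdrawn category all fall through to "necessary only" instead of silently keeping the analytics script alive.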
What is a DPO?
DPO stands for Data Protection Officer: a role responsible for overseeing the organisation's data protection strategy and its implementation, and for ensuring compliance with the GDPR.
Do I need a DPO?
Probably not. Under the GDPR you only need a DPO (Data Protection Officer) if you are in one of these 3 scenarios:
- The processing is carried out by a public authority or body;
- The core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- The core activities of the controller or processor consist of processing on a large scale of special categories of data (such as health, biometric or political data) or data relating to criminal convictions and offences.
Note that some member states require a DPO in more cases under national law (Germany, for example, sets a headcount-based threshold), so check the rules where you operate.