Compliance with the GDPR, how and why ?
The GDPR came into force on 25th May 2018. By now, your company should be fully GDPR compliant. Or, at least, doing its best to be. For that, you should provide users the necessary guidelines to let them control the information they share.
If you are still a bit lost, we advise you to take action to achieve compliance and avoid fines. On our blog, we cover key aspects of the GDPR and offer a solution to help you comply with the law, easily.
In this article we are teaching you all about why it’s important for your company to GetComplied and how it works.
No worries, it’s easy!
Don’t know what GDPR is yet? Find out here
Why should I comply with the GDPR?
The GDPR is here to stay and the regulatory authorities are showing no mercy. So, you must comply or else you’ll have a bad surprise someday.
It’s a fact, companies are losing web users’ trust nowadays. If your company shows transparency in how data is treated, you’re contributing to restoring their trust.
The easiest and cheapest way for your company to become GDPR compliant is to find a flexible and powerful platform to implement. One that lets you add all of your projects (website, app, platform), and then create strong and clear policies and show all the cookies that collect data from your users.
According to the GDPR, it’s only legal to use contacts who have given consent to use their data. All users from the past, who have not updated their consent, are unusable for now.
Some companies will require a DPO to check compliance with the EU data protection law. However, we will speak of that later on.
What are the principles of the GDPR?
If you are collecting data, you need to have a purpose to use and save that data. We’ll list below some of the principles:
- Purpose Limitation
Organizations should only collect personal data for a specific purpose. In other words, they must state plainly what that purpose is, and only collect and store data while completing that purpose. Companies should obtain data by legal and fair means. Also, users need to give their consent! So, there should be limits to the collection of personal data.
- Data accuracy
Companies must take every reasonable step to rectify or remove data that is inaccurate or incomplete. Individuals can request inaccurate data to be erased or updated within a month.
- Purpose transparency
The purpose of data collection should be specified at the time of collection.Therefore, Companies should keep the promise they give users in the notice before collecting their data.
- Limitation of use
Data should not be used for any purpose other than the original one, except if the data subject or legal authority gives consent. Data subjects should be notified if there is any change.
- Safeguarding Security
Personal data must be protected by reasonable security safeguards against risks such as accidental loss, unauthorized access, destruction, misuse, modification or disclosure of data.
Companies should be open about how they handle confidential and personal data. There must be a general policy of openness about developments, practices, and policies concerning personal data.
- Individual Participation
Individuals should have the right to know whether a company has data about him/her and have access to that data. Consequently, data subjects should have the right to challenge a company by refusing to grant access to their data, in addition to challenging the accuracy of the data.
Data controllers have the responsibility to comply with the measures listed above.
How does a website GDPR form look like?
It should look like this. The form appears instantly when a new user enters your website and it shows, in detail, what data is going to be collected, the cookies you use and the third parties that also collect data (e.g. google analytics). This gives users the freedom to control what data the website collects about him/her.
Also, all marketing inputs sent to your customers must also have a GDPR form like this one, so users can easily opt-in or opt-out.
What is a DPO?
DPO stands for Data Protection Officer. It’s an enterprise security role that is responsible for overseeing data protection strategy and implementation, to ensure compliance with the GDPR.
Do I need a DPO?
Probably not. Your company will only need a DPO (Data Protection Officer) in one of these 3 scenarios:
- The data processing is carried by a public authority;
- The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale;
- The core activities of the controller or processor consist of processing sensitive data on a large scale or data relating to criminal convictions/ offenses.