If you are looking for the information to prepare your company for GDPR compliance, we are right here to provide you with an example. As we are working with clients around the globe, some of them are from European Union countries. That is why we want to share general information about the law, its statements, principles, etc.

GDPR compliance means that you understand the law principles and prepare all documentation basis which complies with all GDPR statements. You should make your EU customers aware of how you collect and process their data.

What Is GDPR?

GDPR is a regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. It stands for the protection of people’s personal data within European Union. According to this regulation, the data processing is carried out by a controller (company) or processor (company’s workers or representatives) not established in the Union and processing EU residents personal data. They do so if they offer goods or services to their EU clients even if the company located outside the European Union. The law extends the scope to all foreign companies processing data of EU citizens and residents.

Before it was a Data Protection Directive (95/46/EC) of 1995, and now this is a regulation that means it will be spread out to all EUMS, when it will come into force on May 25th, 2018. The regulation doesn’t need the implementation of the national law of the EU Member States.

The law consists of enacting clause with 173 points and 99 Articles. It is based on three main ideas: personal data protection, protection of rights and freedom of people in their data protection, and restriction for the displacement of personal data within EU.

GDPR Overview

It is important to define how your company should act under the GDPR law, and what should be taken into account to become GDPR compliant. The regulation is applied not only to the EU residents but for non-EU residents, who are processing personal data of natural persons due to selling and offering goods or services and monitoring of actions/ behavior of the data subjects in European Union.

From other the main factors related to websites and other sources that are published online, we can take into account the following:

  • one of the languages from the EU is used at the website;
  • the site accept payments in euro;
  • clients from EU are mentioned on the website.

If your company deal with one or more points that are described above, then you should follow the new law and protect your customer’s data according to it.

To complete the preparation of your GDPR compliance you need to define or assign the roles from Article 5. GDPR includes two key definitions of controller and processor.

A controller means that an individual (natural or legal person), agency, public authority or other body defines the goal and purpose of personal data processing.

A processor is also an individual (natural or legal person), agency, public authority or another body that works strictly with a controller’s request, maintaining records of personal data and processing activities.

If you process a significant amount of data, your company has more than 250 employees, and you are processing the data of more than 5000 data subjects, GDPR obliges you to assign Data Protection Officer who will be responsible for GDPR compliance.

From your company side, you should understand which roles you take in means of data processing

H&M Privacy NoticeAs an example, we suggest you check H&M Privacy notice as they described in details who take the roles of controller and processor, mentioning DPO for their company. If you have such a company, you can pay attention to the description of all fields where a company operates and how it interacts with customers and process their information.

GDPR Personal Data Definition

One more important note is about personal data categories. There are personal data and sensitive personal data that could be processed.

Personal data is any information about a person that will identify him directly or indirectly or by reference to an identifier. It could be a name, an identification number, location data and other factors that will identify the person.

Sensitive personal data is a special category of personal data that is described in Article 9. It includes biometric, generic data, political or religious views, and philosophical beliefs, or other specific information to identify individual uniquely. Some additional information about personal data you can check in Article 10.

One more important thing about sensitive personal data is that even if an individual permits you to process such kind of information, but the country’s law doesn’t allow you to do it, you can’t perform data processing. If you deal with such type of sensitive data, please review the international law of countries that don’t allow to process such kind of information. You should also this information to your Privacy Policy.

As well as to assign the roles and define types of data to control its collection and processing according to new rules, you should follow the principles to do it.

Principles of Data Storage and Processing

Personal data should be processed according to the following principles:

  • Processing. It should be carried out lawfully, fairly and transparently relating to the person.
  • Limitation. Data should be collected for specific, precise, and legitimate purposes and not be processed incompatibly with goals above.
  • Minimization. You should have explicit purposes for processing personal data.
  • Accuracy. Data should be processed where needed, and it should be clear that all incorrect data must be removed or changed without delay.
  • Storage limitation. Data should be kept in a way that is required to identify a data subjects for no longer than it is necessary to collect those data.
  • Integrity and Confidentiality. Data processing should ensure the proper defense of the personal data against unauthorized or unlawful processing and accidental loss, destruction or damage using technical and organizational measures.

Those principles are described in details in Chapter 2 (Articles 5-11). Also, you should pay your attention to entities who are involved in processing, carrying and usage of the personal data.

GDPR Requirements

GDPR stands for regulation of natural person’s data protection to simplify understanding and management of that information for people to control how companies use their details.

The Lawful Base for Data Processing

Firstly, you must act on a lawful basis for data processing, and you should define yours one from six existed. Each of them is equal to each other, and most of them require to substantiate the necessity of information processing. By having the lawful basis, you correspond to the first principle of transparency, lawfulness, and appropriate data processing.

To identify your lawful basis for processing the data check the Article 6. There are six GDPR Lawfuls Bases available. You should choose your one by defining the purposes for the data processing.

Consent means that an individual gives their permission (consent) for you to process their data for a specific goal.

Contract means that agreement is necessary because you’ve been asked to take specific steps before signing the contract.

Legal Obligation means that the processing is needed for you to comply with the law.

Vital Interests mean that by processing the data, you will protect someone’s life.

Public Task means that you need to perform a task for your official functions in the public interest and this task has a clear basis in law.

Legitimate Interests means that data processing is needed for your or third-party legitimate interests to protect the individual’s data which could override those legitimate interests. (but please take into account that this couldn’t be applied if you are a public authority processing data to perform your official duties and tasks).

However, if your goals change, you may go on and process the information under your previously chosen lawful basis if your new purpose is compatible with the initial one.

You can use a helpful ICO Lawful basis interactive guidance tool to come up with the lawful basis for your company. If you are processing special category of data (sensitive personal data, criminal conviction data), you need to identify lawful basis and additional condition of handling the specific type of data.

After you define a lawful basis that is suitable for your company and purposes of processing, you need to write or revise a Privacy policy and Cookie policy to confirm that your company is ready to act according to the lawful base, type of your company, and the way you collect all the information from individuals.

GDPR Key Points

As we mentioned before it is important to understand which information is protected by the law. Let’s look at GDPR key points that will help you to prepare your official documents, website, and the channels of communication with customers.

Individual Rights

Before you describe to your customers how you collect their information and document all the actions that you take with the information processing, you should understand the natural persons’ rights according to the law.

These are eight rights that individuals have:

  • the right to be informed,
  • the right of access,
  • the right to rectification,
  • the right to erasure,
  • the right to restrict processing,
  • the right to data portability,
  • the right to object,
  • rights about automated decision making and profiling.

You can familiarize yourself with all these rights in detail by reading the Chapter 3 (Articles 12-23) of GDPR law.

Right to Be Informed

Let’s start with the first statement. The right to be informed means that person has a right to have the information about the collection and use of their personal data (Articles 13 and 14, GDPR). This could be achieved through explanation it to users in your Privacy Policy and Cookie Policy.

Right of Access

The second right is right for individuals to access the information you have about them. That means that a person could ask you to provide the information, i.e., to make a subject access request. In the law, there is no strict rule about how a person is supposed to ask the information. Therefore, your employees or representatives that deal with the information gathering and processing should define when the request of information happens and provide a person with the data.

You can collect information electronically, and you should provide information in standard electronic format. The information you will send as a response to the request when you deal with an individual about the personal data should be understandable and accessible, using clear and plain language.

Right to Rectification

Article 16 describes the right to rectification. In this case, if you receive the request that you have incomplete data, you should be able to complete it and solve the argument provided by the data subject.

Right to Erasure

The next one is the right to get the personal information deleted from the database (right to erasure individual personal data). You can solve the request no later than one month, and it will apply only in certain circumstances.

The information should be erased if it is no longer necessary for the purposes you’ve collected it or if you are relying on consent as your lawful basis to hold the data, but user withdraws their consent. Also, you need to erase data if it is not processed lawfully, and if you want to use data for some purposes, but it is not compliant with a legal obligation, or you have processed the personal data to offer some information society services to a child.

Right to Restrict Processing

Individuals have the right to restrict processing of their data. It has close links to the right to rectification (Article 16) and the right to object (Article 21). You have to solve the request in one calendar month. People control the accuracy of their personal data and if the data has been unlawfully processed or you no longer need it than you might be dealing with a request to restrict processing it.

Right to Data Portability

The next right is data portability, and it allows individuals to obtain and reuse their personal data for their own purposes. Usually, it happens across different services. It will enable them to copy, transfer or move their personal data in a secure way. It helps to interact with applications and services that can use this data to understand user habits.

The right only applies to information provided by an individual to a controller. However, not just personal, but pseudonymous data can be linked back to an individual within the scope of the right. The data should be structured, commonly used, and machine-readable.

The Right to Object

Article 21 gives individuals the right to object to the processing of their data. This allows individuals to ask you to stop processing their personal data. The request should be solved within one calendar month.

It is about the direct marketing, specific public task, why you process the information and legitimate interests. If you use personal information for the research, you also can notify individuals of this action. It is about the direct marketing, specific public task, why you process the information and legitimate interests. If you use personal information for the research, you also can notify individuals of this action.

Rights in Relation to Automated Decision Making and Profiling

Article 22 has additional rights to protect individuals if you are carrying out automated decision-making including profiling that has legal or similarly significant effects on them.

For something that is solely automated there must be no human involvement in the decision-making process, and you can use the information if you have the individual’s explicit consent or it is necessary for reasons of substantial public interest.

It is important to read and understand all the individual’s rights to write your Privacy and Cookie Policy according to statements above. Afterall, a user could read policies, and it could be a proof that their personal data is safe and you are acting under the new GDPR law.

Privacy Policy

Privacy Policy is a document (and a section on your website) which describes how you collect, process, and protect the Personal Data and for what purposes.

For example, Google collects lots of information from its users that is why there is a full guide describes all types of data it receives, why they do it and privacy controls along with user’s rights to give and restrict the amount of information and the kind of info that they provide. You can check the Google’s Privacy Policy for the details. You can make a video description along with a text. Let’s take a look at the awesome video on Google’s Youtube channel:

If you receive the information from other sources, you must provide your users with privacy information within an appropriate period of obtaining the data and no later than one month. You don’t need to give the data when the individual already has it, or it would be disproportionate forces to give it to them.

As well as the example above, there are several types of presenting the privacy policy to people.

It could be a layered approach as Google made. It includes general information and additional layers of the detailed information. We also used this approach to present all of our policies on the main page. You can check our Data Protection Policy by following the link.

The second approach is a dashboard. Mostly, these are management tools that inform people of how you use their data and allow them to operate what happens with it.

Just-in-time notices – there could be some parts of focused privacy information delivered at the time you gather individual pieces of data about people.

Icons – meaning symbols that define the existence of a specific type of processing the data.

You can choose any option you find appropriate, and update your Privacy Policy statements according to GDPR. Also, don’t forget to notify your clients and partners about these changes.

Cookies Requirements

Cookie policy

At your online store or website, you can place notification messages, such as pop-ups, voice alerts, and mobile device gestures. It is related to mobile and smart device functionality and how you can access people through them.

We at WEB4PRO have a pop-up reminding that we use cookies, and the information is collected to them. As well as that, we wrote everything regarding collecting the data by cookies in our Cookie Policy.

WEB4PRO Cookie Policy Checkbox

Let’s move further to the Cookie requirements question. Not all people know that cookie is a small file that is downloaded from the user computer when he visits a website. Cookies are used for user identification, storage of the personal preferences, settings, and analytics. Websites with limited access require cookies, so you can use the site by accepting them. They could be dangerous in the way of deanonymization and tracking user actions.

The most important thing to consider is that user must have a choice. Even if you have a cookie at your website, users should have an option to agree with cookies usage or by settings to revoke their consent. You also should mention that declining cookies could cause limited or restricted access to your site if it requires cookies. In this case, people will know cookies requirements. It’s a great idea to describe all this information in Cookie Policy section on your website and include a link to this section to all notification messages.

As well as just understanding of the right to be informed your goals of collecting and processing the data could differ from the actions you perform with these data. If you sell, buy, obtain personal data from publicly accessible sources or, for example, you apply AI to personal data; you need to tell people the specific information according to what you are doing with their data.

Consider all the sides of the law and your clients’ interaction and use a blended approach to deliver the information to individuals in a transparent way.

Children’s Data Protection

If you deal with processing information of children who is under 16 or less, it should be particular protection for them. According to the Data Protection Bill, only children aged 13 or over can provide their consent.

Privacy by Design

It is an approach to projects that promote data protection and privacy from the beginning. It means that before even start to create a particular product, you should think about privacy policy and how to meet legal obligations. Technical security measures should support all development processes. Learn more about this GDPR requirement in ICO guide.

Data Processing for Marketing Purposes

An important part for all businesses is the restriction of data processing for marketing purposes. Article 21 says that individuals have a right to refuse to process their data for direct marketing and profiling. However, processing could have a place, that is mentioned in Recital 47 of the GDPR when it preserves the justified interests of the person.

Email marketing is allowed only if a person gives you permission to the data processing. However, there are some exceptions regarding this type of marketing. You can send emails to your existing customers or have a reasonable interest in sale or negotiations for a sale of product/services through email marketing to your potential clients.

In general, you need to provide an opt-in box, to give a choice to receive or refuse to receive messages or emails. As well as that you should ask for consent to pass details to third parties and write when and how people should agree or disagree with receiving your emails or other materials by emails, phone or another way to perform your marketing goals.

Documentation

Controllers and processors each have their documentation obligations. If you have 250 or more employees, you must document all your processing activities. If you have less than 250 employees, you need to record information that is not occasional or could cause a risk to the rights and freedom of individuals.

One more important part of the GDPR law is the Article 30 that describe what information you need to document your company’s actions in your Privacy Policy, and official documents to work with data:

  • The name and contact details of your organization and of other controllers, representatives, and data protection officer, where applicable.
  • The purposes of processing the information.
  • Description of types of personal data and categories of individuals.
  • The categories of recipients of personal data.
  • Your Lawful basis.
  • Description of your technical and organizational security measures.
  • Retention Schedules.
  • Transfer details to third countries if you have them, including documenting the transfer path safeguards in place.

Fines for Violation

If data breach happened, by the law you should report to the special authority about this issue within 72 hours from the moment it arrived.

Article 83 covered conditions for administrative fines. You should remember that by a violation of the law from your representatives (controller, processor) side you will pay up to € 10 million, or, in the case of a company, up to 2% of the global turnover of the previous fiscal year.

In case of violation of the controller or processor according to the law obligations for these parties you can lose up to € 20 million and 4% from the global turnover of the previous fiscal year. This will help you to build your work transparently and lawfully.

How WEB4PRO Prepared to GDPR

First of all, we went to the official source with GDPR law. It has 99 Articles and covers all the questions regarding personal data protection and how companies should proceed the information from users.

If you find the official document as a quite complex and you won’t have enough time to go deep into it, we suggest you one more professional source that covers up GDPR aspects. The Information Commissioner’s Office is the UK’s independent authority that posts relevant information about the information rights in the public interest. There you also will find checklists and preparation guide to GDPR.

We defined our lawful basis as Contract and described how we collect data and what do we use to communicate with our clients. We only collect name; email; Skype ID; and as it is a contact form we have a question/request field as optional.

However, please notice that you could have a different type of information you collect from your site visitors according to the initial settings, windows you have. An average eCommerce store collects lots of personal data, so you need to make sure that you’ve mentioned all of the points in your Privacy Policy.

These are the features we implemented on our website to comply with GDPR:

Data Protection Policy. We revised our Data Protection Policy. It includes the Privacy Policy, Cookie Policy, Compliance & Security, and Terms of Use. You can find this section here. Now this section contains all necessary information about our data protection measures, individual rights, and our law base for data processing.

Pop-up notification about the collection of cookies. We implemented the pop-up window which notifies our website users that we collect cookies. The guest of the site has the right to accept our Cookie Policy or use browser settings to decline cookies. The user can also use some programs to clear cookie history from their browser.

Checkboxes for contact forms. We added a checkbox to our Contact form to notify website visitors that he could send us his data only if he reads and accept our Privacy Policy.

WEB4PRO Contact Form with a Checkbox

All the notes in checkboxes should be put by a user manually. Please note, that you can’t set the configuration of the checkbox by default.

WEB4PRO Subscribe Form with a Checkbox

The same we added to our Subscribe form. If you have more ways where you collect personal data, you should add a checkbox with a link to your policies to it.

GDPR Summary

As we mentioned before it is important to make several vital steps:

  • understand which information is protected by the law;
  • assign the roles to control the process of processing;
  • define the purpose of personal data processing;
  • choose a lawful basis of corresponding the law;
  • respect individual rights regarding their personal data;
  • implement data security measures in your company;
  • assign the roles for personal data processing;
  • revise and update Privacy Policy notes, Cookies policy, Terms of Use;
  • include the information about the purpose for personal data processing and lawful basis to contracts and official documents;
  • add some data protection features to your company website;
  • inform your clients, customers, and subscribers about the changes in your Data Protection Policies.

You should never:

  • Sell Personal Data to third-party companies;
  • Offer services to children under the age of 16;
  • Send marketing newsletter to people who didn’t subscribe to it;
  • Violate Individuals Rights described in GDPR.

As you can see the new GDPR law has covered all the main points regarding individual’s personal data protection. We tried to describe the main aspects of each company to perform the right documentation and follow all principles of collecting and processing the information safely and transparently. We hope that our company completely meets GDPR requirements and this guide will be helpful for you as well. Please remember that GDPR law comes into force on May 25th, 2018, so make sure that you’ve covered all the points highlighted above.

Also, there are great additional sources for you to check: