OmniCyber has put together the most comprehensive GDPR guide on the web, over 25 questions and 8000 words! Understanding and implementing GDPR is crucial for your business, company, or organisation. Read the ultimate guide to GDPR and find out more.
GDPR stands for General Data Protection Regulation and this is a European Union law governing data privacy and protection. GDPR was implemented to safeguard the personal data of citizens of the EU and citizens of the European Economic Area (EEA). GDPR replaces the Data Protection Directive.
GDPR is the EU’s General Data Protection Regulation. The regulation lays out one set of data protection rules for all organisations that operate within the EU.
GDPR applies to any entity that operates in the EU, regardless of where they are based. This means that businesses located outside of the EU must also comply with GDPR if they wish to bring services or products to EU citizens.
The purpose of GDPR is to enforce a stronger set of rules governing data protection, giving people greater control over their personal data. GDPR replaces the Data Protection Directive 95/46/EC.
Under GDPR governance, all businesses operate on a level playing field. Businesses must have a concrete consent management process and an effective data rights management system.
General Data Protection Regulation brings into effect new rights for people, such as:
- The right to be forgotten – Organisations must delete a person’s data, under certain circumstances, on the request of an individual.
- The right to access – Organisations have to supply users with a copy of all data that they have collected on them.
- The right to data portability – Under certain circumstances, an organisation must transfer user data to another organisation of the user’s choosing.
- The right to rectification – Organisations must update inaccurate or incomplete data.
- A legal basis for data processing – Organisations must clearly justify the need to process data. There are several legal bases for this, outlined in Article 6, Lawfulness of Processing.
Under Article 6, the processing of data by organisations is only lawful if one of the following applies:
- If a person has given explicit consent to process their data for a specific purpose.
- If processing is necessary to comply with legal obligations.
- If processing is needed to perform a contract, or prior to entering a contract, with the individual.
- If processing is needed to protect the vital interests of the person or another natural person.
- If processing is necessary for performing tasks carried out in the public interest or by an official authority vested in the organisation.
- If processing is required for a legitimate interest of the organisation, or a third party, except where those interests are overridden by the freedoms, fundamental rights, or interests of the person.
When did GDPR come into force?
The debate and preparation for GDPR took place over four years. GDPR was approved by the EU Parliament on the 14th of April 2016. GDPR came into force on the 25th of May 2018.
What is GDPR compliance?
GDPR compliance is a regulatory standard that organisations must meet if they control or process the personal data of EU residents. There are two main areas to consider to ensure your organisation is compliant: cookies and an information audit.
Cookies: Cookies are a useful tool for companies and can give them insights into their users’ activity online. Cookies are small text files that are put on a user’s device when they browse a business’s website. They are stored and processed by the user’s web browser.
Cookies are easy to view and delete and they serve a vital function. They are harmless and businesses use them to track the online activity of users, with the purpose of targeting the user with specific adverts, relevant to what they search for.
Under GDPR, cookies can be considered as personal data. This is due to the amount of information that they may contain, which could potentially identify a user, without their consent.
Organisations can process this data if they acquire cookie consent. This is usually achieved by adding a pop-up, as laid out in the ePrivacy Directive (EPD), known as the cookie law.
For GDPR cookie compliance, organisations must:
- In plain language, provide specific and accurate information on the data each cookie tracks prior to receiving consent.
- Acquire a user’s consent prior to using any cookies, except those that are strictly necessary.
- Make withdrawing a user’s consent as easy as giving consent.
- Document and save consent from users.
- Permit users to access their services, regardless of whether they give cookie consent.
The rules that govern cookies are changing and being adapted all of the time. Because of this, maintaining compliance under GDPR will be a continuous job.
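The five cookie-compliance points above map naturally onto a small consent ledger. The following is an added example written for this guide, not code from OmniCyber or from any consent-management product: it records each decision with a timestamp and the version of the plain-language notice shown, makes withdrawal a single call just like granting, treats only the strictly necessary category as consent-free, and serves the page whether or not consent was given. The category names, notice version strings and user ids are constructed for the example.

```python
# Added example (not code from the OmniCyber guide): a minimal cookie-consent
# ledger covering the compliance points listed above. Category names, the
# notice version strings and the sample user ids are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Cookie categories used by the example site. Only "necessary" may be set
# without consent; every other category starts off as "not consented".
CATEGORIES = ("necessary", "analytics", "marketing")


@dataclass(frozen=True)
class ConsentEvent:
    """One documented decision. Events are appended, never edited, so the
    ledger is evidence of what the user agreed to, when, and to which notice."""
    user_id: str
    category: str
    granted: bool
    at: datetime
    notice_version: str  # which plain-language cookie notice was shown


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, user_id: str, category: str, granted: bool,
               notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Document a grant or a withdrawal. Both are the same single call,
        so withdrawing consent is never harder than giving it."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown cookie category: {category}")
        event = ConsentEvent(user_id, category, granted,
                             at or datetime.now(timezone.utc), notice_version)
        self._events.append(event)
        return event

    def withdraw(self, user_id: str, category: str, notice_version: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        return self.record(user_id, category, False, notice_version, at)

    def current(self, user_id: str) -> Dict[str, bool]:
        """Replay the user's events in order; the latest decision per category
        wins. Strictly necessary cookies never depend on consent."""
        state = {c: False for c in CATEGORIES}
        for ev in self._events:
            if ev.user_id == user_id:
                state[ev.category] = ev.granted
        state["necessary"] = True
        return state

    def history(self, user_id: str) -> List[ConsentEvent]:
        """The saved consent trail for one user, e.g. to answer an access request."""
        return [ev for ev in self._events if ev.user_id == user_id]


def cookies_to_set(ledger: ConsentLedger, user_id: str) -> List[str]:
    """Categories a response may set for this user right now."""
    return [c for c, ok in ledger.current(user_id).items() if ok]


def serve_page(ledger: ConsentLedger, user_id: str) -> dict:
    """The page is served whether or not the user consented; only the
    non-essential cookies depend on the ledger."""
    return {"content": "<html>...</html>",
            "set_cookies": cookies_to_set(ledger, user_id)}


if __name__ == "__main__":
    ledger = ConsentLedger()
    print(serve_page(ledger, "visitor-1"))             # only "necessary"
    ledger.record("visitor-1", "analytics", True, "notice-v3")
    print(serve_page(ledger, "visitor-1"))             # necessary + analytics
    ledger.withdraw("visitor-1", "analytics", "notice-v3")
    print(serve_page(ledger, "visitor-1"))             # back to necessary only
    print(len(ledger.history("visitor-1")), "consent events documented")
```

The ledger is append-only on purpose: a consent record that can be overwritten is not evidence of anything, whereas a chronological trail shows exactly which notice version the user saw and when they withdrew. In a real deployment the events would be persisted and keyed to the same identifier the cookie itself carries.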
Information audit: If your organisation conducts higher-risk personal data processing or has more than 250 employees, then it should conduct an information audit. These companies should keep an up-to-date list of the processing activities they undertake. They should be ready to show their processing activity list to regulatory authorities at any time.
One of the easiest ways to work towards GDPR compliance is to carry out a data protection impact assessment (DPIA). If your business introduces new projects that involve high risks to personal data, then an additional DPIA should be conducted.
If your business is unsure as to whether it needs to conduct a DPIA, then the list below gives examples of when a DPIA is needed:
- You track people’s behaviour or their location.
- You are introducing new technologies.
- You are monitoring, on a large scale, a publicly accessible place.
- You are processing children’s data.
- You are making automated decisions by processing people’s data that could have legal effects.
- You process data that could result in physical harm to a person if the data is leaked.
- You process data such as ethnic origin, racial origin, religious beliefs, political opinions, philosophical beliefs, genetic data, union membership, or biometric data, for the purpose of identifying a natural person. Health data and sexual orientation also fall under this condition.
A DPIA should include several elements that are outlined in Article 35 of GDPR. These elements include:
- An assessment of the proportionality and necessity of the data processing to the purpose.
- An assessment of the risks to the freedoms and rights of data subjects.
- A description of the processing operations and the purpose of processing the data. This should include, where relevant, the legitimate interest pursued by the data controller.
- What security measures are to be put into place to safeguard personal data. This should show compliance with GDPR and take into account the interests and rights of the data subject.
It is vital to ensure that your DPIA is prepared before you start any type of data processing. The DPIA should form part of your project planning and if you have a data protection officer (DPO), then they should be included.
The Information Commissioner’s Office, which is the UK’s regulatory authority overseeing GDPR, has produced a handy template. You can view the Data Protection Impact Assessment Template, and this will help your company decide if your processing activities require a DPIA. The template includes a series of questions for you to consider, to help you determine the security protections you should put in place.
Does GDPR apply to individuals?
GDPR does not apply to data processing carried out by individuals, solely for household and personal activities. This means that you can keep personal contacts’ information on a computer or a smartphone. You can also store footage from CCTV cameras, that you may have placed on or in your house to deter intruders.
GDPR compliance is only required for any company, business, or organisation that holds or processes personal data in some way. It does not matter if these organisations are located in the EU. If they hold or process the personal data of an EU citizen, then GDPR applies.
Who is responsible for enforcing GDPR?
Every EU Member State has designated an independent public authority, to be responsible for enforcing GDPR compliance. The authority is known as a DPA (Data Protection Authority) or supervisory authority.
The DPA in each country is tasked to do the following:
- Monitor and enforce GDPR compliance.
- Promote awareness of the obligations of processors and controllers.
- Promote public awareness of data subjects’ rights and of the risks to them.
- Manage and investigate complaints.
- Document GDPR infringements and what corrective actions are given.
- Cooperate with other data protection authorities.
- Exercise corrective and advisory power.
- Investigate GDPR application in the form of data protection reviews and audits.
In the UK, the ICO (Information Commissioner’s Office) is an independent body that has been set up to uphold information rights. The ICO works with the European Commission and the European Data Protection Board to implement and enforce GDPR compliance.
Businesses and public authorities that have core activities centred on the regular processing of personal data are required to have a DPO (Data Protection Officer). The DPO is responsible for managing the business’s GDPR compliance.
Does GDPR apply to me?
If your organisation processes the personal data of EU residents, then GDPR applies to you. GDPR applies to any business that processes, stores, or shares personal data. It is vital to recognise that GDPR applies to companies located anywhere, including companies outside of the European Union. It essentially affects any entity that is engaged in economic activity within the EU or with EU citizens.
Companies of all sizes are expected to comply with the EU’s GDPR. However, there are a few exceptions for organisations that have fewer than 250 employees. Organisations with fewer than 250 employees are not required to keep a record of processing activities unless:
- The processing of data is not occasional.
- The processing of data could result in a risk to people’s rights and freedoms.
- The data being processed includes special categories of data, such as offences and criminal convictions.
The EU’s GDPR also does not apply to people who process personal data at home and exclusively for household activities. An excellent example of this is the data captured by CCTV cameras, as a deterrent to criminals.
If GDPR applies to your organisation, then you must find out what your obligations are, to achieve GDPR compliance.
Does GDPR replace DPA?
Replacing the Data Protection Act 1998, DPA 2018 modernises and lays out a framework for the UK’s data protection law. GDPR does not replace DPA 2018 but instead sits alongside it, with the DPA defining how GDPR applies in the UK. Both the DPA and GDPR were introduced on the 25th of May 2018.
The DPA affects many things, such as exemptions, and it sets out the powers and functions of the Information Commissioner’s Office (ICO). The ICO is the UK’s independent body that is tasked with upholding information rights.
The Data Protection Act 2018 covers several functions that GDPR does not, making it a necessary bill. DPA includes legislation that is solely specific to the United Kingdom. This means that it applies rules to the parts of GDPR that are left up to the individual EU Member State. In particular, the DPA 2018:
- Provides certain exemptions from GDPR.
- Allows children aged 13 to consent to data processing, instead of 16, as set out in GDPR.
- Gives different rules to law enforcement authorities.
- Extends data protection to national security and defence.
- Sets out the powers of the UK’s Information Commissioner’s Office (ICO).
What does GDPR cover?
GDPR affects charities, businesses, and startups that process, collect, or control personal data of EU citizens. A controller is an organisation that determines the means of and purpose of processing personal data. A processor is an organisation that is responsible for, on behalf of the controller, processing data.
Personal data is any piece of information that can be used to identify a living person. Examples of personal data include:
- Names or surnames
- Home addresses
- Location data
- Identification card numbers
- IP (Internet Protocol) addresses
- Cookie IDs
- Data held by doctors or hospitals
- Advertising identifiers on phones
GDPR also covers sensitive personal data, such as sexual orientation, political views, and religious views.
GDPR does not cover data such as company registration numbers, anonymised data, and generic business email addresses that do not identify an individual. GDPR also doesn’t cover data processed for personal reasons, in one’s home, where there isn’t a connection to commercial or professional activity.
GDPR changes the rights of EU citizens giving them the right to:
- Information on the processing of their personal data.
- Object to the processing of their data for marketing purposes.
- Restrict the processing of their personal data under certain circumstances.
- Obtain access to the personal data that is being held.
- Request that their personal data be corrected if it is incomplete or inaccurate.
- Request for their personal data to be deleted, when it isn’t needed any longer for processing.
- Request their personal data in a machine-readable format, and send it to another controller.
- Request that decisions made using automated processing be made by natural persons and not just by computers.
What is a privacy notice GDPR?
A GDPR privacy notice must:
- Inform EU citizens about how you will use, process, and collect their personal data.
- Be presented at the first point of data collection.
- Use clear, transparent, and plain language, be free of charge and be created in an accessible format.
If you collect personal data then you must create a privacy notice that includes the following elements:
- The legal basis and purpose for processing the citizen’s personal data.
- The identity and contact details of the data controller.
- If you are required to have a data protection officer (DPO), the details of this person.
- The length of time that you will hold the citizen’s personal data.
- What the legitimate interest is for legally processing the citizen’s data.
- The right of the citizen to withdraw consent at any time.
- Who, including categories of recipients and named parties, you will share the citizen’s personal data with.
- Any third countries that you may transfer data to, and what safeguards are in place.
- The right of the citizen to make a complaint to the Information Commissioner’s Office (ICO).
- The existence of the individual’s rights also referred to as data subject rights.
- If you carry out automated decision making, such as profiling, how these decisions are made, their significance, and any possible consequences.
- Contractual or statutory requirements, if they exist, for the citizen to provide their personal data and any consequences of not providing their data.
If you happen to collect data from a third-party (any source other than the data subject), then in your privacy notice, you must also include:
- The data source and if that source is publicly available.
- The categories of personal data.
Your organisation’s GDPR privacy notice should be located on your website. You must link to this whenever you ask an EU citizen to register with your service, sign up to a newsletter, or provide any personal information, in any other way. You should also be aware that your GDPR privacy notice must be available orally, to ensure comprehension and to assist the visually impaired.
When you create a privacy notice for your organisation, you should answer the following questions and cover the following topics:
- What data do we collect?
- How do we store your data?
- How do we use your data?
- How do we collect your data?
- What are cookies?
- What types of cookies do we collect?
- How to manage your cookies.
- What are your data protection rights?
- How to contact the appropriate authorities.
- The privacy policies of other websites.
- How to contact us.
The EU’s GDPR guidelines also suggest a series of phrases that you either shouldn’t use or you should add an explanation to, in order to clarify what and why. These words include research, services, and personalisation.
Does GDPR apply to business contacts?
EU GDPR compliance is a must for any organisation that is a controller or processor of personal data. GDPR covers the personal data of EU citizens and there is no difference between business-to-customer and business-to-business personal data.
What we mean here is that business contacts are still covered by the GDPR guidelines if the details are those of a natural person. For example, there is no difference between a personal email address and a work email address of the form firstname.lastname@example.org. This is because both types of email address include the name (personal data) of the person who uses that email address.
However, if the email address does not identify a person, then it is not covered by GDPR. For example, email@example.com does not include a person’s personal details. This email address could be for anyone within the company.
Does GDPR apply to sole traders?
Sole traders must also comply with GDPR. All businesses that handle personal data are advised to designate a person to oversee GDPR compliance. Compliance is required because all businesses, including sole traders, are vulnerable to data breaches. These breaches can be of a malicious nature or may simply occur because of minor negligence.
Cybercriminals often attack small businesses and sole traders, because their cybersecurity may be weak. Businesses must report any breach to the authorities within 72 hours.
The breach notification must include:
- The type of breach and the number of personal data records that are affected.
- A description of the consequences that might occur, due to the breach.
- The name and contact information of the person responsible for overseeing GDPR compliance.
- A description of the proposed measures or the measures already taken to respond to the breach.
How many GDPR principles are there?
Under GDPR, organisations must follow seven principles (sometimes referred to as six plus one) when collecting, managing, or processing the personal data of EU citizens. GDPR must be followed regardless of where the organisation is located. Many of the principles are like those outlined in the Data Protection Directive (DPD), so some organisations will simply need to make adjustments to fall in line with GDPR compliance.
The GDPR principles offer companies a fundamental guide to their data protection responsibilities. The principles outlined in Article 5 of the regulation include:
- Lawfulness, fairness, and transparency – Personal data must be processed lawfully, fairly, and with transparency, in relation to the data subject.
- Purpose limitation – Personal data should be collected only for an explicit, legitimate, and specified purpose, while not being further processed in a manner that is incompatible with the initial purposes.
- Data minimisation – The personal data that is being collected must be limited, relevant, and adequate only for the purposes of which the data is being processed.
- Accuracy – Personal data must be accurate and kept current. Your organisation will need to make every reasonable step to ensure the data is accurate. Regard for the purpose of which data is processed should be considered and data should be rectified or deleted without delay.
- Storage limitation – Personal data should be kept in a form that makes the identification of data subjects possible, for no longer than is necessary, for the purposes of the processing. However, personal data may be stored for longer when it is needed for archiving purposes that are in the public interest, historical or scientific research or for statistical purposes. This should be in accordance with Article 89(1) and subject to proper safeguarding of the rights and freedoms of the data subject.
- Integrity and confidentiality (security) – Personal data should be processed in a way that guarantees the security of personal data. This should include protection against accidental loss, unlawful and unauthorised processing, and damage and destruction, using appropriate organisational and technical measures.
- Accountability – The controller (the organisation that decides what and how data is processed) is responsible for, and must be able to demonstrate, compliance as defined under paragraph 1.
How to report GDPR breach?
Personal data breaches under GDPR compliance must be reported within 72 hours of your company becoming aware of the breach. GDPR breaches must be reported to the appropriate authority, which is the ICO in the United Kingdom.
Individuals must be informed of the data breach without delay if the breach is likely to result in a high risk of negatively affecting their individual freedoms and rights. Your organisation should retain a record of any personal data breach, even if you are not required to report it.
For GDPR compliance, your organisation must have robust breach detection, reporting, and investigation procedures. These will help the decision-maker determine whether or not the breach should be reported to the affected individuals or the supervisory authority (ICO).
In order to prepare for a GDPR personal data breach your organisation should:
- Understand that a breach isn’t solely about the theft or loss of personal data.
- Know how to identify a personal data breach.
- Have allocated the responsibility for the management of data breaches to a dedicated team or person.
- Have prepared a response plan for handling personal data breaches.
- Have trained your staff to know how to escalate a security breach to the appropriate team or person in your company that determines if a data breach has occurred.
There are several things you will need to know or put in place, for responding to a personal data breach. You should:
- Have a process in place to assess the possible risks to individuals affected by the breach.
- Know who the supervisory authority is for your processing activities.
- Know what information you will need to give to the supervisory authority, regarding the breach.
- Have a process in place that will inform the ICO within 72 hours, even if your organisation doesn’t yet have all of the details.
- Have a process in place that will inform affected data subjects about the breach and what is likely to be the result, when there is a high risk to their freedoms and rights.
- Know what information to provide to individuals in the case of a breach. You should also be able to provide the individual with advice on how they can protect themselves, from the effects of the data breach.
- Be prepared to establish which European data protection authority to report to when the affected individuals are from different EU countries.
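The breach-handling requirements in this section (the 72-hour clock that starts when you become aware of the breach, the decision about whether affected individuals must be told, reporting even before every detail is known, and keeping a record of every breach) can be captured in a simple breach register. The following is an added example written for this guide, not code from OmniCyber or from the ICO: the breach id, the names, the contact address and the timestamps are constructed, and treating any identified risk to individuals as requiring the authority report (with only a "no risk" assessment left unreported) is an assumption made for the example, since the text says the decision is yours to make.

```python
# Added example (not code from the OmniCyber guide): a breach register that
# tracks the 72-hour deadline, applies the high-risk test from the text and
# assembles the notification content listed earlier under sole traders.
# Identifiers, names, addresses and timestamps are constructed. The rule that
# any identified risk triggers the authority report is an assumption.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOTIFY_WINDOW = timedelta(hours=72)  # counted from becoming aware of the breach


@dataclass
class BreachRecord:
    """One entry in the register. Every breach is recorded, reported or not."""
    breach_id: str
    became_aware_at: datetime
    breach_type: str                  # e.g. lost laptop, misdirected email
    records_affected: int
    likely_consequences: str
    contact_name: str                 # person overseeing GDPR compliance
    contact_email: str
    measures: List[str] = field(default_factory=list)   # taken or proposed
    risk_to_individuals: str = "unknown"                # "none", "low", "high", "unknown"
    reported_to_authority_at: Optional[datetime] = None
    subjects_informed_at: Optional[datetime] = None

    def deadline(self) -> datetime:
        return self.became_aware_at + NOTIFY_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now).total_seconds() / 3600

    def is_overdue(self, now: datetime) -> bool:
        return self.reported_to_authority_at is None and now > self.deadline()

    def must_report_to_authority(self) -> bool:
        # Assumption for the example: only a breach assessed as posing no risk
        # is left unreported. "unknown" still counts, so assessment never
        # delays the report past the deadline.
        return self.risk_to_individuals != "none"

    def must_inform_subjects(self) -> bool:
        # From the text: individuals are told when the risk to them is high.
        return self.risk_to_individuals == "high"


def authority_report(rec: BreachRecord, now: datetime) -> Dict[str, object]:
    """Notification content for the supervisory authority. Missing details do
    not block the report: known fields are sent and a flag marks that a
    follow-up with the remaining information is still due."""
    details_complete = bool(rec.measures) and rec.risk_to_individuals != "unknown"
    return {
        "breach_id": rec.breach_id,
        "type": rec.breach_type,
        "records_affected": rec.records_affected,
        "likely_consequences": rec.likely_consequences,
        "contact": {"name": rec.contact_name, "email": rec.contact_email},
        "measures": list(rec.measures),
        "hours_since_aware": round((now - rec.became_aware_at).total_seconds() / 3600, 1),
        "within_72_hours": now <= rec.deadline(),
        "details_complete": details_complete,
    }


def next_actions(rec: BreachRecord, now: datetime) -> List[str]:
    """What the response team still has to do for this record."""
    actions = []
    if rec.must_report_to_authority() and rec.reported_to_authority_at is None:
        actions.append(f"report to supervisory authority ({rec.hours_remaining(now):.0f}h left)")
    if rec.must_inform_subjects() and rec.subjects_informed_at is None:
        actions.append("inform affected individuals without delay")
    if rec.risk_to_individuals == "unknown":
        actions.append("complete risk assessment")
    return actions


def open_items(register: List[BreachRecord], now: datetime) -> Dict[str, List[str]]:
    """Outstanding actions across the whole register, keyed by breach id."""
    return {r.breach_id: acts for r in register if (acts := next_actions(r, now))}


if __name__ == "__main__":
    aware = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    rec = BreachRecord("BR-0001", aware, "misdirected email", 120,
                       "contact details exposed to an unintended recipient",
                       "A. Example", "dpo@example.org", risk_to_individuals="high")
    now = aware + timedelta(hours=10)
    print(authority_report(rec, now))
    print(open_items([rec], now))
```

Two choices matter here. First, the clock is anchored to the moment the organisation became aware, not to when the breach happened or when the investigation finished, because that is what the 72-hour figure in the text is measured from. Second, a record with no required notifications still stays in the register, matching the advice above to retain a record of any personal data breach even when it need not be reported.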
What is a data controller GDPR?
GDPR specifically defines a data controller as “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.” This means that the data controller is the entity that determines the means by which and the purpose for which personal data is processed.
If your business decides how and why personal data is processed, then it is the data controller. Employees are not data controllers, they simply process personal data within your company to complete the tasks your company has set out, as the data controller.
Your organisation might also be classed as a joint controller. A joint controller is an organisation that, along with another organisation, jointly determines how and why personal data is processed. If the joint controller label fits your company, then you must enter into an arrangement that clearly sets out the respective responsibilities for GDPR compliance. It is the main aspects of this arrangement that should be communicated to the person whose personal data is being processed.
An organisation may fit into a third group known as the data processor. A data processor only processes the personal data of EU citizens, on behalf of a data controller. Data processors are typically third-party external companies.
The data processor’s duties toward the data controller should be set out in a legal act or a contract. The contract should clarify certain important points, such as what happens to the data if the contract between the controller and the processor is terminated. It is vital to recognise that if your company is a processor, then written authorisation is needed from the controller under certain circumstances. This could be if personal data is to be processed by a further sub-contractor or if the processor wishes to appoint a joint processor.
What is GDPR training?
Since GDPR came into effect, training to help companies fully understand the regulation and become compliant has become a necessity. Many companies offer training courses, or you can provide training to your staff members in-house. Ensuring staff are trained appropriately and have a more comprehensive understanding of GDPR will reduce the risk of non-compliance.
Staff training has become an essential part of GDPR; these will be the people collecting and processing data from individuals. Not all staff members will need to know the full legislation of GDPR. It is essential, however, to make sure that all staff members know about GDPR and data protection issues.
GDPR training will usually cover the rights of the individuals that the data is about, the data controller’s responsibilities, and compliance rules. Each company will have different requirements when it comes to GDPR training. An assessment of which staff members will need training and the depth of knowledge and understanding required will have to be determined.
The person who will ultimately be responsible for overseeing compliance should also be considered. Any training carried out for staff members should cover:
- Basic concepts of GDPR
- Key staff members obligated under GDPR
- Data subjects’ rights
- Compliance measures
Providing GDPR training will help to reduce the risk of data breaches as each member of staff is made aware of their responsibilities within the regulations. Not only this, but training will also be a demonstration of compliance with GDPR. A record of training will show that the necessary steps have been taken to prevent a data breach. Should a problem occur, a training record will prove that GDPR was taken seriously within the organisation.
Empowering staff with the appropriate training will help them to identify and report any potential GDPR issues in the day-to-day handling of data. GDPR training can be completed using online tools initially; however, face-to-face training is recommended to make sure staff members fully understand. Following up with this kind of training will allow employees to ask any questions relating to their specific job role and the daily scenarios they encounter.
While it may take time to train all staff members, it’s essential to make sure that the organisation is working towards GDPR training for everyone. Members of staff more directly involved in collecting and processing of data should be the priority. As a whole, companies should make sure that staff members have a general understanding of GDPR. This should include their responsibilities related to these regulations, and what they need to do if they believe there is a problem.
How does GDPR affect small business?
The implementation of GDPR affects all businesses’ data practices, whether big or small. These regulations determine how businesses of any size collect, store, and use personal data. However, GDPR does recognise the fact that not all activities are the same. Smaller companies are not bound by GDPR if:
- The business has 250 employees or less, and
- No sensitive data is handled, and
- Data processing doesn’t affect the freedoms and rights of individuals
A company would have to fit all of these criteria to be exempt. For example, if a business has fewer than 250 employees but collects individuals’ sensitive data, it would have to be GDPR compliant.
If a company has more than 250 employees, it is automatically included in GDPR and will have to appoint a Data Protection Officer (DPO). The DPO cannot work in certain professions, such as IT or Marketing, as this will be considered a conflict of interest. Within these roles, employees are involved in the processing of data, and a DPO can’t be involved in both handling and protecting data.
While conducting the daily operations of a business, employees and the departments within a company will likely be collecting and processing information. GDPR covers sensitive information; a company will have to be GDPR compliant if it collects:
- Genetic data
- Health information
- Religious information
- Sexual orientation or activity
- Ethnic or racial origin
- Trade union membership
- Biometric identification information
There are some exceptions, such as non-profits, customer service, or public health.
The “rights and freedoms” of individuals are a primary focus of GDPR. The regulations are designed around protecting the rights and freedoms of individuals with regard to their personal data and the protection of their information. Any business conduct in regard to personal information that will affect a person’s rights and freedoms would be a GDPR violation.
GDPR compliance is an ongoing process for each business and will require diligent monitoring. The regulations enforce serious consideration of individuals’ data protection, and this will affect small businesses too.
How long can personal data be stored under GDPR?
The main elements of the GDPR focus on minimising data held both in regards to the volume of information and the length of time the data is stored. Article 5 (e) of GDPR covers the amount of time that data is permitted to be held about individuals. This part of the GDPR states that personal data can only be stored for the necessary amount of time for which it is being processed. Some circumstances allow data to be stored for more extended periods such as for scientific research purposes or for archiving in the public interest.
Personal information should be stored for a strictly limited amount of time. The data controller of a business will need to determine the time limit for data storage. When this time has lapsed, organisations have a duty to ensure that the data is securely erased. These imposed limits and strict timetables are aimed at reducing the risk of data becoming irrelevant or inaccurate.
Although this may seem a vague ruling when it comes to time periods that data may be kept for, there are reasons for this. “No longer than necessary” simply means that organisations can only process and save data for the amount of time it takes to complete the process for which it has been collated. This can present some challenges as data is not always collected for a single purpose that is completed within a defined time.
Online retailers, for example, may collect order and payment data for an individual’s purchase. Once the order has been dispatched and the customer receives the goods, the process is essentially completed. However, if the retailer were to delete the information, it could cause potential problems. The customer may have a complaint and request a refund, or the records may be needed for accounting purposes.
Other information such as HR records or sales records for marketing purposes will also need to be kept for various periods. Data retention has to be assessed on an individual basis with each organisation looking at what reasons they will have to keep any data. These will have to be acceptable justifications under the GDPR. Each business will have to create a data retention plan that will be applicable to any personal information collected.
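The retention plan described above is easiest to reason about when each purpose for holding a record carries its own justified period and a record is only erased once every purpose has lapsed. The following is an added example written for this guide, not code from OmniCyber: it works through the online-retailer case from the text, where order data outlives the completed order because a refund or accounting purpose still applies. The purpose names, the retention periods and the sample records are constructed placeholders; the real periods for your organisation come from its own legal and accounting justifications.

```python
# Added example (not code from the OmniCyber guide): a per-purpose retention
# schedule of the kind the text asks each organisation to create. Purposes,
# periods and sample records are constructed placeholders, not legal advice.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Retention period per purpose, counted from the date the original purpose
# was completed (or from collection if it never "completes"). Placeholders.
RETENTION_SCHEDULE: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=30),
    "refunds_and_complaints": timedelta(days=180),
    "accounting_records": timedelta(days=6 * 365),
    "marketing": timedelta(days=365),
}


@dataclass
class PersonalDataRecord:
    record_id: str
    subject: str
    collected_at: datetime
    purposes: List[str]
    completed_at: Optional[datetime] = None  # when the original purpose ended
    erased_at: Optional[datetime] = None


def retain_until(rec: PersonalDataRecord) -> Tuple[Optional[datetime], Optional[str]]:
    """Latest date on which any purpose still justifies holding the record,
    and which purpose that is. A purpose missing from the schedule is an
    error: every reason for keeping data needs an explicit, justified period."""
    start = rec.completed_at or rec.collected_at
    latest, reason = None, None
    for purpose in rec.purposes:
        if purpose not in RETENTION_SCHEDULE:
            raise KeyError(f"no retention period defined for purpose {purpose!r}")
        until = start + RETENTION_SCHEDULE[purpose]
        if latest is None or until > latest:
            latest, reason = until, purpose
    return latest, reason


def review(records: List[PersonalDataRecord], now: datetime) -> List[Dict[str, object]]:
    """Decide, for each live record, whether to keep it (and on what
    justification) or to erase it because no purpose remains."""
    decisions = []
    for rec in records:
        if rec.erased_at is not None:
            continue  # already securely erased; nothing left to decide
        until, reason = retain_until(rec)
        if until is None or now >= until:
            decisions.append({"record_id": rec.record_id, "action": "erase",
                              "justification": "no purpose remains"})
        else:
            decisions.append({"record_id": rec.record_id, "action": "keep",
                              "justification": f"{reason} until {until.date().isoformat()}"})
    return decisions


def apply_erasures(records: List[PersonalDataRecord],
                   decisions: List[Dict[str, object]], now: datetime) -> int:
    """Mark records chosen for erasure; this is the hand-off point to the
    storage layer's secure deletion. Returns how many were erased."""
    to_erase = {d["record_id"] for d in decisions if d["action"] == "erase"}
    count = 0
    for rec in records:
        if rec.record_id in to_erase and rec.erased_at is None:
            rec.erased_at = now
            count += 1
    return count


if __name__ == "__main__":
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)  # constructed dates
    order = PersonalDataRecord("ord-1", "cust-42", t0,
                               ["order_fulfilment", "refunds_and_complaints",
                                "accounting_records"],
                               completed_at=t0 + timedelta(days=5))
    promo = PersonalDataRecord("mkt-1", "cust-42", t0, ["marketing"])
    now = t0 + timedelta(days=400)
    decisions = review([order, promo], now)
    print(decisions)                      # order kept (accounting), promo erased
    print(apply_erasures([order, promo], decisions, now), "record(s) erased")
```

The review runs the same way whether the trigger is a scheduled job or an individual erasure request: the justification string recorded for each "keep" decision is what you would show a regulator, or the data subject, to explain why the data is still held.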
Is my website GDPR compliant?
The EU’s GDPR is relevant to all websites that have users residing in the EU. If your website isn’t GDPR compliant, then it may be subject to hefty fines.
There are two main messages that GDPR gives to organisations:
- Organisations should make marketing communications as clear as is possible.
- Organisations need to secure customer data.
Not sure your website is GDPR compliant? Contact Omni Cyber Security.
Below is the guidance that you should follow to ensure that your website is GDPR compliant.
Online contact forms: It is now mandatory for your website to have a checkbox where the user confirms acceptance of your website’s terms, as well as how they agree to be contacted. Your organisation should justify why you are asking for user details. For compliance, it is useful to have a pop-up next to the phone number, email, or address box stating that this is how you will contact the customer in the future. It is also mandatory to have a separate checkbox if you intend to send out subsequent marketing messages. Checkboxes must be unticked at the start, to rule out the possibility of accidental subscription when the user takes no action.
Email marketing: EU residents now have the right not to receive unsolicited emails, both from organisations they know and from those they don’t. Prior to the GDPR coming into force, companies were encouraged to email all of their subscribers again to ask them to opt in to receiving further promotions, updates, and newsletters. Subscribers that didn’t respond should have been automatically unsubscribed.
For GDPR compliance, websites must now make it easy for users to unsubscribe. You must also only send marketing emails to users who have explicitly opted in. Failure to follow these regulations may result in prosecution by the ICO.
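The consent rules from the two points above (unticked checkboxes, one box per purpose, opt-in only, unsubscribe always honoured), captured in a small consent ledger as an added example rather than code from the original guide. The form field names, purpose names and sample addresses are assumptions constructed for the example.

```python
"""Consent ledger for contact forms and marketing email.

Rules modelled: a browser only submits a checkbox that was ticked, so a missing
field is 'no consent', never a default opt-in; each purpose has its own box;
the most recent event for an address and purpose wins, so a later unsubscribe
overrides an earlier opt-in; only explicitly opted-in contacts are mailed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConsentEvent:
    email: str
    purpose: str       # "service_contact" or "marketing" (assumed purpose names)
    granted: bool      # True = opt-in, False = withdrawal / unsubscribe
    at: datetime
    source: str        # where it was captured: form id, unsubscribe link, ...


# Assumed form field names, one checkbox per purpose.
CHECKBOXES = (("consent_contact", "service_contact"),
              ("consent_marketing", "marketing"))


def form_consent_events(form: dict, at: datetime, source: str) -> list:
    """Turn a submitted contact form into explicit consent events."""
    email = form.get("email", "").strip().lower()
    if not email:
        return []
    # Only a ticked box ("on") records consent; anything else records nothing.
    return [ConsentEvent(email, purpose, True, at, source)
            for field_name, purpose in CHECKBOXES if form.get(field_name) == "on"]


def current_consent(ledger, email: str, purpose: str) -> bool:
    """Latest event for (email, purpose) decides; no event at all means no consent."""
    relevant = [e for e in ledger if e.email == email.lower() and e.purpose == purpose]
    if not relevant:
        return False
    return max(relevant, key=lambda e: e.at).granted


def marketing_recipients(ledger, candidates) -> list:
    """Filter a mailing list down to addresses with a live marketing opt-in."""
    return [c for c in candidates if current_consent(ledger, c, "marketing")]


# Constructed sample data: Ann ticked only the contact box, Bob ticked both and
# later unsubscribed, Cat ticked marketing only, Dan never filled in the form.
T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE_LEDGER = (
    form_consent_events({"email": "Ann@example.com", "consent_contact": "on"}, T0, "contact-form")
    + form_consent_events({"email": "bob@example.com", "consent_contact": "on",
                           "consent_marketing": "on"}, T0, "contact-form")
    + form_consent_events({"email": "cat@example.com", "consent_marketing": "on"}, T0, "contact-form")
    + [ConsentEvent("bob@example.com", "marketing", False, T0.replace(day=3), "unsubscribe-link")]
)
CANDIDATES = ["ann@example.com", "bob@example.com", "cat@example.com", "dan@example.com"]

if __name__ == "__main__":
    print(marketing_recipients(SAMPLE_LEDGER, CANDIDATES))
```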
Data handling: EU citizens now have the right to be forgotten. This gives them the right to request that you remove their personal data from your website or database, and a process should be put in place to handle such requests. All customer data must be held in an encrypted environment. To protect the personal data that you hold in transit, your website must be served over HTTPS.
Furthermore, GDPR states that all data must be held in the EU. So, it is vital that you check if software providers you use are GDPR compliant, for example, WordPress, Google, GoDaddy, MongoDB, or Zoho.
What does DPO stand for in GDPR?
DPO stands for Data Protection Officer and many companies are required to appoint a DPO under GDPR. DPOs are independent data protection experts and they work as a contact point between the company and the supervisory authority, which in the UK is the Information Commissioner’s Office (ICO).
The DPO is responsible for advising companies of their data protection obligations. DPOs also monitor the organisation’s GDPR compliance. The DPO reports directly to top-level management and their tasks include:
- Acting as a contact point on privacy matters for data subjects.
- Acting as a contact point for the ICO.
- Reporting data breaches to the ICO.
- Informing companies and employees of their data protection obligations.
- Monitoring a company’s GDPR compliance, including awareness training and data protection procedures and policies.
- Advising if a data protection impact assessment (DPIA) is required. The DPO will also instruct the company on how to conduct a DPIA and the outcome the company should expect.
Companies of any size may need to appoint a DPO and this applies to small and medium-sized enterprises (SMEs) as well. Assigning a DPO is mandatory if:
- The entity is a public body or public authority.
- A company’s core activities include the large-scale processing of sensitive data, such as personal information on criminal offences, criminal convictions, health, sexual orientation, or race.
- An organisation’s core activities include data processing operations that monitor data subjects on a large scale.
If your company needs to assign a DPO, then this person can be appointed internally or externally. This means that a DPO can be a member of staff or a contractor. Outsourcing a DPO can be the right decision for companies that want to stay focused on their core business activities.
What does ICO stand for in GDPR?
ICO stands for the Information Commissioner’s Office and this is an independent regulatory office that upholds, in the interest of the public, information rights. The ICO provides guidance on how businesses can comply with GDPR.
Recently, ICO created a code of practice and an ICO Guide to the General Data Protection Regulation. The code of practice lays out how businesses should explain to customers exactly how their personal information and data is being used.
The ICO also works with other international data protection authorities to:
- Investigate complaints.
- Share information with other data protection authorities.
- Work with partners to provide guidance and to improve the understanding of data protection laws.
Is Dropbox GDPR compliant?
Individuals and businesses widely use cloud storage. Dropbox is a popular way of storing and sharing information. Employees may use the system to send files to each other or to store work files. As these files can contain sensitive data about individuals, they will be covered by GDPR.
Using a system such as Dropbox will need to be assessed and monitored as with all other methods used for storing information. The subject of cloud storage services, including Dropbox, is a complicated one when it comes to GDPR. There are several things that the Data Protection Officer will need to know before allowing data to be transferred to Dropbox:
- Where is the data stored? – GDPR requires companies to be able to tell individuals whether their data is stored inside or outside of the EEA.
- Security of sharing data – Is the data in a shared or private space, and what encryption is used when sharing?
Dropbox themselves say that they have taken all necessary steps to comply with GDPR. Should a company have a data breach with information stored with them, presenting the Dropbox evidence of their compliance may cover them under GDPR. It may not be enough in the event of a potential issue, so this will need to be a point of consideration before choosing to hold information here.
The people responsible for handling a business’s compliance with GDPR should consider whether Dropbox fits in with their company brand and philosophy. Would a customer be happy to know that the information being provided will be stored on Dropbox? As with all data storage systems and services, each company must make sure that all information is protected and processed according to GDPR.
Is MailChimp GDPR compliant?
A common way of reaching out to new and existing clients is through email marketing, and MailChimp is one of the largest providers of this type of service. Small and large businesses use MailChimp to create email campaigns quickly and to sign up individuals to receive updates on new products and services. During these campaigns, individuals will usually provide information, some of which may be considered sensitive. In these cases, the data held will have to conform to GDPR storage and processing rules.
Each company has to implement procedures to make sure they are compliant with the new rules of data protection and storage under GDPR. However, when using a service like MailChimp, the data is not only collected by the company that created the project. It is also on MailChimp servers.
MailChimp states that it has created many tools to help a company with GDPR, as well as taking the steps needed for its own compliance. Some of the ways that MailChimp maintains GDPR compliance include:
- Data processing addendum
- 2-factor authentication for account protection
One of the elements of GDPR gives individuals the right to request information on the data held about them. MailChimp gives companies easy and quick access to contact profiles. Easy access to campaign information and individuals’ data allows for a quick response to data requests.
MailChimp handles and processes data from millions of people and has to conform to GDPR. Each company that uses them also has to make sure they are compliant. Any data breach would have to be defended, showing that all necessary steps have been taken to protect information.
Should the information come from a MailChimp campaign, using their GDPR evidence may be enough of a defence. Each company is ultimately responsible for its own GDPR compliance; using MailChimp places part of that responsibility in a third party’s hands.
Is Gmail GDPR compliant?
Any business that uses Gmail may be wondering if the data they are sending through the system is GDPR compliant. Data on Gmail is likely to be passing through the USA. The company has stated that its services are fully GDPR compliant. G Suite and the Google Cloud Platform are used for data purposes in Gmail. These systems are, according to Google, fully covered under GDPR. The company takes data protection very seriously and has been working with the relevant authorities in Europe for years.
As the company works with European Data Protection Authorities, it has aimed to cover any existing and new laws as they come into effect. All of this means that Google has put processes in place that will collect, store, and remove any data on individuals according to GDPR practices. While this is good news for any business using Gmail as an email service, those individual businesses are ultimately responsible for their own GDPR compliance.
The evidence of Gmail GDPR processes and technical solutions may be enough in the event of a data breach. Should a problem occur with the data, the company that collected it using Gmail will have to show that they have done everything necessary under GDPR.
Google has added several new features to Gmail to make it easier for businesses to be GDPR compliant.
An option now exists that lets your business set a time after which messages become inaccessible. This new confidential mode can be used to stop recipients downloading, printing, copying, and forwarding emails that your business sends via Gmail.
You can now revoke access to the email at any time, set a password, and set an expiration date. To turn confidential mode on or off, go to Gmail > Compose > Confidential Mode (the lock icon at the bottom of the email window) and enter the details requested.
When the confidential mode is active, Gmail sends a link to the content of the email. This email content is visible through this link, which no longer works after the expiration date. Obviously, Gmail cannot delete an email from someone else’s account, so this is a great workaround.
Still, confidential mode is primarily a function to protect confidential emails from accidentally being shared. It does not stop an email recipient from photographing the message or taking a screenshot of it at the time of opening the link.
Is SurveyMonkey GDPR compliant?
SurveyMonkey is GDPR compliant and its services are built for Enterprise. Specifically geared towards GDPR compliance, SurveyMonkey has introduced the following features:
- Control and retention of data – Your business can control its data through its SurveyMonkey account. You can control the length of time that personal data is held. You can delete individual survey responses, and account data will be deleted permanently. Deletion includes SurveyMonkey back-ups, which occur within 90 days.
- EU data centre – Following concerns about data being held outside of the EU, SurveyMonkey is building a data centre that will be located in the EU.
- Email opt-in changes – Your business can now opt in to and opt out of receiving SurveyMonkey emails, no matter which part of the business they originate from.
SurveyMonkey has introduced 13 robust security features to ensure that it remains GDPR compliant:
- Single sign-on support.
- Access control (authorisation and authentication).
- SOC 2-accredited data centres.
- Data encryption in transit and at rest.
- Vulnerability management.
- Continuous security and network monitoring.
- Security awareness training.
- Incident recovery and response.
- EU-US Privacy Shield certified.
- HIPAA and PCI DSS 3.2 compliant.
- Periodic independent third-party penetration testing and security reviews.
- Trusted security partners, ensuring best-in-class protection and security.
- Security and high availability service at scale guaranteed through multiple data centres.
Is WhatsApp GDPR compliant?
WhatsApp’s GDPR compliance is questionable in several areas, such as Data Portability, the Right to be Forgotten, and the Right to Access. Non-GDPR compliance issues include:
- Transfer of data to the US – The US has less strict personal data privacy laws than the EU, so adequate protection cannot be ensured.
- Collection of metadata – WhatsApp collects the metadata of users, even though the messages are end-to-end encrypted. With this in mind, WhatsApp is not transparent in what personal metadata it holds, how it is processed, and who it is transferred to.
- User address book – User data, such as email addresses and phone numbers, is sent to WhatsApp and Facebook. Companies are unable to tell customers how that data is being used and hence cannot fulfil the Right to Access element of GDPR.
Many businesses are banning the use of WhatsApp and instead, are using enterprise messaging apps. If your company wishes to minimise the risk of GDPR non-compliance then it should consider the following three points when selecting a messaging app:
- Encryption – Does the enterprise messaging app encrypt and pseudonymise, as far as possible, personal data?
- Geo-data storage – Does the enterprise messaging app store personal data outside of the EU?
Is OneDrive GDPR compliant?
According to Microsoft, OneDrive is GDPR compliant. OneDrive’s GDPR compliance is highlighted at Microsoft’s Trust Center, where its methodology is explained. OneDrive is built upon four principles: security, compliance, privacy, and transparency.
With OneDrive for Business and SharePoint, administrators can set their own lifecycle policies for information and data. Admins can delete or retain OneDrive files when an employee leaves the company, through retention policies. Your organisation can modify contact information and user account information, as well as force password updates.
For the purposes of GDPR compliance, you can manage and identify data and set your own data management and access policies. Your company can also control where your data resides geographically.
OneDrive protects customer data against unauthorised, unlawful, or accidental access, as well as destruction, alteration, loss, and disclosure. Examples of the measures and controls in place include:
- Services are verified independently to comply with the framework outlined in OneDrive’s Online Services Terms.
- Internal reviews of new features, processes, and services are conducted to ensure security, privacy, and legal compliance.
- Data is encrypted in transit between users and data centres, as well as when data is at rest.
- Multiple layers of physical security are in place at data centres. Measures include security breach alarms, 24-hour secured access, video surveillance cameras, biometric readers, and motion sensors.
If a data breach occurs, then Microsoft will notify your company’s admin.
Is Office 365 GDPR compliant?
Office 365 is a cloud-based subscription service that comprises office applications such as Word and Excel. With over 40% of organisations using Office 365, GDPR compliance is crucial.
According to Microsoft, Office 365 is GDPR compliant. Microsoft provides server tools designed for businesses that are GDPR compliant, such as SharePoint Online and Exchange Online.
Office 365 integrated tools leverage intelligence to minimise risk across three key areas:
- Assess – Actionable insights and amplification will help you manage customer compliance in one place.
- Protect – Across devices, cloud services, and apps, you can automatically govern and protect sensitive data.
- Respond – Find the most relevant data with AI (artificial intelligence) to quickly respond to regulatory requests.
These three areas of compliance include tools such as the Service Trust Portal, Customer Lockbox, Customer Key, Privileged Access Management and Compliance Manager. These help businesses with encryption, information governance, access control, advanced eDiscovery, and auditing.
Microsoft also provides a Compliance Manager to help companies be GDPR compliant. The Compliance Manager will help you continually monitor your organisation’s compliance. The software recommends actions your company can take to enhance your data protection capabilities.
Your data governance strategy can make use of the Azure Information Protection Scanner. The Azure Information Protection Scanner will help you configure policies and automatically discover, classify, label, and protect documents held in your on-premises repositories, such as file servers. In addition to this, the Azure SQL Database is designed to alleviate the burden of updating and patching the data platform.
Is Google Drive GDPR compliant?
Google Drive is a cloud service that complies with the EU General Data Protection Regulation. Google Drive meets GDPR compliance through a variety of measures. To start, Drive uses Google-made servers and hardware that meet the highest level of security standards.
Google Drive also minimises the access that Google employees have to its servers and data. Google has a long-term plan to automate all processes so that human access is unnecessary.
All data is protected with state-of-the-art 256-bit AES encryption. Data in transit is protected with SSL/TLS encryption, and data that travels within Google is also encrypted.
To aid organisations that use Google Drive, Google:
- Offers additional security features that can help you protect the most sensitive personal data.
- Continues to evolve its capabilities as regulations change.
- Gives you resources and documents that will help businesses assess Google’s privacy services.
- Commits to comply with GDPR in its contracts, in relation to processing personal customer data.