As you probably already know, GDPR is not just a software "thing". You can't only modify your app and say that you are GDPR compliant. There is more than that. You also need to review and revise your business processes related to the personal data.
Vice versa also applies. It is not enough to put just your business processes in order; most likely, you will also need to adapt your software.
In general, when we are talking about the GDPR, there are two main parties involved: you and an individual whose personal data you are processing. In GDPR terminology, an individual (your customers, users, employees, etc.) is called the "data subject".
In this article, we'll focus on three main communication channels:
A. communication between you and data subjects,
B. communication between you and GDPR HQ and
C. communication between GDPR HQ and data subjects
Note that this is a simplified version - if you are not the only entity processing personal data, the picture gets more complicated. One typical example is when you are using third-party entities for conducting personal data processing activities on your behalf (as "processor").
The relationship between you and your data subjects is the core. It is all about the various communication channels between your organization and your customers (users, employees, etc.). The new legislation applies as law in all EU member states from 25 May 2018, and individuals will have more rights than before.
All your processing activities dealing with personal data will have to adapt or stop.
For all those processing activities where the lawful basis is consent, you will have to positively know whether you are allowed to continue the processing or not.
All your employees will have to know whether they are allowed to process some data (e.g. call someone, send him an e-mail or a flyer, etc.). For each individual in your system, you will need to know, among other things, whether you have permission to process their data.
For those processing activities where the lawful basis is legitimate interest, an individual has the right to object. In plain language: if you carry out specific processing, individuals have the right to say "stop". And if they say so, you are not allowed to continue (exceptions may apply).
For example, if you are sending e-mail notifications to your users, each user can exercise his right to object by opting out.
The big thing about the GDPR is "Privacy by Design". Among other things, it means that you should redesign your software and your business processes to be able to support data subject rights. In many scenarios, that's easier said than done.
Both your business processes and your apps must be able to "survive" situations such as these:
- deal with a minimum of personal data; do not store "everything, just in case" - store only what is really needed for a specific processing activity
- deal with data subject requests exercising the right to rectification or the right to be forgotten. Think about what will happen to database/application integrity if you are forced to change or delete specific data.
We provide an open source client SDK your developers can use to help themselves with application customizations.
To be able to conduct specific processing activity, you will need to generate and print a document of consent. An individual can then sign that document stating that he is permitting you (giving you consent) to proceed with that specific processing.
On the other hand, you are obligated to store (signed) consents to be able to demonstrate that an individual gave you his permission.
A similar situation applies to HTML form consent for web and online businesses, but instead of a printed and signed form you will use web forms and checkboxes (unticked by default).
A privacy notice (policy) is an essential document where you state all necessary information related to data subjects' privacy. GDPR HQ can help you with the policy generation process so that you can indicate how you will use their personal information, whether you will share it with third parties, explain how individuals can exercise their rights, etc.
This feature is simple and easy to implement on almost any website, and it will help you with the management of data subject rights.
Website cookies are often necessary for the proper functioning of a website, for user login, e-commerce shopping cart, analytics or advertising.
Any cookie that is capable of identifying an EU resident, or treating them as unique without explicitly identifying them, means that the website is processing personal data.
GDPR HQ provides you with the tools to scan your website for cookies and to group those cookies into functional groups, e.g. necessary, analytics, marketing cookies, etc.
You can easily find all information related to GDPR in our app manually – open the app, go to a specific module and find what you are looking for. Manual lookup will work if you don't have many customers, clients, users, visitors… for all other cases, it is likely that you will need to connect your existing applications and systems with the GDPR HQ application.
We provide three different mechanisms your IT developers can use to connect with us:
· API – implemented in a standard, secure and documented way. Developers can use it to work with the data stored in our databases
· Webhooks – use them to get notified when certain events occur in our systems, e.g., when a new request for erasure is created
· Client SDK – developers can reference it directly in local apps to handle communication with our systems more easily; it is open source and available on GitHub
Whether you are about to call a potential customer from your CRM application, or you are about to send an e-mail to a subscriber, you will need to know if you are permitted to do so.
Display information related to consent existence right inside your applications, so that employees know how to proceed with the activity. Filter e-mail addresses automatically before sending, to ensure that unwanted emails are never sent.
Similar to consent, for all processing where the lawful basis is legitimate interest, you will have to honour an individual's right to object. No more processing once someone has objected.
Automate this process with our SDK/API – for example, check whether an individual has unsubscribed from e-mail communication (exercised the "right to object") by contacting GDPR HQ.
Subscribe your application to different events occurring in our systems, e.g.:
· when a record of consent is created,
· when a data subject objects to processing (for example, email unsubscribe),
· when a data subject requests erasure or rectification of personal data
Handle these events in your app and automate interactions with the GDPR HQ.
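To show how the three event kinds above can drive the "may I contact this person" check and the outbound e-mail filter described earlier, here is an added Python example. It is not GDPR HQ's SDK or webhook format: the event names, payload fields and the HMAC-SHA256 signature scheme are assumptions, and the sample events are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
@dataclass
class ConsentLedger:
    consents: dict = field(default_factory=dict)    # email -> {purpose, ...} with a consent record
    objections: dict = field(default_factory=dict)  # email -> {purpose, ...} objected to
    erased: set = field(default_factory=set)        # subjects with an open erasure request

    def may_process(self, email, purpose, basis):
        # An erasure request or an objection always wins, whatever the lawful basis.
        if email in self.erased or purpose in self.objections.get(email, set()):
            return False
        if basis == "consent":              # consent-based: need a positive record
            return purpose in self.consents.get(email, set())
        if basis == "legitimate_interest":  # allowed unless the subject objected
            return True
        raise ValueError(f"unknown lawful basis: {basis}")

    def handle_event(self, event):
        # Event names and fields are assumptions, not GDPR HQ's real webhook schema.
        kind, email = event["type"], event["data_subject"]
        if kind == "consent.created":
            self.consents.setdefault(email, set()).add(event["purpose"])
        elif kind == "objection.raised":
            self.objections.setdefault(email, set()).add(event["purpose"])
        elif kind == "erasure.requested":
            self.erased.add(email)
            self.consents.pop(email, None)  # consent records for an erased subject are void
        else:
            raise ValueError(f"unhandled event type: {kind}")

def verify_webhook(secret, raw_body, signature_hex):
    # Assumed HMAC-SHA256 scheme: a forged POST must not be able to grant itself consent.
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)

def filter_recipients(ledger, emails, purpose, basis):
    # Drop every address the ledger says you may not contact for this purpose.
    return [e for e in emails if ledger.may_process(e, purpose, basis)]
# Constructed sample deliveries (already authenticated) for the events listed above.
SAMPLE_EVENTS = [
    {"type": "consent.created", "data_subject": "alice@example.com", "purpose": "newsletter"},
    {"type": "objection.raised", "data_subject": "bob@example.com", "purpose": "service_notice"},
    {"type": "erasure.requested", "data_subject": "carol@example.com"},
]
def build_ledger(events=SAMPLE_EVENTS):
    ledger = ConsentLedger()
    for ev in events:
        ledger.handle_event(ev)
    return ledger
```

Call `verify_webhook` on the raw request body before `handle_event`, and apply `filter_recipients` immediately before the mailer sends, so that a stale local copy of the list never overrides the ledger.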
You can conduct GDPR related communication with your customers, users or employees using our app. Some of the important features of the GDPR HQ application are modules for creating answer templates (both PDF and email versions) and a module for storing and creating all communication with data subjects.
Send an email directly from GDPR HQ, or print out PDF if a hard copy is required. Store all answers from data subjects in one place, as files or scans of documents.
When an individual sends you a request to exercise one of his rights, enter it into GDPR HQ. These requests can also pour in from the DSR Form (see #5 above), from the API or from other sources.
Track all communication with the individual and send templated answers back.
For example, if an individual requests data erasure, your workflow may be:
- send a templated answer saying that you received the request and that you will proceed with data erasure as quickly as possible
- once erasure of the personal data is finished, notify the individual that the process is complete
Track complete history of communication.
The truth about the GDPR is that you can have one large folder, plenty of papers, a sharp pencil and still be compliant. That is if you live in the 20th century and don't have any computers and software.
But if you are in some way digitalized, with many different applications, databases and systems storing and processing personal data, the story is different. You need digitalized help.
Employees calling leads need to know whether they are allowed to call or not. Software for e-mail marketing campaigns needs to know whether a user has unsubscribed ("right to object"). A manager in the human resources department needs to know whether he can publish an employee's photo.
All other apps (CRM, ERP, HR, etc.) need to know when to delete personal data ("right to be forgotten").
Nowadays systems and applications are interconnected more than ever before. GDPR HQ follows that approach and allows you to connect your applications and systems to be able to get answers to these critical questions:
- am I allowed to process a specific individual's data ("do we have consent")?
- is it forbidden to contact someone ("has an individual exercised the right to object to our processing")?
- is an individual exercising his other rights (e.g. "asking for information or for rectification of personal data")?
GDPR HQ is software which helps you to comply with the General Data Protection Regulation. It also helps you in various business scenarios by providing a secure communication mechanism your software systems can utilize to get timely answers.
Use GDPR HQ to handle all processing activities related to personal data in one place. Let both your employees and your applications use it to simplify GDPR tasks in your organization.