GDPR Compliance Solutions

GDPR compliance may be required for your organization.

Your customers trust you to provide transparency and security

Proficiency, meet process

Next Steps

Privacy Policies and Cookie Consent Tools Crafting your policies and informing individuals about them can be tricky. We help you read between the lines to create and/or update your privacy notices, information governance, and security policies.

Cookie consent tools are a GDPR requirement. We evaluate your vendors so you can assess and establish risk. Once we’ve found your perfect cookie consent tool, we’ll help you pick the best route to implementation.

Looking for a DIY approach? We provide customizable templates for privacy notices and cookie banners.
Vendor Management and Privacy Technology Who are you working with? Are your management processes appropriate for your relationship? We help you analyze and update your strategies for new and existing vendors, including vendor assessments, Data Protection Addendums, or vendor agreements.

Are third-party privacy technology vendors part of your plan? We’ll assess your vendors and walk you through building a roster of data management and consent tools and establish plans for reporting processing activities, data security, and more.

Starting out with a vendor assessment? This project makes a useful point of entry for later data inventories.
Privacy Impact Assessments Create and perform privacy impact assessments for new products or marketing campaigns.

What You Need to Know About GDPR

What’s GDPR?

The General Data Protection Regulation (GDPR) was described by everyone as the European Union’s “game-changing data privacy law.” It went into effect in March of 2018 and businesses have been chasing compliance ever since.

They aren’t wrong. GDPR is the biggest data protection law to come about in the last 20 years since the internet, mobile devices, e-commerce, social media, and big data took off. It affects businesses of all sizes around the world.

But what does that really mean?:

In plain English, the GDPR set guidelines that businesses, organizations, non-profits, essentially anyone who touches someone’s personal information in connection with goods and/or services to EU residents. Money doesn’t even need to change hands – the rules can apply if you’re asking for people’s personal information in exchange for information, subscription to an email list, etc.

—-

GDPR instructs businesses and organizations, but at its core, it’s about giving individuals control over their data. GDPR includes a number of pieces in place designed to provide that control, including:

  • The right to be informed
  • The right to access
  • The right to rectification
  • The right to erasure/to be forgotten
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Combined, all of these rights give EU residents the right to be informed and understand how their personal data is being collected, stored, and used by companies. Companies have to get people’s content before using their data and they have to delete it if you ask them to. Learn more about the full scope of GDPR rights and how they differ from the new data protection law, CCPRA.

What’s Article 30 and Why is it Important?

Article 30 requires organizations to develop and maintain an internal Record of Processing Activities (ROPA). Without this record, it’s impossible to know what kind of personal data a company is gathering, how they’re storing it, and how it’s being used both internally and externally. Without this record, ultimately, it’s impossible to be fully compliant with GDPR.

Why is it Important to Businesses?

On a financial level, non-compliance can be a killer. If you’re found out of compliance with GDPR, you risk a fine of up to 20,000,000 euros or up to 4% of your company’s profits from the previous year. (Whichever is higher.)

Compliance also creates transparency for your clients. Without it, your business risks serious reputational damage, loss of consumer confidence, and loss of business.

GDPR compliance extends past your own office doors, too. If your company has partners, they also need to be in compliance. That’s why vendor relationships are important to address when building your compliance – the trust factor is critical to doing business in a compliance-driven landscape.

Looking at the bigger picture, GDPR compliance can save your company time and money by prioritizing a streamlined data policy.

What’s Considered Personal Data?

One of the major changes to privacy came with the way that GDPR defined “personal data.” GDPR took a more expansive view of the concept. Most companies view personal data as being names, emails, addresses, ID numbers. And it is!

But GDPR has expanded what personal data means in some big ways by including new categories of health, genetic, and biometric data. According to the regulations, these categories are “particularly sensitive in relation to fundamental rights and freedoms.”

GDPR protects the following types of information:

  • Identity information. May include name, birthdate, address, and ID numbers
  • Web data such as location, IP address, cookie data
  • Health and genetic data
  • Sexual orientation
  • Biometric data
  • Racial or ethnic data
  • Political opinions

Interested in the whole list? Learn more about how GDPR classifies personal data here.

Does GDPR Apply to my US-based Company?

This is one of the most common questions posed by companies in the US. While GDPR covers the personal data of individuals in the European Economic Area (EEA), it potentially applies to any company in the world. If your company provides goods or services in the EEA, then GDPR applies to you.

What if no financial transaction happens?

Yes, potentially your company would need to be compliant with GDPR. If you’re an internet-based company that sells or markets products online to EU customers, you need to comply. If your company has a domain suffix for an EU country, ships to an EU country, provides translation of your site into a language of an EU country, or markets in that language, then GDPR applies to you. Are you B2B? If your customers serve an EU audience, GDPR compliance likely also applies to you.

Tracking information also counts. For example, if your company does market research on EU residents by tracking and collecting information to predict online behaviors, that qualifies.

What if we’re considered a public authority?

Public authorities or agencies make heavy use of personal data to deliver their services. That means they have the same responsibilities as private companies.

What does “Data Processor” and “Data Controller” mean?

Data processor and data controller are big concepts in the implementation of GDPR. Companies need to determine if they are either a “data processor” or a “data controller.”

Under GDPR, a data controller is the entity responsible for making decisions about personal data, like how it will be collected, used, shared, retained, destroyed. If something goes wrong – i.e., a data breach or mishandling of data – they’re on the hook.

A data processor, on the other hand, is simply that: The party that processes the data on behalf of the data controller. They are contracted by the data controller to process the personal data only as instructed and only for the purposes of the controller, among other obligations. Most of the GDPR’s compliance obligations attach to the data controller, however processors have some too.

Go beyond compliance

Data Privacy is Just Good Business