When can you process data?
You may process personal data of natural persons only for the following reasons:
- if the processing is necessary to comply with a legal obligation incumbent on AITOM;
  - for example, storing invoices or employees’ employment contracts
- if processing is necessary for the performance of a contract to which the data subject is a party, or for the implementation of measures taken prior to entering into a contract at the request of that data subject;
  - for example, processing necessary to fulfil an order from an online shop
- for the purposes of legitimate interests;
  - A legitimate interest is not precisely defined. It includes, for example, direct marketing (including electronic marketing), and very likely also reminders about abandoned shopping baskets or the distribution of press releases. If you are unsure whether an interest is legitimate or not, carry out a balancing test. You can find a template here.
- to protect the vital interests of the data subject or another natural person;
- where processing is necessary for the performance of a task carried out in the public interest;
- with the consent of the data subjects concerned.
What valid consent should look like
Consent must be freely given, specific, informed, unambiguous and unconditional. It is an active and voluntary expression of will. The controller must be able to provide evidence of consent. However, it does not necessarily have to be in writing; you can also provide evidence of verbal consent (if you have witnesses, a recording, and so on). Consent always relates to a specific purpose of processing, which the data subject must be aware of.
A company must not make the use of an application conditional on consent (a common practice with e-books or various calculators). Do not use consent in cases where it can be assumed that the data subject does not understand the nature of the consent – i.e. in the case of children, the elderly or persons with reduced decision-making capacity.
As part of the consent process, the user must be provided with the following information:
- To whom they are providing the data (i.e. your company’s identification)
- What data you are collecting about them
- The purpose of the processing
- How long you will process the data
- Whether the data will be transferred to other processors, who these processors are, and whether the data will be transferred outside the EU
- How consent can be withdrawn
- What rights the user has
How to be prepared?
Step 1: carry out an internal audit
To know what you need to fix or tweak, you need to know what data you process and where. So have a good sort through your data. You don’t need expensive lawyers or days spent on analysis (unless you’re a corporation).
Use this questionnaire from the Association for Internet Development. The output will be a simple Excel spreadsheet mapping out what data you collect. You can find a template for such a spreadsheet here.
The GDPR requires a Data Protection Impact Assessment. However, this only needs to be carried out by companies that process sensitive data or that “systematically and extensively evaluate personal aspects relating to natural persons, provided that this evaluation is based on automated processing (including profiling)”. In practice, this applies to very few people.
If you are required to carry out an impact assessment, you are likely also obliged to appoint a Data Protection Officer, who is then responsible for ensuring compliance with all relevant legislation. Find out more about what the Data Protection Officer must do.
Step 2: analyse the risks
The risk analysis will add a few columns to your internal audit. You will ask yourself how great a risk a specific piece of personal data poses to the data subject.
For example, the risk involved in processing an email address is low. A potential leak would not cause the user any significant harm. However, a leak of personal data in the form of a sensitive photograph could discredit the data subject. You should choose security measures accordingly. Alternatively, consider whether the risks are too great; if so, it is wiser not to process the data at all. The Association for Internet Development once again offers a practical guide.
Step 3: Check your website and marketing
By now, you should know when and where you collect personal data. Check that users are aware at all times of how their personal data will be handled.
Add a link to the full text of the consent form to enquiry forms, newsletter sign-ups and other forms. You can find a consent form template here. A newsletter sign-up form might look like this, for example. And that is perfectly fine.
Note that there is no tick box in the form. A tick box is not always necessary. Tick boxes are slightly more complex to program, so consider whether you really need to use them.
How should personal data be processed in an online shop?
In the case of an e-shop, you can include some information about the processing of personal data directly in the terms and conditions. In these, inform the user how you will handle their address (just as you tell them how quickly you will process their complaint); you can also inform them of your legitimate interests.
However, if you wish to use the data for a purpose other than processing an order, you must obtain specific consent, which must be separate from the terms and conditions.
Step 4: Consider cookies
Cookies may constitute personal data. Without consent, you may only process analytical cookies or those necessary for the website to function properly.
You may only process marketing cookies for ad targeting or personalisation with consent. You can obtain this via a cookie banner. Cookies will in future be regulated by the ePrivacy Regulation, but this is not yet in force.
Step 5: Prepare for new obligations
New obligations await you; plan how you will address them. In particular, you must:
- Keep records of processing
  The internal audit and risk analysis from the introduction will serve this purpose.
- Ensure security
  Keep printed documents under lock and key. Implement the HTTPS encryption protocol on your website. You can encrypt electronic documents, protect them with passwords, and so on. Generally, use only trusted services.
- Report security breaches
  A breach is considered to have occurred if someone breaks into your office and forces open a locked filing cabinet containing documents, gains unauthorised access to the server, or steals a device containing personal data.
  You must report the breach to both the Office for Personal Data Protection and the data subjects. Ideally, this should be done within 72 hours of discovering the incident. Of course, you also have a duty to minimise the damage.
  Note: If you can demonstrate that it is unlikely that the security breach in question would result in a risk to the rights and freedoms of natural persons, you do not need to report anything. For example, if you can prove that the data was perfectly encrypted.
- Keep records of security breaches
  As soon as an incident occurs, make a note of what happened and how you dealt with it. Again, a single table will suffice. You must also record incidents that you have not reported (see point above).
- Provide access to data
  Ideally, access should be online.
- Respond to requests from data subjects
  Users have the right to ask you to update or delete their data. You always have 30 days to respond. Nevertheless, set up an internal mechanism so that you know who is responsible for this task.
- Ensure data is deleted
  This applies to both electronic storage and all printed and backed-up copies.
- Transfer data in machine-readable form
  Your tools must be capable of preparing data exports.
Frequently asked marketing questions
Should I ask for consent for everything? Just to be on the safe side?
That’s not possible; you’d confuse users. You must only require consent where you have no other legal basis for processing the data.
Do I need a checkbox for everything?
The GDPR states that consent must be a clear action – and filling in an email address and clicking is undoubtedly that. Use a checkbox when you want to be sure that the user has read the text. It is necessary if the form has multiple options – for example, if you want to offer registration straight away alongside an order in an online shop.
Our law firm also recommended that we include a checkbox in the online shop if the user enters personal data at one stage of the order process and the text of the consent and terms and conditions appears at another.
For example, the Labeloo online shop: you enter details (such as name and address) in the third step of the order, but the full consent form only appears in the fifth step, before you finally confirm the order.

When must I use double opt-in?
Double opt-in is a procedure where you verify the data subject’s identity by sending a confirmation link, for example via email. It is commonly used in email marketing. It will not be mandatory under the GDPR, but we would certainly recommend it. Among other things, this helps you avoid emails that would only spoil the quality of your database.
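A minimal version of that confirmation step, as an added example and not code from the original guide: the emailed link carries a signed token bound to the address, the purpose and an expiry, and only a valid click produces the consent record the controller must later be able to produce as evidence. The secret, the purpose name, the one-day link lifetime and the withdrawal text are assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-server-secret"   # hypothetical; keep in server config, not in code
TOKEN_TTL = 24 * 3600                   # confirmation link valid for one day (assumption)
CONSENT_YEARS = 5                       # upper bound the guide suggests for a consent period


def make_token(email: str, purpose: str, now: int) -> str:
    """Bind the link to this address, this purpose and an expiry, then sign it."""
    body = json.dumps({"e": email, "p": purpose, "x": now + TOKEN_TTL}, sort_keys=True)
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body.encode()).decode() + "." + mac


def verify_token(token: str, now: int):
    """Return (email, purpose) only for an unmodified, unexpired token; else None."""
    try:
        enc, mac = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(enc.encode()).decode()
        data = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if now > int(data["x"]):                     # stale link: ask the user to sign up again
        return None
    return data["e"], data["p"]


def record_consent(email: str, purpose: str, confirmed_at: int) -> dict:
    """Evidence record: who, for what purpose, when, until when, and how to withdraw."""
    return {
        "email": email,
        "purpose": purpose,
        "confirmed_at": confirmed_at,
        "expires_at": confirmed_at + CONSENT_YEARS * 365 * 24 * 3600,
        "withdrawal": "unsubscribe link in every email",   # assumed withdrawal route
    }


def confirm(token: str, now: int):
    """Second step of double opt-in: only a valid click yields a consent record."""
    checked = verify_token(token, now)
    if checked is None:
        return None
    email, purpose = checked
    return record_consent(email, purpose, now)
```

Addresses that never click the link are never added to the database, which is the quality benefit the text mentions.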
How long can I process the data?
In principle, for as long as the data subject allows. The processing period should be proportionate to the purpose. Granting consent to receive a newsletter for 100 years is not proportionate. A period of up to 5 years is often recommended. However, you can always ask the user for an extension or new consent before the consent period expires.
How can I handle business cards?
Any expression of free will is considered consent – including handing over a business card at a business meeting. Remember, however, that the controller of the business card is the company that employs you. If you receive a business card from a business partner, you may use it in discussions about your services or pass it on to anyone in your internal team. However, you cannot use the email address on the business card to send another commercial offer.
In the case of AITOM, we can discuss the website with you, but under no circumstances can we send you, for example, an offer from our partner e-shop to your work email.
Can I pass on my supplier’s contact details?
The recommendation will still work. Let’s say you know an excellent plumber and have his business card, which he gave you during his last job. You can pass this business card on to a neighbour who is also looking for a reliable tradesperson, even without his explicit consent. You are, after all, acting in his best interests. It can be assumed that this is a professional contact and they will appreciate new jobs. However, you cannot pass on a private telephone number.
Can I use references?
Generally, you must have consent to publish a reference, as it contains personal data. In the case of Facebook, Facebook is the data controller and is responsible for obtaining consent.
Another solution is to anonymise the data. For example, instead of signing ‘Tereza Malkusová, AITOM’, you could sign the testimonial as ‘Tereza from Prague’.
If the testimonial does not include a photograph or other identifying information, you will not need to worry about it.
Do I have to delete all databases?
No, if you obtained the contact details in accordance with the GDPR (for example, the user gave their consent previously or they are your customers), then simply inform the user of the new terms and conditions. However, if you did not obtain the contact details in accordance with the GDPR, then you must request consent again.