GDPR Compliance
The General Data Protection Regulation is the latest European data privacy law that aims at changing the way EU citizens’ personal data is collected, processed and stored, transferring the power over personal data from companies to data subjects.
A person’s identity is no longer just a set of randomly floating data; the new law provides power, control and consent over the shared data.
According to the GDPR, consent must be obtained from data subjects before companies can collect any personal identifying information. It also brings a new perspective on consent management, in which the liberty to withdraw consent must be granted at any moment.
Even though the first step towards GDPR compliance is awareness and a thorough understanding of what changes the regulation has brought, acknowledging its impact over your organisation is the starting point towards compliance.
Who does the GDPR apply to?
The GDPR applies to data processors and controllers that:
- Are established in the European Union and process personal data in the context of activities of a EU establishment, no matter if the data processing is performed within the EU or not.
- Are not EU-based but process the personal data of European data subjects with the purpose of monitoring their behaviour or selling goods or services to them within the EU.
- Are not established in the European Union but in a place where the laws of a member state applies by virtue of public international law, such as the case of diplomatic missions and consular posts of EU member states.
The GDPR applies to the processing of personal data:
- Belonging to natural persons and not legal persons.
- Partly or wholly by automated means.
- Not by automated means, but as part of a filing system or that is intended to be part of a filing system.
- That includes any action performed on it, such as collection, storage, organisation, recording, use, disclosure by transmission, restriction, etc.
What personal information is covered?
- Classical personal data such as name, surname, initial, alias, home address, phone number, birthdate or place of birth, ID card number, credit card number and e-mail address.
- Sensitive data such as genetic and biometric data such as health data, face, fingerprints, retina, DNA, etc.
- Online identifiers such as IP addresses and cookie identifiers.
- Location data such as device location history.
- Metadata related to data subject's Internet activity such as browsing and search history, as well as information regarding a data subject's social media accounts and posts.
- Education information not otherwise available.
- Employment or professional information not otherwise available.
What are the exceptions?
The GDPR does not apply to the processing of personal data:
- As part of an activity that falls outside the scope of the Union Law.
- By a Member State while carrying out an activity that falls within the scope of Chapter 2 of Title V of the TEU.
- By a natural person as part of a purely personal or household activity.
- Through a non-automated method that is not part of a filing system.
- Performed by authorities as part of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
The following types of personal information are exceptions from the GDPR’s requirements:
- Anonymised data.
- Pseudonymised data.
What are the Penalties for GDPR?
2% OF THE ANNUAL TURNOVER, OR
4% OF THE ANNUAL TURNOVER, OR
European Data Subjects' Rights
Right of access
Data subjects have the right to receive confirmation on whether their personal information is processed and if that is the case, be granted access to it.
Right to erasure (right to be forgotten)
According to the GDPR, in certain cases data subjects have the right to have all their personal data erased.
Right to data portability
They have the right to get from data controllers their personal data in a structured format and they have the right to transfer this data to another data controller.
Right to restriction of processing
Under the regulation, data subjects have the right of obtaining the restriction of processing of their personal data, under certain situations and/or for a certain period.
Right to object
In certain cases, data subjects have the right to object to the processing of their personal data, including for profiling or if such data has been collected for direct marketing purposes.
Right to rectification
The GDPR grants data subjects the right to rectification of their inaccurate personal data and to provide additional data to complete any incomplete personal data.
Right to reject automated individual decision-making
Data subjects have the right not to be a subject of a decision based only on automated processing.
Make your website fully compliant for the
CCPA and GDPR regulation today!
GDPR Compliance Requirements
- Publicly display your company's name and contact information, as well as your DPO's name and contact information, if your company has assigned one.
- Communicate European data subjects' rights clearly.
- Empower data subjects to exercise their data privacy rights by setting up a method they can use to easily submit requests.
- Verify the identity of data subjects before acting on the requests you receive.
- Enforce internal processes to respond data subject's requests in time (30 days).
- Update and communicate your cookie / data collection policies to include information on what personal data you collect, why, for how long, what is the legal base for collecting it, where you store the data and who you share it with.
- Classify and map data, legal bases, processing purposes and data processors.
- Ensure cookie compliance by asking users' consent before loading any scripts on your website.
- Ensure the security of personal information through security and privacy practices.
- Document that you collected consent before performing any processing activity that is governed by users' con-
sent.
- Demonstrate that you have respected users’ rights and addressed their requests.
GDPR Compliance Checklist
Company And DPO Contact Information
Under GDPR, companies are required to make the name and contact details of their Data Protection Officer as well as their company contact details publicly available to allow data subjects to easily contact them for inquiries.
How Clym can help:
- Company data management that brings more transparency over the company's identity and helps build trust.
- DPO contact information management that helps you comply with the obligation of displaying such information.
- Companies' Open Registry that allows users to browse through a database containing companies’ contact and DPO details, terms, privacy and cookie policies and their privacy rights.
Data Mapping And Classification
Processing of personal data is only possible if you have a lawful basis, which means that you must determine and document yours before collecting any PII data.
As a data controller and processor, you have the legal obligation to identity and map the personal information collect, what is the legal base and processing purpose for doing so and what data processors have access to it.
How Clym can help:
- Data mapping and classification by data point and category, including sensitive information.
- Management of processing purposes, data processors, legal bases and retention periods.
- Data processing agreements management for each data processor.
Transparent Sharing
Make sure you update your Terms, Policies, Agreements & Procedures to include information regarding all processes related to personal data, explaining the reason why it is processed, who else has access to it, and what measures you are taking for ensuring its security.
How Clym can help:
- Document management for Terms, Policies, Agreements & Procedures.
- Flexible set up per country, allowing you to adapt to different privacy requirements and stay connected to your users.
- Policy update and versioning, allowing you to create, modify and publish new versions of your policies instantly, in a transparent way.
- Embeddable policies that can be included throughout your website and synchronised at once.
- Secure sharing of documents via unique URLs for easier sharing with your partners.
Data Subject Rights And Requests (DSR)
Under the General Data Protection Regulation, data subjects have seven fundamental rights.
As a data processor or controller, you have the obligation of informing them about these rights, set up a mechanism for allowing users to exercise their rights, as well as to address these requests in a serious and timely manner.
How Clym can help:
- Publicly available list of data subject rights within the privacy widget and privacy center.
- Data subject request collection and management.
- Identity verification of the users submitting the request through a unique e-mail verification link.
- Data subject request management flows for easier status tracking and responsible assignation.
- Request timeline and configurable notifications.
- Anonymised profiles that contain all consents and requests of a data subject.
Cookie Consent & Compliance
Inform your users about any personal data collection activity you may perform and collect their consent for doing so in an unambiguous, informed and free way.
Let them know what categories of personal information you are collecting about them, why you are collecting it, how it will be used, for how long and what other processors you are sharing this information with.
Don't load any cookies or third party content on the website before obtaining your users' explicit consent.
How Clym can help:
- Automatic cookie website scanner that discovers all cookies use on your website, the data they collect and assigns them to a data processor from our repository of 100+ vendors.
- Cookie consent management using our powerful cookie tag manager, supplier whitelisting, cookie indexation and piggybacking prevention, ensuring that cookies are not loaded on a page unless the user gives his consent.
- Customisable notice layouts featuring custom company logo and colours for a consistent user experience.
- Customisable opt-out/opt-in mechanisms for non-essential cookies.
- Consent collection for loading third-party embedded content such as YouTube videos or Mailchimp forms.
Granular Consent
Clym allows detailed consent and cookie management, consent expiry date and automatic consent deletion. Manage legal bases for all processing activities and manage specific consent.
How Clym can help:
- Granular script, data and processing purpose classification.
- Consent collection is performed for each script, before loading it within the page.
Easy To Withdraw Consent
Another requirement for GDPR compliance is that you must empower data subjects to withdraw consent at any moment, through the same mechanism they gave it in the first place.
Make sure you provide them with an easy method of doing so.
How Clym can help:
- Customisable privacy widgets that can be accessed by visitors at any time, allowing them to manage consent, view your company’s contact information and policies, view their rights, submit requests or delete the data we stored about them.
- Consent withdrawal through the Privacy Center, acting as your users’ privacy control center and is available from any page on your website.
- Customisable “Forget me” button that automatically deletes the subject’s current session and cookie preferences.
- Manual “Stop Processing” option for each profile we store within the platform.
Records Of Consent
Proving compliance is as important as being compliant. You need to be able to prove that you respected data subjects’ rights, addressed their requests and collected consent before performing any processing activity governed by consent.
How Clym can help:
- Unique consent receipts automatically generated for all consent-related actions. These include the purpose for data collection, what types of data are collected (without including personal information), as well as what third-parties have access to it.
- Integrated audit system for user consent actions and cookie management. Everything is signed and cannot be changed, creating an audit trail.
- Full control on data retention, purpose and legal base, allowing detailed consent and cookie management, consent expiry date and automatic consent deletion.
- Public Consent Ledger that stores all consent receipts, allowing you, your data subjects or other parties to verify consent receipts.
Language And Jurisdiction
All the information requiring data subject consent that you display to the user must be easily accessible, concise, and most importantly, available in the data subject's preferred language.
How Clym can help:
- Management and customisation of terms, policies, agreements & procedures for different jurisdictions.
- Flexible setup per country that helps you reach users regardless of their location and language.
Privacy By Design And By Default
The General Data Protection Regulation places a strong emphasis on securing data subjects' personal information, encouraging security by design and by default.
This means that organisations should build systems with security deeply integrated from the beginning, rather than add it on top, at a later stage.
Encryption and pseudonymisation are listed as good ways of ensuring adequate levels of protection for personally identifiable information(PII).
How Clym can help:
- Encryption of all personal information including IPs and browser data for a high level of security.
- Anonymised user profiles that include all consents and data subject requests.
- Secure access management through passwordless authentication.
Our Data Privacy Tools of Trade
Managing data privacy made easy. These are the complementary tools that help us cater your compliance needs.
Learn More about Our Privacy WidgetSee you on the safe side
