written by Paula Arturo
Last week, the Biz Muses offered a free introductory webinar on our Marketing Group for language professionals who wanted to learn about the GDPR. The webinar was quite successful. In fact, it was scheduled to last only an hour, but our attendees had SO many questions that it went on for 2 hours instead!
Because we couldn’t get to everyone’s questions or simplify the matter as much as we originally wanted to, we decided to write up a series of posts to help you wrap your head around the GDPR. This post is the first of that series of follow-up posts, which will revolve around our attendees’ questions and are designed to help break down GDPR compliance into a series of simple, manageable steps that you can implement before May 25th to make sure your business model is GDPR-compliant.
When it comes to GDPR compliance, the first key is determining whether you are a Controller or a Processor. You’ll find the definition of each in article 4 of the GDPR. We recommend that you read that article, but if reading it sheds little or no light on whether you’re a processor or a controller, don’t worry! Even lawyers are still arguing about that one!
To make it simple, ask yourself this: Do I decide what information is to be collected and stored, what it’s going to be used for, and when it’s going to be deleted? If the answer is yes, then it’s safe to say that you are the Controller.
If you’re leaning toward a DIY solution, I’ll tell you what all my lawyer friends and I are doing: We’re using Excel sheets. I know, I know, Excel is ugly. Seriously ugly! But it’s also practical and you can use macros to set helpful reminders and links. It’s one of those things we may not like but are lucky to have!
So, let’s suppose you’re doing it yourself. Here’s the info you’ll need to store:
- As Controller, you may or may not be required to have a Data Protection Officer (DPO). How do you know if you need a DPO? You’ll need a DPO if you meet one of the following criteria:
(i) You are a public authority (except for courts acting in their judicial capacity);
(ii) Your core business activities require you to run large-scale, regular and systematic monitoring of individuals (like tracking consumer
(iii) Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offenses.
If none of the above sounds like you, then just move on to Number 2. If it does sound like you, then include your DPO info in your Excel sheet.
- Now, think of your Data Subjects. What “categories of Data Subjects” apply to your case? For example, active clients, old clients, prospective clients, vendors (if you outsource), etc. Make sure your Excel sheet contains both the categories and a description of each (i.e., what criteria you used in determining each category).
- Think of the data you’ll be processing under each category. What is the purpose of processing each category’s data? For example: for active clients, your purpose may be invoicing, for prospective clients, your purpose may be marketing. See how simple? Now include that in your Excel sheet.
- Now that you’ve figured out your categories and purposes, figure out for each category what personal data you’re going to need to collect and reflect that in your Excel sheet.
- Next, ask yourself whether you’re going to be transferring any of that data to recipients in third countries (or international organizations). For example, if you’re in Italy and outsource to someone in Argentina, then you might be transferring personal data to a third country. If that’s the case, then make sure your record reflects what will be transferred and how. If you’re transferring data to third countries or international organizations, familiarize yourself with Article 32(1), which explains all the safeguards you’re going to have to make sure are in place. This also applies when data is being transferred for storage outside the EU.
- Unless you are required by law to store certain data for a specific amount of time (for example, in some countries, you are required to store data for 10 years about anyone to whom you’ve submitted an invoice), then you’re going to have to delete data that you are no longer using. For example, although it’s OK under the GDPR to keep a record of all the clients you’ve worked with, you’ll need to delete the personal info pertaining to specific people inside the organization after a certain amount of time if your client becomes inactive. You might want to schedule such deletions for twice a year if you manage a large client base with many different clients or once a year if you have a small base of returning clients. Make sure your Terms and Conditions clearly tell your clients when and how you’ll be deleting that data as required under the GDPR, but also make sure you tell them that you may be legally required to keep certain data on record and inform them of how that will be handled.
- Make sure your record also describes any technical and organizational security measures that you’ll be installing as part of your GDPR compliance process. You’ll find those measures under article 32(1) of the GDPR.
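To show how the rows of such a record can be checked against the retention and transfer points above, here is an added Python example. It is not the Biz Muses' spreadsheet or any real tool; the rows, dates, the one-year inactivity policy and the `_add_years` helper are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed example of the kind of record the post describes: one row per
# category of data subject, with purpose, data collected, any third-country
# transfer, and the retention rule that applies. Not the Biz Muses' own sheet.
@dataclass
class RecordRow:
    category: str                 # e.g. "active client", "prospective client"
    purpose: str                  # e.g. "invoicing", "marketing"
    personal_data: tuple          # what is actually collected for that purpose
    transfer_to: Optional[str]    # third country the data goes to, if any
    statutory_years: int          # legal retention period; 0 if none applies
    last_activity: date           # last invoice, reply or contact

def _add_years(d: date, years: int) -> date:
    # Hypothetical helper: shift a date by whole years (29 Feb falls back to 28 Feb).
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_decision(row: RecordRow, today: date, inactive_after_years: int = 1) -> str:
    # 'retain' while a statutory period (the post's 10-year invoice example) is
    # still running, 'delete' once the subject has been inactive longer than our
    # own policy allows, otherwise 'keep'.
    if row.statutory_years and today < _add_years(row.last_activity, row.statutory_years):
        return "retain"
    if today >= _add_years(row.last_activity, inactive_after_years):
        return "delete"
    return "keep"

def transfers_needing_safeguards(rows):
    # Rows with a third-country recipient must show what is transferred and how.
    return [(r.category, r.transfer_to, r.personal_data) for r in rows if r.transfer_to]

RECORD = [  # constructed sample rows
    RecordRow("active client", "invoicing", ("name", "billing address", "VAT id"), None, 10, date(2017, 11, 3)),
    RecordRow("inactive client", "invoicing", ("name", "billing address", "VAT id"), None, 10, date(2007, 6, 30)),
    RecordRow("prospective client", "marketing", ("name", "email"), None, 0, date(2016, 9, 1)),
    RecordRow("vendor", "outsourcing", ("name", "email", "bank details"), "Argentina", 0, date(2018, 3, 20)),
]
REVIEW_DATE = date(2018, 5, 25)  # constructed: the GDPR application date used as review day

def cleanup_plan(rows=RECORD, today=REVIEW_DATE) -> dict:
    # One action per category, ready to drive a deletion or reminder macro.
    return {r.category: retention_decision(r, today) for r in rows}

if __name__ == "__main__":
    for category, action in cleanup_plan().items():
        print(f"{category:20} {action}")
    print(transfers_needing_safeguards(RECORD))
```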
If you’re acting as Processor instead of Controller, your record will be very similar, but also a bit simpler. You’ll need to record the following:
- You won’t need a DPO. Instead, you’ll need to record the Controllers for which you process data. If they have a DPO, you’ll need to record who your Controller’s DPO is or, if they are Controllers for another Controller, you’ll need to record that too.
- You’ll need to record the categories of data you are processing for them.
- Transfers of personal data to third countries or international organizations.
- General description of any technical and organizational security measures that you’ll be installing as part of your GDPR compliance process.
Some other useful info you may want to keep a record of includes:
- What data is collected on the basis of consent, and whether the data subject has been informed that said info is being collected.
- If you have your own data storage: where your server is located, who operates your server, and the legal basis for storing info on that server.
- If you use a data processor (for example, a third party to send out newsletters or marketing emails), you’ll want to include the processor’s name and contact info, location of their server, legal basis for processing their data, info of any sub-processors they use (How do you know? Well, because under the GDPR they are required to tell you!).
Ready to take action? We have just the thing for you!
Subscribe to our biz newsletter for weekly updates on the GDPR and other relevant trends.
We’ll give you a step by step GDPR checklist to help you get ready for May 25th!