GDPR News Center News for 07-31-2018

How to get GDPR compliant with Microsoft – TechNet UK Blog

When the EU’s GDPR is introduced this year, the bar for data privacy protection in the UK will be raised. For thousands of businesses GDPR highlights daunting issues of compliance. The May 25, 2018, deadline for GDPR compliance is drawing closer but many businesses, including some Microsoft Partners and customers, are unsure where to begin. Microsoft has released a set of assets that will help businesses and Microsoft partners achieve GDPR compliance. You’ll also get detailed guidance on how GDPR will affect your business, including the supporting Microsoft technologies and features that could be leveraged to help achieve compliance. 

Partners can also download the accompanying GDPR Detailed Assessment, intended to be used by Microsoft partners to assist customers in assessing their journey to GDPR readiness. The GDPR Detailed Assessment is also accompanied by supporting materials to assist partners in facilitating customer GDPR assessments. Microsoft has also introduced a GDPR product demo for Microsoft 365 Enterprise, showcasing features for GDPR compliance. The fundamental goal of this project is to show how businesses can use Microsoft technology, like SharePoint, Office UI Fabric and Office 365, to easily build GDPR solutions. There are also a wealth of resources that support Microsoft partners in making the most of GDPR as a market opportunity. 

Prepare for GDPR. Microsoft is committed to helping customers achieve GDPR compliance and has committed that its technology will be GDPR compliant by May 2018. Whilst Microsoft does not provide any GDPR-specific training, organisations that also need to skill up their employees can turn to third-party training providers for GDPR training. 

Keywords: [“GDPR”,”Microsoft”,”compliance”]

Smartsheet Prepares for GDPR

We take very seriously the need to keep the personal data that customers entrust to Smartsheet private and secure. As the European Union seeks to further strengthen EU residents’ privacy rights with the General Data Protection Regulation, we are working to ensure our compliance in advance of the GDPR May 2018 effective date. The GDPR legislation is designed to give EU residents more control over and information about the use of their personal data across digital platforms. To ensure our compliance with the GDPR standards as of its effective date, we are undergoing the process of reviewing and, where necessary, updating our current policies and practices. Today I wanted to share some information about our current practices and our plans related to GDPR compliance. 

Similar to the Data Protection Directive, the GDPR requires that an adequate transfer mechanism be in place in order to facilitate the transfer of personal data from the EU to the United States. To enable our EU customers to meet this requirement, Smartsheet self-certifies under the EU-US Privacy Shield and the Swiss-US Privacy Shield. That’s why we protect all customer data with a rigorous combination of infrastructure and procedures. Smartsheet was built with strict security requirements and protocols to ensure the security of your data. Here at Smartsheet, we value our customers’ privacy and respect each person’s interest in knowing how their personal data is collected and used. 

As I mentioned previously, we are undergoing the process of updating our current policies and practices to ensure compliance with the GDPR standards as of its May 25, 2018 effective date. For the latest information on Smartsheet and GDPR, please visit this page. 

Keywords: [“GDPR”,”data”,”privacy”]

GDPR – Essentiamail

If you’ve any questions about email marketing and GDPR, or if you’ve any general queries about the legislation, please do feel free to call us – we’d be happy to have a chat. Either way, it will have implications for the way companies conduct their marketing and interact with customers and prospects. The only change that is likely to affect B2B marketers is for those that market to sole traders and partnerships. For sole traders and partnerships, the rules that apply to B2C will apply to B2B marketers. In order to send email or text marketing messages to a sole trader for example, you would need their express opted-in consent. 

If you are emailing or texting a marketing message to an individual employee of a corporate, a limited company, an LLP, a partnership in Scotland or a government body, you do not need them to opt in. Essentially, if you are marketing to individuals or companies by telephone or direct mail, you do not need prior consent. No matter what channel you use for marketing, or who you are marketing to, the information on the ICO website stipulates that content must be about products or services that are relevant to that individual’s job role. It would be acceptable to keep only the amount of data necessary to suppress that person from receiving any further marketing messages. Proof of consent – The GDPR states that it is down to the company from whom the marketing messages come to prove that consent was obtained. 

Not only is it necessary for compliance with the law, it makes good marketing sense to use data that is up to date, compliant, and from a reliable source. If any of these factors are in doubt, the results of your marketing campaigns are likely to suffer as a direct result. 

Keywords: [“marketing”,”consent”,”GDPR”]

GDPR News Center News for 07-30-2018

HubSpot Product Readiness Page

Now that we’ve gotten product specifics out of the way, a quick word on our mindset towards the GDPR, as marketers. Here’s the thing: all of the recent data protection laws, from CAN-SPAM to CASL to the GDPR and beyond, are built for a simple reason: to provide better experiences for our customers and the people who trust us with their data. Complying with the GDPR will require effort, and that effort may lead to stress between now and deadline day. At the end of the day, if the GDPR makes your customers’ lives better, it’ll grow your business as a result. The GDPR has specific rules about enabling your contacts to specify exactly what they want to receive from you. 

The GDPR requires increased transparency around data collection and processing. Not only will that satisfy the specific contact in question; it’ll ensure that you’re not wasting your time trying to market and sell to people that have no interest in your product or service. Perhaps most importantly, the GDPR requires lawful basis for processing. That’s bad news if you’re purchasing lists: not only is this not allowed under the HubSpot Acceptable Use Policy, but now it’s also not permitted under the GDPR. That may sound painful in the short term, but it’s good news for your company in the long run. 

Making sure you have established a lawful basis will lead to a more engaged list, better email deliverability, and fewer annoyed contacts. For many companies — HubSpot included — GDPR compliance is stressful and work-heavy. As you work through those long hours reading through the GDPR and building out your process, don’t forget the purpose behind the law: to provide better, more secure, more transparent experiences for our customers. 

Keywords: [“GDPR”,”contact”,”better”]

Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK

There has naturally been a good deal of discussion of the forthcoming General Data Protection Regulation. One issue of interest to all data controllers, and of particular concern for researchers, is whether the GDPR expands the scope of personal data through the introduction of the term ‘pseudonymisation’ in Article 4(5). If all data which have been ‘pseudonymised’ in the conventional sense of the word are to be treated as personal data, this would have serious implications for research. Administrative data research, which is carried out on data routinely collected and held by public authorities, would be particularly affected as the sharing of de-identified data could constitute the unconsented disclosure of identifiable information. Instead we argue that the definition of pseudonymisation in Article 4(5) GDPR will not expand the category of personal data, and that there is no intention that it should do so. 

The definition of pseudonymisation under the GDPR is not intended to determine whether data are personal data; indeed it is clear that all data falling within this definition are personal data. Rather, it is Recital 26 and its requirement of a ‘means reasonably likely to be used’ which remains the relevant test as to whether data are personal. This leaves open the possibility that data which have been ‘pseudonymised’ in the conventional sense of key-coding can still be rendered anonymous. There may also be circumstances in which data which have undergone pseudonymisation within one organisation could be anonymous for a third party. We explain how, with reference to the data environment factors as set out in the UK Anonymisation Network’s Anonymisation Decision-Making Framework. 

Keywords: [“Data”,”personal”,”pseudonymisation”]

What the Heck is GDPR? Smart Blogger

It’s the General Data Protection Regulation – a new data privacy law being introduced by the European Union – and it’s a bit of a game-changer. The risks to individuals’ data privacy are clearly increased where that data contains inaccuracies. You are therefore obliged to address data inaccuracies without delay – incorrect data must be rectified, or deleted. You are expected to take steps that are proportionate to the sensitivity of the data that you collect, and the risk to the individuals concerned were the data to be lost or disclosed. Long story short, if you are the person who decides to collect the data, or decides what data is collected and why, then you are a Data Controller – regardless of whether you are operating as a business in the normal sense of the word. 

The GDPR specifically states that cookies are potentially personal data. IP addresses are personal data as far as the GDPR is concerned. We’ve already seen that the core factor in determining whether the GDPR applies to you is whether or not you process personal data. Data Controllers in the EU are within the territorial scope, and the GDPR applies. While full GDPR compliance is going to be complex for some, there’s likely to be some low-hanging fruit to be had. 

Not only will it start you off on a path toward full compliance, you’re also demonstrating a commitment to data privacy – and you might be surprised how much you’re already doing. One of the core objectives of the GDPR is to keep personal data secure. Even if you’re not in the EU. While regulators are extremely unlikely to start handing out huge fines on Day 1, smart bloggers will see this as an opportunity to get their data processes properly nailed down. 

Keywords: [“Data”,”GDPR”,”blog”]

GDPR News Center News for 07-29-2018

GDPR & SAP BI Compliance

By clarifying regulations around data privacy, the regulation also aims to simplify compliance for businesses. Of course, one might be forgiven for believing the opposite, because the introduction of any new data privacy regime has complications and pitfalls for all business entities. The GDPR gives data subjects the right to seek compensation for distress caused by the mishandling of private information, which may vastly increase the cost of data breaches beyond the statutory penalties. The objective seems to be to make data privacy difficult, if not impossible, to ignore. Privacy is the price we pay for doing business with EU data subjects. 

Data privacy should be regarded as a best practice in your business processes, rather than as an inconvenience. One way to reduce information security risk is to limit the data subject information you gather to what is specifically necessary to your dealings with the data subjects. In general, private information should be anonymized and encrypted at every opportunity, and you should note that the GDPR applies not just to information that is clearly private, but also to any data that can be traced to identify an individual. In general, data subjects have the right to control the who, where, when, why and how of the ways in which their personal information is collected, processed and retained. Perhaps the most important of the rights of data subjects is the right to understand and determine the level of consent. 

You must have clear consent to use the data for the purpose for which it was collected. This right needs to be considered throughout your BI processes from the collection of data, through the creation of BI content, and its distribution for use in decision making. 

Keywords: [“Data”,”information”,”GDPR”]

GDPR Compliance for WordPress and WooCommerce in 2018

I attended WordCamp Manchester and WordCamp Stockholm in the last few months, and they had one thing in common: lots of questions about GDPR. I heard a number of discussions around what WooCommerce site owners needed to do, and if they were ready for GDPR. To help our WooCommerce site owners get ready for the GDPR, we wanted to provide some information about the regulation, along with our GDPR plans at WooCommerce. On 25th May 2018, the GDPR enacted by the EU will come into effect. Stronger rules on data protection from May 2018 mean citizens have more control over their data. 

Tell the user who you are, why you collect the data, for how long, and who receives it. Each of these bullet points is subject to many caveats, exceptions, and degrees of how much you need to do, but they do serve as a good starting point. Each WooCommerce site uses a different set of plugins, has a different flow for shipping, etc. You’ll need to know what you need to do for your specific site. If you sell any products to customers based in the EU, or have EU visitors to your site, you’ll need to make sure your site complies with GDPR. 

Your site can be considered GDPR-compliant, depending on how you’ve set it up. Code in WP has put together a breakdown of how the GDPR affects WordPress sites. It’s also up to you as the site owner to communicate how your customers’ information is being used – it’s more of a communication and process question, rather than something that can be solved with technology. GDPR affects every site that operates in the EU – there are lots of resources to assist you further. We expect that Automattic products and services will be in compliance with GDPR requirements by May 2018. 

Keywords: [“site”,”GDPR”,”Data”]

GDPR Basics: Understanding And Complying With The GDPR

Big data describes both structured and unstructured volumes of data: the data is typically so large that it presents logistical challenges in its management. It is characterised by volume, as the data is large and has many sources; velocity, because data streams in at high speed; and variety, because big data is presented in many formats. Pseudonymised data takes elements of personal data and replaces them with artificial identifiers. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing. The difference between pseudonymised and anonymised data is that the pseudonym allows data to be tracked back to its origins, meaning the subjects could eventually be identified again. 

Does the GDPR apply: If the data necessary to re-identify the individuals is destroyed the GDPR does not apply, if the company retains the data to identify the individuals then the GDPR applies. Anonymised data is data held in a form that does not identify individuals. The GDPR also states that anonymised data is not personal data and thus does not need to comply with the data protection principles set out by the GDPR. Does the GDPR apply: no. Datasets containing personal data can only be published as open data by controllers or processors with the consent of the data subject or on some other legitimate basis. 
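The distinction drawn in this passage, and in the administrative-data abstract earlier on this page (the Article 4(5) definition versus the Recital 26 "means reasonably likely" test), is easiest to see in code. The following Python example is added here and is not from either original article: it key-codes a direct identifier with random tokens held in a separate key table, shows that only the holder of that table can reverse the coding, and then checks the remaining quasi-identifiers to show why discarding the key table does not by itself make a dataset anonymous. The dataset and the function names are constructed for this example.

```python
"""Key-coded pseudonymisation vs. anonymisation (added example, constructed data)."""
import secrets
from collections import Counter

# Constructed sample of an administrative dataset; the people are fictional.
# The same subject appears twice so that consistent coding is visible.
SAMPLE_RECORDS = [
    {"email": "ana@example.org", "postcode": "M1 1AA", "birth_year": 1984, "visits": 3},
    {"email": "ana@example.org", "postcode": "M1 1AA", "birth_year": 1984, "visits": 1},
    {"email": "bo@example.org", "postcode": "M1 1AA", "birth_year": 1984, "visits": 2},
    {"email": "cy@example.org", "postcode": "SW1A 1AA", "birth_year": 1950, "visits": 7},
]

DIRECT_IDENTIFIERS = ("email",)          # fields replaced by a pseudonym
QUASI_IDENTIFIERS = ("postcode", "birth_year")  # fields left in place


def pseudonymise(records, direct_identifiers=DIRECT_IDENTIFIERS,
                 token_factory=lambda: secrets.token_hex(8)):
    """Key-coding: replace each direct identifier value with a random token.

    Returns (pseudonymised_records, key_table). key_table maps token -> original
    value; it is the 'additional information' of Article 4(5) and must be stored
    separately from the coded records. The same original value always receives
    the same token, so records of one subject stay linkable for analysis.
    """
    key_table = {}
    forward = {}  # original value -> token, to reuse tokens within this run
    coded = []
    for rec in records:
        new = dict(rec)
        for field in direct_identifiers:
            if field in new:
                value = new[field]
                if value not in forward:
                    token = token_factory()
                    forward[value] = token
                    key_table[token] = value
                new[field] = forward[value]
        coded.append(new)
    return coded, key_table


def reidentify(coded, key_table, direct_identifiers=DIRECT_IDENTIFIERS):
    """Reverse the key-coding. Only a party holding key_table can do this."""
    restored = []
    for rec in coded:
        new = dict(rec)
        for field in direct_identifiers:
            if field in new and new[field] in key_table:
                new[field] = key_table[new[field]]
        restored.append(new)
    return restored


def anonymise(records, direct_identifiers=DIRECT_IDENTIFIERS):
    """Pseudonymise and discard the key table, so the tokens cannot be reversed.

    Whether the result is anonymous in the Recital 26 sense still depends on the
    quasi-identifiers that remain in the records; see min_group_size().
    """
    coded, _discarded_key_table = pseudonymise(records, direct_identifiers)
    return coded


def min_group_size(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one combination of quasi-identifier
    values (the k of k-anonymity). A result of 1 means at least one record is
    unique on those fields, so the key table is not the only route back to a
    person and the data should not be treated as anonymous without further work."""
    counts = Counter(tuple(rec.get(q) for q in quasi_identifiers) for rec in records)
    return min(counts.values()) if counts else 0


if __name__ == "__main__":
    coded, key_table = pseudonymise(SAMPLE_RECORDS)
    print("held by the controller:", coded)
    print("restored with key table:", reidentify(coded, key_table) == SAMPLE_RECORDS)
    released = anonymise(SAMPLE_RECORDS)
    print("smallest quasi-identifier group:", min_group_size(released))
```

Run as a script, the last line reports a group size of 1: the 1950 / SW1A 1AA record is unique on its quasi-identifiers, so a recipient who never sees the key table could still single that person out if they hold another dataset with those fields. That is the point of the abstract above: the Article 4(5) definition says the coded records are personal data for the controller holding the key table, while the Recital 26 test decides whether they are personal data for the recipient, and that depends on the data environment, not on the coding step alone.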

Data subject to the GDPR can only be transferred to a country that is also subject to the GDPR, unless the receiving country has been deemed to have equal or better data protection laws in place. Data subjects have the right to access how their data is being used by the data controller. The data is also to be destroyed immediately after it has been used, meaning that most grey data will be eliminated. 

Keywords: [“Data”,”GDPR”,”open”]

GDPR News Center News for 07-28-2018

Global Privacy Awareness Traini

The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities. There is a requirement for data protection by design that requires those designing products and services to build in privacy and security protections in the early stages of development. With a length of about 250 pages, it is the strictest privacy law in the world and will require extensive time and resources to prepare for. A survey conducted at this year’s RSA conference concluded that over half of the security professionals surveyed were either not currently preparing or not aware of what they needed to do to prepare. According to a different survey of 900 professionals across eight different countries, nearly half of the respondents were concerned their organizations would not be in compliance with GDPR by next year. 

GDPR imposes huge potential fines for non-compliant organizations – up to 4% of global turnover in many cases. Preparing for the GDPR can seem overwhelming, but the key is good privacy and security fundamentals. It starts with having a healthy data protection program. Getting ready for GDPR can’t be accomplished in a few weeks, so now is the time to start. At far too many organizations, the C-Suite doesn’t even know what GDPR is and hasn’t allocated sufficient resources to be ready. 

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum, an annual event that aims to bridge the silos between privacy and security. 

Keywords: [“GDPR”,”privacy”,”training”]

Hireserve recruitment software blog

Already there are a wealth of resources out there to help in-house recruitment teams prepare for the new legislation, from our GDPR hub to the ICO’s range of excellent templates and guidance. Take time to read up on the key points of the GDPR. The ICO provides a great overview of the regulation, whilst REC has useful guidance for the recruitment industry. Throughout all your steps to GDPR compliance, you need to keep these points in mind. No matter what size your organisation, you should establish a person, or team of people, to lead your GDPR actions. 

Your steering group should meet regularly to ensure all departments are progressing the necessary actions for GDPR compliance. Data mapping is the process of identifying, understanding and documenting the flow of data that comes in and out of your organisation. For an in-house recruitment team, this could include when and how you collect data from your candidates. Your GDPR steering group should ensure that your data mapping exercise is a business priority and is completed comprehensively and satisfactorily. The GDPR sets out legal bases in Article 6 of the regulation. 

During your data mapping process, you should identify the legal bases that justify how and why you collect, process and store personal data in your organisation. Part of GDPR compliance is being utterly open about how you intend to process and store people’s data, and what your legal basis is for doing so. As you’ll see from the disclaimer below, we are not qualified to legally advise you ahead of the GDPR. As such, we would always recommend that you speak to a suitably qualified lawyer who can help ensure you are meeting your obligations as a responsible and diligent data controller. 

Keywords: [“GDPR”,”Data”,”legal”]

6 steps to GDPR compliance

Unlike the US, businesses currently operating within the EU and gathering data on individuals do not have to reveal if they have been hacked. The introduction of GDPR is set to change all of this and bring data protection to the top of businesses’ priority lists. Part of this compliance audit, no matter the size of the company, is hiring a data protection officer to explain the regulations and apply them to the business. This should be done through the keeping of a Data Register – essentially a GDPR diary. Should a breach occur during the early stage of implementation, the business should be able to show the DPA its progress towards compliance through its Data Register. 

Without any proof that the company has even started the process, the DPA could enforce a fine between 2% and 4% of a company’s turnover, depending on the sensitivity of the data being breached. Once the data has been identified, it’s important to start evaluating the data, including how it’s being produced and protected. With any data or application, the first priority should be to protect the user’s privacy. Businesses should complete a Privacy Impact Assessment and Data Protection Impact Assessment of all security policies, evaluating data life cycles from origination to destruction points. Always keep in mind that data should be protected from the day it is collected, through to the day it is no longer needed and then it should be destroyed in the correct manner. 

It’s these actions that show the DPA that the business is taking compliance and data protection seriously. In a year’s time, regulators will start to get the real picture of how seriously businesses are taking the security of their data – and the number of breaches really taking place. 

Keywords: [“data”,”businesses”,”GDPR”]

GDPR News Center News for 07-27-2018

GDPR Privacy Policy

The main focus of the General Data Protection Regulation is the protection of personal data and digital privacy. It also aims to unify the current data protection and privacy laws throughout the EU. While the Data Protection Directive only applied to data controllers, the GDPR now applies to data processors as well. Data controllers must now conduct Data Privacy Impact Assessments and add more thorough methods of obtaining consent for collecting data. Data processors will have to start keeping written records, increase security measures to protect data and notify data controllers of any breaches that occur with the data. 

In some instances you may be required to appoint a Data Protection Officer to oversee your data security strategy and GDPR compliance. Find more information here to help you determine if you need a DPO. The GDPR requires that users are provided with thorough information about how their personal data is processed. The data controller will likely be your business, unless your business operates as a data processor for other companies. A Privacy Notice is a short, concise yet informative notice that lets a user know why you’re collecting data. 

It’s easy to see how a short Privacy Notice at the point of data collection can help users be informed of your data collection practices in a concise, clear and easy-to-understand way. This section covers accessing data, correcting it, deleting it, objecting to it being collected, declining to provide it and other rights users have under the GDPR. Another important part of the GDPR is that businesses cannot retain data beyond a reasonable time. Add Privacy Notices in places where you’re asking for consent to collect data to help users understand what they’re consenting to. 

Keywords: [“Data”,”information”,”GDPR”]

GDPR Regulations and Requirements

The General Data Protection Regulation is legislation aimed at protecting the personal data of European Union citizens. The GDPR applies to any company doing business with EU data subjects. Simply put, if an organization offers goods or services, maintains offices, or operates a website in the EU, the GDPR likely applies. Depending on the severity of the infraction, non-compliance can result in formidable consequences, including fines up to €20m or four percent of your organization’s global annual revenue, whichever is greater. LogRhythm’s GDPR Compliance Module provides you with a consolidated framework to help ensure your organization is compliant. 

LogRhythm’s GDPR Compliance Module addresses 16 technology-focused GDPR Articles – making it easier for you to meet and exceed regulations. You’ll realize immediate benefits from pre-built content, including rules and alerts, investigations, and reports. LogRhythm’s Compliance Module is included free of charge for LogRhythm Threat Lifecycle Management platform customers. GeoIP Configurations: Enrich log data with geographic context to help identify when data may be entering your environment from an EU member country and facilitate the application of regulatory requirements. Machine Data Intelligence Fabric: Process and enrich diverse data sources and streams to achieve enterprise-wide visibility and enable effective analytics. 

Risk Based Prioritization: Every event is assigned a risk, threat, and confidence score, ensuring your security team can accurately identify and prioritize true threats. With the LogRhythm GDPR Compliance Module, you’ll be better able to protect your organization’s personal data, ultimately avoiding fines, a damaged reputation, and loss of customer confidence. 

Keywords: [“Data”,”GDPR”,”LogRhythm”]

Designed to strengthen data protection and privacy for individuals within the European Union, it will have an impact on all organisations that collect data. GDPR gives EU citizens the right to know the details of any personal data you hold about them and how that data is processed and used. If you hold data about anyone, they can now ask for that data to be passed to another organisation. Some organisations have kept serious data breaches secret for months in order to protect them from bad publicity and other unwanted consequences. Under GDPR, any data you hold about an individual must be accurate. 

If you hold data about political affiliations, whether that is their membership of a particular party or just a political opinion gathered on a survey, it needs protection under the GDPR. Greater security demands on business. From May, organisations will be required to implement reasonable data protection measures to protect EU citizens’ personal data and privacy by design. GDPR extends beyond the EU. GDPR is designed to protect the data and privacy of EU citizens. 

The UK’s Data Protection Act was passed in 1984, 11 years before the EU got around to issuing its Data Protection Directive in 1995. The size of the fines which can be given to organisations that do not comply with GDPR is an indication of how determined the EU is to tackle issues with data protection and data privacy. The issue of transferring data to countries or organisations with less adequate data protection should be a major concern for any company that has a website. Private data is secured using mod security rules and fool-proof physical, electronic and managerial procedures, and we back up shared servers to avoid data loss in case of disasters. 

Keywords: [“data”,”GDPR”,”organisation”]

GDPR News Center News for 07-26-2018


As of May 25, 2018, registrant information (name, organization, address, phone number, and email) will be considered personal data that can no longer be published in the public Whois. While the audience for registrant data may no longer be the entire public, it will still be sizable. The service also provides a way for third parties to contact the domain owner via the privacy service email address displayed in the Whois output, an option that will not be provided as a part of GDPR data protection. The personal data associated with a domain that is protected by Whois privacy will not be shared with registries. Here we will disclose all the uses of personal data that are required by contract in order for us to provide the requested domain service. 

At this time, we will also request consent from the data subject for those data uses where our legal basis is their consent. We request consent for any data elements that are not required by contract. Certain registries require additional information in order to complete domain registrations, and in these cases, we will include in our contract a point about processing those additional pieces of registrant data. We give the option of processing any piece of personal data that isn’t essential or necessary to provide the service. For most domain registrations, we don’t require the registrant to provide their phone number, but by collecting this piece of data we are able to provide a backup verification method. 

The data is required by a third party, with whom we do not yet have a GDPR-compliant contract. If we don’t have a GDPR-compliant contract with this particular registry, we would have to request consent from the data subject to process and share this extra piece of personal data before completing the registration. 

Keywords: [“data”,”Whois”,”domain”]


GDPR is one of the most prominent regulatory changes coming up in 2018. Companies that breach the GDPR legislation will receive a fine of €20 million or 4% of annual turnover, whichever is higher. Businesses and other organisations will be required by law to prove their employees have received communication about the GDPR and that they understand what it means for them and the organisation they work for. As a function, we also need to be aware of the information we hold on our employees and ensure that we are complying with the new legislation too. Here are some key things to consider when preparing for the GDPR: 

Find out who is overseeing the GDPR programme/process in your organisation and ask to join the project team, if you’re not already part of it. It’s important that internal communication helps to guide the strategy from the outset, as cutting through the noise and ensuring all employees are aware of the changes will be a legal requirement. Start communicating regularly with your employees now to help them understand what the legislation means and what they are required to do around recognising and protecting information. The GDPR may affect how you manage internal communication. Remember, this information might be stored locally on paper; GDPR is not only about digital records. 

Internal communicators need to understand the impact those changes might have on employees and share appropriate, targeted communication about policy changes, training on the new legislation etc. Now is the time to understand how these channels are being used and ensure employees understand how they are impacted by the GDPR and what their responsibility is to keep information secure. We strongly recommend that internal communicators start preparing for GDPR now. 

Keywords: [“GDPR”,”employees”,”information”]

GDPR Support

GDPR compliance is a worry for many businesses based in the EU. This free extension supports Cookie Compliance and Customer Data Anonymisation. The ZERO-1 GDPR Support module for Magento 1 adds some key features to help you meet the requirements set out in the new General Data Protection Regulation legislation, which comes into effect throughout the EU on 25 May 2018. Key requirements under the new legislation include the removal of customer data on request. Magento Core code does not currently facilitate this; therefore all sites without this extension will not be adhering to legal requirements, given that Magento can store customer cart data and customer order data for failed orders. 

Neither of these should be retained by Magento under the new laws. The ‘Express Consent’ law also requires that you refrain from setting ALL non-essential cookies UNTIL express consent has been granted. Features: Cookie Notification Popup requesting ‘express consent’ from your website visitors upon entering your website. Delete Customer & Anonymise Data from Admin or Front-end – Although legally a business is permitted to retain customer information if the customer has purchased from you, Magento does have functionality to record sales data even if the order has not technically resulted in a completed sale. This extension allows you to fully anonymise customer data from the Customer, Sales and Quotes tables so that you can feel assured that you have met your GDPR obligations. 

ZERO-1 have also partnered up with a law firm specialising in supporting the other requirements which must be met. These include onsite documentation such as Privacy, Terms & Conditions and Cookie Policy. This extension requires a basic understanding of Google Tag Manager. 

Keywords: [“Customer”,”Data”,”Magento”]

GDPR News Center News for 07-25-2018

A Resource Guide to Compliance for 2018

The general data protection regulation comes into force May 25th, 2018. Increased Scope – The new legislation clearly lays out specific types of protected data such as name, address, ID numbers, Web location, IP address, cookie data and RFID tags. Health, genetic, biometric, ethnic, political views and sexual orientation data are also covered. Companies in the United States processing data for U.K. or French customers must abide by GDPR regulations. 

WP sites must be reviewed and amended to ensure all data collection follows consent policies. Plugins: Site owners are ultimately responsible for the data collection and storage methods of any plugins or third-party software used, meaning it’s critical to audit existing plugin libraries and address anything that needs clarification before May 25th – there’s a WP GDPR Compliance plugin available through WordPress to help identify key issues. The Case for Consent – While consent is critical under the new legislation, it’s not the only lawful ground for processing data, which creates confusion among organizations. If you have an existing contract with individuals or must process data to meet legal requirements, consent may not be required. Age Limits – Initial drafts of the GDPR set the EU age limit for choosing to hand over personal data at 13. 

With protecting children’s data as a priority for this new legislation, WordPress sites must be diligent in obeying local age limit regulations and keep an eye on potential revisions. New Technologies – Article 35 of the GDPR lays out the need to assess the risk that new technologies for processing and storing data pose to personal information. The new legislation comes with significant impact for data collection, informed consent and direct user control over personal data. 

Keywords: [“data”,”GDPR”,”WordPress”]

What Should Software Engineers Know about GDPR?

A software designer should try to find ways to avoid being a data processor, and still be able to do the work. Your data subjects should be able to verify, correct, export, move, and erase their data as easily as they gave it to you in the first place. If the team members that build the software have access to actual personal data while building it, they become data processors and liable to the same sanctions and responsibilities. After any data breach, whether by an internal or external party, the first thing you need to do is find forensics that can show which users are affected and which data were accessed. If a data breach happens, it can only affect data that was actually in the targeted system at that point. 

Many systems continue to collect all data but never clean it up, even when the data becomes obsolete. It’s worth mentioning that anonymization and pseudonymization mechanisms can help you with things like test data or analysis data. You might already have a general-policy document that explains the rules, but I’ve seen many software designers start to create a grid of data columns in which they can state GDPR classification. The most important thing to get right is the one-stop shop where data subjects can exercise their rights, leading to a process that identifies and validates the request and then to mechanisms that erase or export that data. Most software projects do not require exposure to actual PII data, and this is definitely the recommended path to take – but it might require new skills and tools. 

No, a data subject is not supposed to get everything connected to their identity when they request an export of their data. Take care of transparency, data security, and legal basis, and do not collect more data than you need and you should be fine. 
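As an added example (not code from the article or its author), the following Python sketch shows the three mechanisms the piece recommends: a grid of data columns carrying a GDPR classification, keyed pseudonymisation so the team can work on test data instead of real PII, and export/erase functions driven by that grid. The column names, classifications, sample users and HMAC key are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Any, Dict, List, Optional

# Hypothetical classification grid: every column of the record is tagged so
# that export, erasure and pseudonymisation are driven by the grid, not by
# hand-written per-feature code that is easy to forget to update.
DATA_INVENTORY = {
    "user_id":    "identifier",    # keys the record; retained but pseudonymised for tests
    "email":      "personal",      # direct identifiers
    "full_name":  "personal",
    "ip_address": "personal",
    "country":    "non_personal",  # aggregate-level, kept for analytics
    "plan":       "non_personal",
}

def sample_users() -> List[Dict[str, Any]]:
    """Constructed records standing in for a production users table."""
    return [
        {"user_id": 1001, "email": "alice@example.com", "full_name": "Alice Example",
         "ip_address": "203.0.113.10", "country": "DE", "plan": "pro"},
        {"user_id": 1002, "email": "bob@example.com", "full_name": "Bob Example",
         "ip_address": "203.0.113.11", "country": "FR", "plan": "free"},
    ]

def export_subject(users: List[Dict[str, Any]], user_id: int) -> Optional[Dict[str, Any]]:
    """Right of access / portability: return one subject's personal data.
    Only columns classified personal or identifier are included; the subject
    does not get 'everything connected to their identity'."""
    for row in users:
        if row["user_id"] == user_id:
            return {k: v for k, v in row.items()
                    if DATA_INVENTORY[k] in ("personal", "identifier")}
    return None

def erase_subject(users: List[Dict[str, Any]], user_id: int) -> bool:
    """Right to erasure: blank every 'personal' column in place, keep the
    non-personal columns so aggregate statistics still add up."""
    for row in users:
        if row["user_id"] == user_id:
            for col, cls in DATA_INVENTORY.items():
                if cls == "personal":
                    row[col] = None
            return True
    return False

def pseudonymise_for_test(users: List[Dict[str, Any]], key: bytes) -> List[Dict[str, Any]]:
    """Build a test dataset: identifiers are replaced with keyed HMAC tokens.
    The same input always maps to the same token, so joins across tables
    still work, but developers never see real PII. The key stays with the
    production side; without it the tokens cannot be reproduced."""
    out = []
    for row in users:
        new = {}
        for col, value in row.items():
            cls = DATA_INVENTORY[col]
            if cls == "personal":
                digest = hmac.new(key, f"{col}:{value}".encode(), hashlib.sha256).hexdigest()
                new[col] = f"{col}_{digest[:16]}"
            elif cls == "identifier":
                digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
                new[col] = int(digest[:8], 16)
            else:
                new[col] = value
        out.append(new)
    return out
```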

Keywords: [“data”,”GDPR”,”system”]

Getting Ready for the GDPR

If your business is based in the European Union or you have customers or contacts in the EU, then you have probably heard of the General Data Protection Regulation by now. In this article, we’re going to cover a few things to keep in mind as GDPR approaches and provide you with the resources you need to learn more. It will regulate the treatment and use of personal data belonging to EU citizens. EU-based businesses, as well as anyone processing the personal data of EU citizens, will likely be affected by the GDPR. If you ever collect, record, store, use, or erase personal data from customers or contacts in the EU, the GDPR should be on your radar. 

Here at MailChimp, we’ve been reviewing and updating our internal data processes and systems to make sure we’re ready by May. And soon, we’ll be releasing an updated version of our Data Processing Agreement to allow our customers to continue to lawfully transfer EU personal data to MailChimp when the GDPR goes into effect. Our preparation efforts are ongoing and will continue into next year. We’re committed to achieving compliance with the GDPR, and we want to help our customers do the same. How to prepare your business for the GDPR. 

If your business is preparing for the GDPR, we know that it takes a lot of time and effort. The guide includes an overview of the new law, details on how MailChimp is preparing for it, and information about how to make sure your use of MailChimp is compliant. An article that outlines the tools we’re building to help you prepare for the GDPR. This post was updated on March 6, 2018 to include a link to our newest GDPR article. Please note that this post and the guide are for informational purposes only, and should not be considered legal advice. 

Keywords: [“GDPR”,”Data”,”prepare”]

GDPR News Center News for 07-24-2018


General Data Protection Regulation compliance comes into effect in a matter of days now and though many businesses are aware of the law and what it requires, only 10% of people polled in a recent survey conducted by Restore said they have the right measures in place for handling paper records. Of course, that doesn’t necessarily take into account all the digital data held on computers, laptops, servers, and mobile devices. Making sure we handle data professionally, securely and strictly in line with current and future protection regulations is the cornerstone of all our businesses, so we have a lot of experience and insights to give in ways to suit you. Speak to our team of knowledgeable, approachable business consultants and digital specialists who will help you understand the impact of the incoming GDPR legislation on your organisation through a GDPR readiness assessment. Get your organisation ready for GDPR changes with our GDPR Brochure. 

Covering paper and digital records, as well as the need for the compliant, secure destruction of both, our brochure will help you understand what’s needed, whether the changes apply to your organisation, and highlights 13 key areas to look at in depth. We know that paper records represent a significant GDPR compliance risk. Data subjects have the right to report organisations who hold their data and who they believe have infringed their rights to the supervisory authority, the ICO being the one in the U.K., or to take legal action through the courts to recover material OR non material damages. They do not have to prove any impact, such as reputational damage. The cost of non-compliance could be as high as £20 million or 4% of global turnover. 

Take the first step towards your GDPR readiness assessment by contacting us on 03300 376 323 or website. 

Keywords: [“GDPR”,”Data”,”organisation”]

How will the GDPR impact open source communities?

This new regulation by the European Union will impact how organizations need to protect personal data on a global scale. The General Data Protection Regulation was approved by the EU Parliament on April 14, 2016, and will be enforced beginning May 25, 2018. The aim of the GDPR is to protect the personal data of individuals in the EU in an increasingly data-driven world. The GDPR applies to all organizations processing the personal data of data subjects residing in the European Union, regardless of the organization’s location. The GDPR brings many changes, strengthening data protection and privacy of EU persons, compared to the previous Directive. 

EU persons get expanded rights by the GDPR. One of them is the right to ask an organization if, where and which personal data is processed. Upon request, they should also be provided with a copy of this data, free of charge, and in an electronic format if this data subject asks for it. It will need to have specific features such as obtaining and storing consent, extracting data and providing a copy in electronic format to a data subject, and finally the means to erase specific data about a data subject. Under the GDPR, a data breach occurs whenever personal data is taken or stolen without the authorization of the data subject. 

Once discovered, you should notify your affected community members within 72 hours unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. As an organization, you will become responsible for keeping a register which will include detailed descriptions of all procedures, purposes, etc. for which you process personal data. I have covered some of the parts of the regulation that could be of impact to an open source community, raising awareness about the GDPR and its impact. 

Keywords: [“data”,”GDPR”,”community”]

The clock is ticking: Is your business ready for GDPR compliance?

Whether you are a small business that sells customized T-shirts online, operate a digitally powered startup service offering SEO and digital marketing consultancy, or are a giant in the cloud-based service industry – your world is about to change because of the need for GDPR compliance. GDPR is a consolidated set of rules and regulations around data privacy laws, and applicable to all members of European Union – and to any business or individual that exchanges data electronically with an EU citizen. The deadline for GDPR compliance is getting near: It’s May 25, 2018. If you haven’t come up with a GDPR compliance plan yet, you’d better get started. GDPR compliance: ‘The right to be forgotten’. 

Most organizations are mistaken when it comes to GDPR tenets related to the responsibility of data privacy and security. A key requirement of GDPR is that organizations need to implement strong practices to make sure that former employees are not able to access their systems. In the Veritas survey we talked about, a group of respondents claimed that their organizations were already in GDPR compliance. The survey revealed that only 2 percent of the surveyed organizations were actually in a state of GDPR compliance. All these are deep pitfalls that any enterprise will find difficult to navigate as it tries to reach the safe side of GDPR. 

To fare better, make sure you start engaging consultancy services that can objectively evaluate your business’ true GDPR readiness. Veritas’ research revealed that firms are forecasting investment of $1.4 million at an average to ramp up security practices for being GDPR ready. GDPR compliance is going to be a regulatory reality sooner than you think, so now’s the time to take stock and do whatever is necessary to hit the May 25 deadline. 

Keywords: [“GDPR”,”data”,”organization”]

GDPR News Center News for 07-23-2018

8 Ways EU GDPR Differs From the EU Data Protection Directive

On May 24th, 2018, the EU Data Protection Directive will be updated for the first time since 1995. Under the current directive, each of the 28 countries developed their own interpretation of what constituted personal data. The EU GDPR enforces a strict and broad definition of personal data, referring to any information that could be used, on its own or in conjunction with other data, to identify an individual. Organisations will have to disclose the intended use and duration of storage of the data acquired, and re-solicit permissions each time a new use of the data is proposed. EU citizens will have to explicitly opt in to the storage, use, and management of their personal data, and will have the right to access, amend, or request the deletion of, their personal data. 

The EU GDPR requires organisations to report data breaches to the individuals whose data was lost, and to a supervisory authority within 72 hours. The regulation defines data controllers as organisations who acquire EU citizens’ data, and data processors as organisations who may manage, modify, store, or analyse that data on behalf of or in conjunction with the controllers. This means if an organisation outsources data entry or analysis to a third party, or processes data on behalf of another organisation, both parties are liable. Under the EU GDPR, organisations are required to actively track how and where data are stored and used through the supply chain. Any organisation directly involved with the processing of data, or with more than 250 employees, must also appoint a Data Protection Officer. 

Organisations based outside of the EU must comply if they handle, store, manage, or process EU citizens’ personal data. Any company in the world that sells to European companies, or receives data from EU citizens, for example, will be affected. 

Keywords: [“Data”,”organisation”,”regulation”]

GDPR Compliance Checklist

Learn about GDPR. Most people will know something about the GDPR. The basics are that the GDPR replaces the Data Protection Directive. The GDPR also gives individuals greater control over how their data is used. Any company processing the data of people living in the EU must comply with the new regulation. 

This level of awareness and training is required as part of a company’s compliance with the GDPR. Carry out an audit of data held. Once a company knows what is required to comply with the GDPR, it needs to carry out an audit of the personal data it’s currently holding. The GDPR stipulates that data should only be used for the purpose for which it was originally acquired. Companies need to identify any high risk data or activities. 

Once GDPR is introduced, it will be mandatory for all data breaches to be reported within seventy-two hours. When the GDPR becomes a reality, any company or organisation that monitors personal data on a large scale must engage the services of a DPO, either internally or via an external provider. Every company needs to be able to prove that it’s compliant, should it be audited by the relevant DPA. Companies can only prove that they are compliant if everything they do, with regard to data management and protection, is documented, and if they can prove that a checking regime is in place. From then on it’s a case of auditing current data and practices, and making sure that any data currently held complies with the GDPR. 

Companies also need to have processes and procedures in place to ensure that ongoing data collection and management complies with what the GDPR stipulates. Although companies should do everything possible to ensure the security of data, they should also be prepared to report data breaches within 72 hours. 

Keywords: [“Data”,”company”,”GDPR”]

What the GDPR Means to Social Media Marketers

That’s the penalty for failing to comply with the General Data Protection Regulation, the EU’s new data privacy law. So if you are a business with customers in the EU, the GDPR will be applicable to you when you are handling personal data of your EU customers. Greater trust: Your customers will know what data of theirs is collected and how it will be used. Improved marketing experience: With stricter regulation on the use of personal data for marketing and advertising, consumers will likely have a better experience while surfing the internet. More privacy: Businesses are required to collect and process only personal data that are necessary for each specific purpose and implement measures to protect personal data. 

More security of their personal data: With stricter rules on collection and processing of personal data, there would likely be fewer data breaches such as the recent incidents. This is because most organic social media activities such as posting content and engaging fans do not collect personal data from people who view or engage with it. You would not want to export or scrape contact details from your social media followers or groups as that is personal data. Under the GDPR, if you want to use your customers’ data or track their behavior for advertising, you must obtain the legal basis to do so. You have to state what data will be collected and how it will be used. 

Several social media advertising features use customer data that you upload, collect personal data, or track behavior on your site. There have also been some changes to lead form ads on Facebook and LinkedIn to help you stay compliant with the GDPR. As you would be collecting data through lead forms, you’ll need to state how the data will be processed and establish a legal basis for processing the data. 

Keywords: [“Data”,”personal”,”GDPR”]

GDPR News Center News for 07-22-2018

GDPR Explained: What are the Technical Security Requirements?

The upcoming GDPR will bring substantial changes to how organizations process personal data. Every time we buy a product online, pay our taxes or use a service, we have to hand over some of our personal data. Clearly, cyber theft of the data exposes us to significant personal risks. Data Subject Rights: to be informed about processing of the personal data, to have access to the data, to be forgotten, to be notified about a data breach, and so on. These rights, along with the privacy principles, dictate the implementation of security controls and the management of the personal data lifecycle. 

Data Protection Impact Assessment: a DPIA includes such tasks as identification of data flows, evaluation of security controls, assessing the effects of a presumed data breach and mitigating privacy risks. The regulation also calls for the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, and for a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. Data Breach Notification: organizations shall monitor access to personal data and the effectiveness of security controls in order to detect data breaches in their systems. The first step is to identify the personal data processed in the system, find the users having access to the data, evaluate security controls, and identify risks to data subjects in case of a data breach. 

The second step is mitigating the identified risks: restrict access to personal data, implement security controls, and configure blocking and erasing rules for personal data. We have to monitor access to personal data, detect ongoing cyberattacks, and prepare incident response plans. It’s noteworthy that GDPR in many different ways requires monitoring access to the data and the effectiveness of security controls. 
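The monitoring requirement above, and the forensic question raised earlier on this page of which users are affected and which data were accessed after a breach, can be answered from an access log that records every read of a personal-data record. The following added example (not code from the article) parses constructed audit-log lines, flags an account that touches an unusual number of distinct data subjects in a short window, lists what a given account accessed in a time range, and computes the 72-hour notification deadline. The log format, user names and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit-log lines (not from any real system). One line per access
# to a personal-data record: "<ISO time> <account> <action> <table> <subject_id>"
SAMPLE_LOG = """\
2018-05-26T09:00:05 support_anna read customers 1001
2018-05-26T09:03:40 support_anna read customers 1002
2018-05-26T09:10:12 support_anna read customers 1001
2018-05-26T02:14:01 helpdesk_tom read customers 2001
2018-05-26T02:14:02 helpdesk_tom read customers 2002
2018-05-26T02:14:02 helpdesk_tom read customers 2003
2018-05-26T02:14:03 helpdesk_tom read customers 2004
2018-05-26T02:14:03 helpdesk_tom read customers 2005
2018-05-26T02:14:04 helpdesk_tom read customers 2006
2018-05-26T09:20:00 support_anna export orders 1002
"""

def parse_log(text: str) -> List[dict]:
    """Parse the log into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, table, subject = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "table": table, "subject": int(subject)})
    events.sort(key=lambda e: e["ts"])
    return events

def detect_bulk_access(events: List[dict], max_subjects: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> Dict[str, List[int]]:
    """Flag accounts that touch more than max_subjects distinct data subjects
    within `window`; a helpdesk account reading six customers in four seconds
    at 02:14 is the pattern a scraping session or stolen credential leaves.
    Legitimate batch jobs should be placed on an allowlist before alerting."""
    alerts: Dict[str, set] = {}
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)   # events are already time-ordered
    for user, evs in per_user.items():
        win = deque()
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            subjects = {x["subject"] for x in win}
            if len(subjects) > max_subjects:
                alerts.setdefault(user, set()).update(subjects)
    return {u: sorted(s) for u, s in alerts.items()}

def affected_subjects(events: List[dict], user: str,
                      since: str, until: str) -> Dict[str, List[int]]:
    """Forensic view for breach notification: which subjects' records, per
    table, did this account access between the two ISO timestamps?"""
    lo, hi = datetime.fromisoformat(since), datetime.fromisoformat(until)
    touched: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["user"] == user and lo <= e["ts"] <= hi:
            touched[e["table"]].add(e["subject"])
    return {t: sorted(s) for t, s in touched.items()}

def notification_deadline(detected_at: str) -> str:
    """The 72-hour clock runs from when the breach became known."""
    return (datetime.fromisoformat(detected_at) + timedelta(hours=72)).isoformat()
```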

Keywords: [“data”,”personal”,”GDPR”]

Is Your Nonprofit Ready for GDPR?

The new EU data protection law, the General Data Protection Regulation, comes into force on May 25th and it brings with it an entirely new set of rules that nonprofits world-wide – not just in the European Union – will have to abide by. If your nonprofit has even one constituent in the European Union, this regulation is something you need to be aware of and comply with. If your organization hasn’t talked to expert counsel to be prepared for GDPR compliance, there’s no time to lose at this point. Some key things to know: It doesn’t matter that your nonprofit isn’t in the EU. The GDPR covers privacy as it relates to individuals resident in the European Union, but companies and nonprofits everywhere in the world must be in compliance. 

Even if your organization is based in the US or Canada, if you have any kind of constituent living in the EU, then your organization must be in compliance. The data doesn’t have to be strictly private or confidential. Your nonprofit may need to hire a designated data protection officer. If your nonprofit already has a HIPAA compliance officer, that person would be a logical choice for this added role. EU residents will have the right, among other things, to control how you collect and use their data. 

Take some first steps: Your organization’s leadership should confer with your nonprofit’s legal counsel about your responsibilities to abide by GDPR. Talk to colleagues at organizations like yours and find out what they’re doing. European Commission: The EC has published its own webpage with information about the Regulation and data protection, with a library of white papers, guides, and further information links. Institute of Fundraising: The IoF has put together a series of helpful guides and events to help nonprofits prepare for when GDPR takes effect. 

Keywords: [“data”,”organization”,”nonprofit”]

How GDPR Impacts Marketers: What You Need to Know

In this article, you’ll find a plain-language overview of GDPR, how it could impact your data collection, and what you need to do to make sure you’re compliant before May 25, 2018. A non-EU-based business must comply with the GDPR if it collects or processes personal data of any EU resident. GDPR may require significant changes in how a company discloses and obtains consent to collect personal data. Explain why the entity wants the data and what it will do with the data. Individuals have a right to access their data, which means the right to know where, why, and how their data is processed. 

Under GDPR, a company may not collect personal data of anyone under 16 without parental consent. For many social media marketers, there are many questions about whether compliance is necessary for companies outside of the EU. However, non-EU companies must comply with GDPR if: 1) they collect or process personal data of any EU resident, or 2) the company’s activities relate to offering goods or services to EU citizens, regardless of whether payment is required. Any non-EU-based business must comply with the GDPR if it collects or processes personal data. After you’ve determined what personal information you collect or process, obtain explicit consent, described above, for each reason you collect such data. 

If you still aren’t sure exactly what personal data you may be collecting, here are a few examples that are common for social media marketers, along with some tips on how to stay compliant for each. If you have ads on your website from a third-party ad server, upon entering your site, users should immediately consent to your use of a third-party server that collects user data for advertising and marketing purposes. GDPR Personal Data Reports: generates a personal data report for users invoking their Right of Access. 

Keywords: [“data”,”consent”,”personal”]