From 25 May 2018, the GDPR (General Data Protection Regulation) applies, and any organization not in compliance with the new regulation faces heavy fines. But it's not as scary as it sounds.
At Convert, we're committed to full GDPR compliance before its enforcement date, and we've modified our product according to the principles of Privacy by Design.
You'll find the full roadmap here, and an overview below.
The regulation's 173 recitals are here and its 99 articles are here.
And you can request a (free, signed) Data Processing Agreement here.
The General Data Protection Regulation (GDPR) was adopted by the EU Parliament in April 2016. Replacing the Data Protection Directive of 1995, it is the biggest overarching change to data privacy regulation in the last 20 years.
In short, GDPR was created to harmonize data privacy law across Europe and to strengthen the protection of the personal data of people in the EU (it protects data subjects in the EU, not only EU citizens). The big changes are:
A full list of the key GDPR changes can be found on the EU GDPR website here.
Just about anyone dealing with personal data. If your business is established in the EU, or you offer goods or services to people in the EU or monitor their behaviour (Article 3), you will want to make sure you are doing everything you can to comply with GDPR.
We're glad you asked! The chart below breaks down the new GDPR requirements and how we're responding to them. We'll update this article frequently, so you can keep an eye on our progress.
| Art. in GDPR | Summary | Actions to be taken / Progress |
|---|---|---|
| Articles 1-4 | General provisions, scope and definitions. | Convert has read the general provisions and definitions as well as the scope of this new legislation. COMPLETED |
| Article 5 | Six principles for processing personal data (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality), plus the controller's accountability for demonstrating compliance with them. | Convert has raised awareness and made sure that key decision makers know that the law is changing, and has identified areas that could cause compliance problems under GDPR. COMPLETED Convert employees who handle the personal data of other employees or customers will receive training so that they handle it in accordance with GDPR; Convert will keep a record of this training and provide refresher training annually. COMPLETED Through this, Convert will define new policies and procedures, the most common of which should be: |
| Article 6 | Lawfulness of processing: the conditions (legal bases) at least one of which must be satisfied for the processing of personal data to be lawful. | Convert will: |
| Article 7 | Conditions for consent: consent must be freely given, specific, informed and unambiguous; the controller must be able to demonstrate it; and withdrawing consent must be as easy as giving it. Several aspects need to be addressed: | Our main plan is to review the methods for seeking, obtaining and recording consent to ensure compliance. Convert will implement explicit, affirmative consent through check boxes and clear privacy policies. Convert works with lawyers to craft policies and terms based on the customer's needs and data processing. In addition, Convert will track all the actions users take, from signup to account deletion, and ensure that each step complies with the new rules on consent. Finally, Convert has the following questions in mind when the new consent is applied: |
| Article 8 | Same as Article 7, but for children's consent in relation to information society services: below the age of 16 (Member States may lower this to 13) consent must be given or authorised by the holder of parental responsibility. | Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children. COMPLETED |
| Article 9 | Special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data, health data (physical or mental), and data concerning sex life or sexual orientation. | Convert does not keep such data. Data that people enter into the Convert app cannot later be used to discriminate against them on the basis of their identity, expression or behaviour, thereby restricting the enjoyment of their rights. If such data is ever needed, Convert will only keep it for as long as it is needed and, once it is no longer needed, will securely remove it from its systems in an auditable way. COMPLETED |
| Article 10 | Personal data relating to criminal convictions and offences or related security measures. | Convert does not keep such data. COMPLETED |
| Article 11 | Processing which does not require identification: a controller that can demonstrate it is not in a position to identify the data subject need not respond to that subject's requests under Articles 15-20, unless the data subject provides additional information enabling identification; where possible, the controller must tell the data subject that it cannot comply for this reason. | Convert will examine every data subject's request with respect. However, in cases where Convert can demonstrate that the data subject cannot be identified, the data subject's rights will be limited accordingly. COMPLETED |
| Articles 12-14 | Transparency and privacy notices: the required information must be given at the time the data is obtained from the data subject, or, if the data was received from a third party, within a reasonable period after obtaining it and at the latest within one month. | Clear privacy notices must exist at every point of data collection, e.g. user registration. COMPLETED |
| Articles 15-23 | Expanded individual rights: access, rectification, erasure, restriction of processing, data portability, objection, and safeguards around automated decision-making (Article 23 allows Member States to restrict these rights in limited cases). | Convert will enable employees and customers to request the personal data Convert processes about them. COMPLETED Trained personnel will respond to requests within the one-month timeframe set by Article 12(3). COMPLETED |
| Article 24 | Responsibility of the controller: implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing complies with the regulation. | Convert acts as a controller for the personal data of its own employees and customers and will comply with all corresponding obligations. COMPLETED |
| Article 25 | Data protection by design and by default. | Several guidelines will be applied during the software development cycle: |
| Article 28 | Processor obligations: processing on behalf of a controller must be governed by a contract containing the Article 28(3) terms, and the processor may only act on the controller's documented instructions. | Convert acts as a processor for the data its customers collect through the product and will comply with all corresponding GDPR obligations; our Data Processing Agreement covers the Article 28 terms. COMPLETED |
| Article 30 | Records of processing activities: all personal data processing activities shall be recorded. | Article 30(5) exempts organisations with fewer than 250 employees, unless the processing is likely to result in a risk to data subjects, is not occasional, or involves special-category or criminal-offence data. Convert relies on this exemption; in addition, Convert Experiences will not hold personal data once this roadmap is complete. COMPLETED |
| Articles 33-34 | Personal data breaches: notify the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals), and communicate the breach to affected data subjects without undue delay when it is likely to result in a high risk to them. | Convert will ensure that procedures are in place to detect, investigate and report personal data breaches within 72 hours of becoming aware of them. COMPLETED |
| Articles 35-36 | Data Protection Impact Assessment (DPIA): where processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall assess the impact of the processing on the protection of personal data. Prior consultation: the controller must consult the supervisory authority where a DPIA indicates that the processing would result in a high risk in the absence of mitigating measures. | Not strictly necessary, as the type of processing Convert does is unlikely to result in a high risk, but Convert will put a simple DPIA in place anyway. COMPLETED |
| Articles 37-39 | Appointment of a Data Protection Officer (DPO): required for public authorities, and for organisations whose core activities consist of large-scale regular and systematic monitoring of individuals or large-scale processing of special-category or criminal-offence data. | Convert does not meet the Article 37 criteria for a mandatory DPO, but a trained team will be responsible for data protection matters as part of their role. COMPLETED |
| Articles 40-43 | Codes of conduct and certifications: GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate compliance. | Convert will identify the appropriate codes of conduct and certifications and comply with them. The most popular are: |
| Articles 44-50 | Cross-border data transfers: as a general rule, personal data may be transferred to countries outside the EEA where the European Commission has decided that the destination ensures an adequate level of protection; otherwise appropriate safeguards (such as standard contractual clauses or binding corporate rules) or a specific derogation are required. A current list of adequacy decisions is available here. | Convert Experiences does not transfer personal data to or from countries outside the EEA within its infrastructure. COMPLETED |
| Articles 51-59 | Independent supervisory authorities. | Convert has read these articles. COMPLETED |
| Articles 60-76 | Cooperation and consistency. | Convert has read these articles. COMPLETED |
| Articles 77-84 | Remedies, liability and sanctions. | Convert has read these articles. COMPLETED |
| Articles 85-91 | Provisions relating to specific data processing situations. | Convert has read these articles. COMPLETED |
| Articles 92-93 | Delegated acts and implementing acts. | Convert has read these articles. COMPLETED |
| Articles 94-99 | Final provisions. | Convert has read these articles. COMPLETED |
If you're looking to document your GDPR compliance efforts, we can help. Convert's DPA (Data Processing Agreement) sets out our obligations as a data processor, and yours as a controller, while you use our tool. Get it signed for free here.
Have questions about how Convert’s actions, and GDPR, will affect your business? Contact us at: support@convert.com