Convert + GDPR

Committing to Compliance

Starting late May 2018, the GDPR (General Data Protection Regulation) will come into effect, and any organization not in compliance with the new regulation will face heavy fines. But it’s not as scary as it sounds. At Convert, we’re dedicated to complying fully with the GDPR and ePrivacy Regulations before their enforcement date, with modifications to our applications that put "Privacy by Design" into our product (see the full roadmap here), and with the GDPR as a company.

This article details how.

What is GDPR (and why should I care)?

General Data Protection Regulation (GDPR) was passed by the EU Parliament in April of 2016. Replacing the Data Protection Directive from the 90s, it’s the biggest overarching legislative change in data privacy regulation to take place the last 20 years.

In short, GDPR was created to standardize data privacy laws throughout Europe and to put greater protection on the data privacy of EU citizens. The big changes are:

  • A Change in Legislative Scope: Now, all controllers and processors in the EU are subject to GDPR—even if the data they’re accessing is processed outside of the EU. The reverse is also true. If you’re a company processing the data of EU citizens (either to offer goods and services, or to monitor behavior taking place in the EU)—it doesn’t matter where you’re based, or where you’re processing the data. You still have to comply with GDPR.
  • Greater Penalties for noncompliance: The maximum fine for noncompliance with GDPR is up to 4% of annual global turnover, or 20 million euros—depending on which is greater.
  • Strengthened Conditions for Consent: No more legalese. Consent has to be given in an easy, accessible way before processing a person’s data. You also have to disclose the purpose of that data processing, and make it as easy to withdraw consent as to give it.

A full list of the key GDPR changes can be found on the EU GDPR website here.

Who does GDPR affect?

Just about anyone dealing with data. If your business is based in the EU, or you ever process the data of citizens from the EU—you’ll want to make sure you’re doing everything you can to comply with GDPR.

What is Convert doing to ensure GDPR compliance?

We’re glad you’ve asked! The chart below breaks down the new GDPR privacy standards, and how we’re working to respond to them. We’ll update this article frequently, so you can keep an eye on how far along we are in the process.

Art. in GDPR - Summary - Actions to be taken - Progress

Articles 1-4

General Provisions, Scope and Definitions

Convert has read the general provisions and definitions as well as the scope of this new legislation. COMPLETE

Article 5

6 new Data Protection Principles have been introduced:

  1. Lawfulness, fairness and transparency
  2. Purpose limitations
  3. Data minimisation
  4. Accuracy
  5. Storage limitations
  6. Integrity and confidentiality

Convert already raised awareness and made sure that key decision makers are aware that the law is changing and identified areas that could cause compliance problems under the GDPR. COMPLETE

Convert employees who handle personal data of other employees or customers will receive training in order to ensure that they handle changes in accordance with GDPR. Convert should keep a record of training and provide update and refresher training on an annual basis. IN PROGRESS

Through this, Convert will define new Policies and Procedures, the most common should be:

  1. General Data Protection Policy
  2. Data Subject Access Rights Procedure
  3. Data Retention Policy
  4. Data Breach Escalation and Checklist
  5. Employee Privacy Policy and Notice
  6. Processing Customer Data Policy
  7. Guidance on Privacy Notices

Article 6

Lawfulness of processing: conditions that must be satisfied for the processing of personal data to be lawful.
  1. Consent from individual
  2. Contract with individual
  3. Compliance with a legal obligation
  4. Vital interests
  5. Public task
  6. Legitimate interest

Convert will:

  1. Audit the use of personal data to assess what lawful processing ground(s) it currently relies on and whether they remain valid under the GDPR
  2. Train staff so that they are aware of legal processing grounds.

Article 7

New legislation around the consent of the individual for the organisation to hold his/her personal data. Several aspects need to be addressed:
  1. Unbundled
  2. Active opt-in
  3. Granular
  4. Named
  5. Easy to withdraw
  6. Documented
  7. No imbalance in the relationship

Our main plan is to review methods for seeking, obtaining and recording consent to ensure compliance.

Convert will implement explicit and affirmative consent through check boxes and clear privacy policies. Convert works together with lawyers to craft policies and terms based on your needs and data processing.

In addition, Convert will track all the actions that users take, from the signup to account deletion, and ensure that each step complies with new laws of consent.

Finally, Convert has in mind these questions to answer when the new consent is applied:

  1. Was the consent freely given?
  2. Is the consent presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language?
  3. Can Convert demonstrate that the data subject gave their consent?
  4. Does the data subject have the ability to withdraw their consent?

Article 8

Same as Article 7, but for children’s data consent in relation to information society services.

Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children. IN PROGRESS

Article 9

Sensitive Personal Data, which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health-related information (physical or mental), and sexual orientation.

Convert does not keep such data. Data that people enter into Convert app cannot later be used to discriminate against them due to their identity, expression or behavior, thereby restricting the enjoyment of their rights.

In the future, should it be needed, Convert will only keep special category data for as long as it needs it, and once it is no longer needed, will securely remove it from its systems in an auditable way. COMPLETE

Article 10

Sensitive Personal Data relating to criminal convictions and offences or related security measures.

Convert does not keep such data. COMPLETE

Article 11

Processing which does not require identification: A controller that cannot identify the data subject is absolved from having to respond in detail to a data subject’s requests — except to tell the data subject (“if possible” to do so) that it cannot comply due to lack of identification.

Convert will examine every data subject’s request with respect. However, in cases where Convert can prove that the data subject cannot be identified, the data subject’s rights will be limited. IN PROGRESS

Articles 12-14

Privacy Notices must be given at the time that the data is obtained from the data subject, or, if the data was received from a third party, within a reasonable period after obtaining the data but at the latest within one month.

During data collection, e.g. user registration, Privacy Notices must exist and be clear. We are in the process of defining these new Privacy Notices. IN PROGRESS

Articles 15-23

Expanded Individuals’ Rights:
  1. access their information;
  2. have inaccuracies corrected;
  3. have information erased;
  4. prevent direct marketing;
  5. prevent automated decision making and profiling;
  6. data portability.

Convert will enable employees and customers to request their personal data processed by Convert. IN PROGRESS

Trained personnel will respond to requests within the 1 month timeframe. IN PROGRESS

Article 24

Definition of a Controller

Convert acts as a controller and will comply with all corresponding regulations. IN PROGRESS

Article 25

Data Protection by design and by default

Several guidelines will be applied during the software development cycle:

  1. Training (developers will be trained on Privacy and Security aspects)
  2. Design (all data oriented and process oriented design requirements will be driven by GDPR)
  3. Coding (developers will use approved tools and frameworks, disable unsafe functions and modules, and regularly carry out static code analysis and code review)
  4. Testing (tests of whether data protection and security requirements are implemented properly will be conducted)
  5. Before every release, an Incident Response Plan will be established, and a full security review of the software will be carried out. Release will then be approved and all relevant data from the entire development process will be archived.
  6. Maintenance (Convert should be prepared to respond to incidents, personal data breaches, faults and attacks, and be capable of issuing updates, guidelines, and information to users and those affected by the software)

Article 28

Definition of a Processor

Convert acts as a processor and will comply with all corresponding GDPR regulations. IN PROGRESS

Article 30

Record keeping: all personal data processing activities shall be recorded.

Article 30 says that these requirements don’t apply to organisations of under 250 employees; however, it has some UNLESS clauses that make it difficult to decide whether Convert needs to take any action. UNDER INVESTIGATION

Articles 33-34

Data breaches

Convert will ensure that there are procedures in place to detect, investigate and report on personal data breaches within 72 hours of becoming aware of them. IN PROGRESS

Articles 35-36

Privacy Impact Assessment (PIA): If you are using "new technologies" which process personal data which is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the protection of personal data.

Prior Consultation: Data controllers should consult the supervisory authority every time a PIA identifies an inherently high risk processing activity.

Not strictly necessary, as the type of processing Convert does is unlikely to result in a high risk, but Convert will put a simple PIA in place anyway. IN PROGRESS

Articles 37-39

Appointment of DPOs: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance.

Convert won’t need to appoint a DPO (since it is not a large company), but a trained team will be responsible for data protection matters as part of their role. COMPLETE

Articles 40-43

Codes of Conduct and Certifications: GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.

Convert will find the appropriate Codes of Conduct and Certifications and comply with them. The most “popular” are:

  1. ISO 27001 (Information Security Management)
  2. ISO 27017 (Cloud Security)
  3. ISO 27018 (Cloud Privacy)
  4. SSAE16 / ISAE 3402 (SOC 2/3)
  5. PCI-DSS
  6. ISO 9001 (Quality Management)

Articles 44-50

Cross-border data transfer: As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an “adequate” level of data protection. A current list of “approved countries” is available here.

Convert will:

  1. Identify and map all cross-border data flows.
  2. Examine and assess for each of these flows whether (i) the receiving country is an EEA Member State or deemed “adequate”, (ii) if not, whether any “appropriate safeguards” have been put in place, and/or (iii) if not, whether any specific derogations apply.
  3. Adhere to approved code of conduct / certification mechanisms (described in previous articles).
  4. Review if Privacy Shield is in place.

Articles 51-59

Independent Supervisory Authorities

Convert has read these articles. COMPLETE

Articles 60-76 Cooperation and Consistency

Convert has read these articles. COMPLETE

Articles 77-84 Remedies, Liability, and Sanctions

Convert has read these articles. COMPLETE

Articles 85-91 Provisions relating to specific data processing situations

Convert has read these articles. COMPLETE

Articles 92-93 Delegated Acts and Implementing Acts

Convert has read these articles. COMPLETE

Articles 94-99 Final provisions

Convert has read these articles. COMPLETE

Have questions about how Convert’s actions, and GDPR, will affect your business? Contact us at: