
GDPR: What You Have To Know: 3 Easy Steps To Be Compliant

Digidly - Trustworthy experts to make your business GDPR compliant Check our new startup: https://digidly.com/

Uploaded by Team Digidly

AN IMPORTANT FREE GUIDE FOR THE GDPR

GDPR: WHAT YOU HAVE TO KNOW
3 EASY STEPS TO BE COMPLIANT

A step-by-step roadmap, easily applicable advice and all the professional templates you need to make your business compliant.

www.digidly.com
Disclaimer
This document is intended as a guideline and is not intended as legal advice. The guidance that follows is in the nature of general information about the subject matter concerned – it is invariably the case that detailed legal advice requires a lot of fact-sensitive information that we will not have while discussing points today. As such, no reliance should be placed on the guidance given in this talk without first taking such detailed advice.

THE DOCUMENTS ARE AVAILABLE WITH A PRO MEMBER ACCOUNT

For more information about the documentation, visit digidly.com.
STEP 1

AWARENESS

EMPLOYEES SHOULD BE ‘IN THE KNOW’

It is important that every member of an organisation understands how their role is impacted by a regulation and how they can contribute towards complying with it.

With the GDPR, we expect the product development team to know what “privacy by design” means and how it should be incorporated into product workflows. A marketing team should know when they have a legal right to send emails to customers (and when they don’t). IT departments are expected to know what good security looks like. HR teams should be ready to respond to requests from individual members of staff in relation to their personal information.

IF THE REGULATOR’S EXPECTATIONS are not met by an organisation, then that organisation will not be compliant with data protection law, including the GDPR. If your product development team doesn’t understand its responsibilities, non-compliant products will be released which could lead to customer complaints. If your marketing team sends out marketing emails to individuals when they have no right to do so, a complaint could be made to the regulator. If your IT department does not understand what good security looks like, there could be a data breach which has to be notified to the regulator. And if your HR team does not respond to an information request from an individual, a claim could be made against your organisation by that individual.

In all these scenarios, there is a risk of bad publicity and fines resulting directly from a failure to train your staff. However, let’s not be too alarmist about all this. There are very positive reasons to train all your staff in GDPR compliance.
What does a compliant company look like?

A company that is GDPR compliant regularly trains all its staff. Firstly, the employees should be “in the know” with a general presentation*. Then the company conducts training and refresher sessions on a regular basis. It incorporates data protection training into its process for onboarding new employees and when retaining contractors.

A compliant company does not simply train its staff and then forget about data protection compliance – it embeds data protection compliance into company culture so that protecting personal information becomes second nature.

*GDPR PRESENTATION
*LIST EMPLOYEE CONFIRMATION

APPOINT THE PERSONS RESPONSIBLE OR A DPO

It is important to identify who, within your organisation, is responsible for privacy compliance and who else is involved:

- individuals who are authorised to decide on important matters on behalf of the organisation
- individuals who know about law, technology and data processing within an organisation
- people who recognise the importance of privacy compliance.
DPO
DATA PROTECTION OFFICER

The DPO is a position that the vast majority of companies will not need as they are either too small or do not carry out enough processing or profiling. However, you should undergo a formal assessment and make sure that you have written reasons for your choice in case of any future enquiry.

Even if it is not obligatory, you can still appoint a DPO (art. 37).

In any case, you must appoint a DPO if:

- you are a public authority or body
- your work involves processing operations that amount to regular and systematic observation of individuals on a large scale
- your job involves processing of special personal data on a large scale (see Step 2).

Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

There is no specific training or certification needed for a DPO. What is required is that they are familiar with the GDPR and with your organisation. They do not have to undergo any specific courses, but you should ensure that they keep themselves up to date on all relevant issues and future legislation. They will manage any contact with the data protection authority of your country*.

*INTERACTIVE GDPR LAW
*CONTACT OF THE DATA PROTECTION AUTHORITIES
STEP 2

PREPARATION

DATA INVENTORY

INVENTORY PERSONAL DATA PROCESSING OPERATIONS

To be able to act in accordance with the GDPR, you must firstly inventory the personal data processing operations within your organisation. You should know which data is used, by whom and for what purposes. Then you can assess what needs to be changed in order to be compliant. You should inventory everything in a document*.

Having mapped your data inventory, you will have a better idea of the data processing operations within your organisation, the greatest risks associated with those operations, and what will change for you. You can then decide what action to take and which subjects are a priority for your organisation.

*DATA INVENTORY MAP

INTRODUCE A DATA MINIMISATION POLICY: DECIDE ON YOUR RETENTION PERIODS

The GDPR emphasises the obligation not to process more personal data than necessary. This is also referred to as data minimisation. In this context it is important to determine how long you will retain the personal data and ensure that data is removed promptly.
UPDATE YOUR SECURITY POLICY AND APPLY PRIVACY BY DESIGN AND PRIVACY BY DEFAULT

Under the GDPR you must take “appropriate technical and organisational measures” to secure personal data.

What is appropriate depends on the processing risk: you must be able to demonstrate that you have taken appropriate measures and are able to make your considerations in this regard readily comprehensible.

It is partly for that reason that it is important to check whether your security policy is still compliant and to update it where necessary.

Check our data privacy policy template*.

FURTHERMORE, THE EMPLOYEES should read the new data privacy policy for complying with the new code. In addition, the GDPR introduces obligations in the field of Privacy by Design and Privacy by Default*.

This means that as soon as you have chosen a medium for data processing or when designing systems or applications, you must take the personal data protection into account by implementing security measures and data minimisation, for example.

The standard settings must be such that only personal data is processed for a specific aim. The rights of those concerned must be taken into account at all times as well, which includes in the design of a processing operation.

*DATA PRIVACY POLICY TEMPLATE
*PRIVACY BY DESIGN & PRIVACY BY DEFAULT
STAKEHOLDERS’ AND CONSUMERS’ AWARENESS

A number of your data processing operations will probably be based on the principle of consent.

Lawful consent only applies if this is “freely given, specific, informed and unambiguous”, without coercion. This can be given by means of a statement or an affirmative act, such as ticking a box, if sufficient information is also provided. The automatic, implicit assumption of consent or the use of prefilled tick boxes is not sufficient to obtain valid consent.

You must be able to demonstrate that you have obtained the valid consent of data subjects to process their personal data.

Furthermore, data subjects are entitled to withdraw their consent at any time. This must be as simple as giving consent, and before data subjects give their consent, they must be informed of this right. Otherwise consent is invalid.

CHECK YOUR PROCESSORS AND DATA PROCESSING AGREEMENTS

A processor is a third party that processes personal data on behalf of an organisation.

These may include service providers who do the payroll accounting but may also include all kinds of cloud or other IT services where the service provider stores or can access your personal data.

So, you should send a letter by email or post asking whether the processor is compliant with the GDPR*.

*READINESS LETTER
*READINESS PROVE LIST
STEP 3

IMPLEMENTATION

IMPLEMENT TOOLS TO RESPECT THE NEW RIGHTS OF DATA SUBJECTS

The GDPR gives particular attention to the rights of data subjects.

For example, data subjects have the right to access and rectify their details. Moreover, individuals are being given even more opportunities to speak for themselves when it comes to the processing of their data.

Their rights are being strengthened and expanded. Therefore, evaluate your procedures for granting access, etc. and set out the conditions for individuals to exercise their rights under the GDPR within your organisation*. The information should, in principle, be provided at the time the personal data is collected.

*CONSUMER'S RIGHT

DPIA: DATA PRIVACY IMPACT ASSESSMENT

Under the GDPR you may be obliged to carry out a data privacy impact assessment (“DPIA”).

A DPIA is an instrument that allows you to inventory the risks of a data processing operation before such operation is carried out, so that measures can be taken to reduce those risks*.

*DPIA LONG VERSION
DPIA
WHEN IS THERE A NEED FOR A DPIA?

A DPIA is mandatory for (envisaged) data processing operations which, given their nature, context and objective, represent a high risk to privacy.

There is certainly a high risk in the following cases:

- if you assess individuals on the basis of personal characteristics and base decisions on those characteristics. This includes profiling and forecasting;
- if you process sensitive personal data, such as data regarding health, data on crime or political preferences, on a large scale;
- if you monitor people in public places systematically and on a large scale (e.g. camera surveillance).

In all other instances you must decide for yourself whether an operation entails a “high risk”. If your processing operation meets two or more of the criteria in our DPIA guide*, you can assume that you must carry out a DPIA.

*DPIA GUIDE SHORT VERSION
DRAW UP A DATA BREACH PROTOCOL AND KEEP A REGISTER

DATA BREACH

Under the GDPR you may be obliged to report a data breach to the competent authority and/or the data subjects. A data breach refers to access to, or the destruction, alteration or release of, personal data without this being intended. Data breach therefore covers not only the release (breach) of data, but also unlawful processing of data and unintentional destruction.

Under the GDPR you are obliged to report any data breach to the data protection authority of your country without delay*, within 72 hours where possible. In addition, you could notify the data breach to your customers.

In addition, the GDPR imposes the requirement that all data breaches – both reported and unreported – that have occurred in your organisation be documented in a register*. Based on this, the competent authority can check whether you have complied with your reporting obligation.

DATA LEAK PROTOCOL

To be able to comply with the aforementioned obligations, you must ensure that you are aware of a data breach as soon as it occurs and take appropriate action immediately. It is important to have a data breach protocol*. In the protocol you can record the steps to be taken if your organisation is confronted with a data breach, what information must be collected/recorded and/or reported, by whom, and within what time frame.

*DATA BREACH REPORT FORM
*DATA BREACH POLICY TEMPLATE
*DATA BREACH REGISTER
LOOK AT OUR DOCUMENTS

BE COMPLIANT

POWERED BY DIGIDLY

www.digidly.com
[email protected]

GDPR SUMMARY

Got any questions?
DON'T BE SHY! E-MAIL US AT
[email protected]

WWW.DIGIDLY.COM