GDPR Compliance

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Preferences Deny Accept

Privacy Preference Center

When you visit websites, they may store or retrieve data in your browser. This storage is often necessary for the basic functionality of the website. The storage may be used for marketing, analytics, and personalization of the site, such as storing your preferences. Privacy is important to us, so you have the option of disabling certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may impact your experience on the website.

Reject all cookies Allow all cookies

Manage Consent Preferences by Category

Essential

Always Active

These items are required to enable basic website functionality.

Marketing

Essential

These items are used to deliver advertising that is more relevant to you and your interests. They may also be used to limit the number of times you see an advertisement and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the website operator’s permission.

Personalization

Essential

These items allow the website to remember choices you make (such as your user name, language, or the region you are in) and provide enhanced, more personal features. For example, a website may provide you with local weather reports or traffic news by storing data about your current location.

Analytics

Essential

These items help the website operator understand how its website performs, how visitors interact with the site, and whether there may be technical issues. This storage type usually doesn’t collect information that identifies a visitor.

Confirm my preferences and close

GDPR Compliance Outline

‍

Audit the data PW is processing

What kind of personal data are we collecting, storing, and processing? (i.e.) names, emails, phone numbers, IP addresses, device IDs, credit card or bank details, geolocation data, etc.
Are we collecting ‘sensitive’ personal data beyond what’s listed above? This would include race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric data.

If so, we are required to have additional provisions in place such as Data Protection Impact Assessment (DPIA) or appointing a Data Protection Officer (DPO).

Establishing legal basis

Once the above is established (that is, what data we collect), we need to assign and Identify the legal basis for processing each personal data that PW collects.
GDPR provides for six legal bases for processing: consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
There should only be one legal basis for processing at a time and that it must be established before the processing begins.
The legal basis should also be demonstrable at all times (i.e. a business must be able to show internally, to data subjects, and to regulatory entities what legal basis it uses for each user).

‍

Review data storage practices

Ensure that the personal data of EU residents are stored in the EU or that the service providers can provide GDPR-level adequate protections.

Need to check Google Drive, Airtable, Hylo, Donorbox, etc.

We have this in place already, but we need to be vigilant about ensuring that data is stored on secure servers that have technical and organizational security measures to safeguard it and to reduce the risk of loss, misuse, and unauthorized access, disclosure, and alteration.

‍

Storage limitations

GDPR principles outline that personal data must be stored for the shortest time possible.
PW will need to delete or anonymize personal data once it is no longer needed.
Also, GDPR gives users the right to access, edit, and delete their personal data collected by a business. So, PW must have a secure system in place to store data and mechanism on the website and any other platforms we’re using that will give this option.

Obtain prior user consent

GDPR consent must be freely given, specific, and unambiguous. For consent to be free, it should be affirmative i.e. the user must give consent using a positive action. Data collected on websites via contact forms, subscriptions forms, sign up forms, email lists etc. should respect GDPR consent requirements.
Unambiguous consent would look like:

Identity of the controller
Purpose of each processing for which consent is asked
Data and type of data that will be collected and used through consent.
Information about the right to withdraw consent.
Information regarding the use of data for automated processing including profiling
Possible risk of data transfers to third countries in case of an absence of adequacy decision

We need to make sure that we can prove, if ever required, proof of consent:

When and how you got consent
The user who gave consent
What specifically they consented to

Clear affirmative action

users must take deliberate and specific action to opt-in or agree to the processing, such as ticking an opt-in box, clicking an opt-in button or link, double opt-in emails, etc.
GDPR guidelines state that we cannot rely on lack of response, inactivity, pre-ticked boxes, default settings, or blanket acceptance as signs of consent. We must also provide easy ways for the individual to opt-out or withdraw consent in the future.

‍

Obtain cookie consent

Cookies can technically be classified as personal data under GDPR.
Must inform and ask website visitors for consent before dropping cookies on their browser (the only exception is strictly necessary cookies that are essential for our website to function).
This means your website should display a GDPR compliant cookie consent banner when it is accessed by users in the EU.
Cookie consent should be specific and granular, meaning users should be able to opt-in to activate some cookies and not be forced to accept all.
GDPR also requires that websites cannot assume consent if users ignore cookie banners and continue browsing nor use pre-checked boxes.
Cookie walls that prevent the user from accessing the website or mobile app are unlawful.

‍

Data breach notification

GDPR requires us to implement “appropriate technical and organizational measures” to address any security risks that we may face when dealing with personal data.
Pseudonymization, encryption, and regular systems testing are all measures that are cited as risk reduction measures against data breaches.
In case a data breach occurs, PW must report the event to the appropriate data protection authority (e.g. the ICO in the UK or CNIL in France) within 72 hours of becoming aware of the event. If the data breach poses a high risk to the rights and freedoms of consumers, then they must also be notified by us.

‍

Appoint a DPO or GDPR representative

GDPR specifies two main criteria for businesses that need to appoint a DPO:

One being large scale processing where the core activity of the company involves regular and systematic monitoring of users.
The second criteria depend on whether you process sensitive categories of data.

Ensuring our Privacy Policy is GDPR compliant

I don’t think we need to do this, as I imagine our legal team developed PW’s privacy policy with GDPR in mind, but we need to ensure transparency and detailed information on processing.

‍

GDPR beyond our website

Admin

Any EU residents that we employ or hire on a contractual basis: current or previous employee data that PW has access to is subject to GDPR.
Review agreements with third-parties

Identify and list vendors who process data on PW’s behalf.
Ensure that we have Data Protection Agreements (DPAs) with third parties so that they fulfill the necessary GDPR requirements.
Ensure that the third-party business has adequate technical and organizational safeguards.
Include the terms about the security of processing and data breach notification in written agreements. Third-parties must be contractually obligated to report any data breach to supervisory authorities and users, and Data Protection Impact Assessments. It is important to ensure that data processors implement GDPR measures with equal force to mitigate potential fines and penalties that may flow from vendors to PW.