What kind of personal data are we collecting, storing, and processing? (e.g. names, emails, phone numbers, IP addresses, device IDs, credit card or bank details, geolocation data, etc.)
Are we collecting ‘sensitive’ personal data beyond what’s listed above? This would include race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, and genetic or biometric data.
Once the above is established (that is, what data we collect), we need to identify and assign the legal basis for processing each category of personal data that PW collects.
GDPR provides for six legal bases for processing: consent, the performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
There should only be one legal basis for processing at a time, and it must be established before the processing begins.
The legal basis should also be demonstrable at all times (i.e. a business must be able to show internally, to data subjects, and to regulatory entities what legal basis it uses for each user).
Review data storage practices
Ensure that the personal data of EU residents is stored in the EU or that the service providers can provide GDPR-level adequate protections.
Need to check Google Drive, Airtable, Hylo, Donorbox, etc.
We have this in place already, but we need to be vigilant about ensuring that data is stored on secure servers that have technical and organizational security measures to safeguard it and to reduce the risk of loss, misuse, and unauthorized access, disclosure, and alteration.
GDPR principles outline that personal data must be stored for the shortest time possible.
PW will need to delete or anonymize personal data once it is no longer needed.
Also, GDPR gives users the right to access, edit, and delete their personal data collected by a business. So PW must have a secure system in place to store data, and a mechanism on the website and any other platforms we’re using that gives users these options.
Obtain prior user consent
GDPR consent must be freely given, specific, and unambiguous. For consent to be free, it should be affirmative i.e. the user must give consent using a positive action. Data collected on websites via contact forms, subscriptions forms, sign up forms, email lists etc. should respect GDPR consent requirements.
Unambiguous consent would look like:
Identity of the controller
Purpose of each processing for which consent is asked
The data and types of data that will be collected and used through consent.
Information about the right to withdraw consent.
Information regarding the use of data for automated processing including profiling
Possible risk of data transfers to third countries in case of an absence of adequacy decision
We need to make sure that we can provide, if ever required, proof of consent:
When and how you got consent
The user who gave consent
What specifically they consented to
Clear affirmative action
Users must take deliberate and specific action to opt in or agree to the processing, such as ticking an opt-in box, clicking an opt-in button or link, double opt-in emails, etc.
GDPR guidelines state that we cannot rely on lack of response, inactivity, pre-ticked boxes, default settings, or blanket acceptance as signs of consent. We must also provide easy ways for the individual to opt-out or withdraw consent in the future.
Obtain cookie consent
Cookies can technically be classified as personal data under GDPR.
Must inform and ask website visitors for consent before dropping cookies on their browser (the only exception is strictly necessary cookies that are essential for our website to function).
This means our website should display a GDPR-compliant cookie consent banner when it is accessed by users in the EU.
Cookie consent should be specific and granular, meaning users should be able to opt-in to activate some cookies and not be forced to accept all.
GDPR also requires that websites cannot assume consent if users ignore cookie banners and continue browsing, nor use pre-checked boxes.
Cookie walls that prevent the user from accessing the website or mobile app are unlawful.
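One way to implement the consent and cookie requirements above (affirmative opt-in only, granular categories, strictly necessary cookies exempt, and a record that captures when, how, who and what for proof of consent). This is an added example, not code from PW’s website; the category names, the record shape and the function names are assumptions.

```javascript
// Added example (not PW's code): a per-category consent gate plus a
// consent record that can serve as proof of consent.

const STRICTLY_NECESSARY = "strictly-necessary"; // exempt from consent

// Categories a visitor can opt into individually (assumed names).
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Build a consent record only from the boxes the visitor actually ticked.
// `choices` must reflect the user's own action, never pre-checked defaults;
// `mechanism` records how consent was given (e.g. "banner-opt-in-click").
function recordConsent(userId, choices, mechanism, now = new Date()) {
  if (!choices || typeof choices !== "object") {
    throw new Error("no affirmative choice: consent cannot be inferred");
  }
  const granted = [];
  for (const cat of OPTIONAL_CATEGORIES) {
    // Only an explicit `true` counts; missing or falsy values are not consent.
    if (choices[cat] === true) granted.push(cat);
  }
  return {
    userId,                        // the user who gave consent
    timestamp: now.toISOString(),  // when consent was given
    mechanism,                     // how it was given
    granted,                       // what specifically they consented to
    withdrawn: false,
  };
}

// Withdrawal must be as easy as giving consent; keep the original record
// for audit purposes and mark it withdrawn rather than deleting it.
function withdrawConsent(record, now = new Date()) {
  return { ...record, granted: [], withdrawn: true, withdrawnAt: now.toISOString() };
}

// Decide whether a cookie of the given category may be set for this visitor.
// No record (visitor ignored the banner) allows only strictly necessary cookies.
function mayDropCookie(category, record) {
  if (category === STRICTLY_NECESSARY) return true;
  if (!record || record.withdrawn) return false;
  return record.granted.includes(category);
}
```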
Data breach notification
GDPR requires us to implement “appropriate technical and organizational measures” to address any security risks that we may face when dealing with personal data.
Pseudonymization, encryption, and regular systems testing are all measures that are cited as risk reduction measures against data breaches.
In case a data breach occurs, PW must report the event to the appropriate data protection authority (e.g. the ICO in the UK or CNIL in France) within 72 hours of becoming aware of the event. If the data breach poses a high risk to the rights and freedoms of consumers, then they must also be notified by us.
Appoint a DPO or GDPR representative
GDPR specifies two main criteria for businesses that need to appoint a DPO:
The first is large-scale processing where the core activity of the company involves regular and systematic monitoring of users.
The second criterion depends on whether sensitive categories of data are processed.
GDPR beyond our website
Any EU residents that we employ or hire on a contractual basis: current or previous employee data that PW has access to is also subject to GDPR.
Review agreements with third-parties
Identify and list vendors who process data on PW’s behalf.
Ensure that we have Data Protection Agreements (DPAs) with third parties so that they fulfill the necessary GDPR requirements.
Ensure that the third-party business has adequate technical and organizational safeguards.
Include terms about the security of processing and data breach notification in written agreements. Third parties must be contractually obligated to report any data breach to supervisory authorities and users, and to assist with Data Protection Impact Assessments. It is important to ensure that data processors implement GDPR measures with equal force, to mitigate potential fines and penalties that may flow from vendors to PW.