Regulatory authority
The regulatory authority is an authority which controls the implementation of the GDPR. During this control the data protection authority, that would be the ICO in the UK, checks the GDPR compliance. An important tool for doing that is the mandatory documentation. If the documentation is not being submitted or if it is incomplete, fines will be imposed.
Data Processor
As soon as you are transferring data to another organisation, this partner company is considered a data processor according to the GDPR. This kind of data transfer happens a lot more often than you might think. Starting with an accountant, that books invoices right through to a parcel service, that delivers the goods. Regardless of whether sole proprietor or capital company, without data transfers many business procedures are no longer viable. However, the transfer without an adequate contract is not permissible according to the GDPR and can lead to an administrative penalty. Without the adequate knowhow such a contract cannot be legally constructed. You can create agreements concerning data processors for each service provider at the click of a mouse with easyGDPR.
Agreements concerning data processors
Processing personal data via service providers has to be regulated with a contract according to the guidelines of the General Data Protection Regulation. These so-called agreements concerning data processors require expert knowledge to ensure a GDPR compliant design. Our software easyGDPR enables you to create the contracts for each service provider. As a result of our years-long experience and certified knowledge you can not only create your contracts quickly but also accordingly to the GDPR guidelines. On demand (e.g. change of the service provider) you can adjust the contract at the click of a mouse.
You can protect yourself against high fines with easyGDPR. Your GDPR documentation can be generated quickly and easily via our generator. Thereby we are covering all points, like the risk analysis, the record of processing activities, the privacy impact assessment, etc. On request you can update your documentation with little effort with easyGDPR.
Data subject access requests
According to the GDPR every natural person has the right to know how their personal data is being processed. Such a request is being called a data subject access request. But they do not only have the right to erasure (right to be forgotten) but also the right to access to the saved data and the right to lodge a complaint with a supervisory authority.
Every citizen of the European Union has this right and this right is also a constraining law (lat. ius cogens). Admittedly, the request can be declined under certain requirements, but you are still obligated to answer the request.
Even for small businesses this administration effort can be immense but with easyGDPR Enterprise you are getting the possibility to answer these requests automatically. So, you can reduce your administration effort with our GDPR software.
Cloud
The cloud is a process that describes how programs, infrastructure or platforms are being moved to the internet. The advantages of doing so is that the expense can be reduced because more capacities can be rented and also the worldwide availability.
Data protection is a crucial aspect of the Cloud because the data is no longer under personal control but is being managed by service providers. That is why respective agreements concerning data processors have to be concluded. The safe data transfer is crucial to prevent that data is being intercepted from third parties. The GDPR demands a solution for all processes regarding data gathering and data processing at the state of the art.
With our easyGDPR consulting you can benefit from our years-long experience in the computer security sector and from our GDPR expert knowledge. We can also assist you with the migration into the Cloud and we can make sure that this process is in accordance with the European General Data Protection Regulation.
Compliance
Compliance is a term used in the economy and describes the implementation of statutory provisions. If someone is talking about compliance in the context of the GDPR, then the implementation of the GDPR is meant. All organisations that process personal data on a regular basis have to be GDPR compliant.
You can implement this measure quickly and easily with easyGDPR. Our tool enables you to implement the documentation, like the record of processing activities (ROPA), the risk analysis, etc. quickly. easyGDPR also offers consulting and trainings for the GDPR. You’ve got a strong GDPR partner with easyGDPR.
Data Breach
A data breach or a personal data breach exists if the data that you store or process is being lost, stolen or published on the internet. If this data breach is likely to result in a risk to the rights and freedoms of natural persons, the data controller has to notify the data breach to the supervisory authority within 72 hours after having become aware of this breach. If your organisation is the data processor, you have to notify the data breach to the data controller.
Additionally, when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller has to notify the data breach to the data subjects immediately, unless that would involve a disproportionate effort, see Art. 33 GDPR and Art. 34 GDPR.
Privacy impact assessment
The privacy impact assessment is a documentation measure according to the GDPR. You have to be able to provide your privacy impact assessments if requested by the ICO. This process has to be performed independently if a special risk for data subjects exists due to a processing. Absence of this documentation can lead to high fines (up to 4% of your organisation’s annual global turnover).
Not only a privacy impact assessment including a risk analysis can be created with easyGDPR but you can also fulfil all further documentation obligations according to the GDPR. On request you can also utilise our data protection consulting to benefit from the expert knowledge of our certified GDPR expert and also from our years-long experience.
Privacy policy
In the privacy policy organisations state what measures have been implemented to ensure data protection. You are obligated to create this document according to the GDPR and you also have to provide it to customers upon request. Contrary to popular belief, the privacy policy is not only mandatory if you are conducting a homepage but also has to be created from every organisation that processes personal data.
In article 13 GDPR you can find what information has to be included in the privacy policy. You can find more information about the privacy policy in our post Privacy Policy and Information Obligations.
With easyGDPR you can create your privacy policy. Our system will ask you for all necessary information and then generates a privacy policy via generator from that. You can then not only integrate the privacy policy into your homepage or your webshop but also fulfil part of your GDPR documentation obligation.
Data controller
The data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing
of personal data. The data controller is not equivalent to the data protection officer (DPO).
Data protection officer (DPO)
The data protection officer (DPO) is a natural person that has been appointed by an organisation (company, club, authority) for questions about the data protection. This person can be someone from inside your company or appointed externally (e.g. solicitor, GDPR expert). In any case the DPO is required to have sufficient professional qualities and expert knowledge of the data protection law to fulfil his/her tasks. If the appointment is mandatory or not depends on the business activity of the organisation. You can find more information at the following link: When does an organisation need to appoint a Data Protection Officer (DPO)?
Third countries
If the GDPR is referring to third countries, then the countries that are not members of the European Union are meant. If personal data is being transferred from the EU to a third country then an adequate permission or certification is needed. This also applies to the United States of America. In that case, the European Union and the United States of America have made an agreement – the EU-US Privacy Shield.
easyGDPR
easyGDPR is a software that is accessible via the internet and also helps you fulfil the requirements of the GDPR. By asking you structured questions, step by step, you are initially getting an assessment about your data protection status in your organisation. On the basis of that, easyGDPR will show you the necessary measures to fulfil the requirements of the GDPR. The mandatory documentation, like the record of processing activities (ROPA), risk analysis, privacy impact assessments, etc, can be created quickly and efficiently. If your business process is changing you can update the documentation with just a few mouse clicks and with that you can fulfil the requirements of the GDPR at all times.
easyGDPR is available in the version Lite, Standard and Enterprise. We are also offering you a GDPR consulting.Recitals
The GDPR recitals are part of the General Data Protection Regulation and describe the aims and intentions of the European Parliament and the European Council at the creation of the regulation. They are helping with the interpretation of the legal text and prevent obscurities. Altogether there are 173 recitals which have significantly affected the GDPR.
The tremendous extent of the regulation makes it clear that the GDPR cannot be implemented accordingly to the regulations without expert knowledge. You can therefore leave the implementation of the GDPR to an expert or you can choose the more cost-effective alternative – namely easyGDPR.
easyGDPR is a software that enables you to implement the GDPR without previous knowledge. Our years-long experience and our expert knowledge about the GDPR has advected in the development of easyGDPR. By gradually and specifically asking you the necessary information, you are receiving all necessary information from easyGDPR to implement the GDPR. The necessary documentation is being generated automatically as per your specification and you can update it at any time. By this you are not only fulfilling the General Data Protection Regulation now but also in the future.
All of it with just one tool – easyGDPR.
EU-US Privacy Shield
According to the GDPR, every transfer of personal data to third countries is only permissible if that third country has a similar data protection level as the European Union. That is done to ensure that the General Data Protection Regulation is not being circumvented by processing the data in third countries. The Privacy Shield consists of a number of agreements between the European Union and the United States of America. The agreements ought to ensure that the data protection in the USA is comparable with the one in the EU.
US-American organisations have to be certified under the Privacy Shield and as soon as they are certified, a data transfer to these organisations is permissible. A transfer of personal data to organisations in the USA without a Privacy Shield certification would be a violation of the GDPR.
If you have any questions about data transfer you can utilise our easyGDPR consulting, our certified data protection expert will assist you with all questions. You can also find more information about the Privacy Shield in our post EU-US Privacy Shield.
Data Protection by Default
This term describes a fundamental demand of the General Data Protection Regulation. If a new technique is being developed (e.g. a computer program, a website, etc.) then even while developing you have to pay attention to maximal data protection. A webshop is a classic example: Ordering as a guest user must be possible, being obligated to create an account (= long-term storage) as part of ordering would be a violation of the principle data protection by default.
Data protection also has to be ensured with technical measures. It has to be ensured by the use of adequate measures in the cyber security section that attackers have no access to sensitive documents.
The principle of data protection by default has to be applied to all business procedures. For example, the printed payroll accounting data must be stored in a lockable cabinet.
Data Protection by Design
Another principle of the GDPR is the data protection by design. This basic rule says that for every data processing you are only allowed to ask for the necessary data. That means that asking for the birthplace as a mandatory field while ordering in a webshop would be prohibited because the information is not needed for the processing of the order.
This GDPR principle is especially import if you are offering a newsletter. In order forms and application forms the box for the subscription to the newsletter must not be pre-ticked. Instead the user has to tick the box for the newsletter subscription actively, otherwise the data processing is prohibited.
State of the art
The GDPR demands for the data processing and the data security an implementation considering the state of the art. In that way, the legislator has ensured that organisations have to bring their processing and safety precautions constantly up to date. That’s why ongoing measures are necessary to still construct all processes legally. With easyGDPR you always know what measures you have to take so that your data processing is still at the state of the art.
Ransomware
Ransomware is a special kind of malware that encrypts data or data mediums. By doing that victims no longer have access to their data. Especially for organisations this can be a disaster. If no backup is available most people feel constrained to give into the ransom demand and pay the demanded amount. But there is no guarantee that the data is being decrypted again. That’s why it is important to backup all data at regular intervals to be able to recover the data in such cases.
Right to be forgotten
The right to be forgotten is part of the comprehensive rights that have been conceded to every EU citizen by the GDPR. The personal data of a person has to be deleted if that is requested by that person. Only in certain situations this request can be rejected by an organisation, for example if it would otherwise harm a legal obligation for the retention.
With easyGDPR you are getting the possibility to automatically answer these requests of erasure, by doing that you can actively reduce your GDPR administration effort with our tool easyGDPR.
Risk analysis
The risk analysis is part of the privacy impact assessment and under certain criteria a GDPR obligation. This documentation includes the existing risks for data subjects whose personal data is being or has been gathered. If requested by the data protection authority, you also have to be able to provide your privacy impact assessments.
With easyGDPR you can perform a complete risk assessment. If you are unsure if a risk analysis is necessary, you can utilise our easyGDPR consulting. Our certified data protection expert will enlighten you about the necessity of a risk analysis.
Safe Harbor Privacy Principles
The Safe Harbor Privacy Principles are the preceding model of the EU-US Privacy Shield that has been abrogated in 2015 by the European Court of Justice (ECJ) because the Safe Harbor Privacy Principles have endangered the data protection in the EU.
SSL/TLS
SSL is short for Secure Sockets Layer and is the term for an outdated encryption method which was replaced by TLS (Transport Layer Security). If someone is talking about SSL these days, normally TLS is meant.
TLS enables the bug-proof communication between two applications over the internet. By now the data transfer without TLS is no longer at the state of the art. If you are visiting a website you can spot that the connection is encrypted with TLS by the displayed lock icon. Programs, websites and webshops without a TLS encryption do not fulfil the GDPR requirements.
Record of Processing Activities (ROPA)
The Record of Processing Activities (ROPA) is one of the important demands of the GDPR. In the ROPA you can document all processes in which personal data is being processed. If an organisation is being controlled by the data protection authority, these records have to be provided in printed form. The Record of Processing Activities is not only a listing of data gathering processes but also includes reasons for the data gathering, the legal basis and the information about what persons have access to the gathered data.
Even for small organisations such a Record of Processing Activities could mean a great effort. An exception for the creation of the ROPA solely exists if personal data is not regularly being processed. But even small businesses, like craftsman, gardening shops or movers process this kind of data as part of the payroll accounting, billing to the customer, applications, etc.
With easyGDPR you can create your GDPR Record of Processing Activities without previous knowledge. Thanks to templates for misc. business processes like payroll accounting, time tracking of the employees, contact forms for homepages, email communication, etc., it is ensured that no data gathering process is being forgotten. easyGDPR also has templates for misc. branches (e.g. driving schools) available to create the record of processing activities more quickly.
With easyGDPR you can implement the GDPR without any previous knowledge.
Encryption
With an encryption it is secured that sensitive data cannot be evaluated by unauthorised individuals. If a data medium (hard drive, USB flash drive, etc.) contains personal data an encryption has to be performed otherwise the data processing does not happen at the state of the art and contradicts the GDPR. Even backups have to be encrypted. The team of easyGDPR will gladly assist you with the implementation of this measure of the General Data Protection Regulation.
Please note that a password protection (access control) is not equivalent to an encryption.