GDPR compliance services

Gofaizen & Sherle provides the following services to their clients to ensure that they are compliant with the requirements of GDPR.

Sometimes certain personal data must be collected for the provision of services by entities, this service must be provided in an application or a website, the privacy policy is the document that sets the necessary terms for the collection and use of them. We can call that privacy policies are the means to legalize processes involving personal data, as collecting and using personal data without proper consent is strictly prohibited. Privacy policies are provided in a visible manner, as necessary consents must be taken from the data subject immediately.

The privacy policy must include how the entity collects information and whether it keeps it protected or shares it with someone else. The content of the Privacy Policy depends on the geographical region where it is located and where it operates. Different countries have different laws and jurisdictions. So a company needs to obey them to avoid problems with the government and its legislative principles, according to which an organization can or cannot ask for data and use it.

We will help you create such a document to correspond to the law and meet the requirements of the relevant country. Due to it, you will collect the required data safely and lawfully.

Entities collect information for the smooth progress of their services in their websites, and this information are usually gathered depending on the behavior of the user. They are sent by the website and held in a small file to be stored locally. These information are usually related to the preferences of the user and not strictly related to their personal traits. Once the data stored, web browser keeps and processes the information taken. A user can easily find these files and delete them if necessary. Moreover, most websites ask a visitor for permission to either use them or not.

Most websites use the following types of cookies:

• persistent and session cookies (the first type is used on a regular basis until they expire or a user decides to delete them, and the second one stops its function as soon as the session ends);
• first-party and third-party cookies (in other words, either the visited website’s owner or a third party can use them). However, just like the types of the cookies, there are also different purposes and attached responsibilities that accompanies them:
  1. strictly necessary cookies are always used by websites, they are usually necessary for their functioning, and their holders don’t need your permission but acknowledgement to use them (for example, the storage of items in the cart from your previous visit when you buy something online);
  2. preference cookies makes navigation in the website more convenient for the user, because the website can remember your preferences which you have chosen or used before, examples could be; geolocation choice, preferred language, night mode etc.,
  3. statistics cookies help the website gather specific details about you and things in which you have interacted or are interested, though since they are anonymized, one should not particularly worry about their privacy;
  4. marketing cookies are for companies who want to promote their services and goods on other websites and attract visitors to their web pages.

In most cases, visitors can refuse to accept anything but strictly necessary cookies. Otherwise, they are used illegally. We will help you create cookie policies that meet the law and appropriate privacy expectations of every visitor and organization.

There are different assessments for various purposes and objectives. When the matter is privacy, an organization can understand the risk they are exposed to, by simply performing Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA).

DPIAs are a necessary and crucial tool to assess new products and systems before they are implemented to a business structure. This assessment may also be done at any point of time when there are suspicions of high risk imposed on a Data Subject’s personal data due changes in the service or additions to an already existing service. This assessment type is seen as the building stone of a privacy system as it helps to understand the risks associated with internal and external processes, pinpoint their sources, and assist with locating necessary remedies.

PIAs on the other hand, are required for understanding the risks associated with collection of personal data and usually performed to identify, document, and handle these risk imposed on a person’s privacy. With the help of PIA, the company guarantees the legality of the data gathering, evaluates the risks for data security, minimizes the possible danger to the data of people.

All the assessments helps with understanding:

• what information the company gathers;
• why the company needs it;
• how it is going to use it;
• with who this data can be shared;
• how the company protects personal information;
• what and if there is the record system;
• how people agree or disagree with the company’s right to use their information.

Through these assessments, a company guarantees utilization of the six principles and it promises to be responsible for the received data, use it only when needed, secure it, and ensure both fair and transparent grounds with its clients.

A company must create agreements that explain how the information is gathered and processed by the company and associated third parties. They are established between organizations to clearly identify the roles of involved third parties and draft out the services offered. Form and the contents of the agreement are tied to the relationship between these organizations and whether they are a controller, joint-controller, or processor.

GDPR compliance is impossible without the accurately created DPA. Gofaizen & Sherle provides this service to guarantee legal collaboration between the service providers and their partners. It will help clients understand how their data is collected, stored, and used.

How can one know that the chosen companies legally collect data and use it without violations? That is where the GDPR audit is required. GDPR audit must be performed by a specialist who is aware of all the regulations demanded by a concrete state or region. Consequently, if the company doesn’t have such a person, we can be an audit company. An audit is a must for companies who want to:

• change their service;
• add new functions and services;
• enter new markets;
• become partners of companies whose data they will use or with whom they will share their data;
• merge companies;
• routinely check data related processes.

The audit can require several steps to meet international standards and rules and give the desired results.