GDPR compliance services
Ensuring your compliance with GDPR and other jurisdictions’ Privacy regulations within 5 to 8 weeks.
What is GDPR?
The European Union has made a great leap with the creation of General Data Protection Directive (hereinafter GDPR) and set a norm on how data subjects’ rights can be protected uniformly.
GDPR is applicable in every Member State of the Union and there are no derogations in any Member State that may create any sort of significant difference. This is because the GDPR has been structured in a way that it will single handedly regulate every aspect of the privacy related affairs and also ensure the application of these protective measures beyond the Union’s territory. Moreover, GDPR also provides general provisions under its ‘Six Principles’ setting a minimal protection standard for the instances where GDPR has not directly addressed. However, as an addition to the GDPR, certain Member States has decided to apply stricter measures on certain activities in specific sectors, these additional precautions are either sourced in Union wide supplementary legislations or local laws. An example could be the E-Privacy directive which significantly changes the state of Marketing Affairs, and local Anti-Money Laundering Laws which sets different retention period of certain data types and limits their delivery to the data subject. This consequently means that the legal landscape of the Union is more complicated than it appears to be and require detailed inspection of business activities in a company to ensure compliance with applicable laws. Our experts are ready to navigate you through this complicated legal regime and help you with ensuring your compliance is intact with the regulations.
6 Principles of GDPR
Lawfulness, fairness and transparency
The entity that is dealing with a personal data must act with good faith and ensure that the data is used on lawful grounds, necessary consents are taken, and the processing structure is outlaid to the data subjects in a proper and acceptable manner.
Purpose limitation
No personal data shall be used for the purposes further than the reason that it was collected and communicated to the data subject. If an entity wishes to use the personal data for another reason, it must take permission before initiating operations.
Data Minimization
Entities must only process the personal data that is strictly necessary for the provision of the terms that was agreed with the relevant subject.
Accuracy
While the personal data is being collected, the collecting entities also acquires the sole responsibility to integrate necessary procedures or systems that will be used for the erasure or rectification of the personal data that was collected from their data subjects.
Storage Limitation
Entities are under strict obligation to hold the personal data not more than it is needed, and the data which expires its retention span must be appropriately deleted.
Integrity and Confidentiality
Entities are required to conduct their processes in a manner that ensures appropriate security of the personal data, where necessary precautions must be implemented against unauthorized or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organizational measures.
GDPR service packages
- DPIA
- PIA
- International Data Transfer Risk Assessments
- Data Processing Agreements
- Disclaimer Agreements
- Privacy Policies
- Cookies Policies
- International Data Transfer Notices
- Incident Notification Documents
- Employee Guidelines
- Data Processing Guidelines
- External Product Privacy Inspection
- DPIA
- PIA
- Privacy Policy
- Cookie Policy
- International Data Transfer Risk Assessment
- Red Flag Analysis for Consent Acquisition
- Product Privacy Inspection
- DPIA
- Privacy Policy
- Cookie Policy
Process and Timeline for GDPR
ASSESSMENT STAGE
Stage 1
- Interviewing with the customer
- Assessing the business structure
- Identifying the issues
IMPLEMENTATION STAGE
Stage 2
- Preparation of documents
- Implementing solutions
- Performing last interview
Services of GDPR We Provide
Gofaizen & Sherle provides the following services to their clients to ensure that they are compliant with the requirements of GDPR.
Privacy Policy
Sometimes certain personal data must be collected for the provision of services by entities, this service must be provided in an application or a website, the privacy policy is the document that sets the necessary terms for the collection and use of them. We can call that privacy policies are the means to legalize processes involving personal data, as collecting and using personal data without proper consent is strictly prohibited. Privacy policies are provided in a visible manner, as necessary consents must be taken from the data subject immediately.
The privacy policy must include how the entity collects information and whether it keeps it protected or shares it with someone else. The content of the Privacy Policy depends on the geographical region where it is located and where it operates. Different countries have different laws and jurisdictions. So a company needs to obey them to avoid problems with the government and its legislative principles, according to which an organization can or cannot ask for data and use it.
We will help you create such a document to correspond to the law and meet the requirements of the relevant country. Due to it, you will collect the required data safely and lawfully.
Cookie Policy
Entities collect information for the smooth progress of their services in their websites, and this information are usually gathered depending on the behavior of the user. They are sent by the website and held in a small file to be stored locally. These information are usually related to the preferences of the user and not strictly related to their personal traits. Once the data stored, web browser keeps and processes the information taken. A user can easily find these files and delete them if necessary. Moreover, most websites ask a visitor for permission to either use them or not.
Most websites use the following types of cookies:
- persistent and session cookies (the first type is used on a regular basis until they expire or a user decides to delete them, and the second one stops its function as soon as the session ends);
- first-party and third-party cookies (in other words, either the visited website’s owner or a third party can use them). However, just like the types of the cookies, there are also different purposes and attached responsibilities that accompanies them:
- strictly necessary cookies are always used by websites, they are usually necessary for their functioning, and their holders don’t need your permission but acknowledgement to use them (for example, the storage of items in the cart from your previous visit when you buy something online);
- preference cookies makes navigation in the website more convenient for the user, because the website can remember your preferences which you have chosen or used before, examples could be; geolocation choice, preferred language, night mode etc.,
- statistics cookies help the website gather specific details about you and things in which you have interacted or are interested, though since they are anonymized, one should not particularly worry about their privacy;
- marketing cookies are for companies who want to promote their services and goods on other websites and attract visitors to their web pages.
In most cases, visitors can refuse to accept anything but strictly necessary cookies. Otherwise, they are used illegally. We will help you create cookie policies that meet the law and appropriate privacy expectations of every visitor and organization.
Assessments
There are different assessments for various purposes and objectives. When the matter is privacy, an organization can understand the risk they are exposed to, by simply performing Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA).
DPIAs are a necessary and crucial tool to assess new products and systems before they are implemented to a business structure. This assessment may also be done at any point of time when there are suspicions of high risk imposed on a Data Subject’s personal data due changes in the service or additions to an already existing service. This assessment type is seen as the building stone of a privacy system as it helps to understand the risks associated with internal and external processes, pinpoint their sources, and assist with locating necessary remedies.
PIAs on the other hand, are required for understanding the risks associated with collection of personal data and usually performed to identify, document, and handle these risk imposed on a person’s privacy. With the help of PIA, the company guarantees the legality of the data gathering, evaluates the risks for data security, minimizes the possible danger to the data of people.
All the assessments helps with understanding:
- what information the company gathers;
- why the company needs it;
- how it is going to use it;
- with who this data can be shared;
- how the company protects personal information;
- what and if there is the record system;
- how people agree or disagree with the company’s right to use their information.
Through these assessments, a company guarantees utilization of the six principles and it promises to be responsible for the received data, use it only when needed, secure it, and ensure both fair and transparent grounds with its clients.
Data Processing Agreement
A company must create agreements that explain how the information is gathered and processed by the company and associated third parties. They are established between organizations to clearly identify the roles of involved third parties and draft out the services offered. Form and the contents of the agreement are tied to the relationship between these organizations and whether they are a controller, joint-controller, or processor.
GDPR compliance is impossible without the accurately created DPA. Gofaizen & Sherle provides this service to guarantee legal collaboration between the service providers and their partners. It will help clients understand how their data is collected, stored, and used.
GDPR Audit
How can one know that the chosen companies legally collect data and use it without violations? That is where the GDPR audit is required. GDPR audit must be performed by a specialist who is aware of all the regulations demanded by a concrete state or region. Consequently, if the company doesn’t have such a person, we can be an audit company. An audit is a must for companies who want to:
- change their service;
- add new functions and services;
- enter new markets;
- become partners of companies whose data they will use or with whom they will share their data;
- merge companies;
- routinely check data related processes.
The audit can require several steps to meet international standards and rules and give the desired results.
FAQ about GDPR services
What is required for GDPR compliance?
For GDPR compliance, companies should handle the user’s data as defined in the GDPR law. Your customers must know that their data is safe, while using your services and be sure that their personal data is processed by a trustworthy entity and a secure way as per the criteria provided by the GDPR. Your company compliance program should be adequate with the regulation. To make your program perfect, you can use special services or hire a Data Protection Officer.
What is GDPR service?
The General Data Protection Regulation (GDPR) is the number of rules that were implemented in 2018 by European Union (EU) state members, it requires organizations to protect the consumers’ personal data, to control the movement, shifting, sharing with third parties and the processing of the data, and uphold the privacy rights of anyone on and beyond the Union’s territory. It is not allowed to gather and use more data than is necessary, only according to the strict privacy standards.
How do I ensure my company is GDPR compliant?
Becoming GDPR compliant is a continual process, and challenges differ for every specific company. The GDPR consists of six principles of data protection that should be realized and eight data subject rights that should be facilitated. In addition, you should develop a lawful base for personal data maintenance and processing, saving, and transferring it.
Why should your company be GDPR compliant?
EU-located businesses or any business that deals with a subject of the EU, must be GDPR compliant. This means you are obliged and required to comply in the cases with a subsidiary or branch, or if (even one of) your customers, suppliers, or any other stakeholders are residents of an EU member state. In other words, you do not have another choice if you work in the EU market. If you fail to do so, you may be fined, and fines imposed by the GDPR can be up to 4% of a company’s global annual turnover.
What services are impacted by GDPR?
The next services are impacted by GDPR: Privacy Policy, Cookie Policy, Data Protection Impact Assessment, Privacy Impact Assessment, Data Processing Agreements, and Audit. All these services have their specific needs and regulatory rules. Even small businesses are responsible for being GDRP compliant.
to our news & insights
Connect with our experts
Our experts will tell you how to do it as quickly and easily as possible.
By clicking the button, I confirm that I have read the privacy policy and consent to the collection and processing of my personal data in accordance with the GDPR rules.