Committing To Compliance
Starting in May 2018, GDPR (General Data Protection Regulation) takes effect—and any organization not in compliance with the new regulation could face fines. But it’s not as scary as it sounds. At Opentracker, we’re dedicated to adhering fully to GDPR before its enforcement date, and we’ve modified our product based on the principles of Privacy by Design.
What is GDPR (and why should I care)?
General Data Protection Regulation (GDPR) was passed by the EU Parliament in April 2016. Replacing the Data Protection Directive from the 1990s, it’s the biggest legislative change in data privacy regulation to take place in the last 20 years.
In short, GDPR was created to standardize data privacy laws throughout Europe—and to put greater protection on the data privacy of EU citizens. The big changes are:
- A change in legislative scope: Now, all controllers and processors in the EU are subject to GDPR—even if the data they’re accessing is processed outside of the EU. The reverse is also true. If you’re a company processing the data of EU citizens (either to offer goods and services, or to monitor behavior taking place in the EU)—it doesn’t matter where you’re based, or where you’re processing the data. You still have to comply with GDPR.
- Greater penalties for noncompliance: The maximum fine for noncompliance with GDPR is up to 4% of annual global turnover, or 20 million euros—whichever is greater.
- Strengthened conditions for consent: No more legalese. Consent has to be given in an easy, accessible way before processing a person’s data. You also have to disclose the purpose of that data processing, and make it as easy to withdraw consent as to give it.
A full list of the key GDPR changes can be found on the EU GDPR website here.
Who does GDPR affect?
Just about anyone dealing with data. If your business is based in the EU, or you ever process the data of citizens from the EU—you’ll want to make sure you’re doing everything you can to comply with GDPR.
What is Opentracker doing to ensure GDPR compliance?
We’re glad you asked! The table below breaks down the new GDPR privacy standards per article, and how we’ve worked to respond to them. We’ll update this table as more knowledge pertaining to GDPR compliance arises.
| Art. in GDPR | Summary | Actions to be taken – Progress |
|---|---|---|
| Articles 1-4 | General Provisions, Scope and Definitions | Opentracker has read the general provisions and definitions as well as the scope of this new legislation. COMPLETED |
| | 6 new Data Protection Principles have been introduced: | Opentracker has raised awareness and made sure that key decision makers are aware that the law is changing, and has identified areas that could cause compliance problems under the GDPR. COMPLETED<br>Opentracker employees who handle personal data of other employees or customers have received training to ensure that they handle changes in accordance with GDPR. Opentracker keeps a record of training and provides update and refresher training on an annual basis. COMPLETED<br>Through this, Opentracker defined new policies and procedures, the most common being: |
| | Lawfulness of processing: conditions that must be satisfied for the processing of personal data to be lawful. | |
| | New legislation around the consent of the individual for the organization to hold his/her personal data. Several aspects need to be addressed: | Our main plan has been to review methods for seeking, obtaining and recording consent to ensure compliance.<br>Opentracker will implement explicit and affirmative consent through check boxes and clear privacy policies. Opentracker works together with lawyers to craft policies and terms based on your needs and data processing.<br>In addition, Opentracker will track all the actions that users take, from signup to account deletion, and ensure that each step complies with the new laws of consent.<br>Finally, Opentracker must answer these questions when the new consent is applied: Is the consent presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language? |
| Article 8 | Same as article 7 but for children’s data consent in relation to information society services | Create and implement new practices for (i) verifying the age of individuals and (ii) obtaining parental or guardian consent when processing the data of children. NOT COMPLETED |
| Article 9 | Sensitive personal data, which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health-related information (physical or mental), and sexual orientation. | Opentracker does not keep such data. Data that people enter into the Opentracker app cannot later be used to discriminate against them due to their identity, expression or behavior, thereby restricting the enjoyment of their rights.<br>In the future, should it be needed, Opentracker will only keep special category data for as long as it needs it; once it is no longer needed, Opentracker will securely remove it from its systems in an auditable way. COMPLETED |
| Article 10 | Sensitive personal data relating to criminal convictions and offenses or related security measures. | Opentracker does not keep such data. COMPLETED |
| Article 11 | Processing which does not require identification: A controller that cannot identify the data subject is absolved from having to respond in detail to a data subject’s requests — except to tell the data subject (“if possible” to do so) that it cannot comply due to lack of identification. | Opentracker will examine every data subject’s request with respect. However, in cases where Opentracker can prove that the data subject cannot be identified, the data subject’s rights will be limited. COMPLETED |
| Articles 12-14 | Privacy notices must be given at the time that the data is obtained from the data subject, or, if the data was received from a third party, within a reasonable period after obtaining the data but at the latest within one month. | During data collection, e.g. user registration, privacy notices must exist and be clear. COMPLETED |
| | Expanded individuals’ rights: | Opentracker will enable employees and customers to request their personal data processed by Opentracker. COMPLETED<br>Trained personnel will respond to requests within the 1 month timeframe. COMPLETED |
| Article 24 | Definition of a Controller | Opentracker acts as a controller and will comply with all corresponding regulations. COMPLETED |
| Article 25 | Data protection by design and by default | Several guidelines will be applied during the software development cycle: |
| Article 28 | Definition of a Processor | Opentracker acts as a processor and will comply with all corresponding GDPR regulations. COMPLETED |
| Article 30 | Record keeping: all personal data processing activities shall be recorded. | Article 30 says that these requirements don’t apply to organizations of under 250 employees; in addition, Opentracker Experiences does not manage personal data. COMPLETED |
| Articles 33-34 | Data breaches | Opentracker will ensure that there are procedures in place to detect, investigate and report on personal data breaches within 72 hours of becoming aware of them. COMPLETED |
| | Privacy Impact Assessment (PIA): If you are using “new technologies” which process personal data in a way that is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out an assessment of the protection of personal data.<br>Prior Consultation: Data controllers should consult the supervisory authority every time a PIA identifies an inherently high-risk processing activity. | Not strictly necessary, as the type of processing Opentracker does is unlikely to result in a high risk, but Opentracker will put a simple PIA in place anyway. COMPLETED |
| Articles 37-39 | Appointment of DPOs: Public authorities and large businesses will be required to appoint a Data Protection Officer to oversee compliance. | Opentracker won’t need to appoint a DPO (since it is not a large company), but a trained team will be responsible for data protection matters as part of their role. COMPLETED |
| Articles 40-43 | Codes of Conduct and Certifications: GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply. | Opentracker will find the appropriate codes of conduct and certifications and comply with them. The most “popular” are: |
| Articles 44-50 | Cross-border data transfer: As a general rule, transfers of personal data to countries outside the EEA may take place if these countries are deemed to ensure an “adequate” level of data protection. A current list of “approved countries” is available here. | Opentracker Experiences does not perform any cross-border data transfer to or from outside EEA borders in its infrastructure. COMPLETED |
| Articles 51-59 | Independent Supervisory Authorities | Opentracker has read these articles. COMPLETED |
| Articles 60-76 | Cooperation and Consistency | Opentracker has read these articles. COMPLETED |
| Articles 77-84 | Remedies, Liability, and Sanctions | Opentracker has read these articles. COMPLETED |
| Articles 85-91 | Provisions relating to specific data processing situations | Opentracker has read these articles. COMPLETED |
| Articles 92-93 | Delegated Acts and Implementing Acts | Opentracker has read these articles. COMPLETED |
| Articles 94-99 | Final Provisions | Opentracker has read these articles. COMPLETED |
Let’s make it official
If you’re looking to document your GDPR compliance efforts, we can help. Opentracker’s DPA (Data Processing Agreement) outlines our obligations (as a data processor) and yours (as a controller) while using our tool. Get it signed for free here.
Have questions about how Opentracker’s actions, and GDPR, will affect your business? Contact us at: firstname.lastname@example.org