Frequently Asked Questions
What is the GDPR?
It stands for the General Data Protection Regulation. By 25 May 2018, all organisations using personal data will have to be compliant with it.
What type of information is considered to be personal data?
The GDPR categorises personal data as any information relating to an identifiable natural person. This broad definition includes information such as name, email and location. It also includes online identifiers such as IP addresses and online behaviour.
What kind of changes will the GDPR bring to Europe's privacy law?
1. Individuals will have significant new rights, such as the right to be forgotten.
2. Consent will be harder to obtain and can be withdrawn at any time.
3. Organisations will become responsible for data security, and must report breaches.
4. Privacy notices will need to contain specific disclosures.
5. Transfers of data to organisations outside the EU will incur specific requirements.
6. Organisations outside the EU will have to abide by the law if they collect and process personal data from within the EU.
How do I obtain consent?
Consent needs to be explicit, opt-in and freely given. This means the popular, opt-out based consent of today will no longer be acceptable.
Our organisation is based outside of the European Union. Do we need to comply?
Yes. If you offer goods or services to EU residents, then you must comply with the GDPR.
We don't charge for the services we offer. Do we need to comply?
Yes. The GDPR applies to organisations that offer goods or services to EU residents irrespective of whether a payment is required, and it also applies to organisations that monitor the behaviour of EU residents.
We process personal data manually instead of using automated means. Do we need to comply?
If the manual data processing contributes toward a database, then you must comply. If the processing is once-off and doesn't enter a structured and accessible database, then the GDPR may not apply.
Are there any compliance exemptions for businesses or specific industries?
EU Member States can make derogations for national security, defence, public security, criminal and ethics investigations and prevention, public interest and the enforcement of civil law. You'll need to ask your supervisory authority for a list of derogations.
What happens if I don't comply?
You may be fined up to €20m or 4% of your worldwide turnover (revenue), whichever is greater. You may also be subject to lawsuits by affected data subjects.
How aggressive will regulators be about fining organisations that don't meet the May 2018 deadline?
The truth is we don't know. The EU is still issuing guidance on provisions, so there remains some uncertainty about how they'll be enforced. What this means is that, initially, you'll need to make value judgements on whether your processing is lawful. For example, allowing an employee to take a laptop on holiday, or selling your business and transferring your books, could be technically non-compliant but unavoidable and in need of a risk assessment. The Information Commissioner's Office (the UK supervisory authority) has insisted it will be a proportionate, rational regulator, and that it won't aggressively go after businesses to levy fines except as a last resort. But its budget is funded by fines, and it issued ¾ million pounds in fines in mid-2017 despite the new Data Protection Law being enacted. So it'll be best to err on the side of caution.
Will Brexit negotiations affect the UK's GDPR compliance?
In January 2017, Theresa May said the UK would retain the GDPR and convert it into UK law. In August 2017, the UK Department for Digital, Culture, Media & Sport released a Statement of Intent indicating that the GDPR would be translated into a new Data Protection Bill for the UK. Furthermore, UK organisations that offer goods or services to EU residents would still need to comply.
Is there any leeway, in terms of the May 2018 deadline, for organisations of different sizes/budgets?
The Irish Data Protection Commissioner, Helen Dixon, has indicated a willingness to apply the full fine as the case may call for it, and when asked if there'll be any leeway to ease companies into the new regulation, she answered "No. There's not going to be any amnesty or first or second chances." The Information Commissioner's Office Head of International Strategy and Intelligence, Steve Wood, says, "Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That's not part of our regulatory strategy. What you will see is a common-sense, pragmatic approach to regulatory principles."
Will organisations with a history of poor data protection be examined any harder or made examples of?
Conglomerates and companies working with sensitive personal data such as health and biometric data would do best to ensure they comply with the GDPR. Industries with a history of poor data protection practices, such as digital direct marketing and social media organisations that hold large quantities of personal data, should make sure their consent practices comply and that they can guarantee their data subjects' rights under the GDPR.
Are there any benefits to being compliant or is it just another burden on business?
There are very concrete benefits. Compliance is an opportunity to redefine your organisation's governance, policies and data management practices. By educating your employees and clients in data protection and privacy you'll strengthen your brand as being responsible and trustworthy. During the assessments, data mapping and gap analysis you'll undertake in order to become compliant, you'll have an opportunity not only to review and improve your data security, but also to gain a better understanding of how you're using personal data and how you might be able to use it more effectively.
Is anyone offering GDPR compliance guidance for businesses/organisations?
All the supervisory authorities are issuing advice and offering guidance, as are independent organisations such as the IAPP and the Data Protection Forum. Data Privacy professionals, IT consultancies and law firms have also begun to offer services related to GDPR compliance.
Does my business/organisation need a Data Protection Officer (DPO)?
You must appoint a DPO if you represent a public authority or are a business/organisation that undertakes regular and systematic monitoring of data subjects or processes sensitive personal data.
Who can use GDPR365?
Data Protection Officers, consultants and businesses/organisations needing to become compliant. GDPR365 is a comprehensive service that simplifies and manages a data protection programme.
Is there a setup fee or any additional costs?
No. The subscription contains all an organisation needs for compliance. For additional fees we do provide onboarding services or additional GDPR employee training.
How long does it take to set up my GDPR365 account?
Sign up now, get instant access and two weeks free.
Are we tied into a long-term contract?
It takes about three months to complete the compliance process. We require an annual subscription because, to be compliant, you need to maintain evidence of your efforts and monitor your GDPR compliance processes.
What support do you provide?
We provide email support and access to our support knowledge base, which includes help, videos, webinars and a discussion area. Take a look: http://help.gdpr365.com.
Can I upgrade if my organisation grows?
Yes, you simply choose the next package.
Can I downgrade if necessary?
Yes, you simply choose the lower package.
Why should I use GDPR365?
The GDPR is a good regulation, but it was written with individuals, not businesses, in mind. Our team has extensive experience building technology companies and understands data security and privacy from an organisation’s perspective. GDPR365 provides training tools to ensure every member of staff is aware of the GDPR, and the processes necessary to demonstrate and monitor compliance.
Can I take a trial?
Yes, register for GDPR365 and get a 15-day trial.
Do I need to enter my payment details to take a trial?
No, you only need to make payment when you decide to subscribe.
Can I add additional users during a trial?
No, you can’t add users during the trial but, depending on your plan, you can when you take a subscription.
How do I convert the trial to a monthly subscription?
Converting your trial to a subscription is easy. From the Subscription submenu in the Organisation menu, select your plan and your payment method.
What happens when the trial is over?
After the trial, access to your account is frozen, but you can still activate a subscription. If you want to have the trial extended just contact email@example.com. After three months, any data in GDPR365 will be permanently deleted.
Can I pay by credit card?
No. GDPR365 takes payment by direct debit using GoCardless. You can find details about GoCardless on their website: https://support.gocardless.com/hc/en-gb/articles/115002835269-FAQs-for-customers-paying-through-GoCardless. Alternatively, if you want to pay for one year upfront you can pay on invoice and by electronic fund transfer (EFT).
When will my payment card be billed?
The initial payment taken when you sign up is a pro-rata amount for the days remaining in the month and your first full month's payment. Thereafter, a direct debit will be made on your account on the first day of each month.
Can I choose what currency I pay in?
GDPR365 accepts payments in £ (GBP) and € (EUR). When you sign up your organisation, GDPR365 determines the currency you’ll use based on the location of your organisation.
How much will I be billed?
The monthly amount you’ll be billed is based on the plan you’ve subscribed to. Please see our pricing page or the Subscription submenu in the Organisation menu of your account.
Can I update my direct debit details?
To do this you need to contact us at firstname.lastname@example.org so we can cancel the current mandate. You’ll then need to re-input your new direct debit details in the Subscription menu of your account.
What is the length of the subscription term?
Our minimum agreement is one year.
How do I cancel?
To cancel the subscription send an email to email@example.com.
Is my organisation’s data secure?
GDPR365 is hosted by Amazon Web Services (AWS) and uses the latest techniques to ensure data is secure. Please contact us if you require more information about our data security practices.
Where is my organisation’s data stored?
Data is stored in AWS’s data centres in Ireland and Germany, which are both in the EU.
How do I sign in to GDPR365?
Once you’ve created your account and set your password you’ll be logged in to GDPR365. For subsequent logins, click on the User login link on the homepage or go to https://app.gdpr365.com/.
What are the different user roles in the GDPR365 portal?
GDPR365 contains administrator, compliance and HR users. Additionally, you can select the compliance permissions that each of these users can access. The collaborative tools within the compliance area can be used to communicate with individuals who don’t have seats on the platform.
What is the minimum and maximum number of users?
The minimum number of users is two. On the enterprise plan, there’s no maximum.
How do I add more users?
Go to the Users submenu in the Organisation menu and click on the Add New button.
Can I delete a user?
Yes. A user can be deleted.
Can I upload my organisation’s policy documents in GDPR365?
Yes. By uploading your policies in GDPR365 you can then distribute them to your staff and maintain a read and acceptance audit trail.
Can I upload and store my organisation’s personal data in GDPR365?
No. The only personal data from your organisation that can be stored in GDPR365 is the personal data of the users and the names and email addresses of your staff.
Can I delete information stored in GDPR365?
No. Information can’t be deleted. This allows you to retain a complete historical audit trail.
Which devices and browsers does GDPR365 support?
GDPR365 has been designed to work with commonly used browsers such as Internet Explorer 11, Edge, Chrome, Firefox and Safari. It is responsive and will also work with tablets such as iPads, and smartphones.
Where can I find a detailed explanation of the functionality in GDPR365?
Please take a look at the videos available in our help area: http://help.gdpr365.com.
Can I select my organisation’s time zone?
Yes, when you sign up you can choose the time zone you want.
English is not my organisation’s business language. Is GDPR365 available in other languages?
No, English is the only language we currently provide.