Simplifying compliance for
businesses and organisations

General GDPR questions

No. The subscription contains all an organisation needs for compliance. For additional fees we do provide onboarding services or additional GDPR employee training.

Sign up now, get instant access and two weeks free.

It takes about three months to complete the compliance process. We require an annual subscription because, to be compliant, you need to maintain evidence of your efforts and monitor your GDPR compliance processes.

We provide email support and access to our support knowledge base, which includes help, videos, webinars and a discussion area. Take a look: http://help.gdpr365.com.

Yes, you simply choose the next package.

Yes, you simply choose the lower package.

The GDPR is a good regulation, but it was written with individuals, not businesses in mind. Our team has extensive experience building technology companies and understands data security and privacy from an organisation’s perspective. GDPR365 provides training tools to ensure every member of staff is aware of the GDPR and the processes necessary to demonstrate and monitor compliance.

Yes, register for GDPR365 and get a 15-day trial.

No, you only need to make payment when you decide to subscribe.

No, you can’t add users during the trial but, depending on your plan, you can when you take a subscription.

Converting your trial to a subscription is easy. From the Subscription submenu in the Organisation menu, select your plan and your payment method.

After the trial, access to your account is frozen, but you can still activate a subscription. If you want to have the trial extended just contact support@gdpr365.com. After three months, any data in GDPR365 will be permanently deleted.

No. GDPR365 takes payment by direct debit using GoCardless. You can find details about GoCardless on their website: https://support.gocardless.com/hc/en-gb/articles/115002835269-FAQs-for-customers-paying-through-GoCardless. Alternatively, if you want to pay for one year upfront you can pay on invoice and by electronic fund transfer (EFT).

The initial payment taken when you sign up is a pro-rata amount for the days remaining in the month and your first full month’s payment. Thereafter, a direct debit will be made on your account on the first day of each month.

GDPR365 accepts payments in £ (GBP) and € (EUR). When you sign up your organisation, GDPR365 determines the currency you’ll use based on the location of your organisation.

The monthly amount you’ll be billed is based on the plan you’ve subscribed to. Please see our pricing page or the Subscription submenu in the Organisation menu of your account.

To do this you need to contact us at support@gdpr365.com so we can cancel the current mandate. You’ll then need to re-input your new direct debit details in the Subscription menu of your account.

Our minimum agreement is one year.

To cancel the subscription send an email to support@gdpr365.com.

GDPR365 is hosted by Amazon Web Services (AWS) and uses the latest techniques to ensure data is secure. Please contact us if you require more information about our data security practices.

Data is stored in AWS’s data centres in Ireland and Germany, which are both in the EU.

Once you’ve created your account and set your password you’ll be logged in to GDPR365. For subsequent logins, click on the User login link on the homepage or go to https://app.gdpr365.com/.

GDPR365 contains administrator, compliance and HR users. Additionally, you can select the compliance permissions that each of these users can access. The collaborative tools within the compliance area can be used to communicate with individuals who don’t have seats on the platform.

The minimum number of users is two. On the enterprise plan, there’s no maximum.

Go to the Users submenu in the Organisation menu and click on the Add New button.

Yes. A user can be deleted.

Yes. By uploading your policies in GDPR365 you can then distribute them to your staff and maintain a read and acceptance audit trail.

No. The only personal data from your organisation that can be stored in GDPR365 is the personal data of the users and the names and email addresses of your staff.

No. Information can’t be deleted. This allows you to retain a complete historical audit trail.

GDPR365 has been designed to work with commonly used browsers such as Internet Explorer 11, Edge, Chrome, Firefox and Safari. It is responsive and will also work with tablets such as iPads, and smartphones.

Please take a look at the videos available in our help area: http://help.gdpr365.com.

Yes, when you sign up you can choose the time zone you want.

No, English is the only language we currently provide.

Frequently asked questions

It stands for the General Data Protection Regulation. By 25 May 2018, all organisations using personal data will have to be compliant with it.

The GDPR categorises personal data as any information relating to an identifiable natural person. This broad definition includes information such as name, email and location. It also includes online identifiers such as IP addresses and online behaviour.

1. Individuals will have significant new rights, such as the right to be forgotten. 2. Consent will be harder to obtain and can be withdrawn at any time. 3. Organisations will become responsible for data security, and must report breaches. 4. Privacy notices will need to contain specific disclosures. 5. Transfers of data to organisations outside the EU will incur specific requirements. 6. Organisations outside the EU will have to abide by the law if they collect and process personal data from within the EU.

Consent needs to be explicit, opt-in and freely given. This means the popular, opt-out based consent of today will no longer be acceptable.

Yes. If you offer goods or services to EU residents, then you must comply with the GDPR.

Yes. The GDPR applies to organisations that offer goods or services to EU residents irrespective of whether a payment is required or if the organisation is monitoring the behaviour of EU residents.

If the manual data processing contributes toward a database, then you must comply. If the processing is once-off and doesn’t enter a structured and accessible database, then the GDPR may not apply.

EU Member States can make derogations for national security, defense, public security, criminal and ethics investigations and prevention, public interest and the enforcement of civil law. You’ll need to ask your supervisory authority for a list of derogations.

You may be fined up to €20m or 4% of your worldwide turnover (revenue), whichever is greater. You may also be subject to lawsuits by affected data subjects.

The truth is we don’t know. The EU is still issuing guidance on provisions so there remains some uncertainty about how they’ll be enforced. What this means is, initially, you’ll need to make value judgements on whether your processing is lawful. For example, allowing an employee to take a laptop on holiday or selling your business and transfering your books could be technically non-compliant but unavoidable and in need of a risk assessment. The Information Commissioner’s Office (the UK supervisory authority) has insisted it will be a proportionate, rational regulator , and that it won’t aggressively go after businesses to levy fines except as a last resort. But their budget is funded by fines. And they issued ¾ million pounds in mid-2017 despite the new Data Protection Law being enacted. So it’ll be best to err on the side of caution.

The Irish Data Protection Commissioner, Helen Dixon, has indicated a willingness to apply the full fine as the case may call for it, and when asked if there’ll be any leeway to ease companies into the new regulation, she answered “No. There’s not going to be any amnesty or first or second chances.” The Information Commissioner’s Office Head of International Strategy and Intelligence, Steve Wood, says, “Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy. What you will see is a common-sense, pragmatic approach to regulatory principles.”

Conglomerates and companies working with sensitive personal data such as health and biometric data would do best to ensure they comply with the GDPR. Industries with a history of poor data protection practices, such as digital direct marketing and social media organisations that hold large quantities of personal data, should make sure their consent practices comply and that they can guarantee their data subjects’ rights under the GDPR.

There are very concrete benefits. Compliance is an opportunity to redefine your organisation’s governance, policies and data management practices. By educating your employees and clients in data protection and privacy you’ll strengthen your brand as being responsible and trustworthy.. During the assessments, data mapping and gap analysis you’ll undertake in order to become compliant, you’ll have an opportunity to not only review and improve your data security, but also have a better understanding of how you’re using personal data and how you might be able to use it more effectively.

All the supervisory authorities are issuing advice and offering guidance, as are independent organisations such as the IAPP and the Data Protection Forum. Data Privacy professionals, IT consultancies and law firms have also begun to offer services related to GDPR compliance.

You must appoint a DPO if you represent a public authority or are a business/organisation that undertakes regular and systematic monitoring of data subjects or processes sensitive personal data.

Data protection officers, consultants and businesses/organisations needing to become compliant. GDPR365 is a comprehensive service that simplifies and manages a data protection programme.