Help

Overview on Binding Corporate rules What is it? Binding Corporate Rules ("BCR") are internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. What is the purpose of BCR? BCR are used by multinational companies in order to adduce adequate s

The GDPR contains new provisions intended to enhance the protection of children’s personal data. Privacy notices for children Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand. Online services offered to children If you offer an ‘information society service’ (ie online service) to children, you may need to obtain consent from a parent or guardian to process the child

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particul

What is a data protection impact assessment? Data protection impact assessments (DPIAs) (also known as privacy impact assessments or PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. While

Sorry no additional help is available for GDPR Account Switcher at the moment.

The GDPR Action module allows you to create , record and manage actions as you go through the whole GDPR process.  Actions are a vital part of the process to help demonstrate compliance and to ensure you do not forget to carry out any required tasks. There are 6 types of actions that you can create; GDPR Review: Select this type of action if it relates to a review of the framework and/or processes that you are following.  These types of actions help demonstrate compliance as d

Sorry no additional help is available for GDPR Activity Log at the moment.

The GDPR document contains 99 articles that define its requirements and rights granted to EU citizens, GDPR operations, structure and penalties. Summary of Articles Contained in the GDPR Regulation of the European Parliament and of the Council on the protection of individuals with regard to processing of personal data and on the free movement of such data Table of Contents Chapter 1: General Provisions Article 1: Subject matter and objectives Article 2: Material scope Article 3:

Throughout the whole GDPR process you may have to carry out various types of Assessments for example: Data Audit Data Mapping Risk Assessment These assessments are required to provide a structured process to analysis data in your privacy network they also help demonstrate compliance to the GDPR framework. The different types off assessments can be applied to carry out industry standard approaches such as a Supplier Risk/Data Asssessment, SWOT (or SLOT) analysis or a GAP Analysi

The GDPR Assessment Editor allows you to

Document Auto Fill is a time saving tool to help you fill in configurable text within any document in your Documents/Policies list eg Company Name, Address etc.  It works in a similar way to a find and replace. To utilise the Document Auto Fill load sample data, then edit each item to fill in the details you want inserted eg edit [Company Name] and in the Auto Fill Details box delete the text that is there and enter your actual company name. Once you have configured all Aut

The contact page is where you can list all of the key stakeholders within the Privacy Network along with their basic contact details  If you also provide their email address the system can optionaly email out certain items to stakeholders automatically e.g. An action/task assigned to them. Make sure if you are using Sample Data that you have customised the data to fit in with your organisational and operational structure.  Generally, data that requires customising will be enclosed w

The GDPR Dashboard displays the 13 stages of the GDPR Framework, which will help to guide you through the GDPR document to compliance.  Each GDPR Stage is broken down into a number of sections, each section will ask a key questions to determine if your organisation is operating within the GDPR guidelines.  The questions require either a Yes, No or Not Sure answer.  If you answer Yes, then you must provide evidence to demonstrate why you answered yes, this may be in the form of

Use the GDPR Data Processing section to create a complete list of all the types of processes that your organisation carries out on data. You can Load Sample Data to give you some ideas of types of processes that you may deal with. Make sure if you are using Sample Data that you have customised the data to fit in with your organisational and operational structure, remove any that are not relevant and add in any types of processing not listed. This list will be used in the Process Registe

Use the GDPR Data Recipients section to create a complete list of all the types of recipients that your organisation sends data to that it processes and/or stores. You can Load Sample Data to give you some ideas of types of data recipients that you may deal with. Make sure if you are using Sample Data that you have customised the data to fit in with your organisational and operational structure, remove any that are not relevant and add in any data recipients not listed. This list will b

Use the GDPR Data Subjects section to create a complete list of all the types of data subjects your organisation processes and/or stores. You can Load Sample Data to give you some ideas of types of data subjects that you may process and store. Make sure if you are using Sample Data that you have customised the data to fit in with your organisational and operational structure, remove any that are not relevant and add in any data subjects not listed. This list will be used in the Process

Use the GDPR Data Types section to create a complete list of all the types of data your organisation processes and/or stores. You can Load Sample Data to give you some ideas of types of data that you may process and store. Make sure if you are using Sample Data that you have customised the data to fit in with your organisational and operational structure, remove any that are not relevant and add in any data types not listed. For each type of data you are processing you need to give some

Use the GDPR Document Types section to create a complete list of all the types of documents your organisation uses to processes and/or store data. You can Load Sample Data to give you some ideas of types of documents that you may use. Make sure if you are using Sample Data that you have customised the data to fit in with your organisational and operational structure, remove any that are not relevant and add in any document types not listed.

The Documents and Policies list is where you can store all related documents that you create throughout your GDPR journey.  If you have a non trial license you can download 34 sample documents to cover key requirements within the GDPR framework.  Each sample document will need customising to meet your operational needs.  You can use the Autofill lists to help speed up this process for example filling out the Company Name, Address, etc. all automatically. NOTE: Using the sample

Sorry no additional help is available for GDPR Dpia at the moment.

Sorry no additional help is available for GDPR Dpo at the moment.

The home page is the starting point to work through all of the tasks required to become GDPR compliant.  It is generally accepted that it is impossile to become 100% compliant due to all of the possible interactions between all stakeholders, processes and systems within the privacy network.  However by following this framework it will ensure that you are, with best endeavour, trying to work within the guidelines set out by the GDPR articles. The steps listed on the home page wi

Sorry no additional help is available for GDPR Issue Log at the moment.

The locations page is where you list the physical areas within your business that store and/or process data eg the name and address of your acountants, your office addresses etc. If you have more than one eg hosting provider, please create two entries, one for each. You can assign a location to a contact eg the person that looks after your hosting. You can Load Sample Data to give you some ideas of areas in your organisation that may process and store data. Make sure if you are using

If you have purchased a multiuser license then other users can also work on your GDPR framework. Users must first register on the web site using the create account page,  They need to enter their name, email address and the GDPR License Key which can be found under the Options Menu -> Settings.  Once registered the Manage Users table will list all users who wish to have access to your account.  Initially all users are given a Access Status of Not Authorised.  It is up t

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected (See below for more information from the ICO). The Data Breach Register is a register to record all data breaches within your privacy network. The data entry form for each register entry allows you to record the following: The status of this breach; New Pending Assessment Pending Response Pending

The GDPR will introduce a duty on all organisations to maintain a record of processing activities under its responsibility (Article 30) The Data Processing Register is a register to record all processing activities within your privacy network. The data entry form for each register entry allows you to record the following:     Type: The Type of register entry i.e. either a Data Controller or Data Processor     The status of this entry;   

Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15). These are similar to existing subject access rights under the DPA. The Re

Sorry no additional help is available for GDPR Register Restrict Data at the moment.

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined. The Transfer Data Register is a register to record all data transfer outside of the European Union within your privacy network.

Sorry no additional help is available for GDPR Release at the moment.

All of the reports are available in either HTML (opens in a new window) or PDF format (for download). Most of the individual reports displayed are also available on an item by item basis from the relevant section within this system. For example: To obtain a report of all Documents and Policies, Select the Reports menu option, then the Documents/Policies report. To obtain a report on just a single Document or Policy, Select the Lists menu option, then the Document/Policies List, locat

This page is where you can obtain the code to add our forms to your website.  Click the button 'Include This Form On Your Website' which provides you with your code snippet and tells you how to authorise your code. You MUST authorise your website first, or the code will not work. This GDPR Subject Access Requests page displays a list of all data subjects who have submitted a request. When a request gets submitted we automatically create an entry in the Register called&nbs

The GDPR Stage displays 1 of the 13 stages of the GDPR Framework, each GDPR Stage is broken down into a number of sections, each section will ask a key question to determine if your organisation is operating within the GDPR guidelines.  The questions require either a Yes, No or Not Sure answer.  The section question will provide a reference to which GDPR Articles the question is checking against, all Articles are available to be viewed by clicking the link in the section question, b

Sorry no additional help is available for GDPR Transaction Log at the moment.

Sorry no additional help is available for GDPR Wizard at the moment.

Sorry no additional help is available for GDPR-data-privacy-impact-assessments at the moment.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA. It is important that you determine your lawful basis for processing personal data and document this. This becomes more of an issue under the GDPR because your lawful basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. Identify whether any of your processing operations constitute automated decision making and consider whether you need to update your procedures to deal with the requirements of the GDPR. When does the right apply? Individuals have the right not to be subject to a decision when: i

What information is an individual entitled to under the GDPR? Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15). These are similar to existing subject access rights under the DPA. What is the purpose of the right of access under GDPR? The

The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data. What information must be supplied? The GDPR sets out the information that you should supply and when individuals should be informed. The information you supply is determined by whether or not you obtained the personal data directly from individuals. See the table below for fu

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. Some organisations in the UK already offer data portability through the midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data i

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. When does the right to erasure apply? The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circ

When does the right to object apply? Individuals have the right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics. How do I comply with the right to object? If you process personal data for the performance of a legal task or your organisation’

When should personal data be rectified? Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed where appropriate. How long do I have to comply with a request for rectification? You must respond within one month. This can be

Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future. When does the right to restrict processing apply? You will be required to restrict the processing of personal

Personal data Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. For most organisations, keeping HR record

The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR. If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal d