GDPR Practical

Handbook
 Contents

3 What is GDPR?

4 How should you prepare for GDPR?

5 Does it matter where a business is

located ?

6 Step 1: Getting know your company

DISCLAIMER
7 Step 2: Data Protection Officer
The content provided by VulnOS
shall not be considered legal 8 Step 3: Prepare for Data Subject
advice and no attorney–client
Request (DSAR)
relationship is established. Please
note that in some cases,
depending on your legislation, 9 Step 4: Update your Privacy Policy
further actions may be required to
ensure your compliance 10 Step 5: Manage Data Subject Consent
procedure meets local laws, for
which we recommend you seek a
lawyer. No part of this document 11 Step 6: Keep Records of Processing
may be reproduced in any form Activities
without the written permission of
the copyright owner.

VulnOS shall have no liability for

any error or damage of any kind
resulting from the use of this
document.

Copyright © 2019 I.D Cyber

Solutions Ltd. (“VulnOS”).
Proprietary & Confidential.

2 GDPR Practical Handbook 2

 Introduction

What is GDPR?
The European General Data Protection Regulation (GDPR) came into
effect on 25 May 2018 to replace the old 1995 Data Protection Directive,
which failed to address the evolving world of social media and large-
scale internet use. GDPR sets out to protect the rights of EU citizens
regarding how data about them is held and used by companies
worldwide.

The new regulation

ensures that data
protection policies are
uniform across all EU
member countries, with
the aim to give EU citizens
greater power over their
personal data and make
companies more
transparent in how they
deal with this data across
all industries.

Companies that are found guilty of misusing data or not complying

with the new regulations can be fined up to €20 million or 4% of the
company's annual turnover—whichever is higher.

GDPR Practical Handbook 3

 Does it matter where a
business is located?
GDPR affects every company, in every country and state that holds and processes
personal data of EU residents. GDPR is not concerned with whether or not an
individual is an EU citizen; anyone located within the EU is protected by GDPR.

For example, if an American travelled to Germany, his/her personal information

would need to be protected in line with GDPR requirements, as by being in the EU,
they are given the same rights and freedoms as an EU citizen under GDPR. So, it’s
not where a business is located, but where their customers are based that counts.
The hardest hit will be those that hold and process large amounts of consumer
data: technology firms, marketers, and the data brokers who connect them.

As a result of the Brexit referendum on March 29, 2017, the GDPR will be regulated
by the Data Protection Act 2018 for companies in the UK, enabling it to function as
national law. The GDPR is here to stay, and it will continue to be actively enforced by
the Information Commissioner’s Office (ICO) post-Brexit. Organizations in Europe will
be prohibited from sending personal data about their employees, customers,or
suppliers to the UK, even to members of the same corporate group, without a data
transfer solution in place.

US companies, especially those that collect EU personal data identifiers from landing
pages, inbound marketing, or events, should take note of the changing GDPR practices.
California-based companies must comply with the California Privacy Act (CCPA), which is
an outcome of the reaching influence of GDPR and shifting government priorities toward
greater protection of individual privacy.

4 GDPR Practical Handbook 4

How should you
prepare for GDPR?
Becoming GDPR-compliant may require your company to shift the
way personal data is handled in many aspects. This can involve
wide technological changes that can be risky and time-consuming,
so you should develop a cohesive risk management strategy and,
most importantly, a compliance plan.

Remember, the more secure your company keeps its data, the
more data your customers will be willing share, making your
marketing campaigns more precise and efficient. And don’t forget,
as a rule of thumb: always ask for user consent when it comes to
processing his/her personal data.

Let’s start building your ready-to-go compliance plan !

GDPR Practical Handbook 5

 STEP 1:

Outline your company

Create a profile about your company’s legal entity, including:

 Where is your company based or located? (To check if there’s

any local data protection regulations you’ll also need to comply
with)
 How many employees do you have?
 What departments do you have?
 Who is your Data Protection Coordinator in each department?
 What is the email address for customers’ privacy issues or
concerns?
 Who takes care of Data Subject Requests in your company?

Bear in mind that you must keep this record accurate and up-to-date as
your company grows and evolves.

GDPR Practical Handbook 6

 STEP 2:

Data Protection Officer

The GDPR introduces a duty for companies to appoint a Data Protection
Officer (DPO) to monitor internal compliance, inform and advise on your
data protection obligations, provide advice regarding Data Protection
Impact Assessments (DPIAs), and act as a contact point for data subjects
and the supervisory authority.

Your company MUST designate a DPO if it meets one or more of the

following criteria:

I t is a public authority or body (except for courts acting in their

judicial capacity);
 Its core activities require large-scale, regular, and systematic
monitoring of individuals (for example, online behavior tracking); or
 Your core activities consist of large-scale processing of special
categories of data (for example, HR company processing applicant
data) or data relating to criminal convictions and offences.

If you aren’t required to appoint a DPO, you can decide to voluntarily

appoint a DPO, but note that the same requirements of the position and
tasks apply had the appointment been mandatory.

GDPR Practical Handbook 7

 STEP 3:

Prepare to respond to Data

Subject Access Requests
Article 15 of the GDPR conveys set of rules that are meant to help data
subjects and enforce their rights against abusive personal data
processing. A Data Subject Access Request, known as a DSAR, is a
written request, in paper or electronic form made by a data subject to the
data processor or controller for information. A DSAR from a data subject
must be responded to within 30 days of receipt.

Recital 63 recommends that, where possible, “the controller should be

able to provide remote access to a secure system which would provide the
data subject with direct access to his or her personal data.”

These rights include rectification of their data, data erasure (the “right to
be forgotten”), restriction of processing data, objection to processing
data, and receiving data in an electronic format so it can be moved to
another controller.

In a nutshell, your company must be able to provide data subjects with

direct access to their personal data and the option to export it into a
common machine-readable format (e.g., JSON /XML), as well as the
ability to change or erase those personal data at any given moment.

GDPR Practical Handbook 8

 STEP 4:
Update your Privacy Policy
Under GDPR, you will need to make a
few changes to your existing Privacy
Policy. Keep in mind that even if your
company is not located within the EU,
you must comply with GDPR if you
have users who reside within the EU.
The GDPR makes it very clear that any
entity which collects or processes the
personal data of EU residents must
abide by its regulations. You must also
ensure that your Privacy Policy meets
any other applicable local data
protection laws.
At first glance, if your current Privacy
Policy is written with excessive legal
terminology that would make it
difficult for an average user to read or
understand, you should rewrite it in a
more natural, conversational manner.
Simplify the legalese wherever
possible, as it needs to be
comprehensible by everyone, not just
lawyers or government officials.
GDPR Practical Handbook
TO-DO LIST:
 Make sure you outline all the
third-parties and sub-processors
you may or may not share
information with. Explain in
simple language who these third-
parties are, what information is
disclosed to them, and how this
information is used, and describe
any organizational and technical
measures in place to secure this
information.
 In addition, you must disclose
in your Privacy Policy that you
have an appointed Data
Protection Officer and include a
means of contacting him or her in
the event that your users have
any questions, concerns, or
suspect a data breach.
 If your website uses Cookies or
LocalStorage technology, then
you must provide link to a
detailed Cookie Policy explaining
about them as well.
9
 STEP 5:

Manage Data Subject

Consents
Consent is defined in Article 4(11) as “any freely given, specific, informed and
unambiguous indication of the data subject’s wishes by which he or she, by a
statement or by a clear affirmative action, signifies agreement to the processing of
personal data relating to him or her.”

Article 7 also sets out further “conditions” for consent, with specific provisions on
keeping records to demonstrate consent. A consent audit log must as a minimum
include:

 What is the purpose of collecting data?

 Who gave that consent?
 When can this consent be given or withdrawn by the data subject?
 What willyou do with the data (the processing activities)?

A commonly used example is an onboarding flow—when user signs up for the first
time, he is asked to tick a box to consent (“I agree to the TOS and Privacy Policy”),
which is then captured and logged. Bear in mind that all consent logs need to be
up-to-date and accurate.

GDPR Practical Handbook 10

 STEP 6:

Keep Records of Processing

Activities (RPAs)
The documentation of operations and processes wherever personal data is
involved is known as a processing activity. Maintaining an up-to-date record of
your company’s processing activities, as required by GDPR Article 14, may help
your company effortlessly mitigate the impact of GDPR.

To provide legal protection to companies, it is necessary to ensure transparency

with regards to processing personal data. Keeping clear records is proof of
compliance and demonstration of accountability towards GDPR requirements.

Under GDPR, the documentation of your processing activities must be in writing;

this can be in paper or electronic form. Generally, most organizations will benefit
from maintaining their documentation electronically so they can easily add to,
remove, and amend it as necessary, as keeping a record of your processing
activities is not a one-off exercise; the information you document must reflect the
current situation regarding the processing of personal data, so it must remain
accurate and up-to-date.

IMPORTANT: Audit and sign agreements with vendors

According to GDPR Art. 28(1), 24(1), 29 & 46(1), you need to instigate
Data Processing Agreements (DPAs) with your third-party vendors
(e.g., Google Cloud, AWS, PayPal, etc.) and sign with them about data
processing agreement (DPA) to reduce your liability as a controller. Up-
to-date records of signed documents with any third-party vendors that
process data on your company’s behalf should be kept in a central
place.

GDPR Practical Handbook 11

About VulnOS
VulnOS has been designed and developed by data protection and privacy
expert practitioners to achieve GDPR compliance 90% faster than with
externally hired consultants or manually filled paper toolkits. VulnOS is
powered by AI-legal tech solutions that guide you step-by-step through
the GDPR compliance process.

It includes:
• A complete set of easy-to-use, one-click templates, which will
save you time and money and ensure GDPR compliance;
• Helpful documentation tools to ensure complete GDPR coverage;
• Fully automated solutions for Cookie banners (“cookie law”),
consent management, and data subject requests in oneline of code
(no programming skills required); and
• A dedicated AI-based bot to accelerate your compliance
progress.

TRY VulnOS for 14-Days FREE by clicking the button below:

YES ! I WANT TO COMPLY 90% FASTER

GDPR Practical Handbook 12