What is GDPR?

GDPR stands for General Data Protection Regulation. It is the European Union regulation that replaces the Data Protection Directive (95/46/EC) and, in the UK, supersedes the Data Protection Act 1998. The goals of GDPR are to give individuals in the EU more control over their personal data, to impose stronger fines for non-compliance, and to regulate more tightly how companies use personal data.

“Personal Data” refers to any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. “Restriction of Processing” is the marking of stored personal data with the aim of limiting its processing in the future.

“Sensitive Data” is a special category of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, biometric data used to uniquely identify a person, data concerning health, and data concerning a person’s sex life or sexual orientation) to which additional protections apply.

“Data Controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller (or the criteria for nominating it) may be specified by that law.

“Data Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

What’s the difference between a controller and a processor?
An organization working with personal data will operate either as a controller or a processor.
A “controller” is the organization that determines the purposes and means of the processing of personal data. If the controller processes the data itself, it is still considered a controller. Online retailers, for instance, fall under this category (as do the majority of businesses).
A “processor” is a party outside the controller organization that processes the data on behalf of the controller. Typical processor companies include payroll companies, accountants, market research firms and most cloud providers.

How is Sales.Rocks preparing for GDPR?

At Sample Solutions BV and our platform Sales.Rocks, we believe that GDPR is an important milestone in the data privacy landscape, and we are committed to achieving compliance with it.
We use in-house technology, and we process publicly available information only to the extent that is legally permitted under applicable law.

By using Big Data and merging a sampling frame with the unstructured content of social media profiles, such as images and messenger applications, additional information can be linked to mobile phone numbers, which allows accurate targeting by age and gender.

GDPR sets the age of consent for online services at 16 years. Sales.Rocks respects this rule and does not knowingly collect Personal Information from children under 16 years of age. National law may lower this age, but not below 13 years.
We have made significant investments to prepare the business for the GDPR enforcement deadline of 25 May 2018. We have conducted a Privacy Impact Assessment, updated our Data Protection Agreement, appointed a Data Protection Officer, assembled a GDPR task force, and dedicated engineering resources to enhancing the platform with additional GDPR compliance features.

We ensure that our Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. For that purpose, the DPO reports directly to the highest level of management and to the board. The DPO’s tasks include:

• Informing and advising the controller or the processor and all employees who carry out data processing of their obligations under the GDPR and other Union or Member State data protection provisions;
• Monitoring compliance with the GDPR;
• Providing advice, where requested, on Data Protection Impact Assessments and monitoring their performance;
• Cooperating with the supervisory authority;
• Acting as the contact point for the supervisory authority on issues related to processing.

Our six step preparation for GDPR compliance

Understanding the Law

Our organization knows its obligations under GDPR, since our work consists of collecting, processing and storing data. We strive for continual improvement by organizing workshops, training and audits so that our employees stay informed of their obligation to keep data secure and private, in compliance with the law.

Risk Assessment

We made a list of what is most important to our organization and of the best way to implement the GDPR. We risk-assessed that list, determined our risk tolerance against it, and built our roadmap around it. Both GDPR and ISO 27001 require organizations to conduct regular risk assessments. These help us identify the threats and vulnerabilities that can affect our organization’s assets and give us the information we need to assure the confidentiality, integrity and availability of personal data.

Accountability Roadmap for Demonstrating GDPR Compliance

Organizations demonstrate compliance by implementing appropriate technical and organizational measures that show the processing of personal data is performed in accordance with the GDPR. We have established appropriate technical and organizational measures (TOMs) to ensure the protection of personal data.

Knowing which data is regulated

We know which data is regulated, and we have determined what information our company holds and where it is held. Because compliance requires a clear record of the customer information in our possession, we have recorded who has access to the data, who shares it, when it was accessed and what information was used.

Providing subject’s right to access

Data subjects can contact us to find out how we process their data and what kind of data we keep. Our DPO is responsible for telling the data subject whether or not their personal data is being processed and, when that is the case, which personal data is used.

Establishing procedures for responding to data subjects when they exercise their rights

This requirement applies to all communications with data subjects and to the specific responses required for each type of request, including access, correction, erasure, restriction of processing, objection, and data portability. Under the GDPR, such requests must be answered without undue delay and in any event within one month of receipt; for complex or numerous requests this period may be extended by two further months, provided the data subject is informed of the extension within the first month.