
@JoelLisenby
Last active May 4, 2018 21:50
GDPR Summary

General Data Protection Regulation [GDPR] Summary

Must identify and record the lawful basis for processing each contact's personal data.

  • Consent (opt-in)
    • The user must be told (notified) what they are opting into before they opt in.
    • The user must affirmatively opt in via a box that is unchecked by default; a pre-ticked box is not consent. Consent covers only what the user was notified about, not everything you would like to send.
    • Consent must be granular, covering each distinct way you use the user's data (e.g. email, calls) separately.
    • Must log auditable evidence of what the user consented to: the notice they were shown and when they consented.
  • Performance of a contract (e.g. a customer you need to send bills to)
  • Legitimate interest (e.g. an existing customer you want to tell about products related to what they already have); this basis must be weighed against the user's own interests and rights.

Withdrawal of consent

  • Must give the user the ability to see what they have consented to and to withdraw consent at any time. Withdrawing must be as easy as giving consent.
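The consent and withdrawal requirements above amount to an append-only ledger: one event per subject per scope, each carrying the notice version and timestamp as evidence, with withdrawal recorded the same way as a grant rather than by deleting history. The following is an added illustration, not code from the original gist or from HubSpot; the scope names ("email", "calls"), the `notice_version` field and the `ConsentLedger` class are assumptions chosen for the example.

```python
"""Append-only consent ledger: granular scopes, auditable evidence, easy withdrawal.

Added example, not part of the original gist. Scope names, field names and the
ConsentLedger API are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # the contact (customer id, hashed email, ...)
    scope: str            # one granular use of the data: "email", "calls", ...
    granted: bool         # True = opt-in, False = withdrawal
    notice_version: str   # identifier of the notice text shown at the time
    at: datetime          # when the event happened (UTC)


class ConsentLedger:
    """Events are only ever appended, so the full history stays auditable."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, scope: str, granted: bool,
                notice_version: str, at: Optional[datetime]) -> ConsentEvent:
        ev = ConsentEvent(subject_id, scope, granted, notice_version,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def grant(self, subject_id: str, scopes: Iterable[str], notice_version: str,
              at: Optional[datetime] = None) -> List[ConsentEvent]:
        # One event per scope: opting into "email" says nothing about "calls".
        return [self._append(subject_id, s, True, notice_version, at) for s in scopes]

    def withdraw(self, subject_id: str, scopes: Iterable[str],
                 at: Optional[datetime] = None) -> List[ConsentEvent]:
        # Same call shape as grant(): withdrawing is no harder than consenting.
        return [self._append(subject_id, s, False, "withdrawal", at) for s in scopes]

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything the subject ever granted or withdrew, oldest first."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)  # sorted() is stable, so ties keep append order

    def current_scopes(self, subject_id: str) -> Set[str]:
        """Scopes whose most recent event is a grant."""
        state = {}
        for ev in self.history(subject_id):
            state[ev.scope] = ev.granted
        return {scope for scope, granted in state.items() if granted}

    def may_process(self, subject_id: str, scope: str) -> bool:
        """The check every sender/dialler should make before using the data."""
        return scope in self.current_scopes(subject_id)

    def evidence(self, subject_id: str, scope: str) -> Optional[ConsentEvent]:
        """The grant event (notice shown + timestamp) backing current consent, or None."""
        latest = None
        for ev in self.history(subject_id):
            if ev.scope == scope:
                latest = ev
        return latest if latest is not None and latest.granted else None


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("user-42", ["email"], notice_version="privacy-notice-v3")
    print("email ok:", ledger.may_process("user-42", "email"))   # True
    print("calls ok:", ledger.may_process("user-42", "calls"))   # False: granular
    ledger.withdraw("user-42", ["email"])
    print("email ok after withdrawal:", ledger.may_process("user-42", "email"))  # False
    for ev in ledger.history("user-42"):
        print(ev)
```

Keeping the withdrawal as a new event rather than deleting the grant is what makes the log auditable: you can still show what notice the user saw and when, and when they changed their mind. When a deletion request arrives, the ledger entries for that subject are personal data too and have to go with the rest.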

Deletion

  • A user must be able to request that you permanently delete all data stored about them, including email tracking history, call records, form submissions and more.
  • Must respond to the request within one month (Art. 12(3)); this can be extended by two further months for complex or numerous requests, but the user must be told about the extension within the first month.
  • The right to erasure (Art. 17) depends on the context of the request, so it does not always apply (e.g. data you are legally required to retain).

Cookies

  • The user must be told, in layman's terms, that you are using cookies and must consent before a cookie can be set; only cookies strictly necessary to deliver the service the user asked for are exempt from consent.
  • The proposed ePrivacy Regulation would tighten the rules in this area further.

Access / Portability

  • A user must be able to request access to the personal data you have stored about them.
  • Personal data is anything that identifies a person or can be linked to one, such as name, email address or IP address(es).
  • You need to provide a copy of the data in a structured, commonly used, machine-readable format (Art. 20); CSV is the usual choice, but the regulation does not mandate a specific format.
  • The user can also ask to see and verify the lawfulness of processing (via the auditable log of consent mentioned above).

Modification

  • A user must be able to request correction of inaccurate or incomplete personal data.
  • Must act on the request, within the same one-month window as access and deletion requests.

Security measures

  • Personal data must be encrypted at rest (Art. 32 names encryption and pseudonymisation as appropriate technical measures).
  • Data must be encrypted in transit (TLS).
  • Access controls limiting who and what can read personal data.
  • Pseudonymization (replace direct identifiers with tokens, keeping the key or mapping needed to re-identify them separately and under stricter access control) and anonymization (irreversibly remove the link to a person; properly anonymized data is no longer personal data).
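Pseudonymization is the one measure above with a common pitfall worth showing: replacing an email address with a plain SHA-256 hash is not pseudonymization in any useful sense, because email addresses are guessable and the hash falls to a dictionary attack. A keyed hash (HMAC) with the key held in a separate, tightly controlled store is the usual fix. The following is an added example, not code from the original gist or from HubSpot; the record layout, the `/24` and `/48` coarsening used in `anonymize_record`, and the function names are assumptions made for illustration.

```python
"""Pseudonymization with HMAC-SHA256 versus a naive unkeyed hash.

Added example, not part of the original gist. Record fields, function names and
the IP coarsening used for anonymization are assumptions for illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Dict, Iterable, Optional


def _normalize(identifier: str) -> bytes:
    # So that "Alice@Example.com" and "alice@example.com" map to the same token.
    return identifier.strip().lower().encode("utf-8")


def naive_hash(identifier: str) -> str:
    """What people often do: unkeyed SHA-256. Reversible by guessing inputs."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym. Without `key`, guessing inputs does not help."""
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict, key: bytes, fields: Iterable[str] = ("email",)) -> Dict:
    """Copy of `record` with the direct identifiers replaced by keyed tokens.

    The key is the re-identification secret: keep it out of the data store that
    holds the pseudonymized records and restrict who can use it.
    """
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = pseudonym(out[f], key)
    return out


def anonymize_record(record: Dict) -> Dict:
    """Irreversible variant: drop the email, coarsen the IP to a network prefix.

    Coarsening to /24 (IPv4) or /48 (IPv6) is a constructed illustration;
    whether the result is truly anonymous depends on what else is in the data set.
    """
    out = {k: v for k, v in record.items() if k != "email"}
    if out.get("ip"):
        addr = ipaddress.ip_address(out["ip"])
        prefix = 24 if addr.version == 4 else 48
        out["ip"] = str(ipaddress.ip_network((addr, prefix), strict=False))
    return out


def dictionary_attack(target: str, candidates: Iterable[str],
                      hasher: Callable[[str], str]) -> Optional[str]:
    """Try each candidate identifier; return the one that produces `target`."""
    for c in candidates:
        if hmac.compare_digest(hasher(c), target):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: generated and held in a KMS/HSM
    # Constructed sample record.
    record = {"email": "Alice@Example.com", "ip": "203.0.113.7", "plan": "pro"}
    # An attacker's guess list (constructed); real lists come from breach dumps.
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]

    stored = pseudonymize_record(record, key)
    print("stored record:", stored)
    print("naive hash reversed to:",
          dictionary_attack(naive_hash(record["email"]), guesses, naive_hash))
    print("HMAC token reversed without key:",
          dictionary_attack(stored["email"], guesses, naive_hash))
    # Answering an access request: the key holder recomputes the token for the
    # requester's address and looks it up; no email-to-token table is needed.
    print("re-identified with key:",
          dictionary_attack(stored["email"], guesses, lambda c: pseudonym(c, key)))
    print("anonymized:", anonymize_record(record))
```

The design point is that the key, not the hash function, carries the protection: whoever can read the pseudonymized data set but not the key cannot get back to the person, which is what lets you apply weaker access controls to analytics copies than to the master record. Rotating the key produces unlinkable tokens, so the same user cannot be matched across two data sets pseudonymized under different keys.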

And more

This summary was written based on hubspot.com's gdpr readiness document. https://www.hubspot.com/data-privacy/gdpr/product-readiness.

Searchable GDPR law: https://gdpr.algolia.com/

See the full text of the law at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679
