GDPR Action Plan (Blue State Digital, September 2017)


Page 1

GDPR Action Plan

September 2017

BLUE STATE DIGITAL

Page 2

General Information

What is the GDPR? The EU General Data Protection Regulation (GDPR) is a new set of data privacy and security laws which aims to protect EU data subjects from privacy and data breaches.

Who does the GDPR affect? The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU — like Blue State Digital — if they offer services to EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union.

What actions is Blue State Digital taking to prepare for the implementation of the GDPR? We will be making significant changes to our BSD Tools and CallOut products to ensure that user data capture, hosting, and removal processes are compliant with the GDPR. Additionally, we will be working with all clients to put in place the updated services agreements required by the new laws. More information on the changes being made can be found on the pages that follow.

When does the GDPR go into effect? The GDPR will go into force on 25 May 2018.

When will BSD’s product changes be deployed? Blue State Digital expects to complete all updates to its BSD Tools and CallOut products before the May 2018 deadline, with time for customers to test and implement the updated functionality.

What steps does my organisation need to take? BSD strongly encourages all clients with operations in the EU to seek the counsel of an expert in the new law. In order to continue using the BSD Tools and/or CallOut products, your team will need to:

• Work with BSD to ratify a new Data Processing Agreement

• Display the appropriate privacy policy and/or terms & conditions to all end users who interact with BSD Tools or CallOut pages

• Ensure that all BSD Tools and CallOut features made available to your organisation remain properly implemented through the duration of your engagement with Blue State Digital

Where can I find more information? More information can be found at http://www.eugdpr.org.

SOURCE: EUGDPR.ORG

Page 3

Product Changes

Explicit Consent from Data Subjects

The GDPR requires that data subjects give explicit consent before submitting personal data to you. Webforms in the BSD Tools and CallOut products will be updated with new dropdown menus where data subjects can provide consent to have their data stored and set their email subscription preference. If the data subject does not provide consent, the user will not be able to use the webform.

Cookies

The BSD Tools and the CallOut products automatically set cookies on end user browsers to facilitate webform auto-filling, session tracking, and action attribution. These cookies are integral to both products. As such, end users who navigate to BSD Tools and CallOut pages will be presented with an overlay informing them that cookies are required to continue and requesting their explicit consent. Users who do not grant consent will not be able to proceed.

Data Access Requests from End Users

The GDPR requires that data subjects have a method to request that their personal data be removed from storage. BSD will develop a public page where users can enter their email address to request that their personal data be removed. Removal requests will trigger an email message to the data subject requesting confirmation, and will then start an automated deletion and anonymisation process. The same method may be used by customers for removal requests they receive directly.

Page 4

Product Changes

Auditability

BSD will be adding reports to the Advanced Reports & Data section of the BSD Tools to:

• Detail the personal data stored for a given data subject, which will enable customers to respond to data access requests

• Report on the number of personal data deletion requests received

• Audit access to data subjects’ personal data by administrators

Automated Deletion

As a best practice, we will implement an automated, time-based record deletion process. The process will identify inactive records based on a time interval (i.e. records that have not taken action in the past N days) and trigger a data removal and anonymisation process.

Data Hosting

We will be reviewing and updating our policies and procedures with regards to data hosting, as well as the data hosting providers used by the BSD Tools and CallOut applications, to ensure that they are compliant with the GDPR.

Page 5

Legal & Policy Changes

Prior to GDPR’s effective date, existing BSD Toolset and CallOut Agreements with EU and UK clients must be replaced by an updated BSD Toolset Agreement.

BSD will update our privacy policies and BSD Toolset and CallOut terms and conditions to comply with the new GDPR requirements.

BSD will provide you with ongoing access to information required for your organisation to be compliant with GDPR Data Controller requirements.

BSD will update our agreements with sub-processors of BSD Toolset and CallOut data as required for our compliance with GDPR requirements.

BSD is available to consult with your GDPR implementation team regarding your organisation’s specific needs, and scope new features and functionality upon request.

Page 6

Thank you. Questions? Please contact [email protected]