GDPR Consultation - [Company]
XX.XX.2018
Overview
The GDPR, or General Data Protection Regulation, is wide-ranging legislation set to go into
effect in Europe on May 25, 2018. The GDPR will impose new requirements on companies
that collect data about citizens of the European Union. [Company], as part of its continued
efforts to offer privacy-compliant services, has engaged kidSAFE to assist with GDPR
compliance as it relates to child users.
Goals
1. Update [Company]’s privacy policy and related privacy notices to better align with
GDPR standards;
2. Update consent flows and other registration flows to better align with GDPR
standards; and
3. Complete a limited data inventory to discover and record critical privacy
information, including the lawful bases for collecting data under the GDPR.
GDPR Compliance
Much of the GDPR is still open to interpretation by the enforcement bodies in the individual
member countries. As these bodies have yet to issue any enforcement decisions, it remains
unclear what compliance will look like in all situations.
kidSAFE has been researching the GDPR and existing guidance to assist our members in
moving towards compliance.
The overall requirements set out by the GDPR are extensive and involve many areas that
will not be covered under this project. As such, completion of this project will not indicate
that kidSAFE has certified [Company] as GDPR compliant or has conducted a full GDPR
audit.
Project Structure
This project will consist of three phases, which are laid out in the Milestones section below.
As the member completes a phase, kidSAFE will prepare a new set of documentation for the
next phase. This documentation will include information on GDPR standards, note issue
areas within [Company]’s services, and provide suggestions and new language as required.
Milestones
I. Data Inventory
This data inventory will include information about all personal data being collected
by [Company] and important details about that data. kidSAFE will provide you with
a template to assist with organizing this information. Prior to providing this
template, kidSAFE will attempt to populate it with what information it already has
about [Company].
The goal of the data inventory is to produce complete documentation of what
information is being collected from users along with how that data is being
collected, shared, and used.
We will also use this data inventory to begin documenting the legal bases for
collecting this data under the GDPR. It is important to have a tangible record
showing that [Company] has taken the time to review its data collection practices
and that you have valid bases for collecting this information under the GDPR.
This phase will be broken down into two sub-phases:
A. [Company] will complete most of the data inventory template, with the exception
of the “lawful basis for collection” column
B. kidSAFE will work with [Company] to determine the most fitting lawful basis
for collecting each piece of data