GDPR Compliance for Apps workflow

Owned by Gautami Shetty (Unlicensed)
Last updated: Feb 19, 2020 by Philip Andrews
2 min read

Liquid State has put measures in place to meet the GDPR Compliance within the solutions it provides.

The following process has been formulated by Liquid State to ensure that our response to user requests for control over, or access to, their personal data, is GDPR compliant.

Here, ‘Client’ or ‘Customer’ refers to Liquid State’s Client or Customer. Here, ‘User’ refers to the person who uses the app also the person who puts forward the request and for whom the app should be GDPR compliant.

Steps for GDPR Compliance:

  • A request for ‘Sending the user’s personal data' or ‘deleting the user’s personal data' can come from any source. This is why the process includes all the possible sources to be GDPR compliant.

  • The entire process of ‘Sending the user’s personal data' or ‘deleting the user’s personal data' should be completed within 30 calendar days. This is to ensure that the legal requirements are met.

  • A user will send a request either by Call, Email, Social Media or through the Solution itself. If the user sends a request through Call, Email or Social Media then the client organisation representative should respond to the user letting them know that the request has been lodged and an agent will get back to the user in 72 hours.

  • If the user sends a request through the Solution then the client organisation representative will receive an email informing the user’s request and next steps. Client Organisation Representative should respond back to the user within 72 hours.

  • Once the Client Organisation Representative has the request, they should log a Liquid State Service Desk Ticket with the details of the user and the details of the solution to get the data required.

  • Liquid State team will then gather the information required (Do the processing required if the user needs to delete the data) and give the file with all the information (give a confirmation after the details is deleted while informing that the user will not be able to access information) to the Client Organisation Representative. Liquid State aims to respond back within 15 business days.

  • Once Liquid State Provides the results of the request, the Client Organisation Representation should provide the appropriate feedback to the user.

 

Please note all communications between Liquid State and Client Organisation should be through Service Desk to ensure information is not lost between the different sources of communication.

Standard Action Steps to commence GDPR compliance

Liquid State Should enable features in the app to be GDPR compliant i.e. buttons to request for a copy of user’s personal data or to delete data
Liquid State should tested the features along with the timeframe to get personal data from external software (mixpanel, OneSignal)
Liquid State should develop content around the features to be user friendly
Liquid State should have a form in SD for GDPR requests
Client should finalise and complete their T&Cs and Privacy Policy. Their Privacy Policy should have the information needed to be GDPR compliant
Client should nominate an email address to start and continue communication with the user
Client should have nominated people to have access to Service Desk to put forward a GDPR request (Currently, General Enquiry form should be used to log in service desk requests)

 

Unless otherwise indicated in the Overview page of this WIKI the information contained within this space is Classified according to the /wiki/spaces/ISMS/pages/739344530 as

INTERNAL