top of page
  • Writer's pictureIryna Manukovska

XME Advice: Helping You to Keep Your Digital Platform GDPR-Compliant

More than 3.5 billion people saw their personal data stolen in the top two of 14 biggest breaches of this century, while the smallest incident involved the data of a mere 134 million people. Adobe, Canva, eBay, LinkedIn, Marriott International, My Fitness Pal, MySpace, eBay - the all are on the list. The fresh Mariott International issue showed that data privacy compliance is still a hot topic.

We collect, keep and use data of our customers independently from the product or business strategy. And for the customers, it’s precious to be sure that their data is secured and used only for their own benefit.

There are tons of information on what to do to make your business GDPR compliant, and we want to emphasize the essentials to consider in your digital solution.

Who is in Charge?

If you are the company who deliver products and services, interacts with the customers, your key responsibility is to take care of the personal data protection from A to Z. You are going to be Data Controller for legislative. Large and medium enterprises may have Data Protection Officer - the one who takes care of all GDPR criteria. And the smaller ones can either outsource this role or combine it with other non-contradicting roles in the organization.

What is vital to remember for the organization of any kind, is that working over the GDPR is never-ending, and require routine activities, like keeping records of the processing activities, impact assessment, measurement and controls.

GDPR Policy Basics for Digital Online Solutions

The digital platforms and channels are becoming a major way of interaction with customers, especially in the circumstances of limited physical communication of nowadays. Digital channels can be the most helpful when they keep track of customer preferences and offer personalized experiences.

Customer should agree that his data will be stored and used. Such an agreement should be based on the action, like clicking the checkbox or button, acknowledging the decision.

One of the basic GDPR rules is having a specific purpose of the tracking data usage. Giving the personalized service is a common purpose, but only as soon as all the data you ask and store are directly implied for such a service.

This should be stated clearly and in details in your Privacy Policy and there is no space to play with complex legal language: GDPR is straightforward that the data you collect, the purpose and the way of processing should be described in the words which can be understood without lawyer consultancy.

In addition, all the personal data you keep should be tracked in the registry which describes the type of the information, purpose, the way and place the data is stored and processed, how long it would be stored and who are the people who can access these data.

GDPR data privacy declares that personal data stays the property of the individual or company should offer the way to ‘forget’ all the tracked data of the customer on his demand.

GDPR for Data Processing

In the digital world, not so many companies use only their own technical facilities to serve their customers. Everyone uses virtualization, cloud services, SaaS, online tools and other third-party solutions. They all can be involved in your customer relationship and services offering.

All these systems and tools which has an access to the personal data are Data Processors and has their obligations to keep and process the data in a secure way. Usually, most of the technical measures of data processing are implemented in these solutions. It includes a variety of criteria, starting from controlling access to the data by users, data encryption and prevention of data leakage. They should offer the way for your customer to see, amend and remove his personal data.

Any mistake in GDPR data processing made by your CRM or another service supplier may result in the fines and reputation losses of your business. That’s why the choice of the service provider should involve an evaluation of the quality of data processing.

GDPR for the custom-developed software

If you order the software to be tailored for you, you take solid responsibility for the proper way of the data processing. For the software created from scratch, it’s vital to enlist every technical measure of the data processing in the scope of your requirements, otherwise, you can hardly expect that final service you will offer to customers can be GDPR compliant.

From the other hand, a good vendor company can emphasise the importance of the GDPR compliance and offer you the recommendations on how these needs can be fulfilled in your project.

An even better way is to use the application or digital service platforms such as They offer the components for your custom solution and will include all the major technical measures of GDPR-compliant data processing. You will save not only the time and resources to launch your custom application but also will eliminate the basic risks associated with GDPR compliance.

And please remember, GDPR, as a regulation, is not just protection of the personal data by enforcing companies, but it’s a tool to make companies the trustful holder of the personal information. Obviously, we will share more secrets when we sure it will be kept well!


Read more

Want to beat 53% your competitors?

bottom of page