GDPR - What we're doing

What is GDPR?

GDPR will become enforceable on 25th May 2018, so now is the time to take action!

GDPR (General Data Protection Regulation) is all about protecting personal data and handing control of it back to the subject of the data. Most businesses with customers and staff will need to take a look at their processes as a result of this new regulation.

As we prepare for the new regulation to come into force, we want to share what we’re doing and chart our progress.

How is BaseKit getting ready for GDPR?

In preparation for GDPR, BaseKit will be taking a number of broad steps. These will include:

1. Updating our privacy policy to ensure that our customers and partners know exactly what we do with our data
2. Minimising the amount of data that we collect and use
3. Improving the encryption that we use when storing data
4. Reviewing our usage of data to ensure that it’s all legitimate

More specifically, what actions do we need to take to ensure that we are compliant? 

We need to ensure that we have taken several actions by 25th May 2018 – these are listed below, with updates on our progress:

1. Update our Privacy Policy to reflect the changes in data protection requirements
   – Still to do
2. Ascertain whether we need to appoint a Data Protection Officer (DPO)
   – Done: we don’t, but we have assigned DPO duties to an existing member of staff
3. Find out what personal data we have, where it is and who has access to it
   – Audit undertaken
4. Consult with an expert on what actions we need to take (if any) to be compliant
   – In Progress
5. Generate a plan of remedial action (including time frames)
   – In Progress
6. Execute this plan
   – Still to do
7. Publish compliance
   – Still to do

Why doesn’t BaseKit need a DPO?

We’ve realised we don’t need a DPO because we don’t fit the criteria outlined here:

1. We are not a public authority
2. Our core business does not require the systematic processing of data
3. We have no interest in processing sensitive data

What data does BaseKit have that is covered by the GDPR? 

We don’t actually hold much data. When a user signs up to BaseKit, they are required to fill out some basic details (such as username, email address, first name, last name) but we don’t use this data for anything other than allowing you to log in to the platform. The same goes for the personal data you enter into the editor for publication on your website: you are in control of this. We only use your data to provide you with the BaseKit Editor and host your website; not for our own purposes. 

Processor or Controller?

To make sure we’re ready for GDPR, we’ve been required to look at whether we’re a Data Processor or a Data Controller. We’ve concluded (with the help of legal friends) that we’re a Data Processor. This means that we process data at the request of the Controller (in this case either the end user or one our partners) but we have no interest in the data that we have.

For more information about GDPR, take a look at this guide. This contains loads of great information on GDPR and what it will mean for you.