Q(LETTER_WIP): This is the GDPR letter generation tool.
It is a work-in-progress, so not all answer fields will be populated, and there may be some broken fields.
A: I understand.
Q: Great. Thanks for giving it a spin! If you find any errors or broken parts, please send us a note. Thanks!
A:Okay! We will!
Q:Thanks. You're the best!GOTO:LETTER_START
Q(LETTER_START): We're going to ask you several questions to help identify potential risk areas for you to speak about with your attorney.
A: Got it.
Q: At the end, we'll draft a letter for you to send to your attorney to help identify areas of potential GDPR Compliance risk.
A: Got it.
Q:GOTO:LETTER_DISCLAIMER
Q(LETTER_DISCLAIMER): We're about to get to the good part.
But, before we do, we need to go over a few things with you.
A: Okay, I'm ready.
Q: This is the companion piece to the BLIP LTL GDPR Learning Tool. If you haven't already, you should check out that tool by clicking here.
A: Wow. Okay. Thanks. I haven't been there yet and will go right now!
Q: Great.GOTO:ENDRUN
A: Why should I check out that tool?
Q: The tool has a lot of useful information about the GDPR and how it could affect you and your business. If you're unfamiliar with the GDPR, it's a good place to start.
A: Okay. I'll check it out.
Q:GOTO:ENDRUN
A: Meh. Not for me. I'd like to stick with this.
Q: You really should check it out.
A: Okay. You've convinced me.
Q:GOTO:ENDRUN
A: I would really rather not. I'm already here and would like to move on.
Q:If you insist.GOTO:REAL_DISCLAIMER
A: I have already been through the learning tool. That's how I got here!
Q: Oh, okay. So you're not new at this. Great!GOTO:REAL_DISCLAIMER
A: I don't care about that other thing. I wanna keep checking this out!
Q: You really should check that site out first, but if you insist.GOTO:REAL_DISCLAIMER
Q(REAL_DISCLAIMER): Before we go any further, we need to go over some legal business.
A: Oh. Figures. Let's do it!
Q:Okay. This tool shall not be construed as legal advice of any kind. If you have any legal questions or concerns, you should contact an attorney.
A: I understand that this is not legal advice.
Q: Terrific. In addition, we are not entering into an agreement to represent you, and nothing in this tool should be understood as an offer to enter into an attorney/client relationship with you.
A: Okay. I also understand that we are not entering into an attorney/client relationship.
Q: This tool is meant to help you learn a bit about the GDPR and identify some areas about which you should speak with an attorney.
A: I think it's great that this is only a learning tool.
Q: And, finally, if you have any legal questions, you should speak with an attorney.
A: Of course I'll speak with an attorney if I have any legal questions.
Q: Terrific. Let's get started.GOTO:PURGATORY
Q(PURGATORY): Alright. We are going to ask you some information about you and your business soon. But, do you have any questions for us before we begin?
A: Yes
Q(ROUND1): What would you like to know?
A: What sort of questions will you be asking?
Q: We will ask for some basic biographical information, such as your name, the name of your business, if you have a lawyer and the name of that lawyer.
A: Why do you need this information?
Q: At the end of this, together we'll have drafted an email outlining some areas you should probably discuss with your lawyer.
A: What do you do with that information?
Q: We only use it to populate the email.
We provide you with pseudonyms you can use if you'd rather fill that info in yourself.
A: Okay. I have more questions.
Q:GOTO:ROUND1
A: This format is really cool! What is it?
Q: Thanks for noticing! This was built using a markup language called QnA built by David Colarusso.
You can build your own interactive QnA by visiting the QnA Markup Editor (still in beta).
A: Thanks. I have more questions.
Q:GOTO:ROUND1
A: Gotcha. That covers it. I'm ready to get down to business!
Q:GOTO:USER_NAME
A: No.
Q: Are you sure?
A: Yes, I'm sure.
Q:GOTO:USER_NAME
A: No. Actually I have some questions.
Q:GOTO:ROUND1
Q(USER_NAME): What's your full name?
X:
Q:GOTO:BIZ_NAME
A: Alex
Q:GOTO:BIZ_NAME
Q(BIZ_NAME): What's your business called?
X:
Q:GOTO:GC_YorN
A: Acme Anvils, Inc.
Q:GOTO:GC_YorN
Q(GC_YorN):Does your business have a general counsel, or do you work with a lawyer?
A: Yes.
Q(LAWYER_FIRST): What's your lawyer's first name?
X:
DOC: Dear LAWYER_FIRST,
Q:GOTO:PD6
A: Pat
DOC: Dear LAWYER_FIRST,
Q:GOTO:PD6
A:No. We don't have a lawyer yet.
DOC: Dear FUTURE LAWYER,
Q:GOTO:PD6
Q(PD6):Okay, that's the end of the optional personal questions. From here on out, you'll need to answer these questions in order for us to get you accurate answers for the letter to work.
A: Okay.
Q:GOTO:JX
A: Why do you need this information?
Q: In order to assess your potential GDPR compliance risks, we will need some information about your business.
A: Okay.
Q:GOTO:JX
Q(JX): The GDPR applies to a company or entity that processes personal data as part of the activities of one of its branches established in the EU
OR
A Company established outside the EU offering goods/services (paid or free) or monitoring the behavior of individuals in the EU.
A: Okay. I think I see what's coming.
Q(DO_The_DEW): So, do you think this applies to you? Do you store/process personal data of people in the EU as part of your activities or do you offer services to individuals in the EU and monitor their behavior?
A: Yes.
Q:GOTO:JX_1_or_2
A: No. Absolutely not.
Q: Are you sure?
A: I am absolutely sure.
Q: Well, then it sounds like you might not need to worry too much about the GDPR, BUT you should speak with your attorney to make sure. You may also want to check out our GDPR Learning Tool.GOTO:ENDRUN
A: I'm not sure.
Q: Okay. If you're not sure, let's just assume that you might in order to play it safe. You
A: That sounds good.
DOC: We are not sure whether we process personal data on individuals in the EU. Nonetheless, we would like to discuss the General Data Protection Regulation (GDPR), and how the rule may affect our business. In order to direct our conversation, we have compiled a list of information we can discuss to help determine our compliance risk.
Q:GOTO:JX_1_or_2
Q(JX_1_or_2): Okay. So which do you think describes you best?
A: We process personal data as a part of activities and have a branch in the EU.
DOC: Since we have a branch in the EU and process personal data as part of our activities, we believe we may be subject to the GDPR.
Q:GOTO:DATA_TYPE1
A: We are established outside the EU but offer goods/services (paid or free) to individuals in the EU or monitor the behavior of individuals in the EU.
Q: Which is it?
A: We are established outside the EU and offer goods/services (paid or for free) to individuals in the EU.
DOC: Though we are established outside the EU, we offer goods/services to individuals in the EU.
Q:GOTO:DATA_TYPE1
A: We are established outside the EU and monitor the behavior of individuals in the EU.
DOC: Though we are established outside the EU, we monitor individuals in the EU.
Q:GOTO:DATA_TYPE1
A: Sorta both.
DOC: Though we are established outside the EU, we offer goods/services to individuals in the EU and monitor behavior of individuals in the EU.
Q:GOTO:DATA_TYPE1
A: All of the above.
DOC: We have a branch in the EU, and we offer goods/services to individuals in the EU and monitor behavior of individuals in the EU.
Q:GOTO:DATA_TYPE1
Q(DATA_TYPE1): What sort of data do you process?
A: We don't really process data.
Q:Hmmm.... You may not process it yourself, but do you store it and determine the purposes for which and the means by which the personal data is processed?
A: Yes, we do.
DOC: We may be a data controller and therefore subject to the GDPR.
Q:GOTO:SIZE_MATTERS
A: No, we do none of that.
DOC: GDPR may not apply to us. However, we would like to speak with you to be sure.
Q:GOTO:SIZE_MATTERS
A: I'm not sure.
DOC: It's unclear to us whether we process or control data for purposes of the GDPR, and we would like to make sure.
Q:GOTO:SIZE_MATTERS
A: We process sensitive data such as financial records, medical records, or criminal records.
DOC: In addition, we process sensitive data, so we think we may need to keep records of processing activities and/or appoint a Data Protection Officer (DPO).
Q:GOTO:SIZE_MATTERS
A: We process generic, pseudonymized or anonymized aggregate data.
DOC: However, we generally process generic, pseudonymized or anonymized aggregate data.
Q:GOTO:SIZE_MATTERS
A: We process a mix of sensitive and non-sensitive data.
DOC: Unfortunately, we process a mix of sensitive and non-sensitive data.
Q:GOTO:SIZE_MATTERS
Q(SIZE_MATTERS):The GDPR applies to companies not based on their size, but rather on their activities. However, there are some requirements that relate to firm size.
How large is your firm?
A: We have fewer than 250 employees.
DOC:
Since we have fewer than 250 employees, we understand that we may not be required to keep records of processing activities unless the processing of personal data is a regular activity, poses a threat to individuals' rights and freedoms, or concerns sensitive data or criminal records. From what we have seen, a DPO must inform and advise us and our employees of our obligations under data protection law; monitor compliance with all legislation in relation to data protection, including audits, awareness-raising activities, and training of staff involved in processing operations; and provide advice when a Data Protection Impact Assessment has been carried out and monitor its performance. In addition, a DPO must act as a contact point for Data Protection Agencies on issues relating to processing. If we are required to appoint a DPO, we will need to do so in a timely manner, so we could use your guidance in determining whether a DPO is necessary.
Q:GOTO:DPIA
A: We have 250 employees or more
DOC:
Since we have 250 or more employees, we understand that we may be required to keep records of processing activities and appoint a Data Protection Officer (DPO). From what we understand, a DPO must inform and advise us and our employees of our obligations under data protection law; monitor compliance with all legislation in relation to data protection, including audits, awareness-raising activities, and training of staff involved in processing operations; and provide advice when a Data Protection Impact Assessment has been carried out and monitor its performance. In addition, a DPO must act as a contact point for Data Protection Agencies on issues relating to processing. If we are required to appoint a DPO, we will need to do so in a timely manner, so we could use your guidance in determining whether a DPO is necessary.
Q:GOTO:DPIA
Q(DPIA):Do you either perform systematic and extensive evaluations of the personal aspects of an individual, including profiling; process sensitive data on a large scale; or systematically monitor public areas on a large scale?
A: Yes.
Q: Which one?
A: We perform systematic and extensive evaluations of the personal aspects of an individual including profiling.
DOC:
Since we perform systematic and extensive evaluations of the personal aspects of an individual including profiling, we might need to perform a Data Protection Impact Assessment.
Q:GOTO:HEAD1
A: We process sensitive data on a large scale.
DOC:
Since we process sensitive data on a large scale, we might need to perform a Data Protection Impact Assessment.
Q:GOTO:HEAD1
A: We systematically monitor public areas on a large scale.
DOC:
Because we systematically monitor public areas on a large scale, we may need to perform a Data Protection Impact Assessment.
Q:GOTO:HEAD1
A: Some combination of the things listed above.
DOC: Because of the nature of our data processing activities, we may need to perform a Data Protection Impact Assessment.
Q:GOTO:HEAD1
A: No.
Q:GOTO:HEAD1
Q(HEAD1): We're almost done!
A:Okay!
DOC():
We look forward to speaking with you about our next steps in working toward GDPR compliance.
In order to ensure we are prepared for our discussion, we have consulted the BLIP LTL GDPR Learning Tool to learn more about the GDPR and its impact on our business.
Warm Regards,
USER_NAME
BIZ_NAME
Q:GOTO:readyquery
Q(readyquery): Are you ready to see your talking points?
A[javascript:submit2('http://www.qnamarkup.org/doc/parse/html/', 'POST', 't', 'GDPR Talking Points')]: Yes, as text on a web-based editor.
Q: Thanks! And good luck!
A[javascript:save2('GDPR_Talking_Points_Markdown.txt',doc());]: As a file I can save (best for pasting into a markdown editor).
Q: Thanks! And good luck!
A[javascript:mail2('the email of your lawyer','GDPR Questions',doc())]: As an email.
Q: Thanks! And good luck!
If you have further questions, you can request service from BLIP.
Q(FIXME): This isn't built yet. Sorry.GOTO:ENDRUN
Q(ENDRUN): Thanks for stopping by!