This one particular deadline applied to every business based in the EU or working with personal data of EU citizens—and as May 25 is behind us, this means that the GDPR is now in force.
The new law has stirred a lot of discussions, revolving chiefly around big companies relying heavily on advertising like Facebook. The whole tech world has been looking at Twitter, Uber, Airbnb, and other big players that manage loads and loads of data in their day-to-day operations, to see what they’d do. The main question was: What’s in it for us and our businesses? Can we draw any conclusion from their stories and use them? Unfortunately, the answer, more often than not, was no.
According to a 2017 PARP report, 99.8% of all companies operating in Poland are small and medium enterprises (SMEs). The percentages look more or less the same in other EU countries and Norway, while in the US SMEs make up 99.7% of all businesses. These numbers clearly demonstrate that SMEs are the backbone of the American and European economies. However, as the overwhelming majority of SMEs run their business on a scale much smaller than the tech giants, they will, consequently, be facing a much different landscape of GDPR-related issues than the giants do. Thus, large corporations or tech giants might not be the best inspiration to follow in this particular area.
So, if you’re looking for a real-life use case from a medium-size company like Monterail, you may find this piece useful. To give you some more context:
- Monterail is a software house based in Wrocław, Poland
- We’re working with clients from the EU, the US, and Asia
- Our team consists of 80+ experts
- About a year ago, we hired a full-time in-house lawyer to work on our documents and help us get ahead of this new legislation
As soon as the GDPR was adopted by the European Parliament, it was clear that it would affect us—pretty much every client of ours deals with European customers’ data, so we wanted to help them comply with the new regulation. On top of that, we had some internal data collection processes to audit—our employees, contractors, documents… The list of things we still had to do to prepare ourselves for GDPR’s arrival seemingly went on and on.
The new law is a hard nut to crack as it does not provide explicit instructions or procedures, and charges the businesses themselves with deciding how to comply with its provisions. In the end, we had this massive document in front of us and nothing but big question marks on our faces.
Kamila Koszewicz, our in-house lawyer with seven years of experience in IT law and personal data protection, took the reins to help us tame the beast. Around that time, we also began collaborating with a global production company that needed several GDPR-ready apps. This new business became an additional trigger to organize our GDPR tasks, curate the compliance checklist, and finally train the team using a real-life case.
Step 1: Start Digging
Kamila, together with a handful of our co-workers, began identifying potential risks. To do so, they used the GDPR questions checklist that we drafted for one of our enterprise clients, but the process ultimately required multiple meetings where we’d come up with specific action points.
We drafted separate checklists for each purpose of processing personal data, for example “processing data on the client’s behalf for the purpose of providing software development services” or “processing data for marketing purposes.” We also discussed data storage rules, access criteria, and procedures for data rectification and erasure.
After a comprehensive audit in our own backyard, we ended up with a list of areas that required our attention in order to make us GDPR ready. These included:
- minimizing the scope of data we collect
- restricting access to personal data
- updating consent clauses under the data-collecting forms available on our website
- drafting a new privacy policy
- adjusting the rules for sending automated messages
- making a few updates to our recruitment process
- drafting a new document regarding data processing to be added to our client contracts
It was our priority to make sure we and our clients are on the safe side.
Step 2: Educate the Team
What was obvious to our in-house lawyer wasn’t necessarily so to everyone else in the company. And so it was our duty, stemming from genuine business needs, i.e., our clients’ expectation of receiving GDPR-ready apps, to educate all team members on all things GDPR-related. As we’re really enthusiastic about knowledge sharing and transparency, we decided that launching an internal GDPR awareness campaign would be an excellent expression of our belief in the company’s core values.
We held a “brief introduction to all things GDPR” meeting for designers, developers, project managers, and marketers in order to familiarize them with the new regulation and explain what they should pay attention to in their daily tasks. Our goal was to give them a basis they could rely on and use in their work with clients. Critical aspects and conclusions from this meeting included:
- Only order and well-established processes provide personal information security; therefore we need to list the means and procedures for collecting and storing client data.
- The less data a form collects, the better. This enhances the signup conversion rate and simplifies control.
- It’s obligatory to implement one checkbox of consent for each purpose of collecting or sharing personal information.
- We need to start treating GDPR as an inherent element of the production pipeline and incorporate privacy concerns into the process of designing a new service. It lets us predict and preempt potential problems, such as data leakage or abuse.
- We need to reduce the number of people with access to personal data to the necessary minimum in order to minimize the potential risk of unlawful or accidental dissemination or leakage.
It became apparent to everyone that in order for our company to be GDPR-compliant each team had to take care of the issues outlined above. For example, data-collecting forms on our website or monitoring the CRM system would be a concern for the marketing and sales teams, while anonymizing data should be a crucial step for DevOps.
Step 3: Make Your Plan a Reality
We applied the following changes to seven crucial GDPR-affected areas:
SCOPE OF DATA
To comply with the rule of data minimization, we assessed the scope of data we collect and curtailed our collection to include only data that are absolutely necessary. For example, in a form where you sign up to download content (like our GDPR checklist), we no longer require a name, as an e-mail address is sufficient for the purpose of processing.
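The two form rules from the team meeting and this section (collect only the fields the purpose needs, and one explicit consent per purpose) can be enforced server-side rather than left to the form layout. The following is an added example, not Monterail’s code; the field names, the two purposes and the policy version are constructed assumptions.

```javascript
// Added example: server-side validation of a content-download signup.
// Assumptions (constructed, not from the original post): the form has an
// "email" field and a "consents" object; purposes and policy version below.
const ALLOWED_FIELDS = new Set(["email", "consents"]); // no "name": data minimization
const PURPOSES = ["content_delivery", "marketing"];    // one checkbox per purpose
const POLICY_VERSION = "2018-05";                      // placeholder version string

function validateSignup(payload, now = new Date()) {
  const errors = [];

  // Reject fields the purpose does not need instead of silently storing them.
  for (const key of Object.keys(payload)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }

  const email = typeof payload.email === "string" ? payload.email.trim() : "";
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) errors.push("invalid email");

  // Consent counts only as an explicit boolean true per known purpose;
  // a blanket flag, an unknown purpose or a truthy string is not consent.
  const consents = payload.consents || {};
  const granted = PURPOSES.filter((purpose) => consents[purpose] === true);
  for (const key of Object.keys(consents)) {
    if (!PURPOSES.includes(key)) errors.push(`unknown purpose: ${key}`);
  }
  // Delivering the requested content is the one purpose the signup needs.
  if (!granted.includes("content_delivery")) {
    errors.push("consent for content_delivery required");
  }

  if (errors.length > 0) return { ok: false, errors };

  // Persist only what was collected plus an auditable record per purpose.
  return {
    ok: true,
    record: {
      email,
      consents: granted.map((purpose) => ({
        purpose,
        grantedAt: now.toISOString(),
        policyVersion: POLICY_VERSION,
      })),
    },
  };
}
```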
ALL DATA-COLLECTING FORMS
PRIVACY POLICY
ACCESS TO DATA
CLIENT CONTRACTS
T
RECRUITMENT PROCESS
AUTOMATED MESSAGING
In
A GDPR-Conscious Team