Long Way to GDPR
General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. The Regulation will affect all EU companies and many of those working with the EU. Like many others, we began investigating the Regulation and what it implies for our company long before that date.
Our way to mastering GDPR expertise started more than 18 months ago. Many of our customers have granted our teams access to their personal information databases, so we had to know how to deal with this data in compliance with GDPR requirements. We faced a pile of documentation to study, and it seemed like “mission impossible” ))
If you are in charge of GDPR compliance activities in your company and were in the same position, you probably understand how I felt then. When I took up this responsibility, I felt a little lost: so many materials to learn, so many questions to answer for myself and later for others, so many projects to cover. Luckily, I was not alone; I had my professional team to back me up. We rolled up our sleeves and got down to business.
Our immediate steps were as follows:
- To study GDPR and to understand all requirements and restrictions the new regulation brings.
- To convert our GDPR analysis into an EU Personal Data Protection (PDP) Program, which could be applied to all our projects.
- To identify all projects with personal data processing.
- To prepare each project for GDPR enforcement.
Now, as I’m writing these words after a year and a half of hard work, it looks like a piece of cake. However, the list of completed tasks seems impressive:
- A month for studying and analyzing GDPR, consulting with lawyers, DB engineers, InfoSec experts, and other specialists.
- Three months for EU PDP Program development, elaboration of actions for communication of Program guidelines, and measures to control fulfilment.
- Identification of the projects with personal data processing took place simultaneously with the previous item.
- And then the EU PDP Program implementation began …
As we found out, we had more than 40 projects that dealt with personal data processing. The projects were very different in size, in the nature of the data stored, and in how the data was obtained and handled. Our Quality Management Department team contacted the project manager of each of those 40 projects. Our aim was to present the EU PDP Program and explain its purpose: to ensure that Sigma Software projects involved in any kind of processing of personal data relating to data subjects in the EU or European Economic Area fulfill the Standard Contractual Clauses required by Article 26(2) of Directive 95/46/EC. Under the EU PDP Program, project managers assessed the hardware, software, and telecommunication assets used in these projects to transfer and process EU personal data against GDPR requirements. We carried out more than 30 project assessments under our EU PDP Program.
When performing these numerous assessments, we derived some basic principles for GDPR beginners.
Here they are:
- Determine which type of data you process: internal or external. Internal data may include your employees’ data (and you need to be very careful about it), while external data may relate to applicants, your clients, and the like.
- Investigate whether you can eliminate personal data processing altogether, or process only data that does not fall within the definition of personal data. For example, if you store the data of a person who asked you a question via your website “just in case,” stop doing that. It will make your life so much easier.
- If you are the owner of a website or software product, make sure that all features needed for GDPR compliance are up and running on the commencement day, May 25: for example, consent collection, people’s access to their own information, etc.
- Find an IT services supplier who is clued up not just on functional programming, but also on secure programming.
We hope these principles help you on your way to GDPR compliance.
For us though, the GDPR fight was not over after implementing the EU PDP Program. The data protection enforced by GDPR also applies to organizations based outside the EU if they deal with the personal data of EU residents. Our company fits squarely into this category. So, it became clear that we needed to prove to every customer that their data is on the safe side with us. At that moment, we were ISO 27001 compliant. To eliminate any GDPR-related doubts, we passed ISO 27001 certification. All these activities took us over a year.
This time was well spent for the business. We have implemented a dedicated GDPR Program, trained our teams, made sure our projects comply with GDPR, and passed ISO 27001 certification.
We are still on our way, but it looks like this fight is won!
P.S. By the way, do you know why it was decided to enforce GDPR on a Friday? I believe Monday would be a better fit for such matters ))