
How We Prepared for GDPR

on May 1, 2018


We heard about the looming GDPR law last year. Wanting to be compliant with this personal data legislation we got to work before the law had a chance to come into effect.

GDPR applies to European residents. But regardless of where your business is located, if you have ever interacted with anyone from the EU, the law applies to you. May 25th 2018 is the deadline to become compliant. What’s worse, as a violator of GDPR you can face a hefty fine of up to 20 million euros (yes, that’s “million”).

Aside from avoiding fines, EU residents are going to be keeping a close eye on potential violators. GDPR compliance also means keeping EU customers and their confidence.

Being a company with a 30% EU customer base, we couldn’t afford to overlook this.

Let’s first go over some guidelines on what GDPR entails and how to conform. Keep in mind, as you investigate your own company, that it’s wise to document the process so you’re 100% ready if the authorities come knocking:

1. Know what data you have on your customers and visitors

This means digging into your databases, doing an inventory of every single field and row of data you have on people around your company. This includes your own server databases, your 3rd party app accounts, physical documents you have on file and any other form of personally identifiable information.

Anything that constitutes personally identifiable data should be written down. This includes but is not limited to:

  • IP Addresses
  • Emails
  • Phone numbers
  • Names
  • Geo-location data
  • Sensitive, private personal information
  • Avatars
  • Addresses

Once you have all of this information mapped out and documented you can continue to step two:

2. Take measures to secure personal data

Audit where this data is stored, who has access to it and procedures you have in place in the event of security being compromised.

You should already have the best possible security in place; however, you may now face scrutiny over how it’s implemented and whether you have clear policies surrounding it.

GDPR states that you must report security breaches to the owners of the data involved, so having a way to mass mail your customer base is another process to consider.

3. Don’t hold onto data without a specific purpose

Data for the sake of data is now dangerous. Unless you have a specific reason for holding on to a piece of information, shred it or delete it.

Data without purpose is a GDPR violation. Data that doesn’t aid in supporting customers, producing reports, filing your taxes or complying with other laws makes no sense to keep. Explaining why you hold onto the data you do keep will be part of the following document:

4. Write a clearly written Fair Processing Notice

Since holding onto data without a specific purpose is a case for a fine, you must have a Fair Processing Notice in plain view (on your website) that details what you use customer data for, who accesses it, its lifetime in your possession and what happens in the event of breaches, the sale of your company, etc.

I found a little information here on the exact guidelines for writing one of these notices.

Keep in mind that “Clearly written” is actually part of the law. No legal jargon or vague language is acceptable.

5. A process for supplying information when requested

GDPR requires that you provide all information in your company’s possession when requested by a European resident. Having a process in place to handle this situation quickly and accurately is key.

Better yet if you can make this part of your digital platform so it can be sent out with one click.

6. A process for deleting data when requested

Again, if you’re a software company, this should be built into your admin panel. An EU resident can request to have all of their information removed from your company’s databases. This should not be a difficult task.

7. People must explicitly opt-in to your marketing (no pre-ticked checkboxes)

A refreshing part of GDPR is that services are no longer allowed to send you marketing without you explicitly opting in. No more pre-ticked checkboxes. I can’t imagine the number of online services that are going to be in violation of this one come May 25th.

8. Make it easy to opt out, with a policy that explains how you’re not going to send them marketing in the future

Once someone opts out of your newsletter or campaign, the law requires that you have a strict policy to ensure that they don’t receive future marketing, emails, SMS messages or mail from your company.

This one is going to be a bit tough. We have to make sure our newsletter lists are maintained very well and don’t have duplicate addresses. However, this is a case you should have in your Fair Processing Notice.

9. Let your entire team know and make sure they’re on board

Your team has to be entirely on board with your GDPR-related policies and know how to execute the procedures. Send out a document with guidelines for each role on your team and how they can easily comply with GDPR without overcomplicating their lives.


What we did to make Dedupely GDPR compliant

So we got past the basic guidelines for complying with GDPR. Now I’m going to go over a few areas Dedupely needed to brush up on. Like I said, our second biggest market is in Europe and there was no way we were going to wake up on May 25th and not be prepared. Hopefully, this helps you get a feel for where to start in your own organization.

1. We did a thorough personal data assessment

We’ve never been sloppy with data security and it’s something we built into the platform from day one. However, for the sake of disclosure, we wrote some policies and documents outlining how our company handles user data with regard to security, without compromising our security secrets.

After that, we decided to assess where the data was stored. This was not hard since we keep our collections pretty tight and well maintained.

2. Added a Fair Processing Notice to our Website

A Fair Processing Notice is the new requirement for GDPR. You can view ours here.

It has to follow some ICO guidelines.

A few tips we learned while writing ours:

  1. It has to be human-readable (as in no technical, legal-sounding jargon that no one without a law degree can understand)
  2. It has to cover who controls the data, why it’s asked for, how it’s used and who has access to it
  3. It has to be tailored to your company
  4. It has to cover unique cases your company handles differently
  5. It has to include your company information and address
  6. It has to state what data you do not ask for and what you do not do

We called our Fair Processing Notice “Your Personal Data” and placed a link to it in the footer. It’s easy to understand and easy to find.

3. Sending out a newsletter to clean the list

Our MailChimp lists were full of past customers. We decided to delete our Previous Customers list as it didn’t serve any specific purpose besides marketing.

For our Member Newsletter, we decided to send out an email asking for permission once again to be in contact with them about future news and updates. This gave users a chance to opt-out if they no longer wanted to be subscribed.

We also added our Fair Processing Notice to the newsletter checkbox (screenshot: GDPR Fair Processing Notice in signup form).

4. Built GDPR into our dashboards

Want to know what info we have on you? Our support can now tell you with the click of a button and a quick email. The same goes for deleting your data from our servers.

The way we did this didn’t take any time at all, besides a few minutes of changing some CSS and telling support how to hit the print button in the admin. Once they hit print, they save a PDF that they can quickly send to the requester.

5. Got the team on-board

Of course, all of this is a waste if our team can’t comply. A brief document was sent to the team members outlining our new responsibilities per the law, for each role on the team.

Support gets the most pressure since they are the first point of contact and are responsible for handling customer requests.

Developers and IT must know what they can and can’t keep according to our Fair Processing Notice. This includes how data is managed during the customer lifecycle.

Accountants need to disclose how they handle backups and where they store (if at all) any data outside our 3rd party accounting software.

6. Documented the entire process

Like I said above, documentation is key, mostly for our own benefit. We want to remember what we did so we can give clear answers to customers, EU authorities and our own future selves.

Having covered the basics, we are now prepared for the introduction of GDPR and all that comes with it. As alarming as it sounds at first, the preparation for smaller IT companies should be quick. The important part is that you’re compliant by the end of May and don’t have any loose ends hanging around.

Conclusion

Hopefully this helps your company find a starting point. Each company will have its own set of liabilities to address with regard to GDPR. However, ensuring your assessment is solid and leaving no stone unturned is the best way to avoid future headaches, complaints (and fines).