With the day of GDPR coming into effect getting closer and closer and tension of impending “doom” that it “might be” getting higher than ever — it seems reasonable for all involved to get ready for it on all fronts possible before it is too late and the fines will come in full swing.
Cue numerous think-pieces that describe “what you need to know” or “what you need to know” and more of the same all over again in other words with a sacred anchor “GDPR compliance”.
However, none of those raving and drooling pieces are actually telling anything about particular approaches the companies are using order to get ready for GDPR implementation.
Because of that, we thought it would be a great idea to share a thing or two about a way of adapting to GDPR that we have figured out for ourselves.
It is not as much bragging as a well-mannered sign of confidence in the face of coming changes.
The APP Solutions is a kind of company that favors getting ready beforehand and not on the fly. Because of that, we have spent a considerable amount of time studying every existing possibility of improving and evolving our data protection and privacy policies.
First things first — we needed to know what is coming where and to what extent.
Regarding “what”, our first step was to analyze the sources of incoming data. The main purpose of the operation was to determine which of the elements are coming from the European Union and thus are covered by GDPR.
Regarding “where”, we have conducted the general assessment of services that we were using for personal data managing purposes, i.e gathering, processing and storing.
In order to get a clearer picture and determine the exact scope and depth of state of things, we have performed a complete and thorough audit of all the personal information our company was storing. We’ve studied its strong and weak points and considered a variety of options for improvement or replacement.
This operation was divided into several steps:
- Assessment of information stored on third-party service beyond the company’s control (for example, personal Dropbox or Google Drive);
- Determining circumstances upon which sensitive information was going to the third-party services beyond the company’s control.
- Determining the physical location of data storage
- Develop tools for preventing unsanctioned access for personal information. In order to realize that we defined types of information and based upon that determined several levels of access for sensitive information.
During risk assessment, we’ve determined several risk types of information that require reporting in cases of breaches.
We studied possible threats for every industry we are working in. We determined types of threats, ways they can affect our products and also possible consequences of their outbreaks.
We also developed a code of conduct and standard operating procedures in cases of data breaches and other dangerous situations.
This included expanding Users AKA Data Subjects rights to those defined by GDPR and adapting the documenting procedures of data storing accordingly.
Our primary goal was to redefine and reassert legal grounds upon which we are using certain personal information and reiterate respective documents. In order to do that we have determined several levels of sensitivity for personal information.
Also, we developed guidelines for maintaining User Consent.
- Statement of consent must be clear and specific
- It must be written in plain, easy to understand the language
- All parties involved in operation relying on user consent are named
- Nature of data and purpose of its use must be specified
In order to keep User Content intact we are running the following procedures:
- record of when and how user consent was obtained
- record of the exact agreement
- User Consent review over certain time intervals
- Processes of updating user consent over certain time intervals
Regarding our project, we have defined several types of data protection services that we can provide.
These are divided into two sections — standard and those that can be implemented for an additional fee.
Standard options that are always adhered to (even before GDPR became a popular thing to do):
- Documenting the process of data storing
- Tools for age verification (child-oriented)
- Data encryption
- General network security
For additional fees, we can also provide the following automated tools:
- Tools for user consent management with optimal user experience low
- Tools for managing user requests for erasure, rectification or download of personal data;
- Automatization of data gathering and segmentation processes
- Data Loss Prevention and Backup tools
- Hack attempts monitoring and intrusion detection tools
- Data anonymization (complete or partial)
- Data export at User Request
- Suspicious activity determining and monitoring
- Monitoring of super administrator activity
This is how we do it. GDPR is not as imposingly scary as it seems. In fact — it is actually beneficial for the companies because GDPR compliance serves as a guarantee of maintaining certain rules. This, in turn, makes the companies more trustworthy which is always good for business.
* * *
This blog post is a part of the series. Click to read the other chapters: