Working Towards GDPR Compliance—Monterail Case Study

Joanna Staromiejska02/29/2024


This one particular deadline applied to every business based in the EU or working with personal data of EU citizens—and as May 25 is behind us, this means that the GDPR is now in force. 

The new law has stirred a lot of discussions, revolving chiefly around big companies relying heavily on advertising like Facebook.  The whole tech world has been looking at Twitter, Uber, Airbnb, and other big players that manage loads and loads of data in their day-to-day operations, to see what they’d do. The main question was: What’s in it for us and our businesses? Can we draw any conclusion from their stories and use them? Unfortunately, the answer, more often than not, was no. 

According to a 2017 PARP report, 99.8% of all companies operating in Poland are small and medium enterprises (SMEs). The percentages look more or less the same in other EU countries and Norway, while in the US SMEs make up 99.7% of all businesses. These numbers clearly demonstrate that SMEs are the backbone of the American and European economies. However, as the overwhelming majority of SMEs run their business on a scale much smaller than the tech giants, they will, consequently, be facing a very different landscape of GDPR-related issues than those giants. Thus, large corporations or tech giants might not be the best inspiration to follow in this particular area.

So, if you’re looking for a real-life use case from a medium-size company like Monterail, you may find this piece useful. To give you some more context:

  • Monterail is a software house based in Wrocław, Poland
  • We’re working with clients from the EU, the US, and Asia
  • Our team consists of 80+ experts
  • About a year ago, we hired a full-time in-house lawyer to work on our documents and help us get ahead of this new legislation

As soon as the GDPR was adopted by the European Parliament, it was clear that it would affect us—pretty much every client of ours deals with European customers’ data, so we wanted to help them comply with the new regulation. On top of that, we had some internal data collection processes to audit—our employees, contractors, documents… The list of things we still had to do to prepare ourselves for GDPR’s arrival seemingly went on and on.

The new law is a hard nut to crack as it does not provide explicit instructions or procedures, and charges the businesses themselves with deciding how to comply with its provisions. In the end, we had this massive document in front of us and nothing but big question marks on our faces.

Kamila Koszewicz, our in-house lawyer with seven years of experience in IT law and personal data protection, took the reins to help us tame the beast. Around that time, we also began collaborating with a global production company that needed several GDPR-ready apps. This new business became an additional trigger to organize our GDPR tasks, curate the compliance checklist, and finally train the team using a real-time case. 

Step 1: Start Digging

Kamila, with a handful of our co-workers, began identifying potential risks. To do so, they used the GDPR questions checklist that we drafted for one of our enterprise clients, but the process ultimately required multiple meetings where we’d come up with some specific action points.

We drafted separate checklists for all purposes of processing personal data, for example—”processing data on client’s behalf for the purpose of providing software development services,” or “processing data for marketing purposes.” We also discussed data storage rules, access criteria, procedures of data rectification and erasure.

After a comprehensive audit in our own backyard, we ended up with a list of areas that required our attention in order to make us GDPR ready. These included:

  • minimizing the scope of data we collect
  • restricting access to personal data
  • updating consent clauses under the data-collecting forms available on our website
  • drafting a new privacy policy
  • adjusting the rules of sending automated messaging
  • making a few updates to our recruitment process
  • drafting a new document regarding data processing to be added to our client contracts

It was our priority to make sure we and our clients are on the safe side.

Step 2: Educate the Team 

What was obvious to our in-house lawyer wasn’t necessarily so to everyone else in the company. And so it was our duty, stemming from genuine business needs, i.e., our clients’ expectation of receiving GDPR-ready apps, to educate all team members on all things GDPR-related. As we’re really enthusiastic about knowledge sharing and transparency, we decided that launching an internal GDPR awareness campaign would be an excellent expression of our belief in the company’s core values.

We held a “brief introduction to all things GDPR” meeting for designers, developers, project managers, and marketers in order to familiarize them with the new regulation and explain what they should pay attention to in their daily tasks. Our goal was to give them a basis they could rely on and use in their work with clients. Critical aspects and conclusions from this meeting included:

  • Only order and well-established processes provide personal information security; therefore, we need to list the means and procedures for collecting and storing client data.
  • The less data a form collects, the better. This enhances the signup conversion rate and simplifies control. 
  • It’s obligatory to implement one checkbox of consent for each purpose of collecting or sharing personal information.
  • We need to start treating GDPR as an inherent element of the production pipeline and incorporate privacy concerns into the process of designing a new service. It lets us predict and preempt potential problems, such as data leakage or abuse. 
  • We need to reduce the number of people with access to personal data to the necessary minimum in order to minimize the potential risk of unlawful or accidental dissemination or leakage.

It became apparent to everyone that in order for our company to be GDPR-compliant each team had to take care of the issues outlined above. For example, data-collecting forms on our website or monitoring the CRM system would be a concern for the marketing and sales teams, while anonymizing data should be a crucial step for DevOps. 


Step 3: Make Your Plan a Reality 

We applied the following changes to seven crucial GDPR-affected areas: 

SCOPE OF DATA

To comply with the rule of data minimization, we assessed the scope of data we collect, and curtailed our collection to include only data that are absolutely necessary. For example, in a form where you sign up for downloading content (like our GDPR checklist), we no longer require providing a name, as e-mails are sufficient for the purpose of processing.

ALL DATA-COLLECTING FORMS

Wherever we collect data, we added explicit information on what you consent to if you click the given button. That information includes links to our Privacy Policy which was updated with all information required by GDPR.

Example: Click “Send me my copy” to consent to the processing of your data by Monterail Sp. z o.o. for marketing purposes, including sending emails. For details see our Privacy Policy.

PRIVACY POLICY 

Our new Privacy Policy answers all questions related to personal data collection and processing. It provides information on what data we collect and how we do it, what we do with it, how long we store it, and what rights you have if we store your data.

ACCESS TO DATA

We used to enable access to data for whole groups, e.g., the business development team, rather than particular individuals. To remedy that, we’ve created different levels of access. Now, only people who need access to data for their daily tasks and people directly involved in the projects have access to data, and only for the duration of those projects.

CLIENT CONTRACTS

The GDPR obliges us to write down all the rules of processing data on behalf of our clients. Therefore, we supplemented all contracts on providing software development services with a new document. 

If you’re looking for a list of information that needs to be included in such a document, the GDPR defines it in a catalogue (Arts. 28-29 of the GDPR).

RECRUITMENT PROCESS

We verified who has access to job applications we receive and restricted it. We also made sure we collect valid consents for processing data for the purpose of future recruitment processes (so we don’t have to erase résumés upon completion of the recruitment process the person has applied for).  

AUTOMATED MESSAGING

In this case, we process data to send you the content you requested and a follow-up message (or, in some campaigns, a series of messages) regarding the subject matter that the piece of content dealt with. After these messages are sent out, your data is erased. We also updated our Privacy Policy with clear information on how we process data for that purpose.
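The three rules the team agreed on (collect only what the purpose needs, one explicit consent per purpose, and erase the data once the automated messages have gone out) can be enforced in code rather than left to habit. The following is an added example, not Monterail’s code: it models a content-download signup with a minimal field set, a separate opt-in per purpose, consent withdrawal that does not affect other purposes, and a retention sweep that erases the record after the last follow-up. The purpose names, field names and the seven-day grace period are assumptions.

```python
"""Constructed example of per-purpose consent, data minimisation and
post-campaign erasure.  Purposes, field names and the grace period are
assumptions for illustration, not any real project's configuration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# One consent per purpose; each maps to its own checkbox or button on the form.
PURPOSES = ("content_delivery", "marketing_followup")

# Data minimisation: the signup form accepts only the fields needed to process
# the request (an e-mail address is enough to deliver the requested content).
ALLOWED_FIELDS = {"email"}


@dataclass
class Subscriber:
    email: str
    registered_at: datetime
    consents: dict                       # purpose -> datetime the opt-in was given
    followups_left: int                  # follow-up messages still to send
    sent_log: list = field(default_factory=list)   # (purpose, sent_at)
    erased: bool = False


def register(form: dict, consents: dict, followups: int, now: datetime) -> Subscriber:
    """Validate a signup: reject fields the purpose does not need and require
    an explicit opt-in for each purpose (no pre-ticked defaults)."""
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"form collects more than necessary: {sorted(extra)}")
    if "email" not in form or "@" not in form["email"]:
        raise ValueError("a valid e-mail address is the only required field")
    granted = {p: now for p in PURPOSES if consents.get(p) is True}
    if "content_delivery" not in granted:
        raise ValueError("cannot deliver content without consent for that purpose")
    return Subscriber(email=form["email"], registered_at=now,
                      consents=granted, followups_left=followups)


def withdraw(sub: Subscriber, purpose: str) -> None:
    """Withdrawing consent for one purpose leaves the other purposes untouched."""
    sub.consents.pop(purpose, None)


def send_followup(sub: Subscriber, now: datetime) -> bool:
    """Send one follow-up only while consent for that purpose stands and
    the campaign still has messages left.  Returns True if a message was sent."""
    if sub.erased or "marketing_followup" not in sub.consents or sub.followups_left == 0:
        return False
    sub.sent_log.append(("marketing_followup", now))
    sub.followups_left -= 1
    return True


def retention_sweep(subs: list, now: datetime, grace: timedelta = timedelta(days=7)) -> int:
    """Erase personal data once there is nothing left to send (all follow-ups
    delivered, or consent withdrawn) and the grace period since the last
    activity has elapsed.  Returns the number of records erased."""
    erased = 0
    for sub in subs:
        if sub.erased:
            continue
        nothing_left = sub.followups_left == 0 or "marketing_followup" not in sub.consents
        last_activity = sub.sent_log[-1][1] if sub.sent_log else sub.registered_at
        if nothing_left and now - last_activity >= grace:
            sub.email = ""          # the only personal datum held is removed
            sub.consents = {}
            sub.sent_log = []
            sub.erased = True
            erased += 1
    return erased


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)
    s = register({"email": "reader@example.com"},
                 {"content_delivery": True, "marketing_followup": True}, 2, t0)
    send_followup(s, t0 + timedelta(days=1))
    send_followup(s, t0 + timedelta(days=2))
    print("erased after 3 days:", retention_sweep([s], t0 + timedelta(days=3)))
    print("erased after 10 days:", retention_sweep([s], t0 + timedelta(days=10)))
```

The sweep is deliberately separate from sending: a scheduled job that runs `retention_sweep` is what turns “your data is erased after the messages are sent” from a promise in the Privacy Policy into something that happens whether or not anyone remembers to do it.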

A GDPR-Conscious Team

The GDPR will be a crucial element of business for companies of all shapes and sizes. So maybe it’s time to shift your perspective on the new law, and start seeing it as an opportunity rather than a threat? 

Our journey towards GDPR compliance was not easy, but here we are—ready for the future, with the entire team aware of new legal issues, with developers prepared for new processes in future projects, with clients still ready to trust us with their data. And with peace of mind.

