One particular deadline applied to every business based in the EU or handling the personal data of EU citizens: May 25 is now behind us, which means the GDPR is in force.
The new law has stirred a lot of discussion, revolving chiefly around big companies that rely heavily on advertising, like Facebook. The whole tech world has been watching Twitter, Uber, Airbnb, and other big players that manage loads and loads of data in their day-to-day operations, to see what they would do. The main question was: What’s in it for us and our businesses? Can we draw any conclusions from their stories and apply them? Unfortunately, the answer, more often than not, was no.
According to a 2017 PARP report, 99.8% of all companies operating in Poland are small and medium enterprises (SMEs). The percentages look more or less the same in other EU countries and Norway, while in the US SMEs make up 99.7% of all businesses. These numbers clearly demonstrate that SMEs are the backbone of the American and European economies. However, as the overwhelming majority of SMEs operate on a scale much smaller than the tech giants, they will consequently face a very different landscape of GDPR-related issues. Thus, large corporations and tech giants might not be the best inspiration to follow in this particular area.
So, if you’re looking for a real-life use case from a medium-sized company like Monterail, you may find this piece useful. To give you some more context:
As soon as the GDPR was adopted by the European Parliament, it was clear that it would affect us—pretty much every client of ours deals with European customers’ data, so we wanted to help them comply with the new regulation. On top of that, we had some internal data collection processes to audit—our employees, contractors, documents… The list of things we still had to do to prepare ourselves for the GDPR’s arrival seemingly went on and on.
The new law is a hard nut to crack as it does not provide explicit instructions or procedures, and charges the businesses themselves with deciding how to comply with its provisions. In the end, we had this massive document in front of us and nothing but big question marks on our faces.
Kamila Koszewicz, our in-house lawyer with seven years of experience in IT law and personal data protection, took the reins to help us tame the beast. Around that time, we also began collaborating with a global production company that needed several GDPR-ready apps. This new business became an additional trigger to organize our GDPR tasks, curate the compliance checklist, and finally train the team on a real-world case.
Kamila and a handful of our co-workers began identifying potential risks. To do so, they used the GDPR questions checklist that we had drafted for one of our enterprise clients, but the process ultimately required multiple meetings in which we came up with specific action points.
We drafted separate checklists for each purpose of processing personal data, for example “processing data on the client’s behalf for the purpose of providing software development services” or “processing data for marketing purposes.” We also discussed data storage rules, access criteria, and procedures for data rectification and erasure.
After a comprehensive audit of our own backyard, we ended up with a list of areas that required our attention in order to make us GDPR-ready. These included:
minimizing the scope of data we collect
restricting access to personal data
updating consent clauses under the data-collecting forms available on our website
drafting a new privacy policy
adjusting the rules of sending automated messaging
making a few updates to our recruitment process
drafting a new document regarding data processing to be added to our client contracts
It was our priority to make sure we and our clients are on the safe side.
What was obvious to our in-house lawyer wasn’t necessarily so to everyone else in the company. And so it was our duty, stemming from genuine business needs, i.e. our clients’ expectation of receiving GDPR-ready apps, to educate all team members on all things GDPR-related. As we’re really enthusiastic about knowledge sharing and transparency, we decided that launching an internal GDPR awareness campaign would be an excellent expression of our belief in the company’s core values.
We held a “brief introduction to all things GDPR” meeting for designers, developers, project managers, and marketers in order to familiarize them with the new regulation and explain what they should pay attention to in their daily tasks. Our goal was to give them a basis they could rely on and use in their work with clients. Critical aspects and conclusions from this meeting included:
It became apparent to everyone that in order for our company to be GDPR-compliant, each team had to take care of the issues outlined above. For example, the data-collecting forms on our website and monitoring of the CRM system would be a concern for the marketing and sales teams, while anonymizing data should be a crucial step for devops.
Step 3: Make Your Plan a Reality
We applied the following changes to seven crucial GDPR-affected areas:
To comply with the principle of data minimization, we assessed the scope of data we collect and curtailed our collection to only the data that is absolutely necessary. For example, in a form where you sign up to download content (like our GDPR checklist), we no longer require a name, since an e-mail address is sufficient for the purpose of processing.
Wherever we collect data, we added explicit information on what you consent to when you click the given button. That information includes links to our Privacy Policy, which was updated with all the information required by the GDPR.
Example: Click “Send me my copy” to consent to processing of your data by Monterail Sp. z o.o. for marketing purposes, including sending emails. For details see our Privacy Policy.
Our new Privacy Policy answers all questions related to personal data collection and processing. It explains what data we collect and how, what we do with it, how long we store it, and what rights you have if we store your data.
We used to grant access to data to whole groups, e.g. the business development team, rather than to particular individuals. To remedy that, we’ve created different levels of access. Now, only people who need access to data for their daily tasks and people directly involved in a project have access to that project’s data, and only for the duration of the project.
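As an added illustration (not Monterail’s own code), this is how project-scoped, time-bounded access to client data can be modelled: grants go to named individuals for one project between two dates, and a check outside that window fails closed. Names, projects and dates are constructed examples.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example: access to a client's personal data is granted to
# named individuals, per project, for the engagement's duration only,
# instead of to a whole team.

@dataclass(frozen=True)
class Grant:
    person: str
    project: str
    start: date
    end: date          # inclusive last day of the engagement


class ProjectDataAccess:
    def __init__(self):
        self._grants = []

    def grant(self, person, project, start, end):
        if end < start:
            raise ValueError("grant must not end before it starts")
        self._grants.append(Grant(person, project, start, end))

    def revoke(self, person, project):
        """Drop every grant for this person on this project (e.g. rolled off early)."""
        self._grants = [g for g in self._grants
                        if not (g.person == person and g.project == project)]

    def can_access(self, person, project, today):
        """Least privilege: one individual, one project, inside the grant dates."""
        return any(g.person == person and g.project == project
                   and g.start <= today <= g.end
                   for g in self._grants)

    def active_people(self, project, today):
        """Who currently holds access to a project's data (for periodic review)."""
        return sorted({g.person for g in self._grants
                       if g.project == project and g.start <= today <= g.end})

    def expired_grants(self, today):
        """Grants still on record but past their end date: candidates for cleanup."""
        return [g for g in self._grants if today > g.end]
```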
The GDPR obliges us to write down all the rules for processing data on behalf of our clients. Therefore, we supplemented all contracts for providing software development services with a new document.
If you’re looking for a list of information that needs to be included in such a document, the GDPR defines it in a catalogue (Arts. 28-29 of the GDPR).
We verified who has access to the job applications we receive and restricted it. We also made sure we collect valid consents for processing data for the purpose of future recruitment processes (so we don’t have to erase résumés upon completion of the recruitment process the person applied for).
In this case we process data to send you the content you requested and a follow-up message (or, in some campaigns, a series of messages) regarding the subject matter of that piece of content. After these messages are sent out, your data is erased. We also updated our Privacy Policy with clear information on how we process data for that purpose.
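An added example of the retention rule described above (constructed here, not Monterail’s own code): a contact who requested a download receives the content and a scheduled series of follow-ups, and the record is erased as soon as the last message has gone out. Campaign name, message ids and interval are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed example: only the e-mail address is collected (data
# minimization), and the record is purged once the series is complete.

@dataclass
class Contact:
    email: str
    consent_text: str            # exact wording consented to, kept with the record
    sent: list = field(default_factory=list)   # message ids already delivered


class Campaign:
    def __init__(self, name, messages, interval_days):
        self.name = name
        self.messages = messages               # ordered ids; first is the requested content
        self.interval = timedelta(days=interval_days)
        self.contacts = {}                     # email -> (Contact, signup date)

    def signup(self, email, consent_text, today):
        self.contacts[email] = (Contact(email, consent_text), today)

    def due_messages(self, today):
        """(email, message_id) pairs due today: message n is due at signup + n*interval.
        Only the next message per contact is returned, so a missed day catches up one at a time."""
        due = []
        for email, (contact, signed) in self.contacts.items():
            n = len(contact.sent)
            if n < len(self.messages) and today >= signed + n * self.interval:
                due.append((email, self.messages[n]))
        return due

    def send_due(self, today, transport):
        """Deliver due messages via transport(email, message_id); returns contacts erased."""
        for email, msg_id in self.due_messages(today):
            transport(email, msg_id)
            self.contacts[email][0].sent.append(msg_id)
        return self.purge_completed()

    def purge_completed(self):
        """Erase every contact whose series is complete; returns the number erased."""
        done = [e for e, (c, _) in self.contacts.items()
                if len(c.sent) == len(self.messages)]
        for e in done:
            del self.contacts[e]
        return len(done)
```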
A GDPR-Conscious Team
The GDPR will be a crucial element of business for companies of all shapes and sizes. So maybe it’s time to shift your perspective on the new law, and start seeing it as an opportunity rather than a threat?
Our journey towards GDPR compliance was not easy, but here we are—ready for the future, with the entire team aware of new legal issues, with developers prepared for new processes in future projects, with clients still ready to trust us with their data. And with peace of mind.