A practical action plan to meet the GDPR requirements - not just the surface

First to GDPR. Now what?

You published a Privacy Policy and put together a DPA for your clients to sign off.
Perfect! And yay to you!
Now, does that make you fully GDPR compliant?
There is a good chance that, unfortunately, it does not.

Certification is not here, yet.

The first reason is that at the moment there is no means to certify against the GDPR. Certification is on its way, but we don’t know yet what form it will take.
Second, there is very little chance of reaching 100% compliance in just a few weeks. It may never happen, in fact.
But that’s not the point.
And third, because a Privacy Policy and a DPA are only the front-facing part of the GDPR.

The GDPR invites you to devise data governance

Let’s step back a little bit here. I’m making a broad and personal statement:
The GDPR is about having proper data governance inside your company and letting people know what you are doing with their data —and being transparent about it.

What are the best next steps towards this?

It starts at the head.

There is no way to be deliberate about meeting the GDPR requirements without buy-in from the head of your organization. The GDPR informs a lot of decisions. You want the people at the helm taking responsibility for it.

A core principle of the GDPR is privacy by design and by default.

This means that any decision taken must be run against this rule, even if it only means checking that no personal data is involved in the next planned feature.

Appoint a point of contact

You may not need a Data Protection Officer, but designate a point of contact whose contact details will be in your Privacy Policy.

Train your team

Then you also want the whole team to understand what privacy means and warrants in GDPR parlance.
In fact, it is a requirement of the GDPR to train your team —the people who will touch the data— about security, privacy and knowing what is ok and what is not when dealing with personal data.

The next step is discovering your data

I get it; it’s your business. What you do all day is shovel data around, right?
Now, does that mean that you know precisely what kind of data —in sales, marketing, operations— you hold, what you do with it, for what purpose, what its lifecycle is, where you send it, etc.?
I can tell from experience that the answer is no.

Really, you want to take an inventory of your data and map its flow so you can draw a realistic map of all the data inside your company.

Actually, this step might be time- and work-intensive —depending on the size of your company and the number of departments you need to interview— but it’s mandatory for the next step toward meeting the GDPR requirements.
As a reminder, here is a bullet-point list of what you want to know as a result of this exercise:

  • What is the purpose of the processing?
  • What categories of data do you hold?
  • How did you obtain it?
  • What is the legal ground?
  • How long is it stored?
  • What safeguard measures are in place for security?
  • Is there a transfer to a third party? Outside the EU?

Publish helpful information when collecting personal data

Go over all the different ways you obtained the data: marketing forms, transfers, etc., and assess whether you provide sufficient information to people about why you need this data, what you are going to do with it, what their rights are and how they can exercise them.
The recommendation here is that the information should be directly accessible —displayed inside the form, for example— in clear and plain language. You may also link to your privacy notice for further explanation, but the main information should be accessible right there.

Review your service providers

Now, it’s time to review your vendors —which are called processors in GDPR speak— and assess their capacity to meet the GDPR requirements.
This is where you sign their DPAs.
But make sure to review what is written in there thoroughly. The terms may not be acceptable.
In particular, you want a clear commitment to disclose a data breach promptly, with the appropriate actions listed.
You want a clear way to fulfill a Data Subject Request from your users or your users’ customers.
You want a well-defined list of all their sub-processors.

Don’t forget the Record of Processing Activities

With the mapping of your data and your vetted processors, it’s time to establish your Record of Processing Activities.
This is a mandatory document (see Article 30).
Consider it the basis of your compliance documentation.
If a Data Protection Authority comes knocking at your door, the first thing they’ll ask you is to show your Record of Processing Activities.
However, don’t think of it as “some paperwork” that stays unnoticed, gathering dust at the bottom of a shared folder.

This is a living document that you’ll use every day —Product Owner’s words— as a source of truth about your data. You’ll rely on it to document your next feature and to map out the different ways your data flows into your software.

Your dev team will need and use it. Your marketing team will use it to document its campaigns.
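Both the data inventory checklist above and the Record of Processing Activities can be kept as a small machine-readable register that the dev team can query. Here is an added example (not code from the original post; the field names, the EU/EEA set and the sample entries are assumptions) that models one register entry and flags the checklist questions it cannot answer yet, including a transfer outside the EU/EEA with no safeguard:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example, not from the post: a machine-readable entry of the data
# inventory / Record of Processing Activities. Field names are assumptions.
EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
          "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
          "SI", "ES", "SE", "IS", "LI", "NO"}  # adequacy decisions not modelled

@dataclass
class Transfer:
    recipient: str                   # processor or other third party
    country: str                     # ISO 3166-1 alpha-2 code of destination
    safeguard: Optional[str] = None  # e.g. standard contractual clauses

@dataclass
class ProcessingActivity:
    name: str
    purpose: str                     # why the data is processed
    data_categories: List[str]       # what kind of personal data
    source: str                      # how it was obtained
    legal_ground: str                # consent, contract, legitimate interest, ...
    retention_days: Optional[int]    # how long it is kept
    security_measures: List[str]     # safeguards in place
    transfers: List[Transfer] = field(default_factory=list)

    def gaps(self) -> List[str]:
        # Checklist questions from the inventory that this entry cannot answer yet.
        checks = [
            (not self.purpose.strip(), "purpose of processing not stated"),
            (not self.data_categories, "no data categories listed"),
            (not self.source.strip(), "source of the data unknown"),
            (not self.legal_ground.strip(), "legal ground missing"),
            (self.retention_days is None, "retention period undefined"),
            (not self.security_measures, "no security safeguards documented"),
        ]
        issues = [msg for bad, msg in checks if bad]
        for t in self.transfers:  # a transfer outside EU/EEA needs a safeguard
            if t.country.upper() not in EU_EEA and not t.safeguard:
                issues.append(f"transfer to {t.recipient} ({t.country}) outside EU/EEA without safeguard")
        return issues

def review_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    # Name -> open gaps, for every entry that is not yet complete.
    return {a.name: a.gaps() for a in register if a.gaps()}

# Constructed sample register for a small SaaS (not real data).
SAMPLE_REGISTER = [
    ProcessingActivity("newsletter", "send product updates", ["email"], "signup form",
                       "consent", 365, ["TLS", "role-based access"], [Transfer("MailVendor", "US")]),
    ProcessingActivity("analytics", "", ["ip address"], "web tracker", "", None, []),
]
```

Running `review_register(SAMPLE_REGISTER)` gives the open items per activity, which is the list to work through before the entry is considered part of the Record.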

New features should follow the privacy by design and by default framework

Speaking of development, write a procedure for your technical team to follow when writing a new feature or user story.
First, start by assessing whether you’re dealing with personal data. Then act accordingly: do we need it at all, can it be anonymized, what are the risks?
Plan for a consultation on technical issues with the development team, to go through the whole technical implementation of the GDPR, regarding security, privacy and users’ rights.
The same should happen with the marketing team. Have best practices and procedures in place to prevent shady practices just because “you can”.

Assess your security

As a SaaS company, there is a good chance that you are mostly doing this part right.
But sometimes you started “quick and dirty,” and things are just rolling along.
Take time to assess whether all safeguards are in place to reduce your attack surface and the risk of a data breach.
FYI, having a general login shared by your whole team is considered a data breach by the regulation.
You should document the appropriate measures you take.

Write procedures.

Yes, like a grown-up :)

Meeting the GDPR requirements is a lot about documentation and processes.

In fact, running a proper business is about docs and procedures.
Critical parts such as data handling will benefit from being tightly managed.
So, procedures. Does it sound as dry as it is?

Start with documenting how to handle a data breach notification. The day the sauce hits the fan, you don’t want to run around in circles waiting for inspiration on what to do.
Document what the escalation path is.
What should the immediate response be, in terms of security and communication with your customers?
How do you contact your Data Protection Authority?
How do you mitigate the risks?
And don’t forget to run a post-mortem to recap what you learned and what you could do better.

Document how you’re going to handle a Data Subject Request.
Someone may ask about their data, or ask you to delete it or export it.
It’s a good thing you designated a point of contact, isn’t it?

And as a bonus, your Record of Processing Activities will tell you all there is to know about the personal data of this person. How convenient!