Journey with ArcStone as we overhaul our data privacy policies and procedures.
Riveting bedtime reading?
Maybe not, but trust us – this is timely, important, and could have real-world consequences if you ignore these regulatory changes.
First, a little background...
Does your organization collect data on users visiting your website? It’s likely that you track visitors using Google Analytics or collect basic information like names, email addresses or phone numbers in contact forms.
If you fail to get consent to track user data from website visitors based in the EU or if you mishandle personal information that you collect from them, your company may be liable to pay fines up to €20,000,000 or 4% of your annual revenue, whichever is greater.
Even if you don’t have a business address or presence of any kind in Europe, the EU has indicated that it is planning to enforce its data privacy regulations across national boundaries if your sloppy data management impacts their citizens.
This is a big change from the old rules.
So what can you do to protect your organization?
We asked the same question and have distilled a list for ourselves. We thought it would be useful to share this with others as well.
ArcStone’s Four Week / Ten Step Process for GDPR (General Data Protection Regulation) Compliance
Week 1 – Organize
Get support: Make sure management / IT / marketing staff are aware of the new regulations.
Assess your data: Look at where and how your organization stores / uses personal data. Determine the flow of personal data in your organization and any third-parties who have access to it. Are those vendors compliant? Document it.
Assign a manager: The EU mandates that a DPO (Data Protection Officer) responsible for data privacy be appointed within your organization. Exemptions exist for small businesses – though it’s still a good idea to assign a responsible person to handle the GDPR and data protection policies for your organization in general.
Week 2 – Update Policies and Procedures
Review procedures to handle individual data rights: The GDPR has very specific rules around managing, transmitting and deleting data. Set policies and procedures accordingly.
Data breach policies: Make sure adequate protections are in place to detect, respond to and investigate any data breaches.
To PIA or not to PIA: Privacy Impact Assessments – do you need them or not? If there’s any question, the UK ICO publishes a list of questions a non-technical person can use to assess whether you need to run a PIA process.
Week 3 – Update the Website(s)
Update your site for consent: This means having users consent to cookies, approve data use and age restrictions (parental consent is required for ages 16 and under). Consent must be recorded and auditable.
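One way to implement the consent gating described above, as an added example that is not part of the ArcStone post: analytics only loads after an explicit, recorded opt-in, and the stored record (policy version, timestamp, purposes, age confirmation) is what an auditor can later check. The key/value store interface and the policy version string are assumptions.

```javascript
// Added example (not from the ArcStone post): gate analytics behind
// explicit, recorded consent and keep an auditable consent record.
// Assumptions: a store with getItem/setItem (localStorage in a browser,
// a plain object here) and a policy version string you maintain.

const POLICY_VERSION = "2018-05"; // assumed: bump when the privacy policy changes
const CONSENT_KEY = "consent_record";

// Minimal in-memory store so the example runs outside a browser.
function memoryStore() {
  const data = {};
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
  };
}

// Record the visitor's choice. Opt-in only: "analytics" stays false unless
// the user explicitly chose it. The record carries what an auditor needs.
function recordConsent(store, { analytics = false, over16 = false } = {}) {
  const record = {
    policyVersion: POLICY_VERSION,
    timestamp: new Date().toISOString(),
    purposes: { necessary: true, analytics: Boolean(analytics) },
    ageConfirmed: Boolean(over16),
  };
  store.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Read back the stored record, or null if it is absent or corrupt.
function getConsent(store) {
  try { return JSON.parse(store.getItem(CONSENT_KEY)); } catch { return null; }
}

// Analytics may load only if a record exists, it matches the current
// policy version (re-ask after the policy changes), age was confirmed,
// and the analytics purpose was opted into.
function shouldLoadAnalytics(store) {
  const c = getConsent(store);
  return Boolean(c && c.policyVersion === POLICY_VERSION && c.ageConfirmed &&
                 c.purposes && c.purposes.analytics === true);
}

// Browser hook: inject the tracker (e.g. the Google Analytics script tag)
// only once consent permits it; returns whether it was injected.
function loadAnalyticsIfConsented(store, inject) {
  if (!shouldLoadAnalytics(store)) return false;
  inject();
  return true;
}
```

In a real site, pass `window.localStorage` as the store and a function that appends the analytics script tag as `inject`; a withdrawal of consent is just a new record with `analytics: false`.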
Week 4 – Commit
Educate staff: Fully educate the appropriate staff members who will need to ensure proper data protection procedures. Provide training that supports any procedural updates.
Schedule a quarterly review: Make certain your DPO / person responsible for data in your organization is maintaining their education around this issue and provides a quarterly assessment report for your management team to review.
There are a number of guides available to help ensure compliance with the updated regulations. One of the best is published by the UK’s Information Commissioner's Office. Another helpful site is the EU GDPR office. (Reminder: GDPR = General Data Protection Regulation)
Please follow along as we drink our own medicine.
Update - Week 1
1. Get support: Make sure management / IT / marketing staff are aware of the new regulations.
We held a staff meeting and brought everyone up to speed. See our photographic documentation...
2. Assess your data: Look at where and how your organization stores / uses personal data. Determine the flow of personal data in your organization and any third-parties who have access to it. Are those vendors compliant? Document it.
We assembled a list of all the applications and data stores where we have customer information. We identified 18 data stores and have begun reviewing privacy policies to check compliance and deleting data from unused stores. It's a big job!
We are documenting our progress in a central spreadsheet.
3. Assign a manager: The EU mandates that a DPO (Data Protection Officer) responsible for data privacy be appointed within your organization. Exemptions exist for small businesses – though it’s still a good idea to assign a responsible person to handle the GDPR and data protection policies for your organization in general.
We have assigned a manager, our CTO Alicia Cermak.
Update - Week 2
We were a bit surprised by the number of different cloud applications that touched our data and it took a fairly long time to review each one and review their privacy policies in light of our own policies and procedures. We were glad to see that all of them appeared compliant with GDPR and our policies.
We determined that we would not do a Privacy Impact Assessment at this time.
Update - Week 3
Update - Week 4
At this point everyone is getting fairly sick of GDPR. I (David) actually got SPAM email from a consultant offering to certify us as compliant and provide training. I couldn't help but reply, "Aren't you spamming me? It seems emailing me without my permission violates the spirit and practice of GDPR." Not surprisingly, I never heard back.
Our next quarterly data practice review is scheduled for the start of Q3 - July 5th.
I feel that we're a stronger company having reviewed our data protection and privacy policies than we were before. It will be interesting to see how this unfolds here in the USA as our lawmakers respond and start to grapple with these issues.
Fundamentally, GDPR is answering the question: who owns the data about a person, the person or the company that collects it? The EU says the person; right now U.S. law says it belongs to the company that collects it.
We'll have to see if that changes. No doubt there will be interesting times ahead as our ethics catch up with our technology.