Boxcryptor’s GDPR Journey Part 1: Getting an Overview
For Boxcryptor, just as for any other company that processes personal data of people in the EU, May 25, 2018 is a turning point. From that date on, the General Data Protection Regulation (GDPR) applies: a new regulation of the European Union that fundamentally redefines the handling of personal data.
As a result of the approaching law, many companies face the need for far-reaching changes and restructuring. Many surveys show that the GDPR is spreading fear and uncertainty.
We at Boxcryptor decided to see the GDPR as an opportunity. In a multi-part series of articles, our CEO Andrea Pfundmeier will therefore report on how we are implementing the new European General Data Protection Regulation.
First Step: Collecting Information About the GDPR
For an introduction to the topic of the General Data Protection Regulation, I first read the Regulation in the original. Personally, I coped well with the official document of the European Union, but there are also various helpers, such as apps with full-text search and a bookmark function.
In addition to the legal text, I also searched for articles and specialist contributions tailored specifically to us as an IT service provider, software manufacturer and medium-sized company. To get a comprehensive overview, we exchanged ideas in the team, shared links and participated in webinars.
Second Step: Documenting Processes
Andrea working through the paragraph jungle of the GDPR.
The next step is to create complete documentation of all interfaces through which personal data could potentially be shared. I decided to create an Excel spreadsheet. Line by line, an overview of the tools we use emerged, including which personal data is transferred to each tool and for what purpose. Such an inventory is also the basis for the record of processing activities that Article 30 GDPR requires.
Important: It is not just about the processing of our customer data, but just as much about the personal data of our own employees. Even personal data in a professional context (for example, a work email address or the IP address of a work computer) is personal data that must be protected under the GDPR.
Here are some examples of the tools we use here at Boxcryptor:
With our support application we process the support requests of Boxcryptor users. The customer ID and email address as well as the name and license type are transmitted here. All of this data is needed to solve technical problems. Depending on the support request, we additionally have to ask users which browser and operating system they use to encrypt files with Boxcryptor.
Company-internal emails are not our preferred way of communicating; in fact, we mainly communicate via chat. Emails are used more often for outside communication, for example when we receive press inquiries or plan a trade fair. But of course, the data sent by our partners and contacts in these emails is personal data in the sense of the GDPR as well, and must therefore be treated carefully.
We have a shared Dropbox account in which each department has its own folder. This allows us to manage access rights conveniently, and the teams work efficiently. No files containing personal data are stored locally on individual workstations. Of course, we encrypt all corporate data that we upload to Dropbox with Boxcryptor. Thus, our company-internal data and all personal data are encrypted and therefore not visible to outsiders. Since the founding of the company, we have strictly adhered to this workflow.
Third Step: Sensitizing Employees to Data Protection
One very important factor in the implementation of the GDPR at Boxcryptor, for me, is raising the awareness of employees. After all, they are the ones who work with sensitive data every day, and they therefore play an important role in GDPR compliance.
As the CEO of a security startup, I am in a very convenient position, since my employees are well informed about data protection due to the nature of our product. Nevertheless, we make sure to educate ourselves on a regular basis, and we discuss new technologies and court rulings related to data protection as a team.
However, first of all, I need the support of my team in documenting the work processes and in collecting the third-party programs we use internally. Although we are a small team, it is still a big task to find and list all the tools and services used by our employees. We have four different departments (marketing, sales, development, and customer service), and of course each department uses different tools to handle its individual tasks.
The first discussions in the team have already shown that the GDPR is a welcome opportunity to rethink work processes, and optimization potential has already come to light. For example, simply by collecting the tools, employees stumbled across old accounts for services that have not been used for a long time. Deleting these accounts is a first step in reducing the unnecessary spread of personal employee data (such as email addresses) across services.
Fourth Step: Checking GDPR Compliance of Third-party Providers
Contacting third-party providers is laborious but necessary due diligence. We need to ask all partners and software vendors about their GDPR compliance. This means that we check, for example on the website of our payment provider Share-It, whether there is already information on the GDPR. If there is not, we have to contact the company and ask for the information, or ask when it will be available. For providers that process personal data on behalf of a company, the outcome of such a check ultimately has to be a data processing agreement, which Article 28 GDPR requires between controller and processor.
Likewise, as a software vendor, we receive requests from customers who want to know whether we are GDPR compliant. A question we are asked frequently is how encryption with Boxcryptor can support GDPR compliance. We answer this question in our blog post: How Boxcryptor can help with the GDPR.
The GDPR and Boxcryptor
In the coming months, we will report regularly on our journey to GDPR compliance. We assume that even after the cut-off date of May 25, 2018, there will be more interesting developments once the first court rulings are handed down. We'll keep you up to date here on our blog.
Continue reading here:
- Boxcryptor’s GDPR Journey Part 2: Optimization of existing processes
- Boxcryptor’s GDPR Journey Part 3: Internal implementation and external data protection officers
- Boxcryptor’s GDPR Journey Part 4: Dealing with Third Party Providers
- Boxcryptor’s GDPR Journey Part 5: Encryption
- Boxcryptor’s GDPR Journey Part 6: Before GDPR is past GDPR