Boxcryptor’s GDPR Journey Part 6: Before GDPR is past GDPR
Since May 25th 2018 the new General Data Protection Regulation (GDPR) applies to Boxcryptor and to all companies processing personal data of EU citizens. This new provision of the European Union is fundamentally reshaping how personal data is processed within the EU. The regulation demands far-reaching changes and restructuring in the affected companies. Surveys show that the GDPR is striking fear into many of the companies it applies to.
We at Boxcryptor decided to perceive the GDPR as an opportunity rather than a threat. Therefore, Boxcryptor CEO Andrea Pfundmeier reports in a multi-part series of articles on how the GDPR is implemented and applied at Boxcryptor.
Read the previous parts here:
Part 1 – Getting an Overview (Steps 1-4)
Part 2 – Optimization of existing processes (Steps 5-8)
Part 3 – Internal implementation and external data protection officers
Part 4 – Dealing with Third Party Providers (Step 9)
Part 5 – How we at Boxcryptor apply encryption to protect our data
Step 10 – Stay in Touch
Having concentrated for two years on the GDPR coming into effect on May 25th 2018, it is now time to focus on maintaining GDPR conformity from here on.
Within this EU regulation, certain areas are not formulated as clearly as one would wish if one is responsible for adhering to it.
This is why the first court decisions are awaited; they will clarify in detail how certain data protection rules need to be set up.
But while we can only wait for those court decisions, there are other areas in which CEOs, data protection officers (internal or external) and employees should already be engaged.
Documentation of processes
Be aware that the documentation of data protection processes needs to be up to date at all times. An easy way to achieve this is to take note immediately whenever a new tool is introduced. Of course, it is crucial to train employees to do so as well. Alternatively, one might set up a recurring appointment to review the documentation of data protection processes for currency, for example every 2 months.
It is mandatory that the data protection principles of the GDPR are also met for interfaces, programs and processes that are implemented after May 25th 2018.
Just because a technical measure was deemed “appropriate” on May 25th 2018 does not mean that it remains appropriate half a year, two years or 5 years later. Quite the contrary: for many services and applications, exactly the opposite is likely to be the case. Information technology is a very fast-moving field; software “decays”, as one software engineer vividly put it recently. There are constantly updates, new developments and newer versions. It is a tedious yet crucial task to ensure that all measures remain state of the art.
To do so, it is extremely important to include the IT department and the developers in this process, because those employees are the first to know when a technology is becoming outdated and should pass on this information immediately when that happens.
Training of new employees
As a growing startup we constantly welcome new members to our team, who need to be integrated into the company. For this purpose, I developed an “onboarding process” in which all new employees are informed about the most relevant issues: besides the code of conduct in the office, staying at home when ill and the allocation of the “kitchen duty”, I have now integrated the most important information on how to handle personal data into this process. This onboarding process, in combination with the training that takes place in any case, prepares our new team members well for the requirements of the GDPR.
Control of Processes
Based on the documentation of processes that I developed and described in part 1, I review all processes for their GDPR conformity at regular intervals. In doing so, I focus on the following aspects:
• Has the process been changed since the last review?
• Have new steps been added to the process that require new tools and thereby new considerations in dealing with third-party providers?
• Has the process been made obsolete and can therefore be excluded from the documentation of processes?
• Are all employees informed on how the process needs to be completed correctly and does everyone comply?
You might have noticed that some processes need to be executed more frequently now than before the GDPR came into effect. As an example of such a process, I would like to mention the right to demand deletion of data, which every EU citizen has possessed since May 25th 2018.
If this right is exercised against your company on a regular basis, now might be the right time to consider automation.
We at Boxcryptor have made the necessary preparations for automation, or at least given it thought, in collaboration with our team of developers. Whether, and if so when, we have to implement automation of a process depends on the number of requests we receive regarding that process.