Boxcryptors GDPR Journey Part 3: Internal implementation and external data protection officers

Since May 25th 2018 the new General Data Protection (GDPR) applies for Boxcryptor and all companies, processing any personal data of EU citizens. This new provision of the European Union is fundamentally reshaping how personal data is processed within the EU. The amendment is demanding far-ranging changes and re-structuring within company-processes. Surveys show that the GDPR is striking fear in many companies affected by this regulation.
We, at Boxcryptor decided to understand the GDPR as a chance, rather than a threat. Therefore, Boxcryptor CEO Andrea Pfundmeier is going to report, in a multi-part series of articles, how the new GDPR is implemented and applied at Boxcryptor.

Read the other parts of the series here:

• Part 1 – Getting an overview (Steps 1-4)
• Part 2 – Optimization of existing processes (Steps 5-8)
• Part 4 - Third Party Providers (Step 9)
• Part 5 - Encryption
• Part 6 - Before GDPR is past GDPR

Implement the necessary changes with external help or by myself?

The previous parts of this series have shown that almost every business area and organizational level is affected by the new GDPR. Therefore, I consider keeping track of everything as being one of my most important duties as CEO. There are two reasons for not giving full response of our GDPR compliance to an external audit service provider:
Firstly, at the end my business partner and I remain accountable for possible mistakes. Even in case of outsourcing all GDPR duties, I would still have to consider every aspect of it myself. Additionally, external auditing is quite expensive to a young and rather small company as Boxcryptor.
Secondly, I assessed the already existing knowledge of our team. As a provider of encryption software, we of course have experts in the area of IT security, helping us to face some of the challenges on our own. Adding my own legal expertise with a specialization on corporate law, the original GDPR text was coherent to me.
Furthermore, the edits on the information, as provided by inter-trade organizations, specialized journalists and chambers of commerce proofed themselves to be helpful as well. Hence, I consider our company to be quite well prepared to deal with the bulk of issues connected to the GDPR without pricey external help.

Why we want to meet most requirements of the GDPR internally

For the reasons mentioned above I decided to oversee all actions, necessary for our GDPR compliance by myself and to operate all processes internally, as far as possible. This is going to result in comprehensive, long-term knowhow for our company, so we can confidently look beyond the May 25th 2018. Because – despite this being the due date – GDPR will not disappear afterwards. Instead, we constantly have to check for complying with GDPR. The solution to do so is creating and maintaining thorough knowledge of the GDPR and all its implications internally.
With Boxcryptor being an appropriate „technical and organizational measure“(TOM) according to Art. 32 GDPR we represent an important part of our customers’ measures to reach GDPR compliance. Hence, a lot of questions about GDPR reach us, which makes it a regular topic in communication with our users.
It is my personal objective to make the GDPR part of our company culture – instead of just accepting it as a necessary evil. As I mentioned above: We perceive the GDPR as a chance.

Ask for external advice

For certain issues I asked for additional, external advice, though. A local law office supported us for this purpose, especially on “one-time” issues like:

• Assessment and revision of our data privacy statement
• Assessment and revision of our website’s imprint page
• Assessment and revision of our general Terms of Use
• Assessment of our contracts of employment

Appointing an external data protection officer

According to Art. 37 GDPR we are obliged to appoint an external data protection officer (DPO) who will start working soon. After assessing our already taken data protection measures this service provider will continuously be advising us and provide trainings, to keep awareness about GDPR active among our employees.
Beyond that, our DPO is our contact to the inspecting authority (which in our case is the “Bayerische Landesdatenschutzbehörde”) and will furthermore take actions in case of customer complaints, keeping me as CEO informed about case details and preparing a statement for the complainant.

Expenditure of time for getting Boxcryptor GDPR compliant

As in the previous parts of this series, I am reporting our way to GDPR compliance from my perspective. For this reason I try to provide some details, with estimations of time required for each aspect, in this section so every reader can guess for each point individually if more or less time will be required in their respective companies.
These are the time requirements I wrote down for myself:

• Research for GDPR and procedure planning: approx. 5 working days
• Documentation of third-party services (accumulation, contact, legal documentation): approx. 5 working days
• Employee briefing and meetings: ongoing, approx. 3-5 hours/month for me as CEO, expenditures by employees depending on team size
• Law office consultation, revision of required documents, implementation of changes: approx. 2 working days
• Technical implementation of changed processes for all departments: approx. 5-10 working days for me as CEO, expenditures by employees depending on team size

Summed up, implementing measures to reach GDPR compliance results in a personal expenditure, for me as CEO, of 25 working days in the past and in addition 3-5 hours of time expenditure on a monthly basis.