Boxcryptor’s GDPR Journey Part 2: Optimization of existing processes
Since May 25th 2018 the new General Data Protection Regulation (GDPR) applies to Boxcryptor and to every company that processes personal data of EU citizens. This new provision of the European Union is fundamentally reshaping how personal data is processed within the EU. The regulation demands far-reaching changes and restructuring within the affected companies, and surveys show that it is striking fear into many of them.
We at Boxcryptor decided to see the GDPR as an opportunity rather than a threat. Therefore, in a multi-part series of articles, Boxcryptor CEO Andrea Pfundmeier reports how the new GDPR is being implemented and applied at Boxcryptor.
- Read Part 1 of the series here: Boxcryptor’s GDPR Journey: Getting an Overview
- Read Part 3 of the series here: Boxcryptor’s GDPR Journey: Internal implementation and external data protection officers
- Read Part 4 of the series here: Boxcryptor’s GDPR Journey: Third Party Providers
- Read Part 5 of the series here: Boxcryptor’s GDPR Journey: Encryption
- Read Part 6 of the series here: Boxcryptor’s GDPR Journey Part 6: Before GDPR is past GDPR
Fifth Step: Review documents for conformity with GDPR
Although I read deeply into the European General Data Protection Regulation, I needed the help of a law firm with some aspects of it. I collected a number of our documents to be reviewed by the specialists, to check whether they are up to date and conform to the new regulation. These documents include, for example, our data privacy statement, the imprint of our website and our terms and conditions.
One point that is often missed: the GDPR applies to all data that is linked to a person. Hence, it applies not only to data about customers, but also to all data about a company’s employees. Data protection has always been a separate section in the employment contracts at Boxcryptor. Nevertheless, this section is also being reviewed by our legal specialists.
Sixth Step: Revision of existing processes
With approximately 30 employees, certain processes recur regularly. For example, we reviewed in detail what happens when someone leaves the company. We looked at this process through “data protection glasses” to discover and define potential for optimization. For instance, the responsibilities for online services such as Salesforce, Mailchimp or email were defined precisely, and the handling of related issues, such as dealing with remaining hardware, was revised. Until now, the sequence of events on an employee’s last working day had been comparatively loosely defined. Now, the moment at which accounts and devices are disabled and deleted, as well as the person responsible for each task, is defined exactly.
Seventh Step: Declutter third-party providers
As I already noted in my last article on implementing the GDPR, the process analysis paid off: through it we discovered some old and obsolete processes. With a thorough overview in hand, we could begin sorting out obsolete services and accounts. In addition, we were able to terminate subscriptions and licenses we no longer needed. It was a liberating process, both for me personally and from a data protection point of view.
Tip: Draw on employees with expertise
As a provider of highly specialized encryption software, some of our employees are experts in data protection issues and have profound knowledge of the interfaces between our different systems. Over the following weeks we scheduled meetings with those experts in order to clarify how the different systems process information and at which points personal data is transferred between them.
Our tech team is focusing on how data deletion is managed, since the right to be forgotten is a major novelty introduced by the GDPR that we need to address.
Eighth Step: Sensitize and train employees
Although I am convinced that data protection is the responsibility of company management, the issue concerns every employee of the company. Therefore, we have already set up an internal workshop in which I will explain thoroughly why this issue is so important for us and what personal data is in detail (see infographic). Furthermore, I will explain the rules that apply at our company.
Those rules include, for example, that no customer data is shared via our internal chat program HipChat, and that information or data concerning our employees is never passed on to a third party. A summary of this workshop will be attached to our onboarding document, so that newly recruited employees are sensitized to the issue right from day one.
The GDPR and Boxcryptor
Over the coming months we will report repeatedly on our path towards fulfilling the GDPR. We expect that after the due date, May 25th 2018, there will be highly interesting developments in complying with the General Data Protection Regulation as soon as the first court decisions are rendered. We will keep you up to date on those developments in our blog.