GDPR

Off we went with Juha to Rigacomm, the biggest business and IT technology fair in Baltics arranged this year on Oct 11 to 12. Our stand was strategically located between coffee area demonstrating InOut cloud-based queueing system and Diatom stand occupied by interactive robot, near digital marketing stage. So we received our fair share of visitors which was nice.

In quite a few conversations I ended up explaining the significance of GDPR legitimate interest and balancing test. There is no legal requirement to ask for marketing consent from customer on customer list when certain (broadly set) conditions are met. Of course regular explicit opt-our is still mandatory.

There were also many questions about what our technical solutions for GDPR are and do we develop those ourselves (answer being yes, but no for software). So, more discussions about dark data assessment in different environments (fileserver, SharePoint, O365, other cloud-based environments). There is no single patent solution for all cases. We are offering solutions based on Veritas, Varonis and Micro Focus software.

As there were vivid discussions on our SMB start package content and implementation and the effort and commitment it takes from customer organization as well (we go deep inside to verify), there was not as much time for discussions about data flow modeling ”beef” as I would have liked.

As contrast for GDPR discussions in our booth, there were two generally available robots around in the fair. I overheard someone asking the lobby robot: ”Do you like Robocop?” That confused the robot more or less (and amused me). I wonder if the robots were set to collect and store questions made by people this time. That could be really interesting machine learning data as I assume human imagination in the end is still supreme to what any machine could possibly produce.

I also had a really nice discussion with a lady who was tired of all that information available and GDPR in particular. It’s no surprise GDPR doesn’t have a good echo as so many misunderstandings and even disinformation about it around. She was open about her frustration and then we ended up talking about chocolate and ice cream. That’s what we humans are like and I appreciate it.

GDPR deadline is less than a month away. The two year transition time is almost used up. The General Data Protection Regulation, GDPR, regulates data processing strictly compared to the previous laws. What are the steps organizations should have taken? These are some of the important things your organization should do:

• Is your company processing or controlling large amount of data? Make sure that you have Data Protection Officer named if you do.

• If your organization operates in several European countries, appoint leading DPO.

• Document the data processing of personal data. Go through all the phases from the collection to the disposal of the data.

• Make sure what are the lawful basis behind the data collection, controlling or processing. Do notice that the basis does not have to always be direct opt-in. ICO has just recently released useful guidance tool for lawful basis that can be found from here.

• What kind of risks could be involved in the data processing in your organization? Make sure to have a mitigation plan.

• Get ready for data subject access requests. Update your processes to make GDPR compliance more automatic. Is your organization ready to find the data if need?

• Make sure your data security is up to date. Get also ready to announce possible data breaches.

• Check the GDPR readiness of your partner organizations and service providers and update your contracts.

• If you process or control data of minors, make sure to check the special requirements you need to meet.

Many parts of this checklist can be filled by our Start package. The package works as a fast lane for GDPR compliance! Check also Gap analysis by our partner IT Governance! It will provide a detailed breakdown by area of your compliance status, and an action plan that sets out and prioritizes the key issues that your organization must address to become compliant.

If you have not started yet with GDPR compliance – this is the time you should start!

Contact us for more information!