GDPR

7 minute read

Like most European companies, the last year was spent worrying and preparing for GDPR. My journey, being an IT pro and all, started much before that.

The background

I’ll be honest. InfoSec and data privacy law had historically never been on the agenda for the company, and it used to be a low priority thing for me as well. My personal reasoning has been: we don’t have any information worth protecting in the company. I know some in the company would disagree, but I’ll still stick to my statement. Since we’re a consultancy-based organization, everything we produce is owned by the customer. The code, the design, the strategies, everything. And more often than not, that “IP” is to become public soon anyways. And to be fair, not so interesting for someone else to steal since everything we do is custom start to finish. “But we have our method, that’s IP”. Well there’s no patent pending on that method, I can assure you. Still there’s always a reason for InfoSec. Like any company we have some sensitive internal information, and yes, I don’t want a crypto ransom outbreak, the payroll database to be stolen or defacement of our website. But, there’s been laws in the Nordics to protect PII (Personally Identifiable Information) long before GDPR was even thought of. And no IT manager with a shred of dignity would ignore InfoSec completely. And of course, being an IT pro, I kept myself up to speed on all things happening in the US and EU regarding data transferring laws (I really enjoy following Max Schrem’s shenanigans) and local policies, but that was more out of personal interest, and not so much because I saw a need for the company. I’ll admit, the company has always produced digital solutions for our customers, and in these solutions sometimes lots of PII is processed. I was aware of that fact. But I newer saw it as my responsibility to keep 100+ (at any given moment) customer solutions safe and compliant. I’m internal facing. Other entities within the company need to worry about their hygiene was my reasoning. But when GDPR hit mainstream back in 2016, the top brass and our customers started to notice.

Let’s organize

As I described in a previous post, I recently ran a project to consolidate our data centers. During the planning of that project, my boss, somewhat forcefully, introduced the “suggestion” that since GDPR is about to happen, InfoSec should be a part of the consolidation project. I silently disagreed at first, but my mouth said yes. The following couple of months we debated back and forth on how to approach GDPR, and to my relief, the whole burden of becoming GDPR compliant was not placed on my shoulders alone. The boss took it upon herself to organize us. And she soon realized I myself could only be expected to deliver on the compliance of internal facing processes and systems. I’d say she did everything right. She correctly identified and prioritized what the organization was facing. Yes, I took a big load of the work, also on the customer facing stuff, but that can be expected, being an IT director and all. The boss organized us so that we had one group looking at the “Internal facing” stuff (IT, HR, Finance, Facilities), and one group on the “Customer facing” stuff. She also engaged a couple of (internal) consultants to produce some material to ease the introduction of GDPR to the masses. They did a really good job through the summer of ‘16, and their efforts amounted to:

  • A GDPR glossary (there are a lot of terms in GDPR that need to be understood)
  • A Cheat Sheet
  • Infographics
  • A checklist tool for Project Managers to see if their project is compliant
  • A quiz for all employees

The 2 groups set out to work. We produced plans, inventories, road-maps and clean-ups in our respective areas. We had loads of workshops and sessions, and after a couple of months we decided to consolidate the Customer- and Internal facing groups, since many of the challenges faced where the same, and there were also a lot of overlapping between the groups. We ended up with this structure.

GDPR organization

Responsibility

Who’s responsible for what in GDPR? Well, the CEO of each company is responsible for compliance. Do they understand what that means? No, not really. Our group soon realized it was our mission to give the CEOs (4 of them) the necessary information, so that they on their hand could give us the assignment to make them compliant. This is usually the way IT is done in my experience, but I’m a little disappointed that it had to be done with GDPR as well, since it’s not really an IT matter. When the alarm bells had rung, and the CEOs realized the gravity of what was about to happen, they gave us acknowledgment, and me and my boss held a presentation on the annual Leadership Summit for all managers within the organization. In that presentation, we made clear that the responsibility for compliance was local. We (the coordinating group) would only provide training material and knowledge, but the implementation had to be local. In the presentation we described all the stuff that had been done so far (mainly IT and HR related), and suggestions for how to approach customers and the importance of writing a DPA (Data Processing Agreement), and thereby inventorying, prioritizing and securing all customer solutions built by the company. At least those where we have an active agreement.

Let’s implement

The countries chose somewhat different paths. The Danish branch went all-in on external consultants, much to me and my boss disgruntlement (our stance is that you cannot buy yourself compliance, it’s by design in the GDPR, you must roll up you’re sleeves, and the lawyers telling you otherwise are lying).

GDPR snake oil

I myself was exposed to oh so many charlatans, mainly IT vendors trying to make a quick buck on stuff they had absolutely no knowledge about. But not only IT people, also lawyers and finance chipped in to stir up a hysterical atmosphere. I will not go into detail on all the stuff that happened during this period (so many strong opinions and grown people acting like children, some rising to the challenge and really blossoming in my eyes) but all-and-all it was an exciting ride! We had done so many things right, and the ground work done by the group was excellent in my opinion. The implementation fell a little short though. As usual, in a company where the product is hours, people are rarely allowed and/or inclined to engage in a subject that is not directly billable. We had an early head-start compared to other companies, we really “sold” what had to be done, we held numerous presentations and events, we did quizzes and threats. But when the dust had settled, and May 25th had come, I was left with the feeling that most of our employees and managers still didn’t get it, and especially, the broad realization that compliance is not a one-off thing; it’s a constant that needs to sprinkle through every process and system, now and for eternity, never took hold. Yes, we achieved much, but to be honest I was hoping for more.

The outcome

Did we become compliant? Yes, I believe so. Will we stay compliant? Hopefully, but not inherently. Compliance, which really all boils down to processes and policies, need to be defended over time. In an organization where the average employee stays with the company for a relatively short time, the “muscle memory” of the company also need constant reminders and re-education. This is an eternal struggle. On the IT side of things, InfoSec has been a big thing in my team during the last year, I would say exclusively thanks to GDPR. We have really stepped up our game, and taken charge of a lot of processes, systems and policies. Security is now on the daily agenda for us. This has been a major change. One of the side effects of the whole GDPR journey was me becoming a “GDPR expert” and therefore, by accident, the acting Legal department for the Swedish branch. Suddenly I found myself reading DPAs in the evenings, having one-on-ones with account managers to analyze specific customer needs, attending customer meetings and discussing stuff that was way out of scope for my role. And since I was becoming “so good” at reading agreements, I was dragged into the group responsible for the new company agreement templates and other non-IT initiatives as well.

Legal hat

I didn’t mind, since there’s no one else more suited right now, but I’ve made clear this is not a permanent solution. Let’s hope I’ll be able to leave all those tasks to someone else soon. And, most importantly, let’s hope the work done by the group has really led to a permanent change in the organization’s awareness on topics such as InfoSec and Privacy.

The personal experiences, viewpoints and opinions expressed in this blog post are my own and in no way represent those of the company.