11 December 2017

We can help you with GDPR

In my previous blog post I challenged the scare talks on the net about GDPR and I explained why I disagree. You can read it here if you did not already do so. In this blog post I will present a proposal for a solution regarding GDPR that has been appreciated by our current clients.

GDPR audit

Wunder offers a GDPR audit where we help our clients with GDPR compliance of their web services. We map all the personal data in the service, then walk through the findings together with the client, after which Wunder produces the needed documentation for proving GDPR compliance of the service. I’ll tell you about all this in detail in this blog post. But from the client’s perspective, all that is needed is to let Wunder help with this, sit down and talk about all personal data that is being processed, and then receive a bunch of documents proving GDPR compliance. That sounds rather convenient, doesn’t it? Our clients for whom we have already completed this service tend to agree.

Step 1: Mapping personal data

The effort starts with mapping all the personal data in the service. One of Wunder’s developers will do a thorough job on it, or the client can take care of this if there is somebody skilled enough in the company or if the amount of personal data is very limited. But just mapping the personal data is not enough. As mentioned in my earlier blog post, all processing of personal data must be justified. There are also a number of other parameters needed for the personal data processed. The list is long, but one central parameter is where the data is stored, especially whether it is within the EU/EEA or outside it, in some US-based cloud service for example. Another important parameter is who has access to the different types of personal data. Only those who really need the access may have it. This work will be completed before proceeding to the next step.

Step 2: Discussion of the mapped data

Next, the results of the mapping are discussed together with the client to agree on the data protection parameters of all personal data and the processing of it. Once we’ve agreed the mapping is complete, other findings will be discussed, like possibly redundant data found, or improvement suggestions to the service. Another focus in this discussion will be certain details that will be documented, e.g. how to prepare for the new rights of the data subjects, the persons whom the personal data is about. And even more important is how to react in case of a data breach. There is every reason to discuss this at least once before it possibly happens. GDPR has some explicit regulations regarding actions after discovering a data breach, like an obligation to report to the Data Protection Authorities within 72 hours. With well laid out plans, reacting to the new data protection aspects of GDPR is more like business as usual, and that is exactly the goal of Wunder’s GDPR audit service.

Step 3: Documentation

The production of documentation comes next. There needs to be a data protection appendix added to the contracts of Wunder’s maintenance clients, where responsibilities and obligations of both parties are defined according to GDPR. This document should ideally also contain the agreed actions when data subjects use their new rights, and what to do in case of a data breach.

Another document to produce is the so-called data processing policy. This is my translation of the name of the document originally proposed to us in Finnish by our lawyers. There may be other names for it out there. It is not a mandatory paper yet; some claim it will be, but it is at least a highly recommended one. It is a bit like a privacy policy for a website, but this one is solely about processing of personal data. The data from the mapping effort goes into this document. We also make a report of the whole process: what data was mapped, what was agreed about it, and what was agreed regarding the documents and the processing of personal data in general.

As a last piece of documentation, we produce proposals for the discovered improvements to the service. But it is naturally up to the client if the proposed improvements will be implemented or not. And the client has every right to do the implementation themselves or outsource it to some other digital agency than Wunder.

That's it!

When the documentation has been delivered, the project ends and possible data protection improvements to the service can begin. Wunder welcomes adjustment proposals to the service described here, as one service format hardly fits all clients. Some clients have preferred to perform the mapping of the personal data themselves. Others have had their own GDPR compliance efforts already ongoing and have preferred to use their own documentation templates. This is all okay with us – whatever makes the change to GDPR compliance easier for our client, we will be happy to help with the preferred approach.

 

If your company needs help with GDPR, or if you just wish to discuss its implications further, I would be delighted to receive an email from you at [email protected]. Or read about our offering here.
