How can you approach the new GDPR as a business?

With less than six months to go until 25 May 2018, when the new General Data Protection Regulation comes into force, more than 75 percent of the time you have had to implement it in your business has passed. Have you not reached 75 percent of your goals either? Then read on and let's start a shared journey where we can hopefully learn from each other through our concrete experiences.

What will the new data protection regulation mean for your company?

Have you also read countless articles from professionals giving good advice on the new European data protection regulation, which replaces the Danish Data Protection Act on 25 May 2018? If so, you should read on. Or, less likely: is this the first time you have encountered the new data protection regulation? If so, you absolutely must read on. In short: you should read on.

We are trying to turn things on their head and instead start from how Intempus as a company is preparing for the General Data Protection Regulation, and what resources we anticipate we will be using for it. And let's make it clear from the outset: we are in the early stages, so you won't find a detailed best-practice solution here for implementing the General Data Protection Regulation. But perhaps your company has more or less in common with Intempus. Perhaps you can take comfort in knowing that there are others who have just as much work ahead of them as you do. But if, like 26 percent of medium-sized Danish companies, you are still going around talking about the “personal data law,” and this is the first time you're hearing about the General Data Protection Regulation, we can't console you – then you just need to get started!

We will be publishing many more blog posts as we progress with implementing the law into Intempus’ systems, but we are starting off gently. So, what have we done so far?

First and foremost, we have quickly concluded that Intempus is very much affected by the General Data Protection Regulation. It concerns all companies that work with personally identifiable information. And it would be naive to imagine that this is not the case for a company that sells time tracking software and handles this data for its users.

But in reality, very few things are not personally identifiable. Just take an example from last week with a customer. We were talking about journey logging, and when we also touched upon GDPR – which is the English abbreviation for the General Data Protection Regulation – the customer fell into the classic trap of believing that GDPR is primarily about sensitive personal information such as the CPR number. But no, consider, for example, if someone got hold of a person's journey logs. Route and time. In the eyes of the courts, it would be possible, based on the information, to stand by the roadside and identify the person – not least if the information is supplemented by the number plate, as would typically be the case in Intempus.

It is therefore significantly easier to discuss which data is not personally identifiable than which data is. And off the cuff, we can't really think of any of the former that we handle. At least not when they are in context with others. In addition, there are all the collaboration partners our system integrates with, and to whom we therefore pass on data, as well as all those for whom we handle data. Conclusion: We have a lot of work ahead of us, both in optimising our own systems and workflows for GDPR, and in drawing up watertight contracts with all those we work with in one way or another.

The trade association The IT Industry also has a standard contract, which can be adapted and made your own (requires membership). This way, you can avoid hiring a lawyer at the hourly rates they charge. Or, even worse, drafting a contract haphazardly yourself; that approach can hardly be recommended if you don't have the skills for it. Another good tip is to avoid sensitive personal information such as CPR number, sexual and political orientation, trade union membership, and so on, entirely if you can. It is extremely difficult to process such data while still complying with GDPR. This naturally only applies to data for which you are a data processor. For employment contracts and the like, it is impossible not to hold sensitive personal information. Are you in doubt about the difference between data processors and data controllers? Then expand the box below and learn more.

Data controller or data processor?

Instead of juggling a lot of technical terms, we believe it can be expressed more precisely and pedagogically: is the data in question yours, or is it just data you are processing for someone else? In the first case, you are the data controller; in the second case, you are the data processor.

Intempus provides software for reporting work-related data. And behind that software, we naturally have some databases that store this data. However, this is not data that we own or are particularly interested in. It is our customers' data, and therefore we are data processors.

Furthermore, all companies naturally have a lot of HR data such as employment contracts, salary information, customer details, and so on. You are the data controller for these, and the requirements are stricter here, but that applies to everyone. If you can avoid storing CPR numbers and other sensitive personal data, you must do so – they are difficult to manage!

What have we concretely done in Intempus?

We first heard about the new personal data regulation by chance at a customer meeting back in the spring. The reaction was probably very predictable, much like most people's: to dismiss it and underestimate it a bit, likely because it seemed too overwhelming. However, it didn't take much research to ascertain that this is something we can't easily get around, so the focus has been on gathering a lot of knowledge so that we have the best conditions to take the right steps from the outset.

On a purely practical level, one person has been tasked with staying completely up to date on GDPR. An easy way to save time on that task is to set up a Hootsuite or TweetDeck account and conduct Danish-language monitoring of the terms ‘GDPR’ and ‘persondataforordning’. GDPR is discussed quite a lot on Twitter, so our theory is that if content is created on the subject, it can be found on Twitter, which is a very manageable medium to monitor.

In addition, we have attended some events where knowledgeable individuals have given presentations about the General Data Protection Regulation and, of course, its implementation within companies. The advantage of these is that you can get answers to specific questions, talk with like-minded people, and receive valuable input to help assess how urgently you need to act within your own company. And, not least, they are quite often free.

Last week, we also took what must be the first step for all types of companies, once they have moved past the initial knowledge acquisition phase – namely, mapping the various datasets and segmenting them into harmless, personally identifiable, and sensitive personal data. We have, in a very practical way, created a document where we have divided the data into those for which we are the data controller (primarily HR data and lead data), and those for which we are the data processor (primarily app data).

That was it. That's as far as we've actually got. But of course we must go further, and it must be soon – at least this side of Christmas.

What is the next step?

We do not have a full overview of that. However, we expect the next step to be an analysis of how the various data are currently processed and what is missing to meet the new requirements. From there, the work of optimising the company's digital and analogue infrastructure, as well as entering into data processing agreements, will naturally commence.

That must be the plan in outline. Do we have any overview of how many resources it will require? Not at all. Will we be negatively surprised by it? Most likely. All the more reason, therefore, to get started now, as there's no way around it. Or rather, there is, if one wants to run the risk of exposing a lot of people's personal data, incurring fines that could destroy a company, and becoming the black sheep of the flock. But we don't want to run that risk. Fortunately, we fall into the category of data processors, who get off somewhat more easily under GDPR than data controller companies do.

Although Intempus is only a data processor, we will hardly escape having to appoint a Data Protection Officer (DPO) – or a “professional pain in the ass”, as the role is jokingly referred to. In other words, a person who is responsible for supervising compliance with the General Data Protection Regulation. In our own best assessment, we are not looking at a new hire, but simply at an existing employee who will have the responsibility added to their role, and thus the difficult task of maintaining good relations with colleagues in the future.