If you work in an IT company operating in the European Union, chances are you’re already tired of hearing about GDPR, the General Data Protection Regulation, which comes into force on May 25th.
This new regulation lays down the rules for the protection, handling, and free circulation of personal data in the European Union, strengthening the rights of individuals and increasing the responsibilities of organizations. More than ever, businesses will need to be fully transparent with anyone willing to trust them with their personal data, informing individuals about the purposes of its collection and how it’s kept safe and secure. Companies will need to meet a very high ethical and technical standard; otherwise, they can be held accountable and risk hefty fines of up to €20 million (or 4% of global annual turnover, whichever is higher).
With little over a month to go before the new regulation’s enforcement, we share some of the steps we took in preparation for GDPR and hope to inspire some partners and peers to follow them:
- Getting the right people involved: since most teams at DevScope handle customer personal data to some degree, we created a work and discussion group (aptly named GDPR) composed of each team’s manager. Since its inception, everyone involved has used it to share and debate all sorts of information regarding GDPR, be it benchmarks, best practices, or even opinion pieces. This short-term “think tank” allowed us to gather enough information to write and develop the policies that best reflect our transparency efforts to protect our users.
- Collaborating: since every company collecting personal data in the European Union must follow the new regulation, why go at it alone? We partnered up with Bind Tuning, a leading web design company, to exchange ideas and create policies that could be adopted by both companies.
- Proofreading as many times as necessary: you can never be too careful when it comes to handling personal data. In early January, we adjusted our websites’ privacy and cookies policy, as well as their terms & conditions, but have since then lost count of how many times they were revised and rewritten to be 100% GDPR compliant. Comb through your text and make as many adjustments as necessary.
- Testing our own policy: there’s no better way to know if you’re GDPR compliant than testing your own policy. Read (and re-read) your own terms & conditions, privacy policy, and cookie policy, and create an account on your own website or app. Then delete that account and ask for all the personal data the company collected and kept about you. If you don’t feel comfortable with what you see, chances are neither will your customers. Companies shouldn’t keep more personal data than what’s strictly necessary for them to render a service. Adjust your policy and what your company is collecting while you still can.
GDPR may be a tiresome subject for developers to deal with and require a lot of adjustment by some companies, but it’s a much-needed regulation and one that reflects the maturity of the internet itself. Individuals will be more protected than ever and won’t have to rely as much on the goodwill of the companies rendering them services through the web. Above all, GDPR draws clear lines regarding what companies can and can’t do in an often unregulated environment.