In this article we’ll share the steps we’ve taken to comply with the General Data Protection Regulation (GDPR), coming into force no later than tomorrow. In the second installment of this mini-series we’ll specifically look at the technology needed to ensure compliance.
Modifying internal systems for GDPR compliance
As I mentioned in ‘Part 1’ of the mini-series, we were already ridiculously compliant, but here is a round-up of the modifications we needed to make regardless:
We’ve set up the procedures (for each system separately; we don’t link between accounts, remember?) so that users can export their data if they wish to. We have added the functionality of requesting a data export or deleting an account entirely via the Passenger customer portal (account/account_settings). Customers can request a file containing all data Phusion holds on them, in a machine-readable format (JSON).
We implemented log rotation for services whose logs contain IP addresses. Those logs are now kept for a maximum of 14 days before they’re deleted automatically. In the previous post we mentioned that we removed old, unpaid quotes from our system. Paid quotes we retain for the legally required minimum of 7 years.
To securely get an idea of how many unique Passenger instances are running, we hash IPs (so we can no longer see the raw addresses). In fact, we use IP anonymization for every system where we use Google Analytics, so you can be sure we do not collect personally identifiable information on Google [1].
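The two approaches mentioned above behave differently when counting unique instances. The following is an added example, not Phusion's code: the post does not say how its hashing is done, so the function names, the HMAC construction and the demo key are assumptions. It compares last-octet truncation, an unkeyed hash and a keyed hash on constructed addresses, and shows that an unkeyed hash of an IPv4 address can be matched back by enumerating the address space.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample of check-in source addresses (documentation ranges only).
SAMPLE_IPS = ["203.0.113.7", "203.0.113.7", "203.0.113.200",
              "198.51.100.23", "2001:db8::1"]

# Assumption: a secret held outside the dataset; constructed value for the demo.
DEMO_KEY = b"constructed-demo-key-rotate-me"


def mask_ip(ip: str) -> str:
    """Truncation: zero the last IPv4 octet, or the last 80 bits of IPv6."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the packed address."""
    return hashlib.sha256(ipaddress.ip_address(ip).packed).hexdigest()


def keyed_hash(ip: str, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256: stable per address under one key, useless without it."""
    return hmac.new(key, ipaddress.ip_address(ip).packed, hashlib.sha256).hexdigest()


def unique_count(ips, transform) -> int:
    """Count distinct values after applying an anonymization transform."""
    return len({transform(ip) for ip in ips})


def recover_from_digest(digest: str, network: str, hasher=plain_hash):
    """Enumerate a network and return the address whose hash matches, if any."""
    for candidate in ipaddress.ip_network(network):
        if hasher(str(candidate)) == digest:
            return str(candidate)
    return None


if __name__ == "__main__":
    print("masked uniques:", unique_count(SAMPLE_IPS, mask_ip))
    print("keyed uniques: ", unique_count(SAMPLE_IPS, keyed_hash))
    leaked = plain_hash("203.0.113.7")
    print("plain hash reversed:", recover_from_digest(leaked, "203.0.113.0/24"))
    print("keyed hash reversed:", recover_from_digest(keyed_hash("203.0.113.7"), "203.0.113.0/24"))
```

Truncation undercounts hosts that share a /24, while the keyed hash keeps exact unique counts; rotating the key bounds how long any pseudonym stays linkable.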
Switching to compliant SaaS
Like any other business we rely quite a bit on external software and services (including but certainly not limited to: Zapier, Trello, Slack, Typeform, Vimeo, Twilio, Highrise and AWS). We needed to make sure these software providers are compliant as well. For video-conferencing (we do quite a bit of video-conferencing as a distributed team) we decided to move away from Skype until they have clarified their legal position on GDPR, which remains very vague. MailChimp on the other hand - with their GDPR-friendly forms, improved contact management and updated data processing agreement - exemplifies the other end of the compliance spectrum.
Privacy by Design
We went ahead and created a (very) elaborate data register representing when and why we collect what data, how long we retain it and how we protect data morsels. We then created links between fields and departments. Mapping what data is transferred to what internal system helped provide tremendous insight and a myriad of opportunities to optimize for ‘Privacy by Design’, which is what we strive for.
We also appointed a Data Protection Officer even though we are not obliged to.
Next steps
In part 3 of this series we’ll look into (our) external and internal communication concerning privacy and GDPR compliance.
I’d love to hear about the steps you’ve taken to ensure your product’s or service’s compliance and how you plan to stay compliant in the messy, async and ad hoc day-to-day world that is business.
1. We are painfully aware that Google Analytics only blanks the last (arguably the least significant) digits of an IP.