Umbraco and GDPR VI: 6 months later
Remember this: the last day before GDPR came into effect. Many a person had announced that the world would go under and we all would die. Death by GDPR. But we did not die. Perhaps it was because of the modern dancer performing the GDPR text at the Codegarden 2018 bingo, or more likely; it did not happen because we all were pretty well prepared and had given the topic attention.
And here we are, six months after, allowing me to make some comments on our experience with GDPR:
- If you are using cloud then you know that we have a DPA. Most customers have accepted that. Other customers, typical governmental or large corporations, would like us to use their own DPA. I think that it should not be the order of the day that the customer dictates how the supplier handle their legal obligations. I do understand that a customer prefers to have one DPA across all suppliers. That is perfectly legitimate. However, we, the supplier, have the same preference (alone from scaling reasons). And since it is the supplier’s prerogative to determine how they want to sell, we find that it is up to the supplier to determine how the DPA is constructed. Therefore we have given a friendly push back to customers wanting us to make separate DPAs. But all in all, a positive experience without much drama.
- We have introduced GDPR in our onboarding program for new employees ensuring that basic knowledge is acquired and that procedures and principles are internalised.
- Brexit is very much up in the air. Where it ends is still unclear. What we know is that the British Governement have announced how they see the world with regards to Data security aka GDPR. This regardless of “deal or no deal”. In either case, UK companies should be fine by storing data in EU. With regards to Umbraco Cloud, we store data in EU outside of UK. So both UK and the 27 remainers are fine with present set-up on Umbraco Cloud. We will continue to follow this issue closely.
- We have had four people asking for deletion of hers/his data. Our procedure was initiated and we had data deleted in good time within the stipulated time frame (see our Right to be Forgotten policy). Remember that a request for deletions needs an answer within 30 days and data has to be deleted in back-ups as well.
- We have introduced a biannual GDPR revision policy. We have just finished the first after the introduction of GDPR. The revision included:
- Checking that we still have all relevant data mapped
- Remove systems and delete data that are not in use anymore
- Adjusting our MO to new rulings by the data authorities.
The overall conclusion after six months with GDPR is that it has improved the thinking around privacy. Further, I conclude that GDPR is here to stay :-), meaning that we as others continuously need to work with this as rulings and processes around this is not at a standstill.
For all our GDPR related initiatives, please visit our dedicated page on this topic.
And if you missed the Codegarden GDPR dance performance (or just want to re-watch it) here it is: