Lots of interesting questions have arisen, not only regarding end-user data (which we don't have, since we're an agency), but also client data from other companies (e.g. PMs, owners).
One example (hypothetical):
One of our developers has the phone number of a client's IT specialist saved on their device, which has WhatsApp installed.
Is the number considered personal data?
What is the legal basis to store that number on their phone?
What is the legal basis to share that info with Facebook?
In my job, we are taking this new regulation very seriously. :-)
We are building guidelines for POs and developers to respect the new GDPR restrictions on future projects and during development.
Also, we have to build an internal tool to correctly erase the user's data from our system (on explicit demand only).
Our workstack tripled due to lack of foresight.
What kinds of problems have arisen specifically?
Our databases are protected, but they aren't adequately encrypted. We've been trying to move to encrypted servers for over a year and they've just been saying "We can't afford it". We've even said that moving to AWS would only be slightly more expensive (Only an extra few grand) and everything would be fine.
They said they'll consider it, and as soon as our Auditor started kicking everything into gear for GDPR, they finally realised that a lot of systems aren't compliant and we can be fined massively. We are taking it incredibly seriously, but we should have dealt with this at least a year ago.
I believe we're still holding onto hope for an extension at this rate.
But if they listened to the developers...
Yes, it has added a lot of work at my current job. A lot of system-wide changes need to be implemented, data needs to be consented or deleted. At my current company we have had this in the works for a couple of years so it's all planned work.
We have to analyse all our systems as well. Most of them are going fine, but I have a problem with a few. We not only have to take care of customer data, but also of employee data. This is personal data, too. And with GDPR we have to define how long we keep the data and there must be a process to delete the data as soon as it is no longer needed. There is also the "right to be forgotten".
I have no answer yet on how to deal with versioning systems like Git. There is personal data in every commit (username and email), but it is not built to delete its history after a while. You can delete the history on purpose of course, but this is more of a surgery and breaks all your processes based on the commit id.
How do others deal with such systems? There are also document management systems where you have to keep such history.
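The commit-id problem raised in the post above, as an added example that is not part of the original thread: the sketch computes commit ids the way Git does (SHA-1 over the object header plus body) for a constructed three-commit history, and shows that redacting one author identity changes that commit's id and the id of every descendant. The names, e-mail addresses, timestamps and the use of the empty tree for every commit are constructed for illustration.

```python
import hashlib

def git_object_id(kind, body):
    # Git hashes "<kind> <size>" + NUL byte + body with SHA-1.
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def commit_id(tree, parents, ident, when, message):
    # The author/committer identity (personal data) is part of the hashed body.
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines.append(f"author {ident} {when}")
    lines.append(f"committer {ident} {when}")  # assumption: same person commits
    body = "\n".join(lines) + "\n\n" + message + "\n"
    return git_object_id("commit", body.encode())

# Assumption: every commit points at the empty tree to keep the example short.
EMPTY_TREE = git_object_id("tree", b"")

# Constructed history, oldest first: (identity, timestamp, message).
HISTORY = [
    ("Alice Example <alice@example.com>", "1514764800 +0000", "initial import"),
    ("Bob Example <bob@example.com>", "1514851200 +0000", "add login form"),
    ("Alice Example <alice@example.com>", "1514937600 +0000", "fix typo"),
]

def build_chain(history, redact_email=None, replacement=None):
    # Returns the commit ids of a linear history, optionally redacting one person.
    ids, parent = [], None
    for ident, when, message in history:
        if redact_email and redact_email in ident:
            ident = replacement
        parent = commit_id(EMPTY_TREE, [parent] if parent else [], ident, when, message)
        ids.append(parent)
    return ids

def changed_after_redaction(history, email, replacement="Redacted <redacted@invalid>"):
    # True for each commit whose id differs once `email` has been redacted.
    before = build_chain(history)
    after = build_chain(history, email, replacement)
    return [b != a for b, a in zip(before, after)]

if __name__ == "__main__":
    print("redact alice:", changed_after_redaction(HISTORY, "alice@example.com"))
    print("redact bob:  ", changed_after_redaction(HISTORY, "bob@example.com"))
```

Redacting Bob leaves the first commit untouched, but the third commit, which Bob did not author, still gets a new id because its `parent` line changed.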
We are taking the new regulations very seriously. We've prepared an impact analysis of the GDPR ruling and have come up with an action plan for all the things we'll have to account for to be in compliance. It's definitely going to take up a good chunk of our time this year and it will have to be something we keep in consideration just like WCAG compliance as we build new features.
We have mandatory trainings for each employee, in-depth meetings (5-10 hours) to gather information on what we already have and what the gaps are, followed by tasks to document and implement. The worst things are basically the need to export all user-related data and the need to delete data completely. If you have large systems running, that's a lot to do.
Loads of meetings and time away from the keyboard :(
Reading the posts here makes me think that the primer I read earlier today isn't nearly enough...
They are basically doing this: 🙉🙊🙈
Nice, for me it has been a good way to drum up new business, have to say I love the idea. US lack of privacy/data harvesting has to stop.
High priority tasks assigned in this year for GDPR already.
The world is turning upside down, basically.