May 25 has come and gone. Becoming GDPR compliant was a long, hard road for many companies. I talked to three businesses to learn about their transition to GDPR, and this is what they told me.
Wooden Blinds Direct
GDPR Strategy: Begin early, start with changes to customer contact procedures
Wooden Blinds Direct is one of the largest window furnishing companies in the UK, conducting business solely online. Being in the UK, the company had no choice about GDPR if it wanted to stay in business.
The transition to GDPR happened in multiple steps, according to Jordan Harling, chief digital strategist.
“The first and most important thing we did was change our opt-in process for our customers,” Harling explained. “Instead of having a pre-selected tick box which signed up customers to our mailing list, we made this unselected as a default so our customers could choose to follow our marketing instead of assuming they would want to unless otherwise stated.”
The second step was to launch a re-opt-in campaign for the email database. “While this wasn’t strictly necessary (many companies are leaning on the vague wording of GDPR),” Harling pointed out, “we did it to show our commitment to our customers. Our focus was on making sure that we only sent marketing emails to those people who wanted to engage with them.”
Wooden Blinds Direct’s process to become compliant was smooth, but more time-consuming than originally anticipated. The major hurdle was communicating to customers about GDPR and the need for updated procedures. Like their American counterparts, most UK citizens didn’t understand what GDPR was and how that would improve their online privacy. Part of the company’s transition focused on educating their customers.
The company did meet the May 25th deadline, in large part because they began the process early. Now it is a matter of maintaining the processes they’ve already begun, but also watching closely to see how GDPR unfolds over time.
GDPR Strategy: Build on existing compliance processes, rely on a principled project management approach
LogMeIn is one of the world’s top 10 public SaaS companies. With customers in nearly every country in the world, protecting their personal data and that of their end users is always a priority, and GDPR represents an opportunity to continue to demonstrate commitment in this area.
LogMeIn had already been following other compliance and privacy regulations, such as the EU-U.S. and Swiss Privacy Shield Frameworks. “Our ongoing compliance review and actions build on our existing investments in privacy, security, and the operational processes necessary to meet the relevant requirements of GDPR,” explained Gerald Beuchelt, chief information security officer.
Meeting GDPR compliance wasn’t just a job for the IT department, Beuchelt said. “With every aspect of the business affected, GDPR is a broader business issue that required nearly everyone – from the board on down — to make the process a success. For us, a key factor in the success of the program was to leverage a principled project management approach and develop a scalable communication strategy.”
The transition to full GDPR compliance was a smooth one for LogMeIn, largely because so many of the processes were already in place. “We’ve spent a lot of time and resources on data processing and data flows, and increased transparency via evidence of our compliance on our public, customer-facing GDPR Resource Center, including detailed Security and Privacy Operational Control papers,” said Beuchelt.
“With regard to privacy and the security protocols we follow, LogMeIn is extremely well positioned,” he added. “From our board to our CEO, down to every single department, we have emphasized visibility and transparency. We recently announced the addition of Sara Andrews, CISO of PepsiCo, to our board of directors – evidence that the focus on security and compliance starts at our board and cascades throughout across our entire organization.”
The May 25th deadline wasn’t an endpoint on GDPR, but only the beginning, according to Beuchelt. He predicted the U.S., Australia and others will soon follow due to the increased interest in strengthening consumers’ data privacy.
“In the end, GDPR compliance will become a well-understood compliance program with best practices and a standard approach to defining control standards and validation processes.”
GDPR Strategy: Educate leadership within the company, create program matching requirements to business processes
Credorax is a licensed merchant acquiring bank providing cross-border smart acquiring services to global merchants and payment service providers. As part of its business operations, Credorax deals with processing, transmitting and storing various data categories, especially cardholder data - which is considered personal information as defined by the EU Global Data Protection Regulation.
To become GDPR compliant, Credorax made sure leadership understood the requirements to understand how everything was related to the business, processes, and the nature of the company, and created a program to achieve compliance with all the requirements, according to Nir Chervoni, VP Information Security.
For the most part, the transition to GDPR went smoothly and as planned. Credorax had to make some technological modifications or additions, while some of the other adaptations were process-oriented, and others on the legal side.
Of course, the transition is just the beginning. Now the compliance protocols have to be maintained. Credorax implemented various modifications, especially in the process of data mapping, which emphasizes the focus on privacy-related data, as well as strengthening the security posture of all the environments while focusing on areas where privacy-related data is being handled.
“One of the most important things to do in order to remain in compliance,” said Chervoni, “is to keep track of all the activities related to privacy information, and implement proper controls – both technological and procedural, continuously.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba