
12 Jun 2018
Lessons in Digital Transformation from a DPO Post-GDPR
The day of doom has arrived and passed. Company executives everywhere took a long sigh of relief, I am sure, but if you are a member of any compliance, marketing or data protection team, you know that the work has just begun.
Some days it felt like I was in a nightmare, struggling to change processes, but now that it’s all over, I am astounded by what we have accomplished as a team in such short time frames. I wouldn’t ask for another regulation like this, but I have always been pro-GDPR, so on the bright side I was part of a positive change that I believed in, and the end outcome is a place I am proud to be.
I can only imagine the varying degrees of work other organizations have gone through in order to be compliant, and many still have a long way to go, but at least the bulk of the work is out of the way.
It’s been a hell of a ride, so it’s worth taking a minute to reflect on the lessons we have learnt in becoming GDPR compliant. I’d love to hear your own experiences and insights about your road to compliance in the comments too. Let’s compare notes!
Auditing and Planning
As daunting a task as it sounds, the best way to plan for implementation is to actually read the regulation. I tried looking for summaries or bullet points, but they end up costing you more time, as you have to fill in the gaps and you are always at the mercy of whoever did the summarizing.
In the end, you have to take the bull by the horns and just sit down and read it from cover to cover. The GDPR is a complex piece of work, so in reality it took several reads of the more ‘vague’ areas.
HR/Resourcing
Although not strictly mandated by the regulation, it is very important to appoint a DPO within your organization. They not only act as a central point of contact for the GDPR project but can also be looked upon by the rest of the organization as an authority on all data-related matters.
A DPO should be responsible for translating the law into business policy, but they will need a team of people to actually implement those policies at a practical level. Where process change is required, intricate knowledge of departmental procedures is needed, and the DPO won’t have that. When selecting a ‘GDPR tiger team’, it is most valuable to choose somebody from each of your departments so that, as the acting project manager, you minimize the number of people you need to get information from.
Designing the Customer Experience
The customer (i.e. the data subject) is at the very heart of the regulation. After all, it is designed purely to enhance their rights and freedoms. Part of the user experience must be to convey the fact that they are in charge of their data. They own it; we merely borrow it until such time as they want it back.
Of course, there are local law requirements that take precedence (think financial regulations) and industry regulations (think CA/Browser Forum), and there will be processing activities that we cannot avoid because we are obliged to perform them to fulfil a contract. However, that is all back-office stuff and typically of no interest to the consumer. They just want to know that they can manage what communication they receive and that any data they do give us is securely stored and lawfully processed in accordance with their wishes.
Security and Privacy
One of the core principles of the new regulation is privacy by design and by default. This means that every data processing activity, every system that you use and anything new that you would like to introduce, whether bespoke or off-the-shelf, must put the rights and freedoms of the data subject at the very forefront of the requirements spec. No longer can you bolt it on as an afterthought. What we did was sit down with all areas of the business and perform process analysis and tools analysis so that we could map out where our data was coming from and going to. We also performed risk assessments and data protection impact assessments for these activities. This was a very useful exercise for highlighting any areas that needed amending to adhere to the requirement.
Communication
Staff education and awareness training is not only a key requirement but also good practice. Let’s be honest: unless it’s your day job, you’re not going to know the intricacies of the law and what it means to the organization as a whole, let alone to your specific role.
This is where focused and applicable training comes in. The way I approached this was to spend some time giving a general overview of data processing principles, breach impact, etc. and then, per department/role, make it clear how it applied to them. Giving real-life, everyday examples was key to understanding and retention. It’s a big topic and, in reality, quite dry, so it’s important to serve up training little and often, and I always start a session by recapping the previous one. Just for added fun, an annual exam always throws up some unexpected questions.
Technology
The bulk of the regulation is about process and procedure, and ensuring that all of that is adequately documented. As a by-product, you also achieve excellent change management, because if a process or tool changes, so does the document that describes it. Of course, technology solutions can really help you achieve some of the core criteria, from IAM (to ensure verified access control) to encryption (an explicitly provisioned mitigating factor).
It’s important to remember that there is no one ‘silver bullet’. GDPR compliance is the culmination of all of these components coming together and acting as one holistic solution. Articles 28 through 30 establish parallel liability for controller and processor, so irrespective of how you’ve positioned yourself with your vendors, business partners and other third parties, if they lose your data, you are also responsible.
With that in mind, we took the decision to audit all of our third parties for their GDPR compliance/readiness, information security measures and other business practices. If we weren’t happy with the response, we gave them some time to put corrective actions in place or we served termination notice. Why would you voluntarily put your organization at risk from somebody else’s mistake when you can take preventative measures?
Constant Cycling
GDPR became enforceable on 25th May 2018 (having been ratified some two years previously). It’s a massive mistake to think that once you’ve done all your preparation and the magic date arrives, it’s all over. It’s not – it’s really just beginning.
Now the hard work begins: you have to maintain compliance, keep up everything you’ve worked so hard on over the last two years and, of course, keep business productivity managers happy. It defeats the object to have the most secure, most compliant company in the world if it can’t actually operate.
It goes without saying that your processes will evolve over time as new technology becomes available, and it’s a challenge keeping pace with it all. However, when you do, your organization stands out as the one that knows what it’s about, can deliver products and services competently and stakes its entire reputation on its ability to protect what’s most important – the personal data of every employee, customer and user.
GlobalSign Privacy Policy Version 3.1
Updated June 5, 2018
GlobalSign respects your right to privacy. This privacy policy has been developed to inform you about the privacy practices followed by GlobalSign in connection with its websites, products and services. This privacy policy does not apply to GlobalSign services offered by or through our partners, resellers or other third parties, or other third party services or websites, and we encourage you to read the privacy policies of those parties.
This privacy policy will inform you about what data is collected, how we use such data, where data is processed, how you may opt out of your data being used, the security provisions around storing your data and how to correct, update or delete your data.
1. Data Controller
The data controller for personal data collected within the EU is GMO GlobalSign, Ltd., having its registered offices at Springfield House, Sandling Road, Maidstone, Kent, ME14 2LP, United Kingdom. All questions or requests regarding the processing of data may be addressed to: dpo@globalsign.com.
2. Collection of Personal Information
We collect information from you when you (i) place an order for a GlobalSign digital certificate product or other product or service, (ii) scan your servers for digital certificates using our Certificate Inventory Tool (CIT), (iii) apply for access to our managed service platforms, (iv) subscribe to our newsletter, (v) use our online chat service, (vi) download a white paper, (vii) register for a webinar, (viii) respond to a survey, (ix) fill out a form for pre/post sales assistance, (x) open a support ticket, or (xi) use social media.
GlobalSign is a Certification Authority and trusted third party. To fulfill requests for digital certificates or other products or services, you may be asked to enter your name, email address, physical address, phone number, credit card information and/or organizational details or other personal information.
- Contact information such as your name, email address, physical address, and phone number.
- Relationship information that helps us do business with you, such as the types of products and services that may interest you, contact and product preferences, languages, marketing preferences and demographic data.
- Transactional information about how you interact with us, including purchases, inquiries, customer account information, billing and credit card information, organizational details, transaction and correspondence history, and information about how you use and interact with our website.
We may develop and acquire additional information about you using third-party (public and private) data sources such as third party databases and government agencies, as well as your browsing and purchasing history in order to process orders for certificates and to improve our services.
GlobalSign treats personal information as confidential, except for the information included in an issued digital certificate. Such information may be verified using third party commercial and government resources, and as such, is deemed to be public information.
3. Purpose of Processing
Your personal data will be used for the purposes specified below:
3.1 To process applications for GlobalSign products and services
Your information is used to provide our products and services and order processing as well as to conduct business transactions such as billing.
3.2 To improve customer service
Your information helps us to more effectively respond to your pre/post sales requests and provide technical support.
3.3 To send renewal notices
The email address you provide for order processing may be used to send you renewal notices for your expiring digital certificate.
3.4 To send service updates
In addition, subject to your consent where required, we may send you new service updates, security updates, related product or service information, and status updates on maintenance windows or service availability.
3.5 To tell you about our products and services
Subject to your consent where required, we may send you periodic company newsletters, information about our products and services that may be of interest to you based on your use of other GlobalSign products and services, your attendance at GlobalSign sponsored marketing events such as webinars, your requests for information about similar products and services, or your sharing of data with social media sites such as LinkedIn or Facebook.
4. Legal Basis for Processing Personal Data
We will process your data for the purpose of performing our contract with you or for the legitimate interests of GlobalSign, which are our usual business activities. In other cases, we will request your consent for the processing of the personal data you may submit.
Your refusal to provide personal data to us for certain products and services may hinder us from fulfilling your order for those products or services. Also, if you deny or withdraw your consent to use personal data or opt out of receiving information about GlobalSign products and services this may result in you not being made aware of renewal notices, periodic company newsletters, new service updates, security updates, related product or service information, and status updates on maintenance windows or service availability. See Section 10 below for how to withdraw your consent.
5. Use of Cookies and Web Beacons
The GlobalSign Certificate Center (GCC) uses cookies to enable the fulfillment of services. Cookies may be used when you log into the GCC, purchase products or use certain GCC functions.
In addition, like most online businesses, GlobalSign uses cookies and web beacons on our websites and through marketing related emails to gather and analyze some personal data such as the visitor's IP address, browser type, ISP, referring page, operating system, date/time and basic geographical information.
We use cookies and web beacons to compile aggregate data about site traffic and site interaction so that we can gauge the effectiveness of our communications and offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.
First time visitors may choose to not have any activity monitoring cookies set in their browser. We use an opt-out identification cookie to tag these users as having made this decision. Those cookies that pertain to site performance, experience improvement and marketing are programmed not to execute when an opt-out cookie is present in a visitor's browser. Opt-out cookies persist until a visitor clears their browser cookies, or until their expiration one year after the set date. A visitor is required to opt out again after one year in order to disable any activity monitoring cookies.
More details of GlobalSign's use of cookies can be found on our website at https://www.globalsign.com/en/repository/cookie-policy/
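The opt-out mechanism described in section 5 (non-essential cookies are not set while an opt-out cookie is present, and the opt-out lapses after one year) is easy to get wrong in practice: the gate must sit server-side or at the point where each cookie is set, not in an analytics snippet that may load before the check. The following is an added example, not GlobalSign's code; the cookie name `activity_optout`, the four cookie categories and the request cookies in the comments are all assumed for illustration. It works on the raw `Cookie` header string so it runs outside a browser.

```javascript
// Added example (not GlobalSign's code): gating non-essential cookies on an
// opt-out cookie, modelled on the mechanism described in section 5.
const OPT_OUT_COOKIE = "activity_optout";      // assumed name, not from the policy
const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;   // policy: opt-out lasts one year

// Cookie categories (assumed). Only "essential" cookies ignore the opt-out flag.
const COOKIE_CATEGORIES = {
  session_id: "essential",      // GCC login / checkout
  perf_sample: "performance",
  ux_variant: "experience",
  mkt_campaign: "marketing",
};

// Parse a Cookie header ("a=1; b=2") into a Map. Tolerates empty input
// and malformed fragments without throwing.
function parseCookies(header) {
  const jar = new Map();
  if (!header) return jar;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar.set(name, value);
  }
  return jar;
}

// Decide which of the cookies a page wants to set may actually be set for
// this request. An absent opt-out cookie (including one that expired and is
// therefore no longer sent by the browser) means monitoring is allowed again,
// which is exactly the "opt out again after one year" behaviour in section 5.
function allowedCookies(cookieHeader, wanted) {
  const optedOut = parseCookies(cookieHeader).get(OPT_OUT_COOKIE) === "1";
  return wanted.filter((name) => {
    const category = COOKIE_CATEGORIES[name];
    if (category === undefined) return false; // unknown cookie: never set it
    return category === "essential" || !optedOut;
  });
}

// Build the Set-Cookie value that records an opt-out. Both Max-Age and
// Expires are emitted so old and new user agents expire it one year after
// it is set; Secure and SameSite keep the flag from leaking cross-site.
function optOutSetCookie(nowMs) {
  const expires = new Date(nowMs + ONE_YEAR_SECONDS * 1000).toUTCString();
  return `${OPT_OUT_COOKIE}=1; Max-Age=${ONE_YEAR_SECONDS}; Expires=${expires}; Path=/; Secure; SameSite=Lax`;
}

// Constructed demonstration, not real traffic.
const WANTED = ["session_id", "perf_sample", "ux_variant", "mkt_campaign", "unknown_tracker"];
console.log(allowedCookies("", WANTED));                               // all four known cookies
console.log(allowedCookies("activity_optout=1; session_id=abc", WANTED)); // only session_id
console.log(optOutSetCookie(Date.UTC(2018, 5, 5)));
```

Note that the unknown cookie is refused in both cases: a deny-by-default category table is what turns a documented policy into something an auditor can check against the code.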
6. Use of application logs for diagnostics or to gather statistical information
Our servers automatically record information ("Application Log Data") created by your use of our services. Application Log Data may include information such as your IP address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device and application IDs, search terms, and cookie information. We use this information to diagnose and improve our services. Except as stated in section 8 (Data Retention), we will either delete the Application Log Data or remove any account identifiers, such as your username, full IP address, or email address, after 12 months.
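Section 6 commits to one of two outcomes after 12 months: delete the Application Log Data, or strip the account identifiers (username, full IP address, email address) while keeping the diagnostic fields. The second outcome is what the following added example implements; it is not GlobalSign's code, and the log record layout, the sample records and the choice to truncate IPv4 addresses to a /24 and IPv6 addresses to a /48 are assumptions for illustration (the policy only says the full address is removed).

```javascript
// Added example (not GlobalSign's code): applying a 12-month identifier
// retention rule to application log records, as described in section 6.
const RETENTION_MONTHS = 12;

// Expand an IPv6 address into its eight groups so "::" compression does not
// break the truncation below (e.g. "2001:db8::1" -> 8 groups).
function expandIpv6(ip) {
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  return [...h, ...Array(8 - h.length - t.length).fill("0"), ...t];
}

// Keep only the network part of an address: /24 for IPv4, /48 for IPv6
// (assumed granularity). Returns null for anything that is not an address.
function truncateIp(ip) {
  if (typeof ip !== "string") return null;
  if (ip.includes(":")) return expandIpv6(ip).slice(0, 3).join(":") + "::";
  const octets = ip.split(".");
  if (octets.length !== 4) return null;
  return `${octets[0]}.${octets[1]}.${octets[2]}.0`;
}

// Records with a timestamp before this date have passed the retention period.
function cutoffDate(nowMs) {
  const d = new Date(nowMs);
  d.setUTCMonth(d.getUTCMonth() - RETENTION_MONTHS);
  return d;
}

// Returns a new record; the input is never mutated. Recent records are
// returned unchanged; older ones lose username and email and keep only the
// truncated IP, so diagnostics (path, user agent) survive without the
// account identifiers.
function applyRetention(record, nowMs) {
  if (new Date(record.ts) >= cutoffDate(nowMs)) return { ...record };
  const { username, email, ...rest } = record; // account identifiers dropped
  return { ...rest, ip: truncateIp(record.ip), pseudonymized: true };
}

function processLogs(logs, nowMs) {
  return logs.map((r) => applyRetention(r, nowMs));
}

// Constructed sample log records (not real traffic; documentation IP ranges).
const SAMPLE_LOGS = [
  { ts: "2018-05-20T10:00:00Z", ip: "203.0.113.45", username: "alice", email: "alice@example.com", path: "/login", ua: "Mozilla/5.0" },
  { ts: "2017-04-01T09:30:00Z", ip: "198.51.100.7", username: "bob", email: "bob@example.net", path: "/order", ua: "curl/7.58" },
  { ts: "2016-12-31T23:59:59Z", ip: "2001:db8:abcd:1234::9", username: "carol", email: "c@example.org", path: "/", ua: "Mozilla/5.0" },
];

console.log(processLogs(SAMPLE_LOGS, Date.UTC(2018, 5, 12))); // run "as of" 12 June 2018
```

Run against the sample as of 12 June 2018, the first record is inside the window and passes through untouched; the other two come back without `username` and `email`, with `ip` reduced to `198.51.100.0` and `2001:db8:abcd::` and a `pseudonymized` flag so a later job can tell which records have already been processed.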
7. Sharing of Information and Transfers of Data
We do not sell or trade your personal information to outside parties.
Within GlobalSign: GlobalSign is a global organization with business processes and technical systems in various countries. As such, we may share information about you within our group company and transfer it to countries in the world where we do business in connection with the uses identified in section 3 above and in accordance with this Privacy Policy. In cases where your personal data is transferred to countries that do not provide an adequate level of protection according to the European Commission ('adequacy decision'), we ensure your data is protected by entering into agreements containing standard contractual clauses approved by the European Commission with each of our group companies. A copy of these agreements may be obtained by contacting us as outlined in section 15 below.
Third Parties: We may also transfer your personal data to trusted third parties and our partners in order to serve purposes that are specified in section 3 above. GlobalSign uses a third party to process credit card payments and provides credit card numbers and identifying financial data directly to the third party credit card processor.
In circumstances where data is shared with such third parties, they are required to comply with confidentiality terms included in our data processing agreements. This prohibits such third parties from selling, trading, using, marketing or otherwise distributing GlobalSign customer data.
As Required by Law: We may also release your information when we believe release is appropriate to comply with the law or protect our rights, property, or safety.
It is our policy to notify customers of requests for their data from law enforcement unless we are prohibited from doing so by statute or court order. Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically precludes member notification, such as an order issued pursuant to 18 U.S.C. §2705(b).
Mergers & Acquisitions: We may also disclose your personal information to third parties who may take over the operation of our site or who may purchase any or all of our assets, including your personal information. We will contact you using the details you provide if there is any change in the person controlling your information.
8. International Transfers
The third parties, subsidiaries and affiliates to which your personal information can be disclosed may be located throughout the world. Therefore, information may be sent to countries having different privacy protection standards than your country of residence. In such cases, we take measures to ensure that your personal information receives an adequate level of protection, which includes the EU Standard Contractual Clauses to protect your personal information.
9. Data retention
The personal information we collect is retained for no longer than necessary to fulfil the stated purposes in section 2 above or for a period specifically required by law or regulation that GlobalSign is obligated to follow.
To meet public CA audit requirements as detailed in the GlobalSign Certification Practice Statement, personal data used to fulfill verification of certain types of digital certificate applications will be retained for a minimum of 10 years depending on the class of product or service and may be retained in either a physical or electronic format. Please refer to the GlobalSign Certification Practice Statement for full details.
After the retention period is over, GlobalSign securely disposes or anonymizes your personal information in order to prevent loss, theft, misuse, or unauthorized access.
10. Opting out; withdrawing consent
If at any time you would like to unsubscribe from receiving future emails, we include unsubscribe instructions at the bottom of each email.
Renewal notices may be cancelled on a per digital certificate basis by logging into your GlobalSign Certificate Center (GCC) account and disabling renewal notices.
Email preferences for CIT related/collected information can be updated and changed within CIT.
If GlobalSign is processing your personal data based on your consent, you may withdraw your consent at any time via the GlobalSign Preference Centre at https://downloads.globalsign.com/acton/media/2674/preference-center-login or by contacting us at one of the addresses shown in section 15 below.
11. Your Rights
You are responsible for providing GlobalSign with true, accurate, current and complete personal information. Also, you are responsible to maintain and promptly update the information to keep it true, accurate, current and complete.
You have the right to access and modify your personal data stored on GlobalSign systems. You can exercise your rights by contacting us in writing. We will require you to provide identification in order to verify your identity as the data subject. We will make reasonable efforts to respond to and process your request as required by law.
To the extent of applicable law, you may have the right to request erasure of your personal information, restriction of processing as it applies to you, object to processing and the right to data portability. You may also have the right to lodge a complaint with a supervisory authority.
If you provide any information that is untrue, inaccurate, not current or incomplete, or if we have reasonable grounds to suspect that such information is untrue, inaccurate, not current or incomplete, we have the right to suspend or terminate your account and refuse any and all current or future services.
12. How we protect your information
We implement a variety of security measures to maintain the safety of your personal information when you place an order or enter, submit, or access your personal information. All supplied sensitive/credit information is transmitted via Secure Sockets Layer (SSL).
After a transaction, your transaction-related information will be kept on file to meet audit requirements and facilitate renewals. We do not retain any credit card details.
13. Relevant laws
GlobalSign is committed to protecting the personal information submitted by applicants and subscribers for its public certification services. GlobalSign declares that it fully respects all rights established and laid out in European Union and Member States' laws and regulations:
- European Directive 95/46 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as replaced by Regulation EU 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the EU General Data Protection Regulation); and
- Provisions of the GlobalSign CPS.
14. Changes to our Privacy Policy
If we make material changes to our privacy policy, we will inform customers by emailing a notice of the availability of a new version with a link to the new version.
- We use the data you submit only for purposes identified in section 3 of this privacy policy.
- You have the right to review your personal data that GlobalSign holds and check it for accuracy.
- You have the right to correct data in the case that errors may be found in our records.
- You have the right to request that any of your personal data be erased (i.e. the right to be forgotten).
- You have the right to obtain and reuse your personal data for your own purposes.
- You have the right to request that GlobalSign restrict the processing of your personal data under certain circumstances.
- You have the right to object to our processing of your personal data.
15. Contact Us
If you have any inquiries or questions regarding our privacy policy, please contact us at:
https://support.globalsign.com/
https://www.globalsign.com/en/company/contact/support/
https://jp.globalsign.com/support/
or
Deputy Data Protection Officer
GMO GlobalSign, Ltd.
Springfield House Sandling Road
Maidstone, Kent ME14 2LP
United Kingdom
dpo@globalsign.com
16. Our Office Locations
GMO GlobalSign K.K., Tokyo, Japan
GMO GlobalSign Ltd., Maidstone, Kent, UK
GMO GlobalSign N/V, Leuven, Belgium
GMO GlobalSign, Inc., Portsmouth, NH, USA
GMO GlobalSign Russia LLC, Moskva, Russia
GMO GlobalSign Pte. Ltd, Anson, Singapore
GMO GlobalSign Certificate Services Pvt. Ltd., Delhi, India
GlobalSign China Co., Ltd., Shanghai, China
GMO GlobalSign Inc., Manila, Philippines
GMO GlobalSign FZ-LLC, Dubai, UAE