How we handled GDPR the first time around
It feels like just yesterday we scrambled to get ready for the GDPR deadline on May 25, 2018, even though we had worked for months to be ready in time. New policies were created, processes were altered, and Data Processing Agreements (DPAs) with third-party vendors were drawn up, signed, and archived. At the same time, our bigger customers wanted customised DPAs with us, and we had to make sure we addressed all their concerns. Back then the regulation was very new and no one really understood the implications of all the new rules businesses had to follow. Ultimately we ended up with a list of practically all of our third-party vendors, so that we could be sure we were following the regulation completely.
Because of all the contracts we had to store, keep track of, and refer back to, we quickly realised that the new regulation presented a lot of opportunities for us and our customers to grow together. We re-aligned our own business to help customers and prospects send out thousands of DPAs and GDPR notices in time to their own customers and vendors. We also helped onboard customers' employees, and even entire departments, to handle these types of contracts, and it quickly proved to be a fantastic use case for our customers.
We value security and privacy
Security, privacy, and trust have been priorities at Oneflow since day one, so watching privacy and personal information become more and more discussed and prioritised over the last two years has been incredibly interesting for us. We work closely with customers and partners to keep improving the security and handling of the personal information we process for them, and we continuously build tools to help customers control their data in our platform. Things like data retention policies, data exports, powerful search functionality, and additional security such as two-factor authentication, both for our customers' users and for their contract counterparties, help our customers in their day-to-day work. We have also hired dedicated security personnel to continue and expand our work in securing our customers' data.
A huge GDPR change, overnight
Fast forward to July 16, 2020, when the surprise ruling from the Court of Justice of the European Union (the Schrems II judgment) invalidated the EU-US Privacy Shield. This took everyone by surprise, and right in the middle of Swedish vacations and an unprecedented lockdown we had to re-evaluate every single third-party vendor we use and update all our internal processes. Our original response to GDPR had been to list practically all of our vendors, so we started by going through that list one vendor at a time and asking questions like: "Do we really need to store personal data in this system?" and "Do they offer data centres in the EU?". We are now very critical of whether we actually need a vendor to handle personal information at all. It turned out that a lot of the data we processed could be cleaned, anonymised, or diverted completely, which let us shorten our list of sub-processors. Finally, we worked with the remaining vendors to migrate our accounts from their US data centres to their EU data centres.
Rome wasn’t built in a day
After two months of work, I'm happy to say we have removed seven sub-processors completely and migrated four over to the EU. We now have a much smaller footprint of personal information, and almost all of it is in the EU. While this is a pain for any business, it is one worth spending time, money, and energy on. We no longer live in the wild west where personal information is shared, sold, and leaked in every way imaginable, and it is time to get it under control again. We will continue to reduce and consolidate our third-party vendors to make it easier for you to trust us with your data.
Our best tips for working with personal data
A few tips and lessons learned from my perspective working with personal information:
- Treat personal information as nuclear waste. It’s incredibly dangerous if (when) it leaks and you should take every measure to keep it safe.
- Enable data retention policies on your data. Removed personal information can’t leak. In Oneflow, you can set up rules to automatically remove old or expired contracts and all their data.
- Demand more of your vendors (even us!). When you buy a service, you also buy a promise from your vendor to keep your data safe. Your data is their responsibility, and they had better do everything they can to keep it safe for you.
- Consolidate your data and workflows in fewer systems (in the EU!). Re-evaluate if you really need to store customers’ personal information in analytics, ticket systems, or video conferencing tools.
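The retention tip above ("removed personal information can't leak") is easy to state and easy to get subtly wrong in practice. The following is an added illustration, not Oneflow's own code or API: a small retention sweep over an in-memory list of contracts with constructed sample records. The `Contract` and `RetentionRule` types, the field names, and the rule values (180 days after expiry for signed contracts, 90 days after last activity for drafts and declined contracts) are all assumptions chosen for the example. It shows the two checks a practitioner usually wants: a legal hold must always win over a retention rule, and a record with no usable anchor date (an open-ended contract with no expiry) is kept rather than deleted on a guess.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Constructed model for the example; real contract systems will differ.
@dataclass
class Contract:
    id: str
    status: str                   # "draft", "signed", "expired", "declined"
    expires_on: Optional[date]    # None for open-ended contracts
    last_activity: date
    legal_hold: bool = False      # e.g. subject of a dispute or audit


@dataclass(frozen=True)
class RetentionRule:
    statuses: FrozenSet[str]      # which contract statuses the rule covers
    keep_for: timedelta           # how long to keep after the anchor date
    anchor: str                   # "expires_on" or "last_activity"


def is_due_for_removal(c: Contract, rule: RetentionRule, today: date) -> bool:
    """True if this rule says the contract (and its personal data) should go."""
    if c.legal_hold:
        return False              # a hold always overrides retention
    if c.status not in rule.statuses:
        return False
    anchor_date = c.expires_on if rule.anchor == "expires_on" else c.last_activity
    if anchor_date is None:
        return False              # no anchor: never delete on a guess
    return anchor_date + rule.keep_for <= today


def apply_retention(contracts: List[Contract], rules: List[RetentionRule],
                    today: date) -> Tuple[List[str], List[Contract]]:
    """Split contracts into ids to purge and records to keep."""
    removed: List[str] = []
    kept: List[Contract] = []
    for c in contracts:
        if any(is_due_for_removal(c, r, today) for r in rules):
            removed.append(c.id)
        else:
            kept.append(c)
    return removed, kept


# Assumed policy for the example: signed/expired contracts go 180 days after
# expiry; drafts and declined contracts go 90 days after the last activity.
RULES = [
    RetentionRule(frozenset({"signed", "expired"}), timedelta(days=180), "expires_on"),
    RetentionRule(frozenset({"draft", "declined"}), timedelta(days=90), "last_activity"),
]

# Constructed sample data (not real contracts).
SAMPLE = [
    Contract("C1", "signed", date(2020, 1, 31), date(2020, 1, 1)),               # expired long ago
    Contract("C2", "signed", date(2020, 6, 30), date(2020, 6, 1)),               # still inside window
    Contract("C3", "declined", None, date(2020, 2, 1)),                          # stale draft
    Contract("C4", "signed", date(2019, 12, 31), date(2019, 12, 1), legal_hold=True),
    Contract("C5", "signed", None, date(2019, 1, 1)),                            # open-ended, no expiry
]


def run_example(today: date = date(2020, 9, 15)) -> Tuple[List[str], List[str]]:
    """Returns (ids to purge, ids kept) for the constructed sample."""
    removed, kept = apply_retention(SAMPLE, RULES, today)
    return removed, [c.id for c in kept]


if __name__ == "__main__":
    purge, keep = run_example()
    print("purge:", purge)   # C1 and C3
    print("keep: ", keep)    # C2 (in window), C4 (legal hold), C5 (no expiry)
```

The purge list is only half the job: every sub-processor that received a copy of those contracts (analytics, ticketing, e-mail) needs the same deletion propagated, which is one more reason the consolidation tip matters.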
Oneflow’s promise to you
We will continue to be completely transparent in how we handle our customers' data, and while our competitors might deflect and play down the importance of these topics, we will work to increase awareness, knowledge, and interest instead. We know your contracts are among your most important assets, and we will do everything we can to keep them secure. Feel free to reach out to our CS team if you have any questions.
If you want to learn more about how we navigated this GDPR update, how we manage your data, or how to get started digitising your business, give us a shout!
Our new Security & Compliance Team
At Oneflow, we know that security is of the utmost importance. That is why we are building a team devoted to Security & Compliance. Olu Asaolu, our Senior Information Security Analyst, is responsible for keeping Oneflow and all of our employees and customers safe digitally. He will keep us up to date with the latest security measures, vet all suppliers and applications used at Oneflow, conduct risk assessments, and continuously educate Oneflow employees on security and compliance.