Ask HN: What are you doing to achieve GDPR compliance?

6 points by stnmrk ↗ HN
Intrested to hear what kind of strategy or what you are doing to achieve GDPR compliance within your org. Deadline 25 may is not far away.

2 comments

[ 9.2 ms ] story [ 14.0 ms ] thread
To simplify, our goals is to have our systems auditable and log everything we do with sensible data, and to have central control of user accounts and authorization info. We want to have logs of what happened in case of an incident aswell as restrict access to only those who need it. We are also redesigning internal tools to only show relevant data. We want to have alarms on unusual events aswell. This is most of the system/infrastructure work, we also introduced new contracts (DPA) for our sub-contractors and cloud enviroments and a shitload of other risk analysis docs and stuff like that. This is for an ISP in eu.
I'm deliberately going slowly, because I want to see what the big companies will do. This is because the interpretation of the rules is going to be important and 'custom and practice could be as important as the directive itself. I am not treating it as an IT exercise, I'm treating it as a corporate culture exercise. We are already PCI compliant, so we are already competent at ticking boxes.

The part that really concerns me the most is around email sign ups on our e-commerce site. We worked really hard to get the sign-up high and to get people to respond to the medium, and I am most concerned that 'un-pre-ticking' the box is going to reduce sign ups.

Regarding security of data, coming from PCI compliance I would say the fundamental question to ask yourself is do I really need this data in the first place?

From talking to consultants I don't think many SME's have done very much as yet.

I don't think there is anything for the SME to be scared of in GDPR, if you are a running a genuine business and are not a data hording/selling freak. The fines have been talked up, but the fines were large under DPA and no-one ever got the max!

On an aside I have been collating (but not yet curating) lots of resources on GDPR, I was thinking about a small site and mailing list, if that interests anyone?