In preparation for GDPR, Vaimo has dedicated internal resources to make sure that both we as a company and our clients, are ready for its enforcement on May 25th, 2018. We have always treated the area of data protection very seriously, which is why we took a comprehensive and detail-driven approach to ensuring compliance for ourselves and our clients around the world. In this article, you'll learn more about the extensive work that has taken place around the subject of GDPR within Vaimo.
GDPR - What has Vaimo done?
It was back in September 2017 that Vaimo began implementing its GDPR strategy with three key strands in mind:
- Security – our obligations in providing technical measures to ensure the secure storage and treatment of data.
- Internal compliance – being aware of how we operate internally as a controller, i.e. in the areas of HR, finance, marketing and sales.
- End-user data – and finally, how to support our clients, as controllers, to meet their GDPR obligations.
For Vaimo, our approach throughout this process has centred on the themes of transparency, accountability and demonstrating good intent.
Vaimo's GDPR Roadmap:
The first course of action was to conduct a data mapping exercise. We wanted to take stock and get an overall picture of what data we had, its provenance, how we used it, how we stored it, who we shared it with and how long we kept it. This process was conducted internally and in conjunction with our key contacts. It involved reviewing our internal processes, platforms and tools, all to get a complete understanding of the current state of play for both ourselves and our clients. In parallel to these exercises, work was also taking place in assessing our current privacy policies and how these would need to change in moving towards compliance. This was in addition to reviewing the agreements we had with our clients and suppliers.
Following our data-mapping, the next stage in the process was running a gap analysis in order to see how close we were to compliance. When performing our gap analysis, we focused on the two central pillars of GDPR; transparency and accountability. From this, we were then able to form a more concrete implementation plan in moving forward. In conjunction with regular training, this plan was shared with all employees internally in order to raise awareness and knowledge. Indeed, throughout our strategy, employees have been engaged in GDPR through training events, presentations and the distribution of online guides and documents.
Then came the implementation phase; the rolling out of our new policies and testing their robustness against various scenarios and outcomes. Were we providing the right information at the right time? And did we have the right sort of procedures in place? This period included such things as the creation of a new data processor agreement, the adoption of new security policies and the implementation of new 3rd party tools.
Now, with the GDPR deadline over 3 months away, the key focus for Vaimo is to update and test how we deal with both incident management and subject requests. Then all efforts will carry on with the step above in finalising and testing all of our GDPR policies against a number of variables.
How has Vaimo helped its clients prepare for GDPR?
In addition to the internal steps we have been taking, our other main focus has been the preparedness of our clients. We want our clients to feel confident and well equipped to deal with the new regulations. And for this reason, we have shared knowledge and offered advice and support via a number of channels.
Our recent resources have included:
- A client webinar hosted by Vaimo's COO, Brendan Peo, on 'GDPR and your Roadmap to Compliance'
- A breakfast briefing hosted at our HQ in Sweden to our existing clients to ensure they are up to speed with GDPR
- The downloadable Vaimo GDPR Fines Guide which provides detailed guidance on the breaches and fines under GDPR and sets out what you are responsible for as a data processor or a data controller.
- In the article, 'What is GDPR – Back to Basics', we provided answers to the most important GDPR questions.
- Action plan for eCommerce sites before GDPR to guide companies who have not yet started with their own action list
- And in 'Secure your B2B Business Before GDPR' we looked at the potential threats from GDPR and offered advice on how you can keep your business safe during this transition.
Future events in the run-up to May 25th include breakfast seminars and the dissemination of further guidance in various countries at Vaimo offices. Register your interest here. Vaimo has also set up lines of communication with all of its clients specifically for the purpose of preparing each and every one of them for GDPR. We are offering new products and services around GDPR to our existing clients, like security upgrades to incorporate state-of-the-art technologies to reduce security risks and a clearly defined incident management program. In line with data security best practice, we also offer data encryption services where needed (such as network traffic, personal and sensitive data etc). There are also two extensions recommended; the password management extension and GDPR extension, for addressing the issues with weak usernames and passwords and some of the data subjects’ rights under GDPR (for example the right to erasure and data portability).
GDPR is a complex framework, with a plethora of new regulations to adhere to, and serious ramifications for those who don't. But despite the challenges, Vaimo has taken proactive steps in order to secure the compliance of ourselves and our clients.
If you are still to implement your own GDPR strategy, however, and require input, then please note the following services that Vaimo can assist you with today. You can book a call with us or send us an email at firstname.lastname@example.org and a member of our team will get back to you.
The information given in this document concerning technical legal or professional subject matter is for guidance only and does not constitute legal or professional advice. Vaimo assumes no responsibility for such information contained in this document and disclaims all liability in respect of such information.