Just like any organisation that handles and processes EU citizen data, we’ve had to jump through the GDPR compliance hoops, too. We want to walk the walk alongside everybody else, including our customers.

Here’s our GDPR compliance journey that is sure to continue well beyond May 25, 2018.

Use our compliance journey as inspiration for yours.

Siteimprove's full GDPR compliance timeline

The First Steps to GDPR Compliance

Around the time the General Data Protection Regulation (GDPR) was announced in late 2015, the world saw what Siteimprove General Counsel Angelo Spenillo called the “perfect data privacy storm”. The Safe Harbor certification scheme in the US had just been invalidated, the GDPR was announced, and it was unclear how to properly transfer personal data across the Atlantic.

So when the GDPR was announced in December 2015, we were already settling into the data privacy mindset and defining our US-based data processors.

At the earliest stage of Siteimprove’s GDPR compliance journey, Spenillo started scribbling down all known data flows on a whiteboard.

Whiteboard drawing of Siteimprove's data flows at the beginning of their GDPR compliance process

Siteimprove’s General Counsel Angelo Spenillo kicked off the GDPR compliance process by documenting data flows on a whiteboard.

Our customers trust us to scan their websites and collect a lot of data—so it was important to honour that trust and get complete insight into our data collection. And while some think GDPR is about exorbitant fines, it’s really about the right to stronger online privacy.

“It just makes good business sense. Why wouldn’t you want to keep track of what data you’re collecting and what you’re doing with it?” said Spenillo. “Especially with the whole Facebook situation, it’s clear that people do actually care about their personal data and what you’re doing with it—and that they can easily figure out what you’re doing with it.”

We formally kick-started Siteimprove’s GDPR compliance process back in 2016, and a key component was getting buy-in from upper management. A struggle for many companies since late 2015 has been convincing upper management to invest the time and resources into GDPR compliance from the get-go.

While we were lucky to have support from the very beginning, we certainly came across our own stumbling blocks—including a shortage of staff to help with compliance efforts and some documentation gaps.

Expanding Resources and Taking the Next Steps

Complying with GDPR is challenging enough for a company with one location. Throw nine global offices into the mix—six of which are in the EU—and the GDPR workload gets a whole lot bigger.

In July 2016, Spenillo began working with a third-party law firm to standardise customer contracts to local data privacy requirements.

And even though the GDPR is an EU-wide regulation, each individual country is responsible for implementing it.

“We might have countries that are a little bit more strict on how they approach the GDPR than others, so it’s a huge challenge,” said Spenillo. “Instead of trying to comply with every single thing for every country, we try to find the strictest country and comply with that one.”

GDPR also requires Data Processing Agreements (DPAs), written agreements between data controllers and data processors. In our case, Siteimprove acts as both—but primarily, we are the data processor and our customers are the data controllers. In these DPAs, we outline what we do with each customer’s data, where we store it, and a long list of other important information.

Since December 2015, Siteimprove’s legal staff has grown from one to five in order to accommodate company growth and the uptick in customer DPAs. One team member is solely dedicated to working on them. We also hired an information security manager in July 2017 to assist our director of IT and cloud with ongoing GDPR compliance efforts.

In 2016 we saw only a handful of DPA requests from Siteimprove customers. But as the deadline inched closer in 2017, we drafted our own DPA and shared it with customers. That year, we processed around 200 DPAs, and we expect to process around 500 in 2018 alone.

Objective Feedback in the GDPR Compliance Process

One year before the GDPR deadline, Siteimprove’s GDPR compliance team—made up of our legal, IT, and information security teams—created a plan to audit for any remaining compliance gaps. We needed an outside perspective, of course, and enlisted the help of not one, but two third-party law firms.

“It’s absolutely critical to use third-party vendors in the compliance process and get that objective feedback,” said Spenillo. “We’re not just living in our own Siteimprove world—we’re living in everyone else’s world and asking them what they think about how we’re doing things.”

Turns out, we had some work to do. As with any fast-growing company, some of our processes for handling personal data weren’t clear enough or even written down at all. We knew that certain data needed to be handled in a special way, but we also needed to start properly documenting our policies and processes—a major requirement of GDPR.

To overcome this challenge, the legal team began using a third-party tool called Nymity, a data privacy compliance software platform. They utilised Nymity’s customisable templates to document Siteimprove processes and policies, and also used the software to track and benchmark compliance progress along the way. Being able to quantify progress made it much easier for Spenillo to inform upper management where the company stood in the GDPR compliance process.

But it wasn’t just the GDPR compliance team and upper management that had to be involved. Since no single department can have a grasp on all the data coming and going through the company, working cross-departmentally is critical.


So in the fall of 2017, Information Security Manager Victor-Alexandru Truica met with every department to understand what data they collected, where and how they stored it, and the internal processes for it all. From HR and marketing to finance and others, Spenillo and the GDPR compliance team had to flesh out the details of every bit of data that Siteimprove touches—data about customers, prospects, job applicants, employees, you name it.

“Promoting security and privacy initiatives in the different departments is easier now that I understand the specifics of their processes and technologies they use,” said Truica. “I also understand that people see their work differently than I do: I see a process where someone sees two clicks in an app.”

The GDPR compliance team took their findings and documented Siteimprove’s data flows into formal “data trees” so they could have visual proof that the company understands where their data is coming and going.

Siteimprove's data tree of the inflow of personal data as part of their GDPR compliance process

This data tree documents the inflow of personal data that every Siteimprove department processes.

Developing Our Own GDPR Solution

In the commotion of GDPR compliance, many organisations tend to overlook the most exposed part of their organisation: their website. Chances are good that there’s a lot of personal data there across web pages, image data, meta descriptions, PDFs, etc.

Like many companies, we have customer information and employee contact details right on our site, and we collect information through forms. It’s not necessarily a problem, but when someone exercises their “right to be forgotten”, we (and every other organisation) must be able to delete that information from the website.

So to serve the needs of our customers and help with our own compliance, we developed and released Siteimprove GDPR in November 2017. The tool helps pinpoint personal data like names and ID numbers throughout a website, identify all cookies on the website, locate all IPs and domains that belong to an organisation, and more.

Several teams are prepared to use the GDPR tool on our websites, including the web team, HR, and different stakeholders in marketing.

Ongoing Compliance Efforts

GDPR compliance is an ongoing process, not a checkbox project. It will be more important than ever to strengthen our data privacy efforts far beyond May 25, 2018.

We at Siteimprove—and any other company trying to comply—must be able to show at any point in time that we know what data’s coming in, what data’s going out, and when a new data flow begins. GDPR is about accountability, and we’ll continue to implement and optimise a solid audit process.

Siteimprove’s GDPR compliance team is preparing to roll out global training for all 500+ employees. But, as Spenillo explained, the biggest concern with a roll-out that size is participation:

“You’ve probably sat through some corporate training that lasts two hours in front of a computer, trying to click through as fast as you possibly can so you can get it over with. For this, I want something that’s going to be pragmatic; something that Siteimprove employees can apply in their regular lives and can understand when they leave the office—and to do that, we have to make sure we put something out there that’s simple enough and engaging.”


Want to know more about how Siteimprove GDPR can help with website compliance efforts? We also have a GDPR-compliant Analytics tool. Read how Siteimprove GDPR and Analytics strengthen data privacy on your website.