December 2015

European Parliament, Commission, and Council reach agreement on the GDPR.

January 2016

Siteimprove GDPR compliance efforts begin by drafting data flows on a whiteboard.

Photo of the whiteboard with the data flows (January 2016)

April 2016

Upper management has initial discussions on the GDPR and agrees to delegate resources to gathering information and scoping the compliance process.

June 2016

Teams begin building GDPR awareness in new business discussions regarding the scope and importance of protecting personal data; these are the initial signs of a data privacy impact assessment.

July 2016

Teams begin updating the website privacy policy and formalising EU Standard contract clauses and Data Processing Agreements between Siteimprove subsidiaries and the Danish parent company.

October 2016

Siteimprove hires third-party provider to assist in drafting data privacy policies and support the information security team.

November 2016

CTO, legal, and information security teams have a kick-off session, where the legal department is appointed as the team responsible for GDPR compliance efforts.

January 2017

International sales teams attend first internal webinar on GDPR.

Third-party law firm, upper management, and legal and information security departments discuss GDPR’s impact on Siteimprove and plan to audit for compliance gaps.

February 2017

Internal legal team expands in light of growing GDPR obligations (including DPA negotiations) to ensure sufficient resources for compliance.

Graph showing the uptick in Siteimprove DPAs from 2016 to 2018

March 2017

External law firm begins audit, including interviews with key personnel in each department about data-handling processes.

May 2017

Siteimprove begins considering third-party tools to assist in GDPR compliance efforts.

Siteimprove receives audit report, and efforts begin to prioritise policy and process clarifications and enhancements.

June 2017

Siteimprove begins using Nymity platform to create data privacy policies and processes and benchmark GDPR compliance efforts against similar companies.

July 2017

GDPR compliance team (legal, IT, and information security) begins meeting weekly, as compliance efforts cannot be completed by a single department.

August 2017

Upper management approves a Privacy Charter, establishing Siteimprove’s commitment to data privacy, and the creation of a Privacy Steering Committee that reviews the state of data protection quarterly and expedites improvements.

September 2017

Siteimprove begins reaching out to customers to inform them of their obligation as data controllers to have a Data Processing Agreement with their personal data processors.

Privacy Steering Committee also conducts first quarterly meeting.

Preview of Siteimprove’s Data Processing Agreement (September 2017)

October 2017

Information security conducts workshops with every department to understand the data they control and process, the vendors that are used, and how new employees are made aware of these processes. These results are all documented for the creation of formal “Data Trees”.

An employee Privacy Policy is distributed to all Siteimprove employees, outlining how their personal data is used by Siteimprove and its sub-processors.

Graphic showing the internal data flows (October 2017)

November 2017

Development team updates IP-masking settings in the Siteimprove Intelligence Platform to assist customers in meeting their own GDPR obligations when using website analytics.

Vendor Management Process rolls out globally to ensure that any new data flows or sub-processors are reviewed and approved by information security and legal.

Siteimprove launches GDPR tool to locate and monitor personal data on websites.

December 2017

Third-party law firm schedules second audit of Siteimprove's GDPR compliance for early 2018 to identify remaining gaps in compliance efforts.

January 2018

Siteimprove implements technical measures to enhance security of data protection, including Multi-Factor Authentication for internal access to Siteimprove systems.

Internal legal team expands again to assist with increased requests for Data Processing Agreements.

February 2018

All key data privacy policies and processes are finalised, including Article 30 documentation for data flows. To facilitate understanding of the data flows, the team creates an illustrative “forest of data trees”.

Siteimprove hires external firm to conduct a more detailed audit of select departments and their personal data processing to identify potential gaps between the GDPR, internal policies, and employee training.

March 2018

External firm completes audit and final items are identified for completion by May 25.

May 2018

GDPR comes into force, and Siteimprove compliance efforts continue.

Siteimprove’s GDPR compliance team rolls out global online training program for employees.