Like many out there our first reaction to assessing GDPR was a huge sigh, pained expressions, and general discontent. All this red tape, more legals, what does it mean? Are we doing something wrong? What was wrong with the current legislation?
But as we draw closer to the final date for implementation - 25th May, as we move through the process and make the necessary changes - I admit, we've become fans, we like the changes. The focus on security and privacy builds confidence. Sure there are challenges to overcome, there's been plenty of head scratching, but the additional focus is driving a better Timetastic, for both us and our users.
So here's a run down of what's changed at Timetastic, driven by GDPR in the last few months:
GDPR Changes to date
We have always used hashing to store passwords, but the introduction of GDPR forced us to look further and so we introduced full encryption at rest for the databases using Transparent Data Encryption https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/transparent-data-encryption?view=sql-server-2017
Keep me logged in
We used to store a cookie automatically on users machines to keep them logged in. We switched that off and instead implemented a 'keep me logged in' option on the login form.
To increase security of Timetastic we've started using a service called Cloudflare. Cloudflare helps speed up Timetastic while at the same time helps protect against denial-of-service attacks, customer data compromise and abusive bots https://www.cloudflare.com/security/
We spotted that our existing employee contracts didn't contain a confidentiality clause covering client data. That's been rectified, all staff have since singed a dedicated Confidentiality Agreement.
Work in Progress
Audit and Access logs
The very nature of Timetastic means that users can login and see their data and activity, and the excel reports already contain most of the information most will ever need to satisfy themselves. But to ensure data controllers are able to fully meet their obligations in seeing all the processing activities Timetastic undertakes we are implementing a full audit log, available in excel format.
We had no deletion policy on our customer service requests (I suspect this may be the case for many organisations) these requests could indeed contain personal information, was well as email addresses and contact details people sometimes forward spreadsheet and images.
We are in the process of implementing an automated service to delete all customer service emails 12 months after they were created.
Terms and Conditions
We are in the process of updating these to include the specific requirements laid down in article 28.
Articles 28 - a customers right to audit
This is an interesting one and definitely a cause of heard scratching. The requirement is that Timetastic makes "available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller."
We don't disagree with the principle but as of the time of writing we have over 8,000 organisations registered to use Timetastic, if just 5% of those exercised their right to audit we'd be facing 400 audits!
We don't yet have a full solution to this dilemma, one proposal is to implement an audit fee. That's about the only way to ensure that if we did get inundated we'd be able to financially cover the situation, rather than sinking under the paperwork, which is not in our interest or that of any customer.
What we hope to implement is one annual GDPR audit and make those findings of that publicly available, in essence negating the need for any individual customer audits. Please appreciate though, at the time of writing GDPR is new, not even active yet, and hence post implementation audit services are not well defined. Finding an appropriate auditor or reputable self certification scheme is something we're going to have to pursue after 25th May.