GDPR - Actions to Date

Like many out there our first reaction to assessing GDPR was a huge sigh, pained expressions, and general discontent. All this red tape, more legals, what does it mean? Are we doing something wrong? What was wrong with the current legislation?

But as we draw closer to the final date for implementation, 25th May, and work through the process making the necessary changes, I admit we've become fans: we like the changes. The focus on security and privacy builds confidence. Sure, there are challenges to overcome and there's been plenty of head scratching, but the additional focus is driving a better Timetastic, for both us and our users.

So here's a rundown of what's changed at Timetastic over the last few months, driven by GDPR:

Changes to date

Encryption

We have always stored passwords as hashes, but the introduction of GDPR forced us to look further, so we introduced full encryption at rest for the databases using Transparent Data Encryption: https://docs.microsoft.com/en-gb/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql

Gravatar

We terminated our link to Gravatar. From the outset of Timetastic we linked to Gravatar to pull through user profile photos. We see no malice in their service and nothing to suggest ill intentions, but requesting an image for a given email address does share that email address with them. Our concern was that we never found any privacy policy or mention of GDPR in their terms. Combine that with a) the actual function brought to Timetastic through this data sharing being fairly minimal and b) the fact that we already provide an alternative, in that users can upload their own photo directly to Timetastic, and we felt it cleaner to remove the integration.

Keep me logged in

We used to store a cookie automatically on users' machines to keep them logged in. We switched that off and instead implemented a 'keep me logged in' option on the login form, so a persistent cookie is only set when the user asks for one.
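The difference between the old and new behaviour comes down to whether the login response sets a cookie with a lifetime. The following is an added illustration, not Timetastic's own code; the 30-day lifetime and the cookie name are assumptions, as the post doesn't state them.

```python
from http.cookies import SimpleCookie

# Lifetime of the opt-in persistent login cookie (assumed value; not stated in the post).
REMEMBER_ME_DAYS = 30


def _base_cookie(session_token: str) -> SimpleCookie:
    """Common hardening attributes for the login cookie: HTTPS only, not readable
    from script, and not sent on cross-site requests by default."""
    c = SimpleCookie()
    c["session"] = session_token
    c["session"]["secure"] = True
    c["session"]["httponly"] = True
    c["session"]["samesite"] = "Lax"
    return c


def login_cookie_before(session_token: str) -> str:
    """Old behaviour: every login sets a persistent cookie, so the browser keeps
    the user signed in whether or not they asked for it."""
    c = _base_cookie(session_token)
    c["session"]["max-age"] = REMEMBER_ME_DAYS * 24 * 3600
    return c.output(header="").strip()


def login_cookie_after(session_token: str, keep_me_logged_in: bool) -> str:
    """New behaviour: a plain session cookie (no Max-Age/Expires, so the browser
    discards it on close) unless the user ticked 'keep me logged in'."""
    c = _base_cookie(session_token)
    if keep_me_logged_in:
        c["session"]["max-age"] = REMEMBER_ME_DAYS * 24 * 3600
    return c.output(header="").strip()


def is_persistent(set_cookie_value: str) -> bool:
    """Check a Set-Cookie value: it is persistent if it carries Max-Age or Expires."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie_value.split(";")[1:]}
    return "max-age" in attrs or "expires" in attrs


if __name__ == "__main__":
    print("before:        ", login_cookie_before("tok123"))
    print("after (unticked):", login_cookie_after("tok123", False))
    print("after (ticked):  ", login_cookie_after("tok123", True))
```

The `is_persistent` check is the kind of thing worth running against your own login response in a test, so a later change can't quietly reintroduce the always-persistent cookie.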

Cloudflare

To increase the security of Timetastic we've started using a service called Cloudflare. Cloudflare helps speed up Timetastic while at the same time helping protect against denial-of-service attacks, customer data compromise and abusive bots: https://www.cloudflare.com/security/

Confidentiality

We spotted that our existing employee contracts didn't contain a confidentiality clause covering client data. That's been rectified: all staff have since signed a dedicated Confidentiality Agreement.

Work in Progress

Audit and Access logs

The very nature of Timetastic means that users can log in and see their own data and activity, and the Excel reports already contain most of the information most people will ever need to satisfy themselves. But to ensure data controllers are able to fully meet their obligation to see all the processing activities Timetastic undertakes on their behalf, we are implementing a full audit log, available in Excel format.

Zendesk

We had no deletion policy on our customer service requests (I suspect this is the case for many organisations). These requests can contain personal information: as well as email addresses and contact details, people sometimes forward spreadsheets and images.

We are in the process of implementing an automated process to delete all customer service emails 12 months after they were created.

Terms and Conditions

We are in the process of updating these to include the specific requirements laid down in Article 28.

Article 28 - a customer's right to audit

This is an interesting one and definitely a cause of head scratching. The requirement is that Timetastic makes "available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller."

We don't disagree with the principle, but as of the time of writing we have over 8,000 organisations registered to use Timetastic; if just 5% of those exercised their right to audit we'd be facing 400 audits!

We don't yet have a full solution to this dilemma; one proposal is to implement an audit fee. That's about the only way to ensure that if we did get inundated we'd be able to cover the cost, rather than sinking under the paperwork, which is not in our interest or that of any customer.

What we hope to implement is one annual GDPR audit, making its findings publicly available and in essence negating the need for individual customer audits. Please appreciate, though, that at the time of writing GDPR is new, not even active yet, and hence post-implementation audit services are not well defined. Finding an appropriate auditor or reputable self-certification scheme is something we're going to have to pursue after 25th May.