
30.08.2018 / 18:54

Things we've changed in corporate processes to meet GDPR standards

Once upon a digital time, the GDPR came into force. Now more and more of the people we communicate with ask whether we do business in accordance with the GDPR.

Good news: yes! The key measures we have taken:

  • We’ve added a role responsible for GDPR compliance in the company’s processes for interacting with EU customers. The GDPR applies not only to communication from the marketing and sales departments, but also to interaction with customers in production processes.
  • We’ve reviewed our customer base, segmented clients according to the lawful basis for processing (contract, legitimate interests, etc.) and changed the communication policy for each category.
  • Updated the Privacy Policy and Terms of Use for www.exposit.com and related landing pages.
  • Improved the contact forms on the site and related landing pages. Unless the user confirms that they agree to our Privacy Policy and Terms of Use, they cannot send us personal data.
  • Reconfigured all the web analytics that collect data about our website visitors and turned on user anonymization. The analytics now do not even collect IP addresses or other highly accurate data on the users’ location.
    P.S. Collecting personal data such as names, emails and phone numbers through analytics was never an issue, because such services prohibit this by default.
  • Our employees checked all personal and corporate mailers, cloud drives and similar services. Corporate files that had been accessed through personal accounts (especially Google Docs, Sheets, etc., where a shared link lets a file be opened from any account) were transferred to corporate accounts. Unused files were deleted.
  • We checked all roles and access rights in the various corporate systems and restricted access to spaces for employees who do not need their contents to perform their duties. Access to documents is granted only to corporate email accounts.
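Two of the web-facing measures above (the consent gate on the contact forms and IP anonymization in the analytics) are worth seeing in code. What follows is an added example, not Exposit's own implementation; the field names, the policy version string and the sample submissions are assumptions. The security point it makes is that a consent checkbox in the browser is only a convenience: anyone can POST to the form endpoint directly, so the server has to repeat the check before any personal data is stored or emailed, and it should keep the evidence of consent (which policy version, when) together with the data it covers. The IP helper truncates addresses the way analytics "IP anonymization" commonly does (last IPv4 octet zeroed, last 80 bits of IPv6 zeroed).

```javascript
// Server-side consent gate for a contact form, plus analytics-style IP
// anonymization. Added example; the policy version, field names and the
// sample submissions below are assumptions, not taken from exposit.com.

const CURRENT_PRIVACY_POLICY_VERSION = '2018-05-25'; // assumed identifier

// Validate an already-parsed POST body. Call this from the POST handler
// before the submission is saved or forwarded anywhere. Returns
// { ok: true, record } or { ok: false, reason }.
function validateContactSubmission(body, now = new Date()) {
  const consent = body.privacy_consent;
  // Accept only an explicit affirmative value. A missing field (the usual
  // result of a direct POST that skips the checkbox), an empty string or a
  // pre-ticked default must not count as consent.
  if (consent !== true && consent !== 'on' && consent !== 'true') {
    return { ok: false, reason: 'consent_required' };
  }
  // The user must have agreed to the policy version that is actually live,
  // otherwise a cached or replayed form could "consent" to an old text.
  if (body.policy_version !== CURRENT_PRIVACY_POLICY_VERSION) {
    return { ok: false, reason: 'policy_version_mismatch' };
  }
  const email = String(body.email || '').trim();
  const message = String(body.message || '').trim();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) || message.length === 0) {
    return { ok: false, reason: 'invalid_fields' };
  }
  return {
    ok: true,
    record: {
      name: String(body.name || '').trim(),
      email,
      message,
      // Store the evidence of consent next to the data it covers.
      consent: { policyVersion: body.policy_version, givenAt: now.toISOString() },
    },
  };
}

// Truncate an IP address so that it no longer identifies a single host:
// IPv4 keeps the first three octets, IPv6 keeps the first 48 bits (three
// groups). Returns null for anything that is not a well-formed address.
function anonymizeIp(ip) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    const octets = ip.split('.').map(Number);
    if (octets.some((o) => o > 255)) return null;
    octets[3] = 0;
    return octets.join('.');
  }
  if (ip.includes(':')) {
    // Expand a single "::" so that the first three groups can be read.
    const parts = ip.split('::');
    if (parts.length > 2) return null;
    const head = parts[0] ? parts[0].split(':') : [];
    const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
    const fill = parts.length === 2 ? 8 - head.length - tail.length : 0;
    if (fill < 0) return null;
    const groups = [...head, ...Array(fill).fill('0'), ...tail];
    if (groups.length !== 8 || !groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
    return groups.slice(0, 3).join(':') + '::';
  }
  return null;
}

// Constructed sample submissions (not real data). The second one is what a
// direct POST that skips the checkbox looks like to the server.
const sampleSubmissions = [
  { name: 'Ann', email: 'ann@example.com', message: 'Hello', privacy_consent: 'on', policy_version: CURRENT_PRIVACY_POLICY_VERSION },
  { name: 'Bob', email: 'bob@example.com', message: 'Hello' },
];
for (const s of sampleSubmissions) console.log(JSON.stringify(validateContactSubmission(s)));
console.log(anonymizeIp('203.0.113.77'), anonymizeIp('2001:db8:85a3::8a2e:370:7334'));
```

The validator is deliberately a pure function of the parsed body so it can be unit-tested and reused by every form endpoint; wire it in as the first step of the POST handler, and log the rejection reason rather than the submitted personal data.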

Besides this, a Belarusian draft law (an alternative to the GDPR) is currently under discussion. Some of the differences:

  • Consent may be obtained only on paper or in electronic form;
  • Data transfer is allowed only to countries with an adequate level of data protection;
  • The Belarusian draft requires the mandatory appointment of a Data Protection Officer (DPO), etc.

But we can say with certainty that companies that comply with the GDPR standards have nothing to fear.