On the 25th of May 2018 the new General Data Protection Regulation (GDPR) comes into force. Over a year ago, our company begun taking the necessary security measures to be compatible with the new regulation, and also to strengthen the protection of our customers’ personal information.
In this blog post, we will describe to you the first completed actions that have been taken on our side, and other blog posts will follow, to include every process that we will be completing from now on. See the steps that you need to follow for your business here.
1. New associates for security and data protection
Since the announcement of the new regulation, two new associates joined our team to take over exclusively the security and data protection actions. Antonis (Head of Security & Engineering) and Lefteris (Data Protection Officer) are essentially the two persons who take care of all the necessary processes, making sure that we will be ready when the GDPR enters into force. We need to be in compliance with this Regulation, but also lay the ground for compatibility with future legislation on information security and data protection.
2. Νew password management application for storing our passwords
For years we have been using password managers to store our passwords, but a few months ago we were transferred to one of the safest applications that works a bit differently: in 1Password, all passwords are protected mathematically, using cryptography rather than the use of code from an online page that could be attacked. This means that even if someone can get a password file, they will not be able to decipher it, as they will not know the master password that the account holder has set.
This transition was very important for us, as well as for our customers, as some of the above passwords can “unlock” personal data. Although the data protection was already strong, with the new application, our passwords are now stored in an impregnable fortress!
3. Internal trainings on GDPR
The motive for our internal education and development may have been GDPR, but the internal seminars we started to participate into a few months ago, aimed at a holistic approach to security. So, we first started a basic training on information security and then proceeded to the specifics of GDPR.
It is worth noting that the trainings were mandatory for everyone in the company, regardless of whether they come in direct contact with personal data of the customers. The education on such a critical issue is important for all departments.
4. Revision of policies and procedures
We have entered a phase of review on the policies we have adopted, and of the procedures we follow to practically implement them, based on ISO27001:2013. Access to our systems has been restricted and it is now granted exclusively to the authorised technicians, we have all installed 2 Factor Authentication in the applications we use and the policy on using the internet within our network has been upgraded.
At the same time, procedures for vulnerability management, risk management, disaster recovery and business continuity have improved. Through the internal audit that is being carried out by our Data Protection Officer, we will surely implement other necessary improvements. We will present everything that is complete in following blog posts, so that all our readers and customers are informed! In the meantime, you can get informed about the rights you have on your personal data as a citizen of the European Union.
Many of the things that we have done to be able to provide these levels of security and privacy for our company, will follow in future blog posts. At the same time, we are planning to provide the tools and processes we have created for this purpose as open source, for everyone who wants to use them.