What We’re Doing About GDPR

Author: Garry Shutler

15th February 2018

25 May 2018 – the date when General Data Protection Regulation (GDPR) will be enforced – is rapidly approaching.

While we’re already up to speed with EU data protection laws – one of the reasons we have our EU data center – there are new concerns that need to be addressed.

We optimize our allocation of resources to do things at the last responsible moment. For GDPR, that moment is now – just in case there are any unknown unknowns coming up.

Much of this work is already underway, but we thought we should share some of the things we’ve been working on.

Please note: I am not a lawyer. This isn’t legal advice. I’ll simplify things somewhat to make for a more readable post, and only touch on the things with a visible impact or of technical interest!

Explicit consent

GDPR mandates much more strongly that consent from users must be explicit. That means your sign-up forms and similar must have a checkbox where users agree for you to contact them.

In theory, you only have to do this for EU citizens. In reality, it’s impossible to know for certain if an anonymous user is an EU citizen. We’ll therefore be making the changes for everyone.

For Cronofy this will affect:

  • The OAuth authorization flow
  • The developer sign-up flow
  • The “contact us” forms we use

We’ve already been doing some work on a new-and-improved OAuth authorization flow and that will include the necessary checkbox for consent when that is rolled out. In the other cases the existing pages will be altered to include a checkbox and the required validation.

Right to be forgotten

Another key tenent of GDPR is the right to be forgotten. This is where a user of your service can request all information you hold about them is removed.

You’re allowed to retain anything which you must hold for other legal reasons, for example billing details, but everything else must be removed within a reasonable amount of time.

This is an area where abiding by EU data protection laws gave us a bit of a head start. We already don’t hold on to data any longer than we need it, so in some cases to abide by “a reasonable amount of time” we just need to let the system do its thing and delete older data.

In other cases, we could leverage existing housekeeping processes, but trigger them more proactively.

The main difficulty came from data being held by third party services. These third party services include things such as our support system, CRM, analytics, etc.

Initially we did a review of any personal data we were sending to third party services, and are making changes to stop sending out any that aren’t definitely required. You don’t have to delete personal data that doesn’t exist!

Next came a review of what data these third party services held. We use less of such services with our EU data centre already to avoid problems, so we had a good idea of which ones would require the most investigation. We reviewed them all anyway to be sure we hadn’t leaked any personal data accidentally.

This meant liaising with marketing and sales to see whether they really needed the personal data in a given service in the first place, then stopping sending it where that wasn’t the case, and clearing out the existing personal data to give a clean slate.

This puts us in a place where we are not distributing any personal data that we do not have to. The next step was to automate the removal of that personal data in the face of a GDPR request.

For our own systems that was straightforward. For some third party services, that was the case as well – they have an API call we could make to remove the related data from their system. For others, we got a “you need to contact support” or “we’ll have something and it’ll be ready for May” response. A review closer to the time will be done to see if there are additional steps that can be automated. We’ll fall back to manual processes as necessary.

To cover all these cases, any “forget me” requests are logged. A documented process follows that involves a series of steps such as “trigger GDPR forget me within Cronofy” and “Email service@example.com requesting their details be removed”.

Each step needs to be recorded as being complete before a final step of “remove the email address from this request” is completed, as that is personal data too!

Registering your requests

From our perspective we ask that you email data.protection@cronofy.com with your requests. The reason being that an account may be in use by multiple customers, in which case we may need to liaise with multiple parties – including the person themselves – to complete the request.

As we handle requests we’ll gain a better understanding of what is actually involved and any common “gotchas” that would stop us from automating this more thoroughly.

Keeping you informed

We’ll be sharing more information leading up to the GDPR enforcement date, including procedure documents and more blog posts.

If you have any questions get in touch with us at support@cronofy.com.

Avatar of Garry Shutler

Garry Shutler

Date: 15th February 2018 | Category: Cronofy