To be liked

Somebody very old and wise told me more than 30 years ago “Karen, it is better to be loved or hated, over indifference”.

This gives me energy in difficult times, especially now, when I seem to inspire love, but sporadically strong hate. Still, I the feel hate more than love. Hate makes me feel I failed. I still don’t understand how people can feel so.

What is a GDPR expert?

First, there is no such thing as a ‘GDPR expert’ per se. I like to call myself a ‘GDPR Practitioner’, because this is what I do!

I do get called an expert from others, including Privasee marketing 😉

The fact, as I’ve said a hundred times, is that I know enough to know when to call in other experts in. e.g. legal, ITIL/ITSM, Six Sigma, Test data management, infosec, etc., because there is a load of work that can be done without GDPR expertise, just to get the groundwork right.

This is great, because there is no shortage of these competences, at least not on the level of GDPR competences, and well they are less expensive. Although maybe they will figure out pretty soon how important they are to GDPR compliance and start upping their rates 😉

Of course there is loads of GDPR specific work that needs to be done too, but you’d be surprised how much you could fix yourself with just a little guidance from a GDPR Practitioner 😉

CIPT training

Last week I’ve been, at the request of JUC in Denmark delivering 2 days Certified Information Privacy Technologist (CIPT) training created by the International Association of Privacy Professionals (IAPP).

It was the first time I delivered this training, previously I’ve delivered the CIPP/E, which is the privacy training specific for the EU. What I’ve noticed is that if I deliver this training to learners which are predominately business, IT and security, it works great. I do great!

On the other hand if they are pure legal, it does not work optimal. Even though I’m pretty legal savvy for a non-legal professional, legal professionals have a different mindset. They have a different focus on what is important for them, often at a legal depth, places where I’ve never been. I know enough to know when I need to call in legal, but I’m not a legal geek.

Now, delivery of the CIPT was great fun. The room was full of IT guys, and a couple of ladies, one with a legal focus, who worked a lot across business operations. As a trainer I felt that this for me was a great IT privacy training. It was a little too much US focus, of course with IAPP, but I actually had lots of fun during 2 days delivering this content. It was just an awesomely fun 2 days for us all!

GDPR for small businesses

Are you a small business? I talked about SMBs in my previous post, and also life as a startup in Privasee before this.

More and more I’m being exposed to the challenges which the small business faces with GDPR compliant.

Commonalities are that:

  1. They are using a LOT of cloud services which do not have GDPRfher-friendly approaches to privacy. One example is a headhunter which is using a service for their candidates, because they are small they are not given the option to choose where personal data is stored. In fact, in general small controllers are at the mercy of the processor.
  2. Small businesses are not following industry best practices, eg ITIL, ISO27x. This is not their fault, they probably haven’t had exposure to the benefits outside of associated costs. As a sidebar, this is a great place to start on your compliance journey, and no GDPR experts needed!
  3. Due to the fast that a single individual maybe doing the job of more than one person, business functions are not well defined, hence no business processes either. A business function will often contain more than a single process, this means no ownership is assigned to personal data collected by a business process, because there is no business process owner.

There are loads more, I’ll post again on 😉

 

Why so difficult? Recruitment for SMBs which is GDPR compliant!

I’ve been struggling trying to find a portal whereby applicants applying for jobs with Privasee can upload their cv and it stays there. What I mean is that it is not an email, it cannot be downloaded to any device. Within this portal you should be able to manage a process so that the application can be managed in a way which is compliant with GDPR.

At the moment we have an email group account jobs@privasee.eu in Office365 which is terrible! It is possible to download the cv, and there’s no control over the process. I want a portal, so once an application is uploaded, we can’t download again. I want a technical control which has a date of upload so we can place an end-of-life on each application, along with where we are in the HR recruitment process. I want something professional and easy to use which restricts the risks of human intervention!

Bicycle dog (1)

This is not rocket science, and there’s loads of products out there which do this, but we are only 12 employees, and growing rapidly. We need a cloud service. I have talked to a few known HR cloud service providers, but they only deal with companies which have more than 200 employees, they are expensive. There are other cloud services, but they are outside of the EU and have their data stored on servers in the US. I was in a meeting with a headhunter on Friday, and they are having the same problem. The company they are using today is based in the EU, but because they are so small they cannot choose where personal data they collect is stored.

So my question is this, how are all the SMBs out there going to cope with the GDPR in their HR processes? We cannot. I’ve been looking now for almost 3 months and come up with nothing so far.  I am considering finding a partner to start up such a service. Privasee is not 200 employees, but there’s loads of SMBs needing this service. Is there any company out there which can help, or are interested to help us fix this?

Being GDPR perfect as a start-up

What is it like to be a start-up in a gold-rush? What about if that start-up has succeeded in niching the privacy space in the EU?

OLYMPUS DIGITAL CAMERA

I am back to blogging after taking a break -well not complete- during at least 2 years. Not a complete break, because I have been posting on LinkedIn. These posts have now been migrated to this blog. A break because I’ve been busy as founder of startup Privasee. 18 months ago it was just me, and now we are 12.

I will be blogging about life as a start-up. I am the CEO and founder of Privasee. I will be airing the challenges we face ourselves, not just the normal stuff like cash-flow and getting brand recognition, but how do we at Privasee work with GDPR compliance internally? We must be perfect after all?

That we are privacy advocates by heart, it has created some dilemmas. On the one side are those who say we must practice what we preach to the book, i.e. do not use cloud services if they are not GDPR-compliance, which incidentally is just about all of them today. Yet, as a 12 employee company, it really does not make any sense to host internally.

This view versus, that in order to understand and advise better our clients, we need to do the same as them, fix it and then we can advise beyond what we could otherwise by being ‘pure’.  The fact is if we look at a fundamental flaw to aspire ‘perfection’ although we all strive for perfection for ourselves, when we see it in others it doesn’t inspire any kind of longing or respect. It is through our imperfections that we learn, if we see them, acknowledge and remediate them.

I wrote a post in the Autumn GDPR Paralysis? Originally posted to LinkedIn. It is a story not just of what I had observed happening in the market but of the challenges we have internally in Privasee. What we realised is that we were marketing ourselves almost as ‘purest’ when we are not. We want to help our clients to take this elephant and get it working, and we don’t help them by acting in anyway righteous on how we are operating internally, we help them by being realistic. For example, for a cloud service I am looking to see if they are based in the EU, where is data stored? I want to see on their website, or I ring them and ask about GDPR, are they prepared to work with us? If they are saying the right things, then we can make an intelligent guess that they are on their way.

For example, our website sucks. It is using Wix which is horrible, but it’s easy to use, and we are not web design experts, and free-lance web designers seem to lean towards WordPress, which has not earned any awards for privacy either. It is the dilemma of usability versus privacy. So as a startup we have had some heated conversations internally concerning the website during at least half a year. Yes we must do this right, but how? We will be launching a new website next week, and yes, it will be hosted by Privasee using ELITs platform. ELITs and Privasee are working together to make the GDPR compliance work, but we are not done yet.

Our learning platform was another challenge. Up until end of 2017 we were using Curatr. Which is a social learning platform, and is really a cool learning experience. However, there were privacy defaults which were not following Privacy by Design best practices, and from an Admin angle, it was really difficult to configure in order to be able to respond to requirements such as the ‘right to be forgotten’ part of GDPR. There was more, over which I voiced my concerns on several occasions, which were not taken seriously. We have now retired this platform and are working together with ICE Malta. They are not perfect yet, a DPIA is about to be initiated. But what is great is that if I see something, they act quick. I ring, and they fix, no questions asked.

I’m going to be setting up a webpage on all products/services which Privasee is using in Q1 2018. On this page will be how we find them as a provider on the GDPR scale. Are there some we use because we have no choice, e.g. Office365, but maybe some features should be disabled? Are there some choices we’ve made, e.g. our learning platform and website, because the alternative choices were limited?

Do you have any stories to share where you have contacted cloud providers? Would be great to hear…

All this and more, i.e. the thinking behind our choices I will post here. So watch this space 🙂