10to8 handles millions of pieces of customer information a month and is used in all 28 current members of the EU. GDPR was always going to be a big thing for us and our customers.
We’ve always separated our security at 10to8 into two streams. The first is Practical Security: the useful stuff to do with being ‘actually secure’, which is something we’ve taken extremely seriously from the very start. The second is Compliance, which we define as ‘appearing to be secure’; it includes things like complying with local regulations and is often unrelated to actually making people’s or companies’ data safer (e.g. some rules on password security).
GDPR is one of the few regulations that is both: It actually improves the security of an individual's data at a fundamental level.
In mid-2017 there was little guidance out there that helped any particular business in any industry. There were some helpful things from the ICO and other bodies, but the reality is that it’s only now, when the rules are in place, that the best advice is being written.
We started in September 2017 with a ticket (everything we do is a ticket) called “As a 10to8er I want to know what GDPR means and its implications for us and our Customers.” and work was split into: Things that help our customers be GDPR compliant, Technical things that help 10to8 be GDPR compliant, and Non-Technical things that help 10to8 be GDPR compliant.
We also created a hugely useful internal FAQ. Our internal FAQs for a project are where anyone can ask anything and whoever owns the project has to provide an informal but correct answer. They are very useful when you want to keep everyone on the same page.
The project went quite well, but it exploded: We started with about 20 bits of work to get done. This is about 2-4 weeks of work for the entire company, resulting in delays to some other key improvements we have planned. The workload then tripled, as we learned more and as the advice in the public domain started improving. It felt like tidying a room or doing the washing up; most of it is done quickly, and then for ages you’re discovering one-more-thing. It was a huge slog that has delayed planned improvements to our system.
The wave of GDPR opt-in emails that hit everyone on the planet gave us the comforting feeling that ‘we weren’t alone’, and that 10to8 was on top of things.
More and more information was being provided in public, industry bodies were coming off the fence and recommending specific courses of action and the amount we had left to do was falling.
Finally we had our project wrap-up meeting with the head of customer support, product owner and customer representative to answer the question: “We’re legally covered, we’ve introduced new things for our customers, but have we done enough?” The answer to this question was, frustratingly, “no”.
We could see that our customers hadn’t read our messages about GDPR, hadn’t used our new features to get consent from their clients, and hadn’t looked at our new Ts&Cs. We needed a once-over to make what we had clearer, more effective and as useful as possible.
By the time GDPR came, we were in reasonable shape. The number of things we had to do had pretty much tripled and we delayed work on other projects, but 10to8 became more secure, our customers compliant and our client data protected.
The frustrating thing is that there’s more we'd like to do. There are a million ways we can help businesses and we have to pick the right ones in the right order in order to survive, grow and thrive - it's tough, but that’s a topic for another day.
The GDPR, as a piece of privacy legislation, seems to have created a real change in business, and both I as an individual and we as a company are pleased that it has come in.
Why not take my favourite GDPR quiz (yes, I have a favourite) and see how well your knowledge shapes up?