Ask HN: How is your company preparing for GDPR? - ktaube
======
ptype
Trying to limit both the probability of a data breach happening and the
severity of it should it still happen, e.g.:

1\. Enforcing FileVault etc. on company laptops.
2\. Internal storage: reviewing servers' security, limiting duplication of sensitive data, reviewing access control.
3\. Checking external dependencies: where do third parties store data? E.g. Dropbox is not GDPR compliant yet[0]; they are cutting it fine.
4\. Enforcing 2FA.
5\. Ensuring we have an audit trail of having assessed the GDPR impact.

[0] https://www.dropbox.com/help/security/general-data-protection-regulation

------
iends
Currently, product managers and some dev leads are working with our legal
teams to build requirement epics around GDPR, to be worked on very early next
year by development teams.

About a year ago we had a big push to be fully HIPAA compliant, so we're
following a similar process. Luckily, we are hosted on Amazon and already "do
the right thing" in terms of encrypting PII and storing it in the closest AWS
region, so hopefully it's not too much of a huge lift.

