
Ask HN: What are you doing to achieve GDPR compliance? - stnmrk
Interested to hear what kind of strategy or what you are doing to achieve GDPR compliance within your org. The deadline of 25 May is not far away.
======
jimnotgym
I'm deliberately going slowly, because I want to see what the big companies
will do. This is because the interpretation of the rules is going to be
important and 'custom and practice' could be as important as the directive
itself. I am not treating it as an IT exercise, I'm treating it as a corporate
culture exercise. We are already PCI compliant, so we are already competent at
ticking boxes.

The part that really concerns me the most is around email sign ups on our
e-commerce site. We worked really hard to get the sign-up high and to get
people to respond to the medium, and I am most concerned that 'un-pre-ticking'
the box is going to reduce sign ups.

Regarding security of data, coming from PCI compliance I would say the
fundamental question to ask yourself is do I really need this data in the
first place?

From talking to consultants I don't think many SME's have done very much as
yet.

I don't think there is anything for the SME to be scared of in GDPR, if you
are running a genuine business and are not a data hoarding/selling freak. The
fines have been talked up, but the fines were large under the DPA and no-one ever
got the max!

As an aside, I have been collating (but not yet curating) lots of resources on
GDPR. I was thinking about a small site and mailing list, if that interests
anyone?

------
stnmrk
To simplify, our goal is to have our systems auditable and log everything we
do with sensitive data, and to have central control of user accounts and
authorization info. We want to have logs of what happened in case of an
incident as well as restrict access to only those who need it. We are also
redesigning internal tools to only show relevant data. We want to have alarms
on unusual events as well. This is most of the system/infrastructure work; we
also introduced new contracts (DPA) for our sub-contractors and cloud
environments and a shitload of other risk analysis docs and stuff like that.
This is for an ISP in the EU.
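The approach in the post above (log every access to personal data, keep the log auditable, alarm on unusual events) can be illustrated with a small added example. This is not code from the thread or from any commenter's system; the record layout, the hash-chaining for tamper evidence, the sliding-window rule and the sample log lines are all constructed assumptions for illustration.

```python
"""Append-only audit log of personal-data access plus a simple volume alarm.

Constructed example, not code from the HN thread. It keeps records in an
in-memory list; a real deployment would ship them to a write-once store.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import hashlib
import json


def record_access(log, actor, subject_id, fields, purpose, ts=None):
    """Append one record: who read which fields of which data subject, and why."""
    entry = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "subject_id": subject_id,
        "fields": sorted(fields),
        "purpose": purpose,
    }
    # Chain each record to its predecessor so later edits to the log are detectable.
    prev = log[-1]["hash"] if log else ""
    body = json.dumps(entry, sort_keys=True)
    entry["hash"] = hashlib.sha256((prev + body).encode()).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log):
    """Recompute every hash; False means a record was altered, dropped or reordered."""
    prev = ""
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
        if digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def unusual_actors(log, window, max_subjects):
    """Map actor -> distinct-subject count for actors who exceed max_subjects
    distinct data subjects within any sliding time window of length `window`.
    This is the "alarm on unusual events" rule: bulk reads of many customers
    by one account are the pattern a defender most wants surfaced."""
    by_actor = defaultdict(list)
    for e in log:
        by_actor[e["actor"]].append((datetime.fromisoformat(e["ts"]), e["subject_id"]))
    flagged = {}
    for actor, events in by_actor.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {subject for _, subject in events[start:end + 1]}
            if len(distinct) > max_subjects:
                flagged[actor] = len(distinct)
                break
    return flagged


def build_sample_log():
    """Constructed sample: one agent handling a few tickets, one reading in bulk."""
    log = []
    t0 = datetime(2018, 5, 1, 9, 0, tzinfo=timezone.utc)
    # Normal support work: three customers over half an hour, each tied to a ticket.
    for i, cust in enumerate(["c-101", "c-102", "c-103"]):
        record_access(log, "agent.alice", cust, ["email", "address"],
                      "support ticket", t0 + timedelta(minutes=15 * i))
    # Anomalous: 25 distinct customers in under ten minutes with no stated purpose.
    for i in range(25):
        record_access(log, "agent.bob", f"c-{200 + i}", ["email", "phone"],
                      "unspecified", t0 + timedelta(seconds=20 * i))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample))
    print("flagged:", unusual_actors(sample, timedelta(minutes=10), max_subjects=10))
```

The purpose field is deliberately mandatory: under a purpose-limitation regime, an access with no recorded reason is itself a finding, and the threshold in `unusual_actors` should be set from each role's observed baseline rather than the arbitrary value used here.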

