TOWARDS GDPR READINESS - CSI'S EXPERIENCES

08 February 2018

”GDPR is coming – are you ready?”

With the above search Google finds 1 960 000 hits in less than a second. However, knowing that we are not alone does not make the pain go away. 


EU's data protection regulation will come into effect in 106 days. The purpose of the regulation is to increase individuals’ control over their personal data and to harmonize legislation within the European Union. From May 25 on, companies must be able to demonstrate that they process personal data in a way that meets the requirements of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality.

We, like most other companies, still have some work to do in order to get GDPR ready. There are regular GDPR meetings in the calendar and even between meetings, the topic does not leave your mind. When sending newsletters, creating an agreement for a new customer, attending a software development meeting or discussing with a subcontractor, you automatically ponder what changes are still required to the process.

From confusion to a concrete task list

Like all new things, also GDPR has been a perplexing experience. When it was confirmed that GDPR would not impact only B2C businesses but also B2B companies, the available information rather attracted new questions than provided answers. We went through GDPR self-assessment excels with a hundred questions and contemplated whether we even understood them correctly. And, as a result we only found out that we were behind 80% of the companies which had taken the same test...

Fortunately, the requirements and impacts of GDPR have gradually become clearer. Recently, it has even been possible to get practical advice from companies that already have declared themselves as GDPR ready. Laggards can still save their necks by investing in clever GDPR tools or support of consultants and lawyers. GDPR has created a completely new business for which the demand is likely to continue; it is not a one-time project, but a continuous process.

GDPR status at CSI

We did not start our GDPR preparations until August last year. As we are not enthusiastic about creating and keeping registers, the fairly limited amount of HR, customer and prospect lists is making it easier to meet the requirements. In order to figure out the actual scope of the project, the training program organized by the Finnish Software Entrepreneurs Association and HPP Attorneys has been of great help. Our registers have now been identified and their location, purpose, data content, access and processing principles documented.

However, as a case management system supplier, we have also had to think about GDPR from the point of view of an information processor. What do you have to consider when customers save their personal data to our cloud service? And, what is the process when we convert  customers’ data from their previous systems to CSI Lawyer- or when we investigate their problem situations remotely?

Naturally, GDPR requires clarifications to agreements, too. We’ll start working on them in the end of February when the new IT2018 contract terms are available with special terms and conditions for handling personal data.

GDPR readiness of CSI Lawyer

However, the most crucial part of our project is to ensure that CSI Lawyer supports customers in meeting their GDPR obligations. According to the Data Protection Regulation, individuals have, for example, the right to know what information has been collected about them, to correct the incorrect information, to restrict processing their data or to be completely forgotten unless deletion of their data is in conflict with other legislation. The software must enable all of this.

As a person is saved only once in CSI Lawyer, management of information is straightforward. For the time being, GDPR has resulted only a limited number of development requests; the most common wish is a report that lists of an individual all information saved in the software.

However, CSI is in a lucky position as our client base, largely composed of law firms, is exceptionally aware of GDPR. Thus, it would be surprising if – when the GDPR requirements are further clarified – we do not come up with a few other new features before the May deadline. 

Taina Malmivirta

CSI Helsinki, Business Development Director, Partner

Devoted to marketing, communications and development projects. Gets motivated by continuous development of customer experience. Believes in the power of customer feedback and light processes that support a company's agility and innovation.