14 June 2018

The GDPR project in CSI Helsinki started in spring 2018 when a global software company spoke in a webinar about the forthcoming changes in EU legislation. The speakers got everyone’s attention by stating that infringement of the new regulation would cost them several billions of euros.

The threat of sanctions is something I’m sure everyone working with GDPR projects remembers as the first incentive to learn more about the regulation and to take action.

Where to start?

At first glance, complying with the requirements seemed overwhelming. The available information was scattered, the Finnish Data Protection Ombudsman informed about the new regulation without giving concrete instructions, and reading the regulation text was very tedious for a non-lawyer. Because we chose not to buy services for GDPR compliance (these were of course readily available), we had to start by identifying the definitions of the terms in the regulation. In other words, we basically started from scratch.

Situation inventory – peace of mind

After getting acquainted with the basics we began to summarize our own situation, with the help of e.g. Excel tools we had obtained from our partner companies. It soon turned out that as data protection had already been handled appropriately, the new regulation wasn’t such a massive reform after all. What GDPR meant to us was mainly going through and cleaning our registers, plus clarifying our internal instructions. Among other things we gave up an unnecessary CRM system that contained mainly obsolete sales leads. As a result, our registers contain almost solely current and potential customer companies’ and their employees’ contact information. In the process we updated our HR register as well, with stricter user access control.

Contracts – the biggest challenge

In certain situations, we inevitably act as a data processor of personal data in our customers’ registers. We discovered the biggest challenge of the project was to make an agreement on personal data processing that our customers would all be willing to accept and sign. Many companies have decided to simply make an addendum, but because of the business-critical nature of CSI software we preferred a separate agreement. We are fortunate to have exceptionally well-informed customers when it comes to agreements, and several law firms were kind enough to offer their comments, thus helping us to finalize the agreement.

Signing hundreds of agreements in a short period of time wouldn’t have been possible by traditionally sending paper documents back and forth by mail. With the help of digital signatures, the majority of agreements were signed before the GDPR deadline. The rest of our customers are sending their signed contracts as their own urgent customer cases allow.

The outcome of GDPR

GDPR caused us a lot of extra work but also offered possibilities and ideas for development. From the software’s perspective we got to think about how to best help our customers in their efforts to comply with GDPR. The new personal data report lists a private person’s information saved to CSI software, enabling the customer to send the information either digitally or as a report. Additionally, the customer can now track more closely who has altered or looked at the information saved in the software, and when. The GDPR functionalities of the software are being added as new needs emerge.

The project brought welcome improvements to our internal processes. In addition to adopting digital signatures, we updated the agreements with our subcontractors, clarified and documented our operating models and destroyed unnecessary registers. During the personnel training sessions, we also had good conversations about data protection and the ways we operate.

It does not end here

GDPR is an ongoing process. The biggest effort is now over, though, and things will probably get easier. More software development ideas will most definitely come up, which is only a positive thing.

I also consider it a positive thing that the venture has readied us to further improve our processes and to get rid of unnecessary data. The ongoing data protection control and regular personnel training will surely keep our minds alert.

Jari Loiri

CSI Helsinki, Technical Specialist

Life is not all about technology. I'm technology's friend whenever it makes human life easier.