Welcome to the World of GDPR … And How WSO2 Became GDPR Compliant Using WSO2

Tyler Jewell
7 min read, May 25, 2018


Today, May 25th, is the date on which GDPR goes into effect. Even if you are unfamiliar with GDPR, over the past week you have probably seen a flurry of emails from different vendors informing you of their privacy policy changes. These are all due to the tremendous efforts of legal departments around the world scrambling to ready their companies to stand strong in the face of complex and far-reaching regulation.

We all expect, and hope, that GDPR will have a lasting impact on our privacy and data rights.

WSO2 is GDPR compliant and we got there, in part, with our own products. Our Q1 release theme from April was GDPR, and more than 400 of our customers have installed GDPR-readied WSO2 products.

This blog is dedicated to the legal professionals who are grappling with the immense scope and nuance of the regulation. Legal, often the target of water cooler jokes, is really the backbone of the software industry. Sales are not closed, partnerships are not established, and employees are not protected without the tireless, everyday, behind-the-scenes efforts of our legal teams.

With GDPR, our legal team was given a chance to put their competence on display, navigating us through challenges thicker than any we face from our toughest competitors. At WSO2, Suranee Gomez led these efforts. On top of her knowledge of and expertise in the regulation, she also approached the exercise with a bubbly personality that I could never muster if asked to perform the same task.

Welcome to a world of compliance

WSO2 GDPR Compliance Measures

Suranee’s team took on four assessment efforts:

  1. Company-wide gap analysis. Every team was prompted to disclose what personal data they dealt with, how they accessed it, what they used it for, where they were keeping it, and any existing protection measures.
  2. Cross-team action group. A team from HR, marketing, sales, engineering, legal, operations and cloud was formed to implement measures for personal data accessed by each affected team.
  3. Mapping our personal data. Every entry point through which personal data could enter the organization was mapped. This included, but was not limited to, each separate form on our websites, physical personal data obtained through contacts we made at conferences and meetings, support users, data in existing databases, data received through partners, and data received through external marketing websites such as DZone.
  4. Formation of a data protection group and DPO. This is the cross-team group along with the data protection officer that would respond to any data breach issues and make any decisions relating to data protection impact assessments.

Key Compliance Measures

This analysis led to a number of measures implemented by different departments.

  1. Staff training. GDPR requires ongoing training for staff who handle personal data and respond to breaches. We performed internal training before the regulation came into force, and going forward PWC will conduct additional training on data protection. These trainings are incorporated into new employee inductions, and refresher training will be conducted annually.
  2. UK employee contract changes. We’ve added a section on data protection to employee contracts for the UK/EU region which will cover both their obligations with regard to any personal data handled by them and notification by us on the type of their data we will process and their rights in relation to those.
  3. Employee handbook changes. For employees in other regions we’ve added a section on data handling to the employee handbook.
  4. HR apps for employees. Our internal employee HR app, “People HR” is provided by a third party and used by employees to modify their employee data and conduct performance reviews. We’ve amended our terms and conditions with the third party to cover their GDPR obligations and reviewed their security certifications.
  5. Background screening for data handlers. Anyone dealing with personal data will receive a basic background screening, depending on what is permitted by the country they are located in.
  6. Rules on laptop/phone usage. All laptops will be encrypted. Corporate phones with managed access will be provided to those that request and personal phones that need to access data will have an optional managed environment they can use.
  7. Privacy policy. We’ve revised our privacy policy to detail data subject rights, exactly what data we collect from site users, why we store it, the legal basis on which we process it, the entities we share it with, who to mail in the event of breach, and how the data is destroyed.
  8. Consent mailer campaign. We ran a consent campaign to our UK/EU marketing database asking them whether they wanted to continue to receive marketing mail from us. The consent response rate was, surprisingly, higher than we anticipated!
  9. Opt-in check boxes. We’ve included unticked check boxes under the various forms on the WSO2 site that collect data. Each carries a statement asking users whether they are happy to receive updates and marketing mail from us. The consent ticks are synced to our marketing operations systems with timestamps. For certain double opt-in countries like Germany, our systems now send a second mail asking for another confirmation.
  10. User profiles. Each user of our website who registers for any service or subscribes to any mailing list gets a user profile they can access to see the personal details we hold about them, which they can edit or amend. They will also be able to update their preferences and unsubscribe from lists.
  11. Workshop and conference registrations consent. All external conferences, and WSO2 organised conferences and events always have either a manual or electronic consent recording mechanism in place so that we’re able to use the contact lists these events generate.
  12. EU-US Privacy Shield certification. This is a US Department of Commerce approval for cross-border data transfer between the EU and US. We have finished our application, which is no small effort.
  13. Data breach escalation procedure. We’ve established a procedure in the event of data breach. We are able to respond and, if necessary, inform the UK ICO within 72 hours.
  14. Enhanced information security policies. Digital operations has created documentation to reflect our existing security best practices for patch management, network device security, user access management, backup and restoration, and change management.
  15. AWS and Google DPAs. We’ve entered into “Data Protection Addendums” with our cloud infrastructure providers, which ensure that they are contractually bound to us to also comply with GDPR. Additionally, we have requested and reviewed their security certifications as part of our due diligence.
  16. Salesforce access limitation based on user need level. The existing customer personal data on SF can be viewed by all sales teams, but engineering team access to marketing and sales leads has been restricted, in compliance with the GDPR principle that personal data must only be accessed by those that have specific need to view it.
  17. Salesforce audits. Based on any “forget me” requests, and on the data retention timelines that we will put in place, our CRM and marketing systems will have regular data audits run, with strict clean-ups of the data we hold.
  18. Tracking a legitimate basis for which we process new contacts in Salesforce. The lead source field in Salesforce will track how and when a lead first entered our databases. This records the basis on which we are processing that data, whether it is consent or some other basis, along with the timelines for which we can store that data.
  19. UK-Sri Lanka data transfer agreements. The European Commission has put out model clauses based on which cross border data transfer can be done to third countries. A third country is one that does not have a data protection adequacy decision given by the commission. We have offices in Sri Lanka and established an agreement to transfer data between WSO2 UK and WSO2 Sri Lanka.
  20. Binding all service providers to DPAs. All service providers we use to store or process our data including Salesforce, Pardot, PeopleHR, Zoom, and Gotowebinar have either signed DPAs or amended their terms and conditions so that they are committed to uphold GDPR obligations when providing services to us.
  21. Legal has created policies for data breach and data retention for all types of data the organization holds. They have established procedures for the destruction of data so that we only hold data for as long as it is strictly necessary to do so.

About That WSO2

Making all of these systems work well together requires some serious integration technology and know-how. We use WSO2 products to bridge our systems together and to foster the movement of data. GDPR compliance has numerous implications on how the data is moved and accessed while in motion.

If you haven’t checked it out, we’ve made WSO2 products really good at providing these controls. And if you are a legal officer that is excited about the software space and want to work at a fast growing, dynamic and GDPR-compliant organization where Suranee always has a smile, drop me a line at tyler@wso2.com. We are hiring aggressively, even if you are a lawyer.


Tyler Jewell

MD @ Dell Tech Capital. BOD @ NS1, Orion Labs. Prev: CEO @ WSO2, CEO @ Codenvy (acq. by RHT). Invest @ Sauce Labs, Cloudant, ZeroTurnaround, InfoQ, Sourcegraph.