GDPR: how we’ve been getting ready for it

We’ve always believed in transparency and security, which is why we took our customers’ data seriously long before the GDPR. With the GDPR coming into force on the 25th of May, here’s a bit more information on where we are now and what’s coming next.

But before going into details about us, here’s a short reminder of what the General Data Protection Regulation (GDPR) is. In short, the GDPR aims to give citizens and residents more control over their personal data and to simplify the regulatory environment for international business by unifying data privacy laws across the EU. One of the main requirements for businesses is to make sure they have a person’s clear consent to process their personal data – whether it is a name, an email, a personal identification code etc. – and to make sure their users are able to extract and delete all the data related to them, which is called the right to be forgotten.

Where are we now?

If you know us, you’ve probably noticed our dedicated page about our compliance with information security and service provision requirements. We implemented our information security management system (ISMS) according to the best-known international security standard, ISO/IEC 27001. Our ISMS has been audited and certified with the certification scope of “online e-signing and e-identification services and custom software development, delivery and provision” by Bureau Veritas, a world leader in testing, inspection and certification services. The ISO/IEC 27001 standard is considered the best framework for compliance with the GDPR and covers almost all the necessary aspects of the General Data Protection Regulation.

However, as the GDPR requires additional policies, procedures and processes that are not defined in the ISO/IEC 27001 standard (such as the right to be forgotten, the rights of customers to access and delete their data, notification procedures for data breaches etc.), we’ve taken care of them too – we have already implemented these policies, procedures and processes in our existing Information Security Management System.

We have already done our homework. You can see our certificate here.

What else are we doing?

We are taking care of the front-facing things, such as updating our agreements, terms & conditions and privacy policy, and providing tools to opt in to and opt out of marketing activities. But the most important things have already been in place for a while now – the ISO 27001 certification, obtained 2 years ago, was our initial and very important step towards the GDPR.

Furthermore, together with our partners – electronic identification providers – we’ve been preparing the corresponding data processing agreements (DPAs) to make sure every single part of our services, whether provided by us or by our partners, is 100% compliant with the GDPR. As this part depends not only on us but requires input from other parties too, it’s still in progress. However, we are planning to complete it in mid-May.

What’s next?

To go one step further, this year we are planning to get our quality management system certified according to the ISO/IEC 9001 standard. It is an internationally recognized quality management system standard that ensures the company meets customer and legal requirements; the standard provides a framework for responding to changing quality requirements in balance with society, economics and the environment.

At Dokobit, we take things seriously and data protection has always been and will always be our top priority!