Before I write my retrospective on how our GDPR audit went, let me first share my very personal opinion of Exponea.
Exponea aspires to become the fastest growing SaaS company in the world. As one of the steps toward that goal, Exponea has gathered an amazing number of smart, ambitious and highly motivated young people who perform miracles on a daily basis and yet (they confess) still feel that it is not good enough.
When I first came to Exponea less than six months ago as an ISO 9001 and ISO 27001 external consultant, I was amazed at how easily and quickly everybody did what I explained to them in order to be prepared for the first ISO 9001 and ISO 27001 audits (those were in the Q4 2017 OKRs). Certification of the security management system was seen as a necessary step to give our customers valid assurance of Exponea’s compliance, together with the product’s readiness for GDPR.
My background is in IT security auditing and consulting, and I have audited 100+ companies so far. I have never witnessed anything like what I have seen here: a tremendous pace of growth, a steep learning curve, extreme dedication to customer satisfaction, frighteningly advanced technology and weekly releases of a software product as a service (SaaS), just to name a few.
I believe that I have learned more in a month than I had learned in the past 10 years, and before that I thought I was a quick learner (well, I do not think so anymore). It was no wonder that we finished the first project earlier than scheduled and with great results. I just found myself yearning to become part of that team. So, after more than 17 years, I abandoned my own consulting company and my auditing and consulting practice in the area of privacy governance, just for the opportunity to see from close up how far Exponea’s story will go, and probably to help a bit in getting there. So enough about my impressions; let us come back to the audit.
What is the GDPR audit, actually?
Selecting an experienced auditing company means that you have auditors of proven quality at your disposal. Keeping experienced auditors is one of the biggest challenges for accredited companies, since they are regularly reviewed by internal and external (accreditation) procedures, and this applies whether the audit is accredited or not. As I see it, to be a good auditor you must be very strict.
The added value of auditing generally is that you provide assurance about compliance with agreed requirements. In this case, those requirements consisted of all relevant parts of GDPR, elaborated in a complex questionnaire.
GDPR requires security but does not specify complete and exact criteria. Security was therefore to be proven against criteria based on ISO 27017 and ISO 27018 (extensions of the ISO 27001 standard for cloud computing and for privacy in the cloud). For this audit, we also agreed to have it serve as a surveillance audit for our existing ISO 9001 and ISO 27001 certificates, to check ongoing compliance as well.
Challenge #1: Both of us were going above requirements
Even with the agreed criteria, it is always a challenge to align views on how we ensure that we fulfill all of the GDPR’s requirements. We agreed that the 1st stage of the audit would be based on reviewing documentation and procedures. This lasted 3 weeks and was executed as regular remote sessions plus offline study of our documents by the auditors, who went through them and compared them with the questionnaires to cover all requirements.
Just to give an idea: the explanation of our pseudonymization in the Artificial Intelligence modules alone, for the DPIA (Data Protection Impact Assessment), lasted more than 3 hours.
As both sides (auditee and auditors) were doing this for the first time, just to be sure, we both went above the general GDPR requirements.
On our side, whenever there was a doubt (Are we obliged to have a DPO? Is a DPIA compulsory for us?) we chose the more difficult path. We have a DPO and we did a DPIA, rather than defending why we thought it wasn’t mandatory.
Challenge #2: We see different ways to become compliant
Another challenge was that at Exponea we do not have complex internal procedures. We rely on extensive training and on explaining principles through practical examples; pure theory plays second fiddle. This is supported by continuous personal education and re-evaluation of what we had previously learned.
But, as the auditing company understood the GDPR requirements, they asked for policies and procedures on more than 22 topics.
We had to align with their understanding of how the requirements are implemented, and document more precisely all of the approaches we actually use. That meant a lot of internal time to make sure that everybody was aware of what is written in extremely long documents.
Sorry guys, this is why you have to read all of those documents!
Another good example of the strong dedication and determination to get where we wanted to be is that the first version of the extensive Privacy Handbook was created with the CEO’s personal dedication (Thank you, Peter!). Our CEO also went through all GDPR requirements and presented them at our “All Company Meetings” as training for our GDPR Fundamentals internal personnel certification.
Challenge #3: Do not try to find logic!
At Exponea, the result of having a bunch of extremely smart people together is that you can rarely ask colleagues for something without them coming back with the question “WHY?”.
We have had many discussions that I had to end (sorry, I ran out of better arguments) with “Please do not try to find the logic, it is in GDPR!” I would love to have smarter arguments, but if the objective is to pass certification, there is no real benefit in discussing what we cannot change.
There are many requirements in GDPR where only practice will bring the smartest implementations, and despite the fact that we are trying to be pioneers in the most compliant way, some implementations are far from perfect and cost-effective.
Being able to demonstrate compliance means a lot of evidence must be kept, and many security measures are not the least costly investments either. What I was also trying to explain to my colleagues was that it is definitely not a good idea to argue the requirements with the auditors during the audit. They are here to examine us, and we want to know every possible weak point that must be improved.
Challenge #4: Privacy by Design, Privacy by Default
One of the hardest parts of implementing GDPR requirements is, in my opinion, Privacy by Design and Privacy by Default.
I can only imagine how hard it must be for companies that are using software and processes implemented a long time ago. From my previous consulting practice, I know how much time and effort must be invested in changes.
GDPR has been here for almost 2 years, letting companies prepare for the requirements, but in my opinion, for most companies it is just too short a time, e.g. to change their software if it is not compliant. We are lucky that even our oldest code is probably not more than 4 years old, with most of the developers still in the company. I can hardly imagine how, somewhere else, code could be reviewed for privacy compliance if the development team is gone or has significantly changed. It might be cheaper or faster to start from scratch.
Also, it is difficult even to formulate requirements for change, as these are based only on principles and are to be adjusted according to risk evaluation. There is nothing more exact on this topic in GDPR. Most software is designed to meet functional requirements, and I had rarely seen such strong security requirements, and even less privacy requirements, before I came to Exponea.
GDPR brings security and privacy into focus, which is great but very difficult to execute in practice in such a short period of time. Working on most GDPR features, and with a security backlog already identified in the past by penetration tests, internal audits and a growing SecOps team, we dedicated a lot of effort in 2017 (Q4 2017 OKR) to making the product GDPR compliant. We also built some great features as “ammunition” to help our customers go through the GDPR readiness process as smoothly as possible.
Challenge #5: They thought that we were messing with them!
Surprisingly, my previous experience worked against us during the audit. As an expert for the national accreditation body, I used to go with accreditation teams to check how auditors audit (another challenge for the certification body: witness audits are a compulsory part of the accreditation process, where the national body, through assessment audits, accompanies auditors and checks how they audit their client).
Simply speaking, there are only a few auditors who have not met me during assessments of their work, or during training I gave them for some of the scheme preparations I was asked to consult on for the national body. That put them in quite an uncomfortable position, and they wanted to make no mistakes, like forgetting to ask a tricky question or letting an answer be vague or without proof.
No wonder the atmosphere was thick during the whole 1st stage, and also during the first days of the 2nd stage, which was dedicated to checking everything in the documents against proof of established practice.
There was also a problem if I answered: holding the position of DPO, they knew that I was aware of all the requirements, but they did not believe the same was true for the rest of the company. So I was asked to let my colleagues answer their questions even when it was my turn.
Asked for the truth
I suddenly saw the devil’s grin on Michal’s face (the Head of Customer Value Delivery), and the last sentence I said to the auditors was: “Be careful what you ask for, you might just get it.” They had asked for practical examples of the claims in our reports showing how well we do. The auditors obviously thought it was too good to be true.
Michal became unstoppable. He showed them everything they managed to ask for proof of, and he was lucky that the questions moved far from policies and documentation to practical experience. I could have just sat and kept quiet from that moment until the end of the audit, as the auditors got what they asked for.
Auditors in trouble
People in our company are continuously encouraged to be proud of what we do, and they are ready to prove it at any time.
It became difficult to keep to the time schedule, and the auditors stated that they were pressed for time. The rumor spread quickly.
What to show them?
Everybody wanted to present how great their results were. The fact that all of our people have terribly full calendars, and had to leave for other meetings or calls with clients, saved the auditors from losing track of the audit schedule altogether.
Our gambit paid off
As the audit had a strictly allotted duration (according to the ISO standards relevant for accreditation), there were several parallel audit teams simultaneously auditing different topics, to cover them all in a reasonable time.
I was just coming back from my visit to the SecOps team, which was dealing with our vulnerability management, when I walked into the room where the DevOps team was, spotted something on the big screen, and managed only to shout “Don’t do that, you don’t mean it?!” But I was too late. Our Head of DevOps had just killed one of the servers to present our Disaster Recovery Test LIVE. I have never seen anything like that during any of my previous audits (a walkthrough test always worked fine for me, as an audit should never have any influence on live production).
But as usual, the Head of DevOps knew what he was doing, and the auditors could observe the self-healing of our architecture with their own eyes.
I think this particular moment was the game-changer.
They stopped trying to catch us cheating and just did their job, finishing the list of questions and filling in the spots they wanted to see live after checking our documents. Suddenly they ran out of questions, and the drama was over.