Mergodon is a typical small family business. In practice it is run by Mate and his wife, Suzy.
Mate works in web development and project management; Suzy is an HR expert. Their businesses are separate legal entities that share the same infrastructure. Mate is the IT guy in both cases.
Suzy has customers from all over the world, especially from Europe, and these citizens are covered by the EU General Data Protection Regulation (GDPR). Mate works with companies from Europe and the USA. In addition, both businesses must comply with New Zealand’s Privacy Act (NZPA). The requirements in these regulations can be very different and confusing at first sight.
Let us first hear about Mergodon’s challenges from Suzy and Mate.
“Running these kinds of businesses, we were naturally faced with a couple of challenges related to data protection and information security. Our businesses have grown well, and that gave us a lot to do. Of course, we had a previous basic understanding and knowledge of privacy and data protection, but we needed somebody with detailed knowledge of not just the New Zealand legislation but the European legislation too. In addition, these legislations change regularly, so we needed somebody who can follow these changes and help us to stay up to date. We heard a lot of stories about cyber incidents in the kiwi SME community, and we cannot afford to be a victim, as it means that most probably we will be out of business soon, and that is not in our business plan.
We asked Jozsef for help as he had some knowledge of our activities too.”
What happened?
“The whole thing started with a lot of questions in interviews. At the beginning we were a bit frightened by what was requested from us; it looked like a lot. On the other hand, we knew from our previous lives at bigger companies that this is always a good start for a project, and this is the right thing to do first. Questions about what hardware and software we use and how, where we work, where and how we collect, use and store data, who our service providers are and so on. Jozsef interviewed us and our accountant too about customer data handling and protection practices. He even checked our websites from a security point of view.
Based on the findings we got an initial report. Before finalizing it, we had the opportunity to discuss the findings. We learnt a lot about the WHYs in security and data protection.
Later we got proposed recommendations to improve our security and compliance stance. We agreed with Jozsef to make sure that we got all the requested documentation, including policies, guidelines, baselines and in-house standards. Of course, we had to implement some changes in our daily work and routines. Now we have some repeating tasks which are very useful. The whole project closed with security awareness training sessions for us and for our suppliers. We learnt that without them the whole defence will not work.”
What are the benefits for Mergodon?
“First of all, we are compliant with GDPR and NZPA, and we are better organized and prepared. (We can sleep better. :) ) Now we have a service to keep us updated on regulation changes. We built much better protection of our customers’ data and against the potential consequences of a data breach or an information security incident. We don’t plan to pay hefty penalties or extra costs because we tried to save a few dollars here and there. We feel our customers’ increased trust, as they see that we do take care of their data. In addition, we got an enterprise-level service without the usual price tag. Actually, we implemented some learnings in our own business processes as well, which is an extra perk.”
How long did it take?
“It was like a very quick, well-prepared audit; it took less than two months.”