As necessary and compelling as the GDPR regulation is, most companies might not recognize the value of the GDPR requirements when it comes to their business’s internal communication. GDPR compliance instead feels like more of a pain than a gain. From another perspective, GDPR is an admirable initiative that puts consumers first by giving end users back some control over how their data is processed, and assurance that a company is accountable in all matters concerning their data privacy. This not only bodes well for the company’s reputation, it protects the company. GDPR principles provide a welcome opportunity to re-examine the data security of a company’s internal communication solution, which should mirror the measures taken to protect the data privacy of its customers.
At Beekeeper, innovation is never sacrificed for data security. Meeting GDPR requirements and ISO 27001:2013 Information Security Management System requirements informs the day-to-day functioning of the product engineering team on every level to continuously strengthen the Beekeeper platform infrastructure.
To provide a high-level overview of the product approval lifecycle, I’ve broken down three of the primary aspects that go into building new product features that meet GDPR requirements and ISO 27001:2013 best practices from an engineering standpoint.
Assess Proposed Product Feature Pain Points
When a customer fills out a feature request form, our customer success team submits this to the product team. What follows is the review process:
- The first step before implementation is to look at a feature based on the pain points it’s trying to solve and address.
- All features then go through an approval process to assess what will be achieved with the proposed features.
- After analyzing these findings, we conduct a Privacy Impact Assessment (PIA). For example, say that a customer requests the ability to back up business messaging app data. This requires that product engineering build export functionality into Beekeeper. To ensure we are compliant, our DPO (Data Protection Officer) reviews the PIA for GDPR compliance within the ISO 27001:2013 ISMS framework and either approves or denies the product feature.
- If the product feature is approved, after our product engineers build it, they must then submit the completed feature again to our DPO to make sure the finished product is compliant.
Ongoing Quality Assurance to Ensure Data Privacy
During the entire internal product feature review process, we make sure reviews are conducted by more than one person from Beekeeper to:
- Make sure the new features, such as secure messaging, are indeed secure
- Assess what needs to be further encrypted
- Create user access controls as a further data security measure
This testing is completed by an entirely separate department: our Quality Assurance team, which operates independently of product engineering and focuses on actively testing our business messaging app against these criteria.
Annual Third-Party Data Security Testing
At Beekeeper, in addition to automated security scanning, we have yearly penetration tests performed by trained third-party professionals. Each year, Beekeeper hires these independent and highly trusted third-party testers to actively find gaps and rigorously assess vulnerabilities in our business messaging app infrastructure. Monthly security trainings that cover the latest in data security best practices are required.
The most important task for the Beekeeper product engineering team is to protect our customers’ data privacy. Truly caring about end users involves continuous, demonstrable efforts that put customer data protection first without compromising our business messaging app’s performance and usability.