Talking to Michael to learn how he took on the ISO security role and kept going with formalising the agencies use of GDPR improvements.
Podcast Show Notes
Michael Bailey has been Senior Web Developer at Pragmatic Web in Brighton for a few years. Joining the Pragmatic team in the spring of 2014 by persuasive director David Lockie. Writing code and working on current role of compliance officer for both ISO security standard and GDPR.
We talk here about Michael's journey through understanding the GDPR regulations to practical steps and learning along the way. How he has been able to set about working thorough issues for improvement in their own systems and client contracts.
- Read more at https://pragmatic.agency/
This episode of Cliff Notes Podcast: Lead manufacturing, host and founder of Holdingbay Tristan Bailey talks to Michael Bailey for the Cliff Notes podcast. Michael is Senior Web Developer at Pragmatic Web and DPO for GDPR.
The websites he builds are clean, modern and elegant in design and function. Most of the websites are built using the WordPress content management system. Which Pragmatic specialises in for large companies.
- Tweet to us @cliffnotespod
0:08 Hello and welcome to another episode of the Cliff Notes podcast
0:11 where we ask some questions and find a way. Today we take Michael Bailey from pragmatic in Brighton about how they've been approaching GDPR and what they've been doing to get compliance. Hello there. Michael interesting.
0:29 Um, could you just give us a little bit of a background like, what's your, your sort of web skills, where's your, where's your
0:35 skill set or background come to, to, to get to this point?
0:38 Well, I was working as a web developer, therefore, pragmatic about a year ago in the school department. And I've been on point maybe three years in a few different web development roles. And one of our big enterprise clients that sort of insisted that we apply for and again, and again, ISO big accreditation, and pretty much everyone in the office didn't really want to do it, you know, especially web developers, they, they want to code. But, um, I have a certain kind of mind, you know, particularly is that I work for pragmatic because I'm a perfectionist. And in fact, part partly I went to work for them to learn to be a bit more pragmatic about how, in a developing websites, that among other reasons, I went to work for them. But that that turns out to be a pretty good skill set in, if you can rein it in, you know, and not be overly perfectionist, you know, and an over scope everything, it's important to be meticulous, you know, with these kinds of legislative jobs, and I, you know, I'm pretty good at writing. And I could do a lot of the kind of document working Confluence in the back end, you know, like style sheet changes and PDF style sheets. So I said, Yes, and I got cracking with that. And that went really well. And in February, we passed the ISO 2701, a, lot, I'm pretty good at that kind of stuff. And, of course, immediately GDPR are came rolling over the hill, and everyone turned to me.
2:03 And so, you know, it's essentially a very similar kind of task as similar in a way. I mean, is, it is a big prescription of a system really, and GDPR always legislation, but ultimately, to deliver full compliance, the GDPR. Are you going to generate a document set that describes a system that has some policies and statements about what you do and don't do and how you might train or monitor your staff and how committed leadership are and it's got a very similar feel, in fact, I use the basic ISO document framework as their kind of skeletal starting point of the statement of compliance for GDPR. And I gave me all the kind of document controls and and and statements about the leadership in practice commitment to GDPR on various really useful resources were already there in the documents sets and. And so yeah, curious route. I'm not a never introduced myself as a security or privacy officer. I seem to be one now. I literally today renegotiated my contract there and I'm now the information security manager at pragmatic and naturally, therefore, I'm the frontline on GDPR.
3:11 And I mean, in terms of a skill set or a piece to take on a role like this, is this quite a sort of technical programming role? Or is it as much a sort of process and sort of almost political roll illegal role?
5:41 But it's not in any way essential. Aside from that, I think any anyone doing GDPR is eventually going to need some web development support,
5:50 Just to give us an idea for people who don't know, pragmatic, I mean, what sort of scaling you having to work with? Is this just for your own sort of products or services? Or have you got other class and things that are going to need to work with this?
6:03 Well, in terms of our compliance, there's essentially two lanes to, if you like, although we'll probably, and you can get into one statement, there's us as a controller, and producer of the personal subject data, we collect and use from our clients, our employees, our suppliers, anyone who we collect data from, and then use as part of our business and our services. And then there's our clients specifically hosting development and support clients whom, because we either retrieve or store data for them, we retrieve it. And we're doing web development, you know, we grab the database, and then locally run up a couple of copy of the website to make changes or as a host, you know, it will sell for hosting services, the very storage of that is processing from the GDPR on view, that's a more nuanced and complex, certainly legally complex, or you could say him into organizationally complex, because you now got a you got a relationship with a client who has a set of GDPR requirements that they want to push on to us as the processor. Yeah, and we're getting, you know, we're getting data protection agreements coming through from clients are saying, sign this and I read it and I'm like, Oh, my God, that's like, at we're responsible for absolutely everything, you know, so we that lane where, where the where the process of our clients collected some personal subject data that's more nuanced and tricky.
7:35 And that that makes the requirement or entry because, you know, more extensive for us? Does that answer your question?.
7:44 No, no, no, I think that's, that's good. What I was trying to understand. And then to bring it on to help you, the audience was where the GDPR are ends up being something that's like a process that you can share. This is the process, we will work with you or without, it's a bit more like a contract and will have to be tailored to every customer and every customer's needs might be a new ones variation.
8:07 It's for sure. The latter. Yeah, I mean, it's clear in GDPR are there must be these contracts that are GDPR are themselves GDPR are compliant. Yeah. So that could be in the form of a service agreement that has the data protection section in it, which we've now we're close to finalizing our new legal ease on that or separate yours, you can pull out the DP a bit of that and make a selection agreement. And that's for sure, something we need to redo with all of our clients. Ultimately, and it's actually an opportunity to, you know, get new new contracts in place, that's for sure. Now, but there's also procedural elements to this, of course, and there's, you know, behavioral change internally at pragmatic, not only in the way we deal with data, but the way we, you know, interact with our clients, and that will be expressed as processes, procedures and policies in the end. So, I think the answer is both. But legally speaking, it's, you know, is the contracts that as far as I can tell, at the moment, and I want to say that I'm in no way an expert on this, I've been about a month in the details of this, and that is not long enough to become an expert. And, but as far as I can tell, there is, you know, regulation or a requirement to have contracts that meet and fully the GDPR on regulation,
9:35 So, is that something, therefore, you've been having to start, or at least direct internal training as well, to get everyone else on board as a company
9:45 That will come for sure, just like with the security work, we did ISO, so there's all bunch of policies that the came out of the scary work, and there'll be a few that come out of this GDPR that we need to, you know, tell us generally on board into the business, ultimately, there will also be monitoring and training around this, and information security, but like I so I know that GDPR are, there's a, it's fine and absolutely necessary to roadmap, a whole bunch of it, we cannot eat this whole elephant at once, what we need to do is get the, you know, the central compliance pieces of the puzzle in place, and have a bunch of policies that we're going to roll out, roll them out intelligently, so that the staff have time to digest and, you know, an X on those, get the training going in good time. But, you know, to try and get all that done. Now, by May, far, would be foolish. Yeah, so, what we will have in place by May a, it's all legal stuff covered, or very clear communications to our clients, very good contractual data protection sections, and a real roadmap for, you know, better and better staff awareness and training, ever improving processes, procedures ever reviewed, and policies in on this, it's not like that ever ends either.
11:06 What I need to get in place by the, is, yeah, all of that legal stuff, sound and a very clear and, you know, let's say, a roadmap that not only clearly covers all the things that we were then going to need to do in terms of improving our data protection practice, but improving the system around that, and all the policies and procedures as a roadmap. But just because there isn't time, like, physically or temporarily isn't time to get that done. And secondly, you can't, you know, out of the ISO workflow, a new policies came, and you can't just you can, you could just email all the stuff, hey, we got is new policies, and you could assume that you've, you know, as it were, implemented those, but that's not something I'm going to do, because I want to make sure they actually read and digest these policies. So that has to be part of our, and now GDPR will be all plugged into our you could say, information security and privacy roadmap at that point.
12:06 So it's very much. It's a layered approach and, and sort of implementing what is required or what is the basis and then layering on the next the next levels.
12:16 Peeling the onion in reverse? So, starting from the center,
12:22 Yeah, and I mean, how much time did you say, You've so far, you've given yourself as a company, sort of a month, and there will be obviously another month to go to get to the basic point that you want is, is that sort of a guidance, you think, because of a couple of months for, for people to get get this thing sort of up and running?
12:41 And then, where'd you go after that?
12:44 I would say so. I mean, as I said, I think it might have been, before we started, I have a slightly perfectionist mine. So I want to get everything really lined up all the ducks in the row that T's across the i's are dotted. And for me, it will take easily up until the time, you know, the actual deadline to have that core, you know, the core of the onion as it were to stretch that metaphor in a fully in place. And then there's these other light layers, as you say, this layered approach to take on it on the roadmap. After that, because I'm so meticulous and I also want the documents to be easily read and the communication to be really digestible etc. Yeah, it's going to take me I don't know I only work four hours a day, but it's flat out every day, it's probably going to be three months for me but I work four hours a day. So that's four concentrate hours. That's about two thirds of any ordinary employees working day. So let's say two months for a fairly meticulous character to dive in and get the core of this in place. Yeah, from particular character wants to communicate well and have a set of documents that are easy to read, you know, can be printed nicely. You know, it's all of those like refinements around that call now somebody wanted to smash this out, you know, get it done could probably, you know, they would they would compliance and legal advice on tap because they're going to run into questions. I can't answer for themselves over and over again. They could probably smash it out in about three or four weeks. Yeah, if they add the legal and and kind of technical support ready, you know that they need when they need it and then waiting a week for legal response or two weeks to get a web developer involved the weather that's going to delay everything but an actual time I'm going to guess about two months.
14:26 So if you've been able to have legal counsel or be able to get things together in sort of punches to put back to get clarification.
14:35 Yeah, we have a lawyer in house who doesn't exactly sign off on legal things but is a really good you can say the gatekeeper between me in this case and the actual legal team excellent legal team a gatekeeper because they're very extensive the legal team, but they're very, very good. So what what mark our internal legal mind does it sort of gatekeeper and also kind of make sure the question and what we're asking the legal team isn't going to be trying to say time expensive for them because that's cash expensive for us but yeah marks action holiday to take which is bit tricky, but he's my go to guy and you need that you need someone unless you've got a really good legal mind or policy, mind you just need some support even before you go to the the expensive lawyers, you know, someone to sound off on because this is complex stuff and the interconnected ideas in the reckoning the regulations are hard to keep in your mind. You know, to, to, to understand any one line of the red regulation can mean holding three others in mind while you read it. And then you might need someone to backstop and sort of sound shambled on ideally, someone with some legal or at least a really good. I have a technical not technical, it's sort of, you know, the mind that can hold a different things in its in my end, whilst assessing a conclusion based on those eight premises, you know, it is quite complex stuff. And in the end, when you've drawn up what you fill out, legally, sound and GDPR are compliant documents you ultimately need, obviously, professional legal sign off, I'm also finding lawyers are a little reluctant to go beyond offering the the professional advice on GDP, or even our ones are a bit windy, because it's new, there's lots of, you know, there's probably going to be a bunch of amendments that come and it's quite ambiguous in places. So this is really like, it's quite tricky duty moment is such a young piece of legislation.
16:33 I mean, there's, there's the piece of advice that I've been giving similar to that is, and then seeing from the lawyers, though, speak to is, is that they want to give advice as to how to sort of set your processes up. But as there is no tick mark, there's no no qualification for compliance. It's not a setup as much as an ISO standard, or anything else like that, or another piece of law that they're waiting for the case history as much. I guess a lot of us are waiting to see examples of other companies and how it's worked or not worked for their implementations. Absolutely.
17:08 And if you look at the big players, you know, Cisco, Microsoft, even WP Engine, who are our hosting companies, it's a little while for them, and for the kind of care about their protection, and we're going to do everything we need to legally. But they're not making clear statements that fully wrap in the regulation and present it as a very obvious GDP, our response, whereas Google are doing really well with it, I think, you know, but I'm encouraged by, you know, these huge organizations that are also struggling because as little plug pragmatic, you know, it's a struggle because of yet it's so new allies are waiting, as you say, for a case history, everyone's waiting to see what happens as, as we will try and roll out. But I think that's great for everyone. And I think there'll be leniency in the delivery of, you know, of this regulation around that, you know, because even lawmakers understand that this is a kind of early phase of the implementation of this
18:03 And just to bring it back to some of the practical things is, we talked about sort of roughly how you've got to the point that you're, you're aiming at, for the, the, the start of the regulations in May, and what's the going to be the follow up roadmap, I mean, is that another six months in the year, what's the, to give some sort of flavour to that?
18:27 Well, in terms of the core, say, policies or, you know, internal, you know, stuff that's internally impactful, you know, for, for staff, and leadership, you could probably roll that out in a few months, you know, a few policies, a little bit training, and so on. But then you really want to get into ongoing training and monitoring, and ideally, continual improvement. So there's really no end to it, especially, you know, ongoing training, right, and, you know, testing, you can have random testing of stuff, these are things we can say, during, of course, most of our mind at the moment is in implementation of this core, the core of it, and the rollout of, of, you know, there's net, the next layer, which would be policies and any impactful internal changes that are required. Beyond that, it will be like, Okay, how do we continue to improve this, how do we, which will include a ongoing awareness training for staff, etc. And there's no end to that. But I would imagine that in terms of already robust statement, and then internal change three to six months, in our case, we're going to wrap that all in with the security policy stuff. So it's going to take a bit longer, but if we just silo GDPR are, you know, I would say, four to six month but that's not because it takes that long in actual kind of time, it's just that you deliver a policy, you want to give staff time to read it, you want to go nice presentation on it, you're going to get read receipts on them reading it, you know, you want to take a bit of time with that rollout, giving people, you know, psychological time to get used to all these changes. And with that embedded in the timeline. That's good three to six months, let's say,
20:05 Have you seen. I mean, obviously it's still early days, and it's not not sort of fully in practice with with anyone at the moment but have you seen any things that that you feel are positive outcomes or benefits, even from from using these processes?
22:05 So that's, you know, it's really just the downside is its new legislation is all encompassing, and there's a lot of wrangling and figuring out and refining to do. But this grand scale changing in the way companies must think about an act relative to personal data is more than welcome, is, it's absolutely essential as we go into the next phase of it gets a civilization. I mean, this is really on the back of the internet being born, and all the all this data being available to companies, and then they're just using it nilly for their own, you know, commercial gains. And now it's time that that responsibility is inserted into those businesses, and the way they use that data.
22:48 Yeah, I think it's totally respectful. And I mean, you follow a set of practices, and people follow us at practice to, to either build apart or to converse with someone coming in and, and taking a sale and taking someone's money and things, but to actually deal with that person when the persons not there, but you have a lot of detail about them, and in your innocence in acting things upon them, or potentially things that will come back against them, as has been seen in a lot of the sort of American cases of data loss and privacy, they need to have those processes to you need to be respectful people, people are, are made up of their parts and their history and their, the much of their data about them as much as they are as a physical person. So I think respect is is a good thing to add in. But it certainly is a challenge to add back into to earlier applications or applications that are a bit more legacy older, older things, it is certainly this sort of privacy by design. And starting from scratch. Does, does feel like a greater aspect, especially for for me on this sort of more development. And rather than just just on the process.
23:56 A big challenge, a big chance and this is why it must be roadmaps. Right? You got overly complex application that in the past was legal, but now is no way legal. I mean, you know, if that's the legacy that the time required to turn at that sort of tanker around this can be, you know, tremendous. But I think as long as that's properly, roadmaps and understood and expressed in a compliant statement, that's fine. And then you've got get on and do it, but the doing of it is, yeah, like you say, respecting the privacy of others, you know, something that corporations ideally would have just unnaturally. But as we all know, most corporations, their goal is profit, not respect, you know, so that's why you have to have a legal basis for the thing sometimes.
24:39 And that's great. And I mean, as we come come back on that, that legal topic. And of course, all of this is, is our understandings and our discoveries for it, it doesn't am standards, legal recommendations, you should still go and consult your own legal counsel. And it is the thing that there is a process. It's very similar and hands off between companies, but each company does have their own needs and their own data and should be looked at separately. So, absolutely. So that's good. Um, so just to leave us on then, do you have any pieces of insight that you could give us as to things you wish you'd known at the beginning of this process that took longer or shorter or just things that were very actionable and you felt there was a good result? We're not not that one out that you could pass on to people? Yeah, I think in terms of what I wish I'd known earlier.
25:27 Well, you mean, I learned it at the right time, you know, I guess for me, but if I if someone could have given me a heads up on the well, the definition of processing in the GDPR means that a lot of companies that don't think they process. The others do, and that's where you really must see that, if that's true for you have nearly everyone's going to be a controller and process where the data they collect and use but you if you touch anyone elses in any way data, you know, even just retrieval. Once you become a process of that data. And that's another set of requirements that you have to as many the article processes as a processor. Yeah, I would love to know that because I would have, you know, a couple of awkward interactions with clients who knew that, and I didn't, you know, early on, so that was a bit awkward. And additionally, what else would I want?
26:15 Well, I did find maybe I'll find if you have and just say it out loud. They're just wonderful GDPR-info.eu, it's a really excellent version of the GDPR is a web document is an interlinked hyperlinked, beautifully presented version of the GDPR. Yeah, if you go to the actual European Union GDPR document is just enormous PDF, which isn't no there's no hyperlinks in it. So when you mentioned article in Article, challenge, you just click the link and I was just I would have liked to have known about that earlier that wonderful online version of the GDPR Doc. And that was one of the thing. Oh yeah, just know that actually the important thing now is the core layer a layered approach and to be just to relax around not being able to cross every T dot every I and and take care of every loose end, you cannot it's too vast and you're in the same position as Microsoft and WP Engine and Cisco and all these other huge companies who are still wondering exactly how to deal with all the edge cases and loose ends and it's going to take a lot of time to for everyone to synergy is around how we do that and rest, you know, rest of it easier.
27:41 Therefore, get the core right and roadmap. The, the next couple of layers and make it clear and your statement but you know some you know some things like the rock clauses in like the definition of sorry this is worth mentioning. Yeah, there's a there's a whole I think it's a one or it is the one where as a controller and appropriate processor, you've got all these requirements relative to the data subjects, some of which don't apply if then then this great big paragraph that includes vitally something about the processing being occasional yeah now that's interesting because one of the types of processing is storage that storage cannot be is you can't you can't apply the question of occasion ability to storage. It's just a constant thing. So these kinds of, you know, you could say definitional difficulties in the in the legislation itself. I just cannot you know fathom how to solve right now. And that's why lawyers need case law to count, you know, case histories to come about and the determining of what occasional means and how that in any way you can illuminate what processing is relative to storage is something I can't deal with right now is I'm deal with a ball, I just need to be clear on that and be relaxed about it for now. That's so that was a long way of saying, relax about the sort of refined difficulties at the edges.
29:12 Yeah, the thing that's my sense, I mean, the previous version of these, these laws were more that you had documentation for it, that it was a sort of like a one, not exactly one and done. But in that sense of it was written down as a process. Whereas I think definitely, this is designed to be a perennial roadmap, forever roadmap I it's a, it's a, it's taking on this policy, it's embedding it into your company, and the sense that you can do a load of things now. But the, the idea is never that you have it done, it is a living process. So it is acceptable. But as long as you've got a roadmap, and it's not I will look at this in that years, it is some sort of practical roadmap is totally applicable. And obviously, you still may get caught out with with with me issues and things. But if it can be made clear that this is part of your process, and you do have a way of action in it, it's almost most important to get that legal stuff up front and have a process for action in any of this stuff should should issues arise and then stop filling in the gaps to sort of layering and improve that process.
30:21 And so just just to give us a wrap up on that, because I think there's been a great sort of talk through what what gt berries or how how you've been able to more action it rather than a sort of covering specific or legal issues and sort of point by point and coming, coming back to yourselves and pragmatic, is there anything that you guys are working on or we can see coming out from you either in this area or something else that might be interesting to catch up them
30:48 in terms of GDPR?
30:50 indeed I mean GDPR are or other other activities that you guys are working on at the moment that that might be of interest.
30:57 Well, I'm a little bit. I mean internally, where we ever evolving Dave our bosses aggressive is an odd word to use in this case, but he's, he's a growth is a grower. He likes to grow the business and often a lot of internal
31:11 changes. And, you know, we went from five to clear men and women in two years. Last deal going on, but I don't know what's going on much in the south. I know that there was a real push for more enterprise level projects and clients and there's definitely a big push for more and better agile development methodologies to be used in house, but I don't really know on the grand scales strategy. What's, what's a foot so much there, I got my head so far into this sort of privacy stuff at the moment that I can't see that I can't I can't see any of that. And, but in terms of GDPR, or no, not really, you know, our goal is to be super compliant, we're not man. Well, maybe when the dust settles, you know, as a web developer,
31:59 I can see that as a great WordPress GDPR are plugin possible to write and the ones that are out there so far aren't great. And we may eventually do some of that. But at the moment. Now, we're just it's quite new, you know, ISO and now this is part of pragmatic moving to a much more professional mature agency phase. We might even lurch into at night ISO just one day, you know, really just want to become an ever more robust mature agency. And this is part of that.
32:33 And in terms of how we're achieving that, in terms of sales and marketing or any other activities, I simply don't know I'm so far inside this little bit of it, which is becoming a more, you know, if I so you have to take in health and safety logistic all legislation in any way relevant to the business is also part of my remit. And we've always done that, like any, any early agency, a little bit ad hoc, you know, covering our bases, making sure we were essentially legally compliant and that was about, you know, document control being really robust, having it all really coherent, cogent set of policies and that's my job and my head so far inside that I'm not even looking at the south channel in slack or the moon as summary. Therefore, and I know that the pragmatics very sort of leading light in the UK for for WordPress development.
33:19 I mean, what sort of clients or people might be interested to come and talk to you is this sort of local stores e commerce large large enterprise, but what sort of companies or products might be useful for for working with you.
33:33 Right. Yeah. So, is anyone anyone really probably more like medium to large local businesses and then now we've got a fairly robust offering for enterprise clients who want a WordPress website or want to host a WordPress website or or want support you know we do site audits and literally anything around WordPress and websites. We don't do anything that isn't WordPress but pretty much it. You know, we have this I department development departments of all department we have SLA is available. You can do hosting we do a maintenance package apart that hosting, which is, you know, updating the site every month that with a new version so it's really anything inside the WordPress ecosystem. You could say we can handle and we don't do anything else.
34:19 So we're a WordPress web agency which includes design development hosting and support. We do that fully and we don't do anything else. And that's cool. And I think that's I mean that's sort of sums up sums up yourselves and what's, what's the web address or a good point to both contact pragmatic and yourself works is a good expression of where we're at, is just a https://pragmatic.agency great nice
34:45 and yourself Is it best to just sort of contact through the through the website if people are interested to learn more about what you've been working on and things.
34:55 Yeah. Certainly if anyone wants to know about our you know information security or privacy
35:02 standing and compliance. I would be eventually the one to speak to you can certainly if you ask that question on the contact form on our website. It will come through to me yeah like I just go by the website or my email address at work is m at pragmatic agency that's em for Michael at pragmatic the agency, you know, feel free to email me.
35:22 Well, thanks very much for your time today has been a good good education and good piece around as to where I want to run a big agencies been working through this and making a good a good steps to to get this stuff into into practice.
35:36 So thank you. It was my pleasure. Thank you Tristan.
35:40 Thank you for joining us for another episode of the cliff notes podcast. I love to hear feedback. And if you'd like to get in contact with a guest on myself. You can message me on twitter at Justin Bailey or on https://holdingbay.co.uk/podcast.
35:55 As always, please like, share and subscribe to this show on iTunes. See you next time where we can see how people are using digital technologies to move manufacturing forward.
Do you know someone who would make a good guest?
Send me your recommendation, recording is on a 4-6 weeks schedule so can book around their schedule.