Tudock GmbH is a digital commerce agency focused on Adobe- and Magento-based platforms as well as search and navigation in eCommerce platforms. Michael Wolf is its founder and CEO, with more than 20 years of experience in digital consulting, developing digital strategies and building sales channels.

Michael explains that privacy starts with the employees, or even before that, within the recruiting process. Legal compliance is protected by using a dedicated hiring management system that meets the highest GDPR standards: no applications are sent via email, which both ensures GDPR compliance and streamlines the whole recruiting process. Furthermore, interviews are designed so that no personal questions, e.g. regarding an individual’s health, are asked.

The onboarding process then educates new hires about how, when and for what purposes data is used, stored and processed. This opportunity is used to create awareness of privacy and of the high standards of data protection at Tudock. A general introduction to data handling and protection is extended to handling and processing personal data on your own device, where your work life meets your private life.

At Tudock, these rules are called ‘Richtlinien für mobiles Arbeiten’ (policy for mobile work), which is especially relevant in pandemic times, when many people work from home and take sensitive customer or co-worker data with them.

Another step they are currently working on is moving towards a paperless office. Michael points to the personnel files, which are currently kept both digitally and on paper, with the plan to be fully digitised by the end of this year.

‘All in all, and considering we’re a small agency with about 25 staff, we are on a good way and striving for more protective measures for privacy’, Michael concludes.

The conversation moves over to maintaining this awareness after the onboarding process. Michael explains that high awareness is always present due to the nature of the services Tudock offers.

Security and data protection are extremely important for their work, especially for their eCommerce developers. This awareness is carried into other departments as well. It results in two-factor authentication, password management (instead of sticking passwords to the screen or similar) and, most importantly, hiring an external data protection officer who can be consulted by employees at any time or during consultation hours to clarify questions or concerns.

New or updated regulations are presented in meetings with their solicitor, who also runs the training for new hires.

For project work and internal processes, they have been audited in collaboration with TÜV SÜD (author’s remark: an independent service company from Germany and Austria that tests, inspects and certifies technical systems), even before 2018, i.e. before GDPR came into force.

Why data protection is important: an advantage, not a legal nuisance

At Tudock, GDPR and privacy standards have a higher overall priority because of the services offered. This is an important message they strive to convey to clients: the more Tudock knows about data protection and privacy, the more of this knowledge can be passed on to customers. This establishes trust, especially because eCommerce clients work with sensitive data such as their customers’ credit card details. Hence, the whole topic is a never-ending, constantly evolving process, not a series of single events that need renewal every five years.

The challenge lies in maintaining those privacy-enhancing standards in everyday work, especially when deviating from your usual routine.

But it does not suffice to hand employees legal documents, as this does not resolve the problem but merely pushes the responsibility onto the employee. Instead, they need active support through training and the support of the data protection officer.

What are the GDPR standards you commonly find in your clients, and how do they typically react to Tudock’s high standards in GDPR and privacy compliance?

A certain awareness, driven of course by legal GDPR requirements, can be found in all companies, but for the larger ones in particular this is an important topic. At Tudock, this begins during the lead stage with the signing of an NDA, which is then deepened during onboarding with a data processing agreement that sets the framework under which they may process clients’ customers’ data.

In smaller companies, this often requires a bit more education and discussion about why this is important and necessary, as enhanced protection often entails additional costs when developing a platform. Those costs represent a more significant challenge for smaller companies than for bigger ones. Nevertheless, the regulations must be met.

For projects taken over from another agency, data protection is sometimes ensured by running security audits. Michael remembers two cases in which the audit revealed a data leak, on one occasion redacted rather indifferently. Even though that was before GDPR was in place, security audits, not least for Tudock’s own safety and compliance, are now standard practice with every customer.

Today there is a generally higher awareness thanks to stories like this and similar ones published in the press. This awareness is also carried into the workplace.

In the end, in case of a data breach, a transparent way of handling the situation is key. Dealing with its consequences is a way to maintain trust, which is of utmost importance for Tudock.

The conversation takes a slight detour to homeschooling during the pandemic. Both Michael and Nina share their experiences and conclude that data protection and privacy standards were often abused and disregarded, and that no one educated the children about how to protect their own data online or why this is important.

How can saving and processing of personal data be avoided in eCommerce: Do you think that’s possible?

In eCommerce, a certain amount of personal data is required to process the order; think of the address or credit card details needed to process returns or complaints. However, in order to increase security and protect privacy, that data can be encrypted and only decrypted on demand. Furthermore, now with web 3.0 and blockchain technology, data can be stored in a decentralised way. But not storing it at all, I think that is hardly possible at this point. Just for visiting a webshop and searching for items, however, it is certainly not necessary to store personal data at all, Michael concludes.