So, what is GDPR? The General Data Protection Regulation is the new privacy law that came into effect in the European Union on May 25th 2018.
It's not like privacy protection isn’t a new thing in Europe. in fact, its expressly established in article 8 of the Charter of Fundamental Rights of the European Union. However, the purpose of this law is to upgrade the old legislation from 1995 to be more up to date with the ever changing technology landscape.
Two Reasons why GDPR has Been Making Such a Fuzz on the Internet
First of all, on a territorial scope, GDPR regulates the treatment done by a natural person or company established in the European Union. But it is also mandatory for those companies located outside of it.
The European Parliament adopted the legislation in 2016.
That means that any company that monitors behavior on the European Union or that offer goods or services to data subjects located in the Union mustcomplytoit. As such, it doesn't matter where you are located. If you are planning on having European users or costumers, you must take it into consideration.
Secondly... fines. GDPR establishes the creation of independent public supervisory authorities in all member states that are in charge of enforcing the GDPR. According to the gravity of the infraction, they can impose fines that can go to up to 2% or even 4% of the total worldwide annual turnover of the preceding financial year.
As you can imagine, this was done to ensure that there’s no company that is just “too big to comply”. Big company? Big fine.
Has it affected companies since release?
Yes it has. While for the first months most national supervisory authorities decided on a more educational approach by guiding those who wanted to comply, several big fines have already been imposed. In Portugal, a hospital was fined $400.000 euro for giving doctors unrestricted access to other patient’s medical records.
In Germany, a social website got a $20.000 euro fine after a hack leaked over 1.8 million users mails, IDs, and passwords. More recently, in France, Google got a $50 million euros fine for failing to provide users with transparent and understandable information on its data use policies.
5 Key Requirements That Demand Action
While there’s lot to do to get a proper and thorough compliance, there are some steps you can take to cover the crucial aspects of the legislation. Let's go over 5 key requirements that demand immediate action!.
Make a Personal Data Map
The first step to compliance is to be aware of all the personal data that you are collecting. This includes cookies, mails, accounts and pretty much everything else you can think of. If you have information that allows you to identify a person, that’s personal data and needs to be accounted for.
Be Transparent With Your Users
You must have full disclosure with your users regarding all of the personal data that you are storing. You must also properly identify and disclose the reason why you are collecting it. Plus, if it’s actually necessary to be collected. The most common hypothesis for data collection are:
The data subject has given consent to the processing of his personal data for one or more specific purposes. This applies, for instance, when you ask a user to subscribe to a mailing list.
When the processing is necessary for the performance of a contract. If a user pays me for storage, it’s necessary for me to process its data so I can fulfill my obligations.
The processing is necessary for compliance with a legal obligation. If you process payments, you may be obliged according to your local law to keep a register of your transactions. This legal obligation must be laid down by either union law or the law of a member state to which the controller is subject.
When it’s necessary for the purposes of legitimate interests pursued by the controller. For instance, let’s say you are a software company and there’s a security upgrade that you need your users to install, you are allowed to contact them or to keep a mailing list for such purposes.
If at any time you want to process data for purposes others than those it was originally collected, you should ask for additional consent.
What's more, you should take into account if there’s any link with the original purposes of the collection and the context in which that personal data was collected.
For instance, you may not need additional consent if you are processing additional data to check for bugs. Specially if the software is sending anonymized crash reports.
Ensure you get Appropriate Consent
GDPR requires you to be able to demonstrate that the person has consented to the processing of his personal data. If the consent has been given in a written declaration, it should be presented in a manner which is clearly distinguishable.
If you want to use someone’s email for a marketing mailing list, you need to expressly disclose this before collecting it. This disclaimer must also use an easily accessible form with clear and plain language. If there’re any infringement, the consent won’t be binding and you’ll be subject to a fine.
Additionally, the user has the right to withdraw his consent at any time. GDPR innovates in this area by demanding that the withdrawal of consent should be just as easy as the process of providing it.
One final consideration is that you should assess whether the consent is actually being freely given or if it’s done under a certain kind of duress by making it conditional to the delivery of a service, when it’s not really necessary for it to function.
Example: Forget about having your user’s just click “agree” o a registration form. You must be honest from the get-go about what you are doing with all the information you are collecting. All email subscriptions should disclose if the email sent is of commercial information, and provide the user a way to say no to that. This will be especially true when you are sending their data to other third parties.
Develop With Your User's Data Rights in Mind
One of GDPR’s key points are the rights it establishes for users. These rights give them more control and visibility on the data they are sharing. Accordingly, a company cannot refuse any request that relates to the exercise of these rights, unless it can prove it’s not possible to identify the data subject. We'll go over the common ones.
Users have the right to information and access regarding their personal data. You should provide your users with information about the identity of the company that is treating their personal data, the purpose of such treatment and the third parties to which that information is being sent to and for what purpose.
Then there's the right to erasure or right to be forgotten. The data subject can ask the controller to ask for the deletion of all his personal data when:
That personal data is no longer necessary in relation to the purpose for which it was collected o processed.
The data subject withdraws consent to the processing.
The data has been unlawfully processed.
A tricky one is the right to data portability. A user has the right to receive all the personal data that it has provided to a company in a structured, commonly used way that allows him to transmit that data without issues.
Example: Have your developers merge all your different tracking into one easily exportable database. That way you can easily answer data user request and be sure that you’ve properly erased all of your user personal data. At Prey, we developed a React GDPR on Rails tool for these purposes.
Upgrade and Document Your Security (Explained)
Although it's not its main purpose, GDPR has certain rules regarding data security. Taking into account the state of the art, the costs of implementation, and the nature of the processing, you’ll have to implement technical solutions to ensure the confidentiality and integrity of the personal data you are storing.
An organization should have the ability to restore access to personal data in a timely manner in the case of a physical or technical incident.
Regarding organizational measures, GDPR ask for the implementation of a process for regularly testing and assessing the security of the processing.
Finally, the law makes it mandatory to notify the supervisory authority, without undue delay, of any data breaches you may have unless it is unlikely to result in a risk to the rights and freedoms of natural persons.
If the data breach does entail a high risk, then the controller shall also communicate the personal data breach to the data subject without undue delay. How can you assess this risk? Well, each case is a particular story, but we do recommend you to stay on the safe side.
Example:At Prey, we have documented our GDPR process for everyone to follow our updates, with detailed explanations on how we take action towards compliance.
Is it hard to comply with GDPR? Not at all. However, a lot of questions can come up in the process. Fortunately, if you had the user's privacy in mind before, you're probably in the right track already!
If you're still doubtful, you should take a look at how GDPR affects IT management. Spoiler alert: It does, and it does so for the best. Truth is that understanding the core management needs will ensure you stay in line with upcoming regulations.