May 25th, 2018 will go down in history as the day things changed on the Internet. It is the day the General Data Protection Regulation (GDPR) finally comes into effect across the entire European Union.
Even less than a month before this event, it is absolutely obvious that GDPR’s full implementation is a game-changing moment in the long and winding story of internet privacy, which had been spiralling out of control in recent years.
What is GDPR?
The General Data Protection Regulation, aka GDPR, is the result of a six-and-a-half-year quest to make sense of, and do justice to, the basic principles of data protection.
GDPR is a set of rules designed to give users more control over their personal information and impose transparency and accountability on the companies who gather it.
For years, attempts to update data protection laws had struggled with a lack of public awareness and demand, the unwillingness of companies to comply, and the relentless static of politicians.
GDPR’s most recent predecessor, the Data Protection Directive (DPD), was implemented way back in 1995, and it is fair to say that it didn’t age well. The problem was that its instruments of influence had become outdated and ineffective.
However, it served as a fine foundation. DPD clearly stated the basic thing: individuals retain ownership rights over their personal information after they’ve shared it with a third-party company in exchange for certain services. But the biggest flaw of the DPD was that it was merely a directive and, as such, it was interpreted differently by the various member states of the Union. GDPR, on the other hand, is a regulation. That means it is a unified set of rules, enforced by supervisory authorities, that applies in all member states of the European Union.
In essence, the General Data Protection Regulation was designed to make sense of, and bring some order to, the relationship between users and service providers. It is all about bringing transparency, responsibility, and trust to the relationship between users and the various companies that collect their data in exchange for seemingly free services.
For users, the new data privacy laws give control over their personal data and provide legal instruments to demand its removal, its correction, or simply an explanation of the purposes for which it is used.
On the other hand, GDPR makes companies accountable for their actions and responsible for protecting that information from malicious use or leakage.
Another important thing is that GDPR introduces a rather harsh system of penalties designed to humble those who don’t want to play by the rules or who act carelessly enough to expose their systems to malicious actors or data breaches.
Why is GDPR implemented and why now?
The motivation behind the adoption of GDPR is rather obvious: the European Union badly needed legislation that would reflect and regulate how people’s personal data is used by various companies, especially those that offer their services for free in exchange for gathering data from their users (the usual suspects: Google, Facebook, Twitter, Amazon, etc.).
For a while, privacy and information security regulation depended pitifully on “the kindness of strangers”: there were no solidly defined rules regarding the terms of personal data usage. Basically, companies could do whatever they wanted with the gathered data, and there were no legal instruments to deal with stretching the boundaries of data privacy.
However, recent data breaches and illicit user-data-gathering scandals (such as the Equifax leak or the still ongoing Cambridge Analytica scandal) raised awareness of the subject considerably, to the point where it became painfully obvious that the current legislation simply couldn’t handle such problems.
To put it bluntly, the 1995 Data Protection Directive was absolutely inadequate for the current state of things, and it had been that way for a long time. In fact, DPD was way past its sell-by date by the early 2000s; it was in dire need of either a significant update or a complete replacement. Years of pretending that nothing was happening, combined with blatantly ignoring the burning issue, resulted in an awkward game of catch-up with reality.
Among the things that were updated and reiterated was the expansion of the definition of personal information and further elaboration on the rights and responsibilities of the parties involved in the data processing.
Back in January 2012, the European Commission announced its intention to substantially update data protection policies across the European Union. GDPR was designed as the centerpiece of the reform. It took four years to get it right; finally, in April 2016, it was adopted with a two-year period of transition and preparation before it comes into effect this May.
While GDPR is far from the best solution, it is already something, and it is a “better late than never” kind of situation. At least now we have something. The timing couldn’t have been better, given the increased awareness of the importance of privacy and security.
It is a big achievement, considering the turbulent history of previous attempts to develop privacy regulations and the absolute uncertainty about the future of privacy on the internet.
Stay tuned – we have prepared a series of posts on GDPR and what companies and users should do and expect from this law (and, as a bonus, it’s explained in simpler-than-law-terms language.)
* * *
This blog post is a part of the series. Click to read the other chapters:
You know the drill: those who control the information rule the world. And as we get further entangled in the nets of various third-party applications, we give away more and more of our personal information to nondescript third parties who use it as they see fit for their own good.
Even more so, most of the time we do it willingly, without fully comprehending the possible consequences of such nonchalant and careless giveaways.
To make matters worse, until recently there was no actual regulation of the use of personal information. That is why GDPR is so important.
We live in a tumultuous time. At the moment, information is probably the most valuable resource, and there seems to be a gold rush for bits and pieces of this precious matter. Everyone is digging for information in one way or another. Why? Because that is how companies make money these days.
And because of that, this is something that must be thoroughly regulated in order to prevent even the slightest possibility of abuse or misuse of personal information by any means, intentional or not. Users should know their rights, and companies should know their responsibilities.
In GDPR, personal information is defined as a set of the following characteristics:
Health and genetic data / Biometric data
DPD stated that users have ownership rights over personal data after sharing it with a third-party company in exchange for its services. GDPR elaborates on that and puts it on solid ground. It is designed to bring balance to the relationship between companies and users. Basically, it brings the principles of “fair play” to data operations and installs a clearly defined “code of conduct” for users and companies, something that was barely regulated by GDPR’s predecessor, DPD.
GDPR principles of Data protection include:
Lawfulness, fairness, and transparency
Limitation of purpose
Minimization of data
Limitation of storage
Integrity and confidentiality
For companies, GDPR outlines the rules for gathering and using users’ information. Its biggest innovation is making the user’s consent an absolute must. It is a requirement whose neglect can lead to significant fines. Any kind of data gathering is illicit unless the user has given official consent.
GDPR stresses the importance of accountability in the process of building and maintaining trust between users and the company. It urges every company to follow its guidelines and to demonstrate compliance with the updated regulation.
GDPR Rights & Responsibilities
One of the major goals of implementing GDPR was to clearly define who does what, how, and why in data processing operations. While it might seem really simple, the legal peculiarities are no joke, and it all needed precise clarification.
The entire set of rights and responsibilities regarding data processing is divided between several parties:
Data Subject, aka User: a natural person who provides personal data for processing;
Data Controller: an organization or company that determines the purposes and means of the processing of personal data;
Data Processor: an organization or company that processes personal data on behalf of the controller (the controller and processor may be the same company).
Every involved party has a distinct set of rules and requirements. The document specifically describes the procedures that should be undertaken in cases of system failures, hacks, or data breaches.
GDPR requirements for the companies are the following:
Perform data processing in a lawful, fair, and transparent way, with valid consent from the data subject that can be revoked at any time;
Thoroughly explain the purpose of the data usage;
Provide evidence of consent in documented form;
Limit data gathering to what is necessary for the specific purpose;
Set time limits on data storage, keeping data only for the period in which it is necessary for correct operation;
Maintain the accuracy of the data (by cooperating with users, AKA data subjects);
Adopt the “privacy by default” principle: data protection must be considered for every new process or system at the design stage;
Store records of data processing that can be reviewed by regulators;
Provide secure, sealed-off data storage;
Inform the authorities about data breaches within 72 hours;
Inform users (AKA data subjects) about data breaches;
Implement technical and organizational measures to ensure the protection of users’ data rights;
Conduct regular privacy risk assessments;
Explain how and why personal data is going to be processed;
Appoint a Data Protection Officer to oversee data processing activities.
Aside from that, GDPR introduces a system of rather harsh fines for violating its guidelines. Fines are imposed on a case-by-case basis and depend on the level of the violation and the amount of damage done. Overall, fines range up to €10 million or 2% of the company’s global annual turnover for the previous financial year, or up to €20 million or 4%, depending on the severity of the case.
On the other hand, GDPR gives users (AKA data subjects) an elaborate set of privacy rights that provide tools to control the use of their personal information. Believe it or not, while these rights seem obvious, until the adoption of GDPR they were not legally binding.
Right to be forgotten – i.e. erasure of gathered data;
Right to object to automatic data processing;
Right to restrict data gathering, processing, or storing;
Right to be informed of the means of the gathering of the personal data;
Right to get a copy of the gathered information in its entirety;
Right to revoke given consent;
Right to have the personal record corrected at request.
The most important innovation for users is the right to be forgotten, which enables requests for the deletion of personal data from companies’ databases unless there are legal grounds that justify keeping the information. GDPR also regulates the conduct of automated decision-making routines and gives users the instruments to object to them or to rectify certain elements.
While it is hard to say how successful it will turn out to be, judging from the documents, it seems GDPR is going to force certain overreaching companies to pay their dues.
On the other hand, it finally gives users distinct instruments to control their personal data and counter any possibility of its unlawful use.
Believe it or not, up until late 2017 the majority of companies seemed blissfully unaware of the impending “doom” of GDPR’s full implementation.
If you look at Google Trends, you will notice a rapid growth of interest by January 2018. For the record, GDPR was adopted in May 2016.
In many ways, no one was really ready for the coming of GDPR. While it was adopted way back in 2016 and there was plenty of time to prepare, the majority of companies didn’t bother until the heat was around the corner.
While this can be written off to the generally careless attitude that prevails in many technology-oriented companies, it is also absolutely mystifying why it took so long to realize that GDPR is real and here to stay, and that you either adjust to it or go away with a somber, solemn look on your face.
The entire process of implementing the GDPR principles is a considerable challenge for both companies and users. Not only is there a lot to do in order to follow the guidelines, but certain practices need to be adopted to rule out any possibility of a violation.
In this article, we will break down all the major challenges that come with the adoption of GDPR and describe its possible benefits for companies and users.
GDPR Challenges for Business
An overarching GDPR challenge for any company that uses personal data is the sheer scope of the work to be done in order to fit the updated guidelines. It is humongous, and it needs a very delicate and thorough approach.
Overall, the challenges of implementing GDPR for companies can be divided into technical and organizational ones.
Let’s break them down one by one.
Adapting to many new requirements
The imposing number of requirements that constitute GDPR compliance is designed to increase the accountability of those who process personal data. This is done specifically to make the whole process as transparent and trustworthy as possible.
You have to ensure that the policies for personal data usage, consent, rectification, access, and deletion are composed according to the regulation.
Also, cooperation with third parties is considered a key risk under GDPR, and as such it must be reassessed and adapted accordingly.
You can read about the requirements in detail in our previous article.
The challenge lies in the fact that the entire GDPR thing is extremely process-driven. While it is designed to improve practices such as decision-making and risk assessment, GDPR also adds another layer to them and thus complicates an already complicated process.
One of the major challenges in implementing GDPR is the initial audit of the system. It may be an easy task if the company’s data is stored in one place, but that is not always the case. The whole process is conducted through a stack of tools that helps to centralize data from different sources and subsequently monitor its use. Basically, it is a separate data management platform dedicated solely to security issues.
There are several key elements to determine during this operation:
What data is collected?
What are the sources of the data gathering?
Where is the data stored?
How is it used?
Who has access to what data? For how long?
Next, you need to audit the company’s processes in order to see which of them will be affected by GDPR. This will give you a picture of which elements should be changed in order to maintain a steady workflow.
Basically, it boils down to three key elements:
How is data encrypted?
Is access to data sufficiently restricted?
Is data trackable?
Team Compliance and Training
Preparing the team for GDPR might be tricky. While the technical aspect depends on the clarity of the methods, it is way harder to teach people to follow guidelines, especially ones as tangled as those in GDPR. It takes time and requires patience.
Your team needs to understand what GDPR means, how it works, and how it affects their working process. There must be clarity on the following issues:
Data subject (AKA user) rights;
What information can be divulged under which circumstances?
What kind of activity is permitted and what is not?
What constitutes consent?
What constitutes non-compliance?
Aside from that, GDPR compliance recommends the appointment of a Data Protection Officer (DPO), whose responsibility will be to ensure that the company operates according to the regulation. However, there is a question about the DPO’s place in the company’s organization. The DPO must report to the highest management of the company and must be absolutely independent in their judgment in order to maintain a balanced view of the state of things regarding data privacy.
GDPR significantly expands users’ rights over their personal data. One of the primary instruments of user influence over the use of personal data by companies is the request. Because of the muddled nature of data gathering, there will be a lot of questions from users regarding the processing of their personal information, and it is better to know what to say in such cases (the alternative is paying a fine, which is a little counterproductive for business).
The company must be ready to provide information on the following matters:
Purposes of the processing;
Categories of the gathered data;
Involved parties to whom the user’s personal data will be disclosed;
The approximate time frame over which personal data will be stored;
Compliance with requests for correction, erasure, or restriction of processing of personal data;
Rethinking Budget Planning
Anything regarding spending money is challenging. The coming of GDPR means that the budget must be significantly rethought in order to provide adequate funding for data privacy and security operations.
The problem is that even though an audit can help get the picture, there are still too many unknowns in the equation that can significantly inflate the budget over time.
Basically, the additional spending is aimed primarily at three elements:
its subsequent implementation;
human resources to do the job.
Challenges For Users
But companies are not the only ones who are going to be affected by the coming of GDPR. Users are going to be significantly affected too. The thing is, GDPR is the latest in a long line of privacy-related EU initiatives. In fact, the European Union has always maintained a “consumer-first” approach to privacy.
However, this dedication to privacy and all-round consent can be overwhelming and downright challenging for users.
Knowing your rights
While knowing your rights may seem like a relatively simple task (wink-wink), it is not exactly like that. In fact, it is a tough thing to do. Take a quick look at Chapter 3 of the GDPR document and read what constitutes the rights of the data subject, AKA user.
That’s a lot. A whole lotta rights to know. The challenging part is that users need to know under which circumstances they can exercise their rights and what the limits of data subject rights are.
Also, it is important to understand the possible consequences of abusing these rights.
Anyway, misunderstanding these rights will probably lead to many ugly situations where users unwittingly give away their information and later try to get some justice, even though it was their own fault.
Consent is the key concept of GDPR. It means a clear, affirmative indication of permission to use one’s personal information for further processing. It is absolutely mandatory for every company. They need to ask the user’s permission to use personal information; otherwise, they will be unable to operate legally under GDPR.
Now think about how many applications you are currently using. Most of them require some form of personal data processing. They use your e-mail, geolocation, IP address, and so on in order to provide their services. All this goodness needs a clear, affirmative indication of consent.
Given that there is no chance these consent requests will be written in any semblance of Homosapienese, chances are the common user will click them away without much thought, only later to realize it and attempt to backtrack on the decision.
Dealing with data breaches
In many ways, GDPR means the coming of a New World Order in the relationship between users and companies. Since users are in control of their personal data, they are also entitled to be informed about what is happening with their data. That, unfortunately, also includes instances when their personal data has been breached.
Because informing users of data breaches is mandatory, users need to learn how to react to such situations.
The thing is extremely complicated because every instance of a data breach is unique and requires close assessment in order to provide an adequate reaction. Another complication is that every case allows a varying level of user involvement. That is something beyond the user’s or the company’s control, and it is determined solely by the court.
Benefits of GDPR
If there are so many challenges, are there ANY benefits to this data protection regulation?
In many ways, GDPR is a blessing. It is well-intentioned and rather well-mannered (especially if you compare it with DPD, which is just sad). There are many benefits to clearly defined rules of engagement for both sides. Its implementation is a chance to improve the vital elements of your company and make it a much better functioning entity overall.
GDPR’s biggest achievement is the clarification of the key terms of the user/company relationship in terms of personal data use.
A direct result of this clarification is a basic definition of the rights and responsibilities of the involved parties. This gives a proper map of what is permitted and what is banned, which in turn provides a set of tools for reacting in a variety of situations.
The most obvious benefit of GDPR is trust. By implementing diverse data security practices and appointing a DPO whose job is to keep data privacy intact, companies can significantly increase their trustworthiness in the eyes of users.
Alignment with GDPR will serve as a seal of approval, assuring users that the company whose services they use will not mess with them by any means.
This, in turn, will increase customer loyalty, which will directly result in positive developments in brand recognition.
Better Decision Making
Another direct benefit is the improvement and refinement of decision-making practices. GDPR adds a couple of new factors for consideration that significantly change the perception of the state of things.
To put it simply, the stakes are higher and the possible consequences of failure to comply are severely uninspiring.
Under the weight of increased responsibility and imposing punishment, GDPR will indirectly lead to a more calculated and cautious approach to decision-making.
Better Risk Assessment
Risk assessment is probably the biggest winner of GDPR adoption. While it is considered part of standard operations, chances are it receives less attention and care than it probably deserves.
GDPR turns the tables in favor of a more thorough and responsible approach to risk assessment, for one simple reason: a slight oversight or an underestimation of risk may result in significant monetary and reputational damage for the company.
Security Framework Improvement
GDPR guidelines stress the importance of a well-organized, impenetrable, and highly regulated security framework. While this seems an obvious and reasonable requirement for any company, the fact that data breaches are common these days says otherwise.
However, GDPR provides clear and realistic guidelines on how to make the security system better and how to maintain it.
A combination of regular system audits, monitoring, and a cautious employee culture is the key to effective improvement.
Along with the improvement of practices comes increased alignment with cutting-edge technologies.
Since you never know what kind of unfortunate event can happen to your system, the company will need to constantly evolve its data security stack in order to stay current and prepared for any possible danger.
If anything, that will probably cause the rapid development of new technologies.
GDPR is a game-changing document whose influence is hard to overestimate. To put it simply, it will cause seismic shifts across the world, no less. There is no doubt that in the long term GDPR will cause a drastic transformation in the business landscape not only of the European Union but of the entire world.
The way it reiterates the definition of personal information and rearranges the balance of power in the realm of data processing is nothing short of revolutionary. It is challenging in many ways, but, as you can see, there are also considerable benefits to GDPR compliance.
With the day GDPR comes into effect getting closer and closer, and the tension of the impending “doom” it “might be” higher than ever, it seems reasonable for everyone involved to get ready on all possible fronts before it is too late and the fines come in full swing.
Cue numerous think-pieces describing “what you need to know”, and more of the same all over again in other words, all anchored to the sacred phrase “GDPR compliance”.
However, none of those raving and drooling pieces actually tell you anything about the particular approaches companies are using to get ready for GDPR implementation.
Because of that, we thought it would be a great idea to share a thing or two about the way of adapting to GDPR that we have figured out for ourselves.
It is not so much bragging as a well-mannered sign of confidence in the face of coming changes.
The APP Solutions is the kind of company that favors getting ready beforehand rather than on the fly. Because of that, we have spent a considerable amount of time studying every existing possibility for improving and evolving our data protection and privacy policies.
What We Did for GDPR Compliance
First things first: we needed to know what was coming, where, and to what extent.
Regarding “what”, our first step was to analyze the sources of incoming data. The main purpose of the operation was to determine which of the elements come from the European Union and are thus covered by GDPR.
Regarding “where”, we conducted a general assessment of the services we were using for personal data management purposes, i.e. gathering, processing, and storing.
In order to get a clearer picture and determine the exact scope and depth of the state of things, we performed a complete and thorough audit of all the personal information our company was storing. We studied its strong and weak points and considered a variety of options for improvement or replacement.
This operation was divided into several steps:
Assessment of information stored on third-party services beyond the company’s control (for example, personal Dropbox or Google Drive);
Determining the circumstances under which sensitive information was going to third-party services beyond the company’s control;
Determining the physical location of data storage;
Developing tools for preventing unsanctioned access to personal information. In order to do that, we defined types of information and, based on that, determined several levels of access for sensitive information.
During risk assessment, we determined several risk types of information that require reporting in case of a breach.
We studied the possible threats for every industry we work in. We determined the types of threats, the ways they can affect our products, and the possible consequences of their occurrence.
We also developed a code of conduct and standard operating procedures for data breaches and other dangerous situations.
This included expanding users’ (AKA data subjects’) rights to those defined by GDPR and adapting the documentation procedures for data storage accordingly.
Our primary goal was to redefine and reassert the legal grounds on which we use certain personal information and to reiterate the respective documents. In order to do that, we determined several levels of sensitivity for personal information.
Also, we developed guidelines for maintaining user consent:
The statement of consent must be clear and specific;
It must be written in plain, easy-to-understand language;
All parties involved in an operation relying on user consent are named;
The nature of the data and the purpose of its use must be specified.
In order to keep user consent intact, we run the following procedures:
A record of when and how user consent was obtained;
A record of the exact agreement;
User consent review at certain time intervals;
Processes for updating user consent at certain time intervals.
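The consent guidelines and procedures listed above, in runnable form, as an added example (this is not The APP Solutions’ code): a small Python consent ledger that records when and how consent was obtained together with the exact agreement wording, checks that processing stays within the consented purposes, honours revocation, and flags consents due for periodic review. The yearly review interval, the field names and the sample subject data are assumptions.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def _fingerprint(text: str) -> str:
    """SHA-256 of the exact agreement wording, so a stored record can be checked later."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    subject_id: str                    # the data subject (user) who consented
    purposes: frozenset                # what the consent covers (purpose limitation)
    parties: tuple                     # every party relying on the consent, named
    agreement_text: str                # the exact agreement the user accepted
    agreement_sha256: str              # fingerprint of that wording
    obtained_at: datetime              # when consent was obtained
    method: str                        # how it was obtained, e.g. a form checkbox
    revoked_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """Consent can be revoked at any time; after that it no longer counts."""
        return self.revoked_at is None or self.revoked_at > now


class ConsentLedger:
    """Append-only consent store: records are never deleted, only marked revoked,
    so the history stays available as evidence for regulators."""

    def __init__(self, review_interval: timedelta = timedelta(days=365)) -> None:
        self.review_interval = review_interval  # assumption: consents are reviewed yearly
        self._records: list = []

    def record(self, subject_id: str, purposes, parties, agreement_text: str,
               method: str, obtained_at: datetime) -> ConsentRecord:
        """Store a new consent; refuses vague consents with no purpose or no named party."""
        if not purposes:
            raise ValueError("consent must name at least one specific purpose")
        if not parties:
            raise ValueError("every party relying on the consent must be named")
        rec = ConsentRecord(subject_id, frozenset(purposes), tuple(parties), agreement_text,
                            _fingerprint(agreement_text), obtained_at, method)
        self._records.append(rec)
        return rec

    def revoke(self, subject_id: str, at: datetime) -> int:
        """Withdraw every active consent of a subject; returns how many were revoked."""
        revoked = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.is_active(at):
                rec.revoked_at = at
                revoked += 1
        return revoked

    @staticmethod
    def verify(rec: ConsentRecord) -> bool:
        """Detect a record whose stored wording no longer matches its fingerprint."""
        return _fingerprint(rec.agreement_text) == rec.agreement_sha256

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """True only if an unrevoked, untampered record names exactly this purpose."""
        return any(rec.subject_id == subject_id and purpose in rec.purposes
                   and rec.is_active(now) and self.verify(rec)
                   for rec in self._records)

    def due_for_review(self, now: datetime) -> list:
        """Active consents older than the review interval."""
        return [rec for rec in self._records
                if rec.is_active(now) and now - rec.obtained_at >= self.review_interval]


def demo() -> dict:
    """Constructed sample data: one subject consents, is checked, reviewed, and revokes."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # sample timestamp only
    rec = ledger.record("user-42", {"newsletter", "order-fulfilment"},
                        ("Example Shop Ltd", "Example Mail Provider"),
                        "I agree to receive the newsletter and to the processing of my order data.",
                        "signup-form-checkbox", t0)
    results = {
        "newsletter_day1": ledger.may_process("user-42", "newsletter", t0 + timedelta(days=1)),
        "analytics_day1": ledger.may_process("user-42", "analytics", t0 + timedelta(days=1)),
        "due_after_400d": len(ledger.due_for_review(t0 + timedelta(days=400))),
        "revoked": ledger.revoke("user-42", t0 + timedelta(days=401)),
        "newsletter_day402": ledger.may_process("user-42", "newsletter", t0 + timedelta(days=402)),
    }
    rec.agreement_text = "Edited wording."  # simulate someone rewriting the stored agreement
    results["tamper_detected"] = not ConsentLedger.verify(rec)
    return results
```

Calling `demo()` shows a purpose outside the consent being refused, a consent flagged for review after a year, revocation taking effect, and a rewritten agreement text being caught by its fingerprint.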
GDPR Compliance Services for Clients
Regarding our projects, we have defined several types of data protection services that we can provide.
These are divided into two sections: standard ones and those that can be implemented for an additional fee.
Standard options that are always adhered to (even before GDPR became a popular thing to do):
Documenting the process of data storing
Tools for age verification (child-oriented)
General network security
For additional fees, we can also provide the following automated tools:
Tools for user consent management with an optimal user experience;
Tools for managing user requests for erasure, rectification or download of personal data;
Automation of data gathering and segmentation processes;
Hack attempts monitoring and intrusion detection tools
Data anonymization (complete or partial)
Data export at User Request
Suspicious activity detection and monitoring;
Monitoring of super administrator activity
This is how we do it. GDPR is not as imposingly scary as it seems. In fact, it is actually beneficial for companies, because GDPR compliance serves as a guarantee that certain rules are maintained. This, in turn, makes companies more trustworthy, which is always good for business.