Are you ready for GDPR?
Udgivet 2018-04-22 - Skrevet af Philip Sørensen
By now, you have probably heard about GDPR, but what is it really? And how do you prepare for it? Below I have tried to outline the new laws as easy as possible.What is GDPR?
The General Data Protection Regulation (GDPR) is a ruleset that affect all companies handling data of people within the European Union. The rules will take effect on the 25th of May 2018. The fines for not complying is 4% annual turnover, or up to 20 million EUR, whichever is greatest.To give you an overview, the rules contain following topics:
- Right to get notified wihtin 72 hours of a data breach
- Right to gain access to the stored personal data
- Right to be forgotten
- Right to receive personal data in a readable format
- Privacy by design, and by default
What is personal data?
Since the new regulation is mainly concerned about people's rights with regards to their data, we need to talk about what their data is. So, what is really the definition of this personal data? It is defined as:Personal data means any information relating to a directly or indirectly identified or identifiable natural person.
That is quite a broad definition, so let's take a look at various pieces information. The most obvious personal data points are:
- Name
- Address
- Phonenumber
- Social security number
- Fingerprint
- Race
- Sexuality
However, these more atypic pieces of information are also included as personal data:
- License plate
- Usernames/login information/employee ID
- Birthday
- GPS information
- Photo
- CV
- Grades
- Exam papers
- Family information
- Video surveillance
- Logs in IT-systems
- Personalytests
- Job
- Size of shoes or clothing
- Travel information
- IP-address
- Interests
- Credit card information
Data is personal data when the information is so specific that it can be used to identify a specifc person. Either by itself, or in conjunction with other pieces of information. Here it should be noted that a few data points, in conjuction with each other, rather quickly can be used to identify a person. E.g. how many customers do you from a certain area, who is 50 years old, and is an accountant?
3 different roles
With regards to GDPR, there are 3 different roles.- Data Subject
A person whose personal data is being processed by one of the other roles. This could be a user/client, or even data about a person in partner company. - Data Controller
Decides what data is being collected, and what happens to it. - Data Processor
Processes data on behalf of the data controller.
A quick example of this could be my website. I have a newsletter that I gather e-mails for. I use Mailchimp for this, which make it possible to store e-mails and enables me to send out the newsletters. You (data subject) can sign up for my newsletter, and I (data controller) decide what information to collect and what happens to it. Mailchimp (data processor) stores the information for me.
As a data controller, it is my responsibility to make sure all of my data processors are GDPR compliant. This is done with a data processing agreement, and you need such an agreement for all your data processors.
Here are some of the data processors you may be using:
- Webhost (DigitalOcean, Unoeuro, etc.)
- Analytic Tools (Google Analytics, etc.)
- Email Marketing (Mailchimp, etc.)
Check them all for GDPR compliance. Most of them already have agreements prepared for you, like Mailchimp's data processing agreement. If you can't find any information on their website, contact them.
When processing personal data
GDPR also states for what reasons you may process personal data. You may only process personal data for these reasons:- Law
E.g. banks need detailed personal information to comply with anti-money-laundering laws. - Necessity
If you need to ship a product, you need a shipping address. In other words, you need to information to do provide your service. - Consent
In cases where you don't have a “good” reason to have the information, either due to law requirement or a necessity of operation, you need to get consent from the user. - Legitimate interests
In some cases your interests in processing personal data may be stronger than the users interests in you not having it. This is the weakest form, because you need to prove that your interests are more important than the user. Examples could be documentation in insurance cases, like keeping e-mails as proof until a limitation period has passed.
If the personal information that you process cannot be contained within one of the 4 categories above, you simply may not process it.
Right to gain access to stored information
The users are given the right to gain insight into what information you have about them. If they request it, you need to provide them with a full copy of all their data within 30 days.The users can request the following:
- Whether you process information about the user.
- The purpose of the information you are processing.
- What information you process.
- Information about where the data is from, if it is not provided by the user.
- The categories of other businesses/organisations that receive the personal data (primarily other countries and international organisations, but also data processors).
- Whether there is being made automatic decisions about the user in the form of profiling. If so, then the presence of profiling (when, how, why, and how much).
Deletion of data
Citizens of the European Union will gain the right to be forgotten, which means deletion of data. You are required to delete any data that no longer serves a purpose. Furthermore, you are also required to delete data when consent is withdrawn, or it is requested by the user.As an alternative to deletion, you can also anonymize the data. But this requires true anonymisation, so that the remaining information cannot be linked to a person. If it is still possible to link it to a person, you have only done pseudo-anonymisation, which is not good enough.
Conclusion
People in the European Union has gotten some much needed rights with regards to privacy of data. It is quite interesting to follow how this will evolve in the future.The essence of GDPR is that you need to document a purpose for your data collection, and you need to ensure that it also gets deleted when it is no longer necessary. This was merely a brief walkthrough some of the key points of the regulation. If you store any information about your users, you need to make your preparations for the 25th of May.