Getting started with GDPR compliance

There are many documents about the GDPR, but they are not easy for non-technical people to understand. In part 1 of the series “Get GDPR compliant”, “Getting started with GDPR compliance”, we look at the basic concepts of the GDPR and how to get started implementing it.

What is GDPR?

  • The General Data Protection Regulation (GDPR) will replace the Data Protection Directive 95/46/EC (Directive). It applies to all EU and foreign organisations offering goods/services to individuals in the EU and handling personal data of EU residents.
  • It even applies to companies that are not registered in Europe but have European customers.
  • Approved by the EU Parliament on 14 April 2016.
  • Enforcement date: 25 May 2018

Basic Definitions:

  • Controller: The legal person or agency that determines the purpose of processing personal data.
  • Processor: The organization that processes that data on behalf of the controller.
  • 3rd party: Any product/service provided by another organization that you use in your system, typically through its API (Google APIs, for example).
  • Data subject: The user, i.e. the person who is using your product/service.
  • Personal data: Any piece of data that can be used to identify a person: data the user has explicitly provided, but also data you have collected about them from third parties or from the user’s activity on the site.
  • Supervisory authority: An independent public authority established by an EU Member State.

For more details, see the official EU document and the Intersoft Consulting GDPR site.

Who does the GDPR apply to?

  • The GDPR applies to ‘controllers’ and ‘processors’.

What is the penalty if an organisation isn’t GDPR compliant?

The GDPR establishes a tiered approach to penalties for breaches:

  • Fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR 20 million (e.g. breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent).
  • Other specified infringements attract a fine of up to the higher of 2% of annual worldwide turnover and EUR 10 million.

GDPR – In a nutshell

GDPR key changes you need to comply with right now.

There are a total of 99 articles, divided into 11 chapters. The summary of each chapter is given below:

What should we do to get our system GDPR compliant?

Principles (Articles 5 – 11)

  • Consent – Terms and Conditions, Privacy policy updates – Article 7

This seems to be the biggest change that the regulation brings. “I accept the terms and conditions” is no longer sufficient to claim that the user has consented to the processing of their data. So, for each particular processing activity there should be a separate checkbox on the registration (or user profile) screen. Keep each consent in its own column in the database, and let users withdraw their consent.

  • Make the consent prominent and separate from the “terms and conditions”.
  • Give users an option to withdraw their consent.
  • Avoid making consent a precondition of a service.

You should ask for the user’s age, and if the user is a child (below 16), you should ask for parental permission.
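The consent model described above, as an added example that is not code from the original post: one record per processing purpose rather than a single "accept the terms" flag, withdrawal per purpose, and the under-16 parental-permission check. The purpose names and the `ConsentStore` API are assumptions for illustration.

```python
"""Per-purpose consent records with withdrawal and an under-16 age gate.

Added example, not code from the original post. One consent record is kept
per processing purpose (its own column, as the post advises) instead of a
single "I accept the terms" flag. Purpose names and the API are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

PURPOSES = {"newsletter", "analytics", "profiling"}  # assumed example purposes
CHILD_AGE_LIMIT = 16  # the post's threshold for requiring parental permission


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class ConsentStore:
    # user_id -> purpose -> record; each purpose is checked and withdrawn alone
    records: Dict[str, Dict[str, Consent]] = field(default_factory=dict)

    def grant(self, user_id: str, purpose: str) -> Consent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        rec = Consent(purpose, datetime.now(timezone.utc))
        self.records.setdefault(user_id, {})[purpose] = rec
        return rec

    def withdraw(self, user_id: str, purpose: str) -> None:
        rec = self.records.get(user_id, {}).get(purpose)
        if rec is not None and rec.active:
            rec.withdrawn_at = datetime.now(timezone.utc)

    def may_process(self, user_id: str, purpose: str) -> bool:
        # Opt-in: a missing or withdrawn record means no processing for it.
        # Gate only the optional processing here, never the service itself.
        rec = self.records.get(user_id, {}).get(purpose)
        return rec is not None and rec.active


def registration_allowed(age: int, parental_permission: bool) -> bool:
    """Below 16 the post requires parental permission; above it age suffices."""
    return age >= CHILD_AGE_LIMIT or parental_permission
```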

Rights of data subject/User (Articles 12 – 23)

Data portability: there should be another button, “export data”. When clicked, the user should receive all the data you hold about them.

“Information must be provided without delay and at the latest within one month of receipt. You will be able to extend the period of compliance by a further two months where requests are complex or numerous.”

The right of access is very similar to the “Export” button, except that the data should be displayed in the regular UI of the application rather than in an XML/JSON format.

The right to rectification seems an obvious rule, but it isn’t always followed. Users must be able to correct all data about them, including data you have collected from other sources (e.g. via “login with Facebook” you may have fetched their name and address).

Make sure you provide a “Forget me” option in your app/website, which the user can click to delete all their data from your system. This does not necessarily mean every piece of information you hold. For example, if you run a chat system and a user wants their profile deleted, you delete the complete profile information (name, email, phone number and other details), but you do not necessarily have to delete the posts and files the user shared. (You can ask users to delete their messages manually, though.)

When does the right to erasure not apply?

The right to erasure does not apply if processing is necessary for reasons including:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation.

Restriction of processing: in your admin panel, where there is a list of users, there should be a button labeled “restrict processing”. The user settings page should also have that button. When clicked (after reading the appropriate information), it should mark the profile as restricted, meaning it is no longer visible to back-office staff or publicly.

If you provide user data to a 3rd party, make sure you ask the 3rd party to delete all that data when a user asks your system to “forget me”. Calling the third-party APIs to remove data is not the full story, though: you also have to make sure the information does not appear in search results. That is tricky, as Google doesn’t have an API for removal, only a manual process, and most other organisations also don’t have a regular API to remove data from their systems.

Other Considerations

Data Encryption:

  1. Secure communication over TLS (HTTPS): All communication, both client-to-server and server-to-server, should go over a secure channel such as TLS.
  2. Encrypted databases: Databases and backups should all be encrypted.
  3. Pseudonymisation: When using production data on a test/staging server for testing purposes, hide the actual user data so that no person can be identified.

Logging data:

  1. Logging personal data: If you log data, make sure no personal data is logged to a 3rd party.
  2. Analytics: If you use analytics in your system, make sure no personal data is used for analytics purposes.
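One way to enforce point 1, as an added example that is not from the original post: a `logging.Filter` attached to the logger redacts e-mail addresses and phone numbers before any handler, including one that forwards logs to a third party, sees the record. The `ListHandler` stands in for such a forwarding handler, and the regular expressions are deliberately simple illustrations.

```python
"""Keep personal data out of log output, including logs shipped to a 3rd party.

Added example, not from the original post. A logging.Filter on the logger
redacts e-mail addresses and phone numbers before any handler sees the record.
"""
import logging
import re
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{5,}\d")  # deliberately simple illustration


def redact(text: str) -> str:
    text = EMAIL_RE.sub("[email redacted]", text)
    return PHONE_RE.sub("[phone redacted]", text)


class PersonalDataFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Render args into the message first so argument values are covered too
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    # Stand-in for a handler that forwards logs to an external service
    def __init__(self) -> None:
        super().__init__()
        self.lines: list = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(handler: logging.Handler, name: str = "gdpr-example") -> logging.Logger:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PersonalDataFilter())  # runs before every handler
    return logger


def demo() -> list:
    handler = ListHandler()
    log = build_logger(handler)
    log.info("login ok for %s from %s", "ada@example.com", "+44 7700 900123")
    log.info("no personal data here")
    return handler.lines
```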

3rd party:

  1. If you send data to a 3rd party for processing, such as data backup or analytical processing, it is your responsibility to make sure the 3rd party is GDPR compliant.

Make sure you don’t use any data of users who haven’t agreed to the specific terms and conditions on your system.

 

Disclaimer: I’ve prepared this document to the best of my knowledge and studies related to the GDPR regulation. Professionally I’m not a lawyer or DPO, I’m a professional software developer, so I may have missed some important legal matters. For a more detailed explanation, check EUGDPR or consult a DPO (Data Protection Officer) who has “expert knowledge of data protection laws and practices”. Responsibilities and appointment of a DPO are discussed here.

This document is a work in progress, so any changes or rectifications are highly welcome.
