There are many documents related to GDPR regulation, but they’re not easy to understand for non-technical people. In part-1 “Getting started with GDPR compliance” of the series “Get GDPR compliant”, we’ll look into basic concepts in GDPR and how we can get started implementing it.
What is GDPR?
- The General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC (the Directive). It applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, whenever they handle the personal data of those individuals.
- In other words, it also applies to companies that are not registered in Europe but have European customers.
- Approved by the EU Parliament on 14 April 2016.
- Enforcement date: 25 May 2018
- Controller: The natural or legal person, public authority or agency that determines the purposes and means of processing personal data (Article 4(7)).
- Processor: The organisation that processes personal data on behalf of the controller (Article 4(8)).
- 3rd party: In this series, any external product or service that your system uses through its API, such as the Google APIs. Depending on who decides why and how the data is used, such a vendor is either your processor or a controller in its own right.
- Data subject: The user, i.e. the identified or identifiable person whose data you process.
- Personal data: Any information relating to an identified or identifiable person (Article 4(1)). That covers not only the data the user explicitly provided, but also data you collected about them from third parties or derived from their activity on the site, and indirect identifiers such as IP addresses, cookie IDs and device IDs.
- Supervisory authority: An independent public authority established by an EU Member State to monitor the application of the regulation.
Who does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’, both those established in the EU and those outside the EU that target or monitor people in the EU.
What is the penalty if an organisation isn’t GDPR compliant?
The GDPR establishes a tiered approach to penalties for infringements (Article 83):
- Fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements (e.g. breach of the basic principles for processing, including the conditions for consent, of the data subjects’ rights, or of the rules on international transfers).
- Other specified infringements (e.g. the obligations of controllers and processors, such as security of processing, records of processing and breach notification) attract a fine of up to EUR 10 million or 2% of annual worldwide turnover, whichever is higher.
GDPR – In a nutshell
GDPR Key changes you need to comply with right now.
There are 99 articles in total, divided into 11 chapters. The chapters most relevant to implementers are summarised below:
- General Provisions (Articles 1 – 4) – Subject matter, scope and the definitions used throughout the regulation.
- Principles (Articles 5 – 11) – The principles every processing activity must satisfy (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability), the lawful bases for processing, and the conditions for consent, including the age of consent for children.
- The following 2 chapters have significant changes that need to be considered and implemented:
- Rights of the data subject (Articles 12 – 23) – The user’s rights over their data: to be informed, to access it, to rectify and erase it, to restrict its processing, to receive it in a portable format, and to object. This chapter also sets the deadlines for responding to such requests.
- Controller and Processor (Articles 24 – 43) – The responsibilities of controllers and processors, including data protection by design and by default, the contract required with a processor, records of processing, security of processing, breach notification, data protection impact assessments, and the appointment, position and tasks of the Data Protection Officer (DPO).
- Transfer of personal data to 3rd countries or international organisations (Articles 44 – 50) – The legal conditions under which personal data may leave the EU.
- Independent Supervisory Authorities (Articles 51 – 59) – The responsibility of each EU member state to establish an authority that monitors the application of the regulation.
- Cooperation and Consistency (Articles 60 – 76) – Cooperation between supervisory authorities and the role of the European Data Protection Board in ensuring the consistent application of the regulation.
- Remedies, Liability and Penalties (Articles 77 – 84) – How a data subject can lodge a complaint with a supervisory authority against a controller or processor, the right to compensation, and the administrative fines.
What should we do to get our system GDPR compliant?
Principles (Articles 5 – 11)
Consent is where the biggest change lies for most applications. A single “I accept the terms and conditions” checkbox is no longer enough to show that the user has consented to the processing of their data: consent must be freely given, specific, informed and unambiguous (Article 4(11)), pre-ticked boxes do not count, and the controller must be able to demonstrate that consent was given (Article 7(1)). So for each processing activity that relies on consent there should be a separate, unticked checkbox on the registration (or user profile) screen. Store each consent separately in the database, together with when it was given, from which screen, and which version of the wording the user saw, and let the user withdraw it as easily as they gave it (Article 7(3)). One caveat: consent is only one of the six lawful bases in Article 6. Processing you need in order to deliver the service the user signed up for rests on the contract, not on consent, so do not ask for consent where you would have to process the data anyway; consent the user cannot realistically refuse is not valid (Article 7(4)).
- Make the consent prominent and separate from “terms and conditions”
- Give the users an option to withdraw their consent.
- Avoid making consent a precondition of a service
- Age check – Article 8
When consent is the basis for offering an online service directly to a child, ask for the user’s age. Below 16 the consent must be given or authorised by the holder of parental responsibility, and you must make reasonable efforts to verify that. Member states may lower this threshold to no less than 13, so check the age that applies in each country you serve.
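As an added example (not code from the original post), here is how the separate consent checkboxes described above could be backed by a per-purpose consent ledger: every grant or withdrawal is appended with a timestamp, the screen it came from and the version of the wording shown, processing is gated on the current state, and the default is to deny. The purpose names, the `ConsentLedger` class and the in-memory dictionary are assumptions standing in for a database table keyed by (user_id, purpose).

```python
"""Per-purpose consent records with withdrawal and a processing gate.

Added example, not the original post's code. PURPOSES, ConsentLedger and the
in-memory storage are assumptions; a real system would back the ledger with a
table keyed by (user_id, purpose).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Purposes are enumerated so that one "I accept" box cannot cover all of them.
PURPOSES = {"newsletter", "product_analytics", "third_party_ads"}


@dataclass
class ConsentEvent:
    """One grant or withdrawal, kept so consent can be demonstrated later (Art. 7(1))."""
    purpose: str
    granted: bool
    at: datetime
    text_version: str   # the version of the wording the user actually saw
    source: str         # e.g. "registration_form", "profile_page"


@dataclass
class ConsentLedger:
    # Append-only history per (user_id, purpose); the current state derives from it.
    events: Dict[Tuple[str, str], List[ConsentEvent]] = field(default_factory=dict)

    def record(self, user_id: str, purpose: str, granted: bool,
               text_version: str, source: str, at: Optional[datetime] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        event = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc),
                             text_version, source)
        self.events.setdefault((user_id, purpose), []).append(event)

    def grant(self, user_id: str, purpose: str, text_version: str,
              source: str, at: Optional[datetime] = None) -> None:
        self.record(user_id, purpose, True, text_version, source, at)

    def withdraw(self, user_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> None:
        # Withdrawal must be as easy as giving consent (Art. 7(3)); it is just
        # another appended event, so the history of the grant is never lost.
        self.record(user_id, purpose, False, "", source, at)

    def is_allowed(self, user_id: str, purpose: str) -> bool:
        """Default deny: absent or withdrawn consent means no processing."""
        history = self.events.get((user_id, purpose), [])
        return bool(history) and history[-1].granted

    def evidence(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The event that currently authorises processing, or None."""
        history = self.events.get((user_id, purpose), [])
        return history[-1] if history and history[-1].granted else None


def send_newsletter(ledger: ConsentLedger, user_id: str, mailer) -> bool:
    """Processing gated on consent; the gate sits right next to the action."""
    if not ledger.is_allowed(user_id, "newsletter"):
        return False
    mailer(user_id)
    return True


def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed walk-through: tick one box at registration, later withdraw it."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    # Registration form showed two separate boxes; only the newsletter one was ticked.
    ledger.grant("u1", "newsletter", "consent-text-v3", "registration_form", t0)
    ledger.record("u1", "third_party_ads", False, "consent-text-v3", "registration_form", t0)
    sent: List[str] = []
    first = send_newsletter(ledger, "u1", sent.append)      # True, mail goes out
    ledger.withdraw("u1", "newsletter", "profile_page")
    second = send_newsletter(ledger, "u1", sent.append)     # False, nothing sent
    return (first, second,
            ledger.is_allowed("u1", "third_party_ads"),     # explicitly declined
            ledger.is_allowed("u1", "product_analytics"))   # never asked: denied
```

Keeping the full event history rather than a single boolean column is what lets you answer "when, where and to which wording did this user consent" when a supervisory authority asks; the `is_allowed` gate is what keeps a withdrawn consent from being silently ignored by a batch job.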
Rights of data subject/User (Articles 12 – 23)
- Export data – Article 20
There should be a button, “export data”, that gives the user all the data they provided to you in a structured, commonly used, machine-readable format (JSON or CSV, for example), so they can take it to another service.
“Information must be provided without delay and at the latest within one month of receipt. You will be able to extend the period of compliance by a further two months where requests are complex or numerous.” (Article 12(3)) The same deadline applies to all the requests below.
- See all my data – Article 15
This is the right of access. It is very similar to the “Export” button, except that the data is displayed in the regular UI of the application rather than delivered as XML/JSON, and it must also tell the user why you process the data, who receives it and how long you keep it.
- Allow users to edit profile – Article 16
This seems an obvious rule, but it isn’t always followed. Users must be able to correct all data about them, including data that you have collected from other sources (e.g. via “login with Facebook” you may have fetched their name and address).
- Forget me – Article 17
Provide a “Forget me” option in your app/website that deletes the user’s personal data from your system. This does not necessarily mean every record connected to the account. Take a chat system: when a user asks for their profile to be deleted, you delete the profile itself (name, email, phone number and other details), but the posts and files they shared do not automatically have to go, provided they no longer identify the person once the profile is gone. Anything in that content that still identifies them is still personal data, so either strip it or ask the user to delete those messages themselves.
The right to erasure does not apply if the processing is necessary for one of the following reasons (Article 17(3)):
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation (e.g. keeping invoices for tax purposes) or to perform a task carried out in the public interest;
- for reasons of public interest in the area of public health;
- for archiving, scientific or historical research or statistical purposes; or
- to establish, exercise or defend legal claims.
- Restrict processing – Article 18
In your admin panel where there’s a list of users, there should be a button labelled “restrict processing”, and the user settings page should have the same button. When clicked (after the appropriate information has been shown), it should mark the profile as restricted. Restricted data may still be stored, but it must not be used for anything else without the user’s consent, so it should no longer be visible to back-office staff or publicly, nor flow into analytics, mailings or exports to other systems.
- Notify 3rd parties of erasure – Article 19
If you pass user data to third parties, ask each of them to delete it when the user asks your system to “forget me” (Article 19 obliges you to tell every recipient of the data about erasure, rectification and restriction). Calling the third-party APIs to remove data is not the full story, though. If you made the data public, you also have to take reasonable steps to inform other controllers that hold copies, search engines included (Article 17(2)). That is the tricky part, as Google offers no API for removal, only a manual process, and most other organisations likewise have no regular API for removing data from their systems, so keep a record of which recipients need a manual request.
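The “forget me”, “restrict processing” and recipient-notification steps above fit together in one job. The following is an added example, not code from the original post: the `Account` layout, the invoices kept under a legal obligation, and the recipient registry (a callable per vendor, or `None` for vendors that only take manual requests) are assumptions made for illustration; a real system would replace the in-memory objects with database calls and the callables with calls to each vendor’s deletion endpoint.

```python
"""'Forget me' (Art. 17), 'restrict processing' (Art. 18) and recipient
notification (Art. 19) as one erasure job.

Added example, not the original post's code. The Account layout, the invoices
kept under a legal obligation and the recipient registry are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Account:
    user_id: str
    profile: Dict[str, str]                      # name, email, phone ...
    posts: List[Dict[str, Optional[str]]]        # {"id", "author", "text"}
    invoices: List[Dict[str, str]]               # kept under a legal obligation, Art. 17(3)(b)
    restricted: bool = False
    erased: bool = False


# A recipient's deletion hook returns True on success. None means the vendor
# has no deletion API: the erasure must be completed by a manual request.
Recipient = Optional[Callable[[str], bool]]


@dataclass
class ErasureResult:
    notified: List[str] = field(default_factory=list)        # deletion confirmed
    manual_followup: List[str] = field(default_factory=list) # needs a human
    retained: List[str] = field(default_factory=list)        # exempt records, reported


def restrict_processing(acct: Account) -> None:
    """Art. 18: keep the data stored, stop every other use of it."""
    acct.restricted = True


def visible_profile(acct: Account) -> Dict[str, str]:
    """Single gate used by the UI, back-office and export code paths alike."""
    if acct.restricted or acct.erased:
        return {}   # storage only: nothing is shown, mailed or exported
    return dict(acct.profile)


def forget_me(acct: Account, recipients: Dict[str, Recipient]) -> ErasureResult:
    result = ErasureResult()
    # 1. Erase the profile: every directly identifying field goes.
    acct.profile = {}
    # 2. User content is kept but is no longer attributable to the person.
    #    The text itself may still contain personal data; that is for the user
    #    (or a manual review) to remove, as the post above notes.
    for post in acct.posts:
        post["author"] = None
    # 3. Records kept to satisfy a legal obligation are exempt from erasure and
    #    are reported as retained rather than silently kept.
    if acct.invoices:
        result.retained.append(f"invoices:{len(acct.invoices)}")
    acct.erased = True
    # 4. Art. 19: tell each recipient; record those that need manual action,
    #    including ones whose API call failed, so the job is never "done" by mistake.
    for name, delete in recipients.items():
        if delete is None or not delete(acct.user_id):
            result.manual_followup.append(name)
        else:
            result.notified.append(name)
    return result


def demo() -> Tuple[bool, Dict[str, str], Dict[str, str], Optional[str],
                    List[str], List[str], List[str]]:
    """Constructed account: restrict it first, then erase it."""
    acct = Account(
        "u1",
        {"name": "A. Example", "email": "a@example.invalid", "phone": "+00 000"},
        posts=[{"id": "p1", "author": "u1", "text": "hello"}],
        invoices=[{"id": "inv-1", "total": "12.00"}],
    )
    staff_view_before = visible_profile(acct)
    restrict_processing(acct)
    staff_view_restricted = visible_profile(acct)       # {} while restricted
    recipients: Dict[str, Recipient] = {
        "mail_vendor": lambda uid: True,                 # working deletion API
        "search_engine": None,                           # manual removal request only
        "backup_vendor": lambda uid: False,              # API call failed: retry by hand
    }
    res = forget_me(acct, recipients)
    return (bool(staff_view_before), staff_view_restricted, acct.profile,
            acct.posts[0]["author"], res.notified,
            sorted(res.manual_followup), res.retained)
```

The point of returning `manual_followup` and `retained` rather than just a success flag is that the one-month deadline in Article 12(3) still runs for the recipients without an API, and the user has to be told what you kept and why.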
Security of processing (Article 32) and processors (Article 28)
- Secure communication over TLS (HTTPS): All communication should go over a secure channel such as TLS, both between client and server and server-to-server.
- Databases encrypted: Databases and backups should all be encrypted at rest, with the keys managed separately from the data.
- Pseudonymisation: When using production data on a test/staging server, replace the fields that identify users so that the data can no longer be attributed to a person without additional information that is kept separately (Article 4(5)). Pseudonymised data is still personal data, so the key or mapping must stay out of the staging environment; only truly anonymised data falls outside the regulation.
- Logging personal data: If you’re logging, make sure no personal data ends up in the logs, least of all in logs that are shipped to a third-party service.
- Analytics: If you use analytics in your system, make sure no personal data is fed into them unless you have a lawful basis for it; pseudonymise or aggregate the data first.
- If you send data to a 3rd party for processing, such as a backup service or an analytics provider, it is your responsibility to make sure that processor is GDPR compliant and is bound by a written contract covering the Article 28 obligations.
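To make the pseudonymisation bullet concrete, here is an added example (not code from the original post) that prepares a production extract for a staging server. Joinable identifiers are replaced by a keyed HMAC so the same person maps to the same token in every table and joins keep working, while nobody without the key can invert or brute-force it; names become synthetic labels, and contact details and free text are dropped because they may contain anything the user typed. The table layouts, the `PSEUDONYMISATION_KEY` name and the column classification are assumptions; any column without a rule is rejected so a new personal-data column cannot slip through by default.

```python
"""Pseudonymising a production extract before it reaches staging.

Added example, not the original post's code. Table layouts, the key name and
the column classification are assumptions. A keyed HMAC is used rather than a
plain hash because a plain SHA-256 of an email can be reversed simply by
hashing guessed emails; with the key kept in production only, staging cannot.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Lives in production's secret store only; staging never receives it. The
# value here is a constructed placeholder for the example.
PSEUDONYMISATION_KEY = b"constructed-example-key-rotate-in-real-use"

# One treatment per column. Anything unlisted is an error, not a pass-through.
TOKENISE = {"user_id", "email"}                   # joinable identifiers
SYNTHETIC = {"name": "User"}                      # readable label + short token
DROP = {"phone", "free_text"}                     # contact data / anything typed
PASSTHROUGH = {"created_at", "country", "amount", "order_id"}


def token(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Deterministic per value under a given key; different key, different token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_row(row: Dict[str, str], key: bytes = PSEUDONYMISATION_KEY) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for col, val in row.items():
        if col in TOKENISE:
            out[col] = token(val, key)
        elif col in SYNTHETIC:
            out[col] = f"{SYNTHETIC[col]}-{token(val, key)[:6]}"   # unique, not real
        elif col in DROP:
            continue
        elif col in PASSTHROUGH:
            out[col] = val
        else:
            raise KeyError(f"column {col!r} has no pseudonymisation rule")
    return out


def pseudonymise_extract(tables: Dict[str, List[Dict[str, str]]],
                         key: bytes = PSEUDONYMISATION_KEY) -> Dict[str, List[Dict[str, str]]]:
    return {name: [pseudonymise_row(r, key) for r in rows] for name, rows in tables.items()}


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Constructed production extract: one user and two of their orders."""
    prod = {
        "users": [{"user_id": "42", "email": "ann@example.invalid", "name": "Ann Example",
                   "phone": "+00 000 000", "country": "DE", "created_at": "2018-05-25"}],
        "orders": [{"order_id": "o1", "user_id": "42", "amount": "12.00",
                    "free_text": "deliver to Ann at home"},
                   {"order_id": "o2", "user_id": "42", "amount": "3.50", "free_text": ""}],
    }
    staging = pseudonymise_extract(prod)
    user = staging["users"][0]
    joins_hold = all(o["user_id"] == user["user_id"] for o in staging["orders"])
    leaked = any("Ann" in v or "@" in v
                 for table in staging.values() for r in table for v in r.values())
    return (joins_hold,                              # True: same token in both tables
            leaked,                                  # False: no name or email survives
            "phone" in user,                         # False: dropped
            "free_text" in staging["orders"][0],     # False: dropped
            user["name"].startswith("User-"))        # True: synthetic label
```

Because the tokens are deterministic under the key, the extract can be refreshed from production without breaking existing staging test data, and rotating the key deliberately severs the link between old and new extracts.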
Make sure you’re not using any data of users who haven’t agreed to the specific purpose on your system, unless you have another lawful basis for that processing.
Disclaimer: I’ve prepared this document to the best of my knowledge and studies related to GDPR regulation. Professionally I’m not a lawyer or DPO, I’m a professional Software developer, so I may have missed some important legal matters. For more detailed explanation – check EUGDPR or consult DPO (Data Protection Officer) who has “expert knowledge of data protection laws and practices”. Responsibilities and appointment of DPO are discussed here.
This document is work-in-progress, so any changes or rectifications are highly welcomed.