Your Data Isn’t Ready, and Your Company Might Not Be Either
As of May 25th, all organizations working with the data of EU citizens will need to be GDPR (General Data Protection Regulation) compliant.
Global Data Protection Regulation (GDPR) is the EU’s new data regulation and it applies to everyone who has customers that are citizens in the EU. That means it applies to almost any internet business.
These new regulations may completely change how your business is required to handle user data and sometimes even how you operate.
Your organization could be fined up to 20 Million pounds ($28M US dollars as of today) or 4% of global turnover (whichever is greater), so pay close attention!
Seven New GDPR Requirements
Here’s a quick summary of seven new regulatory requirements and how they might affect you. Before we get started, here are two important terms you need to understand:
Data Controller: Any entity that “controls” the data by deciding the purpose or manner that the data is or will be used.
Data Processor: Any person or group that “processes” (obtains, records, adapts, or holds) the data on behalf of a controller.
When asking users to consent to your terms, you cannot use indecipherable terms or conditions documents that are filled with legalese. As a user, I’m a big fan of this; from a company’s perspective, this can be a gray area. Read into the official documentation (linked at the end of this post) for details.
On top of clarity, you also need to ensure that it’s just as easy for users to withdraw their consent (after giving it, not just when you present it initially) as it is for them to give their consent.
2. Breach Notification
In the event of a data breach, you have to notify any data controllers and processors within 72 hours. If a data controller determines that the breach “is likely to result in a high risk to the rights and freedoms of individuals” then they also have to notify each individual user that was affected.
These notifications must contain at least:
- The nature of the personal data breach (number of categories of subjects and records affected).
- The Data Protection Officer’s contact information.
- Describe the likely consequences of the personal data breach.
- Describe how you’re going to address the breach.
Thankfully you are allowed to provide this information in phases if it isn’t available all at once.
3. Right to Access
Your users (or “data subjects”) have the right to obtain a free copy of their personal data. In addition, they have a right to receive a confirmation of their personal data being used or processed.
If you’re wondering what providing “a free copy of their personal data” looks like, check out how Google does it1.
4. Right to Be Forgotten
Users (data subjects) have the right to have their data erased from the data controller “without undue delay” if:
- The controller doesn’t need the data anymore.
- The subject uses their “right to object” to the data processing, or withdraws their previous consent, or was a child when the data was collected.
- There is a legal requirement for the erasure.
- The controller or processor is processing the data unlawfully.
As always, there are a lot of exceptions here, be sure to read the detailed resources below if this applies to you.
5. Data Portability
Not only do users need to have access to download their data, you should also offer different tools for portability; such as APIs alongside a direct download. Direct downloads should be offered in multiple formats, again, Google is a great example here1.
This could mean that you need to allow a competitor to be able to directly import your data if the user requests it.
Thankfully, you’re not responsible for protecting the data copy that has been received by the user.
6. Privacy by Design
This means you need to be thinking about data protection all the way down to the design of your internal systems.
Privacy by design calls for data protection in infrastructure too, meaning there may even be non-technical changes you need to make to your company structure. Now is a great time to look for vulnerabilities in your internal practices and even consider getting a security audit.
7. Data Protection Officers
Qualified officers have to be appointed in any public authority or large organization (over 250 employees) that monitor or process personal data.
If your company qualifies, you should dive into the qualifications and start looking for an officer right away. These regulations go into effect May 2018.
If you’re doing business with EU citizens it’s in your best interest to get on top of these new regulations as quickly as possible. Hopefully, this article provided you with enough detail to know where to start and what to expect.
GDPR isn’t the only thing that requires thoughtful implementation, check out our recent guide on Best Practices for Implementing Data Science.
- Full Official Regulation Document
- ICO Guide to GDPR
- EU GDPR official website
- EU Article 29 data protection