What is GDPR:
25th May is going to be a big day for many organizations, as they need to comply with the GDPR. Approved by the European Government in April 2016, this regulation will be enforced from 25th May 2018. Its purpose is to ensure data privacy for EU citizens and to establish consistent data protection laws across Europe. You are only on the safer side if you are already complying with the DPA (Data Protection Act), the predecessor of the GDPR.
Effect on your business:
It concerns every company in the world that stores or processes data of people residing in the European Union. Those who do not comply face hefty fines of $24 million or 4% of annual global turnover. So you need to decide whether you want to meet the regulation's requirements or pay this huge amount, on top of the loss of significant data.
7 key changes that should not be overlooked:
- As mentioned above, this regulation applies to your business wherever you are located.
- There are new, stricter conditions for obtaining permission to use data: the request must be in an intelligible and easily accessible form that uses clear and plain language. Withdrawing consent must be just as easy.
- Breach notification must be made within 72 hours of becoming aware of the breach.
- The right to be forgotten allows people to have their personal data erased, to stop further dissemination of the data, and to stop third parties from processing it.
- The GDPR allows a person to request and receive their own data and to transmit it to another data controller.
- The GDPR makes it a legal requirement that data protection be designed in while building the system, not bolted on as an afterthought.
- Some companies will need a DPO (Data Protection Officer).
Preparing for GDPR:
What should you do?
- Review the requirements of the GDPR to understand the implications for your business, and keep decision makers updated about what changes need to be made. For some organizations, changes will affect different departments differently, so the sooner you get everybody on board the better.
- Analyse every item of data you gather and store, where it originated from and who you share it with. One of the requirements of the GDPR is to record your processing activities and to have effective policies and procedures in place.
- You should probably update how you communicate to your clients how you will use any personal data you gather, to be consistent with the GDPR. Likewise, your privacy notice needs to explain the legal basis for processing personal data.
- The data portability part is new, so consider how your systems would handle a person's request to receive their data in a commonly used and machine-readable form.
- Confirm that you can accommodate the new rules about handling data access requests within 30 days.
- Document how you seek, record and manage consent. Consent cannot be inferred from silence or inactivity; it must be explicit.
How would you deal with a data breach in your organization? This is the ideal opportunity to review your current procedure and compare what you do with the requirements of the GDPR.
Here is one example of how GDPR is implemented at Explara.
GDPR Implementation:
GDPR implementation needs to cover the entire business, i.e. product, sales, customer support, engineering, operations and any third-party relationships.
Product
What your software product needs for GDPR compliance:
1. Data Encryption
All your data access must be over HTTPS.
2. Consent checkboxes
Explicitly get users' consent by having them tick a checkbox, for example during sign-up. Store each consent as a separate column in the database.
Let users withdraw their consent (by unticking these checkboxes on their profile/settings page). Note that the checkboxes must not be preselected, as that does not count as "consent."
If you are going to use users' data to train your ML models, you must get consent for that as well.
3. Re-request consent
Re-request consent from your users from time to time if the consent they gave earlier was not clear. One approach is to mass-email your users asking them to go to their profile page and tick the checkboxes for each of the personal data processing activities you carry out.
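The consent storage described in items 2 and 3 above, as an added example (this is not Explara's code): one database column per processing purpose, defaulting to "not given" so nothing is ever preselected, plus an append-only event table so every grant and withdrawal is verifiable later. The table, column and purpose names (`terms`, `marketing_email`, `ml_training`) and the policy-version idea are assumptions; the `purposes_to_rerequest` helper goes slightly beyond the text by picking out which checkboxes to ask for again after the privacy policy text changes.

```python
"""Consent storage: one column per processing purpose (default 0 = not given)
and an append-only event table as evidence.  Added example, not Explara's code;
all table, column and purpose names are assumptions."""
import sqlite3
from datetime import datetime, timezone

# Assumed processing purposes; each one is its own column in user_consent.
PURPOSES = ("terms", "marketing_email", "ml_training")

SCHEMA = """
CREATE TABLE user_consent (
    user_id         TEXT PRIMARY KEY,
    terms           INTEGER NOT NULL DEFAULT 0,  -- 0 = not given: never preselected
    marketing_email INTEGER NOT NULL DEFAULT 0,
    ml_training     INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE consent_event (                      -- append-only proof of each choice
    id             INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id        TEXT NOT NULL,
    purpose        TEXT NOT NULL,
    granted        INTEGER NOT NULL,              -- 1 = granted, 0 = withdrawn
    source         TEXT NOT NULL,                 -- e.g. 'signup_form', 'profile_settings'
    policy_version TEXT NOT NULL,                 -- version of the wording the user saw
    at             TEXT NOT NULL                  -- UTC timestamp, ISO 8601
);
"""


def open_db():
    """In-memory SQLite database with the schema above (constructed for the example)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def create_user(db, user_id):
    # A new row takes the column defaults: every purpose starts at 0 (no consent).
    db.execute("INSERT INTO user_consent (user_id) VALUES (?)", (user_id,))


def _check_purpose(purpose):
    # The column name is interpolated into SQL below, so it must come from this
    # fixed whitelist and never from user input.
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose {purpose!r}")


def record_consent(db, user_id, purpose, granted, source, policy_version):
    """Update the current-state column and append an event recording when,
    from which form and against which policy text the user made the choice."""
    _check_purpose(purpose)
    flag = 1 if granted else 0
    now = datetime.now(timezone.utc).isoformat()
    db.execute(f"UPDATE user_consent SET {purpose} = ? WHERE user_id = ?", (flag, user_id))
    db.execute(
        "INSERT INTO consent_event (user_id, purpose, granted, source, policy_version, at)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (user_id, purpose, flag, source, policy_version, now),
    )


def has_consent(db, user_id, purpose):
    """Current state: True only if the user explicitly ticked this purpose."""
    _check_purpose(purpose)
    row = db.execute(f"SELECT {purpose} FROM user_consent WHERE user_id = ?", (user_id,)).fetchone()
    return bool(row and row[0])


def purposes_to_rerequest(db, user_id, current_policy_version):
    """Purposes whose latest grant was given against an older policy text.
    These are the checkboxes to ask the user to tick again."""
    stale = []
    for purpose in PURPOSES:
        row = db.execute(
            "SELECT granted, policy_version FROM consent_event"
            " WHERE user_id = ? AND purpose = ? ORDER BY id DESC LIMIT 1",
            (user_id, purpose),
        ).fetchone()
        if row and row[0] == 1 and row[1] != current_policy_version:
            stale.append(purpose)
    return stale


if __name__ == "__main__":
    db = open_db()
    create_user(db, "demo-user")
    record_consent(db, "demo-user", "terms", True, "signup_form", "v1")
    record_consent(db, "demo-user", "marketing_email", True, "signup_form", "v1")
    record_consent(db, "demo-user", "marketing_email", False, "profile_settings", "v1")
    print("marketing:", has_consent(db, "demo-user", "marketing_email"))
    print("re-request after policy v2:", purposes_to_rerequest(db, "demo-user", "v2"))
```

The event table, not the boolean column, is what answers a regulator's "show me when and how this user consented"; the column only exists so that the application can check the current state cheaply.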
4. User Profile
If you collect user profile data, it is crucial that you protect it. In Profile Settings, introduce a section with a checkbox like:
[ ] I agree to the terms and conditions of {your service}
Consent: ask for consent before allowing the user to use the service, if the user has not given consent earlier.
The user can withdraw consent; in that case, when (s)he next logs in, we ask them to give consent before proceeding.
Allow the user to close their account:
- If the user is a customer with financials involved: handle this manually, as the customer might have pending payments/settlements, legal bindings and similar.
- If the user signed up only to consume information: you can automate deleting his/her account. Also, if you have shared this user's data with any third-party services, you must forward the deletion request to them.
5. Forget me
This is the same as Close My Account.
When a user submits a request to close his/her account, your system must do a few things:
- Record the request via an email system/your own email id, e.g. privacy@yourdomain. Send an acknowledgement from this email id to the user's email address stating that you have received their request.
- Once your Ops team gives the go-ahead, let your IT team delete or anonymize the user account.
- Your system must send API requests notifying third parties to delete the data as well.
- The system sends a mail to the user that their account has been deleted.
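The close-account / forget-me flow from items 4 and 5, as an added example (not Explara's code): a request is recorded and acknowledged from the privacy mailbox, accounts with financials are routed to manual handling while information-only accounts are approved automatically, and execution notifies every third party that received the user's data, anonymizes the record and sends the confirmation mail. Mail sending and third-party API calls are replaced by in-memory outboxes so it runs offline; the class, field and status names are assumptions.

```python
"""Account closure / right-to-be-forgotten workflow.  Added example, not
Explara's code; mail and third-party calls are in-memory stand-ins and all
names below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import uuid

PRIVACY_MAILBOX = "privacy@yourdomain"   # the mailbox named on the page; assumed sender


@dataclass
class User:
    user_id: str
    email: str
    name: str
    has_financials: bool                 # pending payments/settlements => manual handling
    shared_with: list = field(default_factory=list)   # third parties that got this user's data
    anonymized: bool = False


@dataclass
class DeletionRequest:
    request_id: str
    user_id: str
    status: str = "received"             # received | manual_review | approved | completed
    log: list = field(default_factory=list)


class DeletionWorkflow:
    def __init__(self):
        self.users = {}
        self.requests = {}
        self.sent_mail = []              # constructed stand-in for the mail system
        self.third_party_calls = []      # constructed stand-in for outbound API requests

    def _note(self, req, msg):
        req.log.append((datetime.now(timezone.utc).isoformat(), msg))

    def submit(self, user_id):
        """Step 1: record the request and acknowledge it from the privacy mailbox."""
        user = self.users[user_id]
        req = DeletionRequest(request_id=str(uuid.uuid4()), user_id=user_id)
        self.requests[req.request_id] = req
        self._note(req, "request recorded")
        self.sent_mail.append({"from": PRIVACY_MAILBOX, "to": user.email,
                               "subject": "We have received your account closure request"})
        if user.has_financials:
            req.status = "manual_review"  # Ops must check settlements and legal bindings first
            self._note(req, "financial account: routed to manual handling")
        else:
            req.status = "approved"       # information-only account: safe to automate
            self._note(req, "information-only account: auto-approved")
        return req

    def approve(self, request_id, approver):
        """Step 2: Ops gives the go-ahead after manual review."""
        req = self.requests[request_id]
        if req.status not in ("received", "manual_review"):
            raise ValueError(f"request {request_id} is {req.status}, cannot approve")
        req.status = "approved"
        self._note(req, f"go-ahead given by {approver}")

    def execute(self, request_id):
        """Steps 3-5: notify third parties, anonymize the account, confirm by mail."""
        req = self.requests[request_id]
        if req.status != "approved":
            raise ValueError("needs Ops go-ahead before deletion")
        user = self.users[req.user_id]
        for service in user.shared_with:
            self.third_party_calls.append({"service": service, "action": "delete",
                                           "user_ref": user.user_id})
        recipient = user.email            # keep the address only for the final confirmation
        # Replace identifying fields with a random token: transactional rows stay
        # linkable to "a deleted user" without revealing who that was.
        token = uuid.uuid4().hex[:12]
        user.email = f"deleted-{token}@invalid"
        user.name = "Deleted user"
        user.anonymized = True
        req.status = "completed"
        self._note(req, f"account anonymized, {len(user.shared_with)} third parties notified")
        self.sent_mail.append({"from": PRIVACY_MAILBOX, "to": recipient,
                               "subject": "Your account has been deleted"})
        return req
```

`execute` refuses to run on anything but an approved request, so the automated path and the manual path converge on the same deletion code; the per-request `log` is the record an Ops team can show for each step.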
6. Export Data
Allow users to export their data as a CSV file containing both their personal data and their transactional data.
7. Contact Us Forms
If you have a newsletter, email subscription, contact forms or web forms, ask for the user's consent via a checkbox before proceeding.
8. Cookie
Explicitly ask the user for cookie consent.
9. Inform users about IP Address
If you track users by storing their IP address and logging their activity, inform them in your privacy policy and/or on their personal settings page.
10. Mobile App
If you offer a mobile app, allow the user to opt out of tracking, notifications and any other way you store or share their data.
DevOps/Infrastructure
Have your DevOps team, and any third-party infrastructure provider, sign an SLA. Database backups and data moved to storage etc. must be encrypted.
You must maintain a log of which user accessed what data, and when.
Customer Support
All processes for operations and customer support must be GDPR compliant. When your customer support team accesses user data via the CRM, record those accesses in an Activity Log or some other traceable log.
None of your team should be able to see users' private data unless you have a process to ensure safety, and that process has the customers' explicit consent to access their data while providing services.
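The traceable access log described in the DevOps and Customer Support sections above, as an added example (not Explara's code): every staff read of a user's personal data goes through one function that refuses reads with no traceable reason (a ticket or consent reference) and writes one JSON line per access. It also goes a little beyond the text with two queries a practitioner wants from such a log: "who has looked at this user's data?" for a subject access request, and a simple check that flags staff accounts reading many distinct users in a short window. Class, field and staff/ticket names are assumptions; the log lines are constructed in memory.

```python
"""Traceable log of staff access to personal data.  Added example, not
Explara's code; names are assumptions and the log sink is an in-memory list."""
import json
from collections import defaultdict
from datetime import datetime, timezone, timedelta


class AccessDenied(Exception):
    """Raised when a read carries no reason that could later be traced."""


class PersonalDataAccessLog:
    def __init__(self):
        self.lines = []   # constructed stand-in for an append-only log sink

    def access(self, staff_id, user_id, fields, reason, when=None):
        """Record one read of `fields` of `user_id` by `staff_id`.
        `reason` must be a ticket id or consent reference; an empty reason is refused."""
        if not reason:
            raise AccessDenied(f"{staff_id} tried to read {user_id} without a reason")
        ts = when or datetime.now(timezone.utc)
        entry = {"ts": ts.isoformat(), "staff": staff_id, "user": user_id,
                 "fields": sorted(fields), "reason": reason}
        self.lines.append(json.dumps(entry, sort_keys=True))
        return entry

    def _entries(self):
        return [json.loads(line) for line in self.lines]

    def accesses_to(self, user_id):
        """Answer 'who has looked at my data, and why?' for a subject access request."""
        return [e for e in self._entries() if e["user"] == user_id]

    def bulk_readers(self, window=timedelta(hours=1), threshold=20):
        """Staff accounts that read more than `threshold` distinct users within
        any `window`: a simple signal for browsing beyond the scope of a ticket."""
        by_staff = defaultdict(list)
        for e in self._entries():
            by_staff[e["staff"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
        flagged = set()
        for staff, events in by_staff.items():
            events.sort()
            start = 0
            for end in range(len(events)):
                while events[end][0] - events[start][0] > window:   # slide the window
                    start += 1
                if len({u for _, u in events[start:end + 1]}) > threshold:
                    flagged.add(staff)
                    break
        return sorted(flagged)


if __name__ == "__main__":
    log = PersonalDataAccessLog()
    log.access("agent1", "u1", ["email", "phone"], "TICKET-123")
    print(log.accesses_to("u1"))
    print("bulk readers:", log.bulk_readers())
```

Keeping the reason mandatory at the point of access, rather than asking agents to fill it in afterwards, is what makes the log usable as evidence that access happened only while providing a service the customer asked for.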
Sales
Use a CRM that is secure and GDPR compliant, and have basic processes in place such as email consent and unsubscribing from emails.
Marketing
Your marketing tools must be GDPR compliant and must offer opt-in for the various emails and communications. This should be one of the top focus areas for your team.
Operations
Your operations team has access to your user data and also to your own employee data. Ensure this is 100% GDPR compliant.
A few references:
- https://dzone.com/articles/gdpr-a-practical-guide-for-developers-part-1
- https://dzone.com/articles/gdpr-a-practical-guide-for-developers-part-2
- https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/
- https://www.hubspot.com/data-privacy/gdpr-checklist
- GDPR @ HubSpot: https://www.hubspot.com/data-privacy/gdpr/product-readiness
GDPR expands the definition of personal data to include:
- Genetic data
- Biometric data (such as facial recognition or fingerprint logins)
- Location data
- Pseudonymized data
- Online identifiers
Privacy Impact Assessments
A brilliant one via Smashing Magazine: https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/
A Privacy Impact Assessment (PIA), which is required under GDPR for data-intensive projects, is a living document which must be made accessible to all involved with a project. It is the process by which you discuss, audit, inventory, and mitigate the privacy risks inherent in the data you collect and process.
Like all GDPR documentation, a PIA can be requisitioned by a data protection regulator in the event of a privacy concern or data breach. Not having a PIA is not an option.
A robust PIA should document the following information:
Data collection and retention:
- What personal data is getting processed?
- How is that data collected and retained?
- Is the data stored locally, on our servers, or both?
- For how long is data stored, and when is the data deleted?
- Is the data collection and processing specified, explicit, and legitimate?
- What is the process for granting consent for the data processing, and is consent explicit and verifiable?
- What is the basis of the consent for the data processing?
- If not based on consent, what is the legal basis for the data processing?
- Is the data minimized to what is explicitly required?
- Is the data accurate and kept up to date?
- How are users informed about the data processing?
- What controls do users have over the data collection and retention?
Technical and security measures:
- Is the data encrypted?
- Is the data anonymized or pseudonymized?
- Is the data backed up?
- What are the technical and security measures at the host location?
Personnel:
- Who has access to the data?
- What kind of data protection training have those individuals received?
- What security measures do those individuals work with?
- What data breach notification and alert procedures are in place?
- What procedures are in place for government requests?
Subject access rights:
- How does the data subject exercise their access rights?
- How does the data subject exercise their right to data portability?
- How does the data subject exercise their rights to erasure and the right to be forgotten?
- How does the data subject exercise their right to restrict processing and their right to object?
Legal:
- Are the obligations of all data processors, including subcontractors, covered by a contract?
- If the data is transferred outside the European Union, what are the protective measures and safeguards?
Risks:
- What are the risks to the data subjects if the data is misused, mis-accessed, or breached?
- What are the risks to the data subjects if the data is modified?
- What are the risks to the data subjects if the data is lost?
- What are the main sources of risk?
- What steps have been taken to mitigate those risks?