What Preparing For the GDPR Has Taught Me

Rapid technological developments and globalisation have brought new challenges for the protection of personal data.

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

We are now finally in the “final countdown” phase of Regulation (EU) 2016/679, AKA the GDPR. It will soon be legally obligatory for companies that process personal data of anyone residing within the EU to abide by this regulation, which means you are probably getting loads of emails asking you to review changes to privacy policies across the board.

In short, the GDPR re-writes a large part of a company’s terms and conditions and privacy policy.

Classmethod Europe GmbH pledges to adhere to the regulation as we continue to serve Europe with leading AWS cloud solutions.

Personally, as a “data subject” residing in the EU, I appreciate the GDPR. I believe in its principles, and I believe that it is a “step in the right direction” insofar as empowering people to be more in control of the information that they make public.

It sets the groundwork for companies to see their customers more as citizens and less like dollar signs. Companies are now legally bound to treat the data that people give them with respect, and are responsible for ensuring its safety. “Let your customers know that their property is in good hands” type of thing. The GDPR is like the “golden standard” as to what the EU government believes is the level of respect, care and work ethic a person’s identity should command even if it’s in digital format. Data travels incredibly fast. It can be in one country, and appear across the globe in a matter of clicks. The GDPR is making a protocol for the people they are responsible for: the “data subjects” on their turf.

For businesses, however, it’s a whole different story. It can be stressful, confusing and extremely vague in certain areas. The regulation is a combination of a contract, a guidebook, and an instruction manual for member states, authorities, and companies, on top of what feels like a million rules and specifications.

I was part of the team that was responsible for making sure that we are prepared, if for whatever reason a supervisory authority wanted to audit us.

Part of my preparation was doing a lot of what most people today would do. I googled. I also youtubed, I read the Wikipedia article, I took assessment tests, I read blogs, and went to events hosted by Mindspace.  But what I found to be the most helpful in understanding the GDPR was reading the official “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016”.

It was not an easy read. It’s around eighty-eight pages, and it took me roughly 3 days to get through it. (I might have skimmed through some parts sshhh..).  I will post bits and pieces of it throughout this blog. I will also post links at the end of the article which I found to be helpful for anyone who might be interested in learning more about the GDPR.

PSA- I am in no way an expert, I cannot offer legal advice. I don’t want to be sued. Please. That being said, I hope I can give some sort of insight into what the GDPR taught me on a personal level and on a business level.  So, let’s get to it.

To easily follow along with the way the Regulation was written, here are some not so common key terms:

  • “Controller” – The data controller is someone in a company who determines the purpose(s) and the means by which personal data is processed.
  • “Data processing” – any time a company, either through automation or manually, does anything with data.
  • “Data subject” – you, me, anyone with a pulse (you have to be a living person to legally claim GDPR rights).
  • “Personal data” – any bit of information, such as an IP address or a full name, that can link back to a natural person.

QUICK RECAP

The purpose of the GDPR, and what it intends to accomplish

The following is an excerpt from the Official Journal of the European Union on May 4th 2016:

“1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

Chapter 1, Article 1

 

(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal ..., while ensuring a high level of the protection of personal data.

(7) Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

- Opening paragraphs of the GDPR, paragraphs 6 and 7

Just allow all that to sink in for a second. The GDPR is a huge game changer. I know I sound like a GDPR cheerleader, but as an American, where the right to be forgotten is far from being achieved, I am super grateful to be a beneficiary of this new law.

Which brings me to just one of the rights stated in the GDPR which I stand to gain:

The right to be forgotten

  • “A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’... In particular, a data subject should have the right to have his or her personal data erased and no longer processed ...”

So now I can say “I invoke my right to be forgotten, please.” Oh the power! (I’m exaggerating a bit here.)

The right to be forgotten, or the right to erasure, will probably be extremely beneficial for teenagers who would like any personal data they provided taken down from any platform. Think about it, kids these days are doing all kinds of weird things like putting laundry detergent in their mouths (God help us). They can now request to have such data deleted before applying for a job as an adult.

Which brings me to another new thing about the GDPR.

Specific regulations concerning the data of children.

How the GDPR plans to protect the data of children.

“…the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.”

-Article 8

 

At one of the events I went to, the speaker explained that they did this because they believe that children, at least younger than 13, or 16, cannot fully “grasp” the concept of personal data or understand what it fully implies when we give rights, or consent to a company to use our data. To me, this makes perfect sense because at that age a person’s brain is not even fully developed.

Of course there are always exceptions to the rules, which the GDPR also points out, with regard to national security etc.

These are only a couple of the benefits from the new regulation. Now for a view into what it means for a company.

What GDPR means for businesses

First, a company's terms and conditions must be written in a way that's easy for people to understand. That means no legal jargon, no confusing sentences.

For businesses, the GDPR can be a bit stressful due to the fact that if you are caught in violation, fines can be 20,000,000 Euros or 4% of your annual revenue, whichever is more. But if you are a super sketchy business, and you’re misusing people’s data and their trust in full knowledge, then maybe you deserve to be fined.

While 20,000,000 euros, or 4%, is the maximum fine a company can receive, there are also different degrees of violations which can result in various levels of fines. And because the GDPR is 88 pages long, making it full of rules, and states that each member state (European country) is in charge of delegating the “Supervisory Authority” which will enforce the GDPR, it leaves a lot of room for confusion as to what GDPR enforcement will look like.

The GDPR covers topics such as securing personal data. A company now has to have specific safeguards in place and make absolutely sure that whatever data they have on people is safe. Companies also have to keep records of how personal data is processed, from one controller to another, and keep tight records any time a person’s data is being used.  However, there are exceptions to record keeping if you’re a small to mid-size company with fewer than 250 employees. Sometimes it pays to be small.

The GDPR also sets down rules and limits to what counts as consent. Here is part of the official article:

Article 7

Conditions for consent

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

The data subject shall have the right to withdraw his or her consent at any time… The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”

Some New Challenges for Businesses

One major change to note for businesses is that they are now legally required to report data breaches, should they occur, to the authorities and to those who were affected by the breach.

On top of implementing new rules, companies (depending on size and based on laws made by member states) have to have an appointed data protection officer (DPO).

The role of a DPO is:

“Data protection officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements.”

-Digitalguardian.com

Depending on the size of your company, you need a person, or maybe even a department, who’s around to make sure that your company is following GDPR procedures.

Another new challenge for companies is portability. Portability in the GDPR mandates that:

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided,”

Article 20, section 1

There needs to be a way for people to obtain all the information you have on them in a way where they can give it to someone else.

And the final very important point I will present to you: the GDPR isn’t only for companies handling their customers’ data, it ALSO applies to companies handling employees’ data.

The GDPR is for any company that processes data of people within the EU. It is NOT only for European companies to abide by. Facebook, Google, and Amazon had to prepare for the GDPR too.

Summary

Helping companies reach GDPR compliance is no doubt becoming a business, and consultancy has become a valuable, if not necessary, commodity for being deemed a fully GDPR-compliant company. Bottom line though, it is the sole responsibility of a company to make sure that they are handling data responsibly and with respect. After May 25th, in order for a company to keep their status, they have to make sure they meet the GDPR standards.

Links

official GDPR document in different languages

A really great website explaining the GDPR

Really friendly girl breaking down the GDPR

Microsoft's GDPR Assessment Test

An organized presentation of the GDPR with links