GDPR Compliance Explained. Summary, Requirements, Fines
If you’re reading this, you’ve probably already heard of EU’s General Data Protection Regulation (GDPR) which promises to be the new and universal legislation and standard for ensuring data protection & privacy. Hopefully, it’s bound to make the world a better place by taking personal user data from the hands of “evil marketing organizations” and giving control over this data back to us, the people (pun intended).
However, for many businesses, this imminent change in the approach to data protection and privacy does not seem that much of a cause for celebration. For example, several organizations of the video game industry have already given up on their projects due to high costs of adapting to the new data governance legislation (e.g. Uber Entertainment’s “Super Monday Night Combat”, Edge of Reality’s “Loadout”, Gravity’s “Ragnarok Online”).
Here’s how the representatives of Edge of Reality explained their decision to shutdown the project:
Edge of Reality has also commented and explained why GDPR compliance is such an issue:
It seems like almost every other organization, from small businesses to large corporations and enterprises, is contemplating what it will take to make a smooth transition, incorporate the right strategy and data governance framework to achieve GDPR-compliance. According to a recent survey conducted by SAS, a leader in global analytics, Only 45% of organizations have a structured process in place to comply with GDPR. Out of this 45%, only 66% think that their process will lead to successful compliance.
Europe’s data protection and privacy revolution actually introduces two new regulating documents: the General Data Protection Regulation (GDPR) and a rewrite of the ePrivacy Directive (ePD), which is sometimes also referred to as the “Cookie Law”.
The first half of this process, the GDPR, is a fresh perspective on the existing Data Protection Directive back from 1995. All of the principles of the original directive are inherited by the new GDPR regulation, which now consists of new definitions and requirements that reflect the modern era of communication and data exchange.
The second half is the new version of the ePrivacy Directive (ePD) of 2002. It deals with such data artifacts as cookies, telemetry, metadata, and consent for marketing. The directive was originally planned to be enforced on the same date as GDPR. However, as of writing, it is still under negotiations and should be finalized by the end of 2018.
What brings great hope is that the updated legislation isn’t overly complex or technical, the requirements are common-sense and can even bring many benefits from their adoption.
The GDPR broadens the term personal data and puts the user at the heart of data protection and privacy. Every EU resident will now have the rights to decide and manage how his or her personal data is being collected, stored, used, protected, transferred and deleted. Under GDPR the users can opt out of sharing personal data, forbid its further processing and request all data to be sent to them in a readable form or be erased completely from the system.
GDPR compliance requires large enterprises to make a full review of their data collection, usage and security practices when it comes to substantial amounts of user data. This will require them to create an efficient data governance framework, perform audits, employ specialized personnel, organize staff training and professional development courses to ensure every team member has a clear understanding of the GDPR principles and requirements. As these companies take steps towards compliance, they will inevitably face challenges along the way. Hopefully, this article will serve as a stepping stone for some companies on their way to compliance or to GDPR-compliant software development.
Who Does GDPR Affect?
Companies that collect, store and/or process personal data of EU citizens must comply with the GDPR, regardless of whether they have a business presence within the European Union. So an organization is not exempt from GDPR requirements just because it’s not based within the EU country it collects data from.
This pervasive data protection regulation applies globally to any company that processes personal data of EU residents. The Data Subject (from whom you obtain personal data) could be an employee who lives in the UK but works for a company in New York or a customer from France making a transaction with a US-based retailer or marketplace. This raises the issue of user personal data exchange between the EU, the US and other countries outside the European Union.
EU-US Privacy Shield Framework
Several data privacy projects have recently added even more hype to the trending GDPR topic. One of these developments is the substitution of Safe Harbor, a data exchange management system that existed to govern data-related operations between the EU and the US, by the Privacy Shield, the final version of which was approved on July 8, 2016.
The EU-US Privacy Shield Framework is a data exchange framework designed by the U.S. Department of Commerce and the European Commission to provide companies from both the US and EU with data protection compliance mechanism for transferring personal data in support of transatlantic commerce.
While the United States and the European Union share the same goals of ensuring personal data security and privacy protection, the US has a whole different approach to privacy. The United States uses a sectoral approach, relying on a mix of legislation, regulation, and self-regulation. Thus, given the differences, with the aim to provide US organizations with a reliable way of transferring personal data to the United States from the European Union and to ensure EU residents continue to be protected against unlawful use of personal data under European legislation, the Department of Commerce formulated the Privacy Shield Framework.
EU legislation lays restrictions on transfers of personal data outside of the EU. It states that such transfers should only be performed if “adequate protection” of personal data is provided. The party that is responsible for assessing whether a country outside the EU has a legal framework with an efficient enough data protection mechanism is the European Commission (EC). The EC has never found the US to have “adequate protection”. US companies only have the right to receive personal data from the EU if they establish one of the following:
- Join the EU-US Privacy Shield Framework;
- Provide adequate safeguards (contractual clauses, corporate rules and standards, etc.);
- Refer to one of the GDPR exceptions.
The Privacy Shield document has a detailed list of data privacy principles which were developed in consultation with the European Commission and in many aspects overlap with EU’s General Data Protection Regulation.
What is Personal Data?
Personal data, according to the GDPR, is any data that allows to identify the user, directly or indirectly. This refers to the person’s name, gender, age, biometric data (such as facial recognition or fingerprint logins), email, online identifiers, home address, current location, income, etc. This broad definition is expected to expand over time and is important for developers as it also includes such things as IP addresses, mobile device IDs, browser fingerprints, RFID tags, MAC addresses, cookies, telemetry, user account IDs, and any other form of software-generated data that may be used to identify the user of the service.
Beyond personal data, there is also sensitive personal data, which includes:
- Racial or ethnic background;
- Political, religious and philosophical beliefs;
- Trade union membership;
- Health information;
- Sex life and sexual orientation;
- History of criminal activity and convictions.
Sensitive personal data requires an even more strict protection policy than regular personal data (collection is prohibited with exception to cases outlined in Article 9 of the regulation), and the consequences for breach or unlawful usage are much greater.
According to GDPR, personal data of users is gathered and processed by two entities: data controllers and data processors.
Data controller is a person or an entity, such as the service provider or organization, which decides what data is collected, how it is used, and whom it is shared with within the framework of the service. This category actually represents the company that provides services to users and collects, stores, shares, or processes their data in any way within these services.
Data processor is any entity other than the data controller who processes the data on their behalf. As a developer, you may be a data controller, you may be a data processor, and you may be both. This category may also include cloud service providers, payroll companies, accountants, market research companies and other entities involved in data processing.
Data Protection Principles
Chapter 2 of the GDPR regulation stipulates the following principles of data protection and privacy:
- All user personal data is to be processed lawfully, in a transparent manner;
- Personal data should only be collected for specified, explicit and legitimate purposes;
- Data should only be processed with the user’s consent to process such data for the specified purposes;
- User must have the right to withdraw his or her consent at any time;
- Collected data should be adequate, relevant and limited to what is necessary for the specified processing purposes;
- Data should remain accurate and up-to-date;
- Personal data that is inaccurate or obsolete should be removed without delay;
- Data is to be kept in a form which allows identifying the user for no longer than it is necessary for the specified purposes of data processing;
- Data should be processed in a way that ensures appropriate security, applying protection against unauthorized, unlawful processing, accidental loss, destruction or damage.
Data Protection Officer
GDPR requires organizations to put enterprise security leadership responsibilities in the hands of a Data Protection Officer appointed specifically for this role. Companies are obliged to employ the services of a Data Protection Officer in cases when the following is true:
- The company presents a public authority or body, except for courts acting in their judicial capacity;
- The processing requires regular and systematic monitoring of users personal data on a large scale;
- The processing involves monitoring sensitive personal data on a large scale (health information, criminal activity and convictions, etc.).
Although the GDPR does not demand all companies to employ the services of a Data Protection Officer, it is considered good practice to have one and the most practical and sensible way for organizations to ensure adherence to data protection and privacy principles and requirements.
The Data Protection Officer has the following responsibilities within the framework of GDPR:
- Educating the company and its employees regarding GDPR compliance;
- Educating and training the staff involved in obtaining and processing data;
- Performing compliance audits and preventing potential issues;
- Acting as a buffer between the company and EU’s GDPR Supervisory Authorities;
- Monitoring data protection and privacy performance;
- Documenting all data processing activities performed by the company, including the purpose of data processing;
- Informing clients on how their data is being used, informing about their rights to have their data erased, and the measures taken by the company to protect personal data.
Privacy by Design
The General Data Protection Regulation makes Privacy by Design and Privacy by Default a legal obligation. Not only are you required to develop software adhering to Privacy by Design principles, you are also obligated to document your Privacy by Design development processes. Documentation of said processes must be made available to the European regulatory authorities in case of a data breach or the user’s complaint.
The Privacy by Design framework is imperative for GDPR-compliant development and has the following foundational principles:
- Privacy must be proactive, not reactive and preventative, not remedial: this means you must research for potential privacy issues before they arise.
- Privacy must be the default setting: users shouldn’t be responsible for taking steps toward securing their privacy; consent for sharing user data should not be assumed.
- Privacy must be embedded into design: it must be a core function of the product or service, not supplemental.
- Privacy must be a positive sum and should avoid dichotomies: for example, Privacy by Design assumes an achievable balance between privacy and security.
- Privacy must offer end-to-end lifecycle protection of user data: this means adapting proper data minimization, retention and deletion processes.
- Privacy standards must be visible, transparent, open, documented and independently verifiable: in other words, they must stand up to external inspection by the authorities.
- Privacy must be user-centric: This means giving users granular privacy options through detailed privacy information notices, maximizing privacy defaults, providing user-friendly options and clear notification of changes.
Companies that collect data on residents of the European Union (EU) are required to comply with the strict new rules of client data protection and privacy starting from May 25, 2018. So if you still haven’t taken all the necessary measures to ensure GDPR compliance, we recommend you consider focusing your full attention on the matter, in order to avoid serious litigation, painful GDPR fines and tainted company reputation.
GDPR Fines and Penalties
Financial penalties for GDPR noncompliance range up to 4% of company’s worldwide annual revenue for the preceding financial year or €20 million (currently around US $23 million), whichever is greater.
In addition, users are entitled to file a complaint against a Data Controller or Data Processor if they consider their rights to be compromised. Winning damages and the size of damages is not regulated by the GDPR, so penalties and fines related to GDPR noncompliance issues could be substantial and cause serious harm to any organization, from small companies to large enterprises.
How to Achieve GDPR Compliance
Noncompliance with the GDPR can prove to be a real threat to the future of many companies. It’s not just the enormous fines that pose a problem, it’s the company’s reputation that is also at stake, the competitive edge that GDPR-compliant organizations and services will have over their noncompliant peers. A proper data management system in place creates significant competitive advantage and improves the overall quality of service you provide to your clients. Let’s take a look at the steps that can be taken to achieve GDPR compliance.
1. Performing a Data Flow Analysis
To address GDPR compliance, you should not rely only on common knowledge of where you think you store personal data about your users. You have to examine what data you have already collected from users, and also assess what data you will be gathering in the future. With GDPR in place, you have to always think ahead of time. This means you need to know what personal information you have or will be gathering, where you have obtained that data, where it is stored and the permissions that you were given regarding data storage and processing.
No matter what the technology – traditional data warehouses or cloud-based storage, structured and unstructured data, data at rest and data in motion – you must investigate and audit what personal data is being stored and used across your data landscape. All this information needs to be documented in order to be presented to EU regulatory authorities in case they demand it. This information is also required for putting up a sufficient data governance framework and building a controllable inventory of personal data.
2. Setting up a Data Governance Framework
Managing data first and foremost requires defining what personal data means, and then sharing this understanding across your organization. Privacy rules must be documented and shared throughout your business. This way you make sure personal data can only be accessed by individuals with proper rights, based on the nature of personal data, the rights associated with user groups and the context the data is used within.
3. Ensuring Data Protection and Security
When you’ve established a personal data inventory and governance model, the next step is to set up the high level of data protection and privacy enforced by the GDPR regulation. Data protection and security is acquired in the following ways:
- Anonymization: technology that converts data into an unreadable and irreversible form, including preimage resistant hashes and encryption techniques where the decryption key is being discarded.
- Pseudonymization: method of substituting identifiable data with a reversible, consistent value.
- Encryption: the process of encoding personally identifiable information in data.
You must apply the right techniques based on user rights and the context of data usage while also not compromising the needs for data analysis, forecast, making queries, sending reports, etc. The best way to ensure data privacy is to timely erase all irrelevant data, keeping only the data you need for critical business processes and added-value analysis.
4. Setting up Appropriate Data Management Processes
You will have to make sure your software or web service provide all the required data management mechanisms that allow to properly ask for user’s consent, delete personal data and provide it electronically in a format that is accessible to the user. You should also make sure you have the right procedures in place to detect, report and investigate personal data breaches. Also, make sure that your software adheres to Privacy by Design principles.
5. Employing a Data Protection Officer
Although it is not an obligation for all organizations, hiring a Data Protection Officer (DPO) and transferring all data protection, privacy, security and GDPR-related responsibilities to a specialized staff member is a reasonable thing to do. It is considered good practice in the same way organizations have specialized personnel looking after health and safety or HR issues.
The Data Protection Officer will be responsible for educating the company and its employees on GDPR compliance principles and requirements, training the staff involved in aggregating and processing data and performing regular data protection & security audits. The DPO also acts as the point of contact between the company and EU’s regulatory authorities that oversee activities related to data protection and privacy.
UK’s Information Commissioner's Office Practical Advice
United Kingdom’s Information Commissioner's Office (ICO), an independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals, has introduced a Guide to GDPR where it explains the provisions of the GDPR to help organizations comply with its requirements.
It includes links to related sections of the GDPR, other ICO resources and guidance produced by the EU’s Article 29 Working Party. The Working Party has data protection authority representatives from each EU member state and the ICO as UK’s representative.
The ICO also provides several Data protection assurance checklists for Data Controllers, Data Processors and other entities to help them assess their level of compliance with the data protection legislation.
OWASP Top 10 Privacy Risks Project
Another good practice to make sure your software services adhere to GDPR principles and requirements is to check for vulnerabilities from OWASP Top 10 Privacy Risk Project list. The list also overlaps with GDPR requirements and in some cases even provides a more technical and practical approach to ensuring personal data protection and privacy than the regulation.
The OWASP Top 10 Privacy Risks Project provides a list of countermeasures that can be applied to avoid the most widely spread risks to personal data privacy. We compiled our list of privacy measures based on the Top 10 Privacy Risks Project’s countermeasures that we think is vital to ensure GDPR compliance:
- Perform regular data protection audits;
- Avoid using third-party software and components with known vulnerabilities;
- Prevent sensitive data exposure by using encryption;
- Prevent SQL injection by eliminating injection flaws;
- Implement Privacy by Design;
- Research cloud provider’s reputation and reliability, ensure that the provider is certified according to ISO 27001 or ISO 27018;
- Apply anonymization, pseudonymization and encryption of personal data;
- Perform awareness training for all employees regarding the handling of personal data;
- Monitor and detect classified data leakage from endpoints, web portals and cloud services;
- Make sure you have a data breach response plan in place and that you timely detect breaches, notify relevant parties, including the individuals themselves, in a timely manner;
- Personal data has to be deleted after termination of the specified purpose and after an appropriate time frame;
- Personal data has to be deleted on rightful user request;
- Data retention, archival and deletion policies and processes have to be documented and followed;
- Evidence should be collected to verify the deletion in accordance with the policies;
- When deleting data in the cloud, be aware of data stored in older snapshots;
- Delete user profiles after long periods of inactivity;
- Check if policies, terms and conditions are easy to find, fully describe data processing, are understandable for non-lawyers, available in the user’s language, explain which data is collected and the purposes for data collection;
- Define the purpose of the collection of personal data and only collect personal data required to fulfill the purpose;
- Terms & Conditions should be specific for each purpose of data usage and processing;
- Use separate Terms & Conditions for use and data processing;
- Provide an opt-out button for the users;
- Default is to collect as little data as possible unless the user chooses otherwise;
- Avoid providing user data to any third party without obtaining the user’s consent;
- Use third-party content only where it is required, not by default;
- Implement a procedure to update the user’s personal data by obtaining inputs from them after a certain time period, provide a form to enable users to update their data;
- Provide mechanisms to effectively enforce session termination: automatic session expiration should be set. Expiration time could differ widely depending on the criticality of the application and data;
- Enforce secure data transfer through HTTPS and other secured protocols.
By following these OWASP privacy risk countermeasures, you are very likely to be in compliance with most of GDPR principles and requirements.
GDPR Compliance Benefits
While the new GDPR requirements are more strict and challenging, the main privacy principles have remained the same for many years now. So for most companies, the introduction of GDPR means reviewing their compliance rather than building a data protection strategy from scratch. In this sense, the GDPR brings more benefits rather than actual barriers for organizations that emphasize on leveraging user data.
The General Data Protection Regulation brings the following benefits to organizations:
- Improved data governance framework and business efficiency. Reevaluation of data governance processes will drive forward such factors as the company’s overall efficiency, IT capabilities, customer satisfaction and company image.
- Improved cybersecurity. No company can afford taking risks in their approach to cybersecurity. The costs of data breaches, business downtime and loss of critical user data are just too high to be disregarded. GDPR compliance is the most sensible way of providing a high standard of personal data privacy and security to avoid these complications.
- Companies gain competitive advantage. With correct policies in place, companies will not only comply with GDPR, but also build a competitive advantage by improving analytical processes, optimizing operational efficiency and reducing expenses. This will in a significantly positive way affect the work of customer intelligence and risk management departments, and other departments working with advanced analytics.
- A head-start in the future fully-regulated personal data market. GDPR is just the beginning: the EU is headed for a fully-regulated personal data market with a number of initiatives on top of the GDPR that are already being discussed and negotiated. This includes the ePrivacy Directive, regulations for the free flow of data, the internet of things and artificial intelligence. Organisations that invest in their data strategies will remain compliant and competitive in the newly regulated market and business environment.
GDPR compliance is not an issue to be taken lightly, as we have outlined in the contents of this article. Not only does it impose harsh fines on organizations which neglect user’s personal data protection and privacy, it also poses serious risks in terms of company image, affects company’s competitiveness on the market and the overall quality of services it provides.
However, organizations should not look at this regulation as a stipulation, but rather as an opportunity to gain an advantage over competitors in the future fully-regulated market, build on customer loyalty and trust, and improve their data management systems. The General Data Protection Regulation is a big step to the bright future of the modern personal data market.
In our next article we will talk about GDPR compliance in software and web development, design and QA requirements in GDPR, technical tips and advice, as well as examples of good GDPR practice.
Require GDPR-compliant software or web development services? Contact us and we will help.