GDPR was adopted by the European Parliament on April 14, 2016, became enforceable on May 25, 2018, and applies to any organization that processes the personal data of people in the EU. Many businesses still do not comply with its requirements, and for others the implementation remains a complete mystery. The following is an overview of what the law encompasses, and why you should care.
If you don’t have a thorough understanding of what personal data means exactly, there’s a post about that here.
At a high level, GDPR is an EU regulation (not a directive: unlike its predecessor, Directive 95/46/EC, it applies directly in every member state without national implementing law) on the protection of personal data, and its scope is twofold. First, the law protects the persons whose personal data is processed. Second, it places additional accountability on the organizations that process that data, both controllers (who decide why and how data is processed) and processors (who process it on a controller's behalf).
Let’s dive in.
GDPR increases territorial scope
The law applies to organizations established in the EU that process personal data, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour there. Note that the legal term is personal data, which is broader than the US notion of PII: any information relating to an identifiable person counts, including IP addresses, cookie identifiers and device IDs. If your systems handle any of it for people in the EU, you are responsible for complying.
Are you a Boston-based business that sells to customers in the EU through your website? You need to comply. (Serving EU tourists while they are physically in Boston is a weaker case: the extraterritorial test is about offering goods or services to, or monitoring the behaviour of, people while they are in the Union.)
Are you a US-based business with a European presence? You need to comply.
Are you a European-based business with no international presence? You need to comply.
Are you a European-based business with significant international presence? You need to comply.
GDPR mandates explicit consent when tracking behavior
Implied consent, which is common in the United States, is not adequate under GDPR. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action.
Consent language must be clear, accessible, and intelligible.
Instead of privacy policies filled with often-unintelligible legalese, GDPR requires that privacy policies, cookie banners, and any other mechanism for gathering tracking consent use clear, plain language that makes the purpose and scope of the processing easy to understand.
Purpose of consent must be attached.
Vaguely requesting consent for “cookies” is no longer enough: GDPR requires that the purpose of the tracking be stated, and consent for one purpose does not cover another. If your systems (remarketing, advertising, or event-tracking pixels) persist personal data about site visitors, you now have to tell visitors what each kind of tracking is for.
Tracking must be explicitly accepted (it is off by default).
In the United States, tracking is typically on by default and at most opt-out, with a notice effectively stating, “if you continue to use this site, you have implicitly allowed us to track you”. This is not acceptable under GDPR: tracking must be off by default and the visitor must opt in by a clear affirmative action. Pre-ticked boxes, silence, and continued browsing do not count as consent, and the site must remain usable if the visitor declines.
It must be as easy to withdraw consent as it is to give it.
Since post-GDPR tracking is off by default and a user must opt in with full knowledge of the intended purpose, companies are naturally incentivized to make it as easy as possible to give consent. But wait, there’s more! Once consent has been granted, it must be as easy for a user to withdraw it as it was to give it, and processing that relied on that consent must stop once it is withdrawn.
GDPR provides specific rights for data subjects
Not entirely unlike the United States’ Bill of Rights or the United Nations’ Universal Declaration of Human Rights, GDPR establishes a notion of “basic digital rights” for data subjects. These rights are outlined as follows:
Right to breach notification
When a company experiences a breach involving personal data, it must notify its supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the breach is likely to result in a high risk to individuals, the affected individuals themselves must also be notified without undue delay. If your company is a data processor serving controllers, you must notify those controllers without undue delay so that they can meet their own deadlines.
Right to access
Data subjects can obtain confirmation from a controller as to whether their personal data is being processed, and if so, what data, for what purposes, who it has been shared with, where it came from, and how long it will be retained. They can also request a copy of all of their personal data, free of charge; when the request is made electronically, the copy must be provided in a commonly used electronic format.
Right to be forgotten
This “basic digital right” (formally, the right to erasure) means that upon request of an individual, a company must erase the personal data concerning that individual without undue delay. The right is not absolute: it applies when one of the listed grounds holds (for example the data is no longer needed for the purpose it was collected for, or the individual withdraws consent on which the processing was based), and it gives way to overriding legal obligations. A controller that has made the data public must also take reasonable steps to inform other controllers processing it that erasure has been requested.
Right to data portability
Lastly, a data subject can request the personal data they provided to a controller in a structured, commonly used and machine-readable format, and has the right to have it transmitted directly to another controller where this is technically feasible. This applies to data processed by automated means on the basis of consent or a contract.
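The consent requirements above (purpose-specific opt-in, withdrawal as easy as granting) and the access, portability and erasure rights are easier to reason about against a concrete data store. The following is an added example written for this post, not code from the original or from any real library: a hypothetical in-memory `PersonalDataStore` that refuses to record tracking events unless an active consent exists for that exact purpose, exports everything held about a subject as JSON, and erases a subject across every store. Class and method names are this example's own assumptions; the erasure log keyed by a hash of the subject identifier is a design choice, not something the post prescribes.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    purpose: str                    # the specific purpose shown to the user, e.g. "analytics"
    granted_at: str
    withdrawn_at: Optional[str] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class PersonalDataStore:
    """Toy in-memory controller back end (hypothetical; not a real library)."""

    def __init__(self) -> None:
        self._profiles: Dict[str, dict] = {}
        self._events: Dict[str, List[dict]] = {}
        self._consents: Dict[str, List[ConsentRecord]] = {}
        self.erasure_log: List[dict] = []

    # --- consent --------------------------------------------------------
    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # Opt-in: the absence of a record means no consent. Only an explicit,
        # still-active grant for this exact purpose counts.
        return any(c.purpose == purpose and c.active
                   for c in self._consents.get(subject_id, []))

    def grant_consent(self, subject_id: str, purpose: str) -> None:
        if not self.has_consent(subject_id, purpose):
            self._consents.setdefault(subject_id, []).append(
                ConsentRecord(purpose=purpose, granted_at=_now()))

    def withdraw_consent(self, subject_id: str, purpose: str) -> bool:
        # Withdrawal is one call, symmetric with grant_consent; the record is
        # kept (with a withdrawal timestamp) so the controller can show when
        # consent existed and when it ended.
        for c in self._consents.get(subject_id, []):
            if c.purpose == purpose and c.active:
                c.withdrawn_at = _now()
                return True
        return False

    # --- processing gated on consent -------------------------------------
    def set_profile(self, subject_id: str, profile: dict) -> None:
        self._profiles[subject_id] = dict(profile)

    def record_event(self, subject_id: str, purpose: str, event: dict) -> bool:
        # Tracking is refused unless consent for this purpose is active now.
        if not self.has_consent(subject_id, purpose):
            return False
        self._events.setdefault(subject_id, []).append(
            {"purpose": purpose, "at": _now(), **event})
        return True

    # --- right of access / portability -----------------------------------
    def subject_record(self, subject_id: str) -> dict:
        return {
            "subject_id": subject_id,
            "profile": self._profiles.get(subject_id),
            "events": list(self._events.get(subject_id, [])),
            "consents": [asdict(c) for c in self._consents.get(subject_id, [])],
        }

    def export_subject(self, subject_id: str) -> str:
        # JSON serves as the structured, commonly used, machine-readable format.
        return json.dumps(self.subject_record(subject_id), indent=2)

    # --- right to erasure -------------------------------------------------
    def erase_subject(self, subject_id: str) -> Dict[str, int]:
        removed = {
            "profile": 1 if subject_id in self._profiles else 0,
            "events": len(self._events.get(subject_id, [])),
            "consents": len(self._consents.get(subject_id, [])),
        }
        self._profiles.pop(subject_id, None)
        self._events.pop(subject_id, None)
        self._consents.pop(subject_id, None)
        # Design choice (assumption): keep a record that the request was honoured,
        # keyed by a hash so the log entry no longer directly identifies the person.
        self.erasure_log.append({
            "subject_hash": hashlib.sha256(subject_id.encode()).hexdigest(),
            "at": _now(), "removed": removed})
        return removed


if __name__ == "__main__":
    store = PersonalDataStore()
    store.set_profile("user-42", {"email": "user42@example.com"})    # constructed sample data
    print(store.record_event("user-42", "analytics", {"page": "/"}))  # False: no consent yet
    store.grant_consent("user-42", "analytics")
    print(store.record_event("user-42", "analytics", {"page": "/"}))  # True
    store.withdraw_consent("user-42", "analytics")
    print(store.export_subject("user-42"))
    print(store.erase_subject("user-42"))
```

The point of gating `record_event` on `has_consent` rather than on a global "accepted cookies" flag is that consent is per purpose: a visitor who accepted analytics has not accepted remarketing, and withdrawing one must not silently keep the other. The single `erase_subject` call only works because every store is keyed by the same subject identifier; in a real system the equivalent is an inventory of every table, queue and third-party system that holds personal data.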
GDPR mandates privacy by design
A privacy-first approach to data and systems engineering is another major component of GDPR. The law is written rather vaguely here (it is very difficult to give overarching directives on how a system should be built) and requires that a controller implement “appropriate technical and organisational measures”, giving pseudonymisation as its one concrete example. It also requires data protection by default: by default, a controller should collect and process only the personal data necessary for each specific purpose, keep it no longer than needed, and not make it accessible to more people than the processing requires.
Ensuring your systems have been built in a way that enables your business to comply with the above is no small feat, and I’ll dive into specific implementation details in an upcoming post.
GDPR establishes data protection officers
If you are a public authority, or your core business activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions and offences, a data protection officer must be designated.
This officer should be appointed on the basis of professional qualities and expert knowledge of data protection law and practice, may be a staff member or an external service provider under a service contract, and must report directly to the highest level of management.
The data protection officer must be provided with the resources needed to carry out their tasks and maintain their expert knowledge, must not be instructed how to perform those tasks or penalised for performing them, and must not hold other duties that would create a conflict of interest (for example, also owning the systems they are supposed to oversee).
Finally, the data protection officer’s contact details must be published and communicated to the supervisory authority, so that both data subjects and the regulator can reach them.
GDPR defines the enforcement of non-compliance
What happens when you don’t comply with GDPR? The law makes it pretty clear: organizations can be fined up to €20 million or 4% of total worldwide annual turnover for the preceding financial year (whichever is greater). Fines are tiered (a lower tier of €10 million or 2% applies to obligations such as security measures, breach notification and appointing a DPO) and apply to both controllers and processors.
Cloud providers are not exempt: a provider that stores or processes personal data on your behalf is a processor with its own obligations, and outsourcing to one does not remove yours as the controller.
When it comes to processing and storing data, GDPR changes a lot of things. Properly complying with the regulation listed above is non-trivial, but ultimately gives individuals basic digital rights. As an engineer, it’s incredibly important to understand the provisions listed and their implications on the systems you build.
Would you be able to contain a breach, identify all affected parties, and communicate its magnitude to the supervisory authority within 72 hours?
Do you have a good audit of all personal data moving through your systems (or third-party systems)?
Would you be able to provide a data subject with a copy of all of their data if asked to do so?
Would you be able to truly erase all personal data of an individual, if requested?
It’s hard, but is by no means impossible.
The next post in this series will get into data engineering methodologies for helping maintain compliance, so stay tuned!
I’ve found the following resources to be incredibly useful when learning about GDPR law (and the implications of it when building systems):