GDPR: An Overview

What is the GDPR?

The General Data Protection Regulation is a framework of legal guidelines for the collection and processing of personal information of individuals within the European Union. Or, in short, it’s the rules that companies need to follow to collect and protect a user’s data. As of May 25th, 2018, any company, group, or individual that handles European data must comply with GDPR. This goes for massive players like Google down to bloggers who collect email addresses for their newsletter. And it likely affects your company even if you don't operate out of Europe.

Four terms to understand:

Personal Data – any identifying information. This includes submitted information such as your name, email, SIN, address, phone number, biometrics, or account numbers. It also includes information that could be used to identify you indirectly, such as location data.

Data Subject – simply put, it is the user or the person who is identified by the information.

Data Controller – the person or company who determines the purpose and use of the collected data.

Data Processor – the person or company who processes the data. This includes analytics, marketing, as well as storage such as cloud services.

The controller and processor can be the same or separate. For example, I collect email addresses for my newsletter. That makes me the controller. I can choose to store these addresses on my computer; that makes me the processor. Alternatively, I can choose to store them in Mailchimp, which is a newsletter app, or perhaps in a document in Google Drive, which is the cloud. Now I have chosen an outside processor. As the controller, I am responsible for GDPR compliance for both me and my chosen processor.

New Security and Privacy Features

The full regulation is over 100 printed pages long. It includes your rights as a data subject as well as regulations around how collectors and processors are required to protect your data.

There are three main pillars:

1. Data Control – It is critical for companies to take account of the data they collect, process, and store. This is done through a Data Protection Impact Assessment and helps highlight what data is necessary and where safety precautions are required to take care of that data.

The user also has several rights that companies must abide by. Some of these include:

  • Right to be forgotten – This is the most talked about and least understood. It is the right for a user to retract their data from storage or processing, from any company at any time. When the Cambridge Analytica scandal broke with Facebook, people wanted to delete their accounts but the data was still out there. This ruling would have forced both Facebook and Cambridge Analytica to delete the data they had on any qualifying individual that requested it. This is NOT an opportunity to have unflattering articles or reviews removed. The rule allows for personal mentions if they fall under freedom of expression, public interest, public health, or research.
  • Right of access – As a data subject, this is the right to ask about the purpose for the collected data, the processors involved, and even if the data is being manipulated with artificial intelligence or machine learning. All these answers *should* be covered in the new consent request (see below).
  • Right of restriction of processing – You know those pesky ads that follow you from one website to another? That’s called direct marketing. The restriction of processing means a user can indicate specifically that they do not want their data used in direct marketing campaigns.

2. Consent – For all data collection, the data subject has to have the ability to both opt in AND withdraw consent. Collectors also have to present the information needed to support the right of access. I like to break these down as the 5 Ws:

  • WHO – Details of the recipients of the data including links to the controller
  • WHAT – List of the data being collected
  • WHY – Reason for the collection (under what Legal Basis it is required for operation)
  • WHEN – The duration for which the data will be retained
  • WHERE – Clear links provided so user knows where to go to withdraw requests

3. Incident Response and Reporting of Data Breaches – In terms of protection of data, this is a big one. In the past there was NO regulation that a company had to report a breach. Uber took 6 months to report their 2018 data breach. Now compliant companies have to report any breaches to the respective Data Protection Authority within 72 hours of becoming aware of them. If there is significant risk to the individual, then users also have to be notified.

For Businesses and Corporations

Any organization that “processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both” is required to designate a Data Protection Officer. That person is responsible for ensuring compliance with GDPR.

If a company is caught in non-compliance then they face a fine. Depending on the infraction, a tier 1 offence results in a fine of the higher of 2% of the company’s worldwide gross revenue or 10 million euros. A tier 2 offence is the higher of 4% of global revenue or 20 million euros. As an example, when Equifax was breached in 2017 they suffered no penalties. Had GDPR been in place they would have owed 67 million dollars in fines.

Every applicable company needs to run a DPIA, or Data Protection Impact Assessment, that includes an explanation of why they are collecting the data requested, an assessment of risks to the rights and freedoms of data subjects, and documented proposed measures for the safety and security of the collected data.

Loads of Links

For a full picture of what compliance looks like for GDPR, download my FREE GDPR overview page of all ten areas on which you need to focus.

After having gone through multiple sites, here are several you may find useful:

Actions for Businesses that Collect Data

Hands-on Help

After running some clients through FULL compliance, it became clear that though GDPR provides guidelines, it does not provide a full list of what you need to do to meet the regulation. I have developed my own Global Data Privacy Compliance Playbook that includes an in-depth checklist and dozens of templates, including the Data Protection Impact Assessment. If you are interested in using our templates or would like hands-on guidance, do not hesitate to reach out for more information or comment below.

---------------------------------------------------------------------------------------

Cat Coode is a data privacy expert and the founder of Binary Tattoo. Binary, for the language of all things digital. Tattoo, for the permanence of what goes online. Her mission is to help people safeguard their data and digital identities. Backed by two decades of experience in mobile development and software architecture, Cat helps corporations and individuals better understand cybersecurity and data privacy. Cat is also an engineer, speaker, consultant, author, and, above all else, a parent. Her motivation to help others was born out of her concern for her kids and the new generations growing up in an ever-changing digital landscape. Visit www.BinaryTattoo.com for more information.

Steven Robyn another good article for us
