9 Things to Know When Using the GDPR to Your Advantage
By Koen Van Impe | March 11, 2016
In December 2015, the European Parliament and Council reached an agreement on the General Data Protection Regulation (GDPR) proposed by the Commission. The reform modernizes the principles of the 1995 Data Protection Directive and applies to personal data (cookies, user IDs, device identifiers) of individuals that is processed by a controller or processor. Individuals benefit because the regulation strengthens their control over how their personal data is processed, and the same rules apply regardless of where the data is stored. Companies benefit as well, because they face fewer conflicting obligations.
Regulation and Directives
A regulation is directly applicable in all EU member states with no need for national implementation. Directives, however, need to be transposed into national law, which takes more time and is subject to local interpretation. This regulation is expected to take effect in early 2016, at which point companies have two years to comply before incurring major administrative fines.
Are You Affected?
Yes — that is, if you do business with European residents. GDPR applies to everyone, in and outside the EU, actively processing personal data about EU residents. In other words, this includes any organization with a service specifically tuned for EU residents (e.g. tracking their Internet use or accepting EU currency).
Rethink Sign-Up Procedures
What should you do? Better question: What do you need to do? You are required to obtain more explicit and clear consent. For instance, a user failing to un-tick a pre-ticked box would not be considered explicit consent. This will influence how sign-up procedures and configuration settings are designed.
Individuals can object to the use of their personal data for profiling, especially for the purposes of direct marketing. Tracking users across different systems requires you to obtain clear and unambiguous consent and to describe every step: where, how and what data is stored.
The Right to Be Forgotten
If you have made personal data public, you need to inform others using this data when its owner has requested its erasure. For this reason, it is critical to design your system so that users can review their data, request rectification or withdraw consent given earlier.
An individual whose personal data is held by one service provider should be able to port this data to another service provider. The easiest way to do this? Probably to adopt commonly used (open) standards and make your services accessible via a well-designed API — one that may even allow downloads in a common format, like XML.
Redesign Systems With Privacy and Encryption by Design
There is a new concept of pseudonymization: a privacy-enhancing technique ensuring non-attribution. This means the data needed for attribution (such as the data used for logging into the system) is not stored together with transaction data (the actual actions performed by your users). The regulation requires you to report data breaches within 72 hours of discovery if the affected data has not been strongly encrypted.
Keep in mind that the report should include the nature of the breach, the contact point for the DPO (data protection officer) and the measures taken to mitigate the effects of the breach. Encryption of data (in storage and in transit) and privacy by design go hand in hand when (re)designing systems. Whether everything has been properly implemented can be verified through auditing processes. If you do suffer a breach, having the personal data pseudonymized greatly reduces the risk of harm to the data subjects.
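As an added illustration (not code from the original article), the following Python sketch shows the separation described above: identifying data lives in a small vault, transaction records carry only a random pseudonym, and erasing the vault entry implements the right to be forgotten by making existing transactions non-attributable. The class name, the e-mail field and the sample actions are assumptions for the example.

```python
import secrets


class PseudonymizedStore:
    """Keeps identifying data in a vault separate from transaction data.

    Transaction records carry only a random pseudonym, so a breach of the
    transaction store alone does not reveal who performed which action.
    (Hypothetical example class; the vault would be encrypted and
    access-controlled in a real deployment.)
    """

    def __init__(self):
        self._vault = {}         # pseudonym -> identifying data (e.g. email)
        self._by_email = {}      # email -> pseudonym, for subject lookups
        self._transactions = []  # {"subject": pseudonym, "action": ...}

    def register(self, email):
        # Random pseudonym: not derived from the identity, so it cannot be
        # reversed or guessed without access to the vault.
        pseudonym = secrets.token_hex(16)
        self._vault[pseudonym] = {"email": email}
        self._by_email[email] = pseudonym
        return pseudonym

    def record(self, pseudonym, action):
        if pseudonym not in self._vault:
            raise KeyError("unknown or erased pseudonym")
        self._transactions.append({"subject": pseudonym, "action": action})

    def export(self, email):
        """Right of access / portability: every action of one data subject."""
        pseudonym = self._by_email[email]
        return [t["action"] for t in self._transactions
                if t["subject"] == pseudonym]

    def erase(self, email):
        """Right to erasure: drop the link; transactions become unattributable."""
        pseudonym = self._by_email.pop(email)
        del self._vault[pseudonym]
        return pseudonym

    def is_attributable(self, pseudonym):
        return pseudonym in self._vault

    def transaction_count(self):
        return len(self._transactions)
```

Note that erasure here removes only the link between identity and actions; whether the remaining records may be kept, and for how long, is a separate retention decision.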
All member states will have the same single set of rules. Businesses with multiple establishments will have to designate one central location – i.e. a headquarters – and the supervisory authority of that country will then act as the lead authority for processing that crosses national borders (the one-stop shop principle).
Data Transfers Outside the EU
Because of this one-stop shop principle, and the stronger rights of individuals over how their personal data is processed, many organizations will consider using frameworks for data transfers outside the EU. The Safe Harbor Privacy Principles — which enabled U.S. companies to comply with EU rules — were declared invalid in 2015. In early February the EU Commission approved a political agreement on the new EU-US Privacy Shield. Unfortunately, the practical details are still unclear. As it stands now, the agreement will include options for EU residents who feel their data has been misused.