Does your business operate within the European Union?
If that is the case, whether your headquarters are located in the EU or you are simply selling to EU citizens, your business is subject to the General Data Protection Regulation (or GDPR for short).
The regulation applies from 25 May 2018 in all EU countries and aims to strengthen and unify data protection for individuals within the European Union. Even though it is hard to see how it will be enforced in practice, the regulation also addresses the export of personal data outside the EU.
A primary objective of the GDPR is to give citizens back the control of their personal data.
According to the European Commission:
“personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
There are different classifications of personal data. Sensitive personal data includes health, genetic information, biometric information, sexual orientation, political alignment, religion, union memberships and ethnicity. The fundamental rule is that you shall not process such information, but a person may give their consent for you to do so if you have solid grounds.
The regulation applies if the data controller (organization that collects data from EU residents) or processor (organization that processes data on behalf of data controller, e.g. cloud service providers) or the data subject (person) is based in the EU.
All structured or "searchable" data is addressed by the regulation.
This means that any data you collect in your digital services, CRM systems, email marketing systems, client lists, customer support tools and so on is affected by the GDPR. It also includes any personal information sent to you via email.
But, it’s not only digital data that is affected. If, for example, you have a physical address book with an alphabetical index that contains clients, prospects and suppliers, that is data considered to be stored in a structured format, and that address book is subject to the GDPR.
Failure to adhere to the GDPR can result in severe penalties – up to €20 million or 4% of worldwide turnover, whichever is higher.
It is the responsibility and liability of your organization to implement and demonstrate compliance with the GDPR, even if data processing is carried out by another organization on your behalf.
You are required to state, in simple wording, what personal data you store, what it is used for and how long it remains stored. You also have to include contact information for the organization that is the data controller, and the data protection officer (where applicable).
People have the right to question and fight decisions that affect them and that have been made on a purely algorithmic basis. This includes individual decisions made by profiling a user over time.
A general recommendation is to store no more personal data than you absolutely need to conduct your service – especially if it’s considered to be sensitive data.
Article 25 states that data protection shall be designed into the development of business processes for products and services. This requires that default privacy settings are set at a high level, and that the data controller takes care to make sure that data processing routines comply with the regulation. Organizations should also implement mechanisms to ensure that personal data is only processed when necessary and for each specific purpose.
Pseudonymisation is a recommended strategy to reduce the risks to the data subjects concerned, and it also helps controllers meet their data protection obligations.
The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information.
If the personal data is pseudonymised with adequate measures, it is considered to be effectively anonymized.
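As an added illustration (not code from the original post), the following Python sketch shows what the definition above looks like in practice: a customer table has its direct identifier replaced by a keyed pseudonym, and the secret key is the "additional information" without which the data cannot be attributed to a person. The customer records, the field names and the key-handling functions are all constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (made-up values, not data from any real system).
CUSTOMERS = [
    {"id": 1, "email": "anna@example.com", "city": "Malmö", "orders": 3},
    {"id": 2, "email": "bertil@example.com", "city": "Lund", "orders": 1},
    {"id": 3, "email": "Anna@Example.com", "city": "Malmö", "orders": 2},
]

def new_pseudonymisation_key() -> bytes:
    """The 'additional information': a secret key that must be stored
    separately from the pseudonymised data and be strictly access-controlled."""
    return secrets.token_bytes(32)

def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256). Same identifier and key
    give the same output, so one person's records stay linkable for analysis,
    but without the key the value cannot be recomputed or reversed."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()

def pseudonymise(records, key: bytes):
    """Replace the direct identifier (email) with its pseudonym."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject"] = pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out

def attribute(pseudonymised, candidate_email: str, key: bytes):
    """Re-identification is only possible for the key holder: recompute the
    pseudonym for a known identifier and look it up in the table."""
    target = pseudonym(candidate_email, key)
    return [rec for rec in pseudonymised if rec["subject"] == target]

def unkeyed_hash(identifier: str) -> str:
    """Contrast: a plain hash needs no secret, so anyone who can guess the
    identifier can recompute it. It is not pseudonymisation in the GDPR sense."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()

if __name__ == "__main__":
    key = new_pseudonymisation_key()      # keep this out of the analytics store
    table = pseudonymise(CUSTOMERS, key)
    print(table)
    print(attribute(table, "anna@example.com", key))
```

Erasure requests for a pseudonymised store can be served by recomputing the pseudonym with the key and deleting the matching rows; destroying the key renders the remaining pseudonyms unattributable to anyone.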
The regulation does not concern the processing of information that is deemed anonymous, including for statistical or research purposes.
If you are to store personal data about an individual, you need to have explicit consent from that person or, in the case of a child, their parent or custodian.
For consent to be valid, you need to clearly state what data is collected and the purposes the data is used for. The consent for one use case does not equal consent for a different use case with the same data!
In other words, you cannot sneak vague, obscure or blanket consent into a large terms of service document. The consent must be asked for in clear, easily understandable language.
You also need to separate different use cases for data so the user can individually allow or refuse specific data usage. You may never restrict a user from accessing your service with an "all or nothing" agreement.
The general rule for consent is that it can be withdrawn at any time, as easily as it was given, and that a data controller must be able to prove consent was given.
A person whose data is stored in your system has the right to "be forgotten", meaning you must have systems in place to erase, without delay, all information you have regarding that person.
Even if a person does not demand erasure, you are required to erase data once it is no longer necessary, or when the person withdraws the consent that was the basis for your right to store the information.
Some exceptions exist where you might be allowed to continue to store the data for some time, e.g. to be able to prove that an applicant was not discriminated against during a job recruitment.
A person shall be able to transfer their personal data from one data controller to another via a commonly used and structured format. Put simply, they have the right to download all the data that you have about them and move it to another service.
There are many challenges involved in implementing the GDPR in practice.
If you have any questions about how GDPR affects your business, feel free to send me an email.
Do you need help auditing your software for compliance with GDPR? I can help!
Hi, I'm Christoffer Lejdborg! I believe software has tremendous potential to transform your business in amazing ways, but people are too focused on the technology instead of the business case.
I've worked with companies such as BDO, Grant Thornton, Nobina Technology, Run My Security and Whenever.
+46 70-218 17 24