GDPR: Basics, Principles, and Tips for Compliance
You have probably heard about the General Data Protection Regulation (GDPR), a new European privacy law that everyone is concerned about. We already have an introductory article on this topic. So this time we are going more in detail and will focus on both–general aspects that are relevant to all businesses, as well as some specific issues that will be especially helpful to you if you have a website or plan to develop any digital product.
We tried to keep it as simple for you as possible. So let’s start with the very basics and then gradually progress to more in-depth information.
What is the GDPR and who needs to comply with it
The GDPR is the EU data protection and privacy law that came into force on May 25, 2018. It regulates the processing of personal data that relates to the residents of the European Union. Such residents are usually referred to as data subjects.
Unlike the previous rule (i.e. Data Protection Directive 95/46/EC here link), the GDPR applies not only to the businesses that process personal data using the equipment based in EU member states but also to businesses that do not have any establishment there but process personal data of European customers. This, basically, means that if the companies fail to comply with the rules, they may be fined regardless of their location. And that’s how your business might be affected by the changes even if it’s not in the EU.
Personal data and its processing
So what does “processing of personal data” actually mean? To get started, let’s see what the law says.
According to the GDPR, personal data means “any information relating to an identified or identifiable natural person”. At the same time, an identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
As you may see, the definition is quite broad and it literally covers every piece of data that is clearly about a particular person, including cookies, IP addresses and demographic details used to define an audience. You may wonder why is it so since it’s definitely impossible to identify a specific person by such information.
The answer is hidden in a context. If the pieces of information collected together allow to reduce the number of possible people to the extent when you can reasonably assume someone’s identity, the GDPR rules come into action. Also, it’s worth emphasizing that the identification by its essence is not narrowed down to the determination of an individual’s name. So if you don’t know the name, it doesn’t mean that the data you collect is not covered by the GDPR.
Speaking about “processing”, as with the “personal data”, it has a broad meaning under the GDPR. Specifically, it includes anything you can do with personal data–from collection and recording to storage and alteration and to erasure and destruction.
Hence, if your company does any possible actions with the information that either identifies individuals from the EU or can be used to identify such individuals, you should ensure the compliance with this new data protection regime. Let’s talk about this in more details.
How to properly handle personal data
In general, a new privacy regime gives individuals more control over their personal data. The GDPR has many technical requirements and rules specifying what exactly should be done to enable data subjects to execute such control. But all of them are based on the following main principles which pretty much cover the whole security checklist most CTOs have:
- Lawfulness, fairness and transparency. A company must have a lawful basis to process personal data (e.g. consent of data subject, contract, vital interest etc.). Also, it should process the data fairly meaning that it must be processed in the way as it’s described in the privacy policies. And, finally, individuals should know what and how their personal data is processed.
- Purpose limitations. Companies cannot use personal data for any other purpose than the purpose it was collected for.
- Data minimization. Only the minimum sufficient amount of data required for a specific purpose should be processed by a company.
- Accuracy. Companies should ensure that the processed data is accurate and up to date.
- Storage limitations. The data should be processed for no longer than it’s required for a determined purpose.
- Integrity and confidentiality. Companies should implement appropriate security measures and ensure the protection of personal data against unlawful processing, accidental loss, destruction or damage.
The cyber security requirements also include privacy by design approach which is the subject of our next section.
Privacy by design and how to achieve it
Privacy by design means that the individual’s privacy should be embedded in the design of a product, i.e. taken into account before the engineering process even begins. For this reason, any company that develops a digital product to serve European customers must have appropriate policies and procedures ensuring data protection standards from the beginning of a software development process.
As the responsibility in most cases lies with a company that orders the development services, if you plan to create any digital product, you are obliged to make sure that your development team knows how to comply with the GDPR in terms of both–project management and coding.
Specifically, the developers must know what legal and policy requirements the product they work on should meet. In addition, there should be Privacy Impact Assessment in place, a document that outlines the main aspects of data protection within the development process (e.g. what personal data is collected, how it is encrypted, who has an access to the data etc.).
The coding process is also impacted. In particular, the unnecessary data collection or loss must be avoided, developers should work with the approved standards and methodologies and unsafe modules have to be disabled. Speaking about design, it should be built with the assumption that only a minimum amount of personal data is collected and different pieces of such data are not linked with other information stored in the same location.
All web development projects GBKSOFT delivers to its clients are compliant with the GDPR. If you need reliable software engineers to build your new web or mobile app, our team is ready to help.
How to make your website GDPR-compliant
- Review your contact forms. Such contact forms should not ask for any information besides the information you absolutely need for providing the services. The compulsory element is a check-box for users to express their consent with the terms and conditions. It’s essential that all the checkboxes are unticked, so users themselves can make a choice. If you want, you may also add some explanations of why you need particular data (e.g. “we need your phone number to have an opportunity to contact you”).
- Make sure that users agreed to receive newsletters from you. As a website owner, you should not send any marketing materials to users who did not explicitly agree to receive them (e.g. by leaving their email addresses). Besides that, there you be an option to unsubscribe.
- Let the users be forgotten. One of the most important individual’s rights under the GDPR is the right to be forgotten. This means that users can request to remove their data from a website and as a website owner you should ensure that there is the relevant procedure in place.
The GDPR might seem scary to CTOs and other companies’ management at first sight, but this law is indeed an important milestone in the regulation of personal data protection. Information is a weapon and the GDPR prevents anyone from using this weapon against us. If you haven’t started the GDPR transformation of your business yet, it may take you a lot of efforts to establish all necessary processes, but it will pay off in the global perspective.