Disclaimer: this article contains only some general information about GDPR. To make sure that your business is GDPR compliant, you should get professional assistance from a lawyer.
General Data Protection Regulation, better known by its abbreviated name GDPR (which has already grown to be an omnipresent buzzword), is a European Union law on data protection and privacy for individuals within the EU. It will update the existing Data Protection Directive enacted in 1995, long before widespread internet use; quite naturally, the way we share and store information has changed drastically since then.
The aim of GDPR is to give residents control over their personal data and unify the regulations within the whole Union. As GDPR states: “The protection of natural persons in relation to the processing of personal data is a fundamental right”. And indeed, it is.
Why do we need GDPR in the first place?
In the era of social media, we’re now used to granting permissions to anything in exchange for “free” services. Take Facebook, for example. When users sign up for Facebook, they need to agree to the Terms and Conditions. Not only are these comprehensible to hardly anyone but lawyers, but they can also vary from one website to another.
Google, Facebook, and other tech giants are given permission to collect, store, and process data. They collect not only users’ names and dates of birth; it goes far beyond that. Every action taken on any website is tracked and processed, helping them to create highly accurate profiles that include hobbies and interests, political preferences, and much more.
What is this information needed for? Well, advertising, obviously. If you’re better understood by the site, the ad will be better targeted as well. That, in turn, will give the advertiser better conversion: more people will buy whatever they’re trying to sell. But have you heard of the Cambridge Analytica scandal? The company, involved in, among other things, Donald Trump’s presidential campaign, improperly gained access to more than 50 million Facebook users’ profiles. The data they obtained may have been used to target potential voters.
All of this is about to change. GDPR gives companies guidelines and limitations, thus offering more clarity as to how they can operate, and the mindset must change from the now popular tick-box compliance to actual understanding and lawful data management.
Does GDPR apply to me?
GDPR applies to anyone who processes data of EU residents. Whether you’re an international company or a local business, you must comply with the regulations regarding the collection, storage, and usage of personal information.
There are, however, slightly different rules for small businesses: companies that have fewer than 250 employees will not be as rigorously bound by the regulations (for more details, you should get familiar with Article 30 of GDPR: https://gdpr-info.eu/art-30-gdpr/).
If a smaller business processes data frequently (and not just occasionally), or the processing is likely to pose some risks to the rights of the subjects, GDPR applies just like in the case of bigger companies.
What are the changes?
It is stated that “controllers” and “processors” of data are the ones who shall abide by GDPR. A controller is a party that decides in what ways and for what purpose the data is processed, while a processor is a party that does the actual data processing. It’s the controller’s responsibility to make sure all data is processed in the right way, but both the controller and the processor are subject to the regulations. With GDPR, in the case of a data breach, parties are more liable than they were under the Data Protection Act. Here are some GDPR takeaways:
The geographical scope is bigger. GDPR does not only apply to companies that are based in member countries; every company dealing with the data of EU residents will be subject to GDPR. That means it applies both to every EU-based company and to international companies that process the data of individuals in the EU.
The definition of “personal data” has been updated and expanded. GDPR identifies the kinds of data companies gather about people, including IP addresses and mobile device identity, which are also seen as personal data now. Any economic, health or cultural information will also be seen as personally identifiable. Apart from that, anything that was previously included in the Data Protection Act as personal data stays this way.
Data Protection Authorities will have the power to enforce severe penalties for data breaches. The biggest fine that can be imposed is 4% of annual global turnover or 20 million Euro (whichever is greater). That will be the penalty for the most serious infringements, such as not having sufficient customer consent for data processing.
Terms and conditions will have to change. Let’s say goodbye to pre-ticked boxes. Not only will the consent have to be explicit, but also the companies will be required to have their terms and conditions written in plain language. As the consent will now be an affirmative action (and not just a passive click, hopefully), the controller has to keep a record of when and how the user gave their consent. Also, the data you have to provide must be necessary for the given service and specified in the contract.
The age barrier for data collection is rising from 13 to 16.
If any data is not used for its original purpose (defined in the contract), it must be deleted. Any individual is granted the right to erasure, known also by its catchier name, “the right to be forgotten”. We now have the right to withdraw our consent at any time. What’s more, the process of revoking one’s consent mustn’t be complex: it must be easy for the individual to do so.
Data Protection Officer
Large data controllers will have to appoint Data Protection Officers (DPO). In the case of a data breach, the controller must notify regulators within 72 hours.
What are the rights of Data Subjects?
Data subjects, meaning the people whose data is processed, have the following rights:
- Transparency and modalities
- Information and access to personal data
- Rectification of data
- Restriction of processing
- Erasure of data
- Data portability
- Right to object to the processing of personal data
As you can imagine, GDPR’s provisions will affect various industries, but the areas we want to focus on most are marketing and web apps.
It’s clear that a lot will change for marketers now, as GDPR completely changes the way we think about handling data. The data collected has to be relevant to the purpose of that collection, so if you’re organizing a contest, this is the only purpose you can use this data for. When you create another purpose to use that information, you must acquire consent for that as well. And remember that consent must be given and not just assumed.
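One way a web app could keep the consent record the paragraphs above call for (an added example, not code from this article): every consent and withdrawal is stored per purpose with when and how it happened, passive methods such as a pre-ticked box are rejected, and consent for one purpose (a contest) never carries over to another (a newsletter). The class and method names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Consent methods that are not an affirmative action and therefore never count.
PASSIVE_METHODS = {"pre-ticked-box", "implied-by-use", "silence"}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str        # the single purpose the data may be used for, e.g. "contest"
    given: bool         # True = consent given, False = consent withdrawn
    method: str         # how it happened, e.g. "signup-form-checkbox"
    at: datetime        # when it happened (UTC)


class ConsentLedger:
    """Append-only, per-user, per-purpose consent record (hypothetical design)."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def _append(self, user_id: str, purpose: str, given: bool, method: str,
                at: Optional[datetime]) -> ConsentEvent:
        event = ConsentEvent(purpose, given, method, at or datetime.now(timezone.utc))
        self._events.setdefault(user_id, []).append(event)
        return event

    def give(self, user_id: str, purpose: str, method: str,
             at: Optional[datetime] = None) -> ConsentEvent:
        # Consent must be an affirmative action; a pre-ticked box is not one.
        if method in PASSIVE_METHODS:
            raise ValueError(f"{method!r} is not an affirmative consent action")
        return self._append(user_id, purpose, True, method, at)

    def withdraw(self, user_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is always accepted; it must be as easy as giving consent.
        return self._append(user_id, purpose, False, "self-service-withdrawal", at)

    def may_process(self, user_id: str, purpose: str) -> bool:
        # The latest event for exactly this purpose decides. No record means no
        # consent: consent for "contest" never extends to "newsletter".
        events = self.history(user_id, purpose)
        return bool(events) and events[-1].given

    def history(self, user_id: str, purpose: str) -> List[ConsentEvent]:
        # The when-and-how record the controller has to be able to produce.
        return [e for e in self._events.get(user_id, []) if e.purpose == purpose]
```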
Now, with web apps, this may all get a little tricky. Does your app need all the data that is required when a new user signs up? Do you encrypt it? Have you thought about OAuth? Is HTTPS needed when there’s just a contact form on your website? Do sessions and cookies expire and get destroyed after logout? And are you sure that your terms and conditions are comprehensible? There are so many questions. We know that some app developers will struggle with GDPR, and we’re dedicating our next article to GDPR for web apps. Keep up to date with our posts to learn more.
The new regulations may seem confusing at first. After all, it’s not a one-time action that will keep us safe forever; it’s an ongoing process, and companies have to pay the utmost attention to how they deal with the personal data of all their employees, suppliers, and customers. Step by step, all of us will get accustomed to the new rules.