This includes infringements relating to:
- Integrating data protection 'by design and by default'
- Records of processing activities
- Cooperation with the supervisory authority
- Security of processing data
- Notification of a personal data breach to the supervisory authority
- Communication of a personal data breach to the data subject
- Data Protection Impact Assessment
- Prior consultation
- Designation, position or tasks of the Data Protection Officer
- Certification
The higher level of fine, up to €20 million or 4% of the company's global annual turnover, applies to the infringements listed in Article 83(5) of the General Data Protection Regulation.
This includes infringements relating to:
- The basic principles for processing, including the conditions for consent, the lawfulness of processing and the processing of special categories of personal data
- Rights of the data subject
- Transfer of personal data to a recipient in a third country or an international organisation
Introduction to GDPR
The implementation of the General Data Protection Regulation, or GDPR, opens a new chapter in data protection and privacy. GDPR is a European Union regulation that governs data protection and security for all individuals within the EU. The regulation also governs the transfer of personal data outside the EU. Although it was adopted back in 2016, it becomes enforceable only now, starting from 25th May 2018. Being a regulation rather than a directive, GDPR is directly applicable and binding.
The regulation defines a new, common and strict standard for managing and using the personal data of all EU citizens. Not just European companies but also non-European businesses are required to adhere to GDPR when processing and handling the data of EU citizens. Non-compliance can cost businesses severe monetary penalties.
Therefore, it is important for any business that deals with European customers to upgrade its systems and working methodology to comply with GDPR.
Pros and Cons of GDPR
Pros:
- Presents a common data protection standard that can be followed for users across the whole of Europe.
- Promotes the use of best practices when it comes to protecting customers' personal data.
- Enhances the security standards of the systems currently used in an organization.
Cons:
- There is some lack of clarity about how to implement it.
- It is a burden for the organization to upgrade most of its systems.
- It still doesn't resolve all the issues related to data security.
Who Does GDPR Concern?
Anyone in a company who deals with user data in any capacity needs to know about GDPR, since there may be GDPR-related upgrades to their company's systems.
GDPR Principles
- Purpose limitation
- Accuracy
- Integrity
- Confidentiality
- Storage restriction
- Lawfulness
- Data minimization
Personal data should be processed only with the user's consent, as part of the execution of a contract, as a legal requirement, due to a legitimate interest of the data processor, or for a combination of these reasons.
GDPR Functionalities
Right to Erasure ("Forget Me")
This refers to deleting all of a user's data and anonymizing the user. Developers can create a method that accepts a user id as input and then deletes all the data corresponding to that user id. If deleting all the data leads to a foreign key violation, there are two options: cascade-delete all the related data too, or allow nullable foreign keys and set them to NULL. This strategy works for most standard data models. In an event-sourcing data model, delete the past event and reproduce the intermediary snapshots. In a blockchain model, avoid putting any personal data on the chain at all to begin with. The bottom line is that regardless of the data model you're using, you should have a function that deletes the user's personal data.
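The relational case above, as an added example that is not code from the article: a constructed SQLite schema in which one dependent table cascades away with the user and the other keeps its rows but nulls the foreign key, so a single DELETE on users is the whole erasure.

```python
import sqlite3

# Constructed schema for this example (not the article's): orders depend on the
# user and cascade away with them; reviews survive, but the nullable foreign key
# is set to NULL so the text is no longer tied to a person.
SCHEMA = """
CREATE TABLE users (
    id        INTEGER PRIMARY KEY,
    email     TEXT NOT NULL,
    full_name TEXT NOT NULL
);
CREATE TABLE orders (
    id           INTEGER PRIMARY KEY,
    user_id      INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    amount_cents INTEGER NOT NULL
);
CREATE TABLE reviews (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id) ON DELETE SET NULL,
    body    TEXT NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite ignores ON DELETE actions unless enforcement is switched on per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def seed(conn):
    # Constructed sample data: one user with an order and a review.
    with conn:
        conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'Alice A')")
        conn.execute("INSERT INTO orders VALUES (10, 1, 4999)")
        conn.execute("INSERT INTO reviews VALUES (20, 1, 'Fast delivery')")

def forget_user(conn, user_id):
    """Right to erasure: one DELETE on users; the foreign key rules do the rest.
    Returns 1 if a user was erased, 0 if no such user existed."""
    with conn:
        return conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount

def footprint(conn, user_id):
    """Rows still referencing user_id per table; all zero means fully erased."""
    queries = {"users": "SELECT COUNT(*) FROM users WHERE id = ?",
               "orders": "SELECT COUNT(*) FROM orders WHERE user_id = ?",
               "reviews": "SELECT COUNT(*) FROM reviews WHERE user_id = ?"}
    return {t: conn.execute(q, (user_id,)).fetchone()[0] for t, q in queries.items()}
```

Checking the footprint after the call is the cheap way to catch a table that was added later without either foreign key action.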
Informing 3rd Parties of Data Erasure
If you have sent user data to any 3rd party, it's your responsibility to notify them about the deletion as well. If the 3rd party offers an API for deleting user data, call it for this purpose. Apart from this, you also need to ensure that the data no longer appears in search results: once a page containing the personal data has been removed, make it return an HTTP 404 status so that search engines stop indexing it.
Restrict Data Processing
Mark the user's data profile as restricted. You can do so from the admin panel, if it has an option to restrict processing. The idea is to prevent the data from being accessed or processed by any irrelevant personnel or publicly. To implement it, you can also add a "restricted" flag to the users table and use if-clauses to enforce the condition wherever the data is accessed.
Data Export
The export functionality should deliver all the user data you hold to the user concerned. The specifics depend on the context and use case; at the very least, it is the data that comes under the purview of "Forget Me". To determine the structure of the dump, use schema.org definitions for either XML or JSON. An XLS or CSV export works easily for simple data. For more time-consuming exports, a background process can do the work and notify the user when the export is done. An automated export is a good idea. Make sure that users have a way to request to see their data.
Allow Editing By Users
Users should be able to edit all the data about them that is in your possession, including data gathered through indirect sources. Give users a user interface through which they can perform all the edits, which should then be reflected in the users table. A manual request-and-support process can be inconvenient for users.
Checkboxes for Consent
The typical "I accept the terms and conditions" checkbox will no longer suffice for obtaining user consent to access their data. There now needs to be a separate checkbox for each processing purpose for which the user data is required. These should be presented at the time of user registration. Checkboxes should not be pre-selected. Their values should be stored in separate columns in the database. Users should be able to uncheck these boxes and withdraw their consent at any time. If you plan to use user data for AI or machine learning, get consent for that purpose too.
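One way to wire the per-purpose consent columns together with the "restricted" flag from Restrict Data Processing above, as an added example (not code from the article): a constructed SQLite users table where registration pre-selects nothing, a gate that is checked before any processing, and an access log that records the decision with the user id only. The purpose names are assumed for the example.

```python
import sqlite3

# One consent column per purpose, unchecked by default (purposes are constructed here).
PURPOSES = ("newsletter", "ml_training")

SCHEMA = """
CREATE TABLE users (
    id                  INTEGER PRIMARY KEY,
    email               TEXT NOT NULL,
    restricted          INTEGER NOT NULL DEFAULT 0,
    consent_newsletter  INTEGER NOT NULL DEFAULT 0,
    consent_ml_training INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE access_log (ts TEXT, user_id INTEGER, purpose TEXT, allowed INTEGER);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register(conn, email):
    # Registration stores no consent at all: nothing is pre-selected.
    with conn:
        return conn.execute("INSERT INTO users (email) VALUES (?)", (email,)).lastrowid

def _column(purpose):
    # Allow-list check so the purpose can safely be spliced in as a column name.
    if purpose not in PURPOSES:
        raise ValueError(f"unknown processing purpose: {purpose}")
    return f"consent_{purpose}"

def set_consent(conn, user_id, purpose, given):
    # Tick or untick one purpose; withdrawing consent is the same call with given=False.
    with conn:
        conn.execute(f"UPDATE users SET {_column(purpose)} = ? WHERE id = ?", (int(given), user_id))

def set_restricted(conn, user_id, restricted):
    with conn:
        conn.execute("UPDATE users SET restricted = ? WHERE id = ?", (int(restricted), user_id))

def may_process(conn, user_id, purpose):
    # Gate before any use of personal data; logs the decision with the user id only.
    row = conn.execute(f"SELECT restricted, {_column(purpose)} FROM users WHERE id = ?", (user_id,)).fetchone()
    allowed = row is not None and row[0] == 0 and row[1] == 1
    with conn:
        conn.execute("INSERT INTO access_log VALUES (datetime('now'), ?, ?, ?)",
                     (user_id, purpose, int(allowed)))
    return allowed
```

An unknown purpose raises before anything is logged, so a typo in calling code cannot silently pass as a consented purpose.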
Re-requesting User Consent
Re-obtain consent from users if the consent originally obtained is not clear. Send an email to all users, asking them to visit their user profile and verify each checkbox there, one for each data processing activity.
"View All My Data"
Don't just allow users to export all their data in JSON or XML format; also allow them to see all their data via the normal user interface. You should even allow unregistered users to check whether any data is stored about them. Implementing a "check by email" feature, which looks up whether you hold any data pertaining to a particular email address, is the minimum you should do. It is important that you inform users of all the purposes for which their data is being processed. To accomplish this, you can simply display the records from your register of data processing activities.
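The export from the Data Export section and the "check by email" lookup described here, as an added example that is not code from the article: a constructed SQLite schema, a dump shaped as a schema.org Person with PostalAddress entries (the surrounding "person" and "processingRegister" keys are an assumption of this example, not schema.org terms), and the register of processing activities included so the user sees why the data is processed.

```python
import sqlite3

# Constructed schema for this example (not the article's): personal data in two
# tables, plus the register of processing activities the user should also see.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, full_name TEXT NOT NULL);
CREATE TABLE addresses (
    id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id),
    street TEXT NOT NULL, locality TEXT NOT NULL, country TEXT NOT NULL
);
CREATE TABLE processing_register (purpose TEXT NOT NULL, legal_basis TEXT NOT NULL);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def seed(conn):
    # Constructed sample data.
    with conn:
        conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'Alice A')")
        conn.execute("INSERT INTO addresses VALUES (1, 1, '1 Main St', 'Dublin', 'IE')")
        conn.executemany("INSERT INTO processing_register VALUES (?, ?)",
                         [("order fulfilment", "contract"), ("newsletter", "consent")])

def export_user(conn, user_id):
    """Everything held about a user as a schema.org Person (JSON-LD), plus the
    processing register so the user also sees why it is processed. None if unknown id."""
    person = conn.execute("SELECT email, full_name FROM users WHERE id = ?", (user_id,)).fetchone()
    if person is None:
        return None
    addresses = conn.execute("SELECT street, locality, country FROM addresses WHERE user_id = ?",
                             (user_id,)).fetchall()
    return {
        "person": {
            "@context": "https://schema.org", "@type": "Person",
            "email": person[0], "name": person[1],
            "address": [{"@type": "PostalAddress", "streetAddress": s,
                         "addressLocality": l, "addressCountry": c} for s, l, c in addresses],
        },
        "processingRegister": [{"purpose": p, "legalBasis": b} for p, b in conn.execute(
            "SELECT purpose, legal_basis FROM processing_register ORDER BY rowid")],
    }

def check_by_email(conn, email):
    # "Check by email" for visitors without an account: True if any data is held.
    row = conn.execute("SELECT 1 FROM users WHERE lower(email) = lower(?)", (email,)).fetchone()
    return row is not None
```

Serialising the returned dict with json.dumps gives the downloadable JSON; the same dict can feed the in-app "view all my data" page.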
Age Constraints
Ask the user for their age, and any user below 16 years of age should provide proof of parental permission. You can work out a sequence of steps in which the child user provides the parent's contact details, which you then use to seek confirmation of parental permission. It's possible that the user offers false parent contact details or a false birth date, but at least you will have done what the regulation demands of you.
Restricting Data Retention to Only Until Necessary
When you've collected data for a particular purpose, you're required to delete or anonymize the data once that purpose is fulfilled. Have a scheduled cron job or background job that deletes or anonymizes the data when the relevant conditions are met. You can also include a separate field in the database that holds the date until which the data may be stored and after which it must be deleted.
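The retention deadline field and the scheduled purge job, as an added example that is not code from the article: a constructed SQLite schema where every row carries a retain_until date, one table whose rows are deleted and one whose rows are anonymized but kept for statistics. The retention periods are assumptions of the example.

```python
import sqlite3
from datetime import date, timedelta

# Constructed schema for this example: every row carries the date after which its
# personal data must be gone. Signups are deleted; tickets are kept but anonymized.
SCHEMA = """
CREATE TABLE newsletter_signups (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, retain_until TEXT NOT NULL
);
CREATE TABLE support_tickets (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, message TEXT NOT NULL,
    retain_until TEXT NOT NULL, anonymized INTEGER NOT NULL DEFAULT 0
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _deadline(today, retention_days):
    # today is an ISO date string (e.g. date.today().isoformat()); ISO dates compare
    # correctly as strings, so the purge job can use a plain '<'.
    return (date.fromisoformat(today) + timedelta(days=retention_days)).isoformat()

def record_signup(conn, email, today, retention_days=30):
    with conn:
        return conn.execute("INSERT INTO newsletter_signups (email, retain_until) VALUES (?, ?)",
                            (email, _deadline(today, retention_days))).lastrowid

def record_ticket(conn, email, message, today, retention_days=90):
    with conn:
        return conn.execute(
            "INSERT INTO support_tickets (email, message, retain_until) VALUES (?, ?, ?)",
            (email, message, _deadline(today, retention_days))).lastrowid

def purge_expired(conn, today):
    # The scheduled job (run daily from cron). Idempotent: already purged rows are not recounted.
    with conn:
        deleted = conn.execute(
            "DELETE FROM newsletter_signups WHERE retain_until < ?", (today,)).rowcount
        anonymized = conn.execute(
            "UPDATE support_tickets SET email = 'anonymized', message = '', anonymized = 1 "
            "WHERE anonymized = 0 AND retain_until < ?", (today,)).rowcount
    return {"newsletter_signups": deleted, "support_tickets": anonymized}

def ticket(conn, ticket_id):
    return conn.execute("SELECT email, message, anonymized FROM support_tickets WHERE id = ?",
                        (ticket_id,)).fetchone()
```

The counts the job returns are worth logging, since a day on which nothing is purged from a busy table usually means the job or the deadline column has broken.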
Cookies
Cookies are subject to another regulation, the ePrivacy Directive, which is soon to become the ePrivacy Regulation. It sheds some light on the issues of traffic data, tracking cookies and direct marketing.
Do's and Don'ts
Do's
- Encrypt data in transit, at rest and in backups.
- Protect data integrity.
- Use pseudonymization.
- Maintain your GDPR records of data processing activities using something more advanced than Excel.
- Register all API consumers.
- Log all access to user personal data.
- Notify the data protection regulator, the data controller (if you are a data processor) and the affected users of any data breach.
Don'ts
- Don't dump users' personal data on public servers.
- Don't assume that being an ISO-certified organization makes you GDPR compliant.
- Don't use data for any purpose other than what the user consented to.
- Don't ask for unneeded fields at user registration.
- Don't log users' personal data; log only the user ID.
- Don't presume that 3rd parties comply with the regulation.
Conclusion
It can take 2 to 3 rounds to implement most of the changes required by GDPR. For anyone handling users' personal data, it will now be even more crucial to gain a better understanding of how to protect that data.