The General Data Protection Regulation (GDPR) was adopted by all European Union member states in April of 2016 and comes into effect May 25, 2018. The regulation will apply not only to companies operating in the European Union, but also to companies that acquire, process, or store data on European nationals, regardless of their place of business. It applies regardless of where the information is acquired or stored and may impose considerable penalties on businesses that are found to be non-compliant.
Here at Ballistiq, we design web products from a user-centric perspective. When we view matters of privacy from a user-centric perspective, a lot of the requirements of GDPR and other legislation like it become easier to understand. Are you ready for GDPR? Here’s an outline of some things you should consider:
First, examine your user experiences to look for places where you might collect or acquire personal data that might be subject to regulation. GDPR includes restrictions on basic individual identifiers (e.g. name, address, ID numbers such as a social insurance number or healthcare identifier, email address, etc.). GDPR also includes restrictions on location data; in particular, if you capture basic individual identifiers (like an email address) together with an IP address of your users, the IP address will be considered personal data and is subject to the requirements for handling and security outlined by the GDPR. Like many privacy regulations, GDPR also defines a sensitive data category; these are data that must be handled more carefully and with stronger security than basic individual identifiers. Under GDPR, examples of sensitive data include race, gender, sexual orientation, health data of any kind, political opinions, and economic status or trade-union membership. Be honest with yourself, and ask yourself two questions:
- Do we need this data?
- Will users want to share this data with us?
If the answer is that you don’t need the data, stop collecting it before May 25, 2018.
If you determine that you need the data and that users will share the data with you, then you need to consider your obligations under the GDPR and other applicable legislation worldwide.
Once you have received the personal data, there are other important responsibilities. Personal data should only be made available to individuals within your business who need to know the information. This means you need to have access controls in place governing who can view the data you collect. You must only store data for as long as you need it. This means that at some point you may need to get rid of data on individuals you haven’t interacted with for some time. Remember the purpose you collected the data for; that will give you an idea of which interactions matter with respect to how long you can keep the data. Consider how you handle stored data. In particular, look at how readable the data is, and when, how, and whether the information can be or is disclosed.
If you collect data on minors, be sure to seek legal assistance on any additional responsibilities that might apply to you. Similarly, if you use personal data to profile your users for the purposes of marketing or other business activities, you should get some additional guidance on restrictions under the GDPR that may apply to you.
Under the GDPR and some other legislation worldwide (e.g. Canada), individuals have the right to request access to view and make changes to the personal data you have collected from them. Again, reviewing your user experience is a good place to assess the compatibility of this need with your system. Can you give your user access to view their data or edit their data easily? If not, be prepared to create an export of an individual’s data that can be shared with them. Make sure you can do this within 30 days of receiving their request to do so. Think about how users will request this access. Note that if you collect data electronically, a user must be able to make a request to access and change their data electronically as well.
Under the GDPR, individuals also have the “right to be forgotten”. This means an individual can contact you to request deletion of their personal data from your system, and in principle, after such deletion, your system must appear as if that person never existed. This may not mean you have to delete everything, but where data are retained they must be completely unidentifiable as relating to the individual. The deletion of personal data must be comprehensive, including backups. Considering your user experience: is there an easy place for a user to trigger deletion of their data (e.g. closing their account)? If not, be prepared to take action on a request for deletion within 30 days. Consider shortening backup windows longer than 30 days to 30 days or less to ensure that you can comply with requirements to forget personal data in their entirety.
Note that if you disclose users’ personal data to a third party or parties, you will also be responsible for notifying the third party (or parties) of the need to delete the personal data if you receive a request to be forgotten.
Only use the data you collect for the purpose for which consent was provided. If you change your mind about what you want the data for, or you add business services, be sure to seek the appropriate additional consent and retain proof of this.
This is a difficult area of GDPR. The regulations only indicate that “reasonable measures” must be taken. You should ensure you have consulted with your software team and your legal counsel as to what choices you might make and the risks and benefits of these choices. However, there are some general considerations that may be helpful in this regard.
Data must flow through a system that maintains its confidentiality and integrity at all times. Examine how data flows through your system and the points at which it might be exposed. Consider how you can minimize these risks or exposures. During data collection, are you using secure socket layer (SSL/TLS) encryption (HTTPS)? This service can sometimes be added for free as part of your server hosting arrangements, and if not, purchasing a certificate can be done relatively easily and at reasonable cost. When data flows between servers in your cloud environment, how is it protected? In your data store, how readable are the data? Can some data be encrypted? If the data can’t be encrypted, could other measures be taken to reduce the ability of the data to be used to identify someone? For example, separating key identifiers like name and birthdate from other information such as gender or income could allow gender and income to be stored without encryption. Using what’s called a pseudonym, a random token that stands in for the identifiers, you link the data back together only when needed and only when it is being viewed by someone with the right authorization. Also, from the organizational perspective, consider who has access to the personal data and what measures are used to safeguard that access (e.g. two-factor authentication).
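The pseudonymization approach above, and the “unidentifiable after deletion” requirement of the right to be forgotten, as an added illustration (example code, not Ballistiq’s or any product’s own): identifiers live only in a separate vault keyed by a random pseudonym, the attribute table carries the pseudonym plus non-identifying fields, re-linking requires authorization, and forgetting a person deletes the vault entry so the remaining attribute row can no longer be attributed to anyone. The two in-memory dicts stand in for what would be an encrypted, access-controlled identifier store and an ordinary attribute table.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PseudonymisedStore:
    # vault: pseudonym -> identifying fields (name, birthdate). In production this
    # store is encrypted and its access tightly restricted.
    vault: dict = field(default_factory=dict)
    # attributes: pseudonym -> non-identifying fields (gender, income) that may be
    # stored in the clear because, on their own, they do not identify a person.
    attributes: dict = field(default_factory=dict)

    def add_record(self, name, birthdate, gender, income):
        # The pseudonym is a random, unguessable token. It is deliberately NOT a
        # hash of the identifiers, which could be recomputed to re-identify someone.
        token = secrets.token_urlsafe(16)
        self.vault[token] = {"name": name, "birthdate": birthdate}
        self.attributes[token] = {"gender": gender, "income": income}
        return token

    def view(self, token, authorised):
        # Everyone with access to the attribute table sees the non-identifying data;
        # only an authorised viewer gets the vault fields joined back in.
        record = dict(self.attributes[token])
        if authorised and token in self.vault:
            record.update(self.vault[token])
        return record

    def is_identifiable(self, token):
        return token in self.vault

    def forget(self, token):
        # Right to be forgotten: remove the identifiers. The attribute row survives
        # but can no longer be linked to a person. Returns True if someone was forgotten.
        return self.vault.pop(token, None) is not None


if __name__ == "__main__":
    store = PseudonymisedStore()
    t = store.add_record("Jane Example", "1980-01-01", "female", 52000)  # constructed sample
    print(store.view(t, authorised=False))  # only gender and income
    print(store.view(t, authorised=True))   # identifiers joined back in
    store.forget(t)
    print(store.view(t, authorised=True))   # identifiers gone, attributes remain
```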
Ensure you have a Service Level Agreement (SLA) in place with your hosting provider and that your hosting provider has the appropriate authorization to store European data. Create organizational policies and procedures that ensure personal data are kept confidential by the staff who have access to such data, and so that your staff know how to handle any breach of these data. Note that breaches need to be reported to the appropriate European authorities within 72 hours of detection. Consider engaging in regular testing and evaluation of the technical and organizational measures you are taking to safeguard personal data.
At the end of the day, if you empathize with your users about the data they share with you and how they will want that data looked after, privacy obligations are easy to see, and choosing the system features needed to meet them becomes manageable. If you have questions about how your system handles private data, or you are thinking about redesigning your experience with privacy at the core, feel free to reach out! As Your Trusted Development Partner, Ballistiq looks to support all of our clients with systems designed to serve user needs, contribute to business objectives, and obtain and appropriately handle the data in those exchanges.