If you’re reading this, it means you’ve already heard about it or you’re about to receive some flash-news: there’s a new all-encompassing data privacy regulation in the EU. Ready or not, 25th of May 2018, the date when the General Data Protection Regulation (GDPR) becomes effective, will wait for nobody. If there’s any buzz around it, it’s because of a good reason: businesses will have to comply, software will have to evolve. In case there was no privacy training in your company or you’re the company, join me in the quest of debugging and fixing the way we collect, store, manage and analyze any form of Personal Identifiable Information (PII).
We’re living in an era where personal data is used for building business empires (Facebook, Google, Amazon, etc.). If you’re an organization, you know its value. Now, if the business holds, controls or processes data from EU citizens (marketing, sales, surveillance, etc.), there is also a risk to it and a price to pay for noncompliance (up to 4% of your global revenues or up to 20 million euro).
Due to the open clauses in the regulation, there is a lot of uncertainty around it, so changes are expected according to the region from where you’re handling the main operations – even if it’s not within the EU borders.
GDPR is switching the way we develop and offer services to a data protection by design mindset. Preparation is not the sole responsibility of the legal, IT or organizational pillars and it has to be a cross-functional effort from all parties.
For any business decision that is being taken, keep in mind transparent policies for data privacy, data controls and notifications. What does this mean?
- Discover and document the purpose of the data that is being collected. Outlining use cases of how and why the business needs it will make the discovery transparent. This documentation on the data will support the legal basis for processing and using it. Make sure to define who operates it and why it is necessary, where the data is stored and until when.
- Collect and store only the information that the business requires. If it is not demanded by law (e.g. information required for a bill) or not needed for the type of services you offer (e.g. marital status for job application, travel purpose for booking), don’t ask for it.
- Clearly define roles and responsibilities in the management and the usage of the collected data. Train the personnel and instruct them in regards to how the data can be processed and stored (emails, contracts, statistics).
- Define retention periods and deletion policies. The ownership belongs to the customer who can ask to be erased from your system.
- Protect the data that is collected. Use secured providers and partners for processing and storing your databases and files.
- Trace any changes that happen with the data. It should be transparent who accessed it, changed it or erased it, in what emails or contracts it appears and when. Proceed to risk assessment to establish the impact of data changes.
- In case of data breach, notify the authorities within 72 hours (Art. 33,34). Don’t avoid planning and rehearsing any incident response plan.
- Employ a data protection officer (DPO). Get guidance from experts. GDPR insists on one if the company’s core activity consists of processing special categories of data (religion, health, criminal convictions) on a large scale.
- Look out for existing GDPR-ready solutions. It doesn’t sound so impossible now, right? While one of the advertised frameworks for IT governance and management is COBIT 5, Microsoft comes in handy with its own helper kit: www.gdprbenchmark.com.
By going through these checkpoints and making adjustments wherever they’re needed, you will be able to easily respond to requests from the customer, partners and supervisory authorities.
Data privacy is an issue that surrounds technology and it is very rare that we develop a nuanced understanding of how it will affect the product design. If you are a developer like me, chances are you won’t have to deal with the fines, but you have to keep in mind the same principles as above. Just as it goes with keeping our code clean, let’s keep the processes and flows the same:
- Identify what customer data your use cases collect (medical information, bank details, cookies, social media content).
- Register the data sources (checkout, contact form, add-to-cart action) and where it is stored (database, email, log files, backup).
- Apply security measures to storing sensible information (user credentials, conditional access for other parties, encryption).
- Create the designed roles and permissions for each segment of your application. Read/write access to orders, customer information, logs.
- Any change that affects customer information (how it is processed, when it was changed) has to be traceable to who, when and why.
- The architecture should comply with the retention and deletion policies of personal information. Since information will not be kept any longer than necessary, set up jobs to manage the storage limitation.
- On the front-end actions, where there’s a need to collect data (checkout, register), check if the user gave his consent. According to GDPR, the consent must be specific to each data processing operation (Art.5,7).
- Hello, UI. Offer the customer the possibility to view, edit, delete or export the information that is stored on him.
- Hello, UX. Explain to the user how his information is processed and why. Don’t miss out on any other recipients of the data. A transparent and much broader notice will have to be provided.
It might seem like a lot of work to get compliant, but don’t forget that the protected and the privileged piece of the puzzle in the new order is YOU. When you are just browsing through websites, making orders online, signing petitions, answering quizzes or simply being on social media, you’re the one to pay the price of free. In effect, this does not make you the customer – but the product in a highly lucrative business of collecting personal data. We don’t know the internet, but the internet knows everything about us.
The currency for 2018 will be trust and consent. You can stop paying it at any time. GDPR implies that you have granting and revoking rights over the access to your personal information. It gives you the power to decide when to share information about you and when not to. You should be provided with access to the data that has been collected (birthday, email, biometrics, payment records) to view, correct, export or erase it.
The future is about data and this makes data privacy more important than ever. For those of us who are entitled to provide services and assist businesses, let’s remember to discover, manage, protect and report.
Now that GDPR is knocking on your door, what is your action plan?