January 06, 2017
Coming May 2018, the European Union will enforce a set of regulations designed to protect European citizens’ personal data. It’ll affect all companies that deal with EU citizens’ personal data, meaning that, yes, even your non EU-based company will still need to comply.
Some countries, such as Germany, already have strict data protection regulations in place, though the GDPR brings a major boost for compliance: fines up to €20M or 4% of global turnover for more serious offenses. Significant changes are coming and some of them are not trivial to implement, particularly in more complex organizations.
We’ve rounded up some of the key things you need to know and be prepared for. First things first…
This is how the OECD defines it:
any information relating to an identified or identifiable individual (data subject)
This includes (though not limited to):
The GDPR is only concerned with personal data which means that anonymized data is out of its scope. There’s an important caveat though: if data, even if anonymized, can somehow be tied back to an individual (for example, by combining multiple data sources and inferring an identity from that analysis), then this information can be deemed personal.
There are three simple fundamental definitions at play.
For instance, say you’re selling T-shirts on Shopify.
Your company, AmazingCoolTshirts.com, is making a killing and Shopify is coming in pretty handy. You’re also growing a loyal customer base and retargeting it using MailChimp as a preferred customer channel. Cool!
Shopify and MailChimp are storing and processing your customers’ personal data for the ends you expect them to, but you, the decider, are the one who controls what these services do.
A data love triangle
So in this case, your customers are obviously your data subjects; you are a data controller and Shopify and MailChimp are processors. We’ll delve a bit more on the implications of this later.
This is one example of the possible relationships between subjects, controllers and processors. Many more are possible — controllers can also handle the data themselves and processors are often also controllers when, for instance, they manage their own employees’ personal data.
As a controller you’re responsible for the data you hold. This means that you need to take steps to protect it and be able to demonstrate them to Data Protection Authorities (DPAs).
In practice, you need to secure the data your organization holds. This can sometimes translate into military grade encryption but can also entail tutoring your employees on data handling best practices.
Additionally, you need to make sure that the processors you use to handle the personal information your company controls effectively protect your data (even if those processors are also accountable under the GDPR).
The European Data Protection Board and national DPAs are expected to develop certification mechanisms for controllers and processors so you might want to be on the lookout for certified organizations who ensure compliance.
We know, we know, that’s not how you say that.
Consent is one of the fundamental aspects of the GDPR. Companies will now need to obtain consent from their customers for every usage of their personal data.
And no, 250 pages Terms & Conditions aren’t cool anymore. Neither are pre-ticked checkboxes — consent is only valid if actively given. Controllers are also required to state in plain language the purpose of the usage of the data.
Moreover, subjects have the right to object to each purpose and can’t really be denied service based on refusal unless that usage is critical for the provision of a service (e.g., you do need to use your customer’s address to ship T-shirts, but agreeing to receive newsletters isn’t really that important).
Data subjects must also be able to withdraw consent at any time, preferably utilizing the same interface they’ve used to give it in the first place.
What can you do? If you have a website, make sure your users agree to everything you do with their data and don’t forget to store that information. This might imply changing sign-up forms or checkout processes. There are already some tools that can help you do this, such as ConsentCheq.
The GDPR also grants a comprehensive & enhanced set of fundamental rights to data subjects. These include:
Make sure your organization has the processes in place to enable these. Getting all the data from your users on a neatly packed .zip file might not be a trivial task.
As mentioned, this is likely the biggest driver towards GDPR compliance. Fines are grouped in two categories:
If you’re curious, you can read more on what offenses fall into each category here.
The GDPR is coming, and with less than a year and a half to go, most organizations will need to go through some changes — and that’s not a whole lot of time.
Ignoring the issue is not really an option, given the business killer fines companies may face.
Here are some final thoughts:
The transition process should be fairly smooth for your online T-shirt business but can quickly get tricky in larger and more complex organizations that handle a lot of personal data in many different ways. Most of these will likely require a significant investment to ensure compliance. In a survey conducted with large companies (over 250 employees), over half had earmarked more than $100k towards compliance and 11% over $1M.
When in doubt, do seek professional counseling. The stakes are too high to risk penalties.
WE ARE WATTX
I am Fran and I have been working at WATTx for more than two years....
Talking with experts is extremely valuable in UX. But it can be very hard to...
After a brief break in the past two months, WATTx hackathon recap is back on....