Everybody is talking about GDPR, and many big companies are frantically trying to reach compliance. But what is GDPR anyway, and how does it affect me as a developer?
What is GDPR anyway
The General Data Protection Regulation (or GDPR for short) will take effect on May 25, 2018 and change the rules on how companies collect, store and process large amounts of user information. It will replace the existing data protection framework under the EU Data Protection Directive. Basically, the aim of GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
One of the biggest changes in the law is that personal data shall not be processed unless the person opts in. This means no more pre-ticked boxes. Opt-ins need to be a deliberate choice and have to be specific per processing. This means revising thousands of forms, checkboxes, etc. Or in other words, checkbox hell.
Disclaimer: The purpose of this post is to provide developers with a practical guide to GDPR. However, this information should only serve as a starting point for educating yourself about GDPR, not as a substitute for a lawyer. As always, you should seek the counsel of a competent lawyer for specific information on ensuring compliance with GDPR.
But GDPR isn’t just about tick boxes; it’s about transparency and accountability. It requires a complete reboot of your thinking about data protection.
One of the ideas behind the new regulation is to create a framework for the free flow of data across the world’s largest digital single market (or DSM) with 500 million consumers. GDPR represents a huge stride in establishing a functioning DSM in the near future.
The triangle of subject, controller and processor
Before getting into the specifics of the new legislation, there are three terms we need to define: data subject, data controller and data processor. The data subject (or DS) is simply the individual whom the personal data is about. The data controller (or DC) determines the purposes and means of the processing of personal data. The data processor (or DP) processes the personal data on behalf of the controller. The important thing here is that the DC is the central figure when it comes to protecting the rights of the DS because the DC is the one who controls the overall purpose and means. The DP does not control the data and cannot change the purpose or use of the particular set of data. However, the big change from the previous directive is that the DC and the DP are both obligated to demonstrate compliant processing and will share joint liability. So, even though the DP does not control the data, the DP is just as liable for any breach in data protection.
The 7 principles behind GDPR
Now, let’s get down to the nitty-gritty. The new legislation on data processing basically consists of 7 key principles.
- Lawful, fair and transparent processing
- Purpose limitation
- Data minimization
- Accurate and up-to-date processing
- Limitation of storage in a form that permits identification
- Confidential and secure
- Accountability and liability
Lawful, fair and transparent processing emphasizes transparency for data subjects and makes it easier for them to exercise their rights (which we will get to shortly). Purpose limitation means that DCs must have a lawful and legitimate purpose for processing the information in the first place. Data minimization states that the data must be adequate, relevant and limited and that organizations only capture the minimum amount of data they need to fulfill the specific purpose. Accurate and up-to-date processing requires DCs to make sure that the info remains accurate, valid and fit for purpose. Limitation of storage in a form that permits identification is designed to discourage unnecessary data redundancy and replication. Confidential and secure protects the integrity and privacy of data by making sure it’s secure (which extends to IT systems, paper records and physical security). And accountability and liability is about demonstrating compliance.
The 7 fundamental rights of the data subject
In addition to these seven principles, GDPR also guarantees 7 fundamental rights to the data subject (DS). These include
- Data access
- Right to rectification
- Right to be forgotten
- Right to restriction of processing
- Right to object
- Data portability
- Automated decision-making
Data access refers to the right to know what data has been collected about the DS and how this data has been processed. The right to rectification states that when personal data is inaccurate, the DC needs to correct it. The right to be forgotten, also known as the right to erasure, is where the DS requests that the DC erase their personal data. The right to the restriction of processing requires DCs to limit the processing of personal data. The right to object grants the DS the power to declare that they do not want their personal data to be processed. Data portability refers to the right to transfer personal data from one electronic processing system to another electronic processing system. And, finally, automated decision-making concerns the DS’s right not to be subject to a decision based solely on automated processing, including profiling.
So, this pretty much covers the theoretical part, but what does it really mean in practice? How does this translate into specific features? Let’s have a look at these below.
Some examples to help you understand better
First, there is the “forget me” button. There needs to be a method that takes the user ID and deletes all the personal data about the user. Closely connected to this is the obligation to notify third parties for erasure. You need to call the third-party API that allows for deletion of personal data. But there’s more to it than just that: you also have to make sure that the data does not show up in search results. If the third party does not have an API, you may have to do it manually.
Then, there is the “restrict processing” button. This button, which restricts access to the user profile, should be built into the user list in the admin panel and the user settings. There also has to be a button to export data. When clicked, the user should receive all the data that you have about them. Users also must have a way to edit their profile. One way of doing this is to make all the fields of your “users” table editable via the UI.
Next, there are the consent checkboxes. For each particular processing activity, there should be a separate checkbox on the registration (or user profile) screen. And finally, you need a method for anonymizing or deleting the data. The idea is to keep data no longer than necessary.
Whether automated or manual, you need to have these processes in place by May 25, 2018. For more information on required features, see https://techblog.bozho.net/gdpr-practical-guide-developers/
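As an added illustration (not code from the original post), here is a hypothetical Python in-memory stand-in for a “users” table that wires the features above together: one consent flag per processing activity, all unticked by default; a restriction flag that every processing step checks; a data export; a “forget me” method that also notifies third parties; and anonymization once data has outlived its retention period. PURPOSES, UserStore and the notify_erasure callback are assumed names, not part of any real system.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional

PURPOSES = ("newsletter", "analytics")  # hypothetical processing activities

@dataclass
class User:
    user_id: str
    email: str
    name: str
    # One explicit opt-in per processing activity, all unticked by default.
    consent: Dict[str, bool] = field(default_factory=lambda: {p: False for p in PURPOSES})
    restricted: bool = False  # set by the "restrict processing" button
    last_active: float = field(default_factory=time.time)

class UserStore:
    def __init__(self, notify_erasure: Callable[[str], None]):
        self.users: Dict[str, User] = {}
        self.notify_erasure = notify_erasure  # wraps each third party's deletion API
    def register(self, user_id: str, email: str, name: str, opted_in: Iterable[str] = ()) -> User:
        user = User(user_id, email, name)
        for purpose in opted_in:  # only the boxes the user actively ticked
            user.consent[purpose] = True
        self.users[user_id] = user
        return user
    def may_process(self, user_id: str, purpose: str) -> bool:
        """Gate every processing step on consent for that purpose and on restriction."""
        user = self.users.get(user_id)
        return bool(user and not user.restricted and user.consent.get(purpose, False))
    def restrict_processing(self, user_id: str) -> None:
        self.users[user_id].restricted = True
    def export_data(self, user_id: str) -> dict:
        """Data portability: everything held about the user, as a plain structure."""
        user = self.users[user_id]
        return {"user_id": user.user_id, "email": user.email, "name": user.name, "consent": dict(user.consent)}
    def forget_me(self, user_id: str) -> bool:
        """Right to erasure: delete locally, then ask third parties to do the same."""
        if self.users.pop(user_id, None) is None:
            return False
        self.notify_erasure(user_id)
        return True
    def anonymize_inactive(self, retention_seconds: float, now: Optional[float] = None) -> int:
        """Storage limitation: strip identifying fields from records past retention."""
        now = time.time() if now is None else now
        stale = [u for u in self.users.values() if u.email and now - u.last_active > retention_seconds]
        for user in stale:
            user.email, user.name = "", ""  # the record survives, the identity does not
        return len(stale)
```

In a real application the same checks sit in front of the database and the third-party calls; the point is that consent, restriction and retention are enforced in code rather than remembered by people.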
It is never too late – start now!
But before you start panicking, remember that it’s never too late – so get cracking! Start by creating awareness in your organization of the importance of transparency and accountability. Identify the use of personal data within your organization and create an index of your processing activities. Work on securing your systems and analyze and execute the changes necessary in your apps and devices. You also need to create and test your data breach crisis plan. Plus, you should check your partner network.
All of this requires a new way of thinking that sees data protection as an ongoing process rather than a one-time event. You need to focus on making conscious decisions whenever processing personal data.
We hope you have found this information helpful, and we look forward to seeing you at the WeAreDevelopers Congress on May 16-18 in the Austria Center Vienna.
Data protection by design and by default – that is the motto from now on.