You probably heard about this new EU-wide piece of legislation called General Data Protection Regulation (GDPR). Although much has been said on the subject, still many business owners struggle to wrap their heads around it. To make matters somewhat worse, the GDPR neither suggests a single, clear approach to data processing nor does it comprehensively explain how its ordinations will affect businesses of different shapes and sizes.
Addressing GDPR issues in the course of providing IT services and solutions to our clients has been quite a ride for me and my teammates. To put it in simpler terms—the struggle is real.
To clear things up a little, I asked my colleague and Monterail’s in-house lawyer, Kamila Koszewicz, what the new regulation means for digital businesses—ones offering products and services online. Kamila also authored the list of 30 questions every business needs to answer, which I highly recommend you to check out—the list includes her invaluable commentary that will help you stay GDPR-compliant.
As an expert in IT law and personal data protection, Kamila was able to provide me with comprehensive answers to a series of most frequently asked questions about the upcoming changes.
Kamila, I know you’ve been monitoring the preparations undertaken by the IT industry in anticipation of the new GDPR legislation. Could you describe for us what GDPR is and how it’s going to protect users?
Kamila Koszewicz: GDPR stands for General Data Protection Regulation—a new piece of European Union legislation regulating the processing of personal data that, starting on May 25, 2018, will supersede and replace the current EU directive regulating that area, adopted in 1995.
One of the primary objectives of GDPR is adjusting the legal regulations concerning the processing and protection of personal data to better fit the challenges of technological development and globalization which have facilitated the unprecedented availability and pervasive use of personal data. Just to be clear, by personal data I mean any information relating to an identified or identifiable natural person—including identifiers such as a name, an identification number, location data, an online identifier, or, for example, factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR gives data subjects, such as users of online services, a greater degree of control over the processing of their data—it broadens the scope of their rights, giving them better insight into exactly how much information is stored about them, how it is used, and allowing them to restrict or even completely stop such processing of their data. For example, if you’d like to know what Spotify knows about you, you can ask them for a copy of all the data they store about you or even ask the company to wipe the entire dataset: your name, email, listening history, and so on.
Compliance with GDPR rules is ensured by giving public authorities adequate supervisory powers and rights to impose serious sanctions for infringements.
So what does it change for digital businesses around the globe?
KK: Quite a lot, actually. First and foremost, GDPR regulates how companies store data. For example, from now on, every business has to design data flows in its services having in mind the principle of data minimization, meaning that the scope of collected data, the purposes of their processing, and their retention all have to be reduced to the absolute minimum. So, no more collecting and storing data “because we might need in the future,” which was—and still continues to be—a very common approach to data retention, examples of which include the widespread practice of collecting email contacts for marketing, sales purposes or even designing user account registration forms.
Companies will have to rethink many aspects of their business. What if they don’t comply?
KK: Besides what I already mentioned, digital service providers may encounter big financial sanctions for GDPR infringements that might greatly impact their businesses.
The main, most severe consequence of non-compliance with GDPR is facing administrative fines of up to EUR 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. That may cause a real harm for both small and large-size companies.
The media usually bring up only these huge financial fines as a consequence of non-compliance with the GDPR, but the legislation gives supervisory authorities of the EU member states a range of other powers that may severely impact IT-focused businesses. These may for example include forcing controllers or processors to take specific actions within specific timelines in order to comply with GDPR rules, imposing a temporary or definitive limitation of processing, or even outright banning it.
Since the GDPR will be coming into force in about 3 weeks, businesses should immediately start auditing their personal data flows (I created a list of questions to help you out here and become more GDPR-conscious), e.g. verify legal basis of the processing, its scope, and the technical solutions they use. At the end of the day it might turn out that they need the help of a lawyer specializing in data protection and IT issues, but a good place to start would be with a checklist, for example the one published by the British ICO.
But hey, let’s look on the bright side of things! The GDPR doesn’t only mean new obligations and expenses, it also offers a bevy of new business opportunities. Under the GDPR, terms and conditions of providing services for users located in the EU will no longer depend on the location of the service provider. This means that businesses in the EU and outside the Union’s borders will compete and operate on the same level.
Kamila Koszewicz (L), Karolina Gawron (R)
You mentioned how new regulations will impact all businesses, big and small alike. What about Google, Facebook, and other companies which rely heavily on data collection?
KK: Well, they will definitely feel the changes—they provide services for EU users, so they will have to comply with the GDPR. And because of the scope of their businesses, the amount of data they collect, and, in consequence, the impact they have on our everyday lives, they will surely be one of the first companies whose compliance with GDPR will be verified.
This, in turn, means that their organizational and technical decisions, in particular the solutions they choose to implement in order to comply with the new regulations, will surely serve as reference points for other businesses and will probably influence future industry standards.
As an ordinary user of the platforms offered by these companies, you will probably be provided with a plethora of new information and policies, and repeatedly asked whether you consent to this or that use of your data. Maybe you already were. As Google and Facebook are mostly advertising businesses, if they don’t ensure that their data collection processes are legal by getting GDPR-compliant consents, they may lose serious money by losing access to invaluable data.
If GDPR applies to Facebook and Google, I assume it applies to other US-based businesses?
KK: Yes. It applies to all businesses, including those based in the US, that process personal data of EU data subjects in relation to offering goods or services or monitoring their behavior that takes place within the EU.
For example, if an online service is available in the EU, regardless whether it’s a paid service or one available free of charge, its owner needs to comply with all the rules specified in the GDPR. If you want to send marketing messages to EU subjects, like a newsletter, for example, you must comply. If you want to keep the data of your European customers in a CRM—you must comply as well.
So even as a small company I’m obliged to follow the regulations. How can I minimize the impact of the GDPR on my business if I don’t have the right experts in my team?
KK: Since a service provider cannot avoid being subject to GDPR by changing its location, the only way to minimize the impact of these new regulations is by minimizing the scope of the processing—for example by collecting less personal data, avoiding the processing of sensitive data categories (including health records, data on racial or ethnic origin, religious or philosophical beliefs, etc.), and limiting the scope of purposes of the processing and transfers of personal data to other entities.
You can do that by, for example, anonymizing the data you collect—it’s often the case that a broad scope of personal data is collected for statistical purposes, where storing just numbers instead of IPs would absolutely suffice.
What should be my step one if I want to stay compliant?
KK: It is crucial to immediately start an internal audit to identify all data flows within a company—what data is collected, where it comes from (data subjects or other sources), what the data is processed for, what’s the legal basis of processing, what data is shared with other entities, and whether the technical solutions used to process data are GDPR-compliant.
After performing an audit to identify and document data flows, you should verify whether personal data processing meets GDPR rules, such as data minimization, for example, and whether there are appropriate organizational and technical measures in place to allow exercise of data subject rights (e.g. to access data, rectify them, to facilitate data portability, to restrict their processing, object to processing, withdraw consent for data processing, right to be forgotten). Answering questions from this list and challenging them with my commentary would be a good first step.
What will change from a designer’s and developer’s perspective?
KK: Software designers and developers will have to know at least the basic GDPR rules to be able to create apps that can address the clients’ needs—they are obviously not lawyers, so they will not be able to fully ascertain that an app complies with the GDPR, but they have to know what mechanisms should be implemented.
For example, they will need to know about the rule of “data protection by design and by default,” referring to the implementation of appropriate technical and organizational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This applies to the amount of data collected, the extent of its processing, the period of its retention as well as its accessibility.
They will also need to plan an extended system of logs that will track what happens with stored data—who and when enters, modifies, erases, accesses them, etc.
If you could share the single most important piece of advice to digital companies with regard to staying GDPR-compliant, what would that be?
KK: Don’t do this on your own. The stakes are way too high for that. Especially if you’re not a small company anymore, you should talk to experts who will help you manage your data flows and point out vulnerabilities in your existing product, website, and database.