A Guide to GDPR and Internet Regulation
It’s been a little over a year since Europe’s General Data Protection Regulation (GDPR) went into effect and the threat of GDPR has been much talked about. Analysts often write about how it will change company structures. Many more break out in a sweat over fines – 4% of a company’s total global turnover, or some 17 million pounds.
On the other side of the pond, some US states have passed GDPR-inspired laws such as the California Consumer Privacy Act and Washington State Privacy Act to help businesses properly handle customer data coming from Europe.
Let’s take a closer look at where we are with GDPR.
The full force of the GDPR has yet to come down the pipeline. Businesses and enforcers alike have treated this past year as largely a transition phase. “For now, it has not changed one thing we do. Since June of 2018, I have not had one compliance questionnaire or entity come to me to validate my GDPR compliance” admits Mark Houpt, DataBank’s CISO.
During the first 9 months of implementation, total penalties amounted to €55 million Euros. Dreadful, until you consider that Google footed 90% of that amount for a single penalty levied against them in January 2019.
But the GDPR is no joke. Google’s penalty will spark a new era of consumer awareness, one that many will find startling. “It is likely that many people will say no to being profiled by Google when they learn the truth,” says Johnny Ryan, policy officer at web browser company, Brave. Houpt predicts enforcers knocking at his company’s doors soon as local governments find practical ways to enact the law in their respective jurisdictions.
To better appreciate the changes GDPR will enact, let’s look at how the law looks from both consumer and business side of the Internet.
Consumer data used to be locked behind marketing black boxes and endless CRMs. Users had virtually little to no understanding about how their data was used–largely because of obscurely worded consent forms. Most of us just click accept and hope our data doesn’t come out with the next big data leak.
But now under new rules data is treated very similarly to physical property. While some of the GDPR is already built on existing laws, it shifts the nexus of control from business to users by outlining 8 new rights:
- Right to be informed: Users have to be told where their data will be used and stored, before giving it over
- Right of access: Users need to be given control over their data, anytime
- Right to rectification: Users should be given the ability to update, correct, or complete data
- Right to erasure: Users should be able to request their data be permanently deleted from the collector’s systems
- Right to restrict processing: Users should be able to restrict what their data is used for
- Right to data portability: Users should be able to ask organisations to safely give them a copy of their data, or transfer their data to another organisation to improve the service they’re getting
- Right to object: Users should be able to stop data processing
- Rights in relation to automated decision making and profiling: Users can choose to opt out of being targeted by algorithm-based ads
So if you feel like you’ve seen more elaborate pop-ups asking for consent this past year, you’re not seeing things. These forms enable users to manage their new rights, which translates to a few more boxes to check than we are accustomed to.
Businesses will face the most challenges in transparency. However, unless you’re a conglomerate who makes their billions off the back of consumer data and ads, the GDPR won’t require you to do major renovations to your business model. Elizabeth Denham, the UK’s information commissioner, says that the new rules are a step change step change for businesses who followed pre-GDPR rules.
The full repercussions and changes of a policy as widespread as GDPR will take years to appreciate. Many areas remain cloudy and up for debate, such as liability when ad partners leak data, not publishers. But this past year has shown businesses how to stay compliant with the parts that are cut and dry.
Look into hiring a Data Protection Officer (DPO)
Under Article 37 of GDPR businesses who have more than 250 employees and who process a “large scale” of user profiles a year are required to hire a Data Protection Officer. Unfortunately, the law doesn’t clearly outline specifics for companies who fall under these requirements.
SMBs who don’t rely on consumer data may not need a DPO. But many popular ad-targeting tools arguably place businesses under the scope of the mandatory requirement, as does the use of sensitive personal data, which the GDPR places under its own special category. For instance, if you’re an app developer who uses geolocation data for a mobile AR game or even simple biometrics for a sleep tracking app, then you may need to hire one.
This can be problematic for small companies who don’t have the budget for new people, especially given the already stiff competition and shortage in IT personnel hiring. Some turn to outsourcing. A group of companies can also share one DPO, provided that this person can efficiently cover all organisations.
Clean out your data silos
With the GDPR cracking down on excessive data collection, it’s time to take a long, hard look at what your business really needs, and what it can do without.
To some, the leaner approach will come as a welcome relief against the data deluge. The GDPR challenges businesses to become more efficient, collecting only what is needed, and disposing of it immediately afterwards. No more hoarding. No more gigabytes of user data stagnating on a server somewhere, taking up pricey storage space.
Don’t make users jump through hoops for data
Businesses need to build access highways in and out of their databases for users. Ensure that they have an easy way to download, delete, and alter data. These features should be very easy to understand–no legalese hoops.
Documentation will also be critical, especially with the possibility of an auditor visiting at any time to check compliance. Document all data-related processes. For instance, how you collect data, where they’re stored, and how they’re used.
Create a process structure for leaks
One of the areas the GDPR truly changed is reporting data leaks. Before the law, countries had their own mechanisms for reporting security breaches. Germany required businesses to disclose breaches to affected users and the government, but in Norway, you would only need to notify state authority.
The GDPR upended all these differences. Under new regulations, all EU countries are required to report breaches to users and authorities no more than 72 hours after the incident. Amidst the chaos of data leaks, properly reporting to authorities can be overlooked. Businesses should set up a protocol to make the process smoother and to avoid incurring penalties.
How will Brexit affect GDPR?
As the GDPR concerns the data privacy of EU citizens, many British business owners wonder how the rules will change in the event of a “no deal” Brexit.
The answer – not a lot, if you’re already GDPR compliant. Whatever kind of Brexit the UK ends up with (presuming we actually leave), the UK’s Data Protection Act essentially mirrors the rules of the GDPR, largely to help UK businesses transition smoothly and stay compliant with EU laws after Brexit, with a few key differences. For instance, the Information Commission Office (ICO) is now granted the power to audit both public and private companies. The right of erasure doesn’t apply to data used for criminal investigations and scientific research.
The GDPR sets data privacy precedents for the rest of the world, with penalties that will make any business, regardless of size, pay attention. However, most organisations who were already compliant with pre-GDPR privacy laws have little to be concerned about.