GDPR is Coming, But Don’t Worry: We’ve Got Your Back
Quick summary: If you work with EU customers, you’re very likely to possess their personal info, at the very least an email address or credit card number. This May the EU is rolling out stricter privacy legislation called the GDPR. Your business must meet the requirements. We will help you.
Whether you have a website with a simple newsletter or you run a web app with a sign up form or payment option, any entity collecting and keeping personal data must comply with the GDPR. The GDPR is a new piece of European Union (EU) legislation aiming to enhance and consolidate data protection for all EU citizens.
GDPR stands for General Data Protection Regulation. It empowers individuals with regard to their personal data, even allowing them to request the deletion of personally identifiable information (PII) within 30 days, in other words, the right to be forgotten. It sets a strong precedent in terms of privacy but raises concerns for organizations with client, user or contact databases.
The first thing that business managers ought to know is that the GDPR is much stricter and more demanding than the UK Data Protection Act 1998 (DPA).
Secondly, understand that the GDPR replaces the DPA. While the underlying principles of the GDPR are similar to those of the DPA, the GDPR extends the DPA with additional and sometimes challenging requirements for businesses in Europe.
Thirdly, businesses have nothing to worry about if they prepare in advance. The new law is designed to be more preventive than punitive. This article gives a brief overview of the steps you need to take to prepare your company for this regulation, which comes into effect on May 25th, 2018.
Q&A about the GDPR
Who does the GDPR apply to?
The GDPR applies to all organizations that obtain, collect or store the personal information of EU citizens.
My business is US-based. Does this even concern me?
Yes, it does. If you deal with European clients or users, it concerns you directly. Even if your business does not touch the EU market in any way, it is only a matter of time before the legislation pushes global security standards upward. In the event of Brexit, the law will still apply to British companies and to citizens of the United Kingdom.
What data is considered personal?
The broad definition of PII implies that a business with any data that helps to identify a particular person must comply with the GDPR.
What counted as PII prior to May 2018?
A traditional set of PII includes:
- postal or email address
- social security numbers and IDs
- phone numbers
What will count as PII starting May 25th, 2018?
Basically, the definition extends to all browser, device and metadata that allows a person to be identified. This includes:
- an IP address
- digital image
- video footage
- any activity history (search, web pages visited, purchases)
- biometric data
- behavioral data
- social media posts
What to do to make GDPR your ally
Fortunately, the measures of the new legal framework are on the whole proactively preventative rather than remedial. The entire functionality of the GDPR is aimed at positive-sum outcomes for both organizations and their customers. To comply with the new privacy law, one has to understand the motivation behind it.
The GDPR strives to put privacy back into the hands of customers and therefore, serve as a framework for good privacy practices. In the same way that managers develop a business process flow before starting physical implementation, it helps to keep the GDPR in mind from the outset. It essentially amounts to an individual’s right which must always be respected and remain at the forefront of an enterprise’s activity.
Therefore, your strategy must be simple:
- make privacy the default setting
- embed privacy into design
- keep it transparent
This can be broken down into the following actions:
- Include a tick box for the user to agree to the storage of their personal data
- Generate a documented “opt-in” consent for every user. This consent has to explicitly determine the data collected, its purpose, and period of storage
- Moreover, users must be able to remove their consent or object to the use of their data at any time
- They must also be in control of what occurs with their PII. This means honoring their requests to:
- delete personal data
- correct factual errors
- view any of their data that is being stored
- export it for their own usage
Ultimately, you need to make user privacy your priority and respect it even before you obtain any data. Notably, it does not matter whether the information is public, private, or professional. The regulator does not define any specific controls for data protection, ultimately leaving organizations to decide for themselves what falls under the GDPR rule. Intellectsoft Blockchain Lab can consult you on this if you need a hand.
The GDPR is very clear about who the main actors in a personal data exchange are. A data subject is an individual whose personal data is being collected. A data controller is an organization that collects the data. There is also a third actor, the data processor: an organization that processes the data on behalf of a data controller. Both data controllers and data processors are obliged to maintain written records of the data gathered, how it was collected, and how it was used.
- Remember that security is a priority
- Understand what PII you store
- Be clear about exactly what you’re using it for
Consider the following tactics to protect personal data:
- Store PII separately
- Employ end-to-end security
- Information must be encrypted or at least password protected
- No outside party should have access to it or the ability to extract it
- Finally, consider hiring an official data protection officer (DPO)
Security teams are expected to ensure full-cycle protection against known threats while doing so in a transparent, documented, and retrievable way. This might seem an unreasonable challenge with traditional technology; one effective solution could be the use of a private consortium blockchain.
What to do if your data was compromised
Nobody can guarantee that they are 100% secure. Yahoo, JPMorgan Chase, and Equifax were among many companies hacked in recent years, leaking the private data of hundreds of millions of people. If you should be unfortunate enough to find yourself in this situation, it is crucial to avoid panic and focus instead on the immediate response:
- Firstly, investigate the incident. Is it a sensitive data leak? If only passwords were stolen, there might be no need to disclose the incident to the public; just ask users to update their profiles.
- Report the breach when it’s likely to result in a risk to people’s rights and freedoms. You have 3 full days to react.
- Your security team has to fix the vulnerability and attempt to track attackers.
- At the same time, establish and maintain an internal breach register.
- In clear and plain language explain to the affected individuals what client data was compromised.
Article 25 of the GDPR describes a general obligation to utilize technical and organizational measures. While you can ignore the new legislation until May 25th, organizations will be obliged to prove that they are compliant after that date.
If found to be non-compliant, they will be fined. If they are hacked, they will be fined. If they do not react appropriately or do not disclose the breach of sensitive data within 72 hours, they will be fined even more: up to EUR 20 million or 4% of a company's yearly revenue, whichever is larger. Generally speaking, the fines will be 79 times higher under the GDPR than they are now.
Twenty years forward from the original DPA, we are witnessing a tremendous shift in data ownership — from organizations to individuals. This is good news for rank-and-file citizens who often are not even aware of their private data usage.
Consequently, there are serious implications for businesses, and they cannot be avoided. Failure to comply will result in financial penalties, disastrous reputational damage and in the worst scenario, a shutdown. To remain confident and protected, enterprises need to learn about the possible implications in relation to the privacy of their customers, from the basics to actual security implementation.
Becoming an Intellectsoft Blockchain Lab partner removes any worries you might have about GDPR compliance. For all new projects we consider the legal GDPR implications upfront, protecting your reputation from the off. If you’re looking to ensure your existing business is GDPR compliant or if you have more in-depth questions about what these changes mean for you and your business, don’t hesitate to get in touch and request a consultancy.