The General Data Protection Regulation, or GDPR, will come into effect from May 2018. Replacing the Data Protection Directive 95/46/EC.
Like most new legislation, it introduces a new set of challenges to ensure compliance.
Specifically, GDPR will affect how you collect and process data, how you ask for consent to collect the data and how you report a breach of security. If it is enforced as it is written, it will dramatically affect online data capture.
How GDPR will affect data collection
You will need to specify what data is being collected, why you want the data and what you will do with it.
Why you are collecting data needs to be relevant to the purpose of processing in all circumstances. You are collecting data that isn’t necessary for you to provide the service, you might be breaching the regulation.
It is also looking like that the consent needs to be given before the data-collection form becomes active. This change alone is significant.
The explanation to gain consent must be concise, and separate from other terms and conditions. The wording used needs to be plain English, easy to understand, clear and presented in an intelligible form.
Writing in plain English about why you are collecting data is probably something that you are doing anyway, therefore the impact should not be that great.
That said, your request for consent must be under constant review and up-to-date with the purposes of data collection and processing.
The highest level of privacy must be the default and granularity must be offered so that individuals can give consent to certain purposes while rejecting others.
It will be good practice to have all policies for data collection and processing accessible by individuals at the Account Settings level, for example. Somewhere where they can review them and be notified when updated.
New functionality needed for the ‘right to be forgotten’:
Additionally, the GDPR introduces the ‘right to be forgotten’ within your data collection process. Going forward, individuals will be able request their data to be erased by withdrawing consent.
This applies to data shared with third parties too. You must notify them with details of the request for withdrawal.
We recommend you to build a specific functionality to manage the erase of customer data. This can be done either manually by updating customers’ records when they submit a request for erase, or by building a programmatic functionality that can be updated in the back-end or the customer controls.
To avoid incorrect data handling, your database also needs to be compliant with the regulation. This will affect the way you store and monitor it.
Not only the data must be encrypted, GDPR introduces the concept of pseudonymisation, which consists on the separation of a set of data into different tables, so the attribution of data to an individual cannot take place unless additional information is provided.
This is good practice anyway, but is something sometimes overlooked.
Protocols for reporting a data breach:
The Information Commissioner’s Office (ICO) calls a data breach a “breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
If that happens you need to report any data breaches that might result in a risk to the rights and freedoms of individuals.
You will need to notify the ICO of a data breach within 72 hours.
We recommend that you implement an Escalation Protocol for this purpose as failing to report a data breach could be penalised with a fine of up to 10 million Euros or 2% of your global turnover.
Additionally, organisations are required to appoint a Data Protection Officer when:
- The processing is carried out by a public authority.
- The core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
- The core activities involve processing of special categories of personal data and relating to criminal convictions and offences.
There are a number of challenges ahead, but none are insurmountable if planned for and addressed methodically.