Just a few short years ago, the idea of User Data Privacy Compliance on the internet was full of hesitation. It was as dubious as the idea of Miranda Rights in the Wild West. Back then, the web was, and many would argue it still is, an adolescent medium growing at supernova speed. Pioneers were only discovering boundaries long after traversing past them. Regarding personal data, the frontier mindset was prevalent: if you could catch it, you could keep it. But in recent years, this particular aspect of online exchange has finally begun to experience welcome regulation. Now, there are real consequences for actors that fail to follow regulatory requirements. Meaning the collection, storage, and exploitation of personal data.
The GDPR in Europe is the most widely-known and powerful piece of data regulation, but it’s essential to realize that many of its tenets are soon to be adopted, in one form or another, worldwide. In California, the CCPA will come into effect January 1, 2020. India is currently finalizing a far-reaching data privacy bill. In Brazil, the LGPD will become the law of the land sometime in early 2020. For businesses all over the world, the need to be user data privacy compliant will only grow more critical. So, let’s assume that you aren’t yet able to pour over the fine print of each legislation to ensure compliance…what are some general steps you can take to protect your business from falling afoul of the regulator?
Be Specific and Get Consent
To capture every piece of data under the sun and try to figure out how to use it after the fact is rapidly consigned to the dustbin of history. Article 7 of the GDPR states data controllers must be able to “demonstrate that the data subject has consented to the processing of his or her personal data.” Furthermore, this consent can’t be tacit or assumed. The request for consent must be presented “in a manner which is clearly distinguishable from the other matters…using clear and plain language.”
A logical, mandatory consequence is that consent for data collection and processing must be clearly stated. You can’t explicitly ask for consent to capture an undefined set of data. Personal data can only be collected for “specified, explicit, and legitimate purposes” (Article 5(1) of GDPR). The upshot for development teams is clear. Define specific data you want your system to capture and obtain affirmative consent from your users.
Be Aware, Users Can Withdraw Consent
Another vital point to note is that obtaining consent does not mean that consent is iron-clad in perpetuity. Article 7 of the GDPR also includes the provision that “The data subject shall have the right to withdraw his or her consent [to having their data captured] at any time.” Furthermore, the GDPR mandates that “it shall be as easy to withdraw as to give consent.” What does this mean for your business? Well, most basically, your website/app/digital product must have a straightforward way for users to retract their consent. Your system must have built-in processes to guarantee it too. If users withdraw permission, the data cannot live anywhere in the infrastructure.
Remember You Can’t Keep it Forever
In the old days of only a few years ago, once a company had your data, it was theirs to keep. However, regulators have stepped in to advocate for data subjects’ right to have their data scrubbed from systems after a certain amount of time has elapsed. The most well-known development around this “Right To Be Forgotten” was a 2014 lawsuit in which the Court of Justice of the European Union ruled that Google had to remove links to out-of-date information regarding a Spanish man. While search engine link results are not the purview of most SME’s, this general principle is now enshrined in the GDPR via Article 17, which is entitled “Right to erasure,” and Article 19, which details the process that must be undertaken by the data processor when they receive a request for Erasure.
Does your system have controls in place to efficiently remove data after a certain period has elapsed? It better!
Published from our Privacy Magazine – To learn more, visit Privacy.dev