Apart from the occasional headline about FAANG companies tussling with the new legislation, the practical impact of GDPR remains obscure. If you’re a stakeholder in a small-to-medium enterprise (SME), this is a big problem. Unlike Google and Facebook, SMEs are unlikely to have a bottomless legal budget to contest being found in violation of the GDPR. As a result, data compliance over the next five to ten years can quickly become a question of business survival.
This guide is a starting point for understanding the implications GDPR has for these businesses. Let’s examine the document, chapter by chapter, to summarize its content and analyze the practical consequences for companies seeking compliance.
1. Understanding the Key Terms
First, the GDPR begins by outlining the scope and subjects of its regulation. Chapter 1 covers Articles 1-4 of the document.
The two most important points to note from this section are where it applies and to whom. Territorially, the GDPR applies to data processing carried out by organizations operating within the EU, even if the actual processing occurs outside the EU. It also applies to organizations based outside the EU that offer goods and services to individuals inside the EU.
Controllers & Processors
To whom does it apply? The GDPR applies to two parties: Data Controllers and Data Processors.
A Controller is a party that determines the purposes and means of personal data processing. For example, a beer company that doesn’t build commercial software but has a website that gathers users’ birth dates is a data controller. A Processor is the party that processes or operates on personal data on behalf of the controller.
Continuing our previous example, the contractor our hypothetical beer company hires to build the brand website is a Processor. Note that the GDPR still binds data controllers even if they use an independent Processor for data collection, storage, or processing.
Finally, the GDPR seeks to regulate information which constitutes personal data. Personal data is information that relates to an identifiable individual. Determining whether information “relates” to an individual is an exercise in judgment. One must consider both the content of the information and the purpose of processing such data. For most SMEs, it is advisable to err on the side of caution. Treat any piece of user information, even if pseudonymized, as personal data unless explicitly advised otherwise by appropriate legal counsel.
2. Learning the Core Principles and Business Implications
Second come the GDPR’s foundational principles, covered in Articles 6-11. At the core of the GDPR is the provision that data collection must be lawful, fair, and transparent. Lawful, in this case, has two implications.
First, a business must proactively identify a lawful basis for collecting and processing user data. You cannot “shoot first and ask questions later.” Moreover, it must determine that the consequences of that processing are lawful. If a company has a legal basis for processing user data but uses it to do something illegal, then they violate the GDPR.
The lawfulness principle expands in Article 6, listing a myriad of conditions under which data processing can be considered lawful. “Informed Consent” is an essential requirement to be aware of: it is the basis on which many companies derive a legal basis for collecting data on their users.
Informed consent requires specific and unambiguous conditions. As a practical example, an online form with consent options as an opt-out selected by default violates the GDPR because it’s not unambiguous. The implications of informed consent are significant.
Fairness and Transparency
Fairness and transparency are the value-driven counterparts to “lawful.” Under the tenets of the GDPR, an organization must go beyond pure legal compliance, showing they have considered the impact of user data processing and found it justifiable. Orgs need open and honest approaches to data processing. Orgs also need to comply with requests from data subjects regarding their data, or the “right to be informed.”
What does this mean for an SME? It means the lawful, fair, and transparent collection of data doesn’t happen on an ad hoc basis. Organizations collecting user data must proactively examine each category of data they want to collect and evaluate whether it is consistent with the fundamental principles of the GDPR.
Organizations must have systems in place to signpost when and how data is being collected, to meet the transparency requirement. They must also receive and respond to requests from their users regarding personal data processing.
More Core Principles
Compliant development teams are mindful of the following core principles:
- Purpose Limitation. You must limit your data collection to data that serves your intended purpose and explain it to the user in plain English.
- Data minimization. You must keep the data collected to a minimum for serving your intended purpose. You can’t collect data on the “off chance” that it serves your purpose. It must be explicit and necessary for your use.
- Storage Limitation. There’s a time component to purpose limitation, which requires that organizations must not store personal data beyond the time needed to complete an intended purpose. This seemingly small requirement has significant implications for how business is done. Data can’t just be stored in perpetuity once collected; teams must build systems for the periodic purging of data and the re-obtaining of affirmative consent at regular intervals.
3. Understanding the Rights of the Data Subject
Having outlined the core principles, Articles 12-23 deal specifically with the rights of the data subject. Many of these rights stem directly from the need for lawful, fair, and transparent data collection. As we see in Chapter 3, these considerations extend into new and significant territory.
It is fair to say that the rights conferred on the data subject in this section have the most substantial impact, especially on how SMEs build data infrastructure. In short, businesses must be prepared to liaise with data subjects regarding their data and to take certain kinds of corrective action on the data residing in their systems.
Right to Access
Chapter 3 stipulates that citizens have a right to access their personal data and to see how controllers are processing that data. Practically, data processors must have mechanisms in place to quickly and comprehensively share an individual’s data with them on request. Therefore, a business with a massive “data lake” of consumer information violates the GDPR if it can’t efficiently pull and distribute individual records.
Right to Erasure and Rectification
Chapter 3 confers additional rights on the Data subject, including the all-important Right to Erasure and Right to Rectification. These are safeguards to protect citizens even if their data has been captured lawfully, justly, and transparently. Rectification means that organizations must be able to correct inaccurate information about a data subject at the data subject’s request. Additionally, the Right to Erasure implies that a business must be able to provably delete all data related to a given individual if required to do so by request or otherwise. These conditions point to the need for reliable infrastructure supporting necessary capture and processing capabilities.
Data Portability is less discussed in most media but equally impactful for individual businesses and the way they manage data. Article 20 of the GDPR stipulates that controllers must make data available to subjects in a “structured, commonly used, machine-readable format.” What this means for a small business is that if a Subject Access Request (SAR) comes in, the company needs to be able to turn around a response quickly in a directly transferable format. With this in mind, the artifact can’t be a printout or even a PDF. It’s more likely to be a file in CSV or JSON format that’s easily portable and can be opened and interpreted on the average citizen’s computer.
Furthermore, a business consideration that stems from the fluid requirements for data hosting is the need to build systems that are agile enough to respond to constant updating and extraction of datasets. Development teams have to think carefully about requirements regarding data schemas and the versioning and specification of those schemas in the case of frequent changes.
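To make the storage-limitation principle and the Chapter 3 rights (access and portability, rectification, erasure) concrete, here is an added example, not code from the original article, of a minimal subject-record store exposing each of those operations. The in-memory store, the 365-day retention period, the 30-day renewal window, the fixed clock and the sample subjects are all assumptions standing in for a real database and a real retention policy.

```python
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=365)      # assumed retention period for the stated purpose
RENEWAL_WINDOW = timedelta(days=30)  # ask for fresh consent this long before expiry
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock for the demo

class SubjectStore:
    def __init__(self):
        self._rows = {}  # subject_id -> fields; constructed stand-in for a real database

    def add(self, subject_id, email, birth_date, consent_at):  # consent_at: last opt-in, tz-aware
        self._rows[subject_id] = {"email": email, "birth_date": birth_date, "consent_at": consent_at}

    def access_request(self, subject_id):
        # Right to access / portability: everything held on the subject, as versioned JSON.
        row = dict(self._rows[subject_id], consent_at=self._rows[subject_id]["consent_at"].isoformat())
        return json.dumps({"schema_version": 1, "subject_id": subject_id, "data": row}, sort_keys=True)

    def rectify(self, subject_id, **fields):
        # Right to rectification: correct inaccurate fields; unknown field names are rejected.
        unknown = set(fields) - set(self._rows[subject_id])
        if unknown:
            raise KeyError(sorted(unknown))
        self._rows[subject_id].update(fields)

    def erase(self, subject_id):
        # Right to erasure: delete, then confirm nothing remains before answering the subject.
        self._rows.pop(subject_id, None)
        return subject_id not in self._rows

    def purge_expired(self, now):
        # Storage limitation: drop records whose consent is older than RETENTION.
        stale = sorted(k for k, r in self._rows.items() if now - r["consent_at"] > RETENTION)
        self._rows = {k: r for k, r in self._rows.items() if k not in stale}
        return stale

    def due_for_reconsent(self, now):
        # Near expiry: re-obtain affirmative consent rather than silently keeping the data.
        return sorted(k for k, r in self._rows.items()
                      if RETENTION - RENEWAL_WINDOW < now - r["consent_at"] <= RETENTION)

def demo():
    store = SubjectStore()
    for sid, days_ago in (("u1", 10), ("u2", 350), ("u3", 400)):   # constructed sample subjects
        store.add(sid, f"{sid}@example.com", "1990-01-01", NOW - timedelta(days=days_ago))
    store.rectify("u1", email="ann@example.com")
    return {"exported": json.loads(store.access_request("u1"))["data"]["email"],
            "purged": store.purge_expired(NOW), "reconsent": store.due_for_reconsent(NOW),
            "erased": store.erase("u2"), "remaining": sorted(store._rows)}
```

Running `demo()` purges the subject whose consent is over a year old, flags the one within the renewal window for fresh consent, and returns the rectified value through the portable JSON export.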
4. Exploring the Obligations of Controllers and Processors
This chapter of the GDPR is chock-full of information with important business implications, and spans 19 articles, making it the lengthiest section of the GDPR.
Here are the key points to take out if you’re dipping your toes into the data protection waters:
Data Protection by Design and Default
Article 25 addresses a core principle of data management under the GDPR. In principle, organizations are obligated to take “appropriate” measures when collecting, storing, and processing data. In practice, this means that privacy-by-design engineering is now a vital consideration for any dev team. Depending on the size of your team, a dedicated privacy engineer may or may not be feasible, but in any case, responsibility for privacy considerations must be delegated and prioritized among team members.
Other measures that may be considered appropriate, taking circumstances into account, include pseudonymization of data, encryption of data, and routine system security checks. With these safeguards in place, the ability to notify relevant parties of a data breach should be straightforward. However, the GDPR goes further, codifying the obligatory response time for each party.
Organizations must notify the data subject immediately if there is a breach of their data. They must inform the relevant supervisory authority within 72 hours too. Has your business run a fire-drill to train for data breach response? If not, it should have! At the moment, GDPR’s requirements mean that no time can be lost aligning on the process.
Data Protection Officer
Lastly, Chapter 4 describes the role of a Data Protection Officer (DPO). A DPO is becoming increasingly common among data-dependent businesses. Moreover, if your business relies on processing large amounts of data (i.e., online behavior tracking), you’re required to appoint someone to this position. While the exact threshold for an obligatory DPO is still being hashed out via GDPR-related rulings, we recommend that businesses get serious about data management. Proactively recruit for this position.
5. Understanding the Transfer of Data to Third Countries and International Organizations
Chapter 5 of the GDPR provides additional detail on data transfers that involve parties outside or above EU jurisdiction. If a business seeks to transfer data to one of these parties, specific steps must be taken for the transfer to be sanctioned under the GDPR: namely, “appropriate safeguards” and vetting of the third-party organization with the relevant EU supervisory authorities. In the absence of a positive green light from those authorities, transfers are permissible only if it is proven that the appropriate safeguards have been put in place.
Chapter 5 states that companies need to follow data protection best practices inside and outside of EU jurisdiction. GDPR ensures all data emanating outward from European-supervised entities gets transferred with due caution and security of data subject rights.
6-11. Understanding the Additional Detail Contained in the Remaining Chapters
The structure of the GDPR document outlines most of the key terms, concepts, and prescriptions in the first five chapters. The back half of the regulation paper is less concerned with introducing new ideas and more concerned with firming up processes of compliance, enforcement, and sanctions related to GDPR compliance. Nevertheless, in this part of the document, there are essential points to note due to tangible business impact.
Establish a Supervisory Authority
Chapter 6 calls for the establishment of at least one supervisory authority in each European Member State. Authorities monitor and enforce GDPR compliance in a given country, and businesses in that country submit annual reports proving GDPR compliance. SMEs, therefore, should look to incorporate streamlined reporting capabilities as part of their data operation. Chapter 7 describes in further detail how these supervisory authorities are to cooperate and work together to promote EU-wide GDPR compliance.
Chapter 8 of the GDPR breaks down compliance processes and the penalties imposed for failing to comply with GDPR rules. We recommend that all critical stakeholders in SME data operations read through these articles in detail. Does your business need more convincing of the unique and financially significant consequences of taking the GDPR lightly? Then remember, GDPR violations can result in fines of up to 4% of the business’s global turnover (per annum). In practice, this can turn into billions of dollars, as recent GDPR cases involving the FAANG companies have demonstrated. Forewarned, forearmed!
Outstanding Business Items
Finally, Chapters 9-11 tidy up outstanding items of business, including some discussion of exceptional data cases and the adoption of different member state data measures. Development teams or other SME stakeholders do not need to focus on this part of the document, especially when they’ll need to work so hard to process and incorporate all of the detailed instruction that has come before.
In conclusion, the GDPR is a significant and wide-ranging piece of legislation that will have a big impact on the business and technology landscape. Though the many implications of the document may seem daunting, if you’ve made it to the end of this paper: congratulations. You’re now significantly better informed on the steps you need to take to get data compliant. Now it’s time to round up key players in your business – developers, management, marketing teams, and more – and start to game-plan for the changes that lie ahead.