Just a few short years ago, the idea of User Data Privacy Compliance on the internet was as dubious as the idea of Miranda Rights in the Wild West. Back then the web was (and many would argue still largely is), an adolescent medium growing at supernova speed. Boundaries were only being discovered long after pioneers had traversed past them, and regarding personal data, the frontier mindset was prevalent: if you could catch it, you could keep it. But in recent years, this particular aspect of online exchange has finally begun to experience welcome regulation. Now there are real consequences for actors that fail to follow regulatory requirements in the collection, storage, and exploitation of personal data.
The GDPR in Europe is the most widely-known and powerful piece of data regulation, but it’s important to realize that many of its tenets are soon to be adopted, in one form or another, worldwide. In California, the CCPA will come into effect January 1, 2020. India is currently finalizing a far-reaching data privacy bill. In Brazil, the LGPD will become the law of the land some time in early 2020. For businesses all over the world, the need to be user data privacy compliant will only grow more important. So, let’s assume that you aren’t yet able to pore over the fine print of each piece of legislation to ensure you’re in compliance…what are some general steps you can take to protect your business from falling afoul of the regulator?
Be Specific and Get Consent – Capturing every piece of data under the sun and figuring out how to use it after the fact is rapidly being consigned to the dustbin of history. Article 7 of the GDPR states that data controllers must be able to “demonstrate that the data subject has consented to the processing of his or her personal data.” Furthermore, this consent can’t be tacit or assumed. The request for consent must be presented “in a manner which is clearly distinguishable from the other matters…using clear and plain language.” Of course, a logical consequence of a mandatory, clear request for consent is that the data points which are to be captured must be specifically defined – you can’t explicitly ask for consent to capture an undefined set of data. Indeed, in Article 5(1), the GDPR states that personal data can only be collected for “specified, explicit, and legitimate purposes”. The upshot for development teams is clear: define the specific data you want your system to capture, and obtain affirmative consent from your users to capture that data.
Be Aware That Consent Can Be Withdrawn – Another important point to note is that obtaining consent does not mean that consent is iron-clad in perpetuity. Article 7 of the GDPR also includes the provision that “The data subject shall have the right to withdraw his or her consent [to having their data captured] at any time”. Furthermore, the GDPR mandates that “it shall be as easy to withdraw as to give consent”. What does this mean for your business? Well, most basically, your website, app, or other digital product must have a straightforward way for users to retract their consent for you to use their data. And your system must have built-in processes to guarantee that, if consent is withdrawn, the data does not live on anywhere in the infrastructure.
Remember You Can’t Keep It Forever – In the good old days of only a few years ago, it was generally accepted that once a company had your data, it was theirs to keep. However, regulators have stepped in to advocate for data subjects’ right to have their data scrubbed from systems after a certain amount of time has elapsed. The most well-known development around this “Right To Be Forgotten” was a 2014 lawsuit in which the Court of Justice of the European Union ruled that Google had to remove links to out-of-date information regarding a Spanish man. While search engine link results are not the purview of most SMEs, this general principle is now enshrined in the GDPR via Article 17, which is entitled “Right to erasure”, and Article 19, which details the process that must be undertaken by the data processor when they receive a request for erasure. Does your system have controls in place to efficiently remove data after a certain period of time has elapsed? It better!
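To make the three development requirements above concrete (a closed set of defined purposes, an auditable consent record whose withdrawal path mirrors the grant path, and erasure on withdrawal or retention expiry), here is an added example that is not part of the original post or any product it mentions; the purpose names, retention period and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Purposes are an explicit closed set: nothing outside it can be captured (Article 5(1)).
PURPOSES = {"order_fulfilment", "newsletter"}   # constructed sample purposes


@dataclass
class Subject:
    consent: dict = field(default_factory=dict)   # purpose -> [(timestamp, granted?), ...]
    data: dict = field(default_factory=dict)      # purpose -> (value, collected_at)


class ConsentLedger:
    """Append-only consent log plus the personal data it authorises."""
    def __init__(self, retention: timedelta):
        self.retention = retention      # how long data may live even with consent
        self.subjects = {}

    def _record(self, subject_id: str, purpose: str, granted: bool, now: datetime) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"undefined purpose: {purpose}")
        subj = self.subjects.setdefault(subject_id, Subject())
        # Appended, never overwritten: this log is the Article 7 evidence of consent decisions.
        subj.consent.setdefault(purpose, []).append((now, granted))

    def grant(self, subject_id: str, purpose: str, now: datetime) -> None:
        self._record(subject_id, purpose, True, now)

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> None:
        self._record(subject_id, purpose, False, now)   # same single call as grant

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        log = self.subjects.get(subject_id, Subject()).consent.get(purpose, [])
        return bool(log) and log[-1][1]                  # the latest decision wins

    def store(self, subject_id: str, purpose: str, value: str, now: datetime) -> None:
        if not self.has_consent(subject_id, purpose):
            raise PermissionError(f"no current consent for {purpose}")
        self.subjects[subject_id].data[purpose] = (value, now)

    def purge(self, now: datetime) -> list:
        """Erase data whose consent was withdrawn or whose retention period has elapsed."""
        erased = []
        for sid, subj in self.subjects.items():
            for purpose, (_, collected_at) in list(subj.data.items()):
                if not self.has_consent(sid, purpose) or now - collected_at > self.retention:
                    del subj.data[purpose]
                    erased.append((sid, purpose))
        return erased
```

In a real deployment `purge` would run as a scheduled job against every store that holds the data (backups and analytics copies included), since withdrawal only counts if the data is gone everywhere.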