One: Understanding the Key Terms
The GDPR begins by outlining the scope and subjects of its regulation. Chapter 1 covers Articles 1-4 of the document. Here are the key takeaways:
The two most important points to note from this section are where it applies and who it applies to. On territory, the GDPR applies to data processing by organizations operating within the EU, even if the actual processing occurs outside the EU. It also applies to organizations based outside the EU that are offering goods and services to individuals inside the EU.
Secondly, who does it apply to specifically? The GDPR applies to two parties: data Controllers and data Processors. A Controller is a party that “determines the purposes and means of processing personal data”. So if you’re a beer company that doesn’t build commercial software, but has a website that gathers users’ birth dates, you are a data Controller. The Processor is the party that processes data (that is, performs operations on personal data or sets of data) on behalf of the Controller. So to continue our previous example, the entity that our hypothetical beer company subcontracts to build the beer brand website is a Processor in the eyes of the GDPR. Note that data Controllers are still bound by GDPR regulations even if they are using an independent Processor in relation to data collection, storage, or processing.
The final key point of this section relates to the understanding of what information actually constitutes personal data, as this is the only area that GDPR seeks to regulate. Personal data is information that must relate to an identifiable individual. Determining whether information “relates” to an individual is also an exercise in judgment – one must account for not only the content of the information, but the purposes for which it is being processed. For most SMEs, it is advisable to err on the side of caution and treat any piece of user information, even if pseudonymised, as personal data unless explicitly advised otherwise by appropriate legal counsel.
Two: Understanding the Core Principles and their Business Implications
The second chapter of the GDPR covers Articles 6-11 and lays out the foundational principles that will be fleshed out in the remainder of the document. Here are the key takeaways:
First and foremost, at the core of the GDPR is the provision that data collection must be lawful, fair, and transparent. Lawful, in this case, has two implications. First, a business must proactively identify a lawful basis for collecting and processing user data. You cannot “shoot first and ask questions later.” Secondly, it must determine that the consequences of that processing are lawful. If a company has a legal basis for processing user data, but uses it to do something illegal, then it is in violation of the GDPR.
The lawfulness principle is further expanded in Article 6, which lists a myriad of conditions under which data processing can be considered lawful. The most important condition to be aware of is “informed consent”. This is the principle under which many companies derive legal basis for collecting data on their users.
Informed consent requires certain conditions: it must be specific and unambiguous. As a practical example, an online form whose consent option is selected by default, leaving the user to opt out, is in violation of the GDPR because it’s not unambiguous. The implications of informed consent are significant. Development and UX teams must work to structure their online data collection forms in a way that balances a clean experience with legal compliance, and they also need to make sure they build in easy ways for consent to be withdrawn at any time. If consent can’t be withdrawn as easily as it can be given, then it doesn’t meet the GDPR requirements.
Fairness and transparency are the value-driven counterparts to “lawful”. Under the tenets of the GDPR, an organization must go beyond pure legal compliance and also show that they have considered the impact of user data processing and found it justifiable. Furthermore, they must be open and honest in the way that they are processing the data and comply with requests from data subjects regarding their data – the “right to be informed” will be examined in further detail.
What does this mean for an SME? Put simply, the lawful, fair, and transparent collection of data doesn’t happen on an ad hoc basis. Any organization seeking to collect user data must proactively examine each category of data they want to collect and evaluate whether it is consistent with the key principles of the GDPR.
This Chapter contains other principles that development teams need to be mindful of; they are covered here in brief:
- Purpose Limitation: you must limit your data collection to data that serves your intended purpose, and this must be explained to the user in plain English.
- Data Minimization: you must keep the data collected to a minimum for serving your intended purpose. So you can’t collect data on the “off chance” that it will serve your purpose. It must be explicit and necessary to your purpose.
- Storage Limitation: There’s a time component to purpose limitation, which requires that organizations must not store personal data beyond the time needed to complete an intended purpose. This seemingly small requirement has big implications for how business is done. Data can’t just be stored in perpetuity once collected; teams must build systems for the periodic purging of data and the re-obtaining of affirmative consent at regular intervals.
Three: Understanding the Rights of the Data Subject
Having outlined the core principles, Articles 12-23 deal specifically with the rights of the data subject. Many of these rights stem directly from the need for lawful, fair, and transparent data collection, but, as we will see, Chapter 3 takes these considerations to new, important territory. It is fair to say that the rights conferred to the data subject in this section are liable to have the largest impacts on how an SME builds its data infrastructure in a GDPR world. Most basically, businesses must be prepared to liaise with data subjects regarding their personal data, and take certain kinds of corrective action to the data residing in their systems upon subject requests. Here are the key takeaways:
Chapter 3 stipulates that citizens have a right to access their personal data and see how that data is being processed by controllers. Practically, data processors must have mechanisms in place to quickly and comprehensively share an individual’s data with them on request. Thus a business with a massive data lake of consumer information is in violation of the GDPR if it can’t efficiently pull individual records and disseminate them to data subjects in easily digestible form.
Chapter 3 confers additional rights on the data subject, including the all-important Right to Erasure and Right to Rectification. These are safeguards to protect citizens even in the event that their data has been captured lawfully, fairly, and transparently. Rectification means that organizations must be able to correct inaccurate information about a data subject at the data subject’s request. And the Right to Erasure means that a business must be able to provably delete all data related to a given individual if required to do so by request or otherwise. Once again, these conditions point to the need for strong infrastructure supporting basic capture and processing capabilities – most SMEs have some way to go in this regard.
Less discussed in most media, but equally impactful for individual businesses and the way they manage data, is the concept of data portability. This is outlined in Article 20 of the GDPR and stipulates that controllers must make data available to subjects in a “structured, commonly-used, machine readable format”. What this means for a small business is that if a Subject Access Request (SAR) comes in, the business needs to be able to turn around a response quickly in a simply transferable format. So the response can’t be a printout, or even a PDF. It’s more likely to be a file in CSV or JSON format that’s easily portable and can be opened and interpreted on the average citizen’s computer.
Another business consideration, which stems from the requirement that hosted data be fluid and easily accessible, is the need to build systems that are agile enough to respond to constant updating and extraction of data sets. Development teams have to think carefully about requirements regarding data schemas and the versioning and specification of those schemas in the case of frequent changes.
Four: Exploring the Obligations of Controllers and Processors
This chapter of the GDPR is chock-full of information with important business implications, and spans 19 articles, making it the lengthiest section of the GDPR. Here are the key points to take out if you’re just dipping your toes into the data protection waters:
Data Protection by Design and Default, addressed in Article 25, is a core tenet of building data management systems under the GDPR. What it means in principle is that organizations are obligated to take “appropriate” measures when collecting, storing, and processing data. In practice, this means that privacy-by-design engineering is now a vital consideration for any dev team. Depending on the size of your team, a dedicated privacy engineer may or may not be feasible, but in any case, responsibility for privacy considerations must be delegated and prioritized among team members. Other measures that may be considered appropriate, taking circumstances into account, include pseudonymisation of data, encryption of data, and routine system security checks.
With all these safeguards in place, the ability to notify relevant parties of a data breach should be straightforward; however, the GDPR goes so far as to codify the obligatory response time for each party. Organizations must notify data subjects immediately if there is a breach of their personal data. Furthermore, they must notify the relevant supervisory authority within 72 hours. Has your business run a fire-drill to train for data breach response? If not, it should have! In the moment, the GDPR’s requirements mean that no time can be lost aligning on process.
The last key point in Chapter 4 is the description of the role of a Data Protection Officer (DPO). A DPO is becoming increasingly common among data-dependent businesses. But under the terms of the GDPR, if your business relies on processing large amounts of data, for example, online behavior tracking, you will be required to appoint someone to this position. While the exact threshold for an obligatory DPO is still being hashed out via GDPR-related rulings, we recommend that businesses getting serious about data management proactively recruit for this position.
Five: Understanding the Transfer of Data to Third Countries and International Organizations
Chapter five of the GDPR provides additional detail on data transfers when they involve parties outside or above EU jurisdiction. If a business seeks to transfer data to one of these parties, certain steps must be taken before the act is sanctioned under GDPR, namely, “appropriate safeguards” and a vetting of that third-party organization with the relevant EU supervisory authorities. Even in the absence of an affirmative green light from those authorities, transfers may still be permissible if it can be proven that the appropriate safeguards have been put in place. In real business terms, what Chapter 5 means is that businesses cannot disregard best practice data protection measures just because they are engaged with organizations outside EU jurisdiction. The GDPR ensures that all data emanating outward from European-supervised entities is transferred with due caution and protection of data subject rights.
Understanding the Additional Detail Contained in Remaining Chapters 6-11
The structure of the GDPR document means that most of the key terms, concepts, and prescriptions are outlined in the first five chapters. The back half of the document is less concerned with introducing new ideas and more concerned with firming up processes of compliance, enforcement, and sanctions related to GDPR compliance. Nevertheless, in this part of the document there are still important points to note due to tangible business impact. Here are the key takeaways:
Chapter 6 calls for the establishing of at least one supervisory authority in each European Member State. These authorities are responsible for monitoring and enforcing GDPR compliance in a given country, and businesses in that country are required to submit annual reports that can prove GDPR compliance. SMEs, therefore, should look to incorporate streamlined reporting capabilities as part of their data operation. Chapter 7 describes in further detail how these supervisory authorities are to cooperate and work together to promote EU-wide GDPR compliance.
Chapter 8 breaks down the complaint process and the actual penalties that can be imposed for failures to comply with GDPR rules. We recommend that all key stakeholders in SME data operations read through these articles in detail, in case they need to be convinced of the very real and financially significant consequences of taking the GDPR lightly. Certain GDPR violations can result in a fine of up to 4% of a business’s total worldwide annual turnover. This can easily reach into the billions of dollars, as recent GDPR cases involving the FAANG companies have demonstrated. Forewarned is forearmed!
Finally, Chapters 9-11 amount to a final tidy up of outstanding items of business, including some discussion on exceptional data cases and adoption of unique member state data measures. There’s little need for development teams or other SME stakeholders to focus on this part of the document, especially when they’ll need to work so hard to process and incorporate all of the detailed instruction that has come before.
In conclusion, the GDPR is a significant and wide-ranging piece of legislation that will have a big impact on the business and technology landscape. Though the many implications of the document may seem daunting, if you’ve made it to the end of this paper: congratulations. You’re now significantly better informed on the steps you need to take to get data compliant. Now it’s time to round up key players in your business – developers, management, marketing teams, and more – and start to gameplan for the changes that lie ahead.