We live in a world where almost every routine task – from booking a taxi to transferring money to finding a flight to an overseas country – can be performed using a mobile phone or a laptop. And as the world’s economy has gotten more and more digital, a lot of companies have started collecting and using sensitive customer data such as basic user information, medical records, credit card numbers, and information about personal choices and opinions.
While collecting all this data is simply necessary for businesses to operate and provide high-quality service, there are significant risks if this information is stolen and abused. This means that the matter of protecting customer data has never been so weighty.
According to a recent data security report prepared by the RSA, more than 40 percent of consumers say they deliberately hide their personal information when registering for a new product or service. One more interesting fact the report reveals is that consumers are unlikely to easily forgive a company that lets a breach of sensitive data happen. Clearly, it was high time to do something to address users’ concerns.
That’s why the European Union has introduced the General Data Protection Regulation (or GDPR) as a standard for how sensitive user data must be handled by businesses that gather and process it.
In this article, we gather useful insights about GDPR that any business should be familiar with in order to successfully comply with this regulation. We also tell you how we at Yalantis (as a third-party service provider) deal with GDPR compliance.
What is GDPR for?
As the successor to the outdated Data Security Directive of 1995, which fails to address how sensitive data should be collected, processed, and kept today, the GDPR was passed by the EU Parliament in 2016. The regulation was presented as a major overhaul of existing data privacy laws across the EU states and aims to provide greater protection to individuals who disclose their data to private businesses as well as to public bodies for further processing and storage.
GDPR contains a number of rules businesses have to meet to more effectively ensure the privacy of customers’ personal data. GDPR also controls how private data is exported outside the EU. Moreover, GDPR works as a great boost to the rights of individuals, giving them more control over their personal data. After a two-year post-adoption period, which let businesses fully prepare for compliance, the GDPR entered into force on 25 May 2018.
So what exactly do we mean by “users’ personal data?” This is actually any basic information about users such as their names, addresses, and ID numbers. Another category of user data includes sensitive web data like a user’s geolocation, IP address, and cookies.
GDPR also calls to protect health and genetic-related user data, biometric data, racial and ethnic data, data on sexual orientation and, perhaps surprisingly, even political opinions.
Who exactly does GDPR influence?
At this point, you may have a reasonable question: “Is my company affected by GDPR or not?” Well, according to the rules, any business that collects and keeps data about EU citizens must strictly adhere to the GDPR (even if they’re not physically located in the EU), which means that the GDPR is also the standard for foreign companies that have branches in the EU.
GDPR compliance is strictly required for companies that have 250 or more employees. Companies that have fewer than 250 employees but whose data processing and data controlling operations influence the rights and freedoms of EU citizens or collect and use certain types of sensitive personal data (which essentially means almost every company) must also act in accordance with the regulation.
Moreover, GDPR rules also apply to third-party organizations (so-called data processors, which we’ll discuss later) that may collaborate with a business to manage user data – for example, services like PayPal, Braintree, Uber, and Layer that typically provide their public APIs to businesses, or niche services with their private APIs. This means that if a third-party company you work with isn’t GDPR-compliant, your business automatically becomes non-compliant as well.
Penalties for violating GDPR can be really heavy: up to 4% of a business’s annual international turnover.
Roles and responsibilities prescribed by GDPR
There are several roles specified by GDPR for ensuring compliance for businesses:
A data subject is essentially an end user who passes their personal data for monitoring, processing, storage, etc.
A data controller is a company that owns data, defines how users’ data is processed, and specifies the purposes for which it’s processed; it also makes sure that data processors adhere to the GDPR rules.
A data processor is typically an outside company that helps to manage and maintain data; GDPR requires processors to follow in-house rules defined by a data controller even though they’re not part of the company that owns sensitive data. Chances are that both your company and a third-party service can be fined even if a security-related accident is completely the third-party service provider’s fault.
A data protection officer (DPO) is an employee hired to develop a proper data security strategy and make sure all parties conform to GDPR requirements. Hiring a DPO is strictly required by the GDPR for companies that own, process, and monitor large amounts of personal data belonging to people living within the EU (we’ll get back to this a bit later).
If you’re interested in finding out more about the specific role the data protection officer plays in GDPR compliance and how to hire a really good data security specialist, check out this article by Forbes that’s full of interesting and useful insights.
Meanwhile, let’s find out specific GDPR requirements.
The GDPR defines a number of provisions that require companies to reconsider the way they treat users’ personal data. These provisions cover seven major areas:
Consent – To get consent for data use from a customer, companies can’t use indecipherable terms and conditions filled with legalese; moreover, withdrawing consent should be as easy for a customer as giving it.
Breach notifications – In the case of a sensitive data breach, a data processor should inform their data controllers and customers about the accident and any associated risks within 72 hours.
Right of access – Customers who provide their data have the right to know whether a data controller is processing their data; a data controller must provide an electronic copy of personal data to a customer for free upon request.
Right to be forgotten – When a user’s personal data is no longer needed for its initial purpose of processing, or if a user has withdrawn their consent, they have the right to ask a data controller to destroy their personal information so it’s no longer available to anyone.
Data portability – Individuals can freely obtain and reuse their personal data by transferring it across different IT environments (for example, from a controller’s IT system to the system of a data subject) in a standardized machine-readable format.
Privacy by design – A data controller must take appropriate technical and infrastructural measures to include data protection from the very beginning of designing systems.
Data protection officers – The obligation to hire a DPO affects all companies who are engaged in large-scale systematic monitoring and scaling of users’ sensitive data.
You can find more precise information about general and final provisions, data subjects’ rights, principles and remedies, liability, and penalties for companies in the official text of the regulation.
How to make sure you’re in compliance with GDPR
There’s no one-size-fits-all solution when it comes to assuring GDPR compliance. However, there are basic recommendations you should pay attention to.
For example, you should consider having a data protection officer on staff. A DPO may help you develop an effective strategy for dealing with GDPR. This investment is worth serious consideration, especially taking into account the huge fines and penalties your company may expect in the case of non-compliance.
For larger companies, you may consider hiring a whole security department that will take care of different data security activities.
Even if the biggest responsibility is laid on the shoulders of your security staff, as a business owner you should also educate your staff members who work in some way with users’ information (for example, sales managers who constantly work with new customers and maintain CRM systems). By doing so, you can be sure that sensitive data is processed correctly.
We’re sure that we’ll soon see the rise of numerous compliance-oriented products and services. Two companies, SAS and M-Files, have recently announced products for businesses to enable GDPR compliance. However, you may also want to consider building your own in-house product for managing your security activities that would fit your unique needs.
Another important thing is to use third-party services that are GDPR-compliant.
As a service provider who merely builds software for our customers and their end users, Yalantis neither owns sensitive end user information nor processes it, which means that we don’t have to directly adhere to GDPR. However, acting as a mediator between a data controller (a business owner and our customer) and a data processor (a third-party service we use to integrate our projects with different functionality), we should be aware of the regulation’s particularities and use only secure, industry-standard, compliant products so as not to let our clients down.
For example, we actively use Twilio to enable phone confirmation for web and mobile apps we develop; the Twilio platform is fully GDPR-compliant now, so we can securely use it for our projects.
We also often use PubNub (a hosted real-time messaging solution for enabling web and mobile apps with chat functionality), which has also recently declared itself fully GDPR-compliant.
When it comes to enabling payments in our clients’ apps, we can easily use Braintree, which is also GDPR-ready now.
In the course of preparing for GDPR, many popular companies have offered some guidance on how to comply with the new and quite severe rules (ICO, for example). There are also numerous online training courses that can help you better understand the GDPR; check out Udemy’s recent course or the GDPR Essential Training on LinkedIn.
Please note, however, that there’s no such thing as official GDPR certification so far. The courses mentioned above are only designed to instruct and inform, not to make you a certified GDPR specialist.
We hope our insights were helpful for a newcomer. If you have any questions regarding how we ensure GDPR compliance for the projects we develop, don't hesitate to message us at firstname.lastname@example.org