Are you prepared for the new EU data privacy regulation, effective May 25, 2018?
Whether you are an outsourcing software company or you build your own products, if your users are EU residents you should keep your eye on the EU data privacy regulation. As we at Atlantbh do both, we needed to understand the regulation from different perspectives to ensure we are compliant on time.
If you already did your due diligence and made sure your software is compliant, then props to you (go read our other blog posts). Even with two years to prepare, we won’t judge you if you haven’t started yet, but hurry up! GDPR is in effect starting May 25th, 2018, and is here to stay.
We will try to keep this blog post short and easy to read, but as the topic is pretty law-heavy, there are some definitions you should understand.
General Data Protection Regulation (GDPR) requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states and to create uniform conditions across the EU.
Any company that stores or processes personal information about EU residents within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
When preparing for compliance, these are some things you should do:
Start talking about GDPR
Make sure that decision-makers and key people involved in a company or a single project are aware of the regulation and understand their role and the consequences of non-compliance. GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance.
Understand your role
You need to determine whether you are a Controller or a Processor in a specific project setup and learn which appropriate measures need to be implemented.
- The Controller is the person or company that determines the purposes and means of the processing of personal data. Under the GDPR, controllers still bear the primary responsibility for compliance.
- The Processor is any entity that processes personal data under the controller’s instructions (for example, an outsourcing software company). The processor is also responsible for GDPR compliance.
Learn what “personal data” and “processing” mean
You need to know what is treated as personal data and document what personal data you hold, where it came from, and who you share it with. Also, you should audit what you do with the data in terms of processing and storing it, including the physical location of the data.
If you use third-party applications to track user behavior, check whether they are compliant and what information you share with them. For example, the IP address is considered personal data. Make sure you exclude it from your analytics tools (most of them collect it by default).
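The IP-address point above is the one place on this page where a few lines of code help: the snippet below is an added example (not Atlantbh’s code, nor any analytics vendor’s API) that scrubs client addresses from analytics events before they leave your system. It assumes events are plain dicts, that the field names in IP_FIELDS are where your SDK puts the address, and it offers prefix truncation as a weaker alternative to the outright removal the post recommends.

```python
import ipaddress
from typing import Any, Dict, Optional

# Constructed analytics events in the shape a client-side SDK might batch up
# before sending them to a third-party service (sample data, not real users).
SAMPLE_EVENTS = [
    {"event": "page_view", "path": "/pricing", "ip": "203.0.113.42"},
    {"event": "click", "path": "/signup", "remote_addr": "2001:db8:85a3::8a2e:370:7334"},
    {"event": "page_view", "path": "/", "ip": "not-an-ip"},
]

# Field names assumed to carry the client address (adjust to your SDK).
IP_FIELDS = {"ip", "client_ip", "remote_addr"}


def parse_ip(value: str):
    """Parsed address, or None when the string is not an IPv4/IPv6 address."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def truncate_ip(value: str) -> Optional[str]:
    """Zero the last 8 bits of IPv4 / last 80 bits of IPv6 so the address no
    longer points at a single device; None when the input does not parse."""
    addr = parse_ip(value)
    if addr is None:
        return None
    drop_bits = 8 if addr.version == 4 else 80
    masked = (int(addr) >> drop_bits) << drop_bits
    return str(type(addr)(masked))


def scrub_event(event: Dict[str, Any], mode: str = "drop") -> Dict[str, Any]:
    """Copy of the event with client addresses removed. mode="drop" deletes the
    field (what the post advises); mode="truncate" keeps a coarse prefix instead.
    Any other string value that parses as an IP is handled the same way, since
    addresses also leak through unexpected fields (referrers, debug data)."""
    scrubbed: Dict[str, Any] = {}
    for key, value in event.items():
        is_ip = isinstance(value, str) and parse_ip(value) is not None
        if key in IP_FIELDS or is_ip:
            if mode == "truncate" and is_ip:
                scrubbed[key] = truncate_ip(value)
            continue  # unparseable garbage in an IP field is dropped, never forwarded
        scrubbed[key] = value
    return scrubbed
```

Run the scrubber as the last step before the event leaves your process; whether truncation still counts as personal data under the GDPR is a question for your legal counsel, not for the code.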
Check your procedures to ensure they cover all the rights individuals have (the right to be informed, the right to be deleted, and the right to restrict processing are just a few). Plan how you would approach the implementation of these rights.
Depending on your user base, it might be worth your while to build features that will ensure the implementation of some of the subject’s rights.
Know if you need data consent and how to get it
Under the GDPR, knowing how and when you need to seek consent can be tricky. Many people mistakenly think that organisations must get consent to process personal data, but consent is one of six lawful grounds for processing data, and you’d be advised to seek it only if none of the other grounds apply. Make sure you understand all of them and seek professional/legal counselling for better understanding.
Determine whether or not you need a Data Protection Officer
The GDPR calls for the mandatory appointment of a DPO for any organization that processes or stores large amounts of personal data, whether for employees, individuals outside the organization, or both. Make sure you seek counselling and appoint a DPO if you need one.
Keep up with data security
You don’t need a regulation to know you should always make sure your data is secure and your software is properly security tested. With GDPR in force, you will need to ensure that you notify the appropriate parties of any potential security breaches, should they occur.
Neglecting security standards is probably the worst violation you can make and would carry severe consequences for both controllers and processors.