Today we’ll talk about the “great and terrible” GDPR (General Data Protection Regulation). Although the law was adopted in May 2018, many companies are still not fulfilling all its requirements.
We met with our DPO (Data Protection Officer) to clarify what GDPR is and what companies must do to avoid large fines.
The article contains footnotes citing the basic definitions of the law.
- What is GDPR?
- GDPR is an international law, implemented by the EU, that applies worldwide. This is a law that protects users’ rights, regulating, in particular, the transfer, processing, and storage of personal data of each user who is in the EU or is an EU citizen.
¹ “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.
- Even if they use the services/websites of companies outside the EU?
- Yes, its international status extends the effect of the law beyond the EU. If someone uses resources available from the territory of the EU, or is a citizen of the EU but is located on the territory of another state, they are still subject to this law.
- What was the reason for its adoption?
- The adoption of the GDPR was preceded by many cases of data abuse, including abuse of personal data. Marketers began to “terrorize” people with various kinds of research. They began to study the behavior and habits of people and use this knowledge, thus making them more defenseless. When a person performed certain actions on a website, recommendation systems, for example, provoked him or her into a certain behavior. Facebook even began to legally sell user data for research. All biometric data is under protection now, and this is very important, as electronic passports are used in the EU.
- What should companies from non-EU countries do in order to comply with the requirements of this law?
- The rules that this law defines must be observed. First of all, you need to notify users about the collection of information. This is the first thing a resource’s visitor faces. The company must clearly convey to users what it wants from them, what specific data is collected, and why the company needs it. If, for example, weight parameters are collected, it is necessary to indicate for what purpose they will be used (if the real goal is to offer a drug for weight loss, it should be noted).
- Should the data be stored in anonymous or encrypted form?
- The law obliges companies to anonymize data and store it in separate storage. But the fact is that there are two main roles involved – processor ² and controller ³.
The controller is the one who collects and uses this data. They have to store it anonymously and separately, so that hackers, having access to some databases, would not be able to match this data with a real person. For example, your name, address, card number, height, weight, marital status, etc. Each item should be stored in a different database. But each company has algorithms that allow it to connect all these databases and use them for its own purposes.
Thus, providing data storage is one thing. But processing ⁴ is completely different. There should be data access protocols. Without these protocols, in the event of a data leak, the commission will investigate, and if no measures were taken on the company's side, the commission can sue or fine the company.
²‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
³‘controller’ means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
⁴‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- How is the transition process of existing websites/businesses organized to meet the requirements of this law?
- First of all, it is necessary to analyze the current state of data collection and processing. If only one server is used, it is necessary to divide it into several servers, so that it is impossible to hack all the databases from one source. Protection should be at the input of information, and the server should be constantly monitored by antivirus software. It is advisable to provide a second Internet channel, so that in case of a leak through one of the channels, it would be possible to turn it off and take certain actions to eliminate all problems on the other channel. Access should only be possible via a secure VPN connection. Now all major browsers show warnings when users try to access pages that do not use HTTPS.
If HTTPS is used, everything is fine. By the way, Google, which for a long time ignored some requirements of this law, takes the availability of an SSL certificate as one of the ranking factors in its search engine.
- What happens if a company does not comply with the requirements of this law?
- If we are talking about an EU resident, then, of course, the company can incur penalties, which will be issued by the regulatory authorities after analysis and investigation. Usually, at the macro level, this is all regulated by a high fine of up to 20 million EUR, or 4% of annual turnover. The European court that considers the case would rather opt for 4% of the turnover than 20 million euros.
But this is the maximum cost. It’s been a year since GDPR came into force, and there have already been practical cases. In cases where the data leak caused no harm, the attackers were identified and the company was simply issued a warning. If, by negligence, something hadn’t been fixed, they were made to pay a fine, from a couple to hundreds of thousands of euros. To date, Google has received the largest fine, €50 million, for the continued neglect of certain requirements of the law. Companies that lose biometric data get the biggest fines and experience consequent trouble.
- Which companies must comply with this law, and who can leave things as they are?
- Anyone who does not store personal data ⁵ – data that allows a person to be identified or their location to be determined. IP is also included, but at the moment the commission does not consider IP as personal data. Name and phone number are personal data if they are collected with the intention of not only contacting the person but also using them in some other way. If they serve communication purposes, then the data is not subject to the force of the law and its limitations on the storage period. These purposes do not involve selling goods or predicting user behavior.
It should also be kept in mind that emails, usernames or passwords, stored separately, are not considered personal data. Only those parameters that allow a particular person to be identified or located, for example IP + MAC addresses, are considered personal info.
In post-Soviet countries, we got used to the fact that “if something is not allowed, it means it’s forbidden”; in more liberal countries, on the contrary, “what is not forbidden is allowed”. These are two completely different paradigms and attitudes towards the law. So, the presumption of innocence is valid here – you are innocent until proven guilty.
⁵‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Now the commission has submitted another law on the protection of personal data, the law on cookies. Could you tell us a bit more about this?
- It comes down to that IP issue. Via IP, it’s possible to identify where the person is and the entire configuration of the equipment. But at the same time it is necessary to comply with this law. Now, IP is beyond the scope of the law. But it still requires regulation. Two editions have taken place, a third is coming, but it’s already clear that there will be some serious limitations. The United Kingdom has already started moving in this direction.
If the law is adopted in its current version, Google and similar companies simply will not be able to work in the EU. Now everyone is lobbying for the mitigation of this law, but the EU cares about its citizens and residents, and it is promoting this law in favor of people. The law still has not been adopted, and is not even in its final phase. But even if it’s accepted by 2019, it will take up to 2 years to make it work as it should.
Now, the only question is how deeply companies will be allowed to interfere in people's personal lives.
- Which specialists are needed to implement measures to comply with the requirements of this law?
- Usually this implies part-time work; in other cases it is necessary to involve the whole team full-time. An analyst conducts an audit of the current state of the company and writes specifications for execution, a system administrator or DevOps engineer is responsible for hardware, communication channels and more, and a programmer implements the changes on the website.
- What will be the result of the work of the team and company of the client?
If you want to learn more about GDPR go to https://www.gdpreu.org/ (the source is available in English only).