The GDPR - or General Data Protection Regulation - is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union.
Or in plain English, it's a set of rules for how companies will need to handle personal data of European customers.
But don't let the fact that it's being enacted on the other side of the pond give you reason to think this doesn't effect you. If you've got a digital platform that's used by folks in Europe - or even used by folks with European passports here in the USA - the EU plans on holding your company accountable for the data you collect.
And they are not messing around. The rules are going to mean that lots of companies - ourselves included - are going to need to take a look at how they collect and process customer data. And in a world where database structures are complex and challenging already - it's likely about to get more so. (Sorry Donald)
The rules go into place on May 25, 2018 - which at the time of this writing is less than two months away. So if you're behind the curve on this important topic - here's what you need to know.
Does GDPR effect me?
If your company collects, stores or uses Personal Data, it effects you. It also effects you if you process Personal Data for other companies.
What constitutes Personal Data?
Personal Data includes (but isn't limited to):
- Online Identifier
- Health Information
- Cultural Profile
Okay, so what do we need to do to comply?
The GDPR is both very clear - and somewhat vague - in their rules. The creators of these rules understand the vast discrepancy among technologies and platforms and data collectors, and they recognize that a one-size-fits-all set of rules is going to be incredibly hard for the industry to swallow. So while the guidelines themselves are clear, they recognize that different companies will enact these guidelines differently.
- Communication. In plain language, tell them who you are when you request the data, say why you are processing their data, how long it will be stored and who receives it.
- Consent. Get their clear consent to process the data. And if you collect from children for social media purposes, you need to check the age limit for parental consent.
- Access & Portability. Let people access their data, and if they choose, take it from you and give it to another company.
- Warnings. Inform people right away of data breaches if there is a serious risk to them.
- Erase Data. Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t conflict with laws or regulations requiring that certain data be maintained.
- Profiling. If you use profiling or algorithms to process applications for legally-binding agreements like loans or insurance, you must:
- Inform your customers;
- Make sure you have a person, not a machine, checking the process if the application ends in a refusal;
- Offer the applicant the right to contest the decision.
- Marketing. Give people the right to opt out of direct marketing that uses their data.
- Safeguard Sensitive Data. Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
- Data Transfer Outside the EU. Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.
If you architect data tables for a living, a few of the items on that list are probably making your head spin right now. There's no easy way to say it. Enacting GDPR is going to be difficult and sometimes costly for data companies doing business in Europe or with European customers. Which leads to the obvious questions...
What happens if I don't?
It starts with a warning, then escalates to a suspension of the ability to process data in the EU - and eventually results in fines of up to 20,000,000 Euros or 4% of your company's annual revenue. Like I said, they are not messing around.
So what do I do now?
Rome wasn't built in a day. And securing Roman citizen's data won't happen in a day either. Many of the larger enterprise companies who I interact with have been working on their GDPR plans for months now. Others are now moving quickly to get them in place. Some resources I've read even suggest appointing a DPO (Data Protection Officer) within your company.
Here are a few handy resources to learn more about GDPR. The first one is very simple and easy to follow. And in full transparency, much of my post above was taken from it. The second is more detailed and provides a deeper level of information of what you should know and what you'll need to do.
What if we don't have any European customers?
For now, count yourself fortunate. The rules are limited to companies who have personal data of people from or in Europe. But don't get complacent. With the recent news surrounding data security and privacy, the US may not be far behind in enacting data privacy laws of our own. But that's a subject for another blog post, hopefully a little further down the road.
Dave Swartz is President of MEDL Mobile and serves as the Chair of the Innovation Policy Council for the Developers Alliance, a non-profit global membership organization that supports developers as creators, innovators, and entrepreneurs and promotes the continued growth of the industry, advocating on behalf of members and the development community at large on public policy and industry issues.