
GDPR is upon us: stop panicking and start looking for the exit

Judging by the growing panic online, many people either have only just heard of the GDPR or have put off dealing with it until the very last moment.


On 25 May the threat of a fine of up to 20 million euros or 4% of global annual turnover (whichever is higher) becomes real. So, panic or not? Having already thrown a bucket of petrol on the fire, I feel obliged to point the way to the fire exit without waiting for the event announced in the previous article. Forgive the roughness: this is improvised, very fast and very dirty, but (hopefully) useful.

On the one hand, the threat is quite real. On the other hand, it is unlikely that on 25 May European commissioners in dusty helmets will storm the offices of every violator without exception; only the most notorious offenders with a Facebook-sized "reputation" can count on that honour. What should you fear, and how do you fend it off, if the project in your care sits somewhere in the second million by popularity, that is, widely known in narrow circles, like the band Fleshgod Apocalypse?

The answer was suggested by our German colleagues' experience with the entry into force of the Impressum law. It turned out that Germany had a fair number of underemployed lawyers eager for easy money: they hunted down violators en masse and harassed them with claims in bulk. So I consider the main threat to third- to tenth-tier projects to be not a thorough investigation by European bureaucrats but a private-initiative attack: a superficial scan for typical problems followed by template claims sent out in bulk.
Therefore:


Eliminating violations of the GDPR's basic principles


Write down all the personal data you collect, the purposes for which you collect it and how it is used: each combination of "data set + purpose + method of use" separately.

If any personal data is collected "just in case", because it "might come in handy", that is a serious violation of the purpose limitation and data minimisation principles: get rid of it.

Determine the legal basis for each combination. The GDPR (Article 6(1)) recognises six possible legal grounds:

  • Consent of the data subject.
  • Performance of a contract with the data subject (or steps taken at their request before entering into one).
  • Compliance with a legal obligation of the controller.
  • Protection of the vital interests of the data subject or another person.
  • Performance of a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests of the controller or a third party.

This is a very important topic - choose carefully.

Let's look at the ones most useful to us:

Consent


Consent in GDPR terms is a very, very tricky thing. Consent must be:

  • Unbundled: consent requests must be separate from other terms and conditions. Consent must not be a precondition for signing up to a service unless it is necessary for that service.
  • Active opt-in: pre-ticked boxes are invalid; use unticked opt-in boxes or similar active opt-in methods (for example, a choice between two equally prominent options).
  • Granular: give separate options to consent to different types of processing wherever appropriate.
  • Named: name your organisation and any third parties that will rely on the consent. Even precisely defined categories of third parties will not be acceptable under the GDPR.
  • Documented: keep records to demonstrate what the individual consented to, including what they were told, and when and how they consented.
  • Easy to withdraw: tell people that they have the right to withdraw their consent at any time, and how to do so. It must be as easy to withdraw consent as it was to give it, which means you need simple and effective withdrawal mechanisms.
  • No imbalance in the relationship: consent is not freely given if there is an imbalance in the relationship between the individual and the controller. This makes consent especially difficult for public authorities and employers, who should look for an alternative legal basis.

The topic is covered in detail in the ICO's draft GDPR consent guidance; in effect, I have lifted one page from it.
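As an added example (not from the original article, and not from the ICO guidance), here is how those requirements translate into a small consent ledger: one append-only record per purpose, storing the hash and version of the exact wording the person saw, the named recipients and how consent was collected, with a one-call withdrawal and a per-purpose check that gates processing. The class and function names (ConsentLedger, record_consent, withdraw, has_consent) and the organisation names in the demo are my own choices for illustration, not anything taken from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry: consent given or withdrawn for a purpose."""
    subject_id: str
    purpose: str                    # one entry per purpose (granular)
    kind: str                       # "given" or "withdrawn"
    at: datetime
    controller: str                 # who relies on the consent (named)
    third_parties: Tuple[str, ...]  # named recipients, not categories
    text_version: str               # which wording the person saw
    text_hash: str                  # sha256 of that exact wording
    method: str                     # how consent was collected or withdrawn


# Words that describe a category of recipient rather than a named organisation.
VAGUE_RECIPIENTS = {"partners", "third parties", "affiliates", "advertisers"}


class ConsentLedger:
    """Append-only consent records for one controller (hypothetical class)."""

    def __init__(self, controller: str):
        self.controller = controller
        self._events = []

    def record_consent(self, subject_id, purpose, consent_text, text_version,
                       third_parties, method, checked, default_checked=False,
                       now=None) -> Optional[ConsentEvent]:
        """Store consent only if it was an active, informed choice."""
        # Active opt-in: a box ticked by default is not consent, even if
        # the person left it ticked.
        if default_checked:
            raise ValueError("pre-ticked consent controls are invalid")
        # Unticked box: no consent, nothing to record. The service must
        # still work without it (unbundled).
        if not checked:
            return None
        # Named: every recipient is an organisation, not a category.
        for tp in third_parties:
            if not tp or tp.strip().lower() in VAGUE_RECIPIENTS:
                raise ValueError(f"third party must be named, got {tp!r}")
        ev = ConsentEvent(
            subject_id=subject_id, purpose=purpose, kind="given",
            at=now or datetime.now(timezone.utc), controller=self.controller,
            third_parties=tuple(third_parties), text_version=text_version,
            text_hash=sha256(consent_text.encode("utf-8")).hexdigest(),
            method=method)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id, purpose, method, now=None) -> ConsentEvent:
        """Withdrawal is one call with no preconditions: as easy as consenting."""
        last = self._latest(subject_id, purpose)
        ev = ConsentEvent(
            subject_id=subject_id, purpose=purpose, kind="withdrawn",
            at=now or datetime.now(timezone.utc), controller=self.controller,
            third_parties=last.third_parties if last else (),
            text_version=last.text_version if last else "",
            text_hash=last.text_hash if last else "", method=method)
        self._events.append(ev)
        return ev

    def has_consent(self, subject_id, purpose) -> bool:
        """Gate each processing step on the current state for this purpose only."""
        last = self._latest(subject_id, purpose)
        return last is not None and last.kind == "given"

    def audit_trail(self, subject_id):
        """Everything needed to show what was agreed, when, how, and to what text."""
        return [e for e in self._events if e.subject_id == subject_id]

    def _latest(self, subject_id, purpose):
        for e in reversed(self._events):
            if e.subject_id == subject_id and e.purpose == purpose:
                return e
        return None


def demo() -> dict:
    """Signup with two separate boxes, then a one-click withdrawal (constructed data)."""
    ledger = ConsentLedger(controller="Example Shop Ltd")
    text = "Send me the Example Shop newsletter. Delivered by Mailer Inc."
    ledger.record_consent("u1", "newsletter", text, "v3", ["Mailer Inc"],
                          "unticked checkbox on signup form", checked=True)
    # Analytics was offered as its own unticked box and left unticked.
    ledger.record_consent("u1", "analytics", "Allow usage analytics.", "v3", [],
                          "unticked checkbox on signup form", checked=False)
    before = (ledger.has_consent("u1", "newsletter"),
              ledger.has_consent("u1", "analytics"))
    ledger.withdraw("u1", "newsletter", method="one-click unsubscribe link")
    return {"before": before,
            "after": ledger.has_consent("u1", "newsletter"),
            "events": len(ledger.audit_trail("u1"))}


if __name__ == "__main__":
    print(demo())
```

The design point is that the ledger is append-only: a withdrawal does not delete the earlier record, so you can still prove what was agreed and when, while has_consent() answers only for the purpose asked about, which is what makes the consent granular in practice rather than just on the form.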

Contract


This one is fairly obvious: if you have a business relationship of any kind with an individual (selling goods, providing a service, employing them, etc.), you are entitled to collect and process the personal data you need to fulfil your obligations under it. This legal basis also covers the situation where the individual has merely taken steps towards entering into a relationship, for example by sending an enquiry.

Legitimate interests of the controller


Another tricky one. You can process personal data without the individual's consent if you have a genuine and legitimate reason (including commercial advantage), unless that reason is overridden by the harm to the individual's rights and interests. In other words, you weigh your interests against the risk to the individual and may conclude that your interests prevail. Naturally, this balancing test has to be documented and, when the occasion arises, defended.

Eliminating easily detectable violations


What is easy to detect (including automatically) in online projects, for example:


All of this is worth fixing: the crawlers may already be warmed up and waiting for the hour to strike…

Source: https://habr.com/ru/post/354494/
