Article published May 21, 2018

The first part of the article is here. If you have not read it, please read it first for context.
Having dealt with the most common misconceptions about the GDPR, let's look at its real impact, and then at the most useful tips for site owners.
Every law has, besides its literal text, a spirit: its purpose. The purpose of the GDPR is to rein in corporations that exhibit the worst business practices on the Internet and violate user privacy. Lawmakers want to return control of personal data to the owners of that data, the individuals who are its subjects (hence the term "data subjects"). There are countless examples of such violations; I am not going to list them here, there is simply not enough time. But rest assured: the state of affairs is such that regulation was only a matter of time. Regular readers of my blog know that privacy is a topic dear to me, so I welcome the GDPR and hope that the law will have the desired effect. Judging by the number of letters from companies practically begging me to let them keep sending me spam, this is probably the only law that has clearly had a positive effect on my life even before it came into force. (Ironically, these companies are breaking the law by sending such messages...)
Privacy is important. It is so important that the authors of the Universal Declaration of Human Rights found it necessary to include it in the short list of rights everyone on Earth should have. At the same time, companies try to make money in every possible way, and if violating a user's privacy lets them make a quick dollar, so much the worse for the user. It is therefore not surprising that lawmakers found it necessary to draft a law protecting the right to privacy, and not surprising that such legislation was adopted first in Europe. European history offers very good examples of what a lack of privacy can do to people.
Depending on the type of data, the size of the organization, the amount of data processed and your relationship with the data subjects, the effect of the GDPR can range from "zero" to "huge", with corresponding costs. I will try to give a rough guide to how the new EU law will affect your company and how much you are affected by it.
First of all, let's look at what data you are processing, and consider several different scenarios to assess the impact of the GDPR on each of them.
Data types
There are different kinds of data: data that relates to a specific person (an individual), and data that does not. The GDPR does not affect data of the second type, as long as it cannot be re-associated with a person. For all practical purposes, then, you should focus on data associated with a particular person. For most companies on the Internet this data lives in a "profile": a record or series of records containing an identifier that ties the record to a specific person. Examples of profile data are your social media posts, your medical history including x-rays, the profile an advertising agency keeps on you, and so on. The GDPR simply clarifies (and this clarification was already in the previous directive, which everyone ignored) that the company does not own this data. You are merely its custodian, and that custody places responsibilities on your company. In other words, data is an asset to a business only if its value exceeds the cost of managing it properly. And proper custody requires proper processes (which you should have anyway!), including the ability to delete data on the user's first request unless you are legally obliged to retain it, to correct it, and to give "data subjects" (individuals) access to the data you hold on them.
If this sounds like a burden to you, then you are right: it really is a burden. But again, data lifecycle management makes sense anyway. To act in the interests of your users you should, even without the GDPR, correct incorrect data and tell people what you have collected about them when they ask. And this is the key point: EU legislation is written from the point of view of EU citizens, not from the point of view of the businesses that manage data about those citizens. Their interests are legitimate, but secondary.
The types of data at a company's disposal largely determine its GDPR burden. Usually, the more sensitive the data, the heavier the burden. If the data is already public, the burden is small or nonexistent. For sensitive data, such as medical records or financial transactions, the burden is much higher. The good news is that this relationship was known long before the GDPR came into force, which is why banks usually make more effort to protect customer privacy than the e-commerce store where you bought a pair of socks last week. Of course, not all banks are equally diligent, and some banks will have to do more work because of the GDPR. And some hospitals are probably better at protecting information than others. The same applies to commercial enterprises: those that have put their house in order, automated their procedures, and generally see themselves as custodians rather than owners of the data should be in a better position when it comes to the GDPR.
So the type of data stored matters.
There is also a special category of data: PII, short for Personally Identifiable Information. This is any information that helps identify a person. Obvious examples of PII are full names and social security numbers. A less obvious example is an IP address. Even less obvious: the presence of a rare disease combined with the name of the small town where the person lives. There are many more examples like this. The simplest approach is to treat all data about a person as if it were PII; it is better to take unnecessary precautions than to regret not taking them. But if it seems to you that some data can be handled more loosely, then weigh carefully which of it should be treated as PII and which should not.
Data volume
Companies with thousands of records (for example, an online store that records every sale) are less affected by the new law than a company with millions or billions of records about its users. These are usually companies of different sizes, and they will have to spend different amounts of effort and bear different burdens to comply with the GDPR. Yes, the lifecycle management described above is implemented the same way, but if you were able to automate data collection, there is no excuse for not automating data management. This is simply a cost of doing business. SaaS companies that handle large amounts of customer data will want to be as certain as possible of their compliance, because they are much more attractive targets for attackers, which increases the risk of a data leak. Note that there are exceptions: for example, your tax authorities may have their own retention rules for accounting information. But that is bookkeeping, which probably has little to do with your web services and concerns only actual cash flow.
Organization size
The compliance burden for a small organization is lower because a small business does not need a dedicated data protection officer (DPO) or chief compliance officer (CCO), as long as the company does not hold very large amounts of data or deal with the most sensitive data. Otherwise, the company most likely already has such an employee, so the law does not make much difference.
But very small companies (say, a one-person company) that process extremely sensitive data might consider hiring someone, at least part-time, to make sure they are not exposed to unnecessary risk.
All together
So if you have a small company dealing with a small amount of non-sensitive data, the impact of the GDPR is very limited and easy to handle. For a mid-sized company, say 20 employees with very sensitive data, the burden is proportionally greater. And if you run a very large company, you most likely already have specially trained people dealing with compliance. The law affects everyone differently, but given the importance of the issue, the rights of data subjects outweigh the commercial interests of companies. If there is a benefit in collecting data, then effort can be made to protect it and store it properly. This difference in the law's impact is mostly relative. In absolute terms, large companies, and companies with large amounts of data or sensitive data, will spend more on compliance; it is just that for smaller companies the impact of the GDPR will be greater relative to their overall turnover. This well-known phenomenon applies to all aspects of doing business. It is called "economies of scale", and it is one of the reasons software-based products and services are so profitable: their economies of scale are simply huge.
What can no longer be done
- store all data forever
Until now, the rule for storing end-user data seems to have been: "Keep it until we run out of disk space." But disks have become so cheap that nobody worries about that at all, and data is simply added without ever deleting anything. Yes, you read that right: before the GDPR, companies were in the habit of never deleting anything. Even if you asked them to delete your data, which they might do reluctantly, in the end the data was simply marked as deleted but stayed in place. That no longer works: if someone requests deletion, the request can no longer be ignored, and the data really must be deleted. The only exception is data you are required by law to keep, and in that case I would advise keeping it only in archival storage.
The situation with backups is a bit more complicated; this is one of the areas where there are a lot of rumors and fears that the law is impossible to comply with. In fact the requirement is simple: keep the keys of deleted records in a separate log. If for some reason you restore from a backup, you then replay the deletion requests from that log, starting from the moment the backup was taken. That way a restore cannot accidentally resurrect deleted records. If you worry that keys alone are not reliable enough (for instance because they may be reused), you can also overwrite the relevant data inside the backup with zeros to delete it permanently. Note that this resembles pseudonymization, which in the case of PII is not enough to comply with the law if the deleted data can be reconstructed from what you keep. Real deletion is by far the safest way to solve the problem. All of this assumes that your backups are properly encrypted and that the keys cannot be recovered without the involvement of the responsible person.
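As an added illustration (this code is not from the article; it assumes a toy in-memory key-value store with constructed sample records, not any real system), the deletion-log replay described above looks like this in Python. It also shows the article's alternative of zeroing a record inside the backup itself:

```python
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A record is a flat mapping of field name -> value (constructed toy schema).
Record = Dict[str, str]
Backup = Tuple[float, Dict[str, Record]]  # (time taken, snapshot of records)


@dataclass
class Store:
    """Primary data store plus the deletion log the article describes.

    The deletion log lives OUTSIDE the backed-up data set: if it were part
    of the backup, a restore would roll the log back as well and the
    deletions made since the backup would be lost with it.
    """
    records: Dict[str, Record] = field(default_factory=dict)
    deletion_log: List[Tuple[float, str]] = field(default_factory=list)

    def delete_subject(self, key: str, now: float) -> bool:
        """Really remove the record and append (time, key) to the log.

        Only the key is logged, never the deleted data itself. The log is
        appended to even if the key is currently unknown, so a later restore
        that brings the record back from an older backup is still covered.
        """
        existed = self.records.pop(key, None) is not None
        self.deletion_log.append((now, key))
        return existed


def take_backup(store: Store, now: float) -> Backup:
    """Snapshot the records and tag the snapshot with the time it was taken."""
    return now, copy.deepcopy(store.records)


def restore(store: Store, backup: Backup) -> List[str]:
    """Load a backup, then replay every deletion logged after it was taken.

    Returns the keys that had to be re-deleted, for the audit trail.
    Deletions logged before the backup are skipped: the snapshot already
    reflects them.
    """
    taken_at, snapshot = backup
    store.records = copy.deepcopy(snapshot)
    replayed: List[str] = []
    for ts, key in store.deletion_log:
        if ts > taken_at and key in store.records:
            del store.records[key]
            replayed.append(key)
    return replayed


def scrub_backup(backup: Backup, key: str) -> bool:
    """The article's alternative: overwrite the record inside the backup.

    Every field value is replaced with a zero-filled placeholder of the
    same length, so the backup keeps its shape but no longer carries the
    subject's data. Returns False if the key was not in the backup.
    """
    _, snapshot = backup
    rec = snapshot.get(key)
    if rec is None:
        return False
    for name in rec:
        rec[name] = "0" * len(rec[name])
    return True


def demo() -> Tuple[Dict[str, Record], List[str]]:
    """Constructed timeline: erasure, backup, another erasure, then a restore."""
    store = Store()
    # Constructed sample subjects (not real people).
    store.records = {
        "u1": {"name": "Alice Example", "email": "alice@example.invalid"},
        "u2": {"name": "Bob Example", "email": "bob@example.invalid"},
        "u3": {"name": "Carol Example", "email": "carol@example.invalid"},
    }
    store.delete_subject("u3", now=150.0)   # erased before the backup
    backup = take_backup(store, now=200.0)  # backup no longer contains u3
    store.delete_subject("u2", now=300.0)   # erasure request after the backup
    replayed = restore(store, backup)       # disk failure later on: restore
    return store.records, replayed


if __name__ == "__main__":
    records, replayed = demo()
    print("re-deleted on restore:", replayed)        # ['u2']
    print("subjects after restore:", sorted(records))  # ['u1']
```

Two practical caveats: the log must be stored and backed up separately from the data it refers to, and retained at least as long as the oldest backup you might ever restore; and if the key itself identifies a person (an e-mail address, say), the log is itself personal data, in which case logging a keyed hash of the key instead still allows replay without keeping the identifier in the clear.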
- ignore user requests to delete, correct, or inspect their data
The burden of requests from users (or "data subjects") to delete, correct or inspect their data can be quite significant. Automation is indispensable here: self-service and a one-time investment of time and effort will pay for itself many times over in the coming years. If you ignore such requests, a frustrated person (perhaps me) will sooner or later contact their local data protection authority (DPA) to file a complaint. The first time this happens the DPA may ignore the complaint; I expect they will be very busy in the near future. But they will probably open a file. And as that file gets thicker, because more and more people complain about your company, sooner or later someone will be assigned to talk to you.
The conversation will go something like this: "We have received several complaints that you deliberately ignore legitimate requests from data subjects. Please explain." After which you, as brazen as ever, explain that the law is too burdensome and the DPA can go to hell. The agency will respond something like: "We are sorry you feel that way, but you are nevertheless obliged to comply with the law, otherwise...", where after "otherwise" comes a warning about the penalty they can impose if you keep ignoring the law. Then some time passes. A new user files a complaint. It is added to the file, and when adding it the clerk notes that you have already been warned. This is where it gets interesting. This time the DPA is likely to issue a binding warning: a directive that you ignore at your own peril.
The third time is best avoided: you will actually be fined. You might think you can ignore the fine because your company is registered outside the EU. But the regulators have foreseen this: to do business in the EU, you must have a "designated representative" in the EU. Yes, you read that right. This is probably the most aggressive change the European Union could have made: you really must have a legal representative in the EU. If your business already operates there, that will be your designated representative. If not, you will have to get one. There are already companies offering this as a paid service.
So as soon as you are fined, the designated representative is notified. Most likely the representative has a contract with you and also has a counterpart in your own country. Under that contract, you reimburse the representative in your country for any fines collected through the representation of your legal entity in the European Union. So you have a choice: fight your own representative in court in your home country, or pay the fine.
People are usually shocked when they see the statistics on recorded breaches over the past year. The numbers are frightening. They are frightening even before you realize that the vast majority of leaks of confidential data are never reported and therefore never counted in the statistics. This happens for two reasons. First, many breaches go unnoticed. Second, even those that are discovered are not always reported. The GDPR forbids this. Not reporting a breach is one of the worst things you can do. It is irresponsible towards the people affected, and it potentially worsens the consequences, because it deprives regulators of an important tool: the ability to understand the scale of the problem and direct their efforts where they are most effective.
Of course, a breach is bad PR. But then it makes sense to spend some more resources on security and reduce the consequences. If you have done so, you can at least answer the accusations with something positive. Responsible disclosure in the event of a breach will go a long way towards establishing your good faith. Quietly dealing with the problem on the sly may work, but if you are found out, prepare for the full punishment.
- assume that the data in your possession belongs to you and not to the end users
The data you process on behalf of users is their data. The GDPR states this very directly, and that is where the parts of the law on consent, deletion, correction, inspection (and data portability) come from. At best you are the custodian of this data, and if users consent to a specific use of it, you are allowed to process it. But these are not your files. If you start treating them as your own, it is only a matter of time before you commit an offense. Don't do it.
- treat data protection as optional
Companies have a rather strange attitude towards security: it is treated as a pure cost with zero profit potential, and ignored wherever possible. The GDPR finally gives security professionals a real "financial" argument when management ignores their technical ones. GDPR penalties are potentially so high that they usually get the attention of the board. Most companies are not inclined to take such risks, so managers are more likely to order security put in order than to face a potentially very large fine (even if the chance of such a fine is small). It may not be the strongest argument for security, but it is better than nothing. And it seems to be having the desired effect: managers no longer treat security as something secondary that the company will get around to after they retire.
Just as you cannot sell someone else's car or house, you cannot simply take and sell data that users have entrusted to you for safekeeping (or that you collect from their devices, including location information and other valuable things). If you want to sell a user's data, you need their consent. It must be freely given and given for a specific transaction, that is, for a specific purpose of using the data.
If you want to take a chance, you can try to obtain a one-time general carte blanche along the lines of "selling your data to unspecified partners". In the user's place, I probably would not give such consent. But if, to help your organization stay afloat, you ask for consent to sell the data "to Pathfinders Inc. to analyze traffic jams in the city", then I might agree. So obtain consent for selling data, and find the balance between many specific requests with a high consent rate and a single blanket request that few will agree to. And always remember: consent, once given, can be withdrawn, so you need a procedure for handling that withdrawal with the buyer of the data.
Of course, the easiest way to handle all of this is simply not to sell data to anyone.
This is one of the areas where the wording of the GDPR is extremely precise and clear: if you want to process user data for a new purpose, you need consent. It is almost comical that many companies suddenly realized they had been sending spam to large numbers of people without permission, and now, sheepishly and rather late, are finding out that they probably need to ask permission before the deadline passes, because even that letter will probably be considered a violation of the law! (It will be, in my opinion.) So do not be tempted to use data you already have for entirely new purposes.
What to do
- manage the data lifecycle
Like everything else, information has a lifecycle. Endless accumulation is not an option. You need to plan how data is collected, processed, stored, how its owners can change it, and ultimately how it is deleted. To be fair to the creators of the GDPR: you should already have had such processes in place. Even without any GDPR, you should. Plain common sense requires competent lifecycle management of confidential data; it does not take a law. Think of it this way: at some point your data subjects will die. So there is at least one good reason for deleting information about a particular person.
- find out which data falls under the GDPR
It sounds simple, but it can be a significant amount of work for large companies with large amounts of data and poor processes. If you do not start in time, you are unlikely to be done before the GDPR takes effect [May 25, 2018, translator's note]. For each data set, do the following:
- determine exactly what the data contains;
- determine whether it falls under the GDPR;
- if it does, decide whether to keep or delete it;
- securely delete the data you do not want to keep (and update the relevant software if necessary);
- optionally, anonymize the data so that it can no longer be used to identify individuals (this is much harder than it looks at first glance);
- document the personal data you keep and the procedures for processing it.
- make sure your systems are secure
Improve the security of your computer systems, especially those exposed to the web. Read up on the topic, find the most experienced information security specialist in your company and ask them to review the systems from a security standpoint. Implement their advice and make security an integral part of your company at all levels.
- disclose all uses of the collected data in your privacy policy
Aim for a concise, relevant and complete privacy policy. If you plan to do something with the data, obtain consent and spell out every use of the data in that public document. When you change the privacy policy, publish a changelog.
- sign a DPA (data processing agreement) with everyone you hand data to for processing
Absolutely every company to which you transfer data for processing must have a special agreement with your organization, a DPA (Data Processing Agreement, not to be confused with the data protection authority mentioned earlier), without exception. If someone refuses to sign a DPA, refuse to work with that company. If you would not feel safe giving the company access to the family jewels, you do not need to work with it. If you feel you can do without that particular service, walk away from the deal. Today, the easiest way to handle third-party risk for data you control is to make sure the data never leaves your premises. If that cannot be avoided, make sure the DPA is properly executed, that the counterparty can handle withdrawal of consent after the data has been transferred, and that it will under no circumstances pass the data on to others without your explicit (written!) consent.
- disclose the companies you have DPAs with
Tell users which companies process data on your behalf. The privacy policy is the appropriate place for this.
- obtain user consent to use their data
Before you can use data provided by individuals, you must obtain their consent. This is not just good manners, it is a strict requirement. It applies to the initial use of the data after collection and to all subsequent uses. So if you have a brilliant new idea that involves a new use of already collected data, you will have to update your privacy policy and obtain consent again.
- plan for consent withdrawal
Consent can not only be given but also withdrawn. And that withdrawal also affects your relationships with subcontractors, those who process data on your behalf. Withdrawing consent should be no harder than giving it.
- immediately report breaches that exceed the significance threshold
If your systems suffer a breach that exceeds the reporting threshold (which is very low!), report it immediately. You have 72 hours. It is much safer for your response process to disclose on the first day rather than wait until the last moment, because any hiccup in preparing the report will slow you down and make you miss the deadline. If you handle very sensitive data, always report a breach, even a small one. The harm to data subjects can be significant, which makes it more likely that they will contact their local data protection authority, and if the authority cannot find your report of the incident, you will have a rather big problem.
What should probably be done
- store data offline if it is not needed online
If you do not need data right now in a live system (for example, data that matters from a historical perspective but is not part of the current data set), it is better to move it to offline systems. That way, the damage in case of a breach will be limited.
- act in good faith, try to respect the spirit of the law
Recently I have met many people who tried to cheat and find a loophole in the GDPR so they could carry on business as before. Some loopholes are awful and far-fetched, others are cleverer but still clearly contrary to the spirit of the law. If you are prepared to have the matter decided in court, you can take the chance. But if your budget is limited and you do not want to be fined or dragged into an expensive lawsuit, please act in good faith. Otherwise it will later be very hard to convince the regulators that you meant no harm.
- first of all, consider the interests of your users (“data subjects”, “individuals”)
If you put your interests above the interests of people and treat their data as your own, you are doing the wrong thing. Think of it as data lent to you for a while, and be a good custodian of it.
Putting users' interests first also has side effects. For example, users will be happy, and that is ultimately good for business.
- delete data that is no longer used
If you have data that is no longer of interest, do not keep it "just in case". Get rid of it. This significantly limits the damage: a breach is already bad, you do not need to make it worse by leaking data you were not even using. Newspapers love big numbers, and if you lose a lot of data you can easily land on the front page in the worst possible light. Treat your data like nuclear waste: dispose of it as soon as possible.
- use the GDPR as an opportunity
If ten companies offer the same service and only one of them decides to comply with the GDPR and actually treat all customers (and their data) with proper care and respect, the other nine will benefit in the short term: they have not incurred the cost of compliance and can spend those resources on features and marketing. But I think that in the long run the company that set the bar high will win. It will not be fined, it will be able to sell its product to another 100 million customers, and it will be able to use its GDPR compliance as a straightforward competitive advantage. Its probability of a data leak (with the resulting serious damage to the brand) is much lower, and user trust is correspondingly higher.

It is good practice to have outsiders test the resilience of your systems to make sure they are secure. This is relatively expensive and probably out of reach for most small companies, but if your business is big enough it will certainly help you sleep at night. After all, if your doors are stronger than your neighbors', thieves will tend to pass you by. So do not think of security as an absolute (there is no such thing as perfect security) but as something relative: you do not have to outrun the tiger, you just have to outrun the guy running next to you.
- if the company is large enough, it makes sense to get ISO27001 certified
ISO27001 certification does not guarantee GDPR compliance. However, non-compliance with the GDPR is (at the moment) a pretty good indicator of non-compliance with ISO27001, because although ISO27001 does not directly address privacy, it does require substantial processes around security. That in turn significantly reduces the chance of being breached and of the associated mandatory reporting. Companies with an ISO27001 certificate usually have no compliance issues. It forces you to treat data as a liability rather than an asset, and that is exactly the mindset you need when dealing with end-user data.
- read the law at least once, or have a member of staff do it
Reading the law is real work. If you are not a lawyer, you will need a whole day, or even more. It is worth it, because the law contains a lot of useful information that gives a complete picture of what it really is, how it applies to your business, and also how it applies to you as a private person whose data is processed and stored by other companies. If you do not have time for this (although I personally think that every business owner should find the time to read a fairly compact document that may affect their business), assign the task to an employee, or at least read the excellent Wikipedia article on the GDPR to understand the terms, intentions and general scope of the law. This will help in discussions and in determining the law's impact on your business.
- reduce the number of parties you send user data to
The more parties receive your users' data, the higher the chance of something going wrong. Here the damage-limitation principle discussed in the section on deleting unnecessary data applies doubly. Take a company that processes medical data about inpatients. You could embed a third-party analytics tag on the pages where that data is collected, but your need for analytics in no way outweighs the patient's need for privacy. So simply remove the tag. It may be somewhat inconvenient, but that is much preferable to a data leak.

It is always good to keep a minimal model of the GDPR's impact on your business in mind; it makes it much easier to determine where and how the business should adapt to new legislation. In general it is good practice to have such a model in your head whenever important new legislation comes into force. If the business is serious enough, you can use the services of a lawyer with experience in this field (data protection), but even then it is good to know the basics, and to read the text of the law.
What probably should not be done
- pretend not to know about the law and hope it will go away
Ignorance of the law is never a good defense. You look stupid and careless, choosing the easiest way out of every law you do not want to follow: pretend you do not know about it and the problem will disappear. Small children do this by closing their eyes: "I can't see you, so you can't see me." It does not work for kids and it will not work for you.
- assume that the law does not apply to you without proper research
There are exceptions to the rule. You can read up on them and find out whether the law applies to you or not. By looking into it properly, you may find that the law does apply to you even though you thought it did not, or the other way around. Either way, knowledge is power: in one case you are forewarned, in the other you know you are safe.
- play lawyer and try to wriggle out of complying with the law
I have seen many such cases: people who did not bother to read the law, or who look for the one line that will justify their position. This is foolish and will most likely lead to serious disappointment. If you read the law and get a feel for it, you will see that it is written in a way that leaves considerable room for interpretation. This is good, even if you would have preferred everything spelled out precisely. Why is it good? Because it lets regulators punish those who try to apply the narrowest possible interpretation while ignoring the spirit of the law.

This narrow-interpretation strategy works in some countries (the USA in particular), but in Europe it does not work at all. This is perhaps the most serious difference between the two legal systems, and a very important one. If you follow the spirit of the law but violate the letter, you will almost always be fine. If you try very hard to keep the letter while ignoring the spirit, you will hit a wall, and hit it very painfully.
- deliberately break the law
This is obvious, but I will write it down just in case: do not knowingly break the law. If you do, you are setting yourself up for future failure. Either comply with the law, or close your service to the European Union (if you can really do that, which, as I said, is hard to implement).

If you have really deep pockets and are prepared to go to court, and ultimately to the highest court of the European Union, to challenge the law or certain aspects of it, then you will have to break the law in order to deliberately challenge the regulators. But for most ordinary companies this is not an option. Better to leave such adventures to Google and Facebook.
What will make your life easier
- apply the principles of GDPR all over the world
Note that this makes sense even where no such law exists. Now that the law does exist, these principles will help you improve your security posture and, in the long run, demonstrate your commitment to the interests of your users.
Frequently asked questions about GDPR
Once again: this is not legal advice, although it looks suspiciously like it. If you are going to put anything you read here into practice, treat my interpretation of the law as 80% of what you need to know to minimise your risk. Advice is worth what you paid for it, and in this case you paid nothing. Nevertheless, I have tried my best not to talk nonsense. Caveat emptor!
- Do I need a (dedicated) data protection officer?
It depends on the size of the organisation and on the type and amount of data involved. If processing personal data is your bread and butter, and the amount and type of data mean a significant risk in the event of a leak, and your organisation is large enough, then the answer is most likely yes. So medical, financial and advertising companies of any size will almost certainly need a dedicated DPO. If your company processes very little data (say, thousands of records) and the data is not particularly sensitive (say, you sell clothes online), you can get by with a part-time DPO, that is, assign the DPO role to an employee who also performs other duties. This is not ideal, and you must make sure the DPO has sufficient independence. If you do not process personal data at all, you do not need a DPO.
- Do I need an appointed EU representative?
If you do business in the EU but are established outside it, then yes, under the GDPR you will need a designated representative in the EU (the regulation carves out a narrow exception for occasional, low-risk processing that does not involve large-scale processing of special categories of data, but most businesses serving EU customers will not fall under it). This is definitely a burden, and I sincerely hope that the free market will bring the cost of this service down to a level that even the smallest businesses can afford without difficulty.
The representative's functions:
- authorised agent for receiving legal documents;
- the subject of enforcement proceedings in the event of non-compliance by the company;
- direct contact point for the authorities;
- direct contact point for data subjects in connection with the processing of their data.
If you think this is unfair, keep in mind that the rule only levels the playing field between companies from the European Union and those from abroad. The unfairness is that an EU company bears no extra burden for having a registered representative, because it represents itself. An alternative would be mutual recognition of legislation, along the lines of how traffic offences are handled between EU countries: the member states have agreed to recognise each other's speeding and parking fines and to collect them on behalf of their foreign counterparts. But as long as the GDPR applies only in the European Union, mutual recognition is not an option. If other regions adopt similar legislation over time, mutual recognition agreements could be concluded, and the need for a local representative would disappear.
- What happens if I ignore the GDPR and just carry on business as before?
This is a very dangerous question. The consequences depend largely on your business practices. If you are scrupulous in handling user data and have already implemented all or most of the necessary procedures, but changed nothing when the GDPR came into force, you will attract some attention; regulators will probably take a dim view of it if they ever have to deal with you. If you are really small (say, a private forum with a few hundred regulars), you may even escape consequences altogether. But I would not advise that strategy. The problem can come from just a few angry users who report you to their DPA if you fail to honour legitimate requests, and you will have a hard time explaining why you decided to ignore the law. You can sit back and hope for luck, but if I have learned anything in many years of working with commercial companies, it is that having no strategy is as foolish as underestimating your competitors.
The burden of compliance is definitely higher for a more or less serious company. But again, it opens the door to an audience of 300+ million people. Making some effort for that is no sin. And what better signal of your trustworthiness than respect for your customers' personal data?
- Can I store IP addresses?
Yes, you can, but IP addresses are in many cases personal data, and although practically all server software logs them by default, if you do not really need them it is best to do without. If you do need them, make sure they are deleted or truncated (for example, by zeroing the last octet of an IPv4 address) as soon as the need for them passes. Alternatively, rotate the logs quickly enough that the data is never kept longer than its retention period.
- Can I send marketing mailings?
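The truncation described above is straightforward to apply to access logs. The following is an added example (not code from the original article): it keeps the leading 24 bits of an IPv4 address and the leading 48 bits of an IPv6 address, a common convention that is assumed here rather than prescribed by the GDPR, and runs that over Apache/nginx combined-format lines. The function names and the sample log lines are my own; the addresses come from the documentation ranges and are constructed, not real traffic.

```python
import ipaddress
import re
from typing import Iterable, List

# How many leading bits to keep. 24 bits for IPv4 (zero the last octet) and
# 48 bits for IPv6 are a common convention (assumed here, not mandated by the
# GDPR): the value still identifies a coarse network for statistics, but no
# longer a single host.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def truncate_ip(addr: str, v4_bits: int = IPV4_KEEP_BITS,
                v6_bits: int = IPV6_KEEP_BITS) -> str:
    """Return addr with everything after the leading v4_bits/v6_bits zeroed.

    Raises ValueError if addr is not an IP literal, so the caller can decide
    what to do with hostnames, '-' placeholders and garbage.
    """
    ip = ipaddress.ip_address(addr)
    # Edge case: an IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is really an IPv4
    # address. Masking it with the IPv6 rule would reduce it to '::' and throw
    # away all statistical value, so unwrap it first.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = v4_bits if ip.version == 4 else v6_bits
    if not 0 <= keep <= ip.max_prefixlen:
        raise ValueError(f"keep bits out of range: {keep}")
    full = (1 << ip.max_prefixlen) - 1
    mask = full ^ ((1 << (ip.max_prefixlen - keep)) - 1)
    return str(ipaddress.ip_address(int(ip) & mask))


# Combined-format access-log lines start with the client address followed by
# whitespace; everything after the first field is left untouched.
_CLIENT_FIELD = re.compile(r"^(\S+)(\s.*)?$", re.DOTALL)


def anonymize_log_line(line: str) -> str:
    """Truncate the client IP that starts a combined-format log line.

    Lines whose first field is not an IP literal (a '-' placeholder, or a
    hostname when reverse lookups are enabled) are returned unchanged.
    """
    m = _CLIENT_FIELD.match(line)
    if not m:
        return line
    client, rest = m.group(1), m.group(2) or ""
    try:
        return truncate_ip(client) + rest
    except ValueError:
        return line


def anonymize_lines(lines: Iterable[str]) -> List[str]:
    """Apply anonymize_log_line to every line, preserving order."""
    return [anonymize_log_line(line) for line in lines]


# Constructed sample lines using documentation-range addresses (not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [21/May/2018:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [21/May/2018:10:15:33 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.58.0"',
    '::ffff:198.51.100.7 - - [21/May/2018:10:15:34 +0000] "GET /api HTTP/1.1" 200 17 "-" "python-requests/2.18"',
    '- - - [21/May/2018:10:15:35 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.10"',
]

if __name__ == "__main__":
    for out in anonymize_lines(SAMPLE_LOG):
        print(out)
```

Two practical caveats. If your servers sit behind a load balancer or CDN, the real client address is usually logged from an X-Forwarded-For header rather than the first field, and that value has to be truncated in the same way or the exercise is pointless. And truncation only covers the "keep the data but reduce it" option from the paragraph above; the retention side (how long log files live before rotation deletes them) is a logrotate or log-pipeline setting, not something this snippet enforces.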
Yes, you can, with the appropriate consent. But after 25 May you cannot send emails asking for that consent. Any addresses you collected without the users' consent should be considered lost. As a rule, such messages are classed as spam, which may not be sent to private individuals.
- Can I add a checkbox letting users waive their rights under the GDPR?
No way.
If you can afford it, by all means. But be sure to get references before entering into a contractual relationship with anyone.
- Do I need ISO27001 certification?
ISO27001 is not directly related to the GDPR. However, the certification process forces you to answer many of the questions that will be asked after a breach: for example, did you do everything you could to prevent it? ISO27001 certification is essentially an external auditor checking your homework. Of course, a data leak is still possible afterwards, as the result of an insider or an oversight. But at least you will have done everything reasonably possible to avoid it.
Another advantage of ISO27001 certification is that, at the moment, it acts as a kind of proxy for GDPR compliance. Partners will do business with you in the new legal climate if you hold this certificate, because they will assume everything is in order.
The downside is that such an audit is not cheap (only reasonably large organisations can afford it) and the cost is recurring (the audit is conducted annually).
- How can I reliably determine whether a user is an EU resident?
In short, you cannot. Yes, you can ask, but the user can lie. There are GeoIP libraries, but they are not fully reliable: someone may be using a proxy or VPN, a satellite link, and so on. It is annoying, but you cannot determine with 100% certainty where a person is.
- Should the site have a separate system for EU residents and for the rest of the world?
You could, but it is far too much work. And in the end, do you not want to treat all your other users as well as you treat those from the European Union? It seems an absolute waste of resources to maintain two systems just to deprive users outside the EU of some useful features. Personally, I would use the occasion for PR: announce loudly and clearly that users from all over the world get the same level of protection and the same control over their data as EU citizens. That may help you against the competition if your competitors do not do the same. Conversely, it may work against you if a competitor decides to go down this road.
- What about my hobby project?
The GDPR does not distinguish between a hobby and a business, which seems right to me. It does not matter whether you regard your project as a hobby or not. As soon as you start collecting data about individuals in the EU, the regulation applies and you will have to comply.
- What about an open source project?
Open source software is software, not a service. As long as you simply write the software and distribute it without collecting user data, your activities fall outside the scope of the GDPR. As soon as you run an online service built on software you wrote yourself, open source or not, your project is within the realm of the GDPR.
- What about ... [insert some wild borderline case here]?
There are many borderline cases, too many to list here, but let me take one I have seen several times. If you are worrying about how to identify EU residents among your users while they are abroad, you are worrying about the wrong thing. EU lawmakers and data protection agencies are not going to jump out of the bushes near your house to fine you in such situations. But you should still treat requests for deletion, access and correction of data from these users (and probably from all others) as if they were legitimate requests. After all, why ignore them?
There may well be a third part of this article; I have not decided yet, as these articles take a lot of time to write.