Photo: Markus Spiske

One of the hottest topics of the year is the fast approaching General Data Protection Regulation (GDPR), affecting organisations and businesses that collect and handle data on EU citizens.

Available information on the GDPR, effective in May 2018, is plentiful and riddled with nominal details. Therefore, we thought it best to recap and distill all the key information regarding the GDPR into a digestible format for developers and publishers working with personal data.

Above and beyond reading through a plethora of texts — to spare you the trouble — for this article I interviewed two experts on the subject, an experienced developer and a specialised consultant, to further elaborate on the caprices of the GDPR.

So, if you develop or run a site or a platform dealing with any personal data on EU residents, best take heed.

The Very Basics

The GDPR (“the Directive”) is a set of regulations and process requirements for collecting, processing, storing and transferring personal data on EU citizens. Once effective, the GDPR replaces the existing Data Protection Directive of 1995 (95/46/EC). The raison d’être of the GDPR is to better

The GDPR applies if the data controller (e.g. businesses and organisations), processor (e.g. cloud service providers), stakeholders (e.g. data architects and DBAs) or subjects (citizens) reside in the EU or collect and handle personal data of EU residents.

In addition, according to the GDPR Article 48, a data controller or processor bound by the Directive may be compelled to transfer or disclose personal data of EU subjects, but only if the given third country’s (outside the EU) discovery request is

“based on an international agreement, such as a mutual assistance treaty, in force between the requesting third country and the Union or a Member State”.

However, the way the Directive will affect international discovery requests and other legal proceedings remains to be seen, as definitive rulings await court precedents.

Legal matters aside, our main responsibility as service providers is to guarantee a solid foundation for customer-centric information security, providing customers with clarity as to which data is collected and why, and rights to affect the collection and storing of said data.

What is Absolutely Required

Companies under obligation of the GDPR must first and foremost make sure that their basic information security is in order, with all the necessary components updated and working. That is, compliance with the GDPR entails data protection by design and by default. This must be the prerequisite to all system updates and development.

According to Tuomas Riihimäki, a developer for Vincit, too loose an attitude towards data security and “bubblegum fixes” postponing proper system updates will likely result in a world of trouble. He emphasised that basic security measures must be in order to enable compliance with the Directive, as well as for

“sheer business reasons such as maintaining a creditable reputation, image and liability for compensation”.

Which are obviously things you should consider regardless.

Beyond the basics, personal data should be handled by personnel who are duly educated and guaranteed by a nominated Data Protection Officer (DPO). All handling of personal data must be logged and documented appropriately.

Transferring data must be done in strict accordance with the GDPR’s legal requirements and in international cases, transfers should be made with legal assistance and authorised by a DPO. Storing all personal data must be done in pre-approved systems and cloud services compliant with the Directive.

Your Main Responsibilities

The main thing about the GDPR is improved customer-centricity and security, which means that you’re responsible for informing your customers about what data is being collected and why. Above all, you must have their consent to the collection and use of their personal data.

Let your customers know which of their data is being collected and what that data is used for, and finally have them check a box or click on a button to give you consent to proceed with your business. A simple overlay consent form will do.

You must have, and inform your customers of, a specific use for collecting data. In addition, you should limit the use of personal data to the purposes you have stated.

Say, if you use your customers’ data to offer them personalised content, you must explicitly inform them that this is the case, and explain what it is in their personal information that you need and why — to offer them better service.

If you have secondary uses for the data, they must be relevant to, and in line with, the primary use purposes. That is, you must limit the use of data to the bare necessities. Whatever they may be.

On top of the above, you have a responsibility to handle all data in concert with the Directive’s legal requirements, show compliance (documented!) and inform supervising authorities and affected subjects of possible information security breaches within 72 hours. Easy, innit!

Keeping Your Customers in the Loop

One of the major upturns of the GDPR is the “right to erasure”. And no, I’m not talking about the 80s synth-pop band, although they’re awesome, too!

Erasure, the band

The right to erasure (or “right to be forgotten”) grants your customer the power to withdraw their personal data by requesting erasure. Unless you can present a legally binding reason for continued storage, you have a responsibility to act in accordance with their wish without “undue delay”.

However, even if they never request erasure, you still have a responsibility to delete or, in some cases, anonymise personal data if and when the collected data is no longer relevant to the uses it was collected for in the first place. As Riihimäki put it:

“You can’t just jam the data in your systems forever.”

This presents a challenge to database architecture and storage design, because you need to know how old any given data is, when the last login was, etc. Also, going back to the thing about legal rulings, we don’t yet know what this “suitable time” for storing redundant data will be.
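One way to implement the age-based clean-up described above, as an added example that is not part of the original article: a retention sweep in Python over a SQLite table. The table layout, the `legal_hold` flag and the 24-month retention period are assumptions for illustration; the article notes that the appropriate period is not yet settled.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=730)  # assumed period; the article says none is settled
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT,
    last_login TEXT,                      -- ISO 8601, always UTC
    legal_hold INTEGER DEFAULT 0,         -- 1 = legally binding reason to keep
    erasure_requested INTEGER DEFAULT 0,  -- 1 = subject asked for erasure
    anonymised_at TEXT);
CREATE TABLE audit_log (ts TEXT, user_id INTEGER, action TEXT, reason TEXT);
"""

def retention_sweep(db, now):
    """Anonymise users who requested erasure or whose last login is older than
    RETENTION, skipping legal holds. Returns [(user_id, reason), ...]."""
    cutoff = (now - RETENTION).isoformat()
    rows = db.execute(
        "SELECT id, erasure_requested FROM users "
        "WHERE anonymised_at IS NULL AND legal_hold = 0 "
        "AND (erasure_requested = 1 OR last_login < ?) ORDER BY id",
        (cutoff,)).fetchall()
    done = []
    with db:  # one transaction: the change and its audit record commit together
        for user_id, requested in rows:
            reason = "erasure_request" if requested else "retention_expired"
            db.execute("UPDATE users SET email = NULL, name = NULL, "
                       "last_login = NULL, anonymised_at = ? WHERE id = ?",
                       (now.isoformat(), user_id))
            db.execute("INSERT INTO audit_log VALUES (?, ?, 'anonymise', ?)",
                       (now.isoformat(), user_id, reason))
            done.append((user_id, reason))
    return done

def demo():
    """Constructed sample data: four users, sweep run on 25 May 2018."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    old, recent = [(now - timedelta(days=d)).isoformat() for d in (900, 30)]
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?, NULL)", [
        (1, "active@example.test", "A", recent, 0, 0),   # stays
        (2, "dormant@example.test", "B", old, 0, 0),     # retention expired
        (3, "asked@example.test", "C", recent, 0, 1),    # erasure request
        (4, "held@example.test", "D", old, 1, 1)])       # kept: legal hold
    return db, retention_sweep(db, now)

if __name__ == "__main__":
    print(demo()[1])
```

The sweep is idempotent: rows already anonymised are excluded by `anonymised_at IS NULL`, so it can be scheduled to run repeatedly without duplicating audit entries.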

Further Risks and Challenges

Markus Lyyra, consultant and owner of the Stockholm-based consultancy Livano, addressed the utilisation of public clouds as one of the main risks to information security.

He asserted that identifiable data cannot be stored in certain public clouds and definitely can’t be, without hassle, transferred to other systems. Lyyra specifically mentioned the risks involved in email attachments and their volatility in cases of macro attacks.

As mentioned above, all the space — data centers or clouds — utilised for storing personal data must be pre-approved and compliant with the Directive. Above and beyond employing proper storage systems, encryption and anonymisation are a must.

If you don’t comply with the Directive and/or fail to notify the authorities of security breaches within due time, the repercussions can be truly business-shattering. I’m not joking and nor are the EU. Even at the lower penalty level, the fines may be

I know you don’t want to try your luck there, mate.

What About the Benefits?

On top of the apparent challenges, there are definitely benefits to the GDPR, too. As Albert Einstein said:

“In the middle of difficulty lies opportunity.”

Operating within a business framework, our main task is to serve our customers as well as possible to improve traction, gain new ones and make money by doing so. Thus, offering a truly customer-centric service that empowers its users and grants them better security and reliability cannot be bad.

From another business perspective, by enabling a coherent system for storing and handling data, we’ll gain better indexing and access to relevant information. Subsequently — especially in cases of data deployment for content targeting — we’ll be able to better keep track of which data is viable and which isn’t.

I’m sure, after jumping through a few hoops to attain a robust information security system, the GDPR will bring plenty more benefits — both measurable, and intangible ones relating to greater reliability and trustworthiness. Believe me, it’ll be good!

Final Checklist

Make sure your basic information security is in check.

Make sure you have a well-informed and capable staff, and a nominated DPO.

Be transparent and inform your customers on your data collection and usage.

Make sure you have consent from your customers.

Document, document, document.

In cases of breaches, inform the authorities within 72 hours.

Guarantee necessary encryption and anonymisation of personal data.

Don’t transfer data from one system to another without making sure you have the rights to do so.

Always be audit logging.

Don’t fail to comply with the Directive.

Don’t be negligent or stupid, because that will cost you.

The GDPR becomes enforceable on 25 May 2018.