The GDPR (General Data Protection Regulation) was designed with good intentions... the result may leave you thinking otherwise. Due to an overzealous drive to encourage compliance, combined with little to no analysis of the financial impact the law could have, businesses that violate the GDPR will face minimum fines of ten million Euros. At CiraSync, we originally thought that GDPR was exclusively about data residency: if we domiciled all customer data in an EU data center, we would be in compliance. That assumption was wrong. We felt this presented an opportunity to educate our customers and readers on exactly what the GDPR is about.
Just what is the GDPR?
If the Equifax and Facebook scandals of the last decade are like plagues on the internet, GDPR is meant to serve as a vaccine preventing similar events from occurring again. On May 25th, 2018, the EU will begin its rounds to eradicate that plague. Explaining the GDPR in its entirety would take a multi-week course, but for the purposes of conceptualizing it here, the GDPR is a piece of EU legislation meant to safeguard data on the internet. However, unlike a typical piece of legislation, the GDPR is largely, but not entirely, a set of ideals rather than codified laws. This was done so that it could serve as a “living document” (similar to, say, a constitution), with many of the actual, tangible standards being decided upon by an appointed committee as the need arises. While this sounds excellent on paper, it makes being compliant difficult when many of the requirements are still unknown. The GDPR is a huge, sprawling piece of legislation, one of those “we really don’t know everything that’s in it, and neither do its creators, because it was made by committee” types of legislation. However, the hope is that it will serve as a set of regulations and ideals to guide the future of data protection and management online. It does this by creating safeguards and regulations for how personal data is stored, processed, and controlled. For example, there must be a system in place for the removal of data at the user’s request.
What’s important for U.S. business operators is that compliance has an “Extraterritorial Applicability”: U.S. companies that aren’t compliant with the GDPR guidelines won’t be doing business inside the EU or with EU entities unless they want to expose themselves to potentially catastrophic fines. Understandably, compliance is going to be vital if companies wish to keep their EU clients and partners working with them. It’s fair to say that this style of regulation and enforcement is rather heavy-handed. While it has left many companies and individuals outraged, compliance will likely be high. So, with that in mind, here’s a breakdown of what the GDPR means for American businesses, along with the guidelines laid out in the new regulations.
What exactly are the new guidelines?
The GDPR aims to protect EU citizens from data breaches and increase their privacy through a number of core directives. These directives include the following:
Breach Notification
Under the new guidelines, companies are required to notify all individuals whose information may have been compromised. In the event of a data breach, notification must be given within 72 hours of becoming aware of the breach.
Right to Access
There are peculiar terms involved in the GDPR, so it’s helpful to understand what a Data Controller, Data Processor, and Data Subject are. For example, both Google and Facebook are Data Controllers, meaning they can act upon, store, transfer, and sell data. These entities generate revenue by using personal information and demographics to create targeted audiences. Once they have those groups divided and defined, they sell space on their platforms to advertisers who wish to reach those targeted audiences.
On the other hand, a Data Processor is an entity that stores or transforms data on your behalf. CiraSync is a Data Processor: it processes data according to the synchronization rules that a customer specifies. For example, contact lists and shared calendars are used exclusively by a subscriber, so CiraSync treats them as blobs of data to be encrypted and used only for the benefit of that subscriber.
Finally, there are Data Subjects, i.e., users. When the GDPR refers to Data Subjects, it’s talking about you: the individual surfing the web or entering your profile into a social network. The right to access gives Data Subjects the right to request information from Data Controllers as to what their personal information is being used for, what data has been collected, and if (and to whom) said data has been distributed. Users have the right to see all of the personal data collected about them, free of charge, in an easily readable format.
Right to be Forgotten
One of the more publicized aspects of EU data policy, the Right to be Forgotten, aka data erasure, requires that a Controller or Processor delete any and all personal information of the requesting party, immediately halt any dissemination of that information, and in some cases halt third-party processing of said data. There are some exceptions to this rule, but changes like this are very representative of what the GDPR hopes to accomplish. Some examples of this are as follows:
- Your entire social media profile and all data about you, including meta information, is purged.
- A search engine removes you from its indexes so that your information no longer appears in search results.
- Your information is deleted from databases such as those used for email marketing or phone solicitation.
There are a number of different forms in which data can be and has been gathered; the GDPR gives Data Subjects a significant amount of power over where their data goes and who can use it.
Data Portability
Data Portability requires that companies turn over all personal information they have on an individual at that individual’s request. Data must be turned over in a timely, easy-to-read manner, for free.
Privacy by Design
A bit less tangible of a tenet, but the aim of the Privacy by Design guideline is to have data protection built in at the point of system design, not bolted on as a later addition. Pretty much an unenforceable, meaningless tenet. It’s a nice ideal, but without actionable guidelines, it’s basically useless.
Data Protection Officers
Without going into too much detail, organizations that fall into one of the following categories: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37), will need to hire a Data Protection Officer to oversee the proper handling and control of individuals’ personal information. There are a myriad of rules and regulations associated with this individual that we won’t cover here, but they can be researched further on the GDPR website. There’s a long list of rules regarding a Data Protection Officer, but here are two which do a good job of illustrating the absurd guidelines:
- The Data Protection Officer must report directly to the highest ranking officer within the company, and no one else. (That’s right, the CEO / Board / etc).
- The Data Protection Officer must have no other duties within the company, must be sheltered from all political aspects / inclinations of the company, and must have a neutral role in the company…while being an employee of said company.
DPOs are only required for Data Controllers, so if you are a small company providing services and fall into this classification, you might find this as absurd as it sounds.
Informed Consent
With the GDPR, changes have been made to how companies are allowed to collect user information. Starting in May, when collecting user information, a threshold of Informed Consent must be met.
In the Past: Companies could actively buy mailing lists assembled through data mining, general collection, etc. A marketing firm could effectively collect users’ email addresses without their consent.
In the Present: Companies can no longer (typically) buy email lists; instead, users have to opt in to a mailing list, often by signing up.
In the Future: Informed consent, i.e., double opt-in. Users have to first opt in to an email, and from there they must be informed extensively of how their data will be used, how it will be processed, who will handle it, and so on. It creates a rather large barrier to collecting user information. In fact, many marketing firms believe that the average company’s mailing list will drop by over 50%.
Furthermore, users who opted in, even in the recent past, have to be updated regarding the changes in data policy; these previously existing opt-ins no longer pass the bar of what is considered informed consent.
Data Residency
The GDPR outlines special considerations if EU data is stored outside the confines of the territorial EU or transferred outside said territories. Many companies will now find it necessary to rent storage space on servers physically located within the EU itself in order to be compliant with this mandate. If you access data inside the EU and want to process it elsewhere, additional red tape may apply.
This is a long list of changes that will take some time to fully come into effect. In the meantime, here’s what we’re doing at CiraSync to ensure GDPR compliance and protect our users’ personal information:
- We have set up worker servers in an EU data center. All data is processed and resides within the EU. In other words, we are in compliance with the GDPR Data Residency requirements.
- CiraSync has to read a contact list and then write many dozens or hundreds of times back to user mailboxes. We couldn’t do this without an intermediate database to cache this data. For EU subscribers, all cached user data is now stored on EU servers.
- Encryption of all personally identifying information will be implemented in Q2 2018.
- Website improvements to meet GDPR compliance.
Regardless of the industry, the guidelines put forth by the GDPR signal a massive change in how companies will have to handle and approach user information. While the changes themselves are not overly difficult to implement, you may find that hiring a Data Protection Officer is necessary.
What this means for businesses is still left to be seen. It will likely take several years for the full impact of these changes to be understood in their entirety.
We’d like people to walk away from this asking themselves these questions and considering whether the GDPR in fact goes too far:
- What exactly happens to a business that does a half-baked job implementing the regulations and gets fined?
- Do changes need to be made?
- How high will compliance be?
We’ll follow up once the legislation has gone into effect. By the way, we took some editorial liberties with the title. It’s not true; not yet anyway.