Blog / Apr 1, 2018
How Will GDPR Affect Tech Companies?
Nearly all aspects of our lives today revolve around data. From our interaction on social media to financial sector, retailers and our governments — nearly every other service involves collection and analysis of personal data. All of our personally identifiable information, including name, address, credit card number among other things are collected, analyzed and and stored by organizations.
Data breaches will happen inevitably. Information gets stolen, personal details are released with malicious intent to people who were never intended to see it. Here the question arises; What are the countermeasures put in place to prevent such chain of events.
Recently announced framework for countering stolen data is the General Data Protection Regulation (GDPR).
You can be fined up to 20 Million Euros for breaking GDPR regulations.
The EU’s General Data Protection Regulation (GDPR) is the conclusion of four years of efforts to update data protection for the 21st century, in which people regularly grant permissions to use their personal information for a variety of reasons in exchange for ‘free’ service
The GDPR is a new legislation designed to provide citizens of EU with more control over their personal data. It focuses on simplifying the regulatory environment for business so people in EU can benefit from the booming digital economy.
GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. It entails the following:
- Any organization which collects, processes or stores personal data of EU individuals, needs to ensure compliance with the GDPR.
- Under the terms of GDPR, not only will organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.
Why GDPR is necessary?
GDPR is considered as an evolution of the current legislation which includes basic parameters such as name, address and photos. GDPR extends the definition to ‘Personally Identifiable Information’ and includes sensitive personal data such as genetic data, and biometric data which could be processed to uniquely identify an individual. Details are stated here.
GDPR goes in effect across the European Union from May 25, 2018. All the member nations have to integrate it into their own national law by May 6, 2018.
So, why do we need the new GDPR and can’t continue to operate under the Data Protection Directive 1998?
The Data Protection Directive is based upon data protection legislation, first laid down in 1995. In 1995 the internet was not widely available. Hardly anyone had a mobile phone. Phone numbers were written down in address books. Photos were developed. Holidays were booked on Teletext or Ceefax. The amount of data you shared was limited.
Now think about your life as you live it today. How many apps do you have on your phone? How often do you open these apps and what activities do you use them for? Do you buy goods or services? Do you pay bills or check your bank balance?
Virtual Force now offers end-to-end GDPR compliance for tech companies. Interested? Drop us a message here.
The way we use and share information has altered exponentially in ways we could never have imagined in 1995.
Quite simply the DPD 1998 is no longer fit for purpose and the GDPR is updated data protection legislation, designed to ensure the safety of personal data in our modern, technological world.
The GDPR’s definition of personal data is now also much broader than under the DPA. Article 4 of the GDPR states that ‘personal data’ know means any information that can identify a person. It further states:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Who will get affected by GDPR?
So who are likely to be affected by GDPR? As per the GDPR, the stakeholders are divided into 3 categories.
- Controller (means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data).
- Processor (means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller).
- Data Subject (Data subjects” are natural persons who can be directly or indirectly identified by the controller or a third party using reasonably likely means).
How this works in real life:
Banks ––––> Controllers
Payment Processing Company ––––> Processors
Account Holders ––––> Data Subjects
Facebook ––––> Controllers
Third Party Apps ––––> Processors
Individuals ––––> Data Subjects
What Rights Do Your Customers Have?
Right to Access
The right for data subjects (“Personal data” are data relating to a data subject.) to obtain from a company confirmation as to whether or not personal data on them is being processed, where and for what purpose. The organization must provide a copy of their personal data in an electronic format, free of charge.
“Data breach notification” refers to responsibility of controllers to quickly provide information on data breaches, such as unauthorized access or other data leaks.
- Companies must notify the Supervisory Authority of any data breaches without undue delay.
- Customers must be notified of a data breach that’s likely to “result in a risk for the rights and freedoms of individuals” within 72 hours of being aware of the breach.
- The notification includes information on the breach itself, the measures taken to fix it, and possible consequences.
Right to be Forgotten (Right to Erasure)
Individuals have the right to require a company to delete their personal data if the continued processing of data is not justified (especially where the data are inaccurate or incomplete).
What it says in effect is that if a controller has no justifiable reason to further processed data, or processed in breach of the Regulation, the data subject is entitled to have the data deleted.
GDPR has been introduced to avoid system designs where data protection safechecks and requirements are added as an afterthought
There are exceptions to this rule however, as a controller may be legally obliged to retain data after it has been used or when it is necessary for exercising the freedom of expression.
- Individuals have the right to require companies to transmit their personal data to another company.
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without interference from the controller to which the personal data have been provided before.
Data protection by Design and by default
Data protection by design means that, already when designing products and services, data protection requirements should be taken into account. This is to avoid system designs where data protection safechecks and requirements are added as an afterthought. It helps avoid high development costs and lower protection for data subject.
Data Protection by default means that additional and value added services and product should be set to most privacy-friendly settings. More so, this means that by default, personal data should not be made accessible to an indefinite number of individuals.
Organizations handling data can only hold & process data that is necessary for completion of duties. If the data is being sent out to processors, it should also be limited in access (known as data minimization).
GDPR requires people whose data is being used to signal a clear approval to the processor. It also requires parental consent for processing data related to minors (between ages of 13-16, depending on the member EU state).
Consent should be given clearly and explicitly. Consent is one way for data subjects to control how data about them are processed. That is why ‘Implicit Consent’ will not provide such clarity and would not put data subjects in full control of their data.
Fines & Penalties:
The GDPR imposes heavy fines on controllers and processors for non-compliance, varying on the degree of the neglect (or crime).
The following 10 criteria are to be used to determine the amount of the fine on a non-compliant firm:
Nature of infringement: number of people affected, damaged they suffered, duration of infringement, and purpose of processing.
Intention: whether the infringement is intentional or negligent.
Mitigation: actions taken to mitigate damage to data subjects.
Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance.
History: Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and past administrative corrective actions under the GDPR, from warnings to bans on processing and fines.
Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement.
Data type: what types of data the infringement impacts; see special categories of personal data.
Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party.
Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct.
Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement.
Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, on infringements relating to:
1. Integrating data protection ‘by design and by default’
2. Records of processing activities
3. Cooperation with the supervising authority
4. Security of processing data
5. Notification of a personal data breach to the supervisory authority
6. Communication of a personal data breach to the data subject
7. Data Protection Impact Assessment
8. Prior consultation
9. Designation, position or tasks of the Data Protection Officer
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher on infringements relating to:
1. The basic principle for processing, including conditions for consent, lawfulness of processing and processing of special categories of personal data.
2. Rights of the data subject.
3. Transfer of personal data to a recipient in a third country or an international organisation.
Separate to these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of violating the GDPR.
The cost of incurring a penalty is astronomically higher than implementing safechecks. Virtual Force has a comprehensive checklist to tick-off your worries. Drop us a message here if you’re interested.