GDPR for IT Services Providers: The Talking Points
In few days’ time – or, more specifically, on 25th of May, 2018 – Europe’s new data protection regulation (General Data Protection Regulation) is coming into force.
In few days’ time – or, more specifically, on 25th of May, 2018 – Europe’s new data protection regulation (General Data Protection Regulation) is coming into force. In other words: it’s about time to make your business compliant with the new rules, unless you want to pay some hefty fines.
After sharing with you our neat, little GDPR-compliant manual for developers last week, in this article, we take a look at what designing safe systems would mean after 25th of May and what you should do to make sure you’re playing safe and by the rules.
What Should You Do?
Having problems to adapt to the new regulations. It’s actually as easy as 1-2-3… and 4.
Without further ado –
#1. Privacy by Design Is a Key Concept: Learn It by Heart!
Defined in Article 25 of the GDPR, Privacy by Design (or PbD, for short) entails the implementation of
“appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”.
#2. Are You a Processor or a Controller? Find Out!
It’s essential that you discover whether your business falls under the “controller” or “processor” category according to the GDPR formulations.
The distinction may sound a bit confusing at the start – as all new things are – but as you dive into the topic, you may not have that many difficulties defining your role.
According to the GDPR (Art. 4.7)
“Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Examples of controllers are applications (mobile or web) which are designed to track user’s behavior, communication and total service providers (CSPs and TSPs), etc.
Processor, on the other hand (Art. 4.8; see Art. 28 as well)
“means a natural or legal person, public authority, agency or other bodies which processes personal data on behalf of the controller”.
Consequently, processors can be cloud services providers, telecommunication companies, etc.
#3. Learn the Rights and Responsibilities Attached to Your Role. Comply.
So far, so easy, right?
However, the next step is vital.
And if you have any difficulties making it, be sure to request the help of a data protection officer (DPO). Hiring a DPO isn’t an obligation whatsoever, so if your company is small and deals only marginally with personal data, it may even be someone of your current employees – with a relevant knowledge of the GDPR, of course.
Processor, on the other hand (Art. 4.8; see Art. 28 as well)However, if the opposite is true (i.e., a significant portion of your company’s work is related to users’ personal data, and, thus, adhering to the new regulation is destined to become a bit complicated and messy), then hiring an external professional would be the much safer – and better – solution than investing into training your own employees.
According to the "Guidelines on Data Protection Officers (‘DPOs’)"
“a public task may be carried out, and public authority may be exercised not only by public authorities or bodies but also by other natural or legal persons governed by public or private law, in sectors such as, according to national regulation of each Member State, public transport services, water and energy supply, road infrastructure, public service broadcasting, public housing or disciplinary bodies for regulated professions.”
#4. Document Everything
Documenting your activities may be the most energy-consuming part of functioning under the new regulation. But, at the same time, it’s also one of the most crucial.
The most important things you should document everything about are the following:
- privacy statements which define what kind of information you collect and process, and to what purpose;
- recordings of any data processing activities you perform;
- consent information of data subjects;
- data protection activities (such as encryption policy, security terms, etc.)
Privacy by Design
Privacy by design (or PbD) is a key concept of the new data protection regulation. Loosely speaking, it’s a translation of Benjamin Franklin’s suggestion that “an ounce of prevention is worth a pound of cure” into IT terms.
It implies that sufficient data protection should be established across all possible applications and uses of a platform beforehand.
Initially introduced in Canada in 1990s,
“the Privacy by Design framework prevents privacy-invasive events before they happen. Privacy by Design does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred; it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.”
The Seven Foundational Principles of PbD
The seven foundational principles of PbD state that privacy should be:
#1. Proactive, not reactive
This means that you shouldn’t wait for any privacy violations to happen. Instead, you need to prevent them from the start, by opting for an adequate privacy-cantered design.
“PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring.”
#2. Provided by default
Privacy should be a default setting, which means that protection should be enabled automatically, and shouldn’t require any additional action from users:
“If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.”
#3. Embedded into design
Privacy should not be taken as a decorative feature – instead, it should be deeply rooted in the core of any technology:
“The result is that privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.”
#4. Positive-sum, not zero-sum
There should be no trade-offs when it comes to privacy – it should always be a “win-win” situation:
“Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made.”
#5. End-to-end protection
Every technology should have its own lifecycle, during which you should adequately store, leverage and destroy users’ data.
“This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.”
#6. Visible and transparent
Transparency and visibility should be the key features of any privacy-oriented design.
“...whatever the business practice or technology involved... [its] component parts and operations remain visible and transparent, to both users and providers alike.”
Privacy by design boils down to this: it’s for the users. And it intends to keep the focus on the users’ interests
“by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.”
The Essential GDPR FAQ: The Questions You May Have
#1. Is the GDPR of any interest to me if I am located outside EU?
If your work has anything to do with the personal data of citizens of the European Union, then that’s a resounding “yes”.
Really – it doesn’t matter where your company is geographically located. What it does is – where your users are.
As described in Article 3 of the GDPR, the new regulation
“applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union”.
#2. What exactly is “personal data”?
According to the GDPR,
“personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
There’s also another subcategory you may want to be aware of: “sensitive data.” Sensitive data refers to some special categories of personal data. The way of behaving with such information is explicitly defined in Article 9.
#3. What if I don’t work with the data directly, but my work is related to the services whch process users’ data?
Then, most likely, you are a controller. As we said above, the new general data protection regulation has introduced two main roles: processors (those who work directly with the personal information of users) and controllers (those who define the purposes of data processing). The responsibilities and rights for each category are separately described in the GDPR.
If you want to find your way around the GDPR, it’s essential to understand how it affects you. Which, in other words, means that it’s vital to first learn whether you are a controller or a processor and then learn your specific rights and responsibilities.
Either way, documenting everything is a must, just as it is complying with the Privacy by Design concept, founded on seven principles which, come May 25th 2018, will become a truncated version of God’s Ten Commandments for the IT world.