GDPR for IT Services Providers: The Talking Points
In a few days’ time – or, more specifically, on 25th of May, 2018 – Europe’s new data protection regulation (General Data Protection Regulation) is coming into force. In other words: it’s about time to make your business compliant with the new rules, unless you want to pay some hefty fines.
After sharing our GDPR compliance manual for developers with you last week, in this article we take a look at what designing safe systems will mean after 25th of May and what you should do to make sure you’re playing safe and by the rules.
What Should You Do?
Having problems adapting to the new regulations? It’s actually as easy as 1-2-3… and 4.
Without further ado –
#1. Privacy by Design Is a Key Concept: Learn It by Heart!
Defined in Article 25 of the GDPR, Privacy by Design (or PbD, for short) entails the implementation of
#2. Are You a Processor or a Controller? Find Out!
It’s essential that you discover whether your business falls under the “controller” or “processor” category according to the GDPR formulations.
The distinction may sound a bit confusing at the start – as all new things are – but as you dive into the topic, you may not have that many difficulties defining your role.
According to the GDPR (Art. 4.7)
Examples of controllers are applications (mobile or web) designed to track users’ behavior, communication and total service providers (CSPs and TSPs), etc.
Processor, on the other hand (Art. 4.8; see Art. 28 as well)
Consequently, processors can be cloud service providers, telecommunication companies, etc. – anyone who processes personal data on a controller’s behalf and on its instructions.
#3. Learn the Rights and Responsibilities Attached to Your Role. Comply.
So far, so easy, right?
However, the next step is vital.
And if you have any difficulties taking it, be sure to request the help of a data protection officer (DPO). Appointing a DPO is only mandatory in the cases listed in Article 37 (public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of the special categories of data). If your company is small and deals only marginally with personal data, the role may even be filled by one of your current employees – with relevant knowledge of the GDPR, of course.
However, if the opposite is true (i.e., a significant portion of your company’s work is related to users’ personal data, and adhering to the new regulation is therefore bound to become complicated), then hiring an external professional is the safer – and better – solution than investing in training your own employees.
According to the "Guidelines on Data Protection Officers (‘DPOs’)"
#4. Document Everything
Documenting your activities may be the most energy-consuming part of functioning under the new regulation. But, at the same time, it’s also one of the most crucial.
The most important things to document are the following:
- privacy statements which define what kind of information you collect and process, and for what purpose;
- records of any data processing activities you perform (Article 30);
- consent information of data subjects;
- data protection activities (such as encryption policy, security terms, etc.).
Privacy by Design
Privacy by design (or PbD) is a key concept of the new data protection regulation. Loosely speaking, it’s a translation of Benjamin Franklin’s suggestion that “an ounce of prevention is worth a pound of cure” into IT terms.
It implies that sufficient data protection should be established across all possible applications and uses of a platform beforehand.
Initially introduced in Canada in the 1990s,
The Seven Foundational Principles of PbD
The seven foundational principles of PbD state that privacy should be:
#1. Proactive, not reactive
This means that you shouldn’t wait for any privacy violations to happen. Instead, you need to prevent them from the start, by opting for an adequate privacy-centred design.
#2. Provided by default
Privacy should be the default setting, which means that protection should be enabled automatically and shouldn’t require any additional action from users.
#3. Embedded into design
Privacy should not be treated as a decorative feature – instead, it should be deeply rooted in the core of any technology.
#4. Positive-sum, not zero-sum
There should be no trade-offs when it comes to privacy – it should always be a “win-win” situation, with full functionality and full privacy.
#5. End-to-end protection
Personal data should be protected across its whole lifecycle: from the moment it is collected, through storage and use, to the moment it is securely destroyed.
#6. Visible and transparent
Transparency and visibility should be the key features of any privacy-oriented design.
#7. Respect for user privacy
Privacy by design boils down to this: it’s for the users. And it intends to keep the focus on the users’ interests
The Essential GDPR FAQ: The Questions You May Have
#1. Is the GDPR of any interest to me if I am located outside EU?
If your work has anything to do with the personal data of people in the European Union, then that’s a resounding “yes”.
Really – it doesn’t matter where your company is geographically located. What matters is where your users are: Article 3 talks about data subjects who are in the Union, not about citizenship.
As described in Article 3 of the GDPR, the new regulation
#2. What exactly is “personal data”?
According to the GDPR,
There’s also another subcategory you may want to be aware of: “sensitive data.” Sensitive data refers to the special categories of personal data (such as health data, biometric data or data revealing ethnic origin). The rules for processing such information are explicitly defined in Article 9.
#3. What if I don’t work with the data directly, but my work is related to the services which process users’ data?
Then, most likely, you are a controller. As we said above, the new general data protection regulation has introduced two main roles: controllers (those who define the purposes and means of data processing) and processors (those who process the personal information of users on a controller’s behalf). If you decide why and how the data is processed, you are the controller even when a third-party service does the actual processing; if you only handle the data on someone else’s instructions, you are a processor. The responsibilities and rights of each category are separately described in the GDPR.
If you want to find your way around the GDPR, it’s essential to understand how it affects you. Which, in other words, means that it’s vital to first learn whether you are a controller or a processor and then learn your specific rights and responsibilities.
Either way, documenting everything is a must, as is complying with the Privacy by Design concept, founded on seven principles which, come May 25th 2018, will become a truncated version of God’s Ten Commandments for the IT world.