On the 25th of May of this year, the General Data Protection Regulation (GDPR) law will come into force. While many are hearing about GDPR for the first time, it has roots as far back as 1981. Named the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” and held in France, the convention was the greatest data privacy rave held that season.
That’s right, the GDPR is a gift from France, like the Statue of Liberty, camembert cheese, and Daft Punk.
You don’t need me to tell you how that piece of legislation evolved into the “Data Protection Directive 95/46/EC”. That version of data protection applied to companies operating inside the EU that stored or processed personal data. Two years ago, the EU went a step further, approving the current version. The biggest change is that the current version protects EU citizens no matter where the company resides.
Companies and individuals have had two full years to ensure they are in compliance with GDPR. As stated on the main GDPR website, the legislation wants to reshape how we do data privacy:
“…to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
The reason you are hearing a lot about the GDPR these days is not the looming deadline. No, the real reason has to do with the penalties you may face due to non-compliance. The penalties are as follows:
– Breaches of the lesser provisions: fines of up to €10 million or 2% of global annual turnover for the preceding financial year, whichever is greater.
– Breaches of the important provisions: fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater.
That’s a lot of French fries. It’s also potentially a lot of prison time, as you may also face criminal prosecution. The GDPR gives EU member states the right to impose criminal penalties. If non-compliance with the GDPR runs you afoul of a member state’s national law, you won’t be able to buy your way out.
The Original Workaround
For 20+ years, US companies worked around the regulations by not storing data inside the EU. The EU wasn’t happy about this practice, which is why we have the GDPR staring us in the face.
Your personal data is the most critical asset you own. For those not familiar with what qualifies as personal data, the GDPR defines it for us:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
I applaud the EU for taking steps to protect the rights of EU citizens to have control over their personal data. I wish the USA cared as much about our rights for data security and privacy as the EU does for their residents. It’s also worth noting that the UK is in favor of the GDPR despite not being in favor of the EU.
I’ve been meaning to write about this topic for some time. I’ve had a lot of questions, comments, and concerns about GDPR and this blog. I decided a blog post would be the best way to get these thoughts out of my head. I’m not a lawyer, so don’t take what I write here for advice. But I’ve seen a lot of bad information, scare tactics, and xenophobia in the past few months. I expect that we will see more as May approaches.
It is my hope that today’s post will help you understand more about the GDPR. I’m writing this post as the owner of this blog, and someone that will make every effort to comply.
What You Need to Understand About the GDPR
First, you must understand that consent is a fundamental GDPR requirement. You must ask your EU customers to give consent to the collection of their personal data. Also, you must ask for consent for every process run against their data. And every time you introduce any new process, you have to ask again.
Second, you must be clear in how, where, and when their personal data is in use. No funny language, or double-negative opt-in-or-out from mailing lists. Don’t take their emails and sell them, or switch to different mailing lists, or anything that a salesbag would do.
Third, the user has the “right to be forgotten”. If someone asks for removal of their personal data, you must be able to show that the removal was complete.
What this all means is that the GDPR isn’t about sales, the exchange of goods and services for money, or business in general. The GDPR is about the exchange of data. And we exchange data in many different ways; here are some examples:
- If you attend an event in the EU and an EU citizen gives you their business card, you are likely subject to GDPR.
- If you deliver a session at an event in the EU and invite people to read your blog, then when an EU citizen leaves a comment on the referenced blog post, you are likely subject to GDPR.
- If you direct “targeted marketing” material at EU users and customers, you are likely subject to GDPR. This includes the publication of scripts containing references to blog posts and pages.
- If you solicit diagnostic information from someone to help them troubleshoot an issue and it contains PII from an EU citizen, you are likely subject to GDPR.
As the Cognitio Corporation describes it:
“This is not just important for firms that operate in Europe, but any firm that interacts with European citizens. Any company that holds data on EU citizens must comply.”
Thinking you can put your head in the sand and avoid GDPR compliance is a mistake.
What I’m Doing for GDPR Compliance
Keep a few things in mind here. First, as stated before, I Am Not A Lawyer. Second, this blog is a personal blog, nothing more, but GDPR rules will still apply here. I want readers of this blog to know that I respect their data security and privacy rights.
During the holidays, I took the time to give this blog a facelift. I also took the time to update my blogger disclosure page. That’s the page that details my activities. It allows you to know who I am affiliated with, who pays me with money, who pays me with bacon, and who I like hanging out with. On that page, I make two things very clear about the data collected via this blog.
First, I use Mailchimp for email subscribers. You can view the Mailchimp privacy policy here, and they have a KB post specific to GDPR here. I state that the emails are not sold or given to any 3rd party. I will only use the emails for my newsletter. You can unsubscribe at any time, and I will make certain to delete your data from my dashboard in Mailchimp.
Second, I use Disqus for comments on this blog. You can view their privacy policy here. You can remove your account from Disqus at any time, but Disqus does not delete your comments from my blog. I will have to clean that up by querying my WordPress database. I will search for your username and email and run the delete statement myself. I’m currently looking for a GDPR-compliant comment plugin; if anyone finds one, let me know.
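As an added illustration of the clean-up step just described (this is example SQL written for this page, not a script from the blog author or from Disqus), here is one way to handle an erasure request against a stock WordPress database. It assumes MySQL/MariaDB with the default `wp_` table prefix, that the synced Disqus comments live in `wp_comments` with their metadata in `wp_commentmeta`, and it uses a constructed placeholder email address. It matches on the commenter’s email rather than the display name, because display names are not unique and a name match could delete someone else’s comments.

```sql
-- Added example (not the blog author's own script): erasing one commenter's
-- records from a WordPress database in response to a right-to-be-forgotten
-- request. Assumes the default "wp_" table prefix and MySQL/MariaDB.
-- The email address below is a constructed placeholder.

SET @subject_email = 'data.subject@example.com';

START TRANSACTION;

-- 1. Preview what will be removed, so the scope can be confirmed and
--    recorded before anything is touched. Note that comment_author_IP is
--    an IP address, which the GDPR definition quoted above counts as
--    personal data in its own right.
SELECT comment_ID, comment_post_ID, comment_author, comment_author_email,
       comment_author_IP, comment_date
  FROM wp_comments
 WHERE comment_author_email = @subject_email;

-- 2. Remove comment metadata first; it references wp_comments.comment_ID
--    and would otherwise be left behind as orphaned rows.
DELETE cm
  FROM wp_commentmeta cm
  JOIN wp_comments c ON c.comment_ID = cm.comment_id
 WHERE c.comment_author_email = @subject_email;

-- 3. Remove the comments themselves.
DELETE FROM wp_comments
 WHERE comment_author_email = @subject_email;

-- 4. Verify nothing remains for that address before committing;
--    if the count is not zero, ROLLBACK instead of COMMIT.
SELECT COUNT(*) AS remaining
  FROM wp_comments
 WHERE comment_author_email = @subject_email;

COMMIT;
```

Two practical caveats. The cached `comment_count` column in `wp_posts` will be stale until WordPress recounts it, and any replies that pointed at the deleted comments via `comment_parent` will now reference rows that no longer exist. More importantly for compliance, a database backup taken before the deletion is itself another copy of the same personal data, so the erasure is not complete until the backup retention plan accounts for it as well.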
Summary
GDPR compliance may be hard, but nothing worthwhile is ever easy. To me, data security and privacy are worth the extra effort. Any person or company that mocks the GDPR sends a message they do not care about customer data privacy. If you don’t want to respect the rights of EU citizens, then you won’t respect the rights of anyone. I’m a believer in treating people the way you want to be treated. If I want people to respect my rights, I must respect theirs.
I see the GDPR as the first step towards something better. See, the GDPR is about the data. But what we need is a way to protect the people, and not only their data. The GDPR doesn’t tackle the issue of voice recognition, for example. And I don’t see the current GDPR keeping pace with advances in similar technologies. This does not mean the GDPR is a failure. I see it more as a way for everyone to understand the dangers in the collection of personal data.
When it comes to good data privacy practices, you need to follow a few simple rules:
1. Only collect the data that you need.
2. Don’t misuse that data in any way. Don’t add people to a second mailing list, or sell their data.
3. Know where you store their data so that you can remove it when asked.
As a data professional, the best message you can put out there is that you care about data privacy for your customers, no matter where they call home. That’s the right message we want to send, everywhere, all the time.
The GDPR isn’t perfect and still evolving, but it’s a great first step. Use this as an opportunity to educate everyone about data privacy.
References:
https://premium.wpmudev.org/blog/gdpr-compliance/
https://gigaom.com/2018/01/11/will-gdpr-fail-beyond-the-new-regulation/
Have been running this through in my head for the organisations I write software for. Massive is the only word I can think of! So many places that data would need to be deleted from. I very much doubt that many businesses (esp. in UK due to Brexit) will be taking this seriously enough. I am impressed that you are, for a blog, although the mailing lists and comment bits really show that there are things people won’t think of! 100 internet points to you.
Thank you! What’s the conversion rate on those points to Bitcoin?
The way bitcoin’s going you might get a few hundred coins for them!
Can I just correct you on the consent thing? It’s not a fundamental requirement: it’s one of six conditions that make processing legal. Only one of the conditions needs to be satisfied. Please see Article 6.
John
Thanks for the comment John. You are correct about Article 6. Let me explain my words in the post a bit more.
In the post above, where I speak about consent, I link to Article 7. This definition is needed to help explain the items in Article 6 where it lists the conditions for lawful processing, and says that at least one condition must apply. The first two conditions reference consent (if I enter a contract then I am giving consent for my data to be used in ways that adhere to the contract). The other four speak to public interest.
As I mentioned, I Am Not a Lawyer, but I read these articles as GDPR making it known that consent is a fundamental requirement. While I am certain in the case of a warrant it is possible an entity could collect private data without consent, to me the GDPR is making an effort to remind businesses that they need to communicate to their customers how their data is being used.
So, perhaps “fundamental requirement” isn’t accurate for 100% of use cases. However, most companies aren’t acting in public interests, and they will need to get consent directly from customers that are not entered into a contract.
Again…that’s just my understanding. There’s a lot to discuss here, I know we could write about the GDPR for weeks. I want my main point for consent to be this: you should get consent from your customers. It will make things a bit easier if you have consent.
HTH
Thanks for the clarification, Thomas – that makes sense.
John
Thanks for the comment! I do hope this post gets people to see the GDPR in a different light.
I agree with the spirit of this, except for the part about bloggers not respecting rights. The reaction I have seen was about that minimum $10 million fine. There is a perception that it is not worth the risk of making a mistake when the penalty is that high. I do not target EU citizens. I do not sell outside the US because taxes are a mess. But what data does my stat counter (Google Analytics) collect, and to what degree am I responsible for what they do with information gathered on my site? My personal concern is not that I want to violate privacy. I only see an IP address and I make no effort to tie a specific IP address to anyone or any action. But I do have third-party activity through Google, who already has had run-ins with EU law. And I do not know what other programs are doing. If the fine were 4%, it would be easier to do my best and not worry about it. When the minimum is 10 million, however, the stakes are pretty high for a handful of visitors.
Really nice and helpful information provided. Thanks for your worthy knowledge sharing.