As big data gets bigger by the day, concerns over security and privacy loom large. The much-publicized Equifax data breach, as well as Cambridge Analytica’s misuse of user data, are but two of the numerous incidents that have horrified internet users worldwide as they wake up to the fact that their lives are not as private as they would wish them to be.
These incidents have contributed significantly to driving home the need for regulation, the most impactful of which is GDPR, which became enforceable on May 25, 2018. Other countries are not far behind in implementing similar regulations. The UK’s Data Protection Act 2018 writes GDPR into UK law so that it continues to apply after Brexit, and adds further provisions of its own in some areas. The California Consumer Privacy Act of 2018, signed into law about a month after GDPR became enforceable, also upholds most of the principles of GDPR, while adding to them in significant ways.
With the extremely heavy penalties imposed by GDPR and GDPR-equivalent regulations on organizations, a simple misstep could potentially cost a fortune. Having said that, this is virgin territory, and businesses were unclear about the implications of GDPR right up to the date of its enforcement. Facebook and Google were hit with complaints seeking fines in the billions of euros on the very first day GDPR applied; the complaint against Google led to a 50 million euro fine from the French data protection authority (CNIL) in January 2019.
As time passes and we learn more about these privacy regulations, and how the concerned authorities wish to see them enforced globally, it becomes more and more vital to stay abreast of the impact of this revolutionary measure. In this article, we talk about the salient points of GDPR and how you can ensure that the applications you design are GDPR compliant.
Data privacy standards have been around since as far back as 1980, when the OECD laid out its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, endorsed by both European countries and the US. These guidelines defined some of the basic principles for privacy and protection of personal data that form the basis of GDPR today. The Data Protection Directive (95/46/EC), adopted in October 1995, was a more updated and actionable version of the earlier guidelines and established independent Data Protection Authorities (DPAs) in each member state of the EU.
With the fast-changing technological landscape and the rise of social media and cloud storage, the EU recognized the need for updated and more specific regulation to protect the fundamental rights of its citizens. The updated regulation, GDPR, was proposed by the European Commission in January 2012, adopted by the European Parliament and the Council of the European Union in April 2016, and became enforceable on May 25, 2018, after a two-year transition period.
The General Data Protection Regulation (GDPR) specifies the lawful basis for collection and processing of personal data of all individuals within EU (European Union) and EEA (European Economic Area) and the rights of these individuals with regards to their personal data. It makes organizations responsible for protection of the collected data with provision for substantial fines if they fail to comply. GDPR has a total of 99 articles and 173 recitals, some of which also address other aspects of data privacy such as the export of data outside EU and EEA areas. Some salient points of GDPR are:
Data Controller: The organization (or person) that determines why and how personal data is processed and exercises ultimate control over that data. Data controllers are responsible for making sure that there is a lawful basis for collecting the data, for storing and processing it responsibly, for destroying it once the original purpose is met, and for upholding the rights of the data subject.
Data Processor: Any organization that processes personal data on behalf of, and only on the documented instructions of, a data controller, such as a cloud hosting, e-mail delivery or analytics provider. The relationship must be governed by a written contract.
Data Subject: The identified or identifiable natural person to whom personal data relates. GDPR protects data subjects who are in the EU or EEA, whatever their nationality or residence status.
Personal Data: Any information relating to an identified or identifiable natural person. Besides such obvious identifiers as name, address, date of birth, etc., this includes online identifiers such as IP addresses and cookie IDs, location data, and photos. GDPR further singles out “special categories” of personal data (racial or ethnic origin, political opinions, religious beliefs, health information, sexual orientation, and genetic and biometric data) that may only be processed under stricter conditions.
Consent: GDPR requires that consent to process personal data be freely given, specific, informed, and unambiguous: requested from data subjects in simple terms, with the purposes of the collection clearly stated, and given by a clear affirmative action. Consent must not be assumed by default, it must be as easy to withdraw as it is to give, and the controller must be able to demonstrate that it was given.
Right to Access: It is the data controller’s responsibility to confirm to a data subject, upon request, whether their personal data is being processed and to give them access to it, along with the purposes of processing, the recipients, the retention period and the source of the data. Requests must normally be answered within one month. Under the separate right to data portability, data subjects may also receive a copy of the data they provided in a structured, commonly used, machine-readable format.
Right to be forgotten: Data subjects have the right to request that personal data held by a controller be erased under certain conditions. Some of these conditions are:
the purpose of data collection has been met,
there is no legitimate reason for processing that overrides the fundamental rights of the data subject, or
the data subject withdraws consent, where consent was the only basis for processing.
Erasure is not absolute: a controller may refuse where the data is still needed to comply with a legal obligation (tax-law retention of invoices, for example) or to establish, exercise or defend legal claims.
Breach Notification: In case of a personal data breach that is likely to result in a risk to the rights and freedoms of the individuals involved, the controller has to notify the relevant Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a later notification must explain the delay. If the breach is likely to result in a high risk to the individuals, they have to be notified as well, without undue delay. Data processors are required to report any personal data breach to the controller without undue delay, and every breach, notified or not, must be documented internally.
Privacy by Design: All processes in the controller organization must be designed with privacy and data protection in mind. Data privacy settings for applications and websites must be set at the highest level by default and controllers should provide users with clear and convenient options for privacy. Controllers have a responsibility to make sure that user data is collected responsibly, protected adequately, and destroyed promptly when no longer needed.
Penalties: GDPR has two tiers of administrative fines. Infringements of the controller’s and processor’s own obligations, including, but not limited to, not reporting breaches in a timely manner, failing to keep records of processing, failing to carry out data protection impact assessments, and failing to implement privacy by design and by default, can draw fines of up to 10 million euros or 2% of annual worldwide turnover, whichever is higher. Infringements of the basic principles of processing, including, but not limited to, failing to acquire valid consent, failing to honour data subjects’ rights such as access and erasure, and unlawful transfers of data outside the EU, can draw fines of up to 20 million euros or 4% of the company’s annual worldwide turnover, whichever is higher.
GDPR applies to all organizations established in the EU or EEA that process personal data, regardless of where the processing itself takes place. It also applies to organizations established elsewhere that offer goods or services to individuals in the EU or EEA (whether or not payment is required) or that monitor their behaviour, for instance through tracking or profiling.
So even if your business is not located within the EU or EEA and your target customer base does not specifically include EU users, you should still be concerned about GDPR if EU or EEA residents can sign up for your application and it collects data from them, or if your business dealings with other companies involve processing or storing the personal data of EU users on their behalf, which makes you a data processor.
Another, more indirect, reason to take GDPR seriously is the fact that due to EU’s economic power and reach, EU regulations quickly become world standard. This has been called the Brussels effect. Many countries, independently or inspired by EU, have already followed suit in adopting EU privacy standards or equivalent privacy regulations of their own, while many more are in the process of doing so. Considering this, adopting transparency and data security measures as a matter of course is a smart move for businesses at this time, regardless of their location or target customer base.
Review all data that your application collects or stores. Determine how much of it is personal or identifiable data about users, and record for each item why it is collected, on what lawful basis, where it is stored, who it is shared with, and how long it is kept. GDPR requires most controllers to maintain such records of processing activities, and they are the starting point for every other step below.
At this point, it is important to review and decide which of the data you collect is absolutely necessary. Some applications will need more data than others. However, the best course is to collect only the bare minimum required.
Encrypt personal data at rest and in transit, and keep the keys separate from the data they protect, so that a stolen database or backup is useless on its own. Pseudonymize data wherever processing does not need direct identifiers: replace names, e-mail addresses and similar fields with tokens whose mapping back to the individual is held separately (a keyed HMAC, or a lookup table under its own access control). Note that an unkeyed hash of an e-mail address is not pseudonymization, because e-mail addresses are easy to guess and re-hash. Pseudonymized data is still personal data under GDPR; only properly anonymized data, where re-identification is no longer reasonably possible, falls outside it, and anonymization generally means discarding detail (age bands instead of dates of birth, for example) rather than transforming it.
Serve the whole application over HTTPS, not only the pages where you expect personal data to be entered; it is easy to overlook a Contact Us form, a login page or a support widget that sends a name, location or phone number. Redirect plain HTTP to HTTPS, enable HTTP Strict Transport Security so browsers stop using plain HTTP at all, obtain your TLS certificate from a trusted certificate authority, and check that the full certificate chain is installed correctly and that renewal happens before expiry.
GDPR requires that the information you give users about how their data is processed be concise, easily accessible, and written in clear and plain language with no room for ambiguity or misinterpretation. Keep this privacy notice separate from your general Terms & Conditions, link it clearly from the landing page of your application and from every form that collects personal data, and present it at the point where the data is collected. Keep dated, versioned copies so that you can show which wording a user saw.
User consent forms should be separate from Terms & Conditions, and consent for each distinct purpose should be requested separately: bundling consent with acceptance of the terms, or with another purpose, means it is not freely given. Write them in clear and explicit language with easy opt-out options. Pre-ticked boxes that users have to uncheck to opt out, or forms that assume consent by default, are a big “no-no.” Keep a record of what each user agreed to, when, and under which wording, so that you can demonstrate consent later.
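The difference between hashing, pseudonymization and anonymization is easier to see in code. The following is an added example written for this article, not code from VSH Solutions or from any GDPR text; the sample record, the guess list and the 32-byte key are constructed for the demonstration. It shows that an unkeyed hash of an e-mail address falls to a dictionary attack, that a keyed HMAC token survives it (without the key) while staying stable enough to join records on, and that an age band is lossy in a way neither of the others is.

```python
import hashlib
import hmac
import secrets
from datetime import date
from typing import Callable, Dict, Iterable, Optional

# Constructed sample record; not real data.
RECORD = {"email": "alice@example.com", "dob": date(1990, 4, 17), "city": "Lyon"}


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of an identifier. This is NOT pseudonymisation: anyone
    who can guess the input (e-mail addresses are guessable) confirms the
    guess simply by hashing it again."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256. The same input always maps to the same token, so
    records can still be joined and counted, but without the key a token
    cannot be linked back to the person. The key must live outside the data
    set (a secrets store or KMS, not the same database); a different key per
    data set stops two sets from being joined on the token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def anonymise_dob(dob: date, today: date) -> str:
    """Generalise a date of birth into a ten-year age band. The detail is
    discarded rather than transformed, so the band cannot be turned back
    into the date; on its own it is no longer personal data."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def dictionary_attack(target: str, candidates: Iterable[str],
                      guess_fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker holding the leaked tokens but no key can do: run a
    list of likely inputs through the public function and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(guess_fn(candidate), target):
            return candidate
    return None


def demo(key: Optional[bytes] = None, today: date = date(2019, 6, 1)) -> Dict[str, object]:
    key = key if key is not None else secrets.token_bytes(32)
    # Constructed list of addresses an attacker might try.
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]
    naive = naive_hash(RECORD["email"])
    token = pseudonymise(RECORD["email"], key)
    return {
        "naive_recovered": dictionary_attack(naive, guesses, naive_hash),
        "token_recovered": dictionary_attack(token, guesses, naive_hash),
        "token_stable": token == pseudonymise(RECORD["email"], key),
        "token_other_key": pseudonymise(RECORD["email"], secrets.token_bytes(32)) != token,
        "age_band": anonymise_dob(RECORD["dob"], today),
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC token is still personal data: whoever holds the key can re-link it, which is exactly why the key belongs under separate access control and in a separate breach blast radius from the pseudonymized data set.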
Inform users about any data that is collected and stored as part of business intelligence, how it is stored, and how long it is going to be stored. Provide them with an easy way to withdraw their consent.
If user data is going to be shared with any 3rd party, the consent forms should mention the 3rd party by name. Consent to share their data will need to be granted individually by the user for each of the 3rd parties involved.
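The consent requirements in the three points above (separate, per-purpose consent; no assumed defaults; an easy withdrawal; third parties named individually) are straightforward to enforce if consent is stored as an append-only ledger rather than a boolean column. The following is an added example for this article, not VSH Solutions’ code; the purposes, recipient names, notice version labels and timeline are constructed. Withdrawal is recorded as a new event so the history needed to demonstrate consent is never lost, a pre-ticked “grant” is refused outright, and consent to share with one named third party does not cover another.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str          # e.g. "newsletter", "analytics"
    recipient: str        # "self" for the controller, else the named third party
    granted: bool         # False records a withdrawal
    notice_version: str   # the consent wording the user actually saw
    at: datetime


class ConsentLedger:
    """Append-only record of consent decisions. Withdrawals are added as new
    events instead of deleting the grant, so the controller can always show
    what was agreed, when, and under which wording."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, user_id: str, purpose: str, recipient: str,
              notice_version: str, at: datetime, ticked_by_user: bool) -> None:
        # A pre-ticked box or a silently assumed default is not consent:
        # refuse to record it rather than store a grant the user never made.
        if not ticked_by_user:
            raise ValueError("consent requires an affirmative action by the user")
        self._events.append(ConsentEvent(user_id, purpose, recipient, True, notice_version, at))

    def withdraw(self, user_id: str, purpose: str, recipient: str, at: datetime) -> None:
        self._events.append(ConsentEvent(user_id, purpose, recipient, False, "", at))

    def is_permitted(self, user_id: str, purpose: str, recipient: str = "self",
                     at: Optional[datetime] = None) -> bool:
        """The most recent decision for exactly this (purpose, recipient) pair
        decides. Consent for one recipient never extends to another, and no
        record at all means no consent. `at` lets you ask what was permitted
        at the time a past processing step ran."""
        latest: Optional[ConsentEvent] = None
        for ev in self._events:
            if (ev.user_id, ev.purpose, ev.recipient) != (user_id, purpose, recipient):
                continue
            if at is not None and ev.at > at:
                continue
            if latest is None or ev.at >= latest.at:
                latest = ev
        return latest is not None and latest.granted

    def history(self, user_id: str) -> List[ConsentEvent]:
        """Everything recorded about one user, e.g. for a subject access request."""
        return [ev for ev in self._events if ev.user_id == user_id]


def demo() -> Dict[str, object]:
    # Constructed timeline for one user (not real data).
    t0 = datetime(2019, 5, 1, tzinfo=timezone.utc)
    t1 = t0 + timedelta(days=30)
    ledger = ConsentLedger()
    ledger.grant("u1", "newsletter", "self", "notice-v2", t0, ticked_by_user=True)
    ledger.grant("u1", "analytics", "Acme Analytics Ltd", "notice-v2", t0, ticked_by_user=True)
    try:
        ledger.grant("u1", "ads", "Ad Network Inc", "notice-v2", t0, ticked_by_user=False)
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    ledger.withdraw("u1", "newsletter", "self", t1)
    return {
        "newsletter_at_signup": ledger.is_permitted("u1", "newsletter", at=t0),
        "newsletter_now": ledger.is_permitted("u1", "newsletter"),
        "share_with_named_party": ledger.is_permitted("u1", "analytics", "Acme Analytics Ltd"),
        "share_with_other_party": ledger.is_permitted("u1", "analytics", "Other Broker Inc"),
        "preticked_rejected": preticked_rejected,
        "ads_permitted": ledger.is_permitted("u1", "ads", "Ad Network Inc"),
        "events_on_record": len(ledger.history("u1")),
    }


if __name__ == "__main__":
    print(demo())
```

Because the ledger itself contains personal data, it is subject to the same retention and erasure rules as the rest of your records; what it buys you is that a withdrawal cannot silently overwrite the evidence that consent once existed.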
If your app stores IP addresses or location data, for example to authenticate users or to detect suspicious logins, remember that these are personal data: inform users about how they are stored and for how long, keep them only as long as that purpose requires, and make sure that this data is encrypted at rest.
Security questions should not request any personal data. One alternative is to allow users to decide their own security questions with a warning against sharing any personal data.
It is no longer acceptable to hold on to user data after they have stopped using your service. Put a process in place whereby all personal data of a user is deleted within a defined timeframe when they cancel their service or delete their account, and define a retention period after which the data of inactive accounts is removed as well. This also covers any personal data that remains within your system after the user is handed off to a payment gateway, copies in logs, analytics and support tools, and backups, which need an expiry of their own. Where a legal obligation (tax law, for example) requires some records to be retained, keep only those fields and erase the rest.
It is more important than ever for applications to be secure, especially applications that operate on personal user data. Put processes in place to regularly assess for cyber risks, and fix vulnerabilities promptly, prioritized by severity, rather than leaving them open.
GDPR requires that the relevant Data Protection Authority be notified of a personal data breach, where feasible, within 72 hours of the organization becoming aware of it, and that affected users be notified without undue delay when the breach puts them at high risk. Seventy-two hours is very little time to triage, assess the scope and write the notification, so put an incident response plan in place before you need it: who declares an incident, who assesses the risk to individuals, who drafts and sends the notifications, and how the breach is documented. Make sure any and all employees that monitor the application are trained on this plan and know the next point of contact to escalate to, with all the relevant and required information, in case of a potential data breach.
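A retention job that honours both the erasure conditions listed earlier (purpose fulfilled, account deleted) and the legal-obligation exception looks like the following. This is an added example for this article, not VSH Solutions’ code; the 30-day deletion grace period, the two-year inactivity limit, the record fields and the sample records are all assumptions made for the demonstration and should be replaced by your own retention schedule. The point it shows is that “delete the user” is three different actions: keep (not yet due), scrub (erase everything a legal hold does not require), and purge (remove the whole record).

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed policy values for this example; take them from your own retention schedule.
DELETION_GRACE = timedelta(days=30)          # time allowed to honour an account deletion
INACTIVITY_LIMIT = timedelta(days=2 * 365)   # purge accounts idle longer than this


@dataclass
class UserRecord:
    user_id: str
    email: str
    name: str
    ip_history: List[str]
    invoices: List[str]                           # kept under a legal retention duty
    last_active: datetime
    deleted_at: Optional[datetime] = None         # set when the user closes the account
    legal_hold_until: Optional[datetime] = None   # e.g. tax law says keep invoices until then


def erasure_action(rec: UserRecord, now: datetime) -> str:
    """Decide what the retention job should do with one record:
    'keep'  - still in use, or within the grace period after a deletion request
    'scrub' - erasure is due, but some fields are under a legal hold: erase the rest
    'purge' - erasure is due and nothing must be retained: delete the whole record
    """
    deletion_due = rec.deleted_at is not None and now >= rec.deleted_at + DELETION_GRACE
    inactivity_due = now >= rec.last_active + INACTIVITY_LIMIT
    if not (deletion_due or inactivity_due):
        return "keep"
    if rec.legal_hold_until is not None and now < rec.legal_hold_until:
        return "scrub"
    return "purge"


def scrub(rec: UserRecord) -> UserRecord:
    """Erase every personal field the legal hold does not require. The user_id
    stays only as an opaque key for the retained invoices."""
    return replace(rec, email="", name="", ip_history=[])


def run_retention_job(records: List[UserRecord], now: datetime) -> Dict[str, List]:
    """One pass over all records. Returns the ids to purge, the scrubbed
    records to write back, and the records left untouched."""
    result: Dict[str, List] = {"purged": [], "scrubbed": [], "kept": []}
    for rec in records:
        action = erasure_action(rec, now)
        if action == "purge":
            result["purged"].append(rec.user_id)
        elif action == "scrub":
            result["scrubbed"].append(scrub(rec))
        else:
            result["kept"].append(rec)
    return result


def demo() -> Dict[str, List]:
    # Constructed records for one job run on 2019-06-01 (not real data).
    def d(y: int, m: int, day: int) -> datetime:
        return datetime(y, m, day, tzinfo=timezone.utc)

    now = d(2019, 6, 1)
    records = [
        # active user: nothing is due
        UserRecord("u1", "a@example.com", "A", ["203.0.113.5"], [], d(2019, 5, 20)),
        # closed the account two months ago: grace period has passed
        UserRecord("u2", "b@example.com", "B", ["203.0.113.6"], [], d(2019, 3, 1), deleted_at=d(2019, 4, 1)),
        # closed the account two weeks ago: still inside the grace period
        UserRecord("u3", "c@example.com", "C", [], [], d(2019, 5, 10), deleted_at=d(2019, 5, 15)),
        # idle for years, but invoices must be kept until 2022: scrub, do not purge
        UserRecord("u4", "d@example.com", "D", ["203.0.113.7"], ["INV-1"], d(2016, 1, 1),
                   legal_hold_until=d(2022, 1, 1)),
        # idle for years, nothing to retain
        UserRecord("u5", "e@example.com", "E", [], [], d(2016, 1, 1)),
    ]
    return run_retention_job(records, now)


if __name__ == "__main__":
    print(demo())
```

The job only covers the primary store; the same decisions have to reach log archives, analytics exports and backups, either by running an equivalent job there or by giving those copies a fixed expiry shorter than the retention period.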
There is no doubt that designing applications around the new privacy norms is a more challenging task. However, there are benefits to embracing these new standards.
Cybersecurity ignorance has cost businesses worldwide, not just in data losses, but also through the loss of customer trust and damage to their brand reputation. Applications designed along the lines of GDPR compliance will not only respect consumer privacy, but also be more secure and robust: knowing exactly which personal data flows where means there is less data to steal and fewer places to steal it from, which reduces the attack surface for potential hacks and breaches.
Emphasis on collecting minimal data means lower costs for data storage and processing, as well as better management of existing data. Less dependence on bulk data also paves the way to conceptualizing and building applications that are truly light and fast, unburdened by the need for heavy data transfers.
Access to a streamlined customer base that opts in to receive updates and notifications boosts the potential for increased conversion rates and better ROI.
In light of the recent high-profile data breaches, choosing a clear, convenient, and transparent customer engagement approach is a great way to regain customer trust and build a loyal audience.
The big data landscape has changed for good and there is no going back. Under the circumstances, businesses that do best will be the ones that embrace human-centric privacy measures and reinvent their business strategies around the new norm, rather than the ones that scrape by with doing the bare minimum.
VSH Solutions is already building GDPR-compliant applications. Contact Us with your requirements to know more about how we can help you build secure applications.