by Paul Arnote (parnote)
It's about time someone did something about privacy of user data. And, boy oh boy, how the privacy of user data has been addressed. Starting on May 25, 2018, enforcement commenced on the EU's General Data Protection Regulation, a.k.a. the GDPR. It is designed to protect the data security and the privacy of EU residents. You can read the entire regulation here.
The GDPR was adopted in 2016, but enterprises were given a two year grace period before its provisions became enforceable. If you look even casually in your email inbox, though, you might get the impression that there's a lot of scrambling going on to meet those requirements. According to an IBM report (registration required to acquire the report), it is estimated that only 36 percent of enterprises will be fully compliant with the GDPR's provisions by the date enforcement begins.
To say that the GDPR has been the topic of a LOT of talk in the latter half of May would be an understatement. There is a lot of scrambling to fully grasp not only all of its provisions, but also the implications of those provisions. Some of those implications have, or are bound to have, global impact.
So, let's take a look at the highlights of the GDPR, and what it all means for not only internet users, but also enterprises with a presence among users in the EU. Keep in mind that this is only an overview, and not a complete review. Also keep in mind that in no way should this article be construed -- or misconstrued -- to represent "official" legal advice.
What Is GDPR?
The GDPR replaces Data Protection Directive 95/46/EC, which was originally adopted in 1995. It unifies data privacy law across all EU member countries, and it applies to any company that processes the personal data of people in the EU, regardless of that company's location or country of origin. Note that the regulation protects people in the EU, not just EU citizens. Consent is one of several lawful bases the regulation recognizes for processing personal data (the others include performance of a contract, a legal obligation, and the company's legitimate interests), but when a company relies on consent, that consent must be freely given, specific and informed: the request must be made in plain language, must not be buried in legal mumbo jumbo, must be for a specific purpose, and must be presented separately from other requests. Those found to be in violation of the GDPR's provisions can be fined up to four percent of their annual global turnover, or 20 million euros, whichever is greater. From the outset, the GDPR appears to have some real teeth with regards to enforcement.
Who Is Subject To GDPR Provisions?
Any company that offers goods or services to people in the EU, or that monitors their behavior, and that collects personal data from them, is subject to the provisions of the GDPR. This includes companies with an international presence, such as Google, Yahoo, Facebook, Twitter, Instagram, Amazon and many, many more. Thus, to risk non-compliance is also to risk the steep fines that come with it. Meanwhile, organizations that "do business" with people in the EU but do not keep, maintain or ask for any user data (such as The PCLinuxOS Magazine) should see no changes in their operations.
GDPR's Key Provisions
Under the GDPR, personal data is defined as any information that can be used to identify a natural person, either directly or indirectly. That data can take the form of a name, a photo, an email address, bank details, posts on social media, medical information, or even a computer's IP address.
Those who collect such information must (under the GDPR) take documented steps to limit access to it to only credentialed and authorized employees whose jobs specifically require that access. Failures of that security can be met with the stiff, heavy fines we described earlier.
The GDPR also lays out specific user rights that must be adhered to. Let's take a look at those.
Consent: the GDPR specifically prohibits the use of long, chase your tail, terms of agreement statements, and especially those filled with legal mumbo jumbo. All requests for consents, terms of agreements, or privacy statements must be presented in a clear, concise manner, in plain language, without ambiguity of meaning. Furthermore, consent must be as easy to withdraw as it is to grant.
Data breach notification: when a breach of personal data is discovered, a company must notify its supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to pose a risk to the people affected), and must notify the affected users themselves without undue delay whenever the breach is likely to put their rights and freedoms at high risk. Hallelujah! Gone should be the days when Yahoo! has yet another data breach, but announces it many months after it was discovered. Companies must use whatever forms of notification are necessary to inform users in a timely manner, whether that is email, phone calls, or, where contacting each user individually would take disproportionate effort, a public announcement.
Right to access: at a user's request, a company must confirm whether personal data about them is being processed, and if so, for what purpose, what categories of data are involved, who receives it, and how long it will be kept. The company must also provide a copy of that data in a commonly used electronic format. The first copy must be free of charge; a reasonable fee may be charged for further copies.
Right to be forgotten: also called the right to erasure, this requires a company to erase a user's personal data without undue delay when the user asks it to and one of the regulation's grounds applies, for example when the data is no longer needed for the purpose it was collected for, or when the user withdraws the consent that the processing was based on. If the company has made the data public, it must also take reasonable steps to tell other parties processing that data that the user has asked for it to be erased. The right is not absolute: a company may keep data it is legally required to retain, or that it needs to establish or defend legal claims.
Data portability: a company must provide a way for a user to receive the personal data they previously provided to it, in a structured, commonly used and machine readable format. This essentially means that the data must not be locked in some proprietary format that is not in widespread use. Users can also request that the company transmit the data directly to another controller, free of charge, where that is technically feasible. This right covers data processed by automated means on the basis of consent or a contract.
Privacy by Design: To be in compliance, companies must follow the principles of data protection by design and by default. In essence, this means that a company processes only the data absolutely necessary for the purpose at hand, and limits access to that personal data to only those employees who need it to complete the process the user consented to. Companies must put appropriate technical and organizational measures in place to meet the GDPR's requirements and protect the rights of users.
Data Protection Officers: a company must appoint a data protection officer if its core activities involve regular and systematic monitoring of people on a large scale (tracking and behavioral advertising, for example), or large scale processing of sensitive categories of data such as health information. Public authorities must appoint one as well. The widely repeated thresholds of 250 employees or 5,000 users in a 12 month period are not in the final text of the regulation: the 250 employee figure applies only to the separate obligation to keep records of processing, and the 5,000 figure comes from an earlier draft. The DPO's job is to inform and advise the company on its obligations, to monitor its compliance with the GDPR, and to serve as the point of contact for users and for the supervisory authority. Where the criteria are met, appointing a DPO is not optional, but a requirement.
Reprinted from XKCD.com, under the Creative Commons Attribution-NonCommercial 2.5 License.
GDPR penalties for noncompliance
As we stated earlier, companies found to be in violation of the GDPR's provisions can be fined up to a maximum of four percent of their annual global turnover, or 20 million euros, whichever is greater. That top tier is reserved for the core obligations: companies that process data without a valid legal basis (such as sufficient user consent), that violate the basic principles of processing (lawfulness, purpose limitation, data minimisation), or that fail to honor the user rights described above are exposed to the maximum penalty. Other infractions are assessed in a lower tier, with fines of up to two percent of annual global turnover or 10 million euros, whichever is greater. That tier covers companies that don't have their records in order, that fail to notify the supervisory authority and affected users about a breach in a timely manner, that neglect privacy by design, that fail to appoint a required DPO, or that do not carry out a required data protection impact assessment before beginning high-risk processing.
How it's affecting the digital landscape
A lot remains unclear at this time, and we'll ultimately have to wait until the dust settles over the GDPR's enforcement. And, man is there a lot of dust to settle. But some things are quite obviously changing.
At Google, for example, they have completely revamped their terms of service and privacy policies to conform to the GDPR. Additionally, Google has revamped many "controls" and tools for users to manage the data collected about them via Google's services. You can read about them here. There are many improvements coming to Google as a result of the GDPR.
Not everything is completely rosy, though. Many companies are struggling to comply with the GDPR before enforcement commences. Even at Google, which appears to be fairly well prepared for the enforcement phase of the GDPR, there are issues. As reported in The Register, for Android app developers who rely heavily on ad revenue from Google's ad network, things are still in a state of flux and uncertainty. As of May 15 they were still waiting for an updated SDK that Google had promised them, which means it cannot be implemented and tested until the deadline has passed and GDPR enforcement is already underway. Even then, a Google representative said in the Mobile Ads forum that the company couldn't guarantee that apps using the Consent SDK would actually be compliant.
Meanwhile, over at ICANN, the organization responsible for coordinating the internet's domain name system, they are reeling in chaos. Specifically, they are scrambling to ensure that the publication of WHOIS data, the registration records that the tool of the same name uses to look up who is responsible for a domain, is compliant with the GDPR's provisions. If they don't, they face extensive fines that could be ruinous to the organization.
While it has been a LONG time coming, the GDPR is a huge first step towards ensuring that users' private data has a seat at the table, so to speak. This most likely won't have any effect on the three and four letter government spying agencies slurping up our private data, but then they operate under a whole separate set of rules that we often aren't even privy to. Heck, I'm betting that sometimes (often times?), they make those rules up as they go, so there's no one really who knows what those rules are.
I only hope that other countries take the EU's lead in protecting the private data of users from the abuses that we've witnessed and encountered over the years, especially lately. Your private and personal data ARE the currency of this digital age. The GDPR gives users some heavy hitting tools to help protect that data against the large and faceless corporations whose only desire is to monetize and capitalize on that data.