Changes to Data Protection under GDPR – A Developers View
GDPR stands for General Data Protection Regulation. This EU regulation will be law and enforceable from 25th May 2018.
What is Personal Data?
GDPR defines personal data as:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Article 4, GDPR
As important as all that data is, GDPR also lists some special categories:
- racial or ethnic origin
- genetic data / biometric data / health data
- political opinions
- religious or philosophical beliefs or trade union membership
- data concerning a natural person’s sex life or sexual orientation
If you're collecting, processing or storing any of this data you need to treat it very carefully.
Why is there a need for GDPR?
Back in 1995 the internet was a completely different beast than the one we have at our disposal today. Why am I talking about 1995? Because that is when the EU Data Protection Directive, which is currently in use, was written.
The Data Protection Directive has done a pretty decent job of protecting our personal data this far. However, as the internet has evolved, the requirements for keeping people's personal data private have evolved too and will continue to, hence the need for the updated GDPR.
Key Changes under GDPR
Arguably the biggest change to data protection under GDPR is the increased territorial scope, as GDPR applies to all companies processing the personal data of people residing in the EU regardless of the companies' location. This means that even US based companies will have to conform to GDPR if they want to continue to process EU residents' data. Given the lacklustre approach to data protection adopted by several US states, surely this can only be a good thing.
Organisations breaching GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). This is the maximum fine imposable under GDPR for example for violating the core principles of Privacy by Design. Fines will be tiered depending on severity of the breach and apply to both controllers and processors so even ‘clouds’ will not be exempt.
Consent must also be as easy to withdraw as it is to give. For example, if a user registers for a website and that process creates them an account area, within that account area there should be a clear way to request that the account be deleted.
Right to Access
One of the rights of the data subject under GDPR is the right to request from the data controller confirmation of whether their data is being processed, by whom, where and why. The controller should also provide a copy of the data being stored on a data subject in an electronic format, free of charge.
Right to be forgotten
A data subject has the right to request that the data controller erase their personal data and have third parties stop processing the data, for example when a data subject withdraws consent.
Data Portability is introduced in GDPR. This is the right of the data subject to receive the data being stored on them and to transmit it to another data controller. In practice, I see this being quite tough to implement (for example, pressing a button and porting all data from one electricity supplier to another), but some sort of export to CSV functionality would be a step in the right direction.
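To make the three rights above concrete from a developer's seat, here is an added example (not code from the original post) of a small in-memory store that answers an access request, produces a portable JSON or CSV export, and erases a record while returning the third-party processors that need to be told. The SubjectStore class, its field names and the sample data are assumptions constructed for illustration.

```python
"""Added example: data subject access, portability and erasure helpers.
SubjectStore and its fields are constructed for illustration (assumption)."""
import csv
import io
import json


class SubjectStore:
    """In-memory stand-in for the tables that hold a data subject's records."""

    def __init__(self):
        self.subjects = {}    # subject_id -> dict of stored personal data
        self.processors = {}  # subject_id -> list of {"name", "purpose"} entries

    def add_subject(self, subject_id, profile, processors=()):
        self.subjects[subject_id] = dict(profile)
        self.processors[subject_id] = [dict(p) for p in processors]

    def access_request(self, subject_id):
        """Right to access: confirm whether data is processed, by whom and why,
        and hand back a copy of what is stored."""
        if subject_id not in self.subjects:
            return {"processed": False}
        return {
            "processed": True,
            "data": dict(self.subjects[subject_id]),
            "processors": [dict(p) for p in self.processors[subject_id]],
        }

    def export_portable(self, subject_id, fmt="json"):
        """Data portability: machine-readable export of the stored record.
        fmt is "json" (default) or "csv"; keys are sorted so output is stable."""
        record = self.subjects[subject_id]
        if fmt == "json":
            return json.dumps(record, sort_keys=True)
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=sorted(record))
        writer.writeheader()
        writer.writerow(record)
        return buf.getvalue()

    def erase(self, subject_id):
        """Right to be forgotten: drop the record and return the names of the
        third-party processors that must be asked to stop processing it."""
        self.subjects.pop(subject_id, None)
        return [p["name"] for p in self.processors.pop(subject_id, [])]
```

In a real system the erasure would also cascade to backups, logs and any search index holding the same fields, and the processor list would come from your records of processing rather than a dict.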
Privacy by Design
While Privacy by Design or Privacy by Default has been around for a while now, it is only now becoming part of a legal requirement within GDPR. Privacy by Design calls for data protection to be built in at the start of the process of designing systems, rather than being implemented as an afterthought.
As a developer, a Privacy Impact Assessment being conducted as part of the discovery phase of a project is something I welcome; it is far easier to implement privacy, and for that matter security, from the start of a project than to attempt to retrofit it later.
Another part of Privacy by Design is data minimisation: only collect, and therefore store and process, the data required for the purpose for which you have gained consent.
Better yet, if you don't need to store the data for it to be used for its purpose, don't store it. Do you really need to store a record of the data submitted in a contact form in a database, or is sending the data to an email address sufficient?
Privacy Impact Assessments
Privacy Impact Assessments are a tool to reduce the privacy risks in a project: by identifying the risks at the start of a project you will be able to reduce the risk of harm to a system user through misuse of their personal data. Privacy Impact Assessments will also help developers like myself in the pursuit of building secure and efficient systems from the start.
A win-win.
Before I wrap up, a quick word on Brexit. Leaving the EU will not get us out of having to comply with GDPR; even in a post-Brexit UK we will need to have GDPR or a similar equivalent in place to be able to keep doing business with EU member states.
GDPR or its equivalent is here to stay, and while its implementation will have cost and time implications for projects moving forward, better and safer storage of people's personal data in the modern digital age should surely be a priority.
While Internet Marketers and Email Marketers are likely to be most affected I must say I will be quite happy not to have my Facebook news feed overtaken by adverts for GDPR training courses just because I once googled “What does GDPR mean?”.
DISCLAIMER: I am not a lawyer so please don’t take the above as legal advice, it is the opinion of a web developer and furthermore one who didn’t realise when I decided I wanted to be a web developer that I would need a law degree but GDPR, PCI Compliance and the Cookie Law have left me wondering.