What does GDPR mean for data-first companies?
Mar 21, 2018
On May 25th 2018 the General Data Protection Regulation (GDPR) comes into force. This is a piece of EU regulation that affects companies from any geographical locale with customers within the EU. There’s a lot of confusion around GDPR and what it means for a data-heavy future.
Even SaaS giants are getting it wrong. MailChimp is one of the largest email automation companies around. It has customers across the globe who rely on the platform to drive revenue and keep people informed. In October 2017 MailChimp sent a product update email that demonstrated it hadn’t fully understood the implications of GDPR.
The email announced a change to the default settings for email opt in: all new lists would now be single opt in by default. This would replace the double opt in default, which requires any person signing up to a mailing list to enter their email address in the email capture form and then click a link in an email they receive to confirm they want to join the mailing list. Single opt in, on the other hand, merely requires the email capture form to be filled out and consent is assumed. This is not GDPR compliant.
After feedback from EU-based customers MailChimp changed the announcement to leave EU-based companies with double opt in as the default. But this still doesn’t fully solve MailChimp’s problem: companies based outside the EU are subject to GDPR if they have customers based in the EU.
GDPR is confusing the big tech companies so how everyone else hope to be compliant?
GDPR: a set of underlying principles
GDPR seems complicated and obscure at first glance but it’s driven by a set of core underlying principles. Build these principles into any activity around data collection, processing, storage, and usage and you’ll be on your way to GDPR compliance.
- Transparency
- People should know what data about them is collected and how it is used. This can simply be telling people what data you collect and how it is used at the time of collection.
- Specificity
- Data should be collected for specific purposes and not used in ways other than those specified.
- Control
- People should be able to control what data is collected about them and why and how it is used. This ties in with consent.
- Consent
- People need to give specific, explicit consent to having their data collected, processed, and used. See the MailChimp example above.
- Accuracy
- Any data collected should be accurate and not misleading. For example, misrepresenting demographic data to suit marketing needs.
- Security
- Personal data mustn’t be leaked, stolen, or compromised in any way. This is a good thing because it means companies will need to get better at security and all our data becomes safer.
- Verifiability
- Governance becomes key because companies need to demonstrate that they meet their obligations under GDPR. It’s no good simply saying ‘yes, we’re GDPR compliant’ - you’ll need to prove it with processes and systems in place.
These principles are informed by new rights of ‘data subjects’ (people whose data you hold).
Data subjects and their rights
Most of these are common sense and things we’d all want applied to our own data. Data subjects have the right to:
- Erasure
- People have the right to be forgotten / deleted from any system that holds their data.
- Restriction of processing
- People don’t want you using their data but they don’t want it deleted. You must mark it in some way as ‘restricted’ and don’t use it for anything without further consent.
- Data portability
- People can request all data you hold on them in a machine-readable format (such as JSON or CSV).
- Be informed
- People can request human-readable information opposed to obscure terms and conditions.
- Rectification
- If data is wrong people have a right to have you correct it.
- Access
- People have the right to see all the data you have about them.
- Data minimistion
- Don’t collect more data than necessary.
- Integrity and confidentiality
- Security measures to protect data.
As you can see, the requirements for companies is driven by new rights for data subjects. It’s also useful to think about GDPR from an engineering/design point of view. For example, thinking about things you might want put in place from a product perspective such as:
- Export data buttons
- Consent checkboxes
- Restrict processing checkboxes
- ‘See all my data’ options
This is an in-depth post aimed at helping developers building products that gives a good overview.
Putting principles and rights into practice
How can you begin to put these principles into practice and become GDPR compliant by May 25th? Here’s a simple set of things you can do right now to get you on your way:
- Data inventory
- Develop an inventory of data impacted by GDPR across all systems and non digital sources across your organisation
- Develop new processes for data collection, storage, and processing in relation to GDPR and it’s new requirements
- Data quality and redundant data
- Review data quality levels across systems and improve data accuracy as well as determine what data is no longer required to be held
- Ability to erase
- Determine processes, policies and system changes required to support requests for data to be erased
- Consent management
- Align data subject consent to data inventory and ensure consents are valid, up to date, and transparent
- Data governance and control
- Integrate current data governance and control to include GDPR requirements
A good exercise that you can do now, or any time before May 25th, is to act as if someone has requested information from you about the data you hold on them. This will test every aspect of your GDPR compliance and surface any holes in your processes. A PwC Director has a good post about this with a template letter you can use.
Putting practice into compliance
Much of GDPR is about process. If processes exist from start to finish for gaining consent, informing users, and having internal processes for monitoring data, what it’s used for, and being able to meet data requests GDPR won’t be the hell it’s made out to be.
Adhering to principles and testing with mock data requests is a fantastic way to understand what you need to do in order to comply with GDPR. The sooner you do it, the better.
Worried about GDPR? We can help.