GDPR (General Data Protection Regulation) will be taking effect on the 25th of May this year, and it is going to affect a lot of companies. At Audacia, we've been preparing ourselves and our customers for the changes that GDPR will bring about.
Our key considerations include:
- Explicit consent for storing data on users
- Breach Notifications
- Right to Erasure
What is GDPR?
GDPR is a new set of regulations which have already been ratified into UK and EU law, but do not take effect until May 25th 2018.
GDPR extends the 1998 Data Protection Act, has the full support of the EU and UK government, and is designed to help protect the personally identifiable information of EU and UK citizens.
This is a positive step towards protecting businesses, their IT systems, and their customers, by ensuring that any and all data captured is for a specific purpose and is afforded all necessary protections available in both UK and EU law (where applicable). With data being ever more fundamental to business activities, and one of the most valuable assets a business can have, this legislation will help ensure that companies apply the necessary level of rigour when storing and processing data.
The GDPR Model
GDPR names the different actors involved in a software application as follows:
- Customer
- Processor
- Controller
The Customer is the actor GDPR has been written to protect. They are an EU or UK citizen who provides their personally identifiable information in order to use a software application.
The Controller is the entity who stores the Customer data and obtains consent from them. The Controller is fully obligated to safeguard the Customer's data.
The Processor is (often, but not always) a third party who will be given access to the Customer data via the Controller in order to provide a service.
An example would be an e-commerce site:
- A user (the Customer) registers with an e-commerce site (the Controller) and provides their information.
- The user then places an order, and their data is passed to a payment system (the Processor) in order to invoice them for the goods or services they are purchasing from the e-commerce site.
- When the user provides consent, it will have to be made clear to them who the Processor is, and this consent will give the Processor the right to access this data only for the purpose that has been explicitly consented to.
Consent
We are no doubt all familiar with the consent boxes we see on modern websites and in software applications. The user may be presented with an agreement in the form of a wall of text or a link to a separate page, and the checkbox that asks for consent to store their data may well be ticked by default. Alternatively, the user might simply see an "I agree to the terms of service..." checkbox, with a link to the terms of service.
GDPR changes all of that, as consent must be explicitly obtained from users when they register for a service or install a piece of software which requires 'Personally Identifiable Information'. The checkbox cannot be ticked by default, and the way the data will be used must be explicitly stated – especially if the data is being shared with or accessed by third parties. An example could be a fitness tracker (see: GDPR Article 4, item 14: 'Definitions') most of which will record the following data:
- Biometric
- Location
- Time
This data is routinely kept alongside a 'profile' which contains a user’s:
- Name
- Weight
- Age
Each of these six data points requires separate consent from the user, as each is personally identifiable.
Also, if and when the fitness tracker software is updated and requires some other personally identifiable information to be collected, separate consent must be obtained for that too.
But what is Personally Identifiable Information?
The short answer is: anything which can be used to personally identify an individual.
Some examples of this are:
- Name, address and unique identifying numbers (e.g. your NI Number)
- Demographics - such as age, gender, income or sexual preference
- Behavioural data - web searches, purchase history and more
- Social data - who your friends are, your emails, etc
- Sensor data - biometrics, health tracking devices
- User generated content - videos, photos, blogs or comments
- IP and MAC addresses – as these (especially MAC addresses) can be traced back to an individual user, or subset of users and their access to a web service.
Breach Notifications
GDPR states that if a personal data breach occurs, all affected users of the software system must be informed within 72 hours of the breach being identified.
“Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”
Source: GDPR document in English, page 53
A breach in this context refers to any scenario that will or could lead to unauthorised data access. This could be a hacking attack, unauthorised personnel gaining access due to a system error, or someone leaving a laptop on the train. Naturally, in order to meet this requirement, organisations will first need the ability to identify a data breach at all. In many cases this will mean investing in tools for monitoring traffic to, and usage of, their software systems.
Right to erasure
The right to erasure allows Customers to have their personally identifiable data erased. This will likely be the hardest of the new GDPR regulations to implement for pre-existing software systems, as it may require extensive data model changes.
Customers are permitted to have their data erased under the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child. For instance, a social services support worker who has been assigned to aid a family would need to have records on all immediate members of that family.
Source: ICO description of the GDPR Right to Erasure
If a Controller receives a Right to Erasure request from a Customer then they must also send that Right to Erasure request on to any involved third parties who must also erase the Customer's data.
GDPR states that requests should receive a response ‘without undue delay’ and within a month unless specific circumstances apply.
Source: GDPR document in English, page 140 (Article 17)
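As an added illustration of the data-model changes that the consent and erasure sections above call for (example code written for this post, not Audacia's or any product's own): a small Python consent ledger keyed by the six fitness-tracker data points, in which nothing is consented to by default, a release that changes what is collected invalidates earlier consent, and an erasure request clears the Controller's copy and lists the Processors that must be told to do the same. The category names, the 'MapCo' processor and the 30-day approximation of 'within a month' are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The six data points from the fitness-tracker example above (constructed set).
DATA_CATEGORIES = ("biometric", "location", "time", "name", "weight", "age")

@dataclass
class ConsentRecord:
    purpose: str            # what the data will be used for, as stated to the user
    processors: tuple       # third parties named to the user at consent time
    version: int            # which release's collection scope the user agreed to

@dataclass
class Customer:
    customer_id: str
    # category -> ConsentRecord. Empty by default: nothing is "ticked" until the user acts.
    consents: dict = field(default_factory=dict)
    data: dict = field(default_factory=dict)

def grant_consent(customer, category, purpose, processors, version):
    """Record an explicit, per-category consent given by the user."""
    if category not in DATA_CATEGORIES:
        raise ValueError(f"unknown data category: {category}")
    customer.consents[category] = ConsentRecord(purpose, tuple(processors), version)

def may_store(customer, category, current_version):
    """True only if consent exists for this category and for the current collection scope.
    A release that changes what is collected bumps current_version, invalidating old consent."""
    rec = customer.consents.get(category)
    return rec is not None and rec.version == current_version

def store(customer, category, value, current_version):
    """Store a value, refusing if there is no valid explicit consent for its category."""
    if not may_store(customer, category, current_version):
        raise PermissionError(f"no explicit consent for '{category}'")
    customer.data[category] = value

def erasure_request(customer, received_on):
    """Handle a Right to Erasure request received on an ISO date (YYYY-MM-DD).
    Erases the Controller's copy and returns the Processors that must be told to do
    the same, plus the response deadline ("within a month", approximated here as 30 days)."""
    to_notify = sorted({p for rec in customer.consents.values() for p in rec.processors})
    customer.data.clear()
    customer.consents.clear()
    deadline = date.fromisoformat(received_on) + timedelta(days=30)
    return to_notify, deadline.isoformat()
```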
Summary
GDPR affects almost all companies in the UK and the EU, and may require extensive work to software applications which retain personally identifiable information.
The above list of changes is a sample of some of the bigger changes which we will all have to be mindful of while developing forward-thinking, bespoke software solutions.
GDPR is wide reaching and requires that we take a step back and focus on the "what" and "why" of the data we are collecting from our users, along with the impact of the requirement that application users can request removal of their data.
Time is running out for businesses and their customers to become acclimatised to GDPR and how it will affect them. We would strongly recommend having a look through the GDPR legislation itself and holding meetings now to ensure you are well prepared for the changes ahead.
Please note that the information provided in this blog post does not constitute legal advice, and is presented as opinion only.