We’ve been working on getting ready for the EU General Data Protection Regulation (GDPR) for the past few months, and have made significant progress in advance of when the law goes into effect on May 25, 2018. We had to make some interesting decisions along the way, especially since we’re a small company. I wanted to share a few thoughts on what we learned along the way to becoming GDPR compliant, with the hope that it will help streamline the process for your business.
First, it’s important to note that this is not just another obscure privacy law that you can ignore.
Businesses that are not compliant may be sanctioned up to 4% of annual worldwide turnover or fined up to €20M (whichever is higher), per infringement. If your company processes any information about EU citizens, you should start paying attention.
TL;DR: When you collect data linked to a citizen of the EU, they are entitled to know what data is kept, for what purpose, and for how long. Users are entitled to access (“Right to Access”), export (“Right to Data Portability”), change, and permanently delete (“Right to Be Forgotten”) all their data from your systems (read more here). They should be able to access their data as easily as they entered it in the first place.
Changes every company will need to make to become compliant with GDPR include (but are not limited to):
- Changes to your sign-up process to ensure explicit consent is given to collect this data (no more “by clicking on this button you agree to shenanigans”).
- Have a process in place to respond to DSR (Data Subject Rights) requests such as exporting or deleting customer data.
- Make sure that appropriate data security is in place to prevent unauthorized access to customer data (GDPR calls this “Data protection by design and by default”), and make these security measures abundantly explicit. This includes binding commitments on what you’ll do if a data breach occurs. In most cases this will require you to have a Data Processing Addendum (DPA) in place with your customers. (Spoiler: you might find this to be the most time-consuming and expensive part of the process.)
In brief, here is what the new law requires with regard to personal information:
- Requires that consent is given or there is a good reason to process or store personal information.
- Gives a person a right to know what information is held about them.
- Allows a person to request that information about them is erased and that they are ‘forgotten’, unless there is a reason not to do this (e.g. a loan account).
- Makes sure that personal information is properly protected. New systems must have protection designed into them (“Privacy by Design”). Access to data is strictly controlled and only given when required (“Privacy by Default”).
- If data is lost, stolen or accessed without authority, the authorities must be notified, and the people whose data was accessed may need to be notified as well.
- Data cannot be used for anything other than the reason given at the time of collection.
- Data is securely deleted after it is no longer needed.
This will most likely result in two fairly major changes for most companies.
I want to stress this again: you will need a lawyer for this part. There is no way you can just wing these changes. The penalties for getting it wrong (or providing misinformation) are huge.
- Put the “Register” button right underneath the call-out line so that it is not possible to miss.
- Retain the following information in connection with each click-through so you can prove you acquired consent properly: who consented, when they consented, what they were told at the time (terms and policies they agreed to), how they consented, and whether they have withdrawn consent (and if so, when).
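As an added illustration (not code from the original post), here is one way to keep the consent record the list above calls for: an append-only ledger in which every click-through stores who consented, when, a hash of the exact terms text they were shown, how they consented, and any later withdrawal. The `ConsentLedger` class, its method names and the terms strings are hypothetical.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str    # who consented
    at: datetime       # when (UTC)
    terms_sha256: str  # what they were told: hash of the exact terms text shown ("" on withdrawal)
    method: str        # how: e.g. "signup_checkbox", "settings_page"
    granted: bool      # False records a withdrawal of consent


def fingerprint(terms_text: str) -> str:
    """Hash the policy text as shown, so a later edit cannot be passed off as what the user agreed to."""
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only ledger: events are only ever added, never edited or removed (hypothetical design)."""
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, terms_text: str, method: str, at: datetime) -> ConsentEvent:
        self._events.append(ConsentEvent(subject_id, at, fingerprint(terms_text), method, True))
        return self._events[-1]

    def withdraw(self, subject_id: str, method: str, at: datetime) -> ConsentEvent:
        self._events.append(ConsentEvent(subject_id, at, "", method, False))
        return self._events[-1]

    def history(self, subject_id: str) -> list[ConsentEvent]:
        return sorted((e for e in self._events if e.subject_id == subject_id), key=lambda e: e.at)

    def in_force(self, subject_id: str, terms_text: str, as_of: datetime) -> bool:
        """True only if the latest event at or before `as_of` is a grant for this exact terms text."""
        wanted, state = fingerprint(terms_text), False
        for ev in self.history(subject_id):
            if ev.at > as_of:
                break
            state = ev.granted and ev.terms_sha256 == wanted
        return state

    def proof(self, subject_id: str) -> dict:
        """Evidence bundle answering who/when/what/how/withdrawn, e.g. for an audit or access request."""
        events = self.history(subject_id)
        current = events[-1] if events else None
        withdrawn_at = current.at.isoformat() if current and not current.granted else None
        return {"events": [asdict(e) for e in events], "withdrawn_at": withdrawn_at}
```

Because consent is keyed to the hash of the text actually shown, publishing revised terms automatically means `in_force` returns False until the user accepts the new version, and `proof` can still answer what was in force at any past date.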
Data Subject Rights
Data Subject Rights (DSR) is a big topic in GDPR, but for most SaaS apps it comes down to two main things: the right to be forgotten (delete) and the right of data portability (export). For delete requests, all personal data must be deleted within thirty days of receipt of the request. For export requests, customers require all personal information that is held for more than forty-eight hours to be easily accessible upon request.
GDPR law states that DSR requests have to be fulfilled within 30 days of the request being received. So we are committing to our customers that we will respond to their DSR requests without undue delay, thus enabling them to respond to their customers who have made this request within the 30 days required by GDPR. That should give our customers plenty of time to respond to their customers if/when they receive such requests.
We’re in this together
This appears to be every company trying to get ready for GDPR right now:
It’s true that we’re all stumbling around a little bit. But it’s also great to see so many companies take this law seriously — as they should. My sincere hope is that this post contributes a little bit to the discussion, and helps some of you figure out what you need to do to prepare for this law to go into effect.