
GDPR and its implication, how to deal with it?

GDPR is a term you hear either from time to time or all the time, depending on your CEO's anxiety about personal data storage, encryption, and so on. I'm sure you have already met people who hide every decision behind "it's not GDPR compliant" in order to avoid dealing with an operational issue in a project within your company.

Well, this article is mainly about breaking all these bad "GDPR compliant" habits and making you able to answer these people with the right statement ("No Karen, you're talking nonsense here") so you can focus on what really matters in your project at the time.

What is GDPR?

Can't start without a brief section on what the GDPR really is and why it was created; with this basic information, you'll shine at business meetings and Christmas dinners.

GDPR = General Data Protection Regulation

Voted: 27/04/2016 | Applied:

Regulation was tricky in Europe because each country had its own privacy laws and regulations on personal data, some very restrictive and others lighter: multinational companies really struggled to understand each of these differing laws.

GDPR is here to offer a homogeneous personal data protection and privacy legal framework, common to all countries in Europe. This framework applies to any company beyond the European boundaries that offers services there, for example Uber. Also, GDPR applies to all actors regardless of their profile: private and public entities are governed by the same law.

All of this aims to smooth and ease the implementation and expansion of companies and to increase geographical competition, because before GDPR, regional companies were in a better position to enforce anti-competitive measures.


Main principles: consent & protection

The most important goal of the GDPR is quite a simple one: protect personal data. Three words, represented by 99 articles in the regulation text. So yes, you can imagine that there are some specifics within the text. Let's dive into them in order to synthesize only what is needed to understand it properly.

What is considered as "personal data"?

This is the question. All the debates come from and gravitate around this single question. The answer is widely interpreted and sometimes creates comprehension issues within the company, where some people say you can't do whatever the ongoing project needs because of "GDPR".

First, let's focus on what personal data is; later in this article we'll focus on how to deal with these communication issues.

Data is considered personal as long as it can identify a person, directly or indirectly, or can lead to that person's identification.

This answers every single GDPR question you may have. Let's dismantle it.

Identifying a person, directly or indirectly

This means that the data can lead you to a person either directly (first name, last name) or indirectly, through all sorts of indirect identifiers such as numbers (phone, insurance, passport, etc.), biometric data, elements specific to the person (physical, physiological, genetic, psychological, economic, cultural or social) and even things like a client ID (yes, as long as it can be tied to a person, it is considered personal data), voice and images.

A person's identification

All the information above is considered personal data, but it goes slightly beyond that. A person's identification can be straightforward, using indirect data such as a Social Security number or DNA, but that's not always the case. GDPR has also foreseen the use of personal data by big companies that might have multiple data sources that can talk to each other, where the combination of these sources leads to identification.

In other terms, multiple data sources that each contain only indirect data can together lead to identification and are hence considered personal data, by construction.

For example, you can aggregate multiple sources to have information on a woman, living at a specific address, born on a given day, part of a specific chess club and playing Fortnite on weekends. Despite her mediocre taste in video games, this woman can be identified.

Now that you know everything that is or can be considered personal data, let's focus a little on what actually counts as an operation on personal data and how to process personal data properly.

What is considered as "operations on personal data"?

Why do we focus on operations on personal data? Simply because GDPR forbids companies from collecting and storing data for which they have no current use whatsoever, just for their own fun, or because the Chief Data Officer says "let's store this anyway, we'll use it someday".

GDPR insists on this in Article 5, which sets out the principles relating to the processing of personal data.

  1. Lawfulness, fairness and transparency: the user has given consent to the processing of the personal data, the processes are the same for everyone, and they can be audited at any time
  2. Purpose limitation: the personal data processing must have an objective that is specified, explicit and legitimate; you can't store personal data for archival purposes or because it might be useful later
  3. Data minimisation: the collection must select only adequate and relevant data, as limited as possible
  4. Accuracy: collected personal data must be accurate and, where relevant, kept up to date
  5. Storage limitation: storage of personal data must be limited to the time during which the data is meaningful for the business; when the personal data becomes purposeless, you ought to remove it (e.g. through pseudonymization)
  6. Integrity and confidentiality: using appropriate tools and measures, companies must protect the data against unauthorized or unlawful processing and against accidental loss, destruction or damage
  7. Accountability: companies must respect all of the above and be able to demonstrate their compliance at any time

Data processing is not necessarily automated or computerised: flat documents such as printed documents containing personal data are also concerned and must be protected according to the 7 data processing principles.

Knowing what personal data is and how to handle its processing, let's dive into the GDPR's application of the law: consent and privacy.

Consent: privacy by design

GDPR brings to Europe a new way of reinforcing personal data protection among companies: consent. Companies ought to obtain the consent of the user (European citizen) even before a single data point is handled.

This is why you now see plenty of consent checkboxes and popups on websites: companies need the user's consent beforehand.

Three main notions arose and led to tremendous infrastructural changes for the companies:

  1. The European citizen must be able to invoke GDPR Article 17: the right to erasure (also known as the right to be forgotten), meaning that the company shall remove all personal data related to this citizen as soon as possible.
  2. Also, the citizen can refuse to be profiled by automated processing.
  3. Last but not least, citizens can ask to see all of their personal data and to have this data transferred to another actor. This is one reason why nowadays you can switch from bank to bank more easily in Europe: all the actors have been obliged to adapt their infrastructure in order to comply with the law.

Companies had to adapt their infrastructure to these new requirements, and that is also why there were two complete years between the signature of the law and its application.

Now, companies have to build themselves with respect to this law, meaning that they ought to emphasize privacy by design in their construction and growth. Companies have to take data privacy into account in their core components while building their business and related application(s), creating the right services (by API or otherwise) in order to fulfill these three requirements.
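As an added example of what these privacy-by-design building blocks can look like in code (illustrative code written for this article, not part of the original post or of any real product): a hypothetical `PersonalDataStore` that keeps only the fields a stated purpose needs (data minimisation), identifies subjects by a keyed-hash pseudonym, purges records past a retention period (storage limitation), and implements the erasure and portability requests described above. The field names, the key and the 30-day retention are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

ALLOWED_FIELDS = {"email", "plan", "country"}   # the only fields our stated purpose needs (assumed)


class PersonalDataStore:
    def __init__(self, pseudonym_key: bytes, retention_days: int):
        self._key = pseudonym_key        # in practice lives in a secrets manager, not beside the data
        self._retention = timedelta(days=retention_days)
        self._records = {}               # pseudonym -> {"data": {...}, "stored_at": datetime}

    def pseudonym(self, subject_id: str) -> str:
        # Keyed hash: without the key nobody can match a pseudonym against a list of known e-mails.
        mac = hmac.new(self._key, subject_id.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def store(self, subject_id: str, data: dict, now: datetime) -> None:
        if not set(data) <= ALLOWED_FIELDS:  # data minimisation / purpose limitation
            raise ValueError(f"fields outside the stated purpose: {sorted(set(data) - ALLOWED_FIELDS)}")
        self._records[self.pseudonym(subject_id)] = {"data": dict(data), "stored_at": now}

    def erase(self, subject_id: str) -> bool:
        # Article 17 (right to erasure): drop everything tied to the subject, report if anything existed.
        return self._records.pop(self.pseudonym(subject_id), None) is not None

    def export(self, subject_id: str) -> str:
        # Portability: a machine-readable copy of what is held about the subject.
        rec = self._records.get(self.pseudonym(subject_id))
        return json.dumps(rec["data"] if rec else {}, sort_keys=True)

    def purge_expired(self, now: datetime) -> int:
        # Storage limitation: remove records older than the retention period.
        expired = [p for p, r in self._records.items() if now - r["stored_at"] > self._retention]
        for p in expired:
            del self._records[p]
        return len(expired)


def demo() -> dict:
    # Constructed sample subjects; the key and the 30-day retention are illustrative values.
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    store = PersonalDataStore(b"example-key-rotate-me", retention_days=30)
    store.store("Alice@Example.org", {"email": "alice@example.org", "plan": "pro"}, t0)
    store.store("bob@example.org", {"email": "bob@example.org", "plan": "free"}, t0 + timedelta(days=20))
    exported = store.export("alice@example.org")           # same subject despite the different casing
    purged = store.purge_expired(t0 + timedelta(days=45))  # Alice is 45 days old, Bob only 25
    erased = store.erase("bob@example.org")
    return {"exported": exported, "purged": purged, "erased": erased, "left": len(store._records)}
```

Rejecting fields that no stated purpose covers at write time is what keeps the "we'll use it someday" data from ever entering the store.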

How to handle all this together? Who can help to make sure that all these principles are respected and avoid any sanction?

Security: a new job in the house, welcome the Data Protection Officer

Here comes the Data Protection Officer (DPO) that the GDPR now introduces. The DPO has 4 main responsibilities:

  1. Establishes good communication within the company to raise employees' awareness
  2. Provides internal advice on, and control of, GDPR compliance within the company
  3. Ensures the legal security of personal data and its processing
  4. Is generally the company's main representative to the legal authorities

A DPO is only mandatory for specific companies, but is highly recommended for all the others, in order to avoid huge infrastructural changes when the GDPR authorities start to look over a specific company and audit it.

Most companies with a Chief Data Officer (CDO) that can't afford a dedicated DPO position but still want to be as GDPR compliant as they can usually give the CDO the DPO role as well, because they are the closest C-level individual to the data and the processes.

With all this information you should now be able to handle these random "it's not GDPR-compliant" persons within your company. However, they sometimes genuinely care about the company, because if it gets audited, the sanctions are heavier than a bag of candies.

Sanctions, auditing, and prosperity

As any regulation containing rules, it also contains sanctions. To avoid them, you can be the good kid and apply for a GDPR audit alongside your commitment to GDPR-compliant services, to make sure you're properly compliant and no sanction will be raised. Or you could be the bad kid and play the probabilities.

Sanctions

All the GDPR sanctions can be found in Articles 83 and 84. These articles clearly stipulate that if you're risk-averse you should be the good kid. Why so? Because sanctions range between 10 and 20 million euros for small and medium companies (and between 2% and 4% of annual turnover if you're a big company).

Yup, that is why you should take it seriously.

But as data scientists, we might want to go more in-depth with the real data, shall we? Using the GDPR fines data (which you can download below), at the time of writing, out of the 600+ fines issued since the beginning:

  • Only 1% of the fines are above 10M€, wait what? Alright, let's dig.
  • Only 3% of the fines are above 1M€. Huh, come on.
  • Only 13% are above 100k€. Yeah, seriously.
  • 52% of the fines are below 10k€
  • 21% of the fines are below 2k€

The largest fine is €50,000,000 for Google Inc. (unsurprisingly) and the lowest is €28 for... Google (Ireland Ltd.) (surprisingly).

As you can see, the stated amounts are mainly dissuasive; in reality, fairly low amounts are imposed, depending on the seriousness of the personal data infringements, the size of the company, and so forth.

As mentioned in the introduction: all private and public entities are now governed by this common regulation. You can find fined entities ranging from Swedish universities to French doctors, alongside Italian hospitals.

Find the related GDPR fines dataset here at Hoxn to check all the sanctions issued by the authorities since the GDPR came into force.

No worries, you can prevent all that.

Audit

Yes, you can. You can apply for audits, and a specialized company will dive into your business to ensure everything's alright and on the right track, so you can grow under the GDPR principles without spending all your time on it and becoming paranoid.

Companies offering these kinds of services charge about €2,000 (of course it depends on the size of the company and the amount of personal data & processes to deal with; this is a rough average). Remember this number? 21% of the fined companies paid fines of less than this amount. Half of them were fined less than 10k€. This is a trade-off you have to handle and a decision you have to live with.

Usually, a first audit is made and the auditors help the employees and the DPO to instil the "GDPR way of thinking" into building new projects within the company. This means there is no need to adopt a fixed audit frequency, but rather a routine that ensures projects and tasks are GDPR-compliant. In doing so, you make sure that the whole company is compliant, and you don't need to pay for frequent audits.

Being the good kid sometimes pays off. Eventually.

GDPR: What's next?

This summer, the European Commission issued a report on the first two years of the regulation. In this report, the Commission says it will keep going in the same direction in order to protect citizens' rights, amending the current text where issues have been flagged that need to be either fixed or better explained:

  • changes in arrangements around data transfers from the EU to third countries
  • codification of Article 28 controller/processor terms: explaining more in-depth who really is concerned by this text. In this article I've said "company" for comprehension; the text is wider than that and calls them "Processor"
  • some possible relief for Small and Medium Sized Enterprises in terms of compliance
  • a reminder to Member States to properly fund national regulators
  • a wish for less divergence amongst Member States in areas such as the balance between data privacy and freedom of expression
  • a greater focus on requirements to appoint EU representatives for directly regulated entities based outside the EU
  • the latest position on the process for determining whether the UK will obtain an Adequacy Decision after the end of the Brexit transition period.

Find the full report here.

There you go, I hope I could answer some of your questions about the blurry GDPR text; now you have everything in your hands to deal with these issues within your project, company, or elsewhere!
