GDPR is a term you hear either from time to time or all the time, depending on your CEO's anxiety about personal data storage, encryption, and so on. I'm sure you have already met people who hide every decision behind "it's not GDPR compliant" in order to avoid dealing with an operational issue in a project within your company.
Well, this article is mainly about breaking all these bad "GDPR compliant" habits and making you able to answer these people with the right statement, "No Karen, you're talking nonsense here", so you can focus on what's really important in your project at the time.
We can't start without a brief section on what the GDPR really is and why it was created; with this basic information, you'll shine at business meetings and Christmas dinners.
GDPR = General Data Protection Regulation
Voted: 27/04/2016 | Applied:
Regulation was tricky in Europe because each country had its own privacy laws and regulations on personal data, some very restrictive and others lighter: multinational companies really struggled to understand each country's law.
GDPR is here to offer a homogeneous personal data protection and privacy legal framework, common to all countries in Europe. This framework applies to any company beyond the European borders that offers services there, for example Uber. Also, GDPR applies to all actors regardless of their profile: private and public entities are governed by the same law.
All of this aims to smooth and ease the implementation and expansion of companies and to increase geographical competition, because before GDPR, regional companies could be helped in enforcing anti-competitive measures.
The most important goal of the GDPR is quite simple: protect personal data. Three words, represented by 99 articles in the regulation text. So yes, you can imagine that there are some specifics within the text. Let's dive into them in order to synthesize only what is needed to understand it properly.
This is the question. All the debates come from and gravitate around this sole question. The answer is widely interpreted, which sometimes creates comprehension issues within the company, where some people say you can't do whatever the ongoing project needs because of "GDPR".
First, let's focus on what personal data is; later in this article we'll focus on how to deal with these communication issues.
Data is considered personal as long as it can identify a person, directly or indirectly, or can lead to that person's identification.
This answers every single GDPR question you may have. Let's take it apart.
This means that the data can lead you to a person either directly (first name, last name) or indirectly, through all sorts of indirect identifiers such as numbers (phone, insurance, passport, etc.), biometric data, elements specific to the person (physical, physiological, genetic, mental, economic, cultural or social), and even things like a client ID (yes, as long as it can tie you to a person, it is considered personal data), voice and images.
All of the information above is considered personal data, but it goes slightly beyond that. A person's identification can be straightforward, like using indirect data such as a social security number or DNA, but that's not always the case. GDPR has also foreseen the use of personal data by big companies that might have multiple data sources that can talk to each other, where the combination of these sources leads to identification.
In other words, multiple data sources that contain only indirect data can lead to identification and are hence considered personal data, by construction.
For example, you can aggregate multiple sources to get information on a woman living at a specific address, born on a given day, a member of a specific chess club and playing Fortnite on weekends. Despite her mediocre taste in video games, this woman can be identified.
Now that you know everything that is or can be considered personal data, let's focus a little on what an operation on personal data actually is and how to process personal data properly.
Why do we focus on operations on personal data? Simply because GDPR forbids companies from collecting and storing data that they have no current use for whatsoever, just for their own fun, or technically because the Chief Data Officer says "let's store this anyway, we'll use it someday".
GDPR insists on this in Article 5 and sets out principles relating to the processing of personal data.
Data processing is not necessarily automated or computerized: flat documents such as printed documents containing personal data are also concerned and must be protected with regard to the 7 data processing principles.
Knowing what personal data is and how to handle its processing, let's dive into the GDPR applications of the law: consent and privacy.
GDPR brings to Europe a new way of reinforcing personal data protection among companies: consent. Companies ought to obtain consent from the user (European citizen) even before a single data point is handled.
This is why you now see plenty of consent checkboxes and popups on websites: companies need the user's consent beforehand.
Three main notions arose and led to tremendous infrastructural changes for the companies:
Companies had to adapt their infrastructure to these new requirements, and that is also why there were two complete years between the signature of the law and its application.
Now, companies have to build themselves with respect to this law, meaning that they ought to emphasize privacy by design in their construction and growth. Companies have to take data privacy into account in their core components while building their business and related application(s), creating the appropriate services, by API or otherwise, in order to fulfill these three requirements.
How to handle all this together? Who can help make sure that all these principles are respected and avoid any sanction?
Here comes the Data Protection Officer (DPO) that the GDPR now introduces. The DPO has 4 main responsibilities:
A DPO is only mandatory for specific companies, but is highly recommended for all the others, in order to avoid huge infrastructural changes when the GDPR authorities start looking at a specific company and auditing it.
Most companies with a Chief Data Officer (CDO) that can't afford a dedicated DPO position but still want to be as GDPR compliant as they can usually give the CDO the DPO role as well, because the CDO is the C-level individual closest to the data and the processes.
With all this information you should now be able to handle these "it's not GDPR-compliant" people within your company. However, they sometimes do care for the company, because if it gets audited, the sanctions are worth more than a bag of candies.
Like any regulation containing rules, it contains sanctions. To avoid them, you can be the good kid and apply for a GDPR audit alongside your commitment to GDPR-compliant services, to make sure you're properly compliant and no sanction will be raised. Or you could be the bad kid and play the probabilities.
All the GDPR sanctions can be found in Articles 83 and 84. These articles clearly stipulate that if you're risk-averse you should be the good kid. Why so? Because sanctions range between 10 and 20 million euros for small and medium companies (and between 2% and 4% of annual turnover if you're a big company).
Yup, that is why you should take it seriously.
But as data scientists, we might want to go more in-depth with the real data, shall we? Using the provided GDPR data (which you can download below), at the time of writing, out of 600+ fines issued since the beginning:
The largest fine was €50,000,000 for Google Inc. (unsurprisingly) and the lowest fine was €28 for... Google (Ireland Ltd.) (surprisingly).
As you can see, the stated maximum amount is mainly dissuasive; in reality, fairly low amounts are levied depending on the seriousness of the personal data infringement, the size of the company, and so forth.
As mentioned in the introduction: all private and public organizations are now governed by this common regulation. You can find fined organizations ranging from Swedish universities to French doctors, alongside Italian hospitals.
No worries, you can prevent all that.
Yes, you can. You can apply for audits, and a specialized company will dive into your business to ensure everything is alright and on the right track, so you can grow under the GDPR principles without focusing all your time on it and becoming paranoid.
Companies offering these kinds of services charge about €2,000 (of course it depends on the size of the company and the amount of personal data and processes to deal with; this is a rough average). Remember this number: 21% of the fined companies paid fines lower than this amount. Half of them were fined less than €10k. This is a trade-off you have to handle and a decision you have to live with.
Usually, a first audit is made and the auditors help the employees and the DPO instill the "GDPR way of thinking" into building new projects within the company. This means there is no need to adopt a fixed frequency of audits, but rather a routine to ensure that projects and tasks are GDPR-compliant. In doing so, you make sure that the whole company is compliant, and you don't need to pay for frequent audits.
Being the good kid sometimes pays off. Eventually.
This summer, the European Commission issued a report on the first two years of the regulation. In this report, the Commission says it will keep going in the same direction in order to protect citizens' rights, and will amend the current text to address some flagged issues that need to be either fixed or better explained:
There you go, I hope I could answer some of your questions about the blurry GDPR text; now you have everything in hand to deal with these issues within your project, your company, or elsewhere!