The European Union’s General Data Protection Regulation (GDPR), and the much larger fines that come with it, comes into effect on 25 May 2018, making it more crucial than ever to stay in control of your data collection. Protecting the rights of your users is obviously important, but no one wants an increase in workload or complexity to degrade the quality and value of their data.
Lakeside is committed to ensuring SysTrack’s GDPR compliance for our EU customers and we are continuing to develop our product in line with one of GDPR’s core principles, Data Protection by Design and by Default.
GDPR Compliance: The Basics
There are hundreds of pages of dense GDPR legislation to go through, so I’ve condensed some of the key points to keep in mind to reach GDPR compliance. Everything contained in this post represents my conception of the law and in no way constitutes legal advice. It is highly recommended to seek legal counsel regarding GDPR for your organisation.
Who's Who – GDPR applies to any organisation processing the personal data of individuals who are in the EU, regardless of where that processing takes place. Personal data means any information relating to an identified or identifiable person, including anything that could reasonably be combined with other data to identify someone: a name, an IP address, a username, web browsing history, and any data that could be used for profiling. Both the controller (the organisation that determines the purposes and means of the processing) and the processor (the organisation that processes the data on the controller’s behalf) can be held accountable for failing to take appropriate measures. Among those measures, the processor must help the controller meet its obligations and respond to data subjects exercising their rights, and must collect and process only the personal data necessary for the purposes the controller has specified (data minimisation). SysTrack configurations allow user identities to be anonymised (barring cases of disproportionate effort; note that where a mapping back to the user is retained this is strictly pseudonymisation, and GDPR treats such data as still personal) and extensive limits to be placed on what data is collected, with excluding web history being a popular option.
Users' Rights Under GDPR
GDPR expands upon existing legislation regarding the rights of end users, stating them more explicitly as follows:
Right of Access
If a data subject asks to see their personal data and you hold enough to identify them, then you need to provide it, together with the purposes of the processing, the recipients and the retention period, normally within one month and free of charge, unless doing so would adversely affect the rights of others. Keeping collected data in a standardised, queryable schema makes it practical to locate everything held about a given subject and produce it on request, which is what keeps the processing lawful and the subject’s rights supported in practice.
Right of Rectification
If a data subject believes the personal data the controller holds about them is inaccurate or incomplete, you need to be able to correct it. SysTrack data collection and processing relies on what can be objectively observed and measured in the environment; where an inaccuracy does arise, the data can be edited or the collection configuration changed so the issue does not recur.
Right to Erasure
Also called the “Right to be Forgotten.” If a data subject asks for their personal data to be erased, and none of the exceptions apply (for example a legal obligation to retain it or the defence of legal claims), you need to delete it and prevent any further processing. Again, SysTrack configurations can be updated to stop collecting and processing the data where needed.
Right to Restriction
Under the Right to Restriction the data subject can require that processing of their data be limited to storage, for example while the accuracy of the data is being contested, or where the controller no longer needs the data but the subject needs it retained for the purposes of legal claims. Data already collected must then be kept but not otherwise used without the subject’s consent.
Right to Data Portability
Think “Right of Access” plus the right to receive the data in a structured, commonly used and machine-readable format, so the data subject can take a copy with them or have it transmitted to another controller. SysTrack data can be processed into a standardised and exportable format.
Right to Object
The data subject can object at any time to processing based on legitimate interests or a public-interest task, in which case processing must stop unless the controller can demonstrate compelling legitimate grounds that override the subject’s interests; where processing relies on consent, that consent can be withdrawn at any time with the same effect. If that happens, SysTrack has the required functionalities to update the processing accordingly.
Right to Avoid Automated Individual Decision Making and Profiling
If decisions that produce legal or similarly significant effects on a data subject are made solely by automated processing of their personal data, including profiling, and the subject has not explicitly consented (and the decision is neither necessary for a contract nor authorised by law), then they can request human intervention to review the data, express their point of view and contest the decision. SysTrack is a data collection and monitoring tool, not a decision engine.
GDPR Lawful Process
For processing to be lawful it must rest on one of the lawful bases set out in Article 6, and each data subject must be informed, in plain language, of what personal data is collected, the purpose and lawful basis for processing it, how long it is kept, and what their rights are and how to exercise them. Consent is only one of those bases: it must be freely given, specific, informed and unambiguous, and be withdrawable at any time as easily as it was given. In an employer-employee relationship the imbalance of power usually means consent cannot be considered freely given, so workplace monitoring is more commonly justified on legitimate interests or a legal obligation, each of which carries its own tests and documentation requirements.
There are several other areas that should be kept in mind:
Each EU member state must establish one or more independent supervisory authorities that oversee GDPR compliance for organisations operating in, or processing data originating within, its borders, and member states may also impose additional restrictions or requirements on controllers and processors, particularly for employee data. It is important that you stay current, via reliable sources, with the guidance of every supervisory authority relevant to you. As of the time of this writing, guidance on the existing Data Protection Directive (DPD), which GDPR replaces, can be found here.
Data Protection Impact Assessments
GDPR requires a Data Protection Impact Assessment whenever processing is likely to result in a high risk to individuals, so that the controller’s stated purpose and the processor’s methods are checked against the regulation before processing begins. This includes the use of new technology for processing, such as SysTrack, and any systematic monitoring of people. The assessment is the controller’s responsibility (the processor must assist); your supervisory authority may publish a template or a list of processing operations that always require one. Independently of the assessment, your contract with any new processor must set out the processing terms that Article 28 requires. The assessment should be re-evaluated and updated regularly, and whenever the processing changes, to maintain compliance.
In the event of a breach that is likely to result in a risk to individuals’ rights and freedoms, you must notify your supervisory authority within 72 hours of becoming aware of it, describing the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences and the measures taken; where the risk is high, the affected individuals must also be told without undue delay. SysTrack's standardised data formats and its ability to programmatically determine and verify what personal data was in use during the event are two key features that can prove handy when assembling that notification.
Where Next for GDPR Compliance Research
GDPR compliance in an end-user environment may seem overwhelming. If you’re interested in further GDPR resources, I would recommend the UK ICO’s Overview of the General Data Protection Regulation for a general overview and its Consent Guidelines, which cover how to define and properly obtain consent.