GDPR – Another Gosh-Darn Privacy Regulation

As Mike Meikle recently put it, you can now add another acronym to the “Certification Industrial Complex” which includes, but is in no way limited to: ISO, PCI, SOX, SOC, HIPAA, PIPEDA, NIST…

So, what is GDPR? How is it different from the other members of the alphabet soup compliance club? And, what does it mean for SaaS software companies?

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is the biggest shake-up in the history of online privacy regulations in the EU. It replaces a more than 20-year-old European data protection requirement known as the European Data Protection Directive. The 1995 law was no longer relevant given recent technological advances and the obstacles to privacy that they present.

The new legislation has been designed to harmonize data privacy laws across Europe, as well as give greater protection and rights to individuals. It goes into effect on May 25, 2018.

What makes the GDPR new and different?

1. GDPR is far-reaching

GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens. This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it a global data protection law.

2. GDPR widens the definition of personal data

While the definition of personal data has always been fairly wide, GDPR broadens it even further, bringing new kinds of personal data under regulation.

GDPR considers any data that can be used to identify an individual as personal data. This includes, for example, things such as genetic, biometric, mental, cultural, economic or social information about individuals.

3. It affects both “Data Controllers” and “Data Processors”

A Data Controller is an entity which determines the purposes and means for processing personal data. A Data Processor is the entity which processes the data on behalf of the Data Controller. The GDPR introduces direct obligations for data processors for the first time, whereas the current directive only holds data controllers liable for data protection noncompliance. Processors will also now be subject to penalties and civil claims by data subjects for the first time.

4. GDPR tightens the rules for obtaining valid consent to using personal information

Having the ability to prove valid consent for using personal information is likely to be one of the biggest challenges presented by the GDPR.

5. GDPR makes the appointment of a DPO mandatory for certain organizations.

Any business that depends on processing personal information will have to appoint a Data Privacy Officer (DPO) to ensure personal data processes, activities and systems conform to the law.

6. GDPR introduces a common data breach notification requirement

The GDPR harmonizes the various data breach notification laws in Europe and is aimed at ensuring organizations constantly monitor for breaches of personal data.

The regulation requires organizations to notify the local data protection authority of a data breach within 72 hours of discovering it. This means organizations need to ensure they have the technologies and processes in place that will enable them to detect and respond to a data breach.

7. GDPR introduces the right to be forgotten

Organizations cannot store data for any longer than absolutely necessary, and they cannot change the use of the data from the purpose for which it was originally collected. Additionally, they must delete personal data at the request of the data subject.

It also means organizations must ensure they have the processes and technologies in place to respond to those requests.

8. GDPR expands liability beyond data controllers

As noted, in the past, only data controllers were considered responsible for data processing activities, but GDPR extends liability to all organizations that touch personal data.

GDPR also covers any organization that provides data processing services to the data controller, which means that even organizations that are purely service providers that work with personal data will need to comply with rules such as data minimization which refers to the practice of limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose. It should be noted that while there is no independent certification board to impartially assert to a company’s compliance with GDPR, the penalties for violating the regulation are substantial should a company not respond to a privacy issue or suffer a data breach.

What is a commercial SaaS company (like Chrome River) to do?

1. Appoint a Data Privacy Officer to ensure that GDPR’s processes and procedures are implemented and followed.
2. Evaluate and identify the types of personal information that are being collected and establish appropriate protections around that data or decide, if the information is not critical, not to gather the information at all.
3. Work closely with their clients (specifically data controllers) to assure that the clients’ employees and contractors understand their rights and responsibilities under GDPR, and ensure that the clients obtain any necessary consents.
4. Establish processes to delete or obfuscate data that an individual might want ‘forgotten’ in core databases.
5. Develop and test data breach response processes and remember to respond to all inquiries in a timely and open manner.

At Chrome River, the processes and procedures to support GDPR are already in place. As a global software organization serving clients in over 100 countries, it has been a foundational concept that we protect our customers’ information, comply with all applicable privacy laws and regulations and respond in a timely fashion to any questions about our security protocols or the data that we store. As the technological and regulatory landscape continues to evolve we expect to maintain these foundations and serve customers and users in more geographies with the attendant privacy requirements that they will bring.