You just want to answer the question: “What do I need to do for GDPR?”
Maybe you’ve worked your way through a few online quizzes to test for GDPR readiness or skimmed an article that made some vague suggestions.
You might even have attempted to read the source document (European Parliament, General Data Protection Regulation, 4.5.2016 L 119/1) only to find that the human nervous system was designed to violently reject exposure to such dense legalese.
Which is why we’ve translated every chapter and article of the GDPR into something a person might be able to reasonably understand and implement. If you need immediate assistance with your GDPR compliance, request a 1:1 Demo on how Varonis can help.
Get started below:
What it says
EU citizens’ data now has a variety of protections. If your organization has personal data of EU citizens, this applies to you.
So you should
If you’re in the EU, read the rest of this document and start working on your data protection processes.
Located elsewhere? Yes, The GDPR Will Affect You
Don’t believe me? Separate from any regulations, the GDPR is a very practical approach to how to handle all the different aspects of data security.
Even if you’ve personally determined that you don’t necessarily need to become compliant, you definitely need to protect your users’ data, and implementing the GDPR guidelines will help you do that.
What it says
This covers any file or database that has a person’s name or an ID in it.
So you should
Start tracking all of the data stores that are used in your company across marketing, research, customer service, support, etc.
What it says
It doesn’t matter what country the hard drive containing the data is in, if it is about an EU citizen the GDPR applies.
So you should
Know where your data is located and where your marketing is occurring. Is your mobile app (even the free version) available in the European app markets? Did the new “growth hacker” hire decide to put $20 into a trial display ad that happened to include an EU country?
Learn more about GDPR Territorial Scope
What it says
Personal Data – anything that you could conceivably use to identify a person within a larger group. This is likely broader than you think: combining data points counts as personal data too. While being left-handed doesn’t necessarily single you out, being a left-handed male making between 30k and 60k who lives in the village of Shropshire on Lee may well.
Profiling – learning anything about a person’s preferences or inclinations. Seems mostly concerned with predicting behavior or future actions.
Controller – if you’re reading this, most likely this means you. It’s whoever decides what to do with the data that’s been collected. If you run a website that uses any marketing or analytics services you’re a controller.
Processor – typically this is any company that the controller tells to handle their data for any purpose. If you run a website and use Google Analytics, Google is the processor as they are acting at your direction.
So you should
Start making a list of all of the outside entities that you use for analytics, marketing or anything else within your company. Note: because humans are digital pack rats, make sure you include things like Box, Dropbox, GDrive or on premise storage systems as they’ll inevitably have files in them like: “Top 10 most common support issues 2015” that are stuffed to the brim with people’s names and IDs.
You’ll also want to start tracking down any external services used on your website, your web host, etc. You don’t want to go through this exercise only to find out that your site backups are stored on an internet-accessible Pentium box running under someone’s desk.
A good example of this is how Paypal has listed the Category, Party, Purpose and what Data is disclosed to each partner: Paypal 3rd Party List
What it says
Personal data should be kept:
– Accurate and up to date
– Secured
– Transparent about how it’s going to be used
– Restricted to the minimum needed to do the job
So you should
– Review what you’re doing with any collected data
– Track where you received it
– Get consent (opt in) for using it
– Have a plan for deleting stale or out of date data
For stale unstructured files consider using an automated application like the Data Transport Engine to continuously purge dangerous data.
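As an added illustration (not Varonis code and not part of the original post), here is a small Python scanner that does the job this section describes for a file share: walk a directory, flag every file that contains a personal-data marker, record how old it is, and mark the ones past the retention window as purge candidates. The three regexes and the CUST-###### customer-ID format are assumptions made up for the example, and the files it scans are constructed in a temporary directory so it runs offline.

```python
import os
import re
import tempfile
import time

# Illustrative markers only (an assumption for this example, not a full
# classifier): an email address, a long digit string that looks like a phone
# number, and a hypothetical internal customer-ID format.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\+?\d[\d \-]{8,}\d\b"),
    "customer_id": re.compile(r"\bCUST-\d{6}\b"),
}

def scan_text(text):
    """Return {marker: count} for every pattern that matches somewhere in text."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits

def scan_tree(root, max_age_days, now=None):
    """Walk root and report every file that carries a personal-data marker.

    Each finding records the relative path, the markers found, the file's age
    in days (from its modification time) and whether it is older than the
    retention window, i.e. a candidate for review and purge."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip here, a real scanner would log it
            hits = scan_text(text)
            if not hits:
                continue
            age_days = (now - os.path.getmtime(path)) / 86400
            findings.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "markers": hits,
                "age_days": round(age_days, 1),
                "purge_candidate": age_days > max_age_days,
            })
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Create a throwaway directory of constructed files to scan."""
    root = tempfile.mkdtemp(prefix="gdpr-scan-")
    os.makedirs(os.path.join(root, "support"))
    samples = {
        "support/top10_issues_2015.txt":
            "Ticket from jane.doe@example.com (CUST-000123): login loop on Safari\n",
        "support/release_notes.txt": "Fixed retry logic in the exporter.\n",
        "current_customers.csv": "id,email\nCUST-004567,bob@example.org\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    # Backdate the 2015 file so it falls outside a one-year retention window.
    old = time.time() - 900 * 86400
    os.utime(os.path.join(root, "support/top10_issues_2015.txt"), (old, old))
    return root

if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree(), max_age_days=365):
        print(finding)
```

Run as-is it reports the old support file as a purge candidate and the current customer list as a file you need to know about but keep; the release notes never appear because they carry no marker. The point of the age column is that a purge rule should never be "delete everything that matches", only "review what matches and is past its retention period".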
What it says
Tell people what you are going to do with the data. Do that. Don’t do things with it other than that.
So you should
Educate your whole staff on what are and are not appropriate uses for collected data.
Provide a contact point and procedure for who to contact if violations are found.
What it says
– Be able to prove consent was given for data
– Don’t bury the consent and usage info
– Use plain language and be specific
– Seriously, don’t use the data for things they didn’t consent to
So you should
– Update any email newsletter or contact forms with improved consent language and links to your online Privacy Policy and TOS
– Set up internal documentation linking data to what has been consented
– Be prepared to prove that you have consent for your collected data
What it says
– Humans 16 years of age and older can give their consent
– Under 16? You’ll need their parent or guardian to give consent
– The “choose your DOB” form used on things like mature movie trailers is probably not going to cut it.
– Not human? You have other problems than GDPR.
So you should
Add filters keeping out children and don’t track people until consent is given
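The two sections above (proving consent, and refusing it from under-16s without a guardian) fit together in one piece of code. The following Python consent ledger is an added example, not part of the original post and not a Varonis product: it records consent per purpose together with the policy version and the form it came from, refuses to record consent for anyone under 16 unless a guardian is on the record, keeps withdrawals instead of deleting the evidence, and gates a tracking action on an existing consent. The ISO-string timestamps, the purpose names and the `track_pageview` helper are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MIN_AGE = 16  # the threshold quoted in the section above

def age_on(dob_iso, day_iso):
    """Whole years between two ISO dates, not counting a birthday not yet reached."""
    dob, day = date.fromisoformat(dob_iso), date.fromisoformat(day_iso)
    years = day.year - dob.year
    if (day.month, day.day) < (dob.month, dob.day):
        years -= 1
    return years

@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                      # one record per purpose: "newsletter", "analytics", ...
    policy_version: str               # which privacy-policy text the person actually saw
    source: str                       # the form or page where consent was captured
    given_at: str                     # ISO timestamp
    guardian_id: Optional[str] = None   # filled in when a parent or guardian consented
    withdrawn_at: Optional[str] = None

class ConsentLedger:
    """Append-only record of consent events, so consent can be proven later and a
    withdrawal is visible without deleting the original evidence."""

    def __init__(self):
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id, dob_iso, purpose, policy_version,
                       source, when_iso, guardian_id=None):
        # The age gate: under-16s need a guardian on the record, otherwise refuse.
        if age_on(dob_iso, when_iso[:10]) < MIN_AGE and guardian_id is None:
            raise PermissionError(f"{subject_id} is under {MIN_AGE}: guardian consent required")
        rec = ConsentRecord(subject_id, purpose, policy_version, source, when_iso, guardian_id)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, when_iso):
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = when_iso

    def has_consent(self, subject_id, purpose):
        """Gate every tracking or marketing action on this: no record, no processing."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def evidence(self, subject_id, purpose):
        """What you hand an auditor: every consent event for this subject and purpose."""
        return [r for r in self._records if r.subject_id == subject_id and r.purpose == purpose]

def track_pageview(ledger, subject_id, page):
    """Example of a gated action: analytics are only recorded once consent exists."""
    if not ledger.has_consent(subject_id, "analytics"):
        return None
    return {"subject": subject_id, "page": page}
```

The design choice worth copying is that `withdraw` never deletes: the original consent event, its policy version and the later withdrawal all stay in the ledger, which is exactly the evidence you need when asked to prove what a person agreed to and when they stopped agreeing.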
What it says
Unless required by some other law (employment or real estate) – don’t collect any data about race, politics, religion, union status, health data, sex life or sexual orientation.
So you should
Review the data you currently have on hand and make sure that none of these special categories of data exist and/or could be inferred from the data you control.
It’s important to also consider a seemingly innocuous data field like “hobbies” and what that might indicate about a person.
What it says
Unless you’re working for a legal organization you shouldn’t keep any data regarding convictions, or offenses about a person.
So you should
If you’re one of those places doing “online criminal record checks” you should probably just shut down and open an Etsy store selling band posters.
What it says
If you can legitimately claim that you can’t track a person from the interaction – it’s ok to tell them and then not track them.
So you should
Consider something like an anonymous feedback box at a supermarket.
It’s data. It’s collected. But there’s no correlation with other sources or means of identification, so it’s ok to not get opt in consent.
What it says
Be honest with people, use plain language to describe what you’re doing with their data at the time you collect it.
If people ask for what data you know about them don’t take longer than 30 days (from the request being made) to respond.
If people start trolling by making a crazy number of requests or other abusive actions, it’s ok to deny the request (within reason) or to charge a small fee for it to be completed.
If you think someone might be scamming by making a fake request on behalf of a legitimate person, it’s ok to ask them to prove their identity in another way.
Providing information to people along with standardized icons would be nice, just make sure they’re machine-readable.
So you should
Run any copy you write by a non technical person (or professional copywriter) to see if it makes sense.
Consider checking with a tool like the BlaBlaMeter or WhiterRhino’s Marketing Detector Tool
Have a procedure in place to handle requests from people to see, delete or fix their personal data (note the 30 day deadline).
What it says
In your online forms (or anywhere you collect data from people), provide:
– Contact information for the company (and ideally the Data Privacy Officer)
– Describe what you’re going to use the data for
– List what categories of data you’re collecting
– How long you’re going to keep the data
– How to contact you about issues or to remove the data
– If the data is going to be used for profiling and in general terms the logic involved.
– You just need to do all this the first time, if they fill out a second form 30 seconds after the first we can assume they haven’t forgotten it all yet.
What it says
All of the above should be available even if you’re not collecting personal information.
So you should
Same as above
What it says
– People are allowed to ask if you have their data and you need to respond whether or not you do.
– If you do have their personal data, you need to provide them on demand:
– Why you have it
– What categories of personal data you have
– Who in your organization or third-parties accessed it (in particular if they were in another country)
– How long you plan on keeping their data
– That they’re able to request to have their data deleted or fixed
– Source of where data was obtained
– That they have the right to lodge a complaint with the EU Commission if they’re displeased with your response.
– Unless something weird is going on, provide the data electronically
– Don’t compromise other people’s data while doing this
So you should
Be able to answer the questions listed here about the data you have on hand. In particular, the source, how long you have it and what steps to take if there are issues, errors or if they want it deleted.
If you haven’t already, pick an existing customer and run through the exercise of pretending they sent you a so-called “nightmare letter” that fully exercises all of their rights under the GDPR.
What it says
If someone identifies a problem with your data about them, you need to fix it.
So you should
Have a procedure in place to handle information update requests.
What it says
If any of the following apply, you need to be able to remove their data from your system ‘without undue delay’, which, while they don’t come out and say it here, probably means within 30 days.
– They withdraw consent (aka they feel like it) and there’s not a legal reason to keep it
– Data has been unlawfully processed (used for a purpose beyond what it was intended)
So you should
Have a procedure in place to handle data deletion requests.
This is generally described as the Right to Be Forgotten.
What it says
People can request that their data be kept, but not worked with if that is what makes sense for a legal claim or while things are sorted out.
This is conceptually similar to a work stoppage on a construction site. Nobody is asking that you fill in the excavated foundation or pull out the pilings, but you can’t proceed with adding new floors or wiring the place up.
So you should
Have a procedure in place to handle data stoppage (pause) requests.
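The three procedures above (fix, delete, pause) are easiest to get right if every record carries an explicit processing state and every use of the data goes through one gate. The Python store below is an added example written for this page, not code from Varonis or from the post: a record is active, restricted or erased; restricted records may still be stored and copied out for a legal claim but cannot be processed; erasure is refused when a documented legal reason to keep the data is supplied; and every change is queued for the processors that hold copies. The processor names, the outbox message shape and the in-memory storage are assumptions of the example.

```python
from typing import Dict, List, Optional, Tuple

ACTIVE, RESTRICTED, ERASED = "active", "restricted", "erased"

class ProcessingRestricted(Exception):
    """Raised when code tries to process a record that is paused or gone."""

class SubjectStore:
    """In-memory stand-in for a customer database, plus the list of processors
    that hold copies so that each change is propagated to them as well."""

    def __init__(self, processors):
        self.processors = list(processors)
        self.records: Dict[str, dict] = {}
        self.state: Dict[str, str] = {}
        # (processor, action, subject, field) messages still to be sent downstream
        self.outbox: List[Tuple[str, str, str, Optional[str]]] = []
        self.log: List[str] = []

    def _notify_processors(self, action, subject_id, field=None):
        for p in self.processors:
            self.outbox.append((p, action, subject_id, field))

    def add(self, subject_id, data):
        self.records[subject_id] = dict(data)
        self.state[subject_id] = ACTIVE

    def rectify(self, subject_id, field, value):
        """Right to rectification: fix the value here and everywhere it was sent."""
        if self.state.get(subject_id) == ERASED:
            raise KeyError(f"{subject_id} has been erased")
        self.records[subject_id][field] = value
        self.log.append(f"rectify {subject_id}.{field}")
        self._notify_processors("rectify", subject_id, field)

    def restrict(self, subject_id):
        """Pause: keep the data, stop using it (the work-stoppage case above)."""
        self.state[subject_id] = RESTRICTED
        self.log.append(f"restrict {subject_id}")
        self._notify_processors("restrict", subject_id)

    def lift_restriction(self, subject_id):
        if self.state.get(subject_id) == RESTRICTED:
            self.state[subject_id] = ACTIVE
            self.log.append(f"unrestrict {subject_id}")
            self._notify_processors("unrestrict", subject_id)

    def erase(self, subject_id, legal_basis_to_keep=None):
        """Right to erasure. A documented legal reason to keep the data wins;
        otherwise drop the record and tell every processor to do the same."""
        if legal_basis_to_keep:
            self.log.append(f"erase {subject_id} refused: {legal_basis_to_keep}")
            return False
        self.records.pop(subject_id, None)
        self.state[subject_id] = ERASED   # tombstone, so later requests can be answered
        self.log.append(f"erase {subject_id}")
        self._notify_processors("erase", subject_id)
        return True

    def can_process(self, subject_id):
        return self.state.get(subject_id) == ACTIVE

    def process(self, subject_id, fn):
        """Every use of the data goes through this gate."""
        if not self.can_process(subject_id):
            raise ProcessingRestricted(f"{subject_id} is {self.state.get(subject_id, 'unknown')}")
        return fn(self.records[subject_id])

    def snapshot_for_claim(self, subject_id):
        """The one read that restriction still permits: a copy for a legal claim."""
        if self.state.get(subject_id) in (ACTIVE, RESTRICTED):
            return dict(self.records[subject_id])
        return None
```

Two details matter in practice: the erased tombstone lets you answer "do you have my data?" with a truthful "no, it was erased on request" instead of silently losing the history, and the outbox is the list of processors from the earlier inventory exercise, because an erasure that stops at your own database is not an erasure.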
What it says
If you have to do a bulk rectification, erasure or restriction (pause in processing) on a user’s data you need to inform them.
So you should
Be aware of scenarios that would escalate to this and require notice. For example, if a single person found an issue with your data collection that you then needed to perform on all of your data, you would need to notify all affected.
What it says
People can request the data that you have about them
The data should be machine readable (CSV, XLS, XML, JSON).
The data should be structured and the entire process automated if possible
So you should
Start working on data export features to pull all of a user’s associated data out of your system and into an export format.
You need to handle unstructured data as well as data held in a database.
How to find GDPR data in Word, Excel, Exchange and Sharepoint
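The access-request section (what a person is owed, the 30 day clock, identity checks and abusive request volumes) and the portability section above are really one feature: build the answer, then hand it over in a machine-readable format. The Python below is an added example for this page, not code from the post or from Varonis. It assembles the response fields listed above from constructed sample systems (a customer table, a processor list, an access log and an index of unstructured files), parks the request when identity is unverified or the volume is excessive, returns only the requester's part of a shared file, and exports the result as JSON and CSV. The 30 day window comes from the section above; the "five requests in 30 days" threshold, the data sources and the field names are assumptions made for the example.

```python
import csv
import io
import json
from datetime import datetime, timedelta

RESPONSE_WINDOW_DAYS = 30          # the deadline the sections above quote
EXCESSIVE_REQUESTS_PER_30D = 5     # hypothetical threshold for "manifestly excessive"

# Constructed sample systems. A real implementation would query the CRM, the
# ticketing system and a file index instead of these literals.
CUSTOMERS = {
    "u1": {"email": "jane@example.com", "name": "Jane Doe", "plan": "pro",
           "source": "signup form, 2017-03-02", "retention": "account lifetime + 1 year"},
    "u2": {"email": "bob@example.org", "name": "Bob Roe", "plan": "free",
           "source": "trade show badge scan", "retention": "2 years"},
}
PURPOSES = {"email": "account login, billing", "name": "billing", "plan": "service delivery"}
PROCESSORS = ["analytics_vendor (US)", "email_provider (IE)"]      # third parties holding copies
ACCESS_LOG = [("u1", "support_agent_7", "DE"), ("u1", "crm_sync", "US"), ("u2", "support_agent_7", "DE")]
# Unstructured files that mention several people: only the requester's part may be returned.
FILE_INDEX = [{
    "path": "support/top10_issues_2015.txt",
    "excerpts": {"u1": "Jane: login loop on Safari", "u2": "Bob: export button missing"},
}]
RIGHTS = ["rectification", "erasure", "restriction of processing",
          "complaint to the supervisory authority"]

def response_deadline(requested_at_iso):
    """Last day to answer, counted from when the request arrived."""
    return (datetime.fromisoformat(requested_at_iso)
            + timedelta(days=RESPONSE_WINDOW_DAYS)).isoformat()

def build_dsar_response(subject_id, requested_at_iso, identity_verified, prior_requests_30d=0):
    """Assemble the answers listed above, or the reason the request is parked."""
    resp = {"subject_id": subject_id, "deadline": response_deadline(requested_at_iso)}
    if not identity_verified:
        resp["status"] = "identity_check_required"
        return resp
    if prior_requests_30d >= EXCESSIVE_REQUESTS_PER_30D:
        resp["status"] = "excessive: charge a fee or refuse, and document why"
        return resp
    record = CUSTOMERS.get(subject_id)
    resp["holds_data"] = record is not None
    if record is None:
        resp["status"] = "no_data"     # still answer: the person is owed a yes/no
        return resp
    fields = {k: v for k, v in record.items() if k not in ("source", "retention")}
    internal = sorted({f"{who} ({country})" for s, who, country in ACCESS_LOG if s == subject_id})
    resp.update({
        "status": "ready",
        "purposes": {k: PURPOSES[k] for k in fields},
        "categories": sorted(fields),
        "recipients": PROCESSORS + internal,
        "retention": record["retention"],
        "source": record["source"],
        "rights": RIGHTS,
        "data": fields,
        "files": [{"path": f["path"], "excerpt": f["excerpts"][subject_id]}
                  for f in FILE_INDEX if subject_id in f["excerpts"]],
    })
    return resp

def export_json(resp):
    """Machine-readable copy of the whole response."""
    return json.dumps(resp, indent=2, sort_keys=True)

def export_csv(resp):
    """Flat CSV of the structured fields, suitable for importing elsewhere."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["field", "value", "purpose"])
    for k in resp["categories"]:
        writer.writerow([k, resp["data"][k], resp["purposes"][k]])
    return buf.getvalue()
```

The file-index part is the piece most teams forget: a support document that names ten customers is personal data about all ten, so the export must carve out the requester's excerpt rather than attach the whole file, or you have just breached the other nine while answering one.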
What it says
People can object to “profiling”, shaping content or what’s presented to them and request to be opted out.
So you should
Have an opt out system in place to stop remarketing, profiling, etc.
What it says
People can opt out of entirely machine made decisions about themselves.
So you should
Have a system for manual review of automated processes and notifications in place.
What it says
Individual countries can make laws that change these regulations for a bunch of cases like national security, etc.
So you should
You probably don’t have to worry about this if your job title isn’t “Minister of Security” or “Head of DHS”
What it says
You need to document what you’re doing to comply with GDPR and be able to prove it in cases where it’s not self evident.
So you should
Keep a record of GDPR training, procedures, steps taken, etc.
What it says
You shouldn’t collect more data than you need and what data you do collect you need to pseudonymise.
So you should
Educate your teams on privacy and data protection by design.
Check out the Privacy by Design Cheatsheet
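Pseudonymisation and minimisation are concrete enough to show in code. The Python below is an added example for this page (not the post's own code, and not a Varonis product): it replaces each person's direct identifiers with a keyed HMAC token, keeps only the fields the analytics job actually needs, coarsens the quasi-identifiers that make the "left-handed male on 30k to 60k in one village" problem from the definitions section possible, and stores the token-to-person lookup separately from the analytics rows. The sample records, the income bands and the postcode handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("email", "name", "phone")

# Constructed sample records; income and postcode are the kind of
# "quasi-identifiers" that single people out once combined.
SAMPLE_RECORDS = [
    {"email": "Jane@Example.com", "name": "Jane Doe", "plan": "pro",
     "income": 45000, "postcode": "SY7 1AA", "handedness": "left"},
    {"email": "bob@example.org", "name": "Bob Roe", "plan": "free",
     "income": 82000, "postcode": "SY7 1AB", "handedness": "right"},
]

def make_pseudonym(secret_key, value):
    """Keyed hash of a normalised identifier: stable per person, but without the
    key nobody can recompute tokens for guessed emails (a plain SHA-256 of an
    email is reversible by dictionary, which is why HMAC is used instead)."""
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(secret_key, canonical, hashlib.sha256).hexdigest()[:16]

def generalise(rec):
    """Coarsen quasi-identifiers so a single row no longer points at one person."""
    income = rec.get("income")
    if income is None:
        band = None
    elif income < 30000:
        band = "<30k"
    elif income < 60000:
        band = "30k-60k"
    else:
        band = "60k+"
    postcode = rec.get("postcode")
    area = postcode.split()[0] if postcode else None   # outward code only
    return {"income_band": band, "area": area}

def pseudonymise(records, secret_key, keep=("plan",)):
    """Split each record into an analytics-safe row and a separately stored
    lookup entry. Only the fields in `keep` survive verbatim (minimisation);
    everything else is either tokenised, generalised or dropped."""
    safe_rows, lookup = [], {}
    for rec in records:
        token = make_pseudonym(secret_key, rec["email"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        row = {"subject": token, **{k: rec[k] for k in keep if k in rec}, **generalise(rec)}
        safe_rows.append(row)
    return safe_rows, lookup

def re_identify(token, lookup):
    """Only the team holding the lookup table (and the key) can go back to a person."""
    return lookup.get(token)

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # keep this out of the analytics environment
    rows, lookup = pseudonymise(SAMPLE_RECORDS, key)
    for row in rows:
        print(row)
```

Note what is not in the analytics row: the "handedness" field was never needed, so it is gone rather than tokenised. Minimisation is mostly deciding what not to copy in the first place.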
What it says
If you’re sharing your data with another organization, you both need to agree who is responsible for what.
So you should
Get data sharing agreements in writing and clearly spell out responsibilities.
What it says
If you’re routinely collecting data (and for sure if it’s special category or criminal data) you need to designate a person in the EU as your representative for these matters.
So you should
Hire someone who resides in an EU country.
What it says
Services (Processors) that you (as the Controller) use need to be GDPR compliant.
They also aren’t allowed to put personal data into a non EU data center or transfer it to another third party without your say so.
So you should
Make sure all the services you use are GDPR compliant.
Most services should now have some page on their website that indicates their GDPR compliance status. On your own GDPR compliance page you should list and link to theirs.
What it says
Services that have been given personal data for processing should only work with the data as instructed.
So you should
If you’re not a processor, this doesn’t apply to you. If you are, then don’t engage in any speculative cross-customer analysis, sell the data for other purposes, etc.
What it says
You need to track what is happening with personal data across your organization and any services it goes to. Including to what purpose.
If you have fewer than 250 employees, aren’t collecting data every day and aren’t dealing with special categories or criminal data, you don’t have to do this.
So you should
Figure out which data is sensitive, who can access it, and set up auditing so that you have a record of exactly what is happening to that data and can alert on and investigate anything suspicious.
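"Set up auditing and alert on anything suspicious" is the part worth seeing as code. The Python below is an added example for this page (not from the post, and not how the Varonis product works): it parses constructed audit lines of the form `<timestamp> <actor> <action> <field> <subject>`, keeps only accesses to fields classified as sensitive, and runs two detection rules over them: access outside office hours, and one actor touching at least 20 different people's sensitive data inside a sliding ten-minute window (the bulk-read pattern of someone pulling a list they shouldn't). The log format, the set of sensitive fields, the office hours and both thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical classification of which fields count as sensitive in this system.
SENSITIVE_FIELDS = {"health_record", "salary", "national_id"}
OFFICE_HOURS = (8, 19)   # 08:00 to 19:00 local; assumption for the off-hours rule

def build_sample_log():
    """Constructed audit lines: '<timestamp> <actor> <action> <field> <subject>'."""
    lines = [
        "2018-05-21T09:01:12 alice read salary u1",
        "2018-05-21T09:02:40 alice read salary u2",
        "2018-05-21T02:11:05 bob read health_record u1",
    ]
    # bob pulls 25 different people's national IDs in four minutes
    for i in range(25):
        ts = datetime(2018, 5, 21, 10, 0, 0) + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} bob read national_id u{100 + i}")
    # carol touches many subjects, but only a non-sensitive field
    for i in range(40):
        ts = datetime(2018, 5, 21, 11, 0, 0) + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} carol read plan u{200 + i}")
    return lines

def parse_line(line):
    ts, actor, action, field, subject = line.split()
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "field": field, "subject": subject}

def detect(events, bulk_threshold=20, window=timedelta(minutes=10)):
    """Two rules over sensitive-field events: off-hours access, and one actor
    touching >= bulk_threshold distinct subjects inside a sliding window."""
    alerts = []
    sensitive = [e for e in events if e["field"] in SENSITIVE_FIELDS]
    for e in sensitive:
        if not (OFFICE_HOURS[0] <= e["ts"].hour < OFFICE_HOURS[1]):
            alerts.append({"rule": "off_hours", "actor": e["actor"],
                           "at": e["ts"].isoformat(), "field": e["field"]})
    by_actor = defaultdict(list)
    for e in sensitive:
        by_actor[e["actor"]].append(e)
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)   # subject -> number of its events inside the window
        start = 0
        for i, e in enumerate(evs):
            in_window[e["subject"]] += 1
            while e["ts"] - evs[start]["ts"] > window:   # slide the window forward
                old = evs[start]["subject"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= bulk_threshold:
                alerts.append({"rule": "bulk_read", "actor": actor,
                               "subjects": len(in_window), "at": e["ts"].isoformat()})
                break   # one alert per actor is enough to open an investigation
    return alerts

if __name__ == "__main__":
    for alert in detect([parse_line(l) for l in build_sample_log()]):
        print(alert)
```

On the sample log alice's two daytime reads produce nothing, carol's 40 reads produce nothing because "plan" is not sensitive, and bob produces both alerts. The classification step is what makes the rules usable: without it the bulk rule fires on every support agent doing their job.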
What it says
If your country’s supervisory authority asks to see your GDPR homework, you need to show them.
So you should
Be sure to document all of the steps you’re taking for GDPR compliance.
Perhaps more importantly you need to handle complaints from people regarding their data seriously as they may well escalate into fines and investigations.
What it says
You should keep data secure.
– Encrypted at rest
– Ability to restore/recover from disaster
– Regular testing for security issues
– Take extra care to consider data breaches and consequences
So you should
Implement modern digital security methods.
– Secure Data Storage
– Entitlement reviews
– Data Breach plans
What it says
Once you become aware of a data breach (loss of data control) you have 72 hours to notify the [supervisory authority](https://www.varonis.com/blog/gdpr-data-protection-authority-supervisory-listing/)
So you should
Have a data breach response plan.
Have a method of reporting security issues internally.
What it says
You need to tell people ‘without undue delay’ if their data has been breached.
This will likely be determined to be within 72 hours (matching the supervisory authority timeframe)
So you should
Have a data breach incident plan ready to go.
Have a method of notifying users.
What it says
Before you bring on new services to deal with data, you should figure out what impact that will have on security in terms of what exactly they are going to do with the data, and in particular whether they’re going to do profiling/filtering based on the data.
So you should
Document what impact each new service might have on your internal data protection efforts.
What it says
If you’re doing some kind of data processing that would put data at risk, you need to consult with the supervising authority beforehand.
They’ll give you a written response within 8 weeks. Fun.
So you should
If you’re doing something like releasing an “anonymized” dataset that may still have some privacy impacts, you should get prior approval from the supervising authority.
What it says
There needs to be a single point of contact within your organization who can field requests about GDPR related items.
So you should
You need to designate a Data Privacy Officer.
They should be a competent Infosec professional who can address concerns and has the tools to act on requests.
What it says
The DPO needs to be involved with data processing tasks and taken seriously.
– They can do other tasks, as long as they don’t have a conflict of interest.
So you should
Many organizations already have a CISO (Chief Information Security Officer) and it’s likely that many CISOs will pick up DPO responsibilities as well.
Whatever the title, what’s important is that data privacy and security concerns are considered within whatever projects happen in your organization.
What it says
The DPO should advise the company on how to comply with the GDPR on an ongoing basis.
So you should
Don’t treat your DPO like a mushroom farmer.
What it says
Industries should draw up codes of conduct describing how GDPR regulations should be implemented within a specific industry.
For instance, the Pan European Game Information association might issue a Code of Conduct describing how game developers should handle the data they collect about gamers. In the same way they make recommendations about video game content around language, violence, and age ratings, they could make recommendations about how user data should be handled.
This makes a lot of sense as what they’re doing has a very different relationship with personal data than other industries like aluminium smelting or car repair.
So you should
You should check if there are any codes of conduct that your trade organization has published.
Codes of Conduct are still being developed and for the time being appear to be voluntary. It is something to keep an eye on as that may change or compliance may become entwined with other industry certifications or requirements.
For instance, PEGI ratings are not required for new video games, but the vast majority of retailers won’t stock your game in their store without one.
Similarly, there may come a time when PEGI releases a Code of Conduct describing the data protection standards needed to meet certification.
What it says
Associations (like PEGI in the above example) may monitor organizations to see if they’re complying with their published Code of Conduct.
So you should
If a Code of Conduct is available in your industry the association has final say over whether or not you meet the requirements of it.
What it says
Associations can establish certifications (a stamp of approval) that can be granted to organizations who meet the terms of the Code of Conduct
So you should
Check if a certification is available for your organization.
What it says
Certification groups need to be approved by the supervisory authority.
So you should
Check if the certification you’re working towards has been approved by the supervisory authority
What it says
You should get permission before transferring data.
So you should
Have a process in place for documenting data transmission actions and agreements
What it says
If the Commission says another country meets their rules, you don’t need the permission to transfer there.
So you should
Check what countries are included before going through the transfer agreements.
What it says
If you transfer data to another country it will need to have adequate data safety laws and guarantees.
So you should
Read the fine print on each country’s approach to data safety.
What it says
If a company that is not in the EU wants to handle EU data they can create binding corporate rules that match the GDPR regulations.
If these are strictly followed then it could be ok to transfer data to them out of the EU.
So you should
If you are planning to work with a company outside of the EU/GDPR requirements, find out if they have corporate rules that could make them GDPR compliant.
What it says
If a judge orders data to be transferred it needs to not violate international law.
So you should
It seems odd to have to write this, but “don’t violate international law”
What it says
If there are no rules in the country you’re transferring data to, you need to at least get the user’s permission first (or have another good reason).
So you should
If you’re following the other directives to get user consent before taking action, you should be covered for this as well.
What it says
Countries should get along.
So you should
Hope they do get along, it would make all of our jobs easier.
What it says
Countries should monitor whether companies are paying attention to these GDPR rules.
So you should
You should find out what agency or division within your country is handling GDPR enforcement.
What it says
Supervising authorities shouldn’t take bribes or have conflicts of interest.
So you should
Refrain from bribing your supervising authority. This isn’t FIFA.
What it says
The people in the supervising authority should be appointed by the government.
So you should
No need to run a political campaign, the people are appointed not elected.
What it says
It’s up to each country to figure out the job requirements and terms for the people in the supervising authority.
So you should
Polish up that LinkedIn resume and start looking at the ads in the Economist for a hot new career in authoritative GDPR supervising.
What it says
There’s a lot of technical details involved with GDPR (encryption, data storage and transfer). The people who have oversight on this should be able to understand the concepts at play in the field of data security.
So you should
Check out the Troy Hunt courses on Web Security Fundamentals, Computer Security and the GDPR attack plan.
What it says
Supervising authorities should handle issues that mostly happen in their own countries.
So you should
While the GDPR is EU wide, your interactions with it will most likely be with the supervising authority of your own country.
What it says
If you’re a Supervisory Authority, you should hear complaints, promote data safety and be a force for good in the efforts of data safety and security.
So you should
There’s nothing you directly need to do with respect to this article, but I think it’s nice that they aspirationally added it anyway.
It at least gives me hope that the supervising authorities will do more than draconically enforce GDPR requirements.
What it says
Supervisory authorities can issue warnings to companies, force companies to issue data breach notices, withdraw certification and order the suspension of data flows.
So you should
If you’re in communication with your authority, they can cause your organization significant distress. Listen to them.
What it says
Every year you should publish a report to the public stating what actions you have taken.
So you should
You should do your best to keep your company off of this report.
What it says
Supervising Authorities should help each other out
What it says
Supervising Authorities should share their information and requests with one another.
What it says
If an incident or investigation calls for it – supervising authorities should conduct joint investigations.
What it says
Hold onto something. We’re about to tell you how to cooperate.
What it says
Specific items like new requirements, criteria or corporate rules need to be approved by the Board.
What it says
The Board will handle disputes between SAs (supervisory authorities).
What it says
If some new technology or process is developed (like quantum brain data telepathy) that’s outside the bounds of current regulations, and it’s time sensitive, the SA can implement a new regulation without going through the Board.
So you should
Refrain from inventing any technologies that will disrupt the secure communications infrastructure and data storage of the world’s economy. AKA no practical quantum computing
What it says
The Commission will figure out how to get supervising authorities to securely share information with each other later.
So you should
Find out if the Commission sorted out how to do this in a GDPR compliant manner.
What it says
There is now a European Data Protection Board (because we said so). Every country gets to pick one person from their supervising authority to be on it.
So you should
Find out who your country’s representative is and wish them luck with this new endeavor.
What it says
The Board is a strong independent Board that lives life on its own terms and doesn’t take guff from anybody.
So you should
Respect the Board.
What it says
We’re going to make guidelines for your guidelines.
So you should
Read the guidelines.
What it says
Every year there will be a public report of our activities which will include practical suggestions and best practices.
So you should
Look for this report as when it comes out it could be genuinely useful and informative.
What it says
Most votes wins for decisions, but if you want to change the rules you need a 2/3 vote.
So you should
Start lining up a super majority of representatives if you want to make substantive changes to the GDPR regulations.
What it says
There will be a chair and two deputies who are elected. 5 year term. 2 term limit.
So you should
Find out who the chair of the committee is and follow them on Twitter.
What it says
Hold meetings. Talk to the lead supervising authorities.
What it says
The secretariat will handle the day to day business
So you should
Keep it firm in your mind that this is a serious and responsible position held by a respected individual within an august institution and not the horse that won the Triple Crown in 1973.
What it says
Board business can be confidential if it’s sensitive.
So you should
Opt to not hack the Board. That would be in poor taste.
What it says
Anyone can make a complaint to the supervising authority about any company that is in possession of their data.
The supervisory authority needs to take this complaint seriously and keep the person making the complaint updated on their investigation into the issue.
So you should
You don’t need to take any direct action with respect to this article, but it underlines one of the primary ways that you and your organization may come to the attention of your supervising authority.
In particular, you should note that it’s a requirement of your GDPR compliance that you inform and direct people to the supervising authority where they can make a complaint.
– Look up the Data Protection Authority in your country and note the others in case you’re contacted by one.
What it says
Individuals can sue the supervisory authority if they feel that their complaint wasn’t appropriately handled.
So you should
This article is highly unlikely to affect you (as I can’t imagine a supervising authority reading this article for legal advice).
However, I think this article is really illuminating as to how serious the Commission is about implementing GDPR.
It’s explicitly writing in ways for people to escalate up through organizations > supervising authorities > legal systems to protect their data and discover how it’s being used.
What it says
Users have a right to a “judicial remedy”
So you should
Involve your corporate legal counsel as you could be brought to court in parallel with or as an escalation from a complaint.
What it says
Users can create a non profit legal entity to more effectively sue companies (controllers and processors) together in court.
So you should
Be prepared to get lots of class action lawsuit emails.
What it says
If a controller is being sued in another country the case in the starting country can be suspended.
So you should
Good luck to you if you’re a controller or processor embroiled in lawsuits in multiple countries simultaneously.
What it says
1. Who can receive compensation?
Anybody who had their data rights infringed (even if they weren’t directly harmed).
2. Who is liable?
Any controller or processor who messed up.
3. Any outs?
Only if you can prove that you were not in any way responsible (including negligence); otherwise you’re stuck.
4. How is compensation split?
Where multiple entities are responsible, each of them is liable for the full payment.
5. Claim backs?
After a processor/controller has paid the user they can sue each other in court over who is really liable.
6. What jurisdiction is this?
The country you’re in.
So you should
Significant thought and weight has been put into the GDPR describing exactly how you and your organization are going to pay out fines.
The process greatly favors the individual raising a complaint against you.
What it says
Fines for violations shall be “effective, proportionate and dissuasive”
Depending on how well you’ve been securing data and getting user consent this could be millions of dollars or 2% of your revenue.
So you should
Do all you can to comply with GDPR regulations as this isn’t a light switch of fine/no fine.
It is a sliding scale that takes into account what you’re doing with the data, what controls are in place, documentation, processes, etc.
What it says
Countries can add on fines above and beyond what is laid out here.
So you should
Limber up your checkbook.
What it says
Supervising authorities can’t hinder journalists’, academics’ or artists’ freedom of expression with their rules (in general).
So you should
If you’re dealing with data that is generally in the public interest you should look more closely at your data handling procedures.
What it says
Governments and entities still need to hold onto your information if it’s in the public interest.
So you should
Not expect to be able to get out of a parking ticket by invoking the Right to be Forgotten.
What it says
Each government needs to set rules on how their National ID is treated
So you should
It’s not sufficient to just treat your own country’s ID information as personal and sensitive. You need to find and alert on the IDs from each EU country.
What it says
Governments can set more specific laws around employment data
So you should
Employment data in your organization’s HR department may well be kept in a separate system than your user data. It has its own set of rules governing access and what needs to happen with it under GDPR.
What it says
Archiving in the public interest can occur, but needs to be deliberately safeguarded
So you should
It’s unclear how exactly the limits of archiving in the public interest will be set.
But if you’re doing work in a protected area it’s likely that the supervisory authority will recognize that.
What it says
Intelligence agencies get their own set of rules
What it says
Religious institutions have some special exemptions
So you should
If you’re a church, mosque or other religious organization, the existing privacy laws you operate under apply in addition to the GDPR.
What it says
This is all subject to change if we’re ordered to do so
What it says
The Commission has a committee
What it says
The old privacy and data regulations are out, GDPR is in.
What it says
GDPR needs to fit in with these old regulations
What it says
Any one off international agreements are dead. Long live GDPR!
What it says
Every 4 years the Commission will report on the status of the GDPR.
What it says
There may be some inconsistencies with other legal acts. The Commission will work to smooth those out.
What it says
Judgement Day is May 25th 2018