GDPR for Tech Products
by Kateryna Petrenko, IT lawyer at Legal IT Group
What is GDPR?
The EU General Data Protection Regulation, known as GDPR, replaced the Data Protection Directive 95/46/EC a few years ago and had everyone talking about it well before it came into force. It has been a while, but the Regulation is still top news. The reason is quite obvious: the main idea of GDPR is to give individuals more control over the personal data that is collected, kept and processed by so-called controllers and processors. There are certain consequences of the Regulation for companies that do business in the EU (or have anything to do with EU citizens' personal data), and for their tech products as well. They must be compliant.
Is it crucial? Yes. Is it complicated? Always. However, with the whole new philosophy of being transparent and trustworthy for your clients, the effort is definitely worthwhile.
Taking a closer look at tech products affected by GDPR, let us stop at the three most common in IT: apps, marketplaces and software-as-a-service. The GDPR requirements mentioned in this article are overviewed rather generally, and so are the legal tips. They are grouped loosely, tentatively and in our own opinion, which means that in most cases a requirement may be more significant for a certain product than for others (not that it is inapplicable to the others at all).
Privacy by design
Among other GDPR requirements, there is one that demands holding and processing only those categories of personal data that are unavoidable for the proper work of your tech product. The risk of failing to comply with it is really high if you do not think it through before development has begun: instead of honestly asking yourself “Do we really need birth dates/full addresses/annual income/etc.?” and making it clear right away, you collect all the data “just in case”. Foreseeing this probable way of thinking, the GDPR authors created a requirement called privacy by design.
The idea of privacy by design is to put privacy first and make it preventative: decide which personal data you need (and anticipate the risks that holding and processing each category may bring) while developing the whole concept of your app, website, software etc., and before you start building it. So do not rush your timelines; take enough time to see the whole picture before the work starts, and it will pay off.
There must be a legal reason to collect and process any kind of personal information, which under the Regulation is at least one of six possible options (Chapter 6 of the GDPR). Consent is arguably option number one on the list.
As a legal basis for processing personal data, consent is a person's clear and voluntary permission, given prior to processing, to process his/her personal data for one or more stated purposes; it can also be easily withdrawn if the person (data subject) no longer wants the processing to continue.
Consent under GDPR shall always be an action. Remember the pre-ticked boxes? They are not accepted anymore. The reason is that clarity is demanded now, which means consent should never be assumed.
Children's personal data
It is known that quite a large percentage of app users (this especially refers to games) are minors. As children are usually less aware of the possible risks to their personal data, as well as of their rights as data subjects (which are no different from adults' rights), they need particular protection when their personal data is collected and processed.
The age of consent under GDPR is 16 years old. Some countries apply their own age of consent, sometimes lower, and others stick to the GDPR age. Some organisations are fine with collecting and processing the personal data of children under this age. However, this does not mean that consent may be omitted: in this case the parents, or whoever holds parental responsibility, give it for the child.
If you aim at a younger audience, consider that GDPR protects the personal data of minor users in other ways too, e.g. there are stricter requirements on automated decision making that involves such data.
Remember what we wrote about consent a bit earlier? Pay attention to it for your marketplace as well. You would probably consider sending newsletters and various advertising messages to your customers via email, for example, and if so, you really should create an opt-in box (or an equivalent) and then regularly maintain the list of those data subjects who have given consent to such mailing.
Of course, it is true that not all cookies are used in a way that allows the user to be identified. However, most (advertising, analytics, chat tools etc.) are considered personal data. To become compliant, the organisation must either stop collecting cookies or find a lawful ground to process that data.
Updates to your policies
Keep an eye on your policies from time to time and ask yourself regularly whether they reflect what you actually do with personal data. There might be (and probably will be) some changes in your processing, so don't forget to reflect them in the documentation.
Also, an organisation is obliged to inform its customers about updates to its policies. While some minor updates may be omitted, the big ones had better be announced with a website banner (or an equivalent).
It is obvious that collecting someone's email and collecting their biometric data are not the same thing at all. So it is intuitively clear that a data subject risks more by giving someone his/her sensitive data.
As for GDPR, there is a list of types of information defined as sensitive. These categories (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data and biometric data) are very specific and most companies do not need them to do their business. However, if your company does need such data, you should meet additional requirements: get the individual's explicit consent to collect and process it; keep sensitive data encrypted and/or pseudonymised and separate from other personal data; reflect your activity in collecting and processing the necessary categories of sensitive data in your policies, etc.
If you deal with someone's personal data, you need to guarantee that such information is and will be fully protected. Depending on the types of information you collect and your budget, you can find a suitable solution for being secure. The security measures the GDPR suggests are divided into two groups, organisational and technical. Organisational ones refer to the safety of your locks, risk assessments and non-disclosure agreements with your employees; technical ones include encrypting data, ensuring that systems and services provide cyber security, providing the ability to restore access to personal data, maintaining a process for evaluating system security and so on.
The very first and most important step to information security is to assess the risks and understand the impact on the fundamental rights and freedoms of individuals that would result from a possible loss of security of the personal data. A number of factors need to be considered by the data controller, such as the types of personal data, the criticality of the processing operation, the volume of personal data, special characteristics of the data controller, and special categories of data subjects. Depending on the level of such impact, you shall take steps towards securing your clients' privacy.
In general, processors usually have fewer security obligations than controllers. However, under GDPR they must apply a level of security that is not lower than the controllers', with all the measures included.
Your third parties – are they compliant?
If you are a controller under GDPR, you are obliged to pay attention to the contractors you are going to work with and to the conditions on which you are going to transfer the retained personal data to them. To make your relations with third-party partners compliant, you must sign a data processing agreement (DPA) with each of them. A DPA is a legal instrument that establishes the third party's obligation to process personal information exclusively for the purposes and in the way that you, as a controller, have anticipated, as well as to provide all the necessary security measures (those we have written about above).
Of course, it is better if both the processor and the controller are GDPR-compliant. However, even if not, a detailed and clear DPA is a fine way for the controlling party to play it safe.
There are some general tips on how to bring any tech product closer to GDPR compliance.
Basically, GDPR compliance is fully tied to auditing of the processes involving personal data. That is why a GDPR audit, or, as it is called, a Data Protection Impact Assessment (DPIA), shall be step number one in your journey to meeting all the GDPR requirements.
In fact, a DPIA does not concern all aspects of being in compliance; it is only about data impact assessment. Organisations are not prohibited from using other forms of auditing not mentioned in the Regulation in addition to the DPIA; however, such an audit won't be an appropriate proof of your actions towards compliance.
“If not, what is the point of doing it anyway?” you might ask. The answer is that if any activity gives you the opportunity to see flaws in your data collection and processing and then set all the processes right, do it. GDPR is not a piece of cake, so regular, twice-a-year auditing, plus audits before doing business with a new partner or conducting risky operations with data, etc., is the key to consistency between the organisation's activity and the legal requirements.
Data mapping is one of the starting points when it comes to a DPIA. To comply with GDPR, organisations need to map their data flows within the organisation. If the data is transferred to other organisations for the purpose of processing, the data map should reflect these connections too. Basically, a data map contains information on the types and categories of data collected, the purposes of its collection, the legal basis for processing, data storage information (place of storage, retention period etc.), data transfer methods and destinations, and third parties' locations.
Why is having a fully detailed data map worthwhile? First of all, mapping reveals possible risks in the data flow even where they are not obvious. It also helps you understand whether your data security solutions are adequate. Gaining full visibility of the process gives a clear view of what is done and what is not, so it is a good idea to repeat the data mapping from time to time to see the changes and adapt to them.
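As an added illustration (this is example code written for this article, not code from the author or from Legal IT Group), the data map described above can be kept as structured records and checked automatically against several of the tips in this article: a legal basis and retention period for every flow, explicit consent plus encryption/pseudonymisation and separate storage for the sensitive categories, parental consent where children are involved, and a signed DPA for every third party that receives data. The field names, the short labels for the lawful bases and categories, and the three sample records are assumptions made for this example.

```python
"""Data-map records with an automated compliance-gap check.

Added example, not code from the article or from Legal IT Group. It models the
data map the article describes (categories of data, purpose, legal basis,
storage and retention, transfers and third-party locations) and turns several
of the article's tips into checks. Field names, lawful-basis labels and the
sample records are assumptions made for this example, not terms fixed by the
Regulation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The six lawful bases the article refers to, as short labels (assumed names).
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}

# Special categories listed in the article, as labels used in the data map.
SPECIAL_CATEGORIES = {"racial_or_ethnic_origin", "political_opinions",
                      "religious_or_philosophical_beliefs",
                      "trade_union_membership", "genetic_data", "biometric_data"}


@dataclass
class Transfer:
    """A transfer of the flow's data to a third party (a processor)."""
    recipient: str
    location: str
    dpa_signed: bool  # is there a data processing agreement with them?


@dataclass
class DataFlow:
    """One row of the data map: what is collected, why, and where it goes."""
    name: str
    categories: List[str]
    purpose: str
    legal_basis: Optional[str]
    storage_location: str
    retention_days: Optional[int]
    encrypted_or_pseudonymised: bool = False
    stored_separately: bool = False
    explicit_consent: bool = False
    involves_children: bool = False
    parental_consent: bool = False
    transfers: List[Transfer] = field(default_factory=list)


def check_flow(flow: DataFlow) -> List[str]:
    """Return human-readable findings for one flow; an empty list means no gaps."""
    findings: List[str] = []
    if flow.legal_basis not in LAWFUL_BASES:
        findings.append(f"{flow.name}: no recognised legal basis for processing")
    if flow.retention_days is None:
        findings.append(f"{flow.name}: retention period is not defined")
    special = sorted(SPECIAL_CATEGORIES.intersection(flow.categories))
    if special:
        if not flow.explicit_consent:
            findings.append(f"{flow.name}: special-category data {special} without explicit consent")
        if not flow.encrypted_or_pseudonymised:
            findings.append(f"{flow.name}: special-category data {special} not encrypted or pseudonymised")
        if not flow.stored_separately:
            findings.append(f"{flow.name}: special-category data {special} not stored separately")
    if flow.involves_children and not flow.parental_consent:
        findings.append(f"{flow.name}: children's data processed without parental consent")
    for t in flow.transfers:
        if not t.dpa_signed:
            findings.append(f"{flow.name}: transfer to {t.recipient} ({t.location}) without a DPA")
    return findings


def check_data_map(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Run the check over the whole map; only flows with findings are returned."""
    report: Dict[str, List[str]] = {}
    for flow in flows:
        found = check_flow(flow)
        if found:
            report[flow.name] = found
    return report


# Constructed sample data map: one clean flow, one with several gaps, and one
# children's-data flow missing parental consent. Recipients are made-up names.
SAMPLE_DATA_MAP = [
    DataFlow("account_email", ["email"], "account login", "contract",
             "eu-west", 730,
             transfers=[Transfer("mailer-co (assumed)", "EU", dpa_signed=True)]),
    DataFlow("face_login", ["biometric_data"], "biometric login", "consent",
             "eu-central", None,
             transfers=[Transfer("cloud-analytics (assumed)", "US", dpa_signed=False)]),
    DataFlow("kids_game_scores", ["username", "score"], "leaderboard",
             "legitimate_interests", "eu-west", 365, involves_children=True),
]

if __name__ == "__main__":
    for name, findings in check_data_map(SAMPLE_DATA_MAP).items():
        print(name)
        for line in findings:
            print("  -", line)
```

Running the script prints the gaps for the two non-compliant sample flows; the clean flow produces no output. Re-running the check whenever a flow is added or changed is one way to make the periodic re-mapping the article recommends a routine step rather than a one-off exercise.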
Detailed and user-friendly policies
It is important to make your policies easy to find and easy to read, so it won't take too much effort for your customers to learn how your company uses their personal data. Not only is it another GDPR requirement, it is also a matter of good attitude and respect for the real people who use something you have created.
In case of any further questions, you can contact Kateryna via Legal IT Group website.