Who will get the control of personal data after GDPR?

When taking steps in the digital arena footprints are left behind. While browsing websites or when accepting the terms of use of a certain application, data is stored. Data that contains sensitive and personal information (IP address is also a personal information). That is why EU is imposing a new set of rules in the form of General Data Protection Regulation (GDPR). The goal of GDPR is to protect EU citizens from privacy and data breaches in a world never so digitally connected as it is now. The directive was first established in 1995, we have to bear in mind that a lot has changed since then.

Who do we trust our personal data with?

I had the pleasure to watch a "funny" video a couple of weeks ago, which tried to demonstrate how would accepting terms of use of a digital app look like in an analogue world. People were - to put it mildly - astounded when asked for data about them, which they share in the digital world with just one click. Let's assume you download an app which, prior to installing, demands access to identity, contacts, SMS, media, camera, microphone, device ID & call information. You have a choice not to accept that kind of terms, but you won't be able to use the app. But as like with previous 83 apps you downloaded to your phone, you do the same for the 84th time and accept the terms. Great. Now let's see how this will play out in an analogue, physical world. You come to a store, want to buy something. A product, or an app. But you have to deal with a person behind the counter and share all those sensitive information with a person. You will probably be quite reluctant to share your contacts with this person. But we have no problems doing that digitally. In each of those cases, all this information about you, your phone, your contacts, locations you visited, what you bought using the phone, is stored somewhere. To be used later. For some purposes.

More rights for users

The data will still be collected and stored, but there will be made some important amends to how one will give consent and the possibility to withdraw that consent will be introduced. Even more, the language of the consent will have to be given in a clear and plain language.

Other important rights will include:

1. Breach notifications will become mandatory in all member states where a data breach is likely to result in a risk for the rights and freedoms of individuals. 
2. We as subjects will have the right to demand a confirmation from data controllers whether the personal data about us is being processed and for what purpose. A data controller is a natural or legal person, public authority, agency or other bodies which, alone or jointly with others, determine the purposes and means of the processing of personal data. 
3. The data erasure or the right to be forgotten entitles each subject to request the data controller to erase the personal data, stop with the further dissemination of the data and also stops third parties from further exploiting the data. 
4. Data portability means that the subject has the right to receive the personal data concerning them and also having the right to transmit that data to another controller. 
5. A concept of privacy by design has existed for a couple of years now, but only now with the GDPR becomes a legal requirement. This means that data protection should be included from the onset of designing a system. And not just adding it later. The concept of data minimization is also added, meaning that controllers should hold on and process only the data necessary for the completion of its duties. And they should also limit the access to personal data to processors. To clarify, a processor is a natural or legal person, public authority, agency or other bodies which processes personal data on behalf of the controller.

What is expected to be done?

GDPR is much more than just a set of technical solutions. It has deeper and broader implications and extends itself also on organizational, legal and process level. There are no shortcuts to be GDPR compliant, but it shouldn't be too complicated either. There isn't, and probably won't be, a single, generic solution for all "needs". However, it is to expect that further work on GDPR module will be done and new features added. The download count is still quite low, but we should wait to see what happens. 

But one can't expect a one size fits all solution. Each individual Drupal website will need a tailored solution to be GDPR compliant. The list of what to do to be compliant is quite extensive. Instead, I will focus myself on what not to do, what are the practices you should avoid by all means:

1. Users agree on a certain scope of purposes the data about them will be used. Don't use the data for purposes users haven't agreed to. 
2. Collecting too much information about your users could present a violation. You should collect only the data you absolutely need. If not delivering someone goods you probably don't need their home address. 
3. Logging personal data is another on a not-to-do list. It would definitely be a hassle to get rid of the personal data from log files, but you should find a way. Personal data includes also the IP address.
4. If you assume 3rd parties are compliant, stop. It is your responsibility if there is a breach in one of the 3rd parties or processors you send data to. 
5. Having an ISO 27001 certification is a good start, but it doesn't guarantee compliance. Other measures and activities also to be taken into consideration. 

Websites will have to comply with new regulations and (re)consider how they gather data and for what purpose and also the storage functionality. This could involve a substantial amount of work and database changes. But because of the non-compliance fines which are quite high, one will have to invest in it.

 

 

If you have a Drupal website, have clear guidance about what needs to be changed, and you are unsure about how to make the necessary technical and developmental changes, then please get in touch and see how we can help.