What you need to know about GDPR in 2019

Today we’ll talk about the “great and terrible” GDPR (General Data Protection Regulation). Although the regulation was adopted in May 2018, many companies still do not meet all of its requirements.

We sat down with our DPO (Data Protection Officer) and asked him to explain in simple terms what the GDPR is and what companies must do to avoid large fines.

The article contains footnotes quoting the regulation's basic definitions.

- What is GDPR?

- GDPR is an international law ¹ that applies to the whole world, although it was adopted in the EU. It is a law that protects the rights of users on the Internet, regulating, in particular, the transfer, processing and storage of the personal data of every person who is in the EU or is an EU citizen.

¹ “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

- Even if he uses the services / sites of companies outside the EU?

- Yes, its international status extends the effect of the law beyond the EU. If someone uses resources available to him from the territory of the EU, or is an EU citizen located in another state, he is still subject to this law.

- What was the reason for its adoption?

- The adoption of the GDPR was preceded by many cases of data abuse, including abuse of personal data. Marketers began to “terrorize” people with various kinds of research. They began to study a person's behavior and habits and use this knowledge, thus making him more defenseless. When a person performed some action on a site, recommendation systems, for example, pushed him toward a certain behavior.

Facebook, at some point, began to legally sell user data for research outright. In addition, all biometric data came under protection, and this is very important since electronic passports were introduced in the EU.

- What should companies from non-EU countries do in order to comply with the requirements of this law?

- It is necessary to observe the rules that this law defines. First of all, you need to notify users that information is being collected. This is the first thing a visitor to the resource encounters. The company must convey to the user absolutely clearly and simply (including through design solutions) what it wants from him, which of his data is collected, and why it needs it. If, for example, weight parameters are collected, it is necessary to indicate how they will be used (if the real goal is to offer a weight-loss drug, that should be written).

- Should data be stored in anonymized form?

- The law requires that data be anonymized and stored in different places. But the fact is that there are two main roles here: processor ² and controller ³.

The controller is the one who collects and uses this data; it is obligated to store it anonymously and in different places, so that, for example, attackers who gain access to one database cannot match that data to a real person. For example, your name, address, bank card number, height, weight, marital status, etc. Each item should be stored in a different database: the name in one, marital status in a second, the address in a third, and so on.

But each company has algorithms that allow it to link all of this together and use it for its own purposes. Thus, providing data storage is one thing, but processing ⁴ it is something completely different. There should be data access protocols. If they are absent, the commission will establish this in the event of a leak; and if you had no protocols, the commission will decide that you stored the data well but did not process it well, and take action.

² “'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”;

³ “'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law”;

⁴ “'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

- How is the process of bringing an existing site / business into compliance with the requirements of this law organized?

- First of all, you need to analyze the current state of data collection and processing. Accordingly, if only one server is used at the moment, it is necessary to split it into several, so that it is impossible to hack all the databases from one source. Protection should be at the point where information enters, and the server should be constantly monitored by antivirus software. It is advisable to provide a second Internet channel, so that in case of a leak through one channel it can be switched off and the problems fixed while work continues on the other channel. Access should only be through a secure VPN connection. All major browsers now show warnings when trying to open pages without HTTPS.

If HTTPS is used, all is well. Incidentally, Google, which for a long time ignored some requirements of this law, treats the presence of an SSL certificate as one of its search ranking factors.

- What are the consequences of non-compliance with the requirements of this law?

- If we are talking about an EU resident, then of course there will be penalties and instructions issued by the regulatory authorities after analysis and investigation. In principle, at the macro level, this is all regulated by a high fine of EUR 20 million, or 4% of annual turnover. The European court considering the case would sooner choose 4% of turnover than 20 million euros.

But this is the maximum. A year has passed since the law entered into force, and there have already been practical cases. In cases where the leak was minimal and no one was hurt, the attackers were caught and the company was simply issued a warning. If, through negligence, something was not done, a fine was issued, from a couple of thousand to hundreds of thousands of euros. To date, the largest fine, €50 million, has been issued to Google for continued neglect of certain requirements of the law. Loss of biometric data is punished particularly severely, for example at medical institutions; this was warned about from the outset.

- Who is required to comply with this law, and to whom does it not apply?

- It does not apply to those who do not store personal data ⁵, that is, data that allows a person to be identified or his location determined. An IP address, for example, also falls here, although at the moment the commission does not consider an IP address personal data. A name and phone number are personal data if they are collected with the intention of not only contacting the person but also using them in some other way. If they are collected only for communication, the data does not fall under the law and there are no limitations on the retention period; such purposes do not involve selling goods or predicting user behavior.

It is also worth remembering that an e-mail, login or password, taken separately, is not personal data. Only those parameters that allow a person to be identified or located are, for example an IP address combined with a MAC address.

In the post-Soviet space, we are accustomed to the idea that “if it’s not allowed, it’s forbidden”; in liberal countries, on the contrary, “what’s not prohibited is allowed.” These are two completely different paradigms and attitudes towards the law. And, accordingly, the presumption of innocence applies here: until proven guilty, you are not guilty.

⁵ “'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”;

- Now the Commission has submitted another law on the protection of personal data, the law on cookies. Tell us more about this.

- This is precisely the question of IP addresses. Through an IP address you can determine where a person is and the entire configuration of his equipment. But at the same time it is necessary to somehow comply with this law. For now, IP addresses have been moved outside the scope of this law. But the issue has not gone away; the question remains open, because it still requires regulation. There have already been two drafts, and soon there will be a third. Their use is going to be cut back considerably. Great Britain has already begun moving in this direction.

If the law is adopted in its current version, Google and similar companies simply will not be able to operate in the EU. Now everyone is lobbying to soften this law. But credit is due to the EU: they pay great attention to people, their citizens and residents, and they are promoting this law in people's favor. For now the law has not been adopted, and is not even in the final reading phase. But judging by practice, even if it is adopted in 2019, 1-2 years are usually given to bring everything into order.

Now the whole question is only how deeply companies will be allowed to penetrate people's personal lives.

- What team is required to implement the measures that bring a site into compliance with this law?

- Usually this involves part-time work; in rare cases the whole team must be involved full time. An analyst audits the current state of affairs in the company and produces specifications for implementation. A system administrator or DevOps engineer is responsible for hardware, communication channels and so on, and a programmer finalizes the site.

- What will be the result of the work of the team and the client's company?

- First of all, the work with personal data (processing) will change: collection, processing and storage will be brought into compliance with the law. With a high degree of probability, a new position will appear in the client's company: Data Protection Officer (DPO). Work will be done on the company's website and on the documentation available to users (Safety Statement, Privacy Policy, Cookie Processing Policy, etc.). Internal protocols for access to and processing of users' personal data will appear.

You can learn more about GDPR at this link: https://www.gdpreu.org/ (the resource is available only in English).