What data-driven businesses need to know about the GDPR

tl;dr

  • Make sure you have a lawful basis for processing personal data.

  • Put together a document that outlines what data you store, where it comes from, and who you share it with.

  • Ensure your data is clean and up to date, and be aware of any data where disclosure is “likely to result in a high risk to the rights and freedoms of individuals”; you can collect such data only in specific circumstances. You may also need a parent or guardian’s consent to collect data for individuals under the age of 16.

  • Review the eight rights that the GDPR grants individuals, and make sure you have systems in place to honor them.

  • Review your privacy policy and ensure it meets the requirements under the GDPR.

Introduction

We’re in the final days of the countdown to GDPR enforcement. GDPR introduces new legislative requirements that impact the way you collect, manage, protect, and share data.

The GDPR protects European residents by giving them the means to allow or withhold permission for businesses to process their personal data. It sets out stringent new requirements for businesses to obtain consent for processing customers’ personal data. Indications of consent must be unambiguous and involve a clear affirmative action; no pre-ticked checkboxes allowed. And businesses are supposed to make the process of withdrawing consent as easy as providing it.

Personal data is any information that allows direct or indirect identification of an individual. In addition to legal names and ID numbers, personal data may include cookie IDs, usernames, device identifiers, and IP addresses.

Controllers and processors

Different kinds of businesses have different responsibilities when it comes to keeping personal data private. The GDPR’s Article 4 makes a distinction between two kinds of entities — controllers and processors. A controller “determines the purposes and means of the processing of personal data,” and a processor “processes personal data on behalf of the controller.” If you collect, process, and store information about people, you’re a controller. Businesses that provide data warehouse platforms, ETL services, and analytics software, all of which store or process data on behalf of controllers, are clearly processors. But you can be a data controller in one context and a processor in another. Stitch plays both roles — we’re a processor for the data we move on behalf of our customers, but we’re a controller when it comes to data about our customers and users.

Article 28, which covers processors, states:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

In other words, controllers must pick processors that comply with the GDPR, or risk penalties themselves. The EU can impose heavy fines (up to the greater of €20 million or 4 percent of the company’s global turnover), and GDPR violations can also damage a company’s reputation.

Let’s walk through the responsibilities both controllers and processors have to become compliant with the terms of the GDPR.

Compliance for controllers

For data for which you’re a controller, your first step should be to document the places and ways that your company processes personal data:

  • What data do you collect?

  • Where does it originate?

  • Where do you replicate it to?

  • Who has access to it?

  • Do you share it with other organizations?

  • How long will you retain it?

  • What rights do the data subjects have, and how can they access, rectify, erase, and restrict the processing of their personal data?

All controller organizations (and some processors) must designate a data protection officer and give them authority to assess compliance situations and mitigate noncompliance risks. The data protection officer should also be responsible for vetting new systems. When you roll out new technology for processing personal data, the GDPR calls for you to make a data protection impact assessment to identify and mitigate any risks that might arise. Among the technologies you must assess are analytics, BI software, ETL, data pipelines, data warehouses, and data lakes.

To minimize the risk profile for any application, it’s good practice to architect each system to collect, process, and store only the data that’s necessary for a specific purpose. You can also use pseudonymization, which the GDPR defines as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” That additional information is kept separately in a protected repository.

You should also define all the processes that you’ll follow when individuals assert their rights under the GDPR, such as asking to see the data you maintain about them, or asking you to delete their data.

Compliance for processors

Like controllers, processors have responsibilities under the GDPR. The relationship between a controller and a processor must be covered by a contract that details the duration, nature, and purpose of the processing, the types of data processed, and the obligations and rights of the controller.

If they meet certain criteria, processors must maintain a record of all categories of processing activities, and must be able to demonstrate compliance with both the contractual instructions of the controllers of the data they work with and the data protection regulations of the GDPR.

Processors are required to inform controllers of any new downstream subprocessors, and give the affected controller time to object. Processors bear liability for the actions or inactions of subprocessors.

Both controllers and processors must implement appropriate security measures. Processors must have defined procedures for dealing with a data breach, which include notifying relevant controllers without undue delay after becoming aware of it.

The unending struggle

GDPR not only requires that organizations become compliant with its regulations; it also requires that they review and update their infrastructure on an ongoing basis. All organizations must write a concise, transparent, intelligible, and accessible privacy policy that explains how the organization protects personal data and digital privacy, and informs people of their rights to data about them.

Stitch is fully compliant with the GDPR; if you’re ready to take advantage of a GDPR-compliant data pipeline, sign up now.