13 GDPR Requirements Needed for Total Compliance (and Changes You Can Make Today)
Now more than ever, it’s clear that the defining driver of the online economy is personal data.
Giants like Facebook and Google have built billion-dollar businesses on knowing what you want to see and giving advertisers access to that information. But it’s not just them. Pretty much every online business (yours and ours included) collects and uses personal data in some way. As consumers, we know our data is being used by companies. But it hasn’t really been clear how. And until now, companies haven’t had a good reason to be upfront about it either. As Nitasha Tiku wrote in Wired:
“Clicking to accept an impenetrable terms-of-service document once seemed like a no-brainer. The upside was incredible efficiency and the downside, it seemed, was just some annoying shoe ads stalking you around the web.”
However, this is all about to change. With the General Data Protection Regulation (or GDPR) coming into effect May 25th, 2018, the power balance around personal data is about to shift. And it will have serious implications around how you do your business moving forward.
So, what does your company need to know (and do) to make sure you’re complying with GDPR requirements? Let’s separate the facts from the fear-mongering and take an honest look at what GDPR means for you and your business, based on our experience getting Planio ready for GDPR.
Before we dive in: This information is all publicly available, and it goes without saying that if you’re unsure what GDPR requirements your business needs to meet, you should probably speak with a lawyer. I am just a layman and not a lawyer and this article is not legal advice but merely my personal opinion. If you disagree on anything or have any suggestions, please leave a comment below.
What is the GDPR and why should I care?
The General Data Protection Regulation, or GDPR, is a new, unified European privacy law that affects how personal data is collected and handled by companies, and grants more rights to users over how and when that data is used.
While it feels like a big shift in how data is handled (and it is), GDPR’s main concepts and principles are pretty similar to the current Data Protection Act enforced by individual European countries. As Steve Wood, Deputy Commissioner of the Information Commissioner’s Office—the department in charge of enforcing GDPR—wrote:
GDPR is an evolution in data protection, not a burdensome revolution.
What GDPR brings is a unified approach, clearer requirements, a broader definition of what ‘personal data’ is, and steeper penalties for not being compliant. (You can read the full, 88-page regulation here, if you’re curious.)
As a user, GDPR means you have more control over how your data is collected and used, as well as the right to delete and edit that data at any time, for any reason.
As a business, it means you have to receive clear consent to collect and use personal data, as well as be transparent about what data you’re collecting and how long you’re keeping it. It also means you’re more accountable for safely handling people’s data, must be able to demonstrate compliance, and can be faced with severe penalties for data breaches.
Just as an example, in 2016, UK communications company TalkTalk were fined £400,000 for failing to protect customer data from being accessed by hackers. Under GDPR, they would have received a £59m fine, according to NCC Group.
Perhaps most importantly, GDPR also expands the definition of ‘personal data’ to “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
In short, as a company, you’re now responsible for anything that can be used to identify a person in any way. And yes, that includes cryptic IDs and hashes, like the MD5 or SHA sum of an email address.
So, if the general well-being of your users’ data isn’t at the top of your mind, GDPR requirements and penalties are a great way to move it up the ladder.
Should I worry about GDPR if I’m a US company (or anyone outside of Europe)?
The short answer is yes.
If you have just one European customer, employee, candidate, email subscriber, or anything along those lines (which is just about everyone), you will have to comply with the GDPR.
And even if you don’t currently have a European presence, your potential customers will care and it can affect whether they buy your product or not. In fact, a PwC survey showed that 92 percent of U.S. companies consider GDPR a top data protection priority.
So yes, it’s work. But yes, it’s worth it.
What are the GDPR requirements for my business (and what can I do to make sure I’m compliant)?
This is where things get interesting. Sure, the potential for massive fines makes for great headlines. But the reality is that GDPR isn’t meant to destroy businesses. (Well, legal, ethical ones at least.)
Instead, it’s designed to help companies be more transparent about how they use data, build trust with users, and grow in a way that’s sustainable, not shady.
But, that still doesn’t ignore the fact that you’re going to have to put in some work to get GDPR compliant. In fact, a 2017 study from Dimensional Research said that over 80% of IT professionals surveyed expected GDPR-related spending to be upwards of $100,000.
So, what are the requirements for your business?
The GDPR contains 99 articles that define exact requirements and the rights granted to EU citizens. But here’s a rundown of the ones you should be most aware of as you transition to becoming GDPR compliant.
1. What are the new data rights for users under GDPR?
First off, let’s understand what being GDPR compliant means for your users.
In its most basic form, when you collect data linked to an EU person (or “data subject” using GDPR terminology), GDPR entitles them to know:
- What data is being kept
- For what purposes
- How long you’re keeping it
These rights apply across the EU, regardless of where the data is processed and where the company is established. They also apply when you buy goods and services from a non-EU company operating in the EU.
Additionally, according to the European Commission, “data subjects” are also entitled to access (“Right to access”), export (“Right to Data Portability”), change, and permanently delete (“Right to Be Forgotten”) all their data from your systems. Whenever they want.
In effect, GDPR means users should be able to access their data as easily as they gave it to you in the first place.
Reading that last sentence could potentially be pretty scary for a lot of companies. If you’ve been collecting data sets for months or years without any real thought into how to use them, it might take a massive operational overhaul to get to a place where you can quickly respond to GDPR demands from users.
Which means that your first step in becoming GDPR compliant should be to look at your current data stores and your processes for storing and processing personal data, and be aware that users can now ask you to change or delete that data at any time.
What to do next?
Ensure that you and your team all understand the basic principles of GDPR and what it means from a user’s perspective. Know their rights inside and out so that everyone can handle requests for clarifying how and when you are using their data.
2. What data is protected under GDPR?
As we said earlier, one of the biggest changes that GDPR brings to how you handle data is just the scope of what is now deemed “personal data”.
According to the European Commission: “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
What to do next?
Talk to your team about the changes to what’s classified as “personal data” under GDPR. This is a great opportunity to field questions and ask for specific situations where you’ll need to update your processes to be compliant.
3. Am I a data “controller” or a data “processor”?
There are two different groups when it comes to GDPR requirements. There’s data “controllers”—the organization or individual that has collected and “owns” the data—and data “processors”—the organization or individual that processes personal data on behalf of the data controller.
So, for example, let’s say your company provides customer support via Planio Help Desk and uses it to receive from and send emails to your users. In this case (and for this use case) you would be the data controller, while Planio is the data processor.
This is an important distinction, as each group has different responsibilities and obligations under the new regulations. Generally speaking, as a controller, your responsibilities are around properly collecting consent, handling consent withdrawal, enabling the right to access, and so on.
As a processor, you also need to comply with GDPR requirements: you can only use the data for the purpose it was supplied to you, must obtain written permission from the controller before employing a subcontractor, must make sure data is properly stored and protected, and more.
Lastly, if you are the data controller, you are legally obligated to ensure your contracts with processors comply with the GDPR. In most cases, this is done using a separate data processing agreement.
What to do next?
- Determine whether your activities make you a “controller” or a “processor” and make sure you’re complying with all the outlined requirements.
- If you’re a controller, make sure that all your contracted third-party data processors comply with GDPR requirements and sign data processing agreements with them.
- If you’re regularly processing data for your clients, consider hiring a lawyer to draft up a data processing agreement template to sign with your clients.
4. What is my “lawful basis” for processing personal data?
Another GDPR requirement you’ll need to be aware of is that you need to have a “lawful basis” for collecting any personal data.
Basically, that means you need to be able to clearly answer the question:
“How did you get my [piece of data] and why are you allowed to have it?”
More specifically, it means that you need to comply with at least one of the six requirements for processing data. Under GDPR, you cannot process any data unless:
- Consent: You get and document explicit consent from the user to collect and process their data for one or more specific tasks. Example: A user signed up for your email newsletter and confirmed her email subscription via double opt-in.
- Contract: Processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. Example: A user is shopping around for car insurance and asks for a quote. The insurer must process certain data (e.g. your date of birth and address) in order to prepare the quote and complete the intended contract.
- Legal obligation: Processing is necessary for you to comply with the law (not including contractual obligations). Example: An employer needs to process personal data to comply with its legal obligation to disclose employee salary details to a government authority (like the HMRC in the UK). Where the ‘contract’ basis relies on an agreed upon or intended contract between you and the user, legal obligation must rely on complying with local laws.
- Vital interests: Processing is necessary to protect someone’s life. Example: You provide somebody’s personal details to emergency services on the phone.
- Public task: Processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. Example: A professional organization, such as a bar association, with an official authority to do so, may carry out disciplinary procedures against members.
- Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Now, while the first few points seem pretty clear, the “legitimate interest” basis has a few nuances you need to understand if you’re going to be using it.
In a nutshell, there are three elements to the legitimate interest basis that you need to be able to pass:
- There is a legitimate interest (this can be your own interest or the interests of third parties and can include commercial interests, individual interests or broader societal benefits)
- Processing data is necessary to achieve it
- You’ve balanced that interest and need against the individual’s interests, rights, and freedoms (If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely going to override your legitimate interests.)
So, let’s say you’ve sent a cold email to someone. They are well within their rights to ask where you got their email from. And saying “I bought it,” isn’t a good enough answer.
However, this doesn’t mean you can’t do any more email outreach. What it does mean is that you need an honest answer about how you got that data that is legal, fair, and transparent.
In our email example, if you haven’t gotten consent or are under a contractual obligation, you could potentially use a “legitimate interest” basis. The law explicitly states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Here’s a scenario that I think would work:
I saw that you commented on my LinkedIn post about project management tools and thought that you’d be interested in hearing more about our tools. I added you on LinkedIn, you accepted my connection, and I got your email from my contact list. Don’t worry, if you’re not interested, I won’t contact you again.
I am not suggesting you do outreach marketing like this, but I still think it’s legal. Here’s why:
- I am selling a project management tool, so my legitimate interest is to find new customers.
- LinkedIn showed me Julie’s email address after she accepted my contact request, i.e. the data processing was necessary to send the email.
- Julie has expressed her own interest in our tools through her “like” on LinkedIn. She had previously put her business email address on LinkedIn and she accepted my connection request, so she could reasonably expect that I would email her. I have balanced my interest against her rights and freedoms, and by not following up endlessly, I will not cause unjustified harm.
The point is that you need to have a damn good reason for having someone’s data if they didn’t give you explicit consent or you have no other lawful basis to collect and use it.
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” – Recital 47, GDPR
And in all cases you need to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. So thinking about why you’re collecting data early on is a must.
What to do next?
Review your processes for collecting data and select the most appropriate lawful basis (or bases) for each activity. Make sure you document them and include information about both the purpose and the processing in your privacy notice (we’ll go more in-depth into this later).
5. Do I need a Data Protection Officer?
It depends. As part of the new regulations, the GDPR requires in certain cases that your company appoints a data protection officer (DPO).
Specifically, you must appoint a DPO if:
- You are a public authority
- Your core activities (aka your primary business activities) require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking)
- Your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences
This is where things get a little tricky. What does “large scale, regular and systematic monitoring of individuals” mean? Basically, you need to look at your business model and look at the number of data subjects, volume of personal data, and the geographical extent, range, and duration of processing.
For example, let’s say you run a large ecommerce site that uses algorithms to monitor the searches and purchases of its users and, based on this information, offers recommendations to them. As this takes place continuously and according to predefined criteria, it can be considered as regular and systematic monitoring of data subjects on a large scale.
In the case of “special categories”, the easiest example is to think of a health insurance company which processes a wide range of personal data about a large number of individuals, including medical conditions and other health information.
If you fall under one of these categories and do need one, your DPO can be an existing employee or externally appointed, but must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
What to do next?
If you fall under a category that requires a Data Protection Officer, make sure you have someone qualified who can step into the role. (In some cases you can even share a DPO across several organizations.)
6. How do I get explicit consent to store and use personal data?
Speaking of consent, one of the major GDPR requirements is that companies now need to get it explicitly before they can store or use any user data.
Basically, that means no more of this:
In the case of a sign up like this, that means you need to:
- Put the "Sign up" button directly under the call-out so there’s no way they’re missed.
- Store and attach the following information with each click through: Who they are, when they consented, what they were told at the time (terms and policies), how they consent, and whether they have withdrawn consent (and when)
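The consent bullet above maps directly onto a data structure. As an added example (not Planio's code), here is a small Ruby consent ledger that stores who consented, when, what they were shown, how, and when they withdrew; the subject id, policy text and purposes in the demo are constructed placeholders.

```ruby
require 'digest'

# Added example, not Planio's code: an append-only consent ledger that keeps,
# for each sign-up click, the evidence a controller must be able to produce:
# who consented, when, what they were shown, how, and whether/when they withdrew.
class ConsentLedger
  ConsentRecord = Struct.new(
    :subject_id,      # who (account id or e-mail address)
    :purposes,        # the specific purposes consented to
    :consented_at,    # when (UTC)
    :policy_version,  # what they were told: the version label ...
    :policy_digest,   # ... and a SHA-256 of the exact wording shown
    :consent_method,  # how (e.g. "signup_checkbox", "double_opt_in")
    :withdrawn_at,    # nil until consent is withdrawn
    keyword_init: true
  )

  def initialize
    @records = []
  end

  # Record a consent event. The policy text is fingerprinted so you can later
  # prove which wording the person agreed to, even after the policy changes.
  def record(subject_id:, purposes:, policy_version:, policy_text:, consent_method:, at: Time.now.utc)
    raise ArgumentError, 'consent must name at least one specific purpose' if purposes.empty?

    rec = ConsentRecord.new(
      subject_id: subject_id,
      purposes: purposes.map(&:to_s).uniq,
      consented_at: at,
      policy_version: policy_version,
      policy_digest: Digest::SHA256.hexdigest(policy_text),
      consent_method: consent_method,
      withdrawn_at: nil
    )
    @records << rec
    rec
  end

  # Withdrawal is written next to the original consent instead of deleting it:
  # you still need to show when consent was given and when it was withdrawn.
  # Returns the number of consents that were withdrawn.
  def withdraw(subject_id:, at: Time.now.utc)
    active = @records.select { |r| r.subject_id == subject_id && r.withdrawn_at.nil? }
    active.each { |r| r.withdrawn_at = at }
    active.size
  end

  # A purpose is covered only by an un-withdrawn record that names it.
  def consented?(subject_id, purpose)
    @records.any? do |r|
      r.subject_id == subject_id && r.withdrawn_at.nil? && r.purposes.include?(purpose.to_s)
    end
  end

  # Everything held about one person's consent, e.g. for an access request.
  def history(subject_id)
    @records.select { |r| r.subject_id == subject_id }.map(&:to_h)
  end
end

# Constructed sign-up: the address and policy text are placeholders, not Planio's.
if $PROGRAM_NAME == __FILE__
  ledger = ConsentLedger.new
  ledger.record(subject_id: 'julie@example.com', purposes: [:newsletter],
                policy_version: 'privacy-2018-05',
                policy_text: 'We will email you our newsletter weekly.',
                consent_method: 'double_opt_in', at: Time.utc(2018, 5, 25, 9, 0, 0))
  puts ledger.consented?('julie@example.com', :newsletter)  # true
  ledger.withdraw(subject_id: 'julie@example.com')
  puts ledger.consented?('julie@example.com', :newsletter)  # false
end
```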
So, your sign-up CTA in its most basic form should look something like this:
What to do next?
Audit all of your sign-ups and areas where you’re asking for personal data to make sure they comply with GDPR requirements.
Every person whose data you’re processing or will be in the future, should be able to read these documents and easily know:
- What you do with their data and what kind of data is being processed
- How long you will be storing their data for
- The complete list of third-party services you use to process their data
- Clear and easy instructions on how they can make changes to their stored data or ask to have their data removed from your database
- Instructions on how to report a violation of GDPR principles to you that affected them
These are the basic GDPR requirements, but they’re just good practice as well. If you’re storing and using data, users should be able to quickly find out why you are, what you’re doing with it, and how they can change or delete theirs (if they choose to).
What to do next?
8. What are the GDPR requirements around Data Storage?
I am hearing this all over:
“Implementing GDPR is going to cost us so much money because we need to encrypt all data now.”
It's simply not true. In the original regulation, the word "encryption" appears only four times, each time in phrases like "such as" or "may include". It is not required in order to be compliant.
GDPR does *not* mandate data encryption at rest! It's still a very good idea though if you're building new systems.
Is it a good idea to build new systems with encryption at rest? Oh, yes! Should you think about migrating your existing unencrypted data stores to encrypted ones? Certainly. But you don't have to do it by May 25 when GDPR comes into effect.
Here's what your actual obligations are once you have collected personal data:
First off, you are now more responsible than before for making sure that the data you’ve collected is safe. If the number of data breaches making their way into the news is any indication, this is a good move. But it also means you’ll want to take some time to assess and audit your own data protection mechanisms. (We’ll get into that next!)
You also need to make sure that data is stored with proper permissions and controls as the GDPR requires that data cannot be used for anything other than the reason given at the time of collection. This probably means a few new columns in your databases with metadata about how the data in question is meant to be used.
If you’re building new systems for storing personal data, they must have protection designed into them (under the data protection by design requirement), and have strict control over how and when data is used.
Lastly, you must ensure that personal data can be securely deleted after it is no longer needed.
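To make the purpose metadata and deletion obligations above concrete, here is an added Ruby example (not Planio's code) of a store in which each personal-data field carries the purposes it was collected for and a retention period, refuses reads for any other purpose, and purges expired data; the subject ids, field names and retention values are constructed.

```ruby
# Added example, not Planio's code: a store in which each personal-data field
# carries the purposes it was collected for and a retention period, so the
# data cannot be used for anything other than the reason given at collection
# and is deleted once it is no longer needed.
class PurposeLimitedStore
  PurposeViolation = Class.new(StandardError)

  Entry = Struct.new(:value, :purposes, :collected_at, :retain_for, keyword_init: true)

  def initialize
    # subject_id => { field => Entry }
    @data = Hash.new { |h, k| h[k] = {} }
  end

  # retain_for is in seconds. In a real database these become extra columns
  # next to the value (purposes, collected_at, retain_until).
  def put(subject_id, field, value, purposes:, retain_for:, collected_at: Time.now.utc)
    @data[subject_id][field] = Entry.new(
      value: value,
      purposes: purposes.map(&:to_s),
      collected_at: collected_at,
      retain_for: retain_for
    )
  end

  # Hand the value out only for a purpose it was collected for; anything
  # else is a purpose-limitation violation, not a silent success.
  def fetch(subject_id, field, purpose:)
    entry = @data.fetch(subject_id, {})[field]
    return nil unless entry

    unless entry.purposes.include?(purpose.to_s)
      raise PurposeViolation,
            "#{field} of #{subject_id} was collected for #{entry.purposes.join(', ')}, not #{purpose}"
    end
    entry.value
  end

  # Delete everything whose retention period has passed. Returns the
  # [subject_id, field] pairs that were removed so the deletion can be logged
  # without writing the personal data itself into the log. In a real system
  # this must be a hard DELETE (not a soft-delete flag), and backups holding
  # the data must age out as well.
  def purge_expired(now: Time.now.utc)
    purged = []
    @data.each do |subject_id, fields|
      fields.delete_if do |field, entry|
        expired = now >= entry.collected_at + entry.retain_for
        purged << [subject_id, field] if expired
        expired
      end
    end
    @data.delete_if { |_, fields| fields.empty? }
    purged
  end

  def fields_for(subject_id)
    @data.fetch(subject_id, {}).keys
  end
end
```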
What to do next?
Talk to your IT team about your current data storage procedures. Do you keep records of the purposes the data was collected for? Is your data stored securely? How do you handle transferring it to third parties? Are new systems being designed with security and privacy front of mind?
9. What are my obligations when it comes to Data Protection (and fines)?
We already talked briefly about what you need to do in order to store data in a safe and secure way. But it’s important to note that these aren’t just suggestions.
Under the GDPR, individual Data Protection Agencies can impose much larger fines for improperly storing, processing, or protecting personal data. Violators who either fail to protect user data or fail to notify their DPA of a breach can face a fine of €20 million or up to 4% of annual worldwide turnover from the previous financial year, whichever is greater.
To put that in perspective, for Facebook, that would be $1.6 billion. For Google, $4.4 billion.
What to do next?
Understand your financial risks around poorly protected personal data and ensure your storage is safe and secure.
10. How and when do I have to report a Data Breach?
Along with larger fines, the GDPR also requires companies to come clean about data breaches within a maximum of 72 hours after becoming aware of the breach (unless it is unlikely to result in a risk to the rights of the individuals).
And in the case that the breach could negatively impact the users whose data has been accessed, you’re also required to contact them as soon as possible.
You’re also required to keep a record of any personal data breaches, whether you had to report them or not.
What to do next?
- Ensure you have solid breach detection, investigation, and internal reporting procedures in place.
- Make sure you have a system for reporting and documenting any breaches that do occur.
11. What is the “Right to Be Forgotten”?
Under the “Right to be Forgotten”, the GDPR requires you to have a clear way for users to request that their data is deleted from your databases. At any time. There are no specifications around how these requests need to be made, which means users can make them either verbally or in writing. The only requirement is that if the request is valid, you must deal with it within a month.
Wait, I said “if valid.” What does that mean?
In short, there are a few reasons why you wouldn’t have to comply with a request to delete data. Mostly, these are exceptional cases around legal, health, and safety concerns. However, in most cases (you got consent, the data is no longer necessary for the reason you collected it, you are relying on “legitimate interests”...) you’ll have to comply.
What to do next?
- Create a policy around recognizing, responding to, and documenting requests for erasure.
- Have methods in place to easily erase personal data when requested to.
- When you build new software, consider building in a “delete” feature right from the start to save you some manual work later.
12. How do I make sure users have the “Right to Data Portability?”
One of the aims of the GDPR is to give users more control over their data. As such, the “Right to Data Portability” means that if a user has provided you with their data either by consent or through a contract, you have to be able to supply them with it in a structured way, if asked.
Let’s say you run a social network and a user decides that they’ve found a different network they want to use instead of yours. Under this right, you must supply them with all of their personal data—friends, photos, posts, etc...—in a way that they can use and that’s machine-readable, so for instance in form of a CSV, XML, or JSON file.
Under GDPR, your users have a *right* to get a CSV, JSON, or XML export of their data from your platform.
You might also be required to send their information directly to the other organization, if this is technically feasible. For example, in preparation for GDPR Facebook recently implemented an export feature that allows users to easily download all of their profile info to be used somewhere else.
What to do next?
- Talk with your IT team to understand the best way to supply users with their data if requested.
- Include information on how they can request their data (or create a self-serve tool) in an obvious place.
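As an added Ruby example covering both the erasure request in section 11 and the portability export above (not Planio's code), here is a self-serve request handler that exports a user's data as JSON or CSV and erases it on request; the social-network sample data is constructed.

```ruby
require 'json'
require 'csv'

# Added example, not Planio's code: a handler for the two data-subject requests
# discussed above. Export returns everything held about a person in a
# machine-readable form (JSON as stored, CSV flattened to one row per record);
# erasure removes the data and returns a receipt that documents the request
# without keeping any of the personal data it deleted.
class DataSubjectRequests
  # records: { subject_id => { collection => [ { field => value }, ... ] } }
  def initialize(records)
    @records = records
  end

  def export_json(subject_id)
    JSON.pretty_generate(@records.fetch(subject_id))
  end

  # Collections have different fields, so the header is the union of all keys
  # and a 'collection' column says where each row came from.
  def export_csv(subject_id)
    rows = @records.fetch(subject_id).flat_map do |collection, items|
      items.map { |item| { 'collection' => collection.to_s }.merge(item) }
    end
    headers = rows.flat_map(&:keys).uniq
    CSV.generate do |csv|
      csv << headers
      rows.each { |row| csv << headers.map { |h| row[h] } }
    end
  end

  # Right to be forgotten: delete the data and keep only a receipt for your
  # own records (collection names and counts, no values). Returns nil when
  # nothing was held for that subject.
  def erase(subject_id, requested_at:)
    data = @records.delete(subject_id)
    return nil unless data

    { subject_id: subject_id, requested_at: requested_at,
      erased: data.transform_values(&:size) }
  end
end

# Constructed sample data for one user of a hypothetical social network.
def sample_records
  { 'u42' => {
    'profile' => [{ 'name' => 'Julie Example', 'email' => 'julie@example.com' }],
    'friends' => [{ 'friend_id' => 'u7' }, { 'friend_id' => 'u19' }],
    'posts'   => [{ 'posted_at' => '2018-05-01T10:00:00Z', 'text' => 'Hello, world' }]
  } }
end
```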
13. What do I need to document to show I’m GDPR compliant?
Going through all of these GDPR requirements can be a bit overwhelming. So, it’s probably a good idea to step back, take a deep breath and remember that the whole point of this is just to be more clear about how and when personal data is being used.
Whenever you look at one of these requirements, simply ask yourself “how can I show that I have a good, legal, and fair reason to collect and process this data?”
The GDPR helps you in this sense by providing clear instructions around what you need to document to show you’re compliant. Most organizations are required to maintain a record of their processing activities, including processing purposes, data sharing and retention. This is important because it is not only a legal requirement, but can also help you demonstrate your compliance with other aspects of the GDPR.
So, what exactly do you need to document? Under Article 30, you must keep written records of:
- The name and contact details of your organization
- The purposes of your processing
- A description of the categories of individuals and categories of personal data
- The categories of recipients of personal data
- Details of your transfers to outside countries including documenting the transfer mechanism safeguards in place
- How long you will be keeping the data, if foreseeable
- A description of your technical and organizational security measures
Additionally, you’ll want to create documentation of records of consent, location of personal data, records of breaches, information around your chosen lawful basis, and any controller-processor contracts in place. Documents should be comprehensive and tailored to the specifics of your organization.
This way, if any issues arise, you won’t be scrambling to show that you did the work to become GDPR compliant.
What to do next?
- Do an information audit or data-mapping exercise to find out what personal data your organization holds and where it is.
- Create proper processes for what is documented, where, and how it will be accessible by users, authorities, and employees.
How we’ve made sure Planio is GDPR Compliant (and our customers are, too)
It’s no small task making sure your company is GDPR compliant. However, I believe it’s a necessity not only from a legal standpoint, but as a good business practice.
At our company Planio, data protection and security have always been something we’ve paid special attention to. We’ve spent the better part of the last decade handling personal and business data for over 1,500 companies and work hard to make sure their data is safe and secure. Even before the announcement of GDPR, we took steps to make sure your data is safe with us:
1. We don’t use any third parties for data storage
That means no cloud services or rented or shared servers. At Planio, we’re owner operated and physically own and manage all our servers in our data center in Frankfurt, which is certified to ISO/IEC 27001:2005. We also make sure our entire team is fully trained and up-to-date with the legal requirements around data storage and processing.
2. We follow the concept of “Datensparsamkeit”
Having been a core principle of Germany’s early data protection laws, Datensparsamkeit or ‘data minimization’ is the concept of only collecting the data that’s truly necessary. It means we collect nothing else, even if “we might need to do something with it in the future”. This has been an idea at the core of Planio since we launched and we’re happy to see it adopted by the GDPR.
For example, when you sign up for Planio, our sign-up page only asks for your name and email address. As long as you’re using the free trial, we don’t ask for your credit card, address, or phone number. There’s no sales team waiting to call you and try to sell you Planio.
Another example is our product Planio Help Desk, which comes with an address book feature that allows you to store contact details of companies and contact persons you work with. Out of the box, Help Desk only lets you store basic fields like email, postal addresses, and phone numbers. If you’d like to collect more data about your customers, you can with custom fields. But you don’t have to. And we encourage collecting only as much data from your own customers as you need. Datensparsamkeit FTW.
3. We’ve always made it easy for you to take your data elsewhere
Lastly, at Planio, we’ve always believed in data independence and freedom—long before it became part of the law. We’ve always given users the ability to easily get a machine-readable SQL export of their raw project data.
And since Planio is based on open source Redmine, this means you’ll always be able to spin up an instance of Redmine on your own server, import your data, and be up and running on your own, should you ever need or want to. (But obviously, we’re working hard every day to make sure that’s never needed!)
Also, if you’re currently stuck with your old tool or provider because they hold your data and make it hard to get it out, we are here to help. As a new customer, we will assign you your personal Planio data extraction engineer who will help you export, convert, and migrate your data to Planio.
We’ve made it incredibly easy to become GDPR compliant while using Planio
The points above should hopefully show you just how much we care about data protection and how we’re actively complying with
As a data controller under the GDPR, the only thing you have to do to make sure all the nice things we’ve said above are also legally guaranteed is sign a data processing agreement. This agreement outlines exactly which duties and obligations we have as a data processor and specifically lists the technical and organizational measures we’ve undertaken to guarantee the security of your and your customers’ data.
Signing the agreement is incredibly simple and can be done online with our custom tool:
Just head to your Customer Account section, review the agreement (as well as the technical and organizational measures) and sign it online. That’s it!
You can then download the agreement as a PDF and store it along with your other GDPR relevant documentation.
There’s no ignoring the upcoming GDPR regulations. With only a little while left before they become officially enforceable, now is the time to make sure you’re compliant. And while it might feel like a hassle, try to remember what the principles are behind these new laws.
As online companies, we have a responsibility to our users to be transparent and fair with their personal data. So as long as you’re already acting in good faith, becoming GDPR compliant shouldn’t be too much of a leap.
If you have any questions about GDPR and how we’re implementing it at Planio, feel free to get in touch. My team and I will be happy to help!