Author: Victor DeMarines.
As the May 25, 2018 deadline for the General Data Protection Regulation (GDPR) inches closer, there isn’t a compliance officer on the planet who isn’t consumed with making sure every asset is covered. Given the networked, global nature of our economy, the regulation is likely to touch even the smallest businesses.
We’ve received questions from our customers on how to ensure GDPR compliance, so we recently worked with Privacy Ref, a consultancy specializing in data privacy, to put together some advice that I think is broadly applicable to companies that run technology subject to the regulation. I’ll preview the highlights here. Please note that this does not serve as legal advice, but simply as guidance and best practices we have gathered from internal and external experts on the matter.
Who is Responsible for Ensuring Compliance?
When a third party processes or stores the data, it can be confusing as to what your responsibilities are. It helps to understand the roles defined in the new regulation. I’ll lay out an example as it applies to customers of hosted software usage analytics solutions.
GDPR refers to the “data subject.” This is the end user – the individual you’re collecting information about. The “data controller” is your company, and the “data processor” is the hosted software usage analytics solution provider. That means, as a customer of the hosted solution provider, you are a data controller. Even though it stores, works with, and augments information on your behalf, the hosted solution provider is the data processor and you remain the data controller. The provider may only process a data subject’s personal information based on your direction. In short, as data controller, you are accountable under GDPR for ensuring that its principles are met. This includes verifying that the principles and requirements of GDPR have been met by the provider. A hosted software usage analytics solution provider should be able to provide, upon request, a summary of its GDPR readiness covering both its internal processes and its technology.
Do We Need Consent from the Data Subject?
As the data controller, one of the big questions of GDPR compliance revolves around getting consent from the data subject. Under previous regulations, the bar was somewhat lower here, and the data controller could satisfy this requirement by gaining consent through licensing terms, click-throughs, and other means. That is no longer the case.
However, the regulation may actually ease this process for you. When data is processed to protect the legitimate interests of the data controller or a third party, such as the prevention of fraud (e.g., software piracy or license overuse) or the use of data to improve products, you do not need to gain consent. There are several details in the regulation that lay out the specifics to that end.
It’s understandable that even if there’s a legal basis for not gaining consent, you may still want to obtain it, especially in certain geographies or for certain customer bases. The consent mechanism should not be buried in an EULA but presented on a separate screen. Additionally, users should be able to change their preference (opt-in or opt-out) at a later time.
You also need to address the fairness and transparency principle: you must include the legal basis in your privacy notice, state whether the data is being shared with a third party, and state that the processing may occur in the United States.
Minimizing Your Risk
In the Court of Justice of the European Union opinion for Breyer v Bundesrepublik Deutschland, Case C-582/14, 12 May 2016, an IP address combined with ISP records would constitute personal data in the hands of the website provider. The finding could apply more broadly: even if you’re not an ISP, it may apply if you “could keep [the IP address] indefinitely and could request at any time from the Internet access service provider additional data to combine with the IP address in order to identify the user.”
Overall, when collecting personal information and providing it to a third party, collect only the minimum necessary to meet your objectives. For example, with Revulytics Compliance Intelligence, customers have the ability to collect an organization’s IP address and other application and machine environment data. Collecting this data in the clear may aid in the identification of an infringing organization.
GDPR compliance isn’t as complex as it may seem – and it can easily be accomplished without disrupting your business practices.