On 25th May 2018, the General Data Protection Regulation (GDPR) will enter into force and start governing all aspects of EU personal data collection and management by websites and apps from anywhere in the world – what data is collected, how it’s collected, how and where it’s stored, where it’s shared, and so on.
The Regulation imposes high privacy standards and very restrictive data minimisation principles and profiling provisions. It will also introduce new concepts, such as the ‘right to be forgotten’, ‘risk-based approach’ and ‘privacy by design’. The GDPR will also have a wide territorial scope. This means that any company, including non-EU companies, that collects EU citizens’ data, will fall under the Regulation and will have to comply with it.
All those rules will not be easy to navigate, so it is essential that developers are properly educated and prepared to handle them.
There is plenty of information out there on how to best prepare yourself for the coming of the GDPR and ensure you’re compliant*. Companies have hired lawyers, DPOs and the luckiest can rely on expert privacy engineers.
EU Member States also have to speed up their work on adapting their national laws to the new Regulation. Only two EU countries, Germany and Austria, have everything in order. Some countries are still having heated internal discussions on the reform, and others are as far as one can be from implementing the legislation.
In order to help EU governments and national data protection authorities step up their preparation, the European Commission published this week a new guidance document and is allocating millions of euros to support national privacy authorities in their efforts to help businesses, and SMEs in particular, become compliant.
The Commission also launched a new practical online tool to help industry and other affected parties to comply and also educate citizens on how to benefit from the new data protection rules.
And once you’ve finished with GDPR? Developers will soon be required to comply with the ePrivacy Directive of 2002, which deals with another range of important issues related to online and internet privacy and is currently being reviewed in the form of the ePrivacy Regulation proposal. But for now, GDPR should be the focus.
As developers, it’s essential to take the necessary steps to ensure you are ready, have a full understanding of what data the GDPR applies to, and know what new functionality you need to provide to consumers.
*See below some (of the many) useful tools you can find online that explain the GDPR and give valid advice on compliance:
- https://www.rsa.com/content/dam/pdfs/7-2017/A-Practical-Guide-for-GDPR-Compliance-Osterman-Research.pdf
- https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird–bird–guide-to-the-general-data-protection-regulation.pdf?la=en
- https://www.cnil.fr/sites/default/files/atoms/files/rgpd-guide_sous-traitant-cnil_en.pdf
- https://techcrunch.com/2018/01/20/wtf-is-gdpr/
MICHELA PALLADINO
Director, European Policy & Government Relations