Is your business ready for the GDPR? Does it need to be?
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect in the EU. The GDPR introduces some of the strongest protection for personal information in the world. It replaces the previous regulation (Directive 95/46/EC), introducing more stringent data protection rules, unifying things to help make compliance is easier, and making updates to keep up with over a decade of technology advancements.
The European Commission has created a helpful infographic that helps simplify this very complex topic.
This article is geared toward small and medium sized businesses based in the U.S. and other non-EU countries. Formal and complete compliance with GDPR is beyond the scope of this article. We provide advice to see if you are affected and describe some next steps to take. We also describe how features built into FileMaker and WordPress can help with GDPR compliance.
Disclaimer. This post is not legal advice. We’re not lawyers.
Overview of GDPR
Below are some of the highlights of what the new regulation covers.
The GDPR applies to any personal data. This can be name, email, street address, IP address, or any other personally identifiable information.
The regulation applies to controllers and processors of personal data. Most companies are probably both the controller and processor of the personal data that they manage. A controller is the entity that has control of the data. A processor is an entity outsourced by the controller to manage and/or process the data. Under the EU’s previous data protection directive, processors were not liable for violations, only the controller was. If a processor violated the previous directive, the controller was the one who faced the penalties. Under the new regulation, both controllers and processors are liable.
Consolidation of Authority
Some aspects of the new regulation actually make life easier for businesses who manage EU personal data. Each EU member state establishes a Supervisory Authority. Businesses will establish one state’s SA as their primary SA and will not have to work separately with individual state SAs as before. The regulation describes the primary SA as being a “one-stop shop” for all data regulatory activity.
Lawful basis. There must be a lawful basis to collect and process the data. To be lawful, the data processing must meet one of the following criteria:
- Person has given their consent for their data to be processed,
- Processing is necessary for the performance of a contract, e.g., a shipping address needed to fill an order,
- Processing is necessary to comply with a legal obligation on the part of the controller, or
- Processing is in the public interest.
Consent. If consent is the lawful basis for processing the data, the data subject must consent to having their personal data used. Subjects must be given a clear description of what they are consenting to. No burying consent clauses deep within dense legal agreements. Inactivity cannot count as consent. A pre-ticked checkbox to “opt-in” is not valid consent under the new regulation.
Right of Access. Data subjects have the right to ask a controller what personal data is being held, how it is being used, with whom the data is being shared, and how the data was acquired.
Right to Erasure. Data subjects also have the right to request the erasure of personal data by a controller.
Data Portability. The regulation requires controllers to allow the transfer of personal data by the data subject from one system to another. The regulation also requires that controllers provide personal data in a machine-readable format, and prohibits the controller from any efforts to prevent the transfer of personal data to other systems.
Anonymizing Data. Personal data that has been anonymized is exempt from the regulations. Anonymization removes the personally-identifiable part out of personally-identifiable information. Encrypted data is considered anonymized, while in its encrypted state.
Data Breaches/Reporting. The regulation requires controllers and processors to notify their primary Supervisory Authority within 72 hours of discovering the breach.
Enforcement. The Supervisory Authorities set up by the member states are in charge of enforcement. The SA can request from controllers and processors, any data or information it needs to investigate potential violations. The SA can also issue warnings, reprimands, bans and fines. Fines can be as large as 20,000,000 EUR or 4 percent of a company’s total worldwide annual turnover, whichever is larger.
Are you affected?
Any company that does business with EU customers or markets to EU customers is affected by the new regulation. Listing prices in EU currency, or having a web site localized for one of the EU states is enough to be considered as doing business in the EU.
A company that processes personal data for another business in the EU is likely affected by the regulations. The EU partner business will likely require compliance as part of their own compliance. If a non-EU business keeps data about EU vendors they work with, and has no other customer-type personal data of EU subjects EU, they may not be affected.
Strictly personal use of others’ personal data is exempt. Your personal contact management isn’t affected. However, if you sync contacts with your business’s Exchange or Google Contacts server, you may be affected.
Businesses who do business with no actual presence in the EU can be fined for GDPR violations. It’s currently unclear how enforceable penalties will be against businesses in non-EU countries. It’s likely that many non-EU countries will establish trade agreements with the EU, allowing enforcement of penalties against their country’s businesses. At the very least, a company not based in the EU, would certainly find themselves prevented from doing business in the EU if they violate the GDPR.
Steps to Take
Even if you aren’t affected by the GDPR, it’s still beneficial to comply with the requirements. This will help ensure that you’re meeting the highest standards of customer data protection.
The full assessment for GDPR compliance is called a Data Protection Impact Assessment. This is the most thorough way to identify all the steps required for full compliance. A pdf of DPIA guidelines can be found here.
Short of a DPIA, here are the general steps that any non-EU business should take.
- Identify repositories of Personal Data – The first step is to identify all the current sources of personal data kept by your company. The regulation is not limited to only data stored electronically. Any organized collection of personal data is covered, including purely paper-based records. You’ll want to review how your personal data is collected, how it’s stored, how it’s processed, and who has access.
- Lawful basis – Review the lawful basis criteria and make sure your reasons for storing personal data fall in one of the categories.
- Consent – Make sure that you have consent from your data subjects. If you don’t already, implement a method to inform your customers and other data subjects about the data you will be storing about them and the purpose for storing that data.
- Right of access/right of erasure – Be prepared to produce a report for your data subjects, upon request, that shows the information you are storing about the individual. Develop a procedure to delete customer data upon request and implement a way for data subjects to submit these requests.
- Data portability – Be prepared to provide a machine-readable (.csv, tab-delimited, etc.) file with an individual’s data. Make sure that you do not have any procedures or structures in place that prevent the transfer of an individual’s data to other services similar to yours.
- Anonymizing data – Implement encryption for any personal data you store. Data breaches that involve only encrypted data are not required to report under the GDPR.
- Data breach reporting – Implement a plan to report data breaches. Implement procedures for monitoring for data breaches.
Compliance, it’s complicated!
FileMaker has a variety of features that help implement GDPR compliance.
- Encryption at rest protects actual FileMaker database files.
- Field level encryption can protect personal data in a more targeted way.
- Secure storage of container fields can encrypt container field data that’s stored externally.
- SSL encryption is essential if you are accessing your FileMaker database via the Internet, i.e., if it’s not locally-hosted.
- Custom privileges and access controls let you limit users access to personal data.
These all protect the personal data you collect from your users, but won’t necessarily make you compliant with GDPR.
As WordPress is an open source platform used by many businesses in the EU, we expect some support will be coming (at least to WordPress core) at some point. However, there’s not a lot of momentum behind this at the moment.
- WordPress has a grassroots effort to provide a unified way for plugins to register and identify where, why and how long personal data is stored by plugins and provide a common way to remove and/or export their data. Whether this is adopted by the community or not remains to be seen.
- Each plugin author will need to modify their plugin to become compliant (if it processes or stores personal user data), or user’s requests will have to be manually serviced by a site administrator.
- Many plugins (some free, some paid) like DeleteMe will likely appear in the near future to address common cases and popular plugins like WooCommerce and popular membership plugins. Due to the open nature of WordPress it’s possible for plugins to “fix” other plugins compliance.
- There will be no silver bullets here, as compliance extends beyond just storage and security to how data is collected, and consent is given.
- WordPress.com has plans to be compliant, so many of those enhancements should make their way into the open source version.
- WP Tavern is covering the WordPress response to GDPR as it develops including a podcast episode with a lengthy discussion around the GDPR and WordPress with a lawyer.
If you’ve had LuminFire build you a custom plugin, modifications may be required to ensure it allows for GDPR compliance.
We’re evaluating the GDPR compliance needs for BrilliantSync (as a data processor) and will provide details when a formal plan is announced.
It’s not just about the tools
Just like PCI or HIPAA compliance, technology and software tools can help you become compliant, but there are policies and best practices that are required to ensure full compliance.
We Can Help
If you don’t do business with EU customers or vendors and don’t store personal data about any EU data subjects, implementing some level of GDPR compliance is still good practice. You can follow the steps above and use it as a business advantage over your competitors, and be ready for when you do expand to the EU or other countries with stricter personal data regulations than the U.S.
If you are doing business with the EU or store information about EU data subjects, you will want to take a deeper, more formalized approach to compliance.
We can review your FileMaker/WordPress web solution and provide technical advice and estimates on what would be required to bring it into compliance with our full GDPR audit process that includes:
1. Privacy Impact Screening This is a series of yes/no questions that help your organization determine its risk level for GDPR non-compliance.
2. Data Repositories In this step, you will identify all the systems that contain personal information about individuals.
3. Privacy Compliance Assessment This is a more detailed series of questions and exercises designed to identify non-compliance risks.
Contact LuminFire for help.