General Data Protection Regulations
The current intent of GDPR is to ensure that IT organizations give individuals more control over their personal data. That intent is expressed in a comprehensive new set of rules about data privacy, covering consent, access to personal data, portability, erasure, notification of breach, and more. Penalties for non-compliance can be significant, as seen in recent fines by Brexit-bound English regulators.
This latest edition of GDPR responds to three information and Web technology phenomena:
- the rise of massive data breaches on the Web, coupled with criminal hacking that has become highly profitable, so that bot traffic now exceeds individual Web messaging;
- the continued harvesting and selling of individuals’ personal data, with little or no personal control over that private data and its uses by major IT companies [think Facebook, Google, Verizon, Vodafone, Comcast, Deutsche Telekom, etc.];
- the pervasive spread of automated, intelligent and Internet-connected devices into all aspects of home, business, and community affairs, as the Internet of Things allows increased control over every aspect of life.
Major US Websites are banning European customers as GDPR starts up
The Los Angeles Times, the New York Daily Post and A&E Entertainment are among the major US websites that balked on the first day of the GDPR rules, blocking European visitors rather than risk fines for non-compliance with GDPR.
Bloomberg and the NYTimes, in major stories, declare that privacy is now stronger in the EU than in the US. Reaction to the privacy rules is mixed, as cited in the NYTimes report: “It’s a gradual and not a revolutionary kind of thing … However for many companies it was a huge wake-up call because they never did their homework. They never took the data protection directive seriously”
Public Attitude Toward Data Privacy Is Ambiguous
In 2015 Pew Research did a major survey on public attitudes toward data privacy and control. More than two-thirds expressed concern, as shown in the chart: three quarters of those surveyed said they needed to be in control of who could access their personal info, but only 65% believed they had control over what info was collected about them. Three years later, after the scourge of the 2017 hacking attacks worldwide, attitudes had not changed despite ransomware and the Facebook/Cambridge Analytica hacks and breaches.
Instead, there is almost a resignation that, in order to obtain the free or lower-cost services offered by WiFi providers, online apps and social media, consumers will have to grin and bear it.
Yet GDPR has real bite – up to 4% of a non-compliant organization’s annual revenue can be charged for non-compliance, and users have recourse through Data Privacy Agents in each EU country. Finally, the EU has shown a willingness to issue big fines – $2.8bn in late 2017 against Google for data usage and antitrust violations. The EU has waited for years for the US to lead on data privacy issues, but with the MAGA presidency’s USA exceptionalism, marked by EPA backtracking, vacating foreign treaties, and Climate Change inaction, Europe is setting a respectable standard for better personal data privacy.
GDPR – General Data Protection Regulations – is Europe’s attempt at regulating and controlling three perverse Internet trends:
- ever larger hack attacks and data breaches, many originating in North America but affecting Europeans, with the affected companies delaying reporting of the breaches for many months after the event and offering minimal recourse to users;
- increased harvesting of users’ interactive online data, with minimal user control over that data to review, edit or delete it as desired;
- increased social and economic vulnerability as social media transactions are shaped by automated bots, which now comprise more than half of Internet traffic.
Responding to the May 25, 2018 deadline for the European GDPR – General Data Protection Regulations, WordPress has shown leadership by providing templates and starter tools to implement GDPR requirements for data privacy in its latest core system update, version 4.9.6. Now WordPress, which is currently used by 30.8% of the World’s websites, does not itself have to respond to a European regulation on data privacy. However, the implication of the upcoming law is that websites that have European residents as customers and users, regardless of whether those websites are based in Europe, have to adhere to the GDPR rules in order to continue to do business with European clients and customers. The personal data sources and disclosures such a website has to account for include:
- Use of comments, cookies, and user-supplied media;
- Contact form information and/or account information supplied for login privileges on the website;
- Info supplied through embedded content like mapping data, or through analytics routines like Google Analytics, Yoast SEO, etc.;
- Any sources of data imported from 3rd parties, such as credit reports, purchase-related data, or personal educational or health data;
- How long the website retains your data, for each source of personal data cited above, and an accounting of what is done with the data;
- A list of the rights you have over your data, including the right to review all data, the right to edit or correct data, and the right to delete all or part of the data;
- How your personal data is protected;
- What happens in the case of a data breach: when are you informed, and what compensation are you entitled to?
- What 3rd parties personal data is exchanged with, what processing they perform on the data, and how they protect your personal data;
- What automated decision-making and/or profiling is done with any of your personal data;
- What industry regulatory disclosure requirements involve personal data.
Again, it is important to note that action only has to be taken if you have European clients and customers. But the good news is that the CMS and software industry is responding to GDPR:
- Drupal, the second largest CMS, has both a guide and Drupal 7 and 8 modules for GDPR;
- Joomla, the 3rd largest CMS, has a comprehensive premium extension for GDPR;
- Squarespace, a fast growing CMS, has a detailed advisory;
- Wix has advisory help as well;
- Shopify, a fast growing eCommerce service, has a more detailed advisory;
- Siteground, one of the top-rated hosting services, has broad GDPR info;
- Microsoft, as a major Web vendor, has a Trust Centre.
Here are the current, strengthened EU General Data Protection Regulations:
What feedback am I entitled to on providing personal data?
On providing personal data, you must receive information about:
- the name of the company or organisation that is processing your data (including the contact details of the DPO, if there is one);
- the purposes for which the company/organisation will use your data;
- the categories of personal data concerned;
- the legal basis for processing your personal data;
- the length of time for which your data will be stored;
- other companies/organisations that will receive your data;
- whether data will be transferred outside the EU;
- your basic rights in the field of data protection (for example, the right to access and transfer data or have it removed);
- the right to lodge a complaint with a Data Protection Authority (DPA);
- the right to withdraw your consent at any time;
- the existence of automated decision-making and the logic involved, including the consequences thereof.
The information should be presented in a concise, transparent, intelligible way and drafted in clear and plain language.
- You have a right to ask for and obtain from a company/organisation confirmation as to whether or not it holds any personal data which concerns you.
- If they do have your personal data then you have the right to access that data, be provided with a copy and get any relevant additional information (such as their reason for processing your personal data, the categories of personal data used, etc.).
- This right of access should be easy and be made possible at reasonable intervals.
- The company/organisation should provide a copy of your personal data free of charge. Any further copies may be subject to a reasonable fee.
- The information should be provided in a commonly used electronic form.
- This right is not absolute: the use of the right to access your personal data should not affect the rights and freedoms of others, including trade secrets or intellectual property.
Note the cost, time limits, and expected format of completing requests for data from companies/organizations.
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data (and know when they can do so)
- Transfer/export personal data
Controls and notifications
Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for obtaining/processing data
- Keep records detailing data processing
- Demonstrate GDPR compliance
Key questions on Personal privacy
- Personal data about children
- 7 types of personal data are deemed sensitive: political opinion, sex life or orientation, racial or ethnic origin, religious belief, trade union membership, genetic data, biometric data, health info
- Can an NGO act on one’s behalf?
- Can I be subject to automated profiling?
IT and training
Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts
Organizations are required to:
- Notify all users of any personal data collection
- Declare processing purposes and use cases for collected personal data
- Define data edit, retention and deletion policies
©JBSurveyer @ ImagenationIT 2018