What Developers Need to Know About Europe’s Data Privacy Rules
On 25 May, enforcement will begin of the European Union’s General Data Protection Regulation (GDPR): a law covering any organization anywhere in the world that handles the personal data of EU residents. Many individual developers and small-business owners will need to make sure that their applications, services, and websites comply with the GDPR, even if they do not live in EU countries.
The GDPR aims to give Europeans a clear understanding of who has their personal data and more control over its use. This means organizations must be much more disciplined about capturing and using personal data. “You need to be able to produce, delete, and audit the data easily,” says Michela Palladino, director of European policy and government relations for the nonprofit Developers Alliance.
Individual developers can get started by mapping out all the personal data in their possession. GDPR defines personal data as anything that could directly or indirectly identify a person, such as a name, a photo, an email address, bank details, posts on social networking websites, or medical information. In addition, the regulations also cover “special categories of data,” says Lydia de la Torre, a privacy law fellow at Santa Clara University, in California. These special categories include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and data concerning a person’s sex life or sexual orientation.
The next step for developers is to understand what they would need to change in order to comply with the GDPR, says Palladino. She recommends simply no longer collecting any personal data that is not actually needed (and deleting any such archived data), to minimize complications and risks.
For the personal data that is needed, developers must clearly specify the intended use and seek consent in each use case. “For example, if you are collecting telephone numbers from users in order to enable two-factor authentication, you cannot then use those same telephone numbers for a different purpose,” de la Torre says.
Some collection and data use do not require consent under the flexible category known as “legitimate interest,” says Bozhidar Bozhanov, founder and CEO of the secure auditing company LogSentinel, in Bulgaria.
For example, a website comment box that invites users to leave both a comment and email address could use that email address to notify them about follow-up comments under the legitimate interest category, Bozhanov says. But using the email address for other purposes, such as auto-registering them for another website, would require consent.
Developers and website owners probably need not panic over basic processes such as logging IP addresses. Simple access logs should not be a problem because they rotate frequently and cannot be used on their own to identify an individual person.
“If you store the IPs of users and actively try to correlate IPs with behavior, then you should ask for consent,” says Bozhanov. “But if you do that, you are probably not a small-website owner.”
Small-website owners, with a few hundred users, may not attract the spontaneous scrutiny of regulators but could find themselves facing individuals demanding their GDPR rights. Such individuals could also file complaints with regulators. Enforcement authorities will be holding audits to ensure compliance with the GDPR, so start keeping detailed logs and reports.
“Don’t assume the data on your website doesn’t matter,” Bozhanov says. “On the other hand, don’t be too scared of huge fines and don’t rush to pay expensive consultants. But do make sure you have adequate a word used too often in the regulation protection of users’ data.” The Developers Alliance’s Palladino recommends taking an in-depth look at who within the organization has access to personal data and to start limiting access where possible.