Part 1 in the GDPR mini series: a primer
Whether you're in Europe or not: the General Data Protection Regulation (GDPR) will have a great impact on businesses everywhere. Because even if you're outside of Europe, when you find yourself handling personal data of a European citizen (even if you're based outside the EU), you have to comply with the strict GDPR rules.
The General Data Protection Regulation is a very strict privacy protocol installed by the European Commision, the European Parliament and the Council of the European Union. It will prohibit companies from asking for data they don’t need, and from storing and using private data in a non-compliant way. The fines for non-compliance are substantial.
Even if you’re not in Europe, you could theoretically get a penalty for not complying. But even if you don't, not playing by the rules will cost you your European B2B customers.
Is the end of data harvesting near? And what does this mean for content and UX? That's what we discuss in this month's podcast.
COOKIE CONSENT WAS JUST A TASTER, GET READY FOR THE MAIN COURSE.
EXTRA BACKGROUND ON THE GDPR
THE 6 principles of privacy
- Lawfulness, fairness and transparency
Private data should only be used by organisations in a lawful and fair way. It should be crystal clear to the user how their personal data will be processed.
- Purpose limitations
Organisations are only allowed to use the consensually obtained data for the goals they communicated at the time of the transaction. They can no longer take a database and use it for purposes other or unrelated to what was communicated to the user.
- Data minimisation
Organisations can only ask for the information that is essential for their service. Profiling or marketing are (most of the time) not essential for servicing the client.
Information has to be straightforwardly interpreted and not out of date. It should be rectifiable by the user.
- Storage limitations
Personal data can only be stored for a few years, and only in a secure file or document, on a secure server that is physically in Europe.
- Integrity and confidentiality
Private data should be stored and processed in a way that the data is protected from loss, destruction or damage.
Consent is king, transparency is queen
The magic word in the new GDPR regulations is ‘consent’. As an organisation, you need to get consent of the user, or 'data subject' in GDPR terms, that is...
- Informed: they need to know what they’re consenting to.
- Freely given: you can’t force someone to give their data to use your service.
- Specific: they are only agreeing to what you are specifically saying they are agreeing to.
- Unambiguous: just like in other cases where you need consent: consent is a clear yes, not the absence of a no.
Privacy by design and Privacy by default
Privacy by Design is about the whole engeneering process of a service. It takes privacy into account at every step. We also describe this as value sensitive design, in which human values are taken into account, in a well-defined maner throughout the whole process.
Privacy by Default: all the privacy settings are set to optimal privacy. You will be asked for consent when prompted for personal details. Also, only the bare minimum will be asked for. Privacy by Default can be seen as a subset of Privacy by design.
Meet our 5 experts
Aral Balkan - Ind.ie
Aral Balkan is a cyborg rights activist, one third of ethical software company Ind.ie and part of the DiEM initiative. In all these roles, he passionately strives for a better, safer and more democratic web.
Clovis Six - Internet Architects
Clovis Six is a UX researcher at Internet Architects, and one of my favourite people to work with. After dealing with some GDPR related issues for his clients, he decided to specialise in the matter. He inspired me to make this podcast and helped out in shaping it. (Thanks buddy!)
Katryna Dow - Meeco
I met Katryna Dow at a professional event on data. Personal data is at the core of what Katryna's company Meeco does. I’m curious to learn how the GDPR will affect her business.
Seppe Van Steelant - City of Ghent
Government is one example of organisations that own loads of private data. Seppe Van Steelant is the Data Protection Officer (DPO) at the City of Ghent.
Bart Van den Brande - Sirius Legal
With only one year to go until GDPR goes into full effect, this seems like a good time to lawyer up! So that’s what we did. Meet Bart Van den Brande at Sirius Legal.
- GDPR mindmap by J4vv4d
- Bedtime reading: the complete text of the General Data Protection Regulation
- Good overview of what the GDPR entails by Duthler Associates: