GDPR in practice: A story about transparency, integrity and perception.

Are you already GDPR compliant?

What happened before.

Last week my girlfriend and I enjoyed a day off since a long time and decided to visit a local shopping centre. By chance, an electronics retailer opened its doors of a new store just that week. And what can be more fun – or at least for me - than strolling around between all those electronics looking for gadgets and novelties. It gets even more interesting when you find something to your liking. And I did… after collective consultation and some justification why I still needed another computer, we decided to buy a reasonably priced ultrabook.

But at the checkout my enthusiasm was somewhat tempered when the cashier asked me friendly for my identity card. When I asked him why he needed it, he answered - after an awkward moment of silence - that this was necessary for the two-year guarantee and otherwise it would take several minutes to do the necessary administration. After I gave him my identity card, he asked me for my e mail address since the guarantee certificate would be sent to me by mail. Within seconds and undoubtedly convinced of the efficiency of the check-out process, he handed me back the receipt and my identity card. 
However, the sales slip states that this is the guarantee certificate and up until now I haven’t received any email with the guarantee certificate.

Why am I telling you about this experience?

Well… on the 25th of May 2018, the General Data Protection Regulation (GDPR) goes into effect. GDPR impacts every organization, regardless of location, that processes data of people in the EU. All companies and organizations, large or small, must comply if they handle personal data of EU residents.

Previously, the privacy of individuals' personal data was protected within the European Union (EU) based on Directive 95/46 /EC on which every country within Europe has based its own local legislation for the protection of personal data. So the GDPR is not completely new, but why is this topic so hot nowadays? There are several reasons:

  • For organizations GDPR is a regulation instead of a directive;
  • The legislation based on Directive 95/46 /EC needed an update to address new concepts as the cloud and social media and the enormous amounts of data that come with it;
  • Under GDPR the supervisory authorities receive more extensive powers such as conducting investigations and taking corrective measures;
  • In case of non-compliance, the supervisory authorities have the power to impose heavy administrative fines (up to €20 million or 4% of annual turnover, depending on what's the highest) in order to place GDPR compliance high on the agenda within companies and associations;
  • The GDPR describes personal information as any information relating to an identified or identifiable natural person (“data subject”) and states that this type of information should be processed following certain principles which are transparency, purpose limitation, relevance, retention, accuracy, integrity and confidentiality. Examples of personal data are: a name and surname; a home address; an email address, an identification card number; location data, an IP address; a cookie ID, ...
  • The GDPR also empowers individuals by giving them more control over their personal data, also known as the rights of data subjects (individuals) which include the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.

Transparency, integrity and perception

The goal of this post isn't to describe those principles and data subject rights in detail as a description of them can be found en masse on the internet but rather review my experience at the electronics retailer compared to the GDPR.

First of all, the retailer placed himself in the position of controller by asking and processing certain personal data from me. I write consciously "certain" because I don't know which of my personal data from my identity card has been stored and/or processed. Hereby the retailer sins against the principles of transparency and relevance.

Despite the processing of personal data - according to the relevance principle - wasn't necessary at all in this case, I gave my consent by handing over my identity card (= action).

Based on the explanation of the employee at the cash register, this consent should only apply to the 2-year warranty on my Ultrabook and can't be used for other incompatible purposes like sending me a birthday card (= purpose limitation). Since a warranty period of 2 years applies, this means – according to the retention principle - that the retailer shouldn't store my personal data for longer than those 2 years.

And last but not least, I was asked for my e-mail address but I didn't receive the guarantee certificate by mail as stated by the cashier. For this I can come up with two possible causes: whether the employee made a typo when entering my email address (=accuracy of the data) in the system or the employee is not aware of the real reason for which the e-mail address of the customer is requested.

As you can see, there's definitely room for improvement to bring this purchasing process in line with the GDPR. Under the General Data Protection Relation there's nothing wrong with collecting personal data if it's based on the correct lawful basis and happens in line with the purpose in a transparent and expected way.

Conclusion

  • GDPR impacts the whole organization and compliance can only be achieved with clear communication and the creation of awareness at strategic, tactical and operational level in which each employee is aware of his contribution and responsibility within the (data) strategy;
  • Compliance with the GDPR is not a one-off activity and should be a recurrent topic on board meetings. Every new initiative – like a project, new service, new product or the use of innovative technologies - has to be balanced against the GDPR. If needed a DPIA (Data Protection Impact Assessment) has to be done to help you identify and minimise the data protection risks.
  • Considering GDPR as a necessary evil is a wrong approach as the obligation of setting up the register of your processing activities offers you the opportunity to get insights in all your distributed data sources and streams.
  • It's clear that the GDPR encourages companies to set up a more centralized management of personal data and platforms (like a privacy dashboard) that enable individuals to invoke their rights as a data subject according to a self-service approach.

And finally while most organizations are still fully engaged in getting GDPR compliant, the successor to the current ePrivacy Directive (also known as the "Cookie Law) announces itself. The new ePrivacy Regulation can be seen as an extension on the GDPR specific for electronic communication.

Formica

As Formica we fulfil the role of controller and processor. We're a controller and processor for the personal data of our customers, (future) employees, suppliers, ... 

While executing projects for our customers, we act as a processor. So we have to guarantee – under the form of a contract - that our employees are aware of the GDPR and that we handle (personal data) in a way that is compliant with the GDPR.

As an integrator of solutions for the digital workplace, we also ensure that our product partners (like Elastic Search, Magnolia, Liferay, ...) take GDPR seriously.

This makes Formica a partner and advisor on which you can rely during your digital journey to GDPR compliance by defining, sketching and implementing solutions. And all this with respect for the privacy of your customers, employees, members, ... and the principles of Privacy by Design and Privacy by Default.