The Big Push for Data Privacy: GDPR

General Data Protection Regulations

GDPR is the response to the Wild World of Web data stolen, collected and exchanged about individual European citizens. The rules of GDPR have a long history over the past 40 years, as seen in this chart:

GDPR's current intent is to ensure that IT organizations provide individuals with more control over their personal data. That intent is expressed in a set of comprehensive new rules about data privacy, including consent, access to personal data, portability, erasure, notification of breach, and more. Penalties for non-compliance can be significant, as seen in recent fines by Brexit-bound English regulators.

This latest edition of GDPR responds to three information and Web technology phenomena:

  1. The rise of massive data breaches on the Web, coupled with criminal hacking that has become highly profitable, so that bot traffic now exceeds individual Web messaging;
  2. the continued harvesting and selling of individuals' personal data, with little or no personal control over that private data and its uses by major IT companies [think Facebook, Google, Verizon, Vodafone, Comcast, Deutsche Telekom, etc.];
  3. the pervasive use of automated, intelligent and Internet-connected devices in all aspects of home, business, and community affairs, as the Internet of Things allows increased control over every aspect of life.

Major US Websites are banning European customers as GDPR starts up

The Los Angeles Times, New York Daily Post and A&E Entertainment are some of the major US websites that balked at serving European visitors on the first day of the GDPR rules rather than incur fines for non-compliance with GDPR.

Bloomberg and the NYTimes, in major stories, declare that Privacy Is Now Stronger in EU Than US. The reaction to the privacy rules is mixed, as cited in the NYTimes report: “It’s a gradual and not a revolutionary kind of thing … However for many companies it was a huge wake-up call because they never did their homework. They never took the data protection directive seriously”

Public Attitude Toward Data Privacy Is Ambiguous

In 2015 Pew Research did a major survey on public attitudes toward data privacy and control. More than two thirds expressed concern, as shown in the chart [click to see the full-size version]: three quarters of those surveyed expressed the need to be in control of who could access their personal info. But only 65% believed they had control over what info was collected about them. Three years later, after the scourge of the 2017 hacking attacks worldwide, attitudes had not changed despite ransomware and the Facebook/Cambridge Analytica hacks and breaches.

Instead, there is almost a resignation that, in order to obtain the free or lower-cost services offered by WiFi providers, online apps and social media, consumers will have to grin and bear it.

Yet GDPR has real bite – up to 4% of a non-compliant organization’s annual revenue can be charged for non-compliance. And users have recourse through Data Privacy Agents in each EU country. Finally, the EU has shown a willingness to issue big fines – $2.8bn in late 2017 against Google for data usage and antitrust violations. The EU has been waiting for years for the US to lead on data privacy issues. But with the MAGA presidency's USA exceptionalism, as marked by EPA backtracking, vacating foreign treaties, and climate change inaction, Europe is setting a respectable standard for better personal data privacy.

GDPR – General Data Protection Regulations – is Europe’s attempt at regulating and controlling three perverse Internet trends:

  1. The ever larger hack attacks and data breaches, many originating in North America but affecting Europeans, and the delayed reporting of the breaches by the affected companies for many months after the event, with minimal recourse offered to users;
  2. increased harvesting of users' interactive online data, with minimal user control over that data to review, edit or delete it as desired;
  3. increased social and economic vulnerability as social media transactions are shaped by automated bots. Automated bots now comprise more than half of Internet traffic.

So GDPR addresses each of these issues. For example, with GDPR data breaches will have to be reported as soon as they are discovered, and the organization will have to inform users what actions have been taken and will be taken in the immediate future to restore the users' data and integrity. Meanwhile, for harvesting of users' data, GDPR stipulates a number of practices, starting with a privacy policy and extending to rights to inspect, edit, transfer or delete personal data collected about them. Finally, the use of automated processing is also restricted. So GDPR is designed to redress the balance in the collection and use of personal data through the ever-broadening Web toolkits. What will be a challenge is to get the IT community, often profiting from the current “arrangements”, on board. Here is a small insight into the IT community response.

Responding to the May 25, 2018 deadline for the European GDPR – General Data Protection Regulations – WordPress has shown leadership by providing templates and starting tools to implement GDPR requirements for data privacy in its latest core system update, version 4.9.6. Now WordPress, which is currently used by 30.8% of the world’s websites, does not itself have to respond to a European regulation for data privacy. However, the implication of the upcoming law is that websites that have European residents as customers and users, regardless of whether those websites are based in Europe, have to adhere to the GDPR rules in order to continue to do business with European clients and customers.

Now the sidebar on the left provides the historical details as to the what and why of the GDPR rules. But the bottom line is that by Friday, May 25th, websites which deal with European customers will need to have a Privacy Policy statement which details how the website will meet the broad GDPR rules. The advantage of the WordPress Privacy Policy template is that no major rule or issue has been omitted, so each website’s Privacy Policy should address the following issues:

  1. Use of comments, cookies, and user-supplied media;
  2. Contact form information and/or account information supplied for login privileges on the website;
  3. Info supplied through embedded content like mapping data or through analytics routines like Google Analytics, Yoast SEO, etc.;
  4. Any sources of data imported from 3rd parties, such as credit reports, purchase-related data, or personal educational or health data;
  5. How long the website retains your data, for each source of personal data cited above, and an accounting of what is done with the data;
  6. Who your data is shared with, where and how much data is sent, and links to their Privacy Policy statements;
  7. A list of the rights you have over your data, including the right to review all data, the right to edit or correct data, and the right to delete all or part of the data;
  8. How your personal data is protected;
  9. What happens in the case of a data breach: when are you informed, and what compensation are you entitled to?
  10. What 3rd parties personal data is exchanged with, what processing they perform on the data, and how they protect your personal data;
  11. What automated decision making and/or profiling is done with any of your personal data;
  12. What industry regulatory disclosure requirements involve personal data?

Now, given this head start, it was straightforward to create the ImagenationIT privacy policy statement, because for most items our site collects no personal data. The major exceptions were comments and WP Statistics plugin data. So most small to medium-size businesses will likewise find adding a privacy policy statement and its support readily doable. The complications will occur if extensive data regarding mailing lists, comments or purchases is used. Also, team and membership websites [think BuddyPress or SportsPress] will require more comprehensive work.

Now again, it is important to note that action only has to be taken if you have European clients and customers. But the good news is that the CMS and software industry is responding to GDPR:

  1. Drupal, the second largest CMS, has both a guide and Drupal 7 and 8 modules for GDPR;
  2. Joomla, the 3rd largest CMS, has a comprehensive premium extension for GDPR;
  3. Squarespace, a fast-growing CMS, has a detailed advisory;
  4. Wix has advisory help as well;
  5. Shopify, a fast-growing eCommerce service, has a more detailed advisory;
  6. Siteground, one of the top-rated hosting services, has broad GDPR info;
  7. Microsoft, as a major Web vendor, has a Trust Centre.

Here are the Privacy Policy statements made by the three major software vendors – Facebook [most ambiguous], Google [changing], Microsoft [no tight compliance timeline] – in light of the May 25th 2018 GDPR start date. I will let readers compare and contrast the sincerity of their privacy commitments; but all have some notable omissions, especially about when they will be fully compliant. In the 12 major policy statement requirements, an orange cautionary coloring is used on some of the more contentious policy issues. See the issues raised in the left sidebar.

Here is the current strengthened EU General Data Protection Regulations:

What feedback am I entitled to on providing personal data?

On providing personal data, you must receive information about:

  • the name of the company or organisation that is processing your data (including the contact details of the DPO, if there is one);
  • the purposes for which the company/organisation will use your data;
  • the categories of personal data concerned;
  • the legal basis for processing your personal data;
  • the length of time for which your data will be stored;
  • other companies/organisations that will receive your data;
  • whether data will be transferred outside the EU;
  • your basic rights in the field of data protection (for example, the right to access and transfer data or have it removed);
  • the right to lodge a complaint with a Data Protection Authority (DPA);
  • the right to withdraw your consent at any time;
  • the existence of automated decision-making and the logic involved, including the consequences thereof.

The information should be presented in a concise, transparent, intelligible way and drafted in clear and plain language.


Can I access my personal data held by a company/organisation?

  • You have a right to ask for and obtain from a company/organisation confirmation as to whether or not it holds any personal data which concerns you.
  • If they do have your personal data then you have the right to access that data, be provided with a copy and get any relevant additional information (such as their reason for processing your personal data, the categories of personal data used, etc.).
  • This right of access should be easy and be made possible at reasonable intervals.
  • The company/organisation should provide a copy of your personal data free of charge. Any further copies may be subject to a reasonable fee.
  • The information should be provided in a commonly used electronic form.
  • This right is not absolute: the use of the right to access your personal data should not affect the rights and freedoms of others, including trade secrets or intellectual property.

Note the cost, time limits, and expected format for completing requests for data from companies/organisations.

Personal privacy

Individuals have the right to:

Controls and notifications

Organizations will need to:

Privacy Issues

Key questions on Personal privacy

IT and training

Organizations will need to:

Transparent policies

Organizations are required to:

©JBSurveyer @ ImagenationIT 2018

