Whether you’re in Europe or not: the General Data Protection Regulation (GDPR) will have a great impact on businesses everywhere. Even if you’re outside the EU, as soon as you handle personal data of people who are in the EU (the rule is about where the data subject is, not their nationality), you will have to comply with the strict GDPR rules. Part 1 in the GDPR mini-series: a primer.
The General Data Protection Regulation is a strict privacy regulation proposed by the European Commission and adopted by the European Parliament and the Council of the European Union. It will prohibit companies from asking for data they don’t need, and from storing and using personal data in a non-compliant way. The fines for non-compliance are substantial: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
Even if you’re not in Europe, you could theoretically get a penalty for not complying. But even if you don’t, not playing by the rules will cost you your European B2B customers.
Is the end of data harvesting near? And what does this mean for content and UX? That’s what we discuss in this month’s podcast.
The 6 principles of the GDPR
- Lawfulness, fairness and transparency
Private data should only be used by organisations in a lawful and fair way. It should be crystal clear to the user how their personal data will be processed.
- Purpose limitations
Organisations are only allowed to use the data they obtained for the purposes they communicated at the time of collection. They can no longer take a database and use it for purposes other than, or incompatible with, what was communicated to the user.
- Data minimisation
Organisations can only ask for the information that is essential for their service. Data collected for profiling or marketing is (most of the time) not essential for servicing the client, so it needs its own justification.
- Accuracy
Information has to be accurate and kept up to date. Users must be able to have incorrect data rectified or erased.
- Storage limitations
Personal data may only be kept in a form that identifies the user for as long as the purpose it was collected for requires. The regulation sets no fixed number of years; you decide and document a retention period, and delete or anonymise the data when it has passed. Note that the GDPR restricts, but does not forbid, transfers of personal data outside the EU; it does not require servers to be physically in Europe.
- Integrity and confidentiality
Personal data should be stored and processed in a way that protects it against unauthorised or unlawful access and against accidental loss, destruction or damage, with security measures appropriate to the risk.
Consent is king, transparency is queen
The magic word in the new GDPR regulations is ‘consent’. Consent is one of several lawful bases for processing (performance of a contract and legitimate interests are others), but it is the one most online services will rely on. As an organisation, when you rely on it, you need to get consent of the user, or ‘data subject’ in GDPR terms, that is…
- Informed: they need to know what they’re consenting to.
- Freely given: you can’t force someone to give their data to use your service.
- Specific: they are only agreeing to what you are specifically saying they are agreeing to.
- Unambiguous: just like in other cases where you need consent, consent is a clear yes, not the absence of a no. Pre-ticked boxes, silence or inactivity do not count. You also have to be able to show that consent was given, and the user must be able to withdraw it as easily as they gave it.
Privacy by Design and Privacy by Default
Privacy by Design is about the whole engineering process of a service: privacy is taken into account at every step, from requirements to deployment, rather than bolted on at the end. We also describe this as value-sensitive design, in which human values are taken into account, in a well-defined manner, throughout the whole process.
Privacy by Default: every privacy setting starts at its most protective value, and the user has to actively opt in to share more. You will be asked for consent when prompted for personal details, and only the bare minimum will be asked for. Privacy by Default can be seen as a subset of Privacy by Design.
Meet our 5 experts
- GDPR mindmap by J4vv4d
- Bedtime reading: the complete text of the General Data Protection Regulation
- Good overview of what the GDPR entails by Duthler Associates: