Disclaimer: this article should not be used as legal advice for your company when it comes to the compliance of data privacy laws such as the GDPR. It is background information to help you understand the GDPR and how Open Social has ensured its own compliance.
If you are in the online business, and who isn’t nowadays, you’ve definitely heard of the European General Data Protection Regulation (GDPR), which becomes applicable on 25 May 2018. This legislation affects how businesses collect, manage, and process personal information from customers. This page provides an overview of the GDPR and what Open Social is doing to ensure compliance. It’s important to note that even if your company is based outside the EU, the GDPR still applies if you process the personal data of people in the EU.
The GDPR is EU legislation that enhances the protection of the personal data of people in the EU and requires organizations that collect and process personal data to comply with a range of obligations. It replaces and builds upon the 1995 EU Data Protection Directive (DPD) and its terms on data privacy and security, but adds new rights for individuals, explicit security obligations, and much stricter penalties for noncompliance. Unlike the 1995 directive, which every member state had to transpose into its own national law, the GDPR is a regulation: it applies directly and uniformly in every member state and so ‘harmonises’ data privacy law across Europe. It is enforced through the national supervisory authorities and courts of each member state, with the Court of Justice of the European Union as the final instance.
Why is this happening? The amount of digital information collected and stored has grown enormously since the directive was written in the 1990s, and stricter regulation of data handling and privacy has become necessary to protect the personal information of web users.
What is needed to comply?
The GDPR document consists of 99 articles dedicated to the rights of individuals and the obligations for companies to comply with the new legislation. Many of the principles outlined in GDPR are the same as those in the Data Protection Act (DPA). So, if your company already complies with the current data protection laws, then you will already be complying with many of the GDPR principles. Below you will find an overview of the most important components of the GDPR (please be aware that this is not comprehensive and does not replace the legislation).
- Access and portability. You must give individuals access to the personal data you hold about them and, on request, provide it in a structured, commonly used, machine-readable format so that it can be passed on to another company. This is the right to data portability. It is new compared with the DPA and one of the most challenging aspects of the GDPR.
- Erase data. Individuals have the right to demand that their data is deleted, or to object to the way it is processed, unless the processing is needed for purposes such as freedom of expression or research. A controller that has made the data public must also take reasonable steps to inform other controllers processing it (search engines such as Google, for example) that the individual has asked for any copies to be erased. This is the right to be forgotten and is new compared with the DPA.
- Check if you need a data protection officer. You must appoint a data protection officer if your core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive (special category) data, or if you are a public authority.
- Clear communication. You must inform customers/visitors who you are when you ask for their data. You must also explain why you are processing their data, how long it will be stored for, and who will receive it.
- Consent. Where you rely on consent for collecting data, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. If you are collecting data from children, check the age limit for parental consent: 16 by default, although member states may lower it to 13.
- Breach notification. You must report a personal data breach to your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and you must inform the affected individuals without undue delay when the breach is likely to result in a high risk to them.
- Profiling. If you use personal data for profiling or for automated decisions that have legal or similarly significant effects on people, you must inform them, have a person (not a machine) able to review the decision, and give them the right to contest it. Open Social does not use any form of profiling.
- Marketing. You must give people the right to opt out of direct marketing that uses customer data.
- Sensitive data. You must apply extra safeguards to special categories of data such as race, health, sexual orientation, religion, and political beliefs. For most projects that means at least encrypting the stored data and restricting who can read it.
- Data protection by design. You should build data protection safeguards into your product and services in the early development stages. This is the requirement to build in data privacy by design.
- New technologies. You must carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to result in a high risk to individuals, in particular when using new technologies.
- One stop shop. If you have establishments in multiple EU countries, the supervisory authority of your main establishment acts as lead supervisory authority and is the single point of contact for enforcement.
- Keep records. You must keep records of your processing activities. Organizations with fewer than 250 employees are exempt only if their processing is occasional, involves no sensitive data, and is unlikely to result in a risk to people’s rights and freedoms.
- Data transfer outside the EU. You must put extra arrangements in place (such as standard contractual clauses) when transferring data to countries that the European Commission has not recognized as providing adequate protection.
There have been many checklists surfacing online to help companies comply. For example, HubSpot created a useful GDPR checklist and the ICO (Information Commissioner's Office) has published a 12-step guide.
Your local Data Protection Authority will monitor your compliance, coordinated at EU level. The cost of noncompliance is high: warnings, reprimands, suspension of data processing, and fines of up to €20 million or 4% of global annual turnover, whichever is higher. In other words, companies can’t afford to ignore the legislation, and ensuring compliance should be everyone’s priority.
Privacy by Design
Open Social has a user-centered design, in which user freedom of choice, privacy, and security have been at the forefront of our design choices. This means we are naturally compliant with most of the GDPR. For example, profile fields on Open Social are optional and users can choose with whom they want to share their profile information.
Also, when adding any type of content to the platform such as a blog or timeline post, users can choose the visibility of the content: public, community only, or just for group members.
Moreover, users have always had the right to delete their account and unpublish or anonymize their data in Open Social. In order to ensure that groups do not lose all their content when a user chooses to delete their data, Open Social has a special feature that assigns groups to platform administrators. This way, only the content associated with the leaving user will be deleted.
GDPR Features and Roadmap
In the terms of GDPR-compliance, there are a few fundamental actors. These are defined for Open Social as follows:
The Data Controller: Open Social customers. This is the entity that determines the purposes and means of processing the data.
The Data Processor: Open Social. This is the entity that handles and processes the personal data on behalf of the controller.
The Data Subject: Users of an Open Social online community. This is who the law has been designed to protect.
In order to ensure full compliance, Open Social began reviewing its external and internal processes. We found that we need to work on the following:
- Improve communication about what happens with our users’ data.
- Provide site managers with the ability to minimize the collection of personal data.
- Encrypt personal data by default.
- Allow users to export their data from Open Social.
- Assign a Data Protection Officer (DPO).
- Scope our security controls using a framework.
In the coming months, we will adapt the Open Social product to address the points above. You can keep track of the progress on our roadmap tool, Receptive. We are working on the following:
- Asking users for their consent before sharing personal data.
- Being clear about what data remains when an account is deleted.
- Letting a site manager remove profile fields.
- Allowing users to export all of their data from the community platform.
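To make two of these mechanisms concrete, the account deletion described under Privacy by Design (a leaving user’s groups are reassigned to a platform administrator and only that user’s own content is removed) and the data export on the roadmap above, here is an added example in Python. It is not Open Social’s own code: the platform object, its data model, the administrator uid of 1, the `anonymize_group_posts` switch and the sample users are all hypothetical, and the post-deletion check simply lists every field that still refers to the deleted user.

```python
"""Hypothetical model of two GDPR data-subject rights on a community platform.

Added example, not Open Social's code. It shows a data export (right to
access and portability) and an account deletion that removes the user's
own content, hands the groups they own to an administrator instead of
deleting them, and then checks what data is left.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class User:
    uid: int
    name: str
    email: str
    profile: dict = field(default_factory=dict)   # optional profile fields only


@dataclass
class Post:
    pid: int
    author: Optional[int]      # uid of the author, None once anonymized
    body: str
    visibility: str            # "public", "community" or "group"
    group: Optional[int] = None


@dataclass
class Group:
    gid: int
    owner: int                 # uid of the owner
    members: Set[int] = field(default_factory=set)


class Platform:
    ADMIN_UID = 1   # assumption: uid of the platform administrator account

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.posts: Dict[int, Post] = {}
        self.groups: Dict[int, Group] = {}

    def export_user(self, uid: int) -> dict:
        """Right to access and portability: everything held about uid as
        plain data that can be serialised (e.g. to JSON) and handed over."""
        u = self.users[uid]
        return {
            "user": {"name": u.name, "email": u.email, "profile": dict(u.profile)},
            "posts": [{"pid": p.pid, "body": p.body, "visibility": p.visibility}
                      for p in self.posts.values() if p.author == uid],
            "groups_owned": sorted(g.gid for g in self.groups.values() if g.owner == uid),
            "groups_member": sorted(g.gid for g in self.groups.values() if uid in g.members),
        }

    def delete_account(self, uid: int, anonymize_group_posts: bool = True) -> List[str]:
        """Right to erasure. Groups owned by uid go to the administrator so the
        other members keep their shared space; the user's own content is removed
        (group posts are anonymized instead when the flag is set, so the rest of
        the discussion still makes sense). Returns the leftover-reference check."""
        if uid == self.ADMIN_UID:
            raise ValueError("the platform administrator cannot be deleted")
        if uid not in self.users:
            raise KeyError(uid)
        for g in self.groups.values():
            if g.owner == uid:
                g.owner = self.ADMIN_UID
            g.members.discard(uid)
        for pid in [p.pid for p in self.posts.values() if p.author == uid]:
            post = self.posts[pid]
            if post.group is not None and anonymize_group_posts:
                post.author = None      # keep the group content, drop the identity
            else:
                del self.posts[pid]     # personal blog/timeline content goes away
        del self.users[uid]
        return self.leftover_references(uid)

    def leftover_references(self, uid: int) -> List[str]:
        """Be clear what data is left: every field that still names uid."""
        left = []
        if uid in self.users:
            left.append("users")
        left += [f"post:{p.pid}" for p in self.posts.values() if p.author == uid]
        left += [f"group-owner:{g.gid}" for g in self.groups.values() if g.owner == uid]
        left += [f"group-member:{g.gid}" for g in self.groups.values() if uid in g.members]
        return left


def build_sample() -> Platform:
    """Constructed sample data for this example (not real users)."""
    p = Platform()
    p.users[1] = User(1, "admin", "admin@example.invalid")
    p.users[2] = User(2, "alice", "alice@example.invalid", {"city": "Enschede"})
    p.users[3] = User(3, "bob", "bob@example.invalid")
    p.groups[10] = Group(10, owner=2, members={2, 3})
    p.posts[100] = Post(100, author=2, body="public blog", visibility="public")
    p.posts[101] = Post(101, author=2, body="group note", visibility="group", group=10)
    p.posts[102] = Post(102, author=3, body="reply", visibility="group", group=10)
    return p


if __name__ == "__main__":
    import json
    platform = build_sample()
    print(json.dumps(platform.export_user(2), indent=2))
    print("leftover references:", platform.delete_account(2))
    print("group 10 is now owned by uid", platform.groups[10].owner)
```

Running the file prints Alice’s export, then deletes her account: group 10 is handed to the administrator, her public blog post is removed, her post inside the group is kept but anonymized so Bob’s reply still has context, and the leftover check returns an empty list. Passing `anonymize_group_posts=False` deletes the group posts as well. In a real platform the same check has to cover logs, backups and search indexes too, which this toy model does not touch.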
We are currently documenting our processes, which gives us a stronger understanding and overview of our data management strategies. To stress the importance of privacy, we appointed our co-founder Taco Potze as Data Protection Officer.
Our end goal is to ensure that one, Open Social complies with the GDPR and two, that the data controllers (our customers) have the tools to comply with the GDPR as well.
Still to come:
- Legal documentation
- Review against the CIS Critical Security Controls (CSC)
Why is this important?
Many companies may need to adapt their privacy policies, security practices, and marketing handbooks. At Open Social we feel we have a good head start. We also recognize that the new regulations have various benefits for both end-users and organizations. Here are the top ones:
- More transparency between organizations and end users. Once all organizations comply with the GDPR, EU citizens will have a lot more control and transparency in how their data is used.
- Greater value for organizations and end users. In the long term, the access and portability component of GDPR will increase the value of services that are allowed to process the data of their end-users. This will only come into effect when it has been defined legally by the courts and has been implemented by all major software solutions.
Our customers will be notified of any changes that will be made to the functionality or regular use of Open Social. This page will also be updated over the coming months, so feel free to return at any time!
Next: EU ePrivacy Regulation
Although the GDPR is getting most of the attention, further EU legislation is already on the horizon and is expected to come into effect in 2019. The current rules are the ePrivacy Directive, officially the ‘Directive on Privacy and Electronic Communications’ (Directive 2002/58/EC, amended in 2009 by Directive 2009/136/EC). The newcomer, the ePrivacy Regulation, aims to update that legal framework; it will complement the GDPR and similarly strives for uniform rules across the EU. As online privacy and security is a topic that needs continuous effort, we will keep Open Social in line with applicable laws wherever we can.