Just a few short years ago, the idea of User Data Privacy Compliance on the internet was full of hesitation. It was as dubious as the idea of Miranda Rights in the Wild West. Back then, the web was, and many would argue it still is, an adolescent medium growing at supernova speed.
Just a few short years ago, the idea of User Data Privacy Compliance on the internet was full of hesitation. It was as dubious as the idea of Miranda Rights in the Wild West. Back then, the web was, and many would argue it still is, an adolescent medium growing at supernova speed. Pioneers were only discovering boundaries long after traversing past them. Regarding personal data, the frontier mindset was prevalent: if you could catch it, you could keep it. But in recent years, this particular aspect of online exchange has finally begun to experience welcome regulation. Now, there are real consequences for actors that fail to follow regulatory requirements. Meaning the collection, storage, and exploitation of personal data.
The GDPR in Europe is the most widely-known and powerful piece of data regulation, but it’s essential to realize that many of its tenets are soon to be adopted, in one form or another, worldwide. In California, the CCPA will come into effect January 1, 2020. India is currently finalizing a far-reaching data privacy bill. In Brazil, the LGPD will become the law of the land sometime in early 2020. For businesses all over the world, the need to be user data privacy compliant will only grow more critical. So, let’s assume that you aren’t yet able to pour over the fine print of each legislation to ensure compliance…what are some general steps you can take to protect your business from falling afoul of the regulator?
To capture every piece of data under the sun and try to figure out how to use it after the fact is rapidly consigned to the dustbin of history. Article 7 of the GDPR states data controllers must be able to “demonstrate that the data subject has consented to the processing of his or her personal data.” Furthermore, this consent can’t be tacit or assumed. The request for consent must be presented “in a manner which is clearly distinguishable from the other matters…using clear and plain language.”
A logical, mandatory consequence is that consent for data collection and processing must be clearly stated. You can’t explicitly ask for consent to capture an undefined set of data. Personal data can only be collected for “specified, explicit, and legitimate purposes” (Article 5(1) of GDPR). The upshot for development teams is clear. Define specific data you want your system to capture and obtain affirmative consent from your users.
Another vital point to note is that obtaining consent does not mean that consent is iron-clad in perpetuity. Article 7 of the GDPR also includes the provision that “The data subject shall have the right to withdraw his or her consent [to having their data captured] at any time.” Furthermore, the GDPR mandates that “it shall be as easy to withdraw as to give consent.” What does this mean for your business? Well, most basically, your website/app/digital product must have a straightforward way for users to retract their consent. Your system must have built-in processes to guarantee it too. If users withdraw permission, the data cannot live anywhere in the infrastructure.
In the old days of only a few years ago, once a company had your data, it was theirs to keep. However, regulators have stepped in to advocate for data subjects’ right to have their data scrubbed from systems after a certain amount of time has elapsed. The most well-known development around this “Right To Be Forgotten” was a 2014 lawsuit in which the Court of Justice of the European Union ruled that Google had to remove links to out-of-date information regarding a Spanish man. While search engine link results are not the purview of most SME’s, this general principle is now enshrined in the GDPR via Article 17, which is entitled “Right to erasure,” and Article 19, which details the process that must be undertaken by the data processor when they receive a request for Erasure.
Does your system have controls in place to efficiently remove data after a certain period has elapsed? It better!
Published from our Privacy Magazine – To learn more, visit Privacy.dev
We enjoyed two great days of security and privacy talks at this year’s Symposium on Usable Privacy and Security, aka SOUPS Conference! Presenters from all over the world spoke both in-person and virtually on the latest findings in privacy and security research.
At Ethyca, we believe that software engineers are becoming major privacy stakeholders, but do they feel the same way? To answer this question, we went out and asked 337 software engineers what they think about the state of contemporary privacy… and how they would improve it.
The UK’s new Data Reform Bill is set to ease data privacy compliance burdens on businesses to enable convenience and spark innovation in the country. We explain why convenience should not be the end result of a country’s privacy legislation.
Our team at Ethyca attended the PEPR 2022 Conference in Santa Monica live and virtually between June 23rd and 24th. We compiled three main takeaways after listening to so many great presentations about the current state of privacy engineering, and how the field will change in the future.
For privacy engineers to build privacy directly into the codebase, they need agreed-upon definitions for translating policy into code. Ethyca CEO Cillian unveils an open source system to standardize definitions for personal data living in the tech stack.
Masking data is an essential part of modern privacy engineering. We highlight a handful of masking strategies made possible with the Fides open-source platform, and we explain the difference between key terms: pseudonymization and anonymization.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!
Book a Demo