Just a few short years ago, the idea of user data privacy compliance on the internet was met with hesitation. It was as dubious as the idea of Miranda rights in the Wild West. Back then, the web was, and many would argue it still is, an adolescent medium growing at supernova speed. Pioneers were only discovering boundaries long after crossing them. Regarding personal data, the frontier mindset prevailed: if you could catch it, you could keep it. But in recent years, this particular aspect of online exchange has finally begun to see welcome regulation. Now there are real consequences for actors that fail to follow the regulatory requirements on the collection, storage, and exploitation of personal data.
The GDPR in Europe is the most widely known and powerful piece of data regulation, but it’s essential to realize that many of its tenets are soon to be adopted, in one form or another, worldwide. In California, the CCPA will come into effect January 1, 2020. India is currently finalizing a far-reaching data privacy bill. In Brazil, the LGPD will become the law of the land sometime in early 2020. For businesses all over the world, the need to be user data privacy compliant will only grow more critical. So, let’s assume that you aren’t yet able to pore over the fine print of each piece of legislation to ensure compliance… what are some general steps you can take to protect your business from falling afoul of the regulator?
The practice of capturing every piece of data under the sun and figuring out how to use it after the fact is rapidly being consigned to the dustbin of history. Article 7 of the GDPR states that data controllers must be able to “demonstrate that the data subject has consented to the processing of his or her personal data.” Furthermore, this consent can’t be tacit or assumed. The request for consent must be presented “in a manner which is clearly distinguishable from the other matters…using clear and plain language.”
A logical and mandatory consequence is that the scope of consent for data collection and processing must be clearly stated: you can’t ask for consent to capture an undefined set of data. Personal data can only be collected for “specified, explicit, and legitimate purposes” (Article 5(1) of the GDPR). The upshot for development teams is clear. Define the specific data you want your system to capture and obtain affirmative consent from your users for each purpose.
Another vital point to note is that obtaining consent does not mean that consent is iron-clad in perpetuity. Article 7 of the GDPR also includes the provision that “The data subject shall have the right to withdraw his or her consent [to having their data captured] at any time.” Furthermore, the GDPR mandates that “it shall be as easy to withdraw as to give consent.” What does this mean for your business? Well, most basically, your website/app/digital product must have a straightforward way for users to retract their consent. Your system must also have built-in processes to guarantee that the withdrawal takes effect. If a user withdraws permission, their data cannot remain anywhere in your infrastructure.
In the old days, only a few years ago, once a company had your data, it was theirs to keep. However, regulators have stepped in to advocate for data subjects’ right to have their data scrubbed from systems after a certain amount of time has elapsed. The most well-known development around this “Right To Be Forgotten” was a 2014 lawsuit in which the Court of Justice of the European Union ruled that Google had to remove links to out-of-date information regarding a Spanish man. While search engine link results are not the purview of most SMEs, this general principle is now enshrined in the GDPR via Article 17, which is entitled “Right to erasure,” and Article 19, which details the process that must be undertaken by the data processor when they receive a request for erasure.
Does your system have controls in place to efficiently remove data after a certain period has elapsed? It better!
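As an added illustration (not code from the original post, nor from any Ethyca product), here is a minimal Python consent ledger that encodes the three obligations above: consent only for declared purposes, one-step withdrawal, and time-based erasure once consent has ended. The purpose names, the notice-version field and the rule that the retention clock starts at withdrawal are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Purposes are declared up front (Article 5(1)); consent for anything else is refused.
# These three names are constructed for the example.
ALLOWED_PURPOSES = {"order_fulfilment", "marketing_email", "analytics"}


@dataclass
class Consent:
    purpose: str
    notice_version: str            # which wording the user saw, so consent can be demonstrated (Art. 7)
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Hypothetical in-memory ledger; a real system would back this with durable storage."""

    def __init__(self, retention: timedelta):
        self.retention = retention                          # how long data may live after consent ends
        self.consents: Dict[str, Dict[str, Consent]] = {}   # subject_id -> purpose -> Consent
        self.erased: List[str] = []                         # audit trail of completed erasures

    def grant(self, subject_id: str, purpose: str, notice_version: str, now: datetime) -> None:
        if purpose not in ALLOWED_PURPOSES:
            raise ValueError(f"undeclared purpose: {purpose}")   # no consent to an undefined data set
        self.consents.setdefault(subject_id, {})[purpose] = Consent(purpose, notice_version, now)

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> None:
        # A single call with no extra hoops: withdrawing must be as easy as consenting (Art. 7).
        consent = self.consents.get(subject_id, {}).get(purpose)
        if consent is not None and consent.active():
            consent.withdrawn_at = now

    def may_process(self, subject_id: str, purpose: str) -> bool:
        consent = self.consents.get(subject_id, {}).get(purpose)
        return consent is not None and consent.active()

    def due_for_erasure(self, now: datetime) -> List[str]:
        """Subjects whose every consent has been withdrawn for at least the retention period."""
        return [subject_id for subject_id, by_purpose in self.consents.items()
                if all(c.withdrawn_at is not None and now - c.withdrawn_at >= self.retention
                       for c in by_purpose.values())]

    def erase(self, subject_id: str) -> None:
        self.consents.pop(subject_id, None)   # nothing may live on anywhere, the consent rows included
        self.erased.append(subject_id)
```

A scheduled job would call `due_for_erasure(now)` and then `erase()` each returned subject across every downstream store, not just this ledger.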
Published from our Privacy Magazine – To learn more, visit Privacy.dev