DISCLAIMER: This post is NOT in any way legal advice. I'm not a lawyer. Seek professional advice from a lawyer together with an IT specialist!
Also note that this is work in progress and that I'm updating this and waiting until after 25 May 2018 to see how others have implemented various solutions so I can comment on them.
I first read the GDPR law in 2016 for the Computer and Cybercrime Professional university degree I followed. We covered it in 2 distinct courses: IT Laws and Privacy, and IT Governance, Security Compliance and Risk Assessment. The information gained there, together with prior knowledge of privacy laws, made me realize that there are many similarities as well as new things, which are awesome.
Data protection regulations implemented by most countries in the European Union before GDPR gave citizens the same rights that GDPR now wants to give EU citizens worldwide.
This is an incredible effort. If you were an EU citizen and were registering with a company in the US or anywhere else in the world, that company didn't have to comply with any regulation. Now, with GDPR, if you're an EU citizen they are forced to comply.
I won't explain what GDPR is or why it's important. There are many rumours and myths around it. It's best to read the information directly from the EU Commission.
Is everyone ready for GDPR?
I instantly saw a business potential; however, the market was already overrun by big companies with big marketing budgets overhauling other big companies for GDPR setups. I realistically thought that a small guy like me couldn't stand out from the crowd. I was sure the market would be flooded with great implementations.
I was wrong. Most business owners, lawyers and IT crowds still don't fully understand GDPR or haven't implemented it in a correct and safe manner.
What's worse, it seems that half of global companies are NOT ready for GDPR.
Others estimate that 1 in 3 companies are not ready. The numbers may vary and we won't know 100% accurate statistics until after the GDPR is in place, by looking at websites and applications. Up until the 25th of May 2018 it's still a little bit of speculation.
2 years seemed like MORE than enough time to get everything working, or not?
One thing that made me rethink the strategy as I started reading the news was that most companies have paid large amounts of money only to set up certain whitepapers and documents explaining how they're going to become compliant, documenting every step of the way. This had been done by contacting experts in the security field as well as lawyers.
This is only half the battle. The other half of the battle is securing the systems and anonymizing data.
This means they then need to contact specialized IT firms to technically implement everything according to those specifications. So the bigger a company is, the harder it will be to do everything.
But what happens if small companies aren't ready yet? What if they don't have the money nor knowledge?
In Romania for example small companies have formed a forum to ask the state to give them help in implementing GDPR.
Searching the internet for related news, I was flabbergasted by the number of people who haven't even heard of GDPR.
As a comparison, I've also taken the time to analyze the Dutch and Belgian sphere of influence and found that it's a little better. However, it's not what I expected.
This made me realize that there is a huge market opportunity in serving small companies. Small companies contact small agencies and/or independent IT mercenaries, free entrepreneurs or freelancers for their development. Most of those developers also have NO idea how to work out GDPR. The small companies also have limited budgets to invest in paying lawyers and specialized experts.
Most web developers use CMS systems and plugins that aren't yet up to date with GDPR compliance. Let alone people that have an online shop. Yep, even if you have a blog with subscribers you need to comply.
This is a huge problem, since each solution has to be personalized for each and every company. There is no application that can do it for you.
You need to contact a lawyer and a specialized DevOps engineer (Software Development and Operations unification, aka Programmer + SysAdmin) to review your options.
Is excluding EU citizens an option?
If you live in the EU this is certainly not an option.
If you live anywhere else in the world then it's also not an option.
Closing the doors to EU citizens is not a solution, since all multinationals have business in Europe. If you view yourself as a small business in the USA - or anywhere else in the world - that thinks it can go without doing business with EU citizens, then it's time to reassess your position. Any big enough company from another country has EU customers whether they know it or not.
Let's take for example domain registration and hosting companies. They provide services worldwide so I don't think they'd stop selling it to Europeans.
This is certainly NOT an option at all. Allow me to explain. There were 704.83 million internet users in Europe as of 31 December 2017. There were 4,156 million internet users worldwide. Thus Europe has a 17% share. This is certainly not something to ignore.
Facebook gets 25% of its total revenue from Europe (statista.com). Sure, there can be companies worldwide that have a small percentage of sales in Europe. They might be thinking "let's block EU access".
Blocking EU customers will be nearly impossible; let me tell you why. Geoblocking is inefficient and most people access various websites through VPNs, so their true location is never revealed.
If an EU customer is on holiday somewhere else in the world you still have to abide by EU law, since the customer is a resident and citizen of the EU.
If I go on a safari in Africa or visit Machu Picchu and access any website, they'll have to treat my data based on GDPR.
GDPR offers extraordinary solutions to the world of Privacy and Cyber Security which will force companies to COMPLY. There are only 2 problems with the system.
- Most EU citizens don't know their rights and never read the privacy policies nor care about their data security.
- Developers will have to read the regulations themselves and NOT rely on what "management" has put together.
1. EU citizens need to know their rights
The GDPR will ensure that most EU citizens will know their rights and have full control over their data, with things including:
- OPT-IN functionality that allows the user to enable certain settings and then disable them
- The right to access all the personal data processed and stored by a company based on their persona
- The right to be forgotten
From the beginning this sounds like an extraordinary thing. If we take a closer look, people get fooled every day. Who even reads the fine print on a web page before purchasing? If there is a security popup banner/error or a dancing duck, people will always choose the dancing duck. Thus there will be certain problems from the start: people will have to pay attention and opt in themselves for certain services/products to be available.
2. Developers need to understand and implement GDPR-safe applications
Developers working in Fortune 500 enterprises or for other big companies that implement GDPR already know what to do. Developers that have their own small companies and develop software for small businesses have a problem. They might not have the time nor the money to read everything and talk to a lot of lawyers.
I recommend all developers check out this guide first to get a grasp of GDPR.
There are many topics which are interesting to know, I
Subscriptions equal marketing
Double opt-in is the best thing to do.
Storing the IP and date as a form of consent is necessary. However, the IP is also considered personal data. Well, based on most IT laws that handle digital signing in the EU, using the IP is OK as long as it's not given away or processed unlawfully.
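The double opt-in flow described above, as an added example that is not code from this post: consent is recorded only after the confirmation link is used, and the IP address and timestamp of both the request and the confirmation are kept as evidence of consent. The in-memory dictionaries, the 48-hour token lifetime and the e-mail/IP values are assumptions made for the example; a real deployment would store the records in a database.

```python
"""Double opt-in subscription with a consent record (constructed example)."""
import secrets
from datetime import datetime, timedelta, timezone

# Assumed lifetime of an unconfirmed request; after this the user starts over.
TOKEN_TTL = timedelta(hours=48)

# In-memory stores standing in for database tables (assumption for the example).
pending = {}   # token -> {"email", "ip", "requested_at"}
consents = {}  # email -> consent record


def request_subscription(email, ip, now=None):
    """Step 1: the form is submitted. No marketing may happen yet; we only
    create a single-use, unguessable token and note when and from where the
    request came. The token would be embedded in the confirmation e-mail link."""
    now = now or datetime.now(timezone.utc)
    token = secrets.token_urlsafe(32)
    pending[token] = {"email": email, "ip": ip, "requested_at": now}
    return token


def confirm_subscription(token, ip, now=None):
    """Step 2: the link is clicked. Only now is consent recorded, together
    with IP and timestamp of both steps. Returns the record, or None when the
    token is unknown, already used, or expired."""
    now = now or datetime.now(timezone.utc)
    entry = pending.pop(token, None)   # pop makes the token single-use
    if entry is None:
        return None
    if now - entry["requested_at"] > TOKEN_TTL:
        return None
    record = {
        "email": entry["email"],
        "requested_at": entry["requested_at"].isoformat(),
        "requested_from_ip": entry["ip"],
        "confirmed_at": now.isoformat(),
        "confirmed_from_ip": ip,
    }
    consents[entry["email"]] = record
    return record


def has_consent(email):
    """Check before every mailing: no record, no e-mail."""
    return email in consents


def withdraw_consent(email):
    """Unsubscribe / right to be forgotten: drop the record entirely.
    Returns True when something was deleted."""
    return consents.pop(email, None) is not None


if __name__ == "__main__":
    t = request_subscription("reader@example.org", "203.0.113.5")
    print("consent before confirmation:", has_consent("reader@example.org"))
    print(confirm_subscription(t, "203.0.113.5"))
    print("consent after confirmation:", has_consent("reader@example.org"))
```

The record keeps two IP/timestamp pairs because the request and the click are the two pieces of evidence that together show the address owner actually agreed; a single IP from the form alone only proves that someone typed the address.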
Processing and storing logs
Turn on IP anonymization in Google Analytics
Remove the last octet of the IP address if you process any IP further than just saving it
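The last-octet rule above, applied to access-log lines, as an added example that is not code from this post. It follows what Google Analytics' IP anonymization does: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are set to zero. The log lines are constructed for the example and the `anonymize_ip` / `anonymize_log` names are assumptions.

```python
"""Zero the host part of IPv4/IPv6 addresses in log lines (constructed example)."""
import ipaddress

# Constructed access-log lines in Combined Log Format style; not real traffic.
SAMPLE_LOG = """\
203.0.113.77 - - [10/May/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:13:55:37 +0000] "POST /subscribe HTTP/1.1" 302 0
198.51.100.9 - - [10/May/2018:13:55:38 +0000] "GET /privacy HTTP/1.1" 200 1024
"""

IPV4_KEEP_BITS = 24   # keep 24 of 32 bits: drop the last octet
IPV6_KEEP_BITS = 48   # keep 48 of 128 bits: drop the last 80 bits


def anonymize_ip(text):
    """Return the address with its host part zeroed.
    Anything that is not a valid IP address is returned unchanged."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    total = addr.max_prefixlen
    mask = ((1 << keep) - 1) << (total - keep)
    # Rebuild with the same class so a small IPv6 value is not mistaken for IPv4.
    return str(type(addr)(int(addr) & mask))


def anonymize_log(log_text):
    """Rewrite the first field (client address) of every non-empty line."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        first, sep, rest = line.partition(" ")
        out.append(anonymize_ip(first) + sep + rest)
    return "\n".join(out)


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG))
```

Masking on the integer value rather than string-splitting on dots is what makes the same function correct for IPv6, where a textual "last group" is not a fixed number of bits.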
IP Address logs
IP address logging can be done if it is for safety and to prevent fraud.
I've read a story where someone related that a certain person was called up as part of a research project. He accessed a certain website and the people who owned that website called the company where he worked, based on the IP address stored in Google Analytics. The author claims that an IP address is directly identifiable to a person. This is true only to the extent that it's combined with other personal data.
However, I beg to differ: this is totally different from storing IP addresses for the purpose of information security and preventing fraud.
First and foremost, such data should NOT be accessible to everyone. The GDPR states that access to data MUST be restricted and CLEARLY documented.
Second of all, the person being contacted never gave consent. It's one thing to store an IP address for IT security reasons and something else to start analyzing the data about the IP.
You can store an IP address in access/error logs ONLY if access to them is restricted and if they're encrypted after a few days.
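A retention rule for the "only for a few days" part above, as an added example that is not code from this post. The post says the logs should be encrypted after that window; this example instead replaces the raw address in older entries with a keyed HMAC pseudonym, which is a choice made for the example, not the post's own method. The pseudonym still lets the security team tell that two old entries came from the same address (useful for fraud investigation) without keeping the address itself, and the key, like the logs, stays under restricted access. The log lines, the 7-day window and the placeholder key are constructed.

```python
"""Keep raw IPs only for a short security window; pseudonymize older entries
(constructed example)."""
import hashlib
import hmac
from datetime import datetime, timedelta

RETENTION_DAYS = 7                       # assumed window for raw addresses
PSEUDONYM_KEY = b"placeholder-key-rotate-me"  # placeholder; store with restricted access

# Constructed access-log lines; the first is older than the window.
SAMPLE_LOG = """\
203.0.113.77 - - [01/May/2018:08:00:00 +0000] "GET /login HTTP/1.1" 401 512
203.0.113.77 - - [12/May/2018:09:30:00 +0000] "GET /login HTTP/1.1" 401 512
198.51.100.9 - - [12/May/2018:09:31:00 +0000] "GET /privacy HTTP/1.1" 200 1024
"""

LOG_TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_timestamp(text):
    """Parse the bracketed log timestamp, e.g. '01/May/2018:08:00:00 +0000'."""
    return datetime.strptime(text, LOG_TIME_FORMAT)


def pseudonym(ip):
    """Stable, keyed, one-way replacement: same IP and key -> same pseudonym.
    Without the key the raw address cannot be recovered or brute-forced."""
    digest = hmac.new(PSEUDONYM_KEY, ip.encode(), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def parse_line(line):
    """Return (client_ip, timestamp) from one log line."""
    ip, _, rest = line.partition(" ")
    start = rest.index("[") + 1
    end = rest.index("]")
    return ip, parse_timestamp(rest[start:end])


def apply_retention(log_text, now, max_days=RETENTION_DAYS):
    """Entries older than max_days get their address replaced by a pseudonym;
    newer entries are left untouched for security/fraud investigation."""
    cutoff = now - timedelta(days=max_days)
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, when = parse_line(line)
        if when < cutoff:
            line = pseudonym(ip) + line[len(ip):]
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(apply_retention(SAMPLE_LOG, parse_timestamp("13/May/2018:00:00:00 +0000")))
```

Run this from a scheduled job against rotated log files; the "now" argument is explicit so the rule can be tested deterministically and replayed over old files.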
There are also many more things I will write about in the future, for now I consider these the most important aspects.