Understand the GDPR in 10 minutes

or, “Just tell me what I have to do, man.”

Like a school kid who hasn’t started their year-end project by May, are you kept awake at night with a creeping fear that you are supposed to be doing something about the GDPR but you feel like you’ve waited way too long to ask what exactly it is?

Let’s fix that! Here’s a basic idea of what the GDPR means to your small internet business — in as few words as possible!

Note: I’m not a lawyer. I’m not even an EU resident. I’m just sharing my own notes to save you time and point you in the right direction. I make no claims that this information is accurate and no one should ever listen to anything I say.

What is the GDPR?

Unlike the United States government, the European Union is tired of giant internet companies collecting tons of consumer data and then constantly leaking it or misusing it. To attempt to fix this, they created the General Data Protection Regulation (GDPR). It’s a set of new European Union regulations which sets out exactly how companies must manage personal data.

If your company doesn’t comply, you can be fined as much as tens of millions of Euros (in proportion to the severity and scale of your violation).

European Union? But I’m in the UK. LOL Brexit!

Sorry, GDPR regulations still apply before Brexit completes and the UK has said they will implement their own GDPR equivalent after Brexit. So nothing is different for you.

European Union? I’ve never even been there!

TWIST — you are still probably affected. You have to follow GDPR regulations for managing personal data if you offer goods or services to anyone in the EU regardless of your location!

Guess what? Your website or mobile app is a service and IP addresses are considered personal data. So unless you just block anyone in the EU from using your service or you don’t collect any personal information at all, you still need to comply.

But I heard that the GDPR only applies to businesses with over 250 employees!

No, that’s not correct at all. There are some relaxed documentation rules for small companies that only occasionally process personal data, but in general you still have to follow GDPR regulations.

When does the GDPR take effect?

You can start getting fined for not following the rules as of May 25th, 2018.

Ok, fine! What kind of personal data is regulated?

GDPR covers any data that can be used to identify a person, even indirectly. So the following kinds of personal data are regulated:

  • Obvious stuff, like names, addresses, GPS location and bank details.
  • Less obvious stuff, like IP addresses, email addresses, or even a user’s posts, tweets or Instagram stories.
  • Even less obvious stuff, like raw user ids or “anonymized” data if it is possible to work backwards from the data to identify the person.

What do I need to do to comply with the GDPR?

While the full GDPR regulations are quite long and complex, we can mentally break them down into a few broad requirements that are easier to think about.

Requirement 1: Justify your need for personal data

First, you can only collect personal data if you have a valid reason for collecting it. But you can’t just make up your own reason. The EU says that there are six legal justifications for collecting data:

  1. You got explicit consent from the user to collect the data.
  2. You need the data to fulfill contractual obligations with the user — like how a phone company obviously needs to know a customer’s phone number to provide phone service to that subscriber.
  3. You need the data to comply with another law.
  4. You need the data to protect someone’s life.
  5. You are a public authority (like a government office) and you need the data to carry out your responsibilities.
  6. You have a “legitimate interest” in the data. This justification is vague and requires extra documentation.

In general, you are expected to use the most limited justification possible and have an actual business need for all the data you are collecting.

Furthermore, you need to pick your legal justification for collecting the data before you collect it and you need to tell the user your justification at the time you collect the data. For example, you can’t tell a user that you need their address to ship them a product and then turn around and resell that address to an advertiser.

Each of these legal justifications has its own set of sub-rules that you have to follow. For example, getting consent from a user to collect their data must be done according to a set of very specific rules. Gone are the days of pre-checked checkboxes and legal disclaimers hidden in privacy policies.

Things get much messier if you are working with certain kinds of data that are considered extra sensitive — things like race, religion, sexual orientation, political party or trade union affiliation, health information and biometrics. If you work with this kind of data, you should probably stop reading this and just go talk to a professional.

Requirement 2: Give Users Control Over Their Data

Once you collect data, you are required to give users control over the data that you collected. The GDPR outlines eight specific rights that users have over their data:

  1. You have to tell your users why you are collecting their data, what you are doing with it and how long you are keeping it.
  2. If a user requests it, you have to give them a copy of all the data you have collected about them.
  3. If a user says that their data is inaccurate, you have to correct it.
  4. If a user requests it, you have to delete all their data.
  5. If a user requests it, you have to stop processing their data.
  6. If the user wants to move from your service to another service, you have to allow them to transfer their data out of your service in a machine-readable format.
  7. A user has a special right to object to their data being used for certain purposes, like direct marketing.
  8. If you are using personal data for automated decision making or profiling (like feeding customer data into a machine learning model to approve a home loan), then you are exposed to a bunch of extra requirements around explaining how your model works, having an appeal system and so on.

In most cases, you are required to process any of these user requests within one month.

Depending on your justification for originally collecting the data, not all of these user rights always apply. There is a byzantine matrix of which rights apply for which legal justifications. But if you generally structure your operations so that you can support all these user rights, you should be fine.

Requirement 3: Keep Customer Data Secure

Under the GDPR, you are required to keep personal data secure and you are required to regularly test your security measures. You are also expected to consider security as part of your design process and not just bolt on some weak security measures after you build your product.

What does that mean exactly? The GDPR only gives you guidelines like taking “appropriate technical and organizational measures.” It doesn’t tell you exactly what you need to do, but this checklist is probably a pretty good place to start.

Along these lines, you also need to proactively monitor for data breaches, report any breaches within 72 hours to regulators and keep records of any breaches.

Requirement 4: Implement Data Governance and Documentation

A big part of the GDPR is maintaining proper governance, accountability and record keeping. For everything we’ve mentioned so far, you have to be able to document your compliance.

Here are some of the specific requirements:

  1. You must have written records of your purposes for collecting data, your data retention policies, a history of any time data is shared, your security policies and so on.
  2. If you hire anyone external to process your data for you, you must have a written contract with them outlining their privacy responsibilities.

If you are a small or medium-sized business (fewer than 250 employees) that only does “occasional” data processing of EU residents, some of these requirements are relaxed and you aren’t expected to keep written records (with some exceptions around “risky” data).

Things do get much more complicated if you are a large company (over 250 employees) or work with “risky” data. If either of those applies to you, go talk to a professional. You have to do extra things like carry out regular protection audits (DPAs) and name a Data Protection Officer (DPO).

That sounds impossible! I give up!

If you are a small business located in another country like the United States, you might be tempted to block all EU users instead of risking exposure to 20 million Euro fines.

But that kind of reaction is probably a misunderstanding of how EU regulators work. The goal of these regulations is to improve data handling, not to introduce impossibly complex rules and then penalize a company on a technicality. The GDPR clearly spells out that companies that do their best to cooperate with regulators and follow these regulations will be much less at risk of fines.

Ok, I get the basic idea. I need to start being responsible and transparent with user data. But where can I learn more about the regulations?

To learn to apply each of these requirements in more detail, check out the GDPR guide from the UK’s Independent Commissioner’s Office. It covers each of these same topics in much more detail, offers suggested compliance checklists and links to the full regulations where needed.

Good luck!


Thanks for reading! If you are interested in Machine Learning (or just want to understand what it is), check out my Machine Learning is Fun! series or sign up for my newsletter.

In the spirit of the GDPR, this is my official notice that I am collecting your email address with your explicit consent in order to email you when I write new stuff or have relevant news to share. I won’t give your email address to anyone else. Whew… That wasn’t too hard!

You can also follow me on Twitter at @ageitgey or find me on LinkedIn.