Can Your App Become GDPR Compliant?

5 min read Stephen Blum on Apr 17, 2018

You need to be General Data Protection Regulation (GDPR) compliant starting two years ago. While it was ratified in 2016 and is currently in effect, enforcement (i.e. fines) will be implemented starting May 25th, 2018. If your app uses PubNub, you are on your way to being GDPR compliant. PubNub is making life easier for apps with a GDPR checklist. Life is better for the developers who think about compliance before they start to code. Making sure your app complies before it ships saves a lot of time and hassle. Built with ‘security by design’ and with developers in mind, PubNub delivers key components to help you comply with the onset of GDPR.

The final deadline for GDPR compliance is May 25, 2018, and companies that have thus far ignored their responsibilities will have to face the music. What song is playing? You’ve heard this one before: $12-24 million, or 2-4% of the worldwide annual revenue of the prior fiscal year, whichever is higher depending on violation tier.

A catchy tune that is hard to forget. Nobody is quite sure how discovery of non-compliance will be enforced, and in this situation companies that don’t know where they stand can definitely get hit; it really hurts. Users have already started to report violations ad hoc to companies’ email inboxes. When you get notice, you’ll have thirty (30) days to comply and respond. You’ll have to catalog and either provide a copy of or delete the user’s personal data, based on the various rights in GDPR – the “right to be forgotten”, the “right to data portability” and “data subject request rights”.

GDPR and Why Should We Care?

The GDPR is a very complex set of data protection regulations specifically created to protect EU citizens and their personal data wherever it exists on the web and in mobile applications. This applies to any business that has personal data stored on EU citizens. This means that any business, anywhere in the world, that holds data on EU citizens must comply. When you use PubNub you’ll automatically inherit the GDPR requirements for any data stored on PubNub network servers.

The initiative has already been passed into law. That was two years ago. And the deadline for the grace period is May 25th of this year. Companies that have not yet established the necessary framework are putting their business continuity at risk. In the event of a breach, or any action related to non-compliance, fines will run into the 💰 millions.

So tell me – if we save a load of data, for example object data, that is related to a customer but stores no actual personal data (name, email, IP address, or, to quote Article 4 of GDPR: “information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”), do you have to allow them to delete and/or download all that related data, or is it just data that actually contains “personal info”? Answer: Just personal data – but that definition is quite broad.

In addition, if I have a load of data in a PubNub Channel consisting of objects that represent an invoice, but that data does not contain their “personal info”, do I need to allow them to delete it all and export it? Answer: No.

You can say this is a bit of a gray area. Derivative data is data. Source identification data such as home address, photos, names, etc. will be a target for GDPR. However, derivative data such as analytical insight or Artificial Intelligence models will not have to be deleted, even if requested. This is because it is derived data.

You can’t ask humans who learn details about a customer to just “forget”. “Mr. Smith just requested we delete his data. ‘Okay everyone who knows details about the Smith account, take your forget-me-pill, that’s the green pill with purple speckles for Smith.’” We do not enforce memory-wiping technology to be used on employees for reading personal customer data. And we do not enforce an AI to forget derived intelligence.

The G in GDPR in Our Daily Lives

“General” is a quantifier matching all data. Evidence of the GDPR’s influence has already infiltrated your browsing activity. You’ll see those top banners explaining that your data is being used. A request for consent to process cookie data is commonplace on EU apps and sites, as is the option to allow or block notifications. In any case, the language is very clear as to what information is being processed, and we can either agree or not agree and then get on with our lives.

The sites in question will have fulfilled that specific compliance mandate, but to take it a step further, let’s say that we consent to share cookies for a site we’re on. If in the future we decide we want our cookies removed from that site, we have only to ask. Under the letter of the regulation, the request must be granted within a certain timeframe. This is known in GDPR terms as “the right to be forgotten”.

The Complex Concepts of GDPR Compliance

While removing a bit of personal data may sound simple enough, the process is not quite so cut-and-dried. The protection requirements for IP addresses, indeed for any action or engagement a user has with the site at all, are the same as what is required to protect name, address, and payment data. Each individual bit of data, from your browsing history to how long you stayed on a page and how you interacted with the content while you were there, is attached to your identity, and so must be accessible enough to isolate and destroy.

For companies that have historically stored data based on a log system, the process of isolating the entirety of one user’s data would be a daunting job. A large part of the compliance process, from an IT compliance provider’s standpoint, at least, concerns the act of organizing this information in such a way that it can be accessed, protected and deleted at a binary level.

Additionally, consumers can request an accounting of what personal data of theirs is being held. This extends beyond data that was provided to the company itself and includes data provided to your company by third-party vendors including shippers, payment processors, and so on, extending the onus to include all companies involved in the processing, transmission, and storage of that data.

Data Governance: Past, Present, Future

In a legacy environment, the act of isolating personal data and connecting all its various branches and iterations would be a time-consuming, expensive, and largely inefficient endeavor. To mitigate this problem, data would have to be migrated to compliant platforms that do a better job of sorting and protecting this data, platforms that make short work of what would have been impossible in the pre-GDPR world.

In our next part, we’ll look at why IoT is vulnerable within the scope of GDPR.