May 25th, 2018 is almost here. On that date, the General Data Protection Regulation (GDPR) will be enforced in the EU. Companies that don’t comply could face fines of up to €20 million or 4% of worldwide annual turnover (whichever is higher).
At Two Hat Security, we take the security and privacy of your users’ data very seriously. Our chat filter and automated moderation software Community Sift is classed as a data processor, so we are diligently preparing for GDPR by engaging with industry experts and international consulting firms to ensure that we are compliant.
GDPR will replace the Data Protection Directive 95/46/EC as the primary law that regulates how companies collect users’ personal data. GDPR applies to any company that collects data from EU citizens, regardless of whether it has a physical presence in the EU. The regulation increases accountability for both “data controllers” (companies that collect personal data) and “data processors” (companies like Two Hat that process personal data on their behalf).
As defined by GDPR, personal data refers to:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
GDPR is a complex piece of legislation with many moving parts. Because of this, some areas are up for interpretation. However, the basics are relatively clear and can be broken down into four distinct categories: data minimization, transparency, security by design, and privacy by design.
Read the complete regulation here.
Important note: We are not GDPR specialists and cannot offer legal advice. We strongly recommend that you consult with your own experts (legal team, Data Protection Officer, GDPR consultant, etc.) for advice relating to your specific situation.
Key transparency requirements of the new regulation include:
Notification within 72 hours will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. As a data processor, Two Hat Security will be required to notify data controllers (our clients) of any data breaches. In the event of a data breach, Two Hat will provide notice within 24 hours.
Data subjects can request that their personal data be erased. There may be some exceptions, as data controllers can compare the subjects’ rights to erasure to “the public interest in the availability of the data”. In this situation, we strongly recommend that you consult with your legal team to determine how they define “public interest”. To facilitate users’ Right to be Forgotten requests, Two Hat will provide clients with a dedicated API.
Data subjects can request confirmation as to whether or not their personal data is being processed, as well as where and to what purpose. Data controllers are also expected to provide an electronic copy of the subject’s personal data for free.
Two Hat Security is implementing new processes and upgraded technology to address the key points above, in addition to other aspects of GDPR. We are committed to GDPR compliance, and to meeting all of the requirements of the regulation by May 25th, 2018.