Just found about this new regulation, it will be law in 2018 and affects anybody who stores data about EU citizens, that can be used to identify a person. More detail here.
I have a page that doesn't store names and exact addresses but it stores birth dates and country/city as location and uses these two to provide a service (which is the core service, so I can't just stop collecting these data).
From what I understand I have to take some action to ensure compliance with GDPR, but I haven't found reasonable explanations what that means. There is a dozen articles that rephrase paragraphs of GDPR, that is not helping at all.
I don't mind full deletion, explaing what data I store to the users and simmilar points ... What I am mostly worried about is the part about anonymizing data so in case of a breach they can not be used to identify a person. How am I supposed to do that? If I store an email address used to verify an user account and tie birth date and location data via PK to that verified email, they are no longer anonymous ... and they can't be, right?
Any thought about practical solutions to become GDPR compliant?
UK government confirms plans to remove 'cumbersome aspects' of GDPR. The UK government confirmed plans to reform the country's data laws in today's Queen's Speech, which sets out its legislative programme for the months ahead.
Does the GDPR still apply? Yes. The GDPR is retained in domestic law as the UK GDPR, but the UK has the independence to keep the framework under review. The 'UK GDPR' sits alongside an amended version of the DPA 2018.
Data protection law after 31 December 2020: does the GDPR apply in the UK after Brexit? No, the EU GDPR does not apply in the UK after the end of the Brexit transition period on 31 December 2020.
Financial penalties Under GDPR, organisations who fail to comply and/or suffer a data breach could face a fine. In the most serious cases, this fine could be up to 17 million euros, or 4% of a company's annual turnover.
Ultimately, in the UK, the GDPR will be enforced by the ICO - Information Commissioners Office. Whilst some of the regulation is quite clear cut, the articles relating to anonymisation are open to interpretation and we'll probably only fully understand how the line is drawn once the ICO has enforced a case relating to it. Having said that there is a bunch of good info on their site.
Their is also a group of academics in the UK advising both the ICO and businesses (for free) about anonymisation. They're called the UK Anonymisation Network - UKAN. I've had a web meeting with them - they're awesome.
It is unlikely you will have to anonymise your data if you use standard encryption to store your data at rest. Anonymisation may come in handy if you are sharing any of that data with third parties. In the event of a breach on their system, you can demonstrate you have taken as many steps as possible to mitigate your risk.
I agree with the above - GDPR is a great thing for privacy rights and data control - I also agree that there are a million sites out there just rephrasing gdpr! In terms of practical steps, more guidance is going to be released by the ICO this month. But it makes sense to begin by mapping out what user data you process, whether the reasons for this are justified and whether there you have asked for EXPLICIT permission to use that data in that way. Further to this you should think about how you can delete data if it's requested.
There are services that will keep independent record of opt ins and alert you to data vulnerabilities. Anonomisation works in some cases, in others, if you have permission, then all you need is process to delete and an audit trail.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With