What Is GDPR and Why Does It Matter to the Tracker Team?
On May 25, 2018, the EU General Data Protection Regulation (GDPR) goes into effect. Companies that collect or process data about individuals in European Union (EU) countries, including companies based outside the EU, will need to comply with a new set of rules governing data collection and privacy.
Like many entities that collect sensitive personal information, the team behind ImmigrationTracker and Tracker I-9 Compliance has been preparing for this transition for quite some time. Complying with GDPR has led us to examine many of our core processes, ultimately driving us to make improvements to our data collection, storage, and usage systems accordingly.
What is GDPR, really?
GDPR is a comprehensive set of rules governing the collection, use, and retention of personal data. It was adopted after years of negotiation to replace the Data Protection Directive of 1995. According to the European Parliament, the reason for this change is to “protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.”
Because the new regulation applies directly and uniformly across all 28 EU member states, companies will have one standard to follow. Under the 1995 directive, each member state transposed the rules into its own national law, which produced a confusing patchwork of requirements.
While GDPR outlines many regulations — some are brand new and some have been updated to include more specific language — companies that manage PII are keeping a close eye on the following key changes:
- A broader definition of personal data: GDPR defines personal data as any information relating to an identified or identifiable natural person. That is broader than the usual U.S. notion of PII and explicitly covers online identifiers such as device IDs (including advertising IDs), IP addresses, and cookie identifiers, along with any other value that can be linked back to an individual.
- Broader end-user data rights: End users, or “data subjects” in GDPR’s terms, gain broader rights over their data, including the right to know when and why their data is being processed, the right to have inaccurate personal data rectified, and the right to have their data erased on request (subject to the exceptions the regulation allows, such as data that must be retained to meet a legal obligation).
- Data protection principles: Yes, principles. These include data minimization (collecting only the data you need), purpose limitation (using data only for the specific purpose for which it was collected), and storage limitation (keeping data only as long as necessary), a familiar concept for Tracker’s I-9 and ImmigrationTracker teams.
So what’s the penalty?
Businesses that do not comply with GDPR face fines of up to 4 percent of annual global turnover or €20 million (about $24.5 million), whichever is greater. For most companies, that is not a small chunk of change.
How does GDPR affect our solutions?
GDPR applies to the collection, use, and disclosure of all “personal data” in the European Economic Area (EEA), and requires that any party who processes personal data does so under one of the lawful bases set out in the regulation (consent, performance of a contract, a legal obligation, and so on). Personal data, as defined in GDPR, includes all data relating to an identified or identifiable person, which covers personally identifiable information such as names and phone numbers as well as identifiers that can be linked to a person indirectly.
We act as an independent controller of the personal data we collect and process. Therefore, we are proactively working to ensure GDPR-readiness by the effective date of May 25, 2018.
Does Tracker transfer data internationally?
We manage two product lines, Tracker I-9 Compliance and ImmigrationTracker, each with its own separate and independent data management system.
We are headquartered in the United States but may serve clients located in the EEA. Therefore, we may process personal data that originates in the EEA on our servers and facilities in the United States.
What is the Tracker team doing to comply with GDPR?
We are taking the necessary steps to become GDPR-ready by the May 25, 2018 deadline. The measures include:
- Data Minimization – establishing mechanisms to collect only the data that is needed.
- Data Retention – implementing a maximum data retention schedule across all our systems so that data we no longer need is routinely deleted or anonymized.
- Consent – working with publishers to obtain and record GDPR-level consent, in connection with the ePrivacy Directive (the “Cookie Law”).
- International Data Transfers – finalizing our EU-US Privacy Shield certification.
- Individual User Rights – formalizing processes around data subject rights so that Tracker can respond comprehensively within the timeframes GDPR sets (generally one month from receipt of a request).
- Transparency – updating our privacy notices and internal policies for GDPR compliance.
- Partnership and Vendor Agreements – updating existing arrangements with third-party sub-processors to ensure GDPR compliance, and vetting new sub-processors before onboarding them.
- Security – ensuring continued use of appropriate technical and organizational security measures to safeguard any data collected and processed on systems we own or manage.
A useful resource: the Guidelines on Consent published by the Article 29 Working Party, the EU’s independent data protection advisory body.