This is a compilation of daily posts that I’ve published throughout a week on LinkedIn.

What is the GDPR

For those who do not know, the GDPR is a regulation adopted by the European Union that will become effective May 25, 2018. That is about 6 months from now. It might be European, but it affects anyone that scrapes and stores data from European individuals, or that uses intermediaries or has data stored in Europe. So chances are your company might also be affected by this regulation.

In essence, the GDPR wants to give personal data back to individuals. It does so through key obligations that all affected organisations must put into practice. A non-exhaustive list of those obligations: get explicit consent from individuals before collecting profile and behavioural data about them; apply pseudonymisation to collected data; provide individuals with a right to erasure; provide individuals with a right of access to all personal data an organisation has collected about them; etc.

Needless to say, those are important changes that will affect a lot of organisations. They might be seen as restrictive, but they could also be taken as a challenge to adopt best practices that are more respectful of user privacy.

Privacy by Design – Best Practices

We saw yesterday that the GDPR (General Data Protection Regulation) will enforce practices that give data back to its owners, the individuals. It can be seen as a challenge or as an opportunity to adopt best practices in terms of user privacy.

As defined in Wikipedia, « Privacy by Design is about embedding data protection controls into systems that process personal data at all stages of system development, including analysis, design, implementation, verification, release, maintenance and decommission. »

In practice, that means adopting certain data protection practices, such as pseudonymisation or de-identification, as well as providing users with mechanisms that give them control over their data.

There’s much to be said about Privacy by Design that text limits don’t allow us to get into here (we’ll get back to this at a later date). But if the GDPR is anything, it’s an opportunity for all organisations to be more respectful of their users’ privacy. It’s a worthy objective to give ourselves.

Tomorrow we’ll look at how data processors (organizations that process data on behalf of a data controller, e.g. cloud service providers) are preparing for the GDPR.

Data Processors

To continue with this weekly focus on the GDPR, I’d like to talk about data processors and their responsibilities. As the General Data Protection Regulation states, it’s not only the data controllers (“organization that collects data from EU residents”) but also the data processors (“organization that processes data on behalf of data controller”) that must comply with those requirements.

So, as an organisation that captures, processes and uses personal data (profiling, behavioural, interests, etc.), it is also your responsibility to work with data processors that will conform to the GDPR. For example, it can be a web analytics SaaS tool such as Hubspot or a data collection platform such as Segment.

Segment, for example, has published a blog post (https://segment.com/blog/segment-and-the-gdpr/) on how they will themselves conform to the GDPR requirements and how they will help their users conform as well. The same goes for Hubspot, with an entire page (https://www.hubspot.com/data-privacy/gdpr) dedicated to explaining what the GDPR is and how Hubspot will conform to it.

But not all third-party data processors seem to take the General Data Protection Regulation as seriously as the examples above, and that reflects on their willingness to be more respectful of users’ privacy. So it might be in your best interest, as a data controller, to take a data processor’s commitment to the GDPR requirements as an indication of how trustworthy it would be as a business partner.

How Lantrns.co Can Help

In the last few days we’ve looked at what the General Data Protection Regulation is and how it impacts both data controllers and data processors. We’ve talked about how this regulation enforces practices that aim to give data back to individuals.

You can comply with the regulation because of the threat of the steep fines attached to it, or because you care about your users’ data privacy. As a data controller, that means you should also work with data processors that share that concern.

We’ve seen examples of data processors (such as Segment and Hubspot) that demonstrate a genuine dedication to conforming to the guiding principles of the GDPR. And as a company dedicated to providing customer analytics solutions to our own clients, we are also dedicated to adopting best practices that will inject privacy right into the design of your data infrastructure.

We’d love to have a conversation about your goals with regard to obtaining better insights on your customers while doing so in a way that respects their privacy. Please drop me a line at odupuis@lantrns.co or visit us at http://www.lantrns.co.

More Resources

If you’d like to learn more about the GDPR, here are some articles on the subject as well as more exhaustive resources: