General Data Protection Regulation (GDPR) compliance. You’ve probably come across it on various websites, news articles, and social media posts, and I’ll assume that you know it has to do with data and privacy. Maybe that’s all you know, or maybe you have no idea what the General Data Protection Regulation is at all. For both cases, I’m glad you’re here because I’ll be giving a quick rundown on what GDPR compliance is, and what it means for your privacy.
What is the General Data Protection Regulation exactly?
It’s the most complete set of data protection rules, containing 99 articles, and it focuses entirely on protecting individuals with respect to the processing of their personal data and on limiting what organizations can do with that data. It’s a regulation that was introduced as a framework for laws across the European continent. It became binding on all EU member states in 2018 and is praised for its progressive set of rules on how to handle people’s personal data.
Think about the Facebook and Cambridge Analytica data scandal. The discourse surrounding such scandals has been rampant on how people’s personal data should be handled and protected. With GDPR, the EU has basically tamed the wild west of data use and wrangled organizations so that Marky Zuck and the Funky Bunch can’t play with sensitive personal data like that again.
What does the General Data Protection Regulation cover and who does it apply to?
The General Data Protection Regulation covers the collection, storage, and use of personal data (like location) and applies to all organizations operating within the EU and EEA (such as Roam). Not only that, but it also applies to organizations outside of the EU and EEA that process the personal data of EU and EEA citizens. This even applies to companies that don’t have a physical presence in Europe but still process EU citizens’ data. Basically, if your business uses the personal data of EU and EEA citizens, you have to comply no matter where your company is based, even if it’s on the Moon. But why are you on the Moon in the first place? There is no atmosphere, no places to grab lunch, and I bet it doesn’t even have roads. If you’re planning to set up a company on the Moon, that's just poor business sense, and you’ll still have to comply with the General Data Protection Regulation.
What are the main principles of the General Data Protection Regulation?
The main principles of GDPR are laid out in Article 5 of the Regulation (yeah, I read it, you don’t think I do my research?). The 7 principles are as follows:
- Lawfulness, fairness, and transparency: Personal data must be processed in a legal, fair, and transparent manner.
- Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes, and not further processed in a way that is incompatible with those purposes.
- Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy: Personal data must be accurate and kept up to date.
- Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.
- Accountability: Organizations are responsible for ensuring compliance with the above principles and must be able to demonstrate compliance to supervisory authorities upon request.
We could go into the specifics of each principle, detail exactly what they mean, and explain how they impact the handling of personal data, but that could turn this blog into a cited academic law paper, and I’m alright sidelining that idea for now. Instead, let’s talk about your rights within the General Data Protection Regulation.
As you lightly skimmed the 7 principles while simultaneously scrolling through Twitter and watching a TV show on Netflix, you may have asked yourself: what are my rights under the GDPR?
Well, here’s a list of your rights within GDPR (they do not apply to all situations and may be subject to certain exemptions and limitations):
- The right to be informed: You have the right to be informed about the collection and use of your personal data.
- The right of access: You have the right to access the personal data an organization holds about you.
- The right to rectification: You have the right to have inaccurate personal data corrected or completed.
- The right to erasure: You have the right to have your personal data erased under certain circumstances.
- The right to restrict processing: You have the right to request that an organization temporarily or permanently stop processing your personal data.
- The right to data portability: You have the right to receive the personal data you have provided to an organization in a structured, commonly used, and machine-readable format.
- The right to object: You have the right to object to certain types of processing, such as direct marketing.
- The right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significant effects on you.
- You have the right to remain an attorney. This isn’t true; it’s a reference to the buddy cop classic, 21 Jump Street. It’s the scene where Jenko (Channing Tatum) has to recite the Miranda rights to his Deputy Chief but doesn’t know them. I thought it was funny. The last 3-4 sentences have been a complete waste of your time; only rights 1-8 are important, and you can ignore this.
How does this apply to what we do at Roam? With our location SDK and APIs, we collect only the data that is necessary for location tracking. For instance, with user tracking, salesforce tracking, and family tracking, personal location data is collected so that these apps can fulfill their purpose. Being GDPR compliant means we do not sell that data; it’s your property. With regard to those user, salesforce, and family tracking companies, privacy-friendly user tracking also means customizable data retention periods to fit your business needs. That ensures all customer data is collected properly with privacy in mind.
Apart from the poor humor, for which I hold full accountability, I hope that you learned a little more about the General Data Protection Regulation and what it means for you as a person and for your personal data. I know this kind of information may only be interesting to EU and EEA citizens, but the US also has the California Consumer Privacy Act (CCPA), which is similar to the GDPR. A future blog perhaps?