Here at mediaLAB/DSS, it is our team's aim to create new digital interactive esport concepts that stay at the edge of innovation through a data-driven business model. This is to the benefit of the users and of the stakeholders who make the service possible. But how will the GDPR affect data-driven business models, and does it apply to student research projects? Spoiler: it applies to everyone.
Casper attended a workshop hosted by Media Perspectives to gain a better understanding of how we may use data under the new European General Data Protection Regulation (GDPR), better known as "the new (super) privacy law", which will go into effect on the 25th of May.
What is the GDPR?
Layman's terms: It protects the data of EU citizens/residents and keeps any individual or company from harvesting data without sufficient legal ground. Power to the people.
Not layman's terms: The General Data Protection Regulation is an EU law on the protection of data and privacy for all individuals who reside within the European Union. It addresses what (personal) data is, when you may ask for it, whether you may process it, how you must process it, whether you may store it, how you must store it, how your company must act on it, how you as an individual must act on it, and that citizens/residents of the EU always stay in control.
Why should I care?
It either protects you from any company or individual knowing everything about you through a world-spanning harvesting network and building a comprehensive profile of your every activity.
Or
It keeps you as a person/student/freelancer/company from randomly harvesting all the data you can, just to use it for your own gain, with fines of up to 20 million euro or 4% of your annual profit, as specified in Article 83.
The workshop
Initially, the GDPR law was incomprehensible to us and to many others, even in its most basic practical sense. Questions we had were: What do I need to do? What information, provided by a wide range of institutions and lawmakers, can I hold on to? What happens if my company doesn't comply with the GDPR by the time it is put into force? Sheevani Bharatsingh of The law factor provided a presentation about the new GDPR and a workshop to answer all our questions. Sheevani Bharatsingh is specialised in corporate law and general contract law and has studied the GDPR extensively.
At the start of the workshop, we held a quiz about our knowledge of the GDPR to get a feeling for what we knew. After this, Sheevani gave a general introduction to the main lines of the GDPR, followed by a more in-depth crash course on what you need to look out for, what action you need to take and in what order.
After the general introduction, we went to work and made a basic structured analysis of the data and data flows within our company. We completed the session by giving a presentation of our findings, what should be done within our company and how to comply with the GDPR.
But what should you yourself do? To analyse your company and take the first steps towards becoming GDPR ready, I recommend the following action plan.
What you need to do for the GDPR:
- Map the information flows within your company and what flows out of the company.
  - What kind of data do you handle?
  - To what end is this information processed?
  - What is your legal ground for collecting and processing this data?
  - With whom do you share the data, and why?
  - What role does your company have regarding the processing of the procured data?
- Structure and document the way you process data, and log every time you process data and to what end.
- Make an analysis of the risk of processing and storing the data you collect.
  - Create a systematic description of your intended way of processing data and to what end.
  - Assess the necessity and interests of the data being processed.
  - Assess the vulnerabilities of the way you process data, your hardware and your software.
  - Assess the privacy risks.
  - What precautions are you taking?
- Create a protocol for data leaks.
  - You need to contact the authorities (AP).
  - You need to contact the people implicated by the data leak, those whom the data concerns.
  - Notify them within 72 hours of becoming aware of the leak.
  - Register the data leak in a log.
- Create a (new) privacy statement containing:
  - The contact information of your company
  - The contact information of the authorities
  - The purpose for which, and the end to which, you process data
  - What data you process
  - With whom the data is shared and to what end
  - Storage period expiration
  - Rights of those involved
  - Justified interest
  - Consent of the user
- Appoint a dedicated employee for data and privacy protection.
- Assess to which authorities you report in case you are an international business.
Credit to Sheevani Bharatsingh and The law factor for the action plan
What happens if I don't comply with the GDPR by the 25th of May?
As long as you show the authorities that you are working on complying within the first year, you will not be actively sought out and fined. Someone can, however, sue you if their personal data gets leaked, misused, etc. So make the GDPR your priority, because it is in the best interest of both you and your clients.