As of May 25th, and not-so-coincidentally the publication date of this blog post, the General Data Protection Regulation comes into effect. It’s been scheduled since 2016, but there’s still been a decent amount of freakout and ‘the End is Nigh’-style coverage over the last couple of months, especially in the biometrics field. EuroCloud calls it “The Fall of Biometrics.” Biometric Update, citing the heavy costs it will likely impose on many companies, calls it burdensome and “draconian.”
10,000 Terms of Service updates in your inbox? Blame the GDPR
This post is intended to give an overview of the GDPR, as well as our reaction. It won’t be enough to prepare your company or office for compliance by a long shot, however. If you’re looking for that, leave a comment in the comments section and we can recommend some good resources. If you’d like to read the whole document (it’s a real page-turner), find it here.
So what is the GDPR? It’s a regulation dealing with personal data, the rights and limitations surrounding the use of personal data, and the penalties for misuse of personal data. The precise formula for compliance is still somewhat unclear. The penalties are high enough to bankrupt a medium-sized company with a single court case – up to 200 million euro or 4% of global sales, whichever is higher, per violation. Hence the near panic. Hence the deluge of terms of service updates.
The GDPR defines personal data broadly – everything from names, addresses, and phone numbers to computer IP addresses, cookies, and device identifiers. The information on your work application: covered. That time you put your name and email into a raffle at the church bake sale: covered.
Since the Keyo platform is geared toward integration with other systems, we have to worry about every kind of data (especially church bake sales: donate three trays of lemon squares and get a free peace lily, while supplies last). We also have to worry about the companies that integrate with ours, and about how and what we share with them.
The GDPR is built around certain core principles. In order to understand the intentions behind the regulation, let’s start with those. In simplified terms, they are:
1. Lawfulness, Fairness, and Transparency
Companies, governments, institutions, etc. are required to inform people about how they intend to use their personal data, why, and for how long. There’s no burying that information in legalese or making it so hard to find that it’s functionally inaccessible.
2. Limited Purpose
The data collected has to fit a company’s stated purpose for it. There’s no collecting everything just in case it’s somehow useful later.
3. Limited Storage Periods
The data should only be stored as long as it needs to be. If a company is storing it indefinitely, the justification for that policy should be clear and strong.
4. Accuracy
Personal data should be accurate. If it’s not, it needs to be corrected whenever an inaccuracy is found.
5. Integrity and Confidentiality
The data needs to be processed in a secure manner in keeping with industry standards.
Rights of the Data Subject
The rights listed in the regulation parallel its core principles. Basically, any person has the right to know who has what of their data, who that data is shared with, and for how long. People have the right to restrict the use of their data. They have the right to a copy of it in a form they can understand, if that’s possible. They have the right to know about any changes to anything involving their personal data in a timely fashion. They also have the right to be forgotten.
There are a couple of overriding concerns which trump or qualify these rights, such as public safety and academic study, but those won’t apply for most large companies. They don’t remotely apply to us at Keyo.
The Special Category
There is also a special category of personal data, for especially sensitive data that needs extra protection. The special category includes:
- Ethnic origin
- Medical Records
- Sexual Orientation
- Sexual Activity
- Religious or Philosophical Beliefs
- Membership in a Union or Trade Group
We made it! (Biometric data used to uniquely identify a person is on that list too.)
I mean, we always knew we were special, but it’s nice to hear someone else say it, you know.
This special data can only be processed under certain circumstances, most of which apply to governments, academic institutions or healthcare systems. Since Keyo is none of those things, we only have one real option: the informed consent of the individual. That consent can be withdrawn at any time, and it has to be roughly as easy to withdraw consent as to give it.
The GDPR requires entities that process a lot of special category personal data to periodically assess their systems to make sure those systems continue to safeguard the rights of data subjects. They must employ a Data Protection Officer to oversee those assessments, liaise with the appropriate governing bodies about data protection, and make sure staff is up to date on what they need to know about the GDPR. Anyone processing the special category has to arrange for periodic audits of their system to ensure compliance as well.
The costs can be significant, and compliance requires good policy and sophisticated systems.
Implications for Biometrics, Broadly
This restriction could have sweeping impact on the biometrics industry, especially for the use of biometrics in workplaces. Take two recent court cases in Cyprus, one in which a biometric system was found to violate the rights of users and another in which it was found not to have violated any rights:
In the first case, a certain company required employees to clock in for work using a biometric signature. There was no alternative system for clocking in. The judge found that the use of biometrics disproportionately infringed on the employees. Employees in that position cannot freely give consent. The benefits of the biometric system were all on the employer’s end.
The second case involved a gym. There was an alternative to the biometrics system. There was also no employee-employer relationship involved. The gym clients using the biometrics system were capable of giving and withdrawing consent.
Once again we’re seeing that consent needs to be at the center of processing the special category of data. Security is not enough. Technological cool factor is not enough.
Keyo's Initial Reaction
More regulation means higher costs limiting entry into the market. It may slow our growth some. That being said, in the biometrics and security field higher protection standards can be a good thing. For years respected organizations like the FIDO Alliance have been creating limits to entry to promote greater security. Even though we’re a young company with bills to pay, we intend to hold ourselves to the highest standards (200 million euro is a good incentive not to slip up).
Besides, Keyo is a consumer-focused platform, so informed consent has always been at the heart of our business model. We’re betting on a quality product that improves the lives of our users. We’re also betting that we can build sufficient trust while being transparent about our system, and that the transparency itself will help to build that trust.
After a recent staff meeting about compliance, our COO made a couple of comments I found especially significant in reaction to the GDPR:
First, she admitted that though researching the new regulation had been somewhat interesting, and certainly important, she very much wanted the months of her life she spent doing that back. And second, she pointed to the board covered in presentation notes and said, ‘Well, this is the company we want to be.’ It wasn’t a realization but a reminder that all the work we were about to do to get ready for May 25 was work we’d been prepared to do since the beginning.
Even if GDPR compliance ends up being expensive, the policies necessary for compliance are the policies of the company we want to be. We’re excited.