road-to-gdpr

The European Union loves regulations! The EU regulates nearly every aspect of its citizens’ lives through directives and laws drafted by the European Commission and rubber-stamped by the European Parliament. The General Data Protection Regulation (GDPR) is one of the most sweeping laws ever issued by a regional government, and its effects have sent ripples throughout the world. The regulation was adopted in 2016 and applies in full from 25 May 2018.

Despite GDPR’s noble intention to safeguard customers’ data and give consumers more power over their personal information, the regulation will have a negative effect on small Internet-based businesses and will not provide adequate consumer protection. The way the law is structured, it has a profound effect on the Internet, because it reaches businesses beyond the EU’s borders. Yes, you are reading that correctly: GDPR requires firms of all sizes that handle the personal data of people in the EU to be fully compliant, regardless of where the firm is located (Article 3).

Implementing regulations is simple; enforcement is a different story. Regulating or otherwise curbing the Internet rarely works as intended. Anti-spam laws actually allow spamming: the US CAN-SPAM Act, for example, gives a sender ten business days to honour an unsubscribe request, and spam sent in the meantime is permitted. Do Not Track ended up a total failure due to lack of interest from the big Internet players; it was a voluntary browser header rather than a regulation, so sites were free to ignore it. “Do not track” browser features have been gradually lost and may take a few years to be re-introduced.

We, the management of Yathit, found ourselves at a regulatory crossroads: far away from the EU, but in need of GDPR compliance. We truly believe in properly safeguarding our customers’ information and in complying with GDPR, even though we are a Singapore-based company. We will implement GDPR not only because the law requires it, but because it is the right thing to do for our European customers! It will be a very difficult task, for the following reasons:

Broader scope and heavier fines. GDPR is the most sweeping international regulation pertaining to data handling and will have a tremendous impact on global e-commerce. In addition to our earlier remarks, GDPR imposes strict fines for non-compliance (up to €20 million or 4% of a company’s global annual turnover, whichever is greater). These fines are far higher than the maximum of £500,000 that the UK Information Commissioner’s Office can levy today for non-compliance with the Data Protection Act 1998. The new law also significantly expands what counts as personal data; examples of what now falls under it include a person’s ethnic origin, sex life, genetic information, economic situation and even trade union membership. Close to 60% of Yathit’s customers reside in the EU, and sorting out and re-classifying their newly defined personal information will be a very challenging task.

Right to be forgotten. In addition to expanded consumer privacy rights, such as an individual’s right to know how their data is being handled and the requirement to correct inaccuracies in a person’s data on demand (within one month), companies have to deal with the consumer’s right to be forgotten, now codified as the right to erasure in Article 17. The rule grew out of a 2014 ruling by the Court of Justice of the European Union against Google (the Google Spain case), which requires the company to remove search results that are out of date or irrelevant if the person concerned requests it. The combination of GDPR and the right to be forgotten will have a harmful effect beyond e-commerce and, according to Google’s counter-arguments, will curb online freedom of speech.

Data portability. According to Article 20 of GDPR, a data subject has the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller without hindrance where that is technically feasible. However, the point becomes ambiguous once the following conditions are added: “That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” and “this right shall not adversely affect the rights and freedoms of others.”

Privacy by default and privacy by design. Privacy by default is fairly simple: the strictest privacy settings apply as soon as a customer buys or signs up for software or any other online service, without the customer having to change anything. Privacy by design, which GDPR (Article 25) also requires of data controllers, means that every new service or business process that uses personal data must build the protection of that data in from the start. It sounds simple, but complete erasure of sensitive information is rarely supported by off-the-shelf software products, so we will have to find our own ways to satisfy such requests.

Consent for data processing. GDPR stresses that a company handling personal data must obtain consent for that processing from the data subject. The consent must be freely given, specific, informed and unambiguous; it cannot be implied from silence, inactivity or a pre-ticked box. As we understand the law, we will be responsible for a large part of obtaining such consent from our customers, and we will also have to work out how unambiguous this concept needs to be in practice.

The management of Yathit is undertaking the following steps to address the GDPR-related changes:

Personal data may stay outside the EU

About a year ago, we started implementing an EU proposal that would have compelled companies like ours to store customer information within the EU’s borders. We have been using Google App Engine (standard environment), which at the time was available only in the United States. Implementing this on a different platform is very hard; switching to App Engine (flexible environment) would have been the better option, but then we would have had to manage all the services ourselves and incur higher costs. Keeping the data within the EU would also have been extremely difficult on Google Cloud, because the datastore holds information in multiple regions. In our view this requirement would not have ensured adequate data protection; it was designed for political purposes, to make the data available to courts in the region. Fortunately, it was not included in the final version of GDPR, which permits personal data to be kept outside the EU subject to the transfer rules of Chapter V.

Simplifying data storage

We streamlined the data we keep to a minimum and reduced the number of data stores. We also reduced the number of personally identifiable information (PII) fields. A cron task runs daily and purges telemetry and unnecessary analytics data, which also cuts the time it takes to go over old data. In the next phase, we will purge the personally identifiable data itself and retain only aggregated metrics.

Removing third party services

This has been the most challenging part of complying with GDPR, especially the right to be forgotten and other requests to remove personal information. It is next to impossible to satisfy such requests while third-party services are in use, because the data lives in systems we do not control.

Originally, we used several third-party services for feedback and analytics: UserVoice, Freshdesk (used briefly for documentation), Google Analytics, MixPanel, Amplitude, a self-hosted Countly instance and finally Piwik. These services drop a large number of cookies to track users, and the resulting data is often combined with other third-party network data, which is a questionable practice. Yathit also used free SaaS services, which track users in order to be able to provide the free service. We decided to stop using these services despite the difficulty of removing them and the increased costs.

We adopted Wisecash Knowledge, an open source project based on the Jekyll static site generator, to self-host our documentation site. Our documentation is now much cleaner, matches Yathit’s branding theme and no longer sets third-party cookies. All the hard work of installing and maintaining Wisecash Knowledge paid off.

We also removed UserVoice. It is very good software that allowed us to get started with feedback requests. As we were unable to find a compatible open source project, we went to the trouble of rebuilding the UserVoice UI from scratch on Google App Engine. We kept its most critical features and UX and added some improvements, such as Markdown support, which lets our support team write easily readable content. Just like the Wisecash KB site, the Yathit KB site is open source and accepts external edits.

Security and data encryption

One of Yathit’s most important goals is our clients’ information security. As mentioned earlier, Yathit runs on Google App Engine, which is considered one of the most secure platforms: Google manages our threat monitoring, data security and updates. At this time, backed-up PII data in Google Datastore is not encrypted. We are working towards a full implementation of industry security standards by the end of 2017. Within our organization, only a select few employees have authorized access to this data.

Consent for Data Processing

Asking users for consent to process their data is redundant and next to impossible to implement according to the current GDPR requirements. It also does not look good for a professional service. Consent is only one of the lawful bases listed in Article 6; processing that is necessary to perform the contract with the customer can rest on that basis instead, so the consent question mainly concerns analytics and similar optional functions. We are currently looking for the best way to obtain such consent for data analytics and other relevant functions, and may combine the consent request with the login button. If we do, the analytics consent will need to be a separate, unticked choice rather than a condition of logging in, since Article 7(4) says consent is not freely given when a service is made conditional on consent to processing that the service does not need.

Data Portability and Right to be Forgotten

This aspect of GDPR is self-explanatory and we do not foresee any major issues with its implementation, especially now that the third-party services have been removed. We expect deletion of any sensitive information to be as simple as removing a database item, provided the deletion also reaches the backups and the raw telemetry that still carry the user’s identifier, and the same goes for data transfer. In the long run, we will also provide an API to port the data programmatically.
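The daily purge from “Simplifying data storage” and the export and erasure routines described here, as an added example that is not Yathit’s code: it models the three operations on a small in-memory store and, after erasure, scans every store for leftover references, which is the check that backup and analytics copies make necessary. The store layout, field names, retention window and sample records are assumptions made for illustration.

```python
"""Added example, not Yathit's code: an in-memory model of the three
data-handling steps described in this post, namely the daily cron purge
that rolls raw telemetry into aggregated metrics, a machine-readable
export of everything held about one user, and erasure that is verified
against every store. The store layout, field names and sample records
are assumptions for illustration only."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json

RAW_RETENTION_DAYS = 30  # assumed retention window for raw telemetry
SAMPLE_NOW = datetime(2017, 9, 1, tzinfo=timezone.utc)  # fixed "today" for the demo


@dataclass
class Store:
    """Three stores: profiles (PII), raw telemetry (carries user ids) and
    aggregated metrics keyed by (day, event), which carry no identifier."""
    users: dict = field(default_factory=dict)
    telemetry: list = field(default_factory=list)
    metrics: Counter = field(default_factory=Counter)


def sample_store(now=SAMPLE_NOW):
    """Constructed sample data, not real customer records."""
    s = Store()
    s.users["u1"] = {"email": "alice@example.com", "name": "Alice"}
    s.users["u2"] = {"email": "bob@example.com", "name": "Bob"}
    s.telemetry = [
        {"user_id": "u1", "event": "login", "ts": now - timedelta(days=45)},
        {"user_id": "u1", "event": "login", "ts": now - timedelta(days=2)},
        {"user_id": "u2", "event": "login", "ts": now - timedelta(days=45)},
        {"user_id": "u2", "event": "export", "ts": now - timedelta(days=1)},
    ]
    return s


def purge_telemetry(store, now, retention_days=RAW_RETENTION_DAYS):
    """Daily cron job: count each raw event older than the retention window
    into the per-day metrics, then drop it. Returns the number of events
    purged. Afterwards old activity survives only as counts with no PII."""
    cutoff = now - timedelta(days=retention_days)
    kept, purged = [], 0
    for ev in store.telemetry:
        if ev["ts"] < cutoff:
            store.metrics[(ev["ts"].date().isoformat(), ev["event"])] += 1
            purged += 1
        else:
            kept.append(ev)
    store.telemetry = kept
    return purged


def export_user(store, user_id):
    """Article 20 style export: everything still held about the subject, as
    a plain dict that json.dumps turns into a machine-readable document."""
    if user_id not in store.users:
        raise KeyError(user_id)
    events = [{"ts": ev["ts"].isoformat(), "event": ev["event"]}
              for ev in store.telemetry if ev["user_id"] == user_id]
    return {"profile": dict(store.users[user_id]), "telemetry": events}


def erase_user(store, user_id):
    """Right to erasure: delete the profile and every raw event tied to it.
    Aggregated metrics carry no identifier and are left alone. Returns a
    receipt of what was removed, which is worth logging for the request."""
    profile_removed = store.users.pop(user_id, None) is not None
    before = len(store.telemetry)
    store.telemetry = [ev for ev in store.telemetry if ev["user_id"] != user_id]
    return {"user_id": user_id, "profile_removed": profile_removed,
            "events_removed": before - len(store.telemetry)}


def remaining_references(store, user_id):
    """Post-erasure check: name every store that still mentions the id.
    An empty list is the evidence that the request was fully honoured."""
    refs = []
    if user_id in store.users:
        refs.append("users")
    if any(ev["user_id"] == user_id for ev in store.telemetry):
        refs.append("telemetry")
    if any(user_id in str(key) for key in store.metrics):
        refs.append("metrics")
    return refs


if __name__ == "__main__":
    store = sample_store()
    print("purged", purge_telemetry(store, SAMPLE_NOW), "old events")
    print(json.dumps(export_user(store, "u1"), indent=2, sort_keys=True))
    print(erase_user(store, "u1"))
    print("remaining references:", remaining_references(store, "u1"))
```

Running the file prints the purge count, the JSON export and the erasure receipt. The point of the final scan is that “removing a database item” is only the first store; in production the same erasure would also have to be applied to backups (or the backup retention period documented in the privacy notice), since a restore would otherwise resurrect the profile.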

Conclusion

As you can see, GDPR compliance is difficult and thankless work. It requires a lot of effort and considerable expense on the part of management, especially in a small organization like Yathit. Our company’s compliance is not limited to the items discussed here; other requirements, such as the appointment of a Data Protection Officer, will be handled once the most important areas of data protection are complete. GDPR is difficult to enforce outside the EU, but if users within the EU consciously choose GDPR-compliant services, they will make the Internet safer and their personal information more secure.