As the global privacy community celebrates the first anniversary of the European Union’s General Data Protection Regulation (GDPR) coming into effect, a number of people are reviewing and writing about its industry impact in articles such as this one by Daniel Barber and this less optimistic one by James Sanders. The milestone also caused my compliance team and me to reflect on Anonyome’s program of work for GDPR compliance. We quickly realized that we needed to go back earlier, to before GDPR came into effect, to do the retrospective justice.
For our GDPR program of work, the year before GDPR came into effect was more important for Anonyome than the year that followed, because this was when Anonyome Labs realized that:
- The EU shared the same ethos for privacy and data protection as Anonyome;
- Regulations such as GDPR reinforced the need for consumer privacy solutions such as our own MySudo and others; and
- GDPR was a comprehensive regulation which we could use to further improve our own systems and processes.
The first, fundamental decision we made as a company was to apply any GDPR-driven improvements to all of our users, not just those whose data was covered by GDPR. Withdrawing our applications and service from the EU, providing a two-tier data protection regime, or surreptitiously moving data between data centers around the world to avoid regulation was never on the table for Anonyome. This was the right decision ethically, and it also meant less implementation effort overall, since we maintain one set of controls rather than two. We knew that this would also stand Anonyome in good stead as other jurisdictions around the world introduced stronger privacy regulations. Better privacy for all!
Compared to many organizations, we felt that Anonyome’s use of privacy by design principles from when we started in 2014 positioned us well to be ready for GDPR. We already had a few other assets and processes in place and improved each of them in the lead-up to GDPR:
- Formalizing business processes around existing technical tools to support our users’ rights to access, correction and erasure of their personal data;
- Reviewing our existing processes for data breach and security incident response; and
- Achieving EU-US Privacy Shield certification.
In addition to review and iterative improvement of existing assets, we also kicked off new ongoing initiatives:
- Creating and maintaining a data protection dictionary to track the location, use, protection (e.g. encryption at rest) and retention of personal data across systems managed by Anonyome and underpinning service providers;
- Obtaining Data Processing Addenda (DPAs) from our service providers that may handle personal data; and
- Developing a process and formal method for conducting Privacy Impact Assessments (PIA).
Organizationally, the company decided to combine the Data Protection Officer function into my existing Chief Security Officer role, recognizing the interdependence between these roles. While this was in part a necessary choice given the size of our growing company, bringing security and privacy together now may help Anonyome avoid the challenge of merging these roles later.
The First Year
Since GDPR came into effect on May 25, 2018, very little has changed at Anonyome, most likely due to our company’s alignment with the EU on privacy principles and (hopefully) the preparations we undertook in the lead-up to GDPR.
We have experienced a very small increase in right-to-access/correction/erasure requests over the past year. Some of these requests were likely from beyond the jurisdiction of GDPR, but as mentioned earlier, we serve all our users equally in this respect. Most of these requests are actioned within a couple of business days.
Each Privacy Impact Assessment (PIA) we perform improves our process and templates. Due to the nature of our business, we have probably performed more PIAs than GDPR requires, but this was a conscious choice to apply a good practice more widely for the broader benefit.
We continue to review guidance from EU working parties and Data Protection Authorities and use it to improve our processes and systems.
Internally, the general publicity that GDPR received also led some of the Anonyome team to ask about the regulation and what it meant for Anonyome. This allowed another opportunity to put Anonyome’s reason for being into a broader industry context and reinforce why we do things the way we do.
The next couple of years will be significant for consumer privacy regulation and solutions. More governments are looking at introducing stronger privacy regulation; the California Consumer Privacy Act (CCPA) is one prominent example, assuming that the proposed amendments do not significantly water down the Act.
Facebook and its CEO now claim to believe that “the future is private”. I welcome their intent and hope that Facebook makes significant improvements in this area. I will reserve judgement until I see action, especially action that sacrifices short-term revenue to be true to the principle. As Carl Sagan used to say, “Extraordinary claims require extraordinary evidence”.