I’ve seen this a bit too often lately: products that describe themselves as ‘GDPR compliant’, falsely leaving the impression that by using that product, an organisation will be GDPR compliant. In particular, some blockchain products like to label themselves as a ‘GDPR compliant blockchain’, since in the public opinion there are massive problems surrounding blockchain and the GDPR. Welcome to GDPR compliant products debunked.
Whether it’s about a blockchain, a CRM or cloud storage, this is plainly wrong. In the case of blockchain, sure, you may have solved a particular compliance issue, but that doesn’t make your blockchain ‘fully GDPR compliant’.
You will need the right tools to become GDPR compliant, but tools alone will not fix your problems. It’s always about how you use them.
It depends on the data
Your cloud storage provider may be fine for storing an email address and a name, but will hardly ever be able to help you meet the stringent requirements surrounding ‘Special Categories of Personal Data’ (Art. 9, GDPR), such as biometric, medical or genetic data.
Every data processor you add to your list will increase your compliance risk, as you are (under most circumstances) primarily responsible for the protection of the Personal Data you are entrusted with. Moreover, you cannot simply trust that your processors are doing what they claim they are doing; you have the obligation to verify it yourself (even though in practice this is hardly ever done).
What about GDPR tools?
There are tons of tools for GDPR out there, ranging from pimped project management tools that give you a list of tasks to complete in order to ‘become GDPR compliant’, to sophisticated Data Protection Management Systems. All these systems can help you with compliance, but they are not going to achieve it for you. You will still need to drive the process, ensure the right information is in there and the right organisational processes are in place, and essentially build a deep understanding of your data flows and take responsibility for your compliance.
In addition, you will probably be using these tools to store some kind of personal data as well: possibly that of your staff who will be using them, or of the people submitting a subject request, or otherwise. So you are potentially increasing your risk profile with these tools too.
Can you build ‘GDPR compliant’ software?
No, you can’t, but you can ensure that the product you are building can be used in a GDPR compliant way by following these 7 key points:
- Think about privacy right from the beginning: data protection by design is a key principle and is required by the GDPR (Art. 25); not doing this could already lead to fines of the ‘lower’ category.
- Work out the (potential) data flows of your product or service and make sure you understand exactly which Personal Data goes where.
- Ensure that everyone on the team involved in product development knows at least the GDPR essentials and is incentivised to take this seriously.
- Document your efforts towards GDPR compliance so you can prove your commitment to it, as well as your considerations, when questions arise at a later point in time.
- Select with care the vendors that will have access to, or process, the Personal Data that has been entrusted to you. Ensure they are aware of their obligations and take them seriously, always have a Data Processing Agreement in place, and know where (exactly) your data resides.
- If you can, keep Personal Data out of the US and out of the hands of US companies. While companies in the US may be self-certified under the EU-US Privacy Shield, there is a more fundamental conflict between the laws of the two jurisdictions: the EU requires data to be kept secure, while the US requires data to be disclosed to authorities. While this hasn’t been tried in court (yet), it will pose a problem at some point.
- Map out your data processing activities (which is a requirement for certain companies, and we recommend it for everyone) and visualise the personal data flow from the moment you receive or first access it to the moment you delete it. It’s about the full personal data lifecycle. Ideally, use data protection management software like Niobase to map this out (contact us for a discount code if you are interested).
“It’s all about how you process data; the tools you use are just a part of that.”
The GDPR does have a provision for certification mechanisms under Article 40 that could help demonstrate compliance, but to date there are no approved certifications a company can apply for. While the market seems to like the rubber stamp approach, the requirements of such a seal or certificate will likely be a lot higher than just taking the basic steps towards GDPR compliance suggested above. Also, it’s unlikely such certifications will ever apply to a product or service.
A process can be GDPR compliant. A product can’t be ‘GDPR compliant’ by itself, independent of its use or the process it aids.