GDPR compliant products debunked: it’s all about HOW you use it

Thursday September 26th, 2019 by Silvan Jongerius

I’ve seen this a bit too often lately: products that qualify themselves as ‘GDPR compliant’, falsely leaving the impression that by using that product an organisation will be GDPR compliant. In particular, some blockchain products like to label themselves a ‘GDPR compliant blockchain’, since in public opinion there are massive problems surrounding blockchain and GDPR. Welcome to GDPR compliant products debunked.

Whether it’s a blockchain, a CRM or cloud storage, this is plainly wrong. In the case of blockchain, sure, you may have solved one particular compliance issue, but that doesn’t make your blockchain ‘fully GDPR compliant’.

You will need the right tools to become GDPR compliant, but tools alone will not fix your problems. It’s always about how you use them.

It depends on the data

Your cloud storage provider may be fine for storing an email address and a name, but will hardly ever be able to help you meet the stricter requirements that apply to ‘Special Categories of Personal Data’ (Art. 9 GDPR), such as biometric, health or genetic data.

Every data processor you add to your list increases your compliance risk, as you are (in most cases, as the controller) primarily responsible for the protection of the Personal Data entrusted to you. Moreover, you cannot simply trust that your processors are doing what they claim to be doing: you have the obligation to verify it yourself (even though in practice this is hardly ever done).


What about GDPR tools?

There are tons of GDPR tools out there, ranging from dressed-up project management tools that give you a list of tasks to complete to ‘become GDPR compliant’, to sophisticated Data Protection Management Systems. All of these can help you with compliance, but none will achieve it for you. You will still need to drive the process, ensure the right information is in there, put the right organisational processes in place, build a deep understanding of your data flows, and take responsibility for your compliance.

In addition, you will probably be using these tools to store some kind of personal data as well: that of the staff who use the tool, of the people submitting a data subject request, or others. So these tools potentially increase your risk profile too.

Can you build ‘GDPR compliant’ software?

No, you can’t, but you can ensure that the product you are building can be used in a GDPR compliant way by following these seven key points:

  1. Think about privacy right from the beginning: data protection by design and by default is a key principle and a requirement of the GDPR (Art. 25), and failing to do this can already lead to fines in the ‘lower’ category (Art. 83(4)).
  2. Work out the (potential) data flows of your product or service and make sure you understand exactly which Personal Data goes where.
  3. Ensure that everyone involved in product development knows at least the GDPR essentials and is incentivised to take this seriously.
  4. Document your efforts towards GDPR compliance, so you can prove your commitment to it and show the considerations behind your decisions when questions arise at a later point in time.
  5. Select with care the vendors that will have access to, or process, the Personal Data entrusted to you. Ensure they are aware of their obligations and take them seriously, always have a Data Processing Agreement (Art. 28) in place, and know (exactly) where your data resides.
  6. If you can, keep Personal Data out of the US and out of the hands of US companies. While companies in the US may be self-certified under the EU-US Privacy Shield, there is a more fundamental conflict between the laws of the two jurisdictions: the EU requires data to be kept secure and confidential, while US law can require data to be disclosed to US authorities. While this hasn’t been tried in court (yet), it will pose a problem at some point.
  7. Map out your data processing activities (a requirement for certain companies under Art. 30, and recommended for everyone) and visualise the personal data flow from the moment you receive or first access the data to the moment you delete it. It’s about the full personal data lifecycle. Ideally use data protection management software such as Niobase to map this out (contact us for a discount code if you are interested).


“It’s all about how you process data; the tools you use are just a part of that.”

The GDPR does provide for certification mechanisms (Art. 42) that can help demonstrate compliance, but to date there are no approved certifications a company can apply for. While the market seems to like the rubber-stamp approach, the requirements of such a seal or certificate will likely be a lot higher than just taking the basic steps towards GDPR compliance suggested above. Also, it’s unlikely such certifications will ever apply to a product or service on its own: Art. 42 is about demonstrating the compliance of processing operations carried out by controllers and processors.

A process can be GDPR compliant. A product can’t be ‘GDPR compliant’ by itself, independent of its use or the process it supports.


Silvan Jongerius

Managing Partner

Silvan is Managing Partner at TechGDPR, co-chair of the privacy working group at INATBA, a member of the privacy working group of the German Blockchain Association, and represents the Berlin Blockchain Ecosystem as President of BerChain e.V.
