Back in April 2016, the European Parliament and Council agreed to update the 1995 data protection directive 95/46/EC with an innovative new data protection law: GDPR. GDPR (General Data Protection Regulation) came into effect on the 25th of May 2018, reshaping the concept of personal data and eliminating physical frontiers on European citizens' personal data.
Some forward thinkers had been adapting their businesses to the key changes since 2016, as GDPR protects European citizens' data worldwide: protection is no longer bound by where the data is stored but by the citizen's residency. Google, Amazon, Facebook and all other companies that managed personal data had to change how the personal data of their users was collected and stored, and what rights the users had over such data. Some prepared early, while others reacted later to the required changes. Nevertheless, in the week of the 25th of May 2018, all users received a lot of communications asking for permission to access their personal data or to continue accessing and processing such data.
What did GDPR bring?
- EU citizen data is under GDPR no matter where it's stored in the universe. This means a US-based company has to ensure compliance for EU citizens, and this can change how, when and why data is collected and used. It also means a lot of user rights have to be observed in the collection, storage, processing and export of their data. Suddenly every web page developed a pop-up asking for consent, apps started explaining why they capture certain personal data, and companies adopted organisational measures, not just technical ones, in order to comply.
- It updated the concept of personal data and defined the following:
  - Personal Data - Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  - Pseudonymized Data - Pseudonymization is a method to substitute identifiable data with a reversible, consistent value. An example would be to use a hash function to hash an email address.
  - Anonymous Data - Anonymization is the destruction of the identifiable data, so there is no possible link between a user and the data.
- This update to the definition of personal data (e.g. genetic data) is a key factor in understanding what is deemed personal data in today's context. It also offers an insight into pseudonymization and draws the line between this concept and anonymous data.
- It defined a set of fines for non-compliance that would actually damage companies enough that they would put a lot of effort and care into not having data privacy breaches. For example, a fine can be up to 20 million Euros or 4% of the global revenue, whichever is higher. Data privacy and security fines had never had such business impact at a revenue level.
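To make the pseudonymization definition above concrete, here is an added example (not MOCA's SDK code and not from the original post) that turns an email address into a consistent pseudonym. It goes one step beyond the plain hash mentioned in the definition by also showing a keyed hash (HMAC-SHA256) with a separately held lookup table; the `PseudonymVault` class, the key handling and the sample address are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def normalize_email(email: str) -> str:
    # Same address, same pseudonym: trim whitespace and ignore case.
    return email.strip().lower()


def unkeyed_pseudonym(email: str) -> str:
    # Plain SHA-256 is consistent, but anyone can recompute it from a guessed address.
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    # HMAC-SHA256 is just as consistent, yet cannot be recomputed without the key.
    return hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


class PseudonymVault:
    """Hypothetical controller-side store, kept apart from the pseudonymized data set."""

    def __init__(self, key: bytes):
        self._key = key
        self._lookup = {}  # pseudonym -> email; this table is what makes it reversible

    def pseudonymize(self, email: str) -> str:
        token = keyed_pseudonym(email, self._key)
        self._lookup[token] = normalize_email(email)
        return token

    def reidentify(self, token: str):
        return self._lookup.get(token)

    def erase(self, email: str) -> bool:
        # Deletion on request: drop the link so the token no longer resolves.
        return self._lookup.pop(keyed_pseudonym(email, self._key), None) is not None


if __name__ == "__main__":
    vault = PseudonymVault(secrets.token_bytes(32))
    token = vault.pseudonymize("Alice@Example.com ")  # constructed sample address
    print("keyed pseudonym:", token)
    print("consistent:", token == vault.pseudonymize("alice@example.com"))
    print("differs from unkeyed hash:", unkeyed_pseudonym("alice@example.com") != token)
    print("re-identified:", vault.reidentify(token))
    print("erased:", vault.erase("alice@example.com"), "->", vault.reidentify(token))
```

Data sets that only carry the keyed pseudonym can still be joined on it, while the key and lookup table stay with whoever is allowed to re-identify or delete a user.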
What does GDPR mean for MOCA customers?
The MOCA SDK, by default, captures device data (OS, language, carrier & session information). The SDK can also capture geolocation and proximity to beacons, but this happens only after the user agrees to share location. Deeper integrations can involve CRM data or extended in-app behavior. All data is owned by our customers, and we require any and all integrations to follow all GDPR requirements: request consent, explain why the data is being gathered or processed, and apply the concept of data minimization. These are contractual obligations, and we also have mechanisms in our SDK that automatically pseudonymize personal data.
MOCA’s backend, on our SaaS version, is hosted in AWS. We are behind one of the most sophisticated and secure networks in the world. The customer data we process is well protected.
At an organizational level, MOCA performs staff training on GDPR: from roles with low (or zero) exposure to personal data to our Data Scientists. For example, the tech staff factor privacy and security into any action they perform, while Marketing adapted to all requirements by adding consent and systems for personal data deletion upon request. Management promotes a culture of “treat any and all personal data with utmost care” while “minimizing the amount of data you’re exposed to the bare minimum necessary”.
GDPR is a welcome update to data privacy and protection, which finally treats personal data with the care and understanding necessary in a data-centric world. Not only did it make obsolete the concept of where the data is stored, but it also made the technical and organizational measures needed to create an environment where EU citizens' personal data is protected equally important.