
I want to automatically collect user statistics. Before I actually implement this in my application, I'm researching which laws I need to comply with when implementing this. My application is open source and is being used world wide. I just started this research, but I'm already finding a lot of laws, up to a point where I'm looking for an easier way than to validate my application against each single one of them. I was looking into the GDPR and it looks like this is the most strict law currently. My assumption is that when I comply with this law, I might not need to validate whether I comply with the other laws. Unfortunately I have no source to back me up.

Therefore my question: when collecting user statistics, what's the most efficient way to validate whether you comply with the international (privacy) laws?

Jelle

1 Answer


GDPR is indeed very much the current "gold standard" of data protection laws, but it's just the latest in a line stemming from EC Convention 108 back in 1981. Just complying with GDPR will get you a long way, but some other (non-EU) jurisdictions might have laws that are specific to them, so you will need to do some research if it's applicable. The text of the GDPR itself is quite readable, but I find this unofficial reformatting of GDPR more useful - better searching, easier navigation, more cross-referencing.

The process of figuring out what you might need to think about and do is also defined under GDPR - it's called a Data Protection Impact Assessment (DPIA) (has much in common with higher-level Privacy Impact Assessments, PIAs), and you might find this tool by the French data protection commissioner (CNIL) useful; it provides a guided path through relevant concerns and helps you find and answer the questions it poses, resulting in a nice report and action list.

You need to be able to answer questions like these:

  • What data are you collecting?
    • Does it include "personal data" in the GDPR sense?
  • Why are you collecting it?
  • What right do you have to the data (i.e. what is your basis for processing?)
  • Where are you keeping it?
  • Who has access to it?
  • Is the data shared with any third parties? If so, on what terms?
  • How long are you going to keep it for?
  • How are data subjects (the people the data is about) informed that you have the data and how can they request to see it, amend it, or request its deletion?
  • What steps are you taking to protect the data (e.g. TLS, encryption at rest, password hashing)?

If all this sounds difficult, then you're getting the point of GDPR - being able to use people's data is a privilege that should not be taken lightly, and if you do it, you're going to need to step up. There is an easy way out - don't collect personal data; data that is not connected to a person is not personal data, and is exempt from GDPR; think weather info, stock prices, etc. Note that "personally identifiable information" (PII) is not a term or concept that exists in GDPR; that's a US invention. A colour is not personal data; a person's favourite colour is.

It may be possible to collect detailed data so long as it is anonymised (any link to a person is removed or rendered useless), though that is surprisingly difficult to do effectively.

Synchro

  • Nice GDPR outline, but I thought Jelle's more interested in extracting some sort of implementable rules from its regulations. Otherwise this would fit better in law.stackexchange.com. – f_puras Oct 04 '19 at 14:37
  • The rules that apply depend heavily on the data collected, and since that info is missing from the question, I could only answer in abstract terms. Slightly more practical (though a little vague) is to follow [privacy by design](https://en.wikipedia.org/wiki/Privacy_by_design) principles, which are incorporated into GDPR, and it's not too hard to look at each use of data in an app and consider which principles apply, or are most important. GDPR, being a law, deliberately steers clear of concrete implementation recommendations. – Synchro Oct 04 '19 at 14:53
  • Some of the things I mentioned are easy to translate into practice - for example if you say "We're going to keep data for 3 months", you need to know when you acquired that data (e.g. a timestamp field), and have a mechanism for deleting it when it's due. – Synchro Oct 04 '19 at 14:55
  • This is indeed not exactly the answer I'm looking for. I believe I understand the main concept of the GDPR, but what I'm interested in is the following sentence you've said: "but some other (non-EU) jurisdictions might have laws that are specific to them, so you will need to do some research if it's applicable". Like f_puras said, that's probably more relevant for law.stackexchange, thanks anyway. – Jelle Oct 07 '19 at 05:54
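One concrete reading of the retention point raised in the comments above ("keep data for 3 months" means a timestamp on acquisition plus a mechanism that deletes it when due), as an added example that is not code from the question or the answer: usage events are stored with an `acquired_at` field and no user identifier, and a purge routine removes anything older than the declared window. The schema, function names, the 90-day reading of "3 months" and the sample events are assumptions constructed for this example.

```python
"""Retention enforcement for collected usage statistics (constructed example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

# The "3 months" retention promise, expressed as a fixed number of days (assumption).
RETENTION = timedelta(days=90)

SCHEMA = """
CREATE TABLE IF NOT EXISTS usage_event (
    id          INTEGER PRIMARY KEY,
    event_name  TEXT NOT NULL,   -- e.g. 'app_started'; no user identifier is stored
    app_version TEXT NOT NULL,
    acquired_at TEXT NOT NULL    -- ISO-8601 UTC; required to enforce retention
);
CREATE INDEX IF NOT EXISTS usage_event_acquired_at ON usage_event(acquired_at);
"""

def open_store() -> sqlite3.Connection:
    """Open an in-memory store so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def record_event(conn: sqlite3.Connection, event_name: str, app_version: str,
                 now: datetime) -> None:
    """Store one event; the acquisition time is recorded alongside the data."""
    conn.execute("INSERT INTO usage_event (event_name, app_version, acquired_at) "
                 "VALUES (?, ?, ?)", (event_name, app_version, now.isoformat()))
    conn.commit()

def purge_expired(conn: sqlite3.Connection, now: datetime,
                  retention: timedelta = RETENTION) -> int:
    """Delete every event acquired before now - retention; returns rows removed.
    ISO-8601 strings in one fixed format compare correctly as text."""
    cutoff = (now - retention).isoformat()
    cur = conn.execute("DELETE FROM usage_event WHERE acquired_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount

def count_events(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM usage_event").fetchone()[0]

def demo() -> tuple:
    """Constructed clock and events: two are past the window, two are not."""
    conn = open_store()
    now = datetime(2019, 10, 7, tzinfo=timezone.utc)
    record_event(conn, "app_started", "1.2.0", now - timedelta(days=120))  # expired
    record_event(conn, "app_started", "1.2.0", now - timedelta(days=91))   # expired
    record_event(conn, "export_used", "1.2.1", now - timedelta(days=89))   # retained
    record_event(conn, "app_started", "1.2.1", now)                        # retained
    removed = purge_expired(conn, now)
    return removed, count_events(conn)  # returns (2, 2)
```

Run the purge from a scheduled job rather than only at startup, so the deadline is honoured even when the application is idle.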