The General Data Protection Regulation (GDPR) is coming into effect within the European Union (EU) on 25 May 2018.
The GDPR is a new comprehensive data privacy law that will expand the rights granted to EU individuals and affect all businesses that handle EU personal data, no matter where a business is located.
As Movio’s Head of Technology, I am responsible for the implementation of GDPR from a technical perspective and am collaborating with my colleagues from our Sales, Marketing and Corporate teams on a company-wide effort to make Movio and our clients ready for the 25 May deadline. By developing our data privacy and security framework, we aim to help our clients comply with their own data privacy compliance obligations under the GDPR.
In this blog post, I will briefly summarise the key provisions in GDPR that apply specifically to the processing of moviegoer data, and will shed some light on how Movio is designing its data privacy and security processing architecture to comply with GDPR.
GDPR in a Nutshell
In May 2018, the General Data Protection Regulation (GDPR) will come into effect across the EU, providing a new legal framework governing the collection and use of personal data. Individuals’ rights and protections will be enhanced under the GDPR, and additional requirements and responsibilities will be placed upon companies to ensure compliance. The GDPR will:
- replace the existing 1995 EU Data Protection Directive;
- require all national data protection laws to meet the new minimum standards;
- regulate how companies protect EU personal data;
- apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations.
Protecting Moviegoer Data
In the remainder of this blog post, I will focus specifically on how the GDPR applies to the processing of moviegoer data, and will highlight some of the steps that Movio is taking in advance of the 25 May deadline.
Being gatekeepers of our users’ privacy
As data processors, Movio is responsible and accountable for protecting the privacy of European data subjects. It is important to remember that all personal data needs to be protected, sensitive or not. Real harm can be done to data subjects if their personal data (even seemingly non-sensitive data such as date of birth) is leaked: loss of privacy, identity theft, fraud, and more. For instance, last name and date of birth are a very common identity check performed by many companies when dealing with customers over the phone; leaking this information can have damaging consequences.
Implementing IT Security and Governance
Both data controllers and data processors typically run large and complex IT systems. Protecting these systems against unauthorised access or malicious use relies on a multitude of security measures, for instance:
- applying security patches to operating systems, libraries, and applications
- using cryptographically strong authentication mechanisms whenever possible
- using strong passwords when password authentication is necessary
- using strict firewall rules, compartmentalising networks as much as possible
- restricting access to data and systems on a need-to-know basis
- recording accurate and persistent logs across all systems
- pseudonymising personal data whenever possible
The above security measures are all necessary to ensure the privacy of user data, but by themselves they are not sufficient. In addition, proper IT security governance needs to be in place. This governance is a system of policies, controls, training initiatives, and internal documentation which ensures that data security is managed in all parts of the business and continuously improved.
Under GDPR, both data controllers and data processors need to ensure that IT security and governance are documented, implemented and periodically reviewed. At Movio, we have taken the arrival of GDPR as an opportunity to review our IT security and governance. Here are a number of initiatives that Movio has conducted in this regard:
- we created a dedicated data security team with full-time staff
- we commissioned a third party to do a comprehensive data security audit
- we kicked off a company-wide initiative to strengthen security measures and internal audit processes
- we restructured our data hosting services to ensure that all EU data is stored within the EU (unless explicitly agreed to otherwise by our customers), including backups and disaster recovery failovers
If you would like to know more about GDPR, how it affects your cinema business, or how we are working to ensure the compliance of Movio and its customers, please contact your Movio account manager.