Developing software considering GDPR
(3 minute read)
In May 2018 the new legislation on the protection of sensitive personal information comes into force. To prepare, organisations have to perform deep analyses of their internal processes and set up those processes, mindsets and software applications for the new rules. Much has been written about the legal and procedural aspects of GDPR, but how does a software development team adapt to it?
I’m currently developing a product that collects some user information, so our clients will have to handle DPIAs, “portability”, the “right to be forgotten” and specific consent. To serve the DPO’s need to manage those GDPR requirements, our product must provide tools and security layers that were not being considered until now. So let’s list the main GDPR requirements that software must serve:
- For every data process, consent must be “freely given, specific, informed and unambiguous.”
- A user must be able to review and withdraw any consent given.
- A mandatory DPIA (Data Protection Impact Assessment).
- Data breaches must be notified to the authorities and to the data subjects, and audits must verify data privacy and security.
- Right to be forgotten.
- Data portability.
- Principle of privacy by design.
So how do we translate this into actual actions and lines of code? One good place to start is plain common sense. If you’re a developer, look at information as if it is your bank codes combined with your most private, eccentric dream. Scary, right? Not so much.
There are some easy steps, using technology already available, that give data the necessary protection: enforcing secure data transmission, encrypting data at several stages of the stack, tightly controlling who can access user data and, of course, one of the most elementary aspects of user control, enforcing strong passwords and/or two-factor authentication. All of this can be done with little effort.
It’s essentially a new mindset in using modern frameworks and processes. Even at the requirements stage this mindset must be enforced, so that simple things like data replication to mobile devices or the browser cache are taken into account and protected in both a technological and a business context.
The second layer we have to cater for is consent, portability and the right to be forgotten. To accomplish this we need to provide interfaces for users to manage consent, and we need to track where data is and who accesses it. This layer also has to allow for the customer already having other solutions for some of these aspects, so interfaces should be provided that let the whole application ecosystem follow the process the client’s DPO has defined.
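As an added example (not the product’s own code), the following store ties the three requirements of this layer together: consent is recorded per purpose and can be withdrawn, every read of personal data is checked against consent and written to an append-only audit log, a subject can export everything held about them in a structured form (portability), and erasure removes the profile and consents while the audit log keeps a record that the erasure happened. The class and method names, the `purpose` strings and the sample profile are assumptions constructed for this example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional
import json


@dataclass
class ConsentRecord:
    purpose: str               # one specific purpose per record, e.g. "newsletter"
    granted_at: str
    withdrawn_at: Optional[str] = None


class UserDataStore:
    """Hypothetical in-memory store showing consent, access audit, export and erasure."""

    def __init__(self) -> None:
        self._profiles: Dict[str, dict] = {}             # user_id -> personal data fields
        self._consents: Dict[str, List[ConsentRecord]] = {}
        self._audit: List[dict] = []                     # append-only, never edited

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def _log(self, actor: str, action: str, user_id: str, detail: str = "") -> None:
        self._audit.append({"ts": self._now(), "actor": actor,
                            "action": action, "subject": user_id, "detail": detail})

    def create_profile(self, user_id: str, data: dict, actor: str) -> None:
        self._profiles[user_id] = dict(data)
        self._consents.setdefault(user_id, [])
        self._log(actor, "create", user_id)

    def grant_consent(self, user_id: str, purpose: str) -> None:
        # A new record per grant keeps the history a DPO needs to review.
        self._consents.setdefault(user_id, []).append(ConsentRecord(purpose, self._now()))
        self._log(user_id, "consent_granted", user_id, purpose)

    def withdraw_consent(self, user_id: str, purpose: str) -> None:
        for rec in self._consents.get(user_id, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = self._now()
        self._log(user_id, "consent_withdrawn", user_id, purpose)

    def has_consent(self, user_id: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._consents.get(user_id, []))

    def read(self, user_id: str, purpose: str, actor: str) -> dict:
        """Access is only allowed for a purpose with active consent; every attempt is logged."""
        if not self.has_consent(user_id, purpose):
            self._log(actor, "read_denied", user_id, purpose)
            raise PermissionError("no active consent for purpose %r" % purpose)
        self._log(actor, "read", user_id, purpose)
        return dict(self._profiles[user_id])

    def export(self, user_id: str) -> dict:
        """Portability: everything held about the subject, in a structured form."""
        if user_id not in self._profiles:
            raise KeyError(user_id)
        return {"profile": dict(self._profiles[user_id]),
                "consents": [asdict(c) for c in self._consents.get(user_id, [])],
                "access_log": self.audit_trail(user_id)}

    def export_json(self, user_id: str) -> str:
        return json.dumps(self.export(user_id), indent=2)

    def erase(self, user_id: str, actor: str) -> None:
        """Right to be forgotten: personal data and consents go; the audit
        entry proving the erasure stays."""
        self._profiles.pop(user_id, None)
        self._consents.pop(user_id, None)
        self._log(actor, "erase", user_id)

    def audit_trail(self, user_id: str) -> List[dict]:
        return [dict(e) for e in self._audit if e["subject"] == user_id]


if __name__ == "__main__":
    store = UserDataStore()
    store.create_profile("u1", {"email": "alice@example.test"}, actor="signup")  # constructed
    store.grant_consent("u1", "newsletter")
    print(store.read("u1", "newsletter", actor="mailer"))
    store.withdraw_consent("u1", "newsletter")
    print(store.export_json("u1"))
    store.erase("u1", actor="u1")
    print(store.audit_trail("u1"))
```

In a real system the profile and consent tables would live in the database and the audit log in write-once storage, but the shape is the same: consent is checked at the point of access, not assumed, and export and erasure are first-class operations rather than ad-hoc scripts.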