From every corner we are being bombarded with messages about the requirement of compliance with the GDPR, which has been in force since May 25, 2018, and about the need to design and implement the measures guaranteeing safety.
In this article you can read about:
- the GDPR as a modernisation of the law;
- the assessment of data control;
- the data flow control;
- user consent in the digital world;
- handing control to users;
- ensuring the right to be forgotten.
However, because the GDPR is not a set of ready-made solutions, many companies work these out on their own. To avoid the time-consuming procedure of software verification and its costly customisation, developers are expected to build security into the software from the start. Is that possible without any legal training or experience in such projects?
The GDPR indicates the direction of works
The General Data Protection Regulation (GDPR) is primarily a modernisation of the Data Protection Directive of 1995 and its adaptation to the current social and technological situation. It imposes on the organisation an obligation to protect and properly process clients' data, which involves preparing adequate legal and technical measures and adapting the company's operating conditions (through, e.g. employee training, development of security strategies or regular audits). The wording of the Regulation – whose reach is global and covers many industries – does not provide any examples of good practice; the document introduces an open data protection model and gives organisations free rein in choosing how to ensure security.
In the 21st century, people describe themselves and their lives in online space. They use various types of applications and platforms, thanks to which they can pursue their hobbies, make purchases, work, or share their remarks with others. All digital traces and information left within the network can be intercepted and used by unauthorised persons. As a result, the GDPR was created, introducing the obligation to supervise and control the data provided by users.
Protection Impact Assessment
Software developers very often work on projects in which huge amounts of data are processed. Therefore, the GDPR requires, among other things, a series of activities and documents related to the Protection Impact Assessment (PIA). The PIA is the foundation of every sustainable data protection strategy and – in a nutshell – involves designing the processes that ensure the security of the collected information. On the basis of the processes carried out within the scope of the PIA, a document (report) is created, made available to all project members, and kept up to date as the project develops. In the report you estimate the risk to privacy and to the protection of personal data, and you document the collection, use and disclosure of information, identify threats to privacy, anticipate problems, and record recommendations on data security. The report created as part of the PIA processes demonstrates the organisation's compliance with the Regulation and underpins a high level of protection.
Supervision over the data flow
The first area worth focusing on is the data flow within the solution being developed. Developers should control what user data is collected, where it is stored, how it is used, and who – and to what extent – has access to it. It is recommended to create mechanisms that track the flow of information inside and outside the organisation. The data movement path built on this basis, together with reporting of any suspicious movements (e.g. unexpected backups) or changes (e.g. removal of sensitive data), is evidence of compliance with the new regulations and of a responsible attitude on the part of the organisation's members. In addition, it is worth considering storing personal data in more than one place (e.g. in separate databases or components). Thanks to the separation of data and the removal of links between the parts, it is harder to identify one specific person in the event of a breach of a single store.
All data (including personal data) is used by data controllers, who decide on the purposes and means of processing personal data. A data controller can be a person or an entity (e.g. a developer or an organisation), and it is the controller who decides what data is collected, how it is used and with whom it is shared. In addition to the controller, there is also the data processor. A data processor is any entity entrusted with data for processing on behalf of the controller for pre-defined purposes. A developer can therefore be a data controller or a data processor, or even both – and thus controls the flow of information and must provide for its protection.
The Regulation also introduces the concept of data minimisation, i.e. collecting only the information that is necessary for the organisation to achieve specific goals. If any data is unnecessary, has never been used or has no business value, it is better to delete it.
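The two ideas above, keeping identifiers and usage data in separate stores linked only by a random pseudonym, and refusing to collect fields that no purpose justifies, can be made concrete in code. The following is an added example written for this article, not code from the article or from any particular product; the class names, the purposes in the allow-list and the sample records are all constructed.

```python
# Added example (not from the article): direct identifiers live in one store,
# usage events in another, linked only by a random pseudonym; a per-purpose
# field allow-list enforces data minimisation at write time.
# Class names, purposes and sample records are constructed for this example.
import secrets

# Fields the organisation has justified collecting for each purpose.
# Constructed allow-list; in practice it comes from the PIA / processing record.
ALLOWED_FIELDS = {
    "account": {"email", "display_name"},
    "analytics": {"page", "duration_s"},
}


def minimise(record, purpose):
    """Reject any field that is not justified for the given purpose."""
    extra = set(record) - ALLOWED_FIELDS[purpose]
    if extra:
        raise ValueError(f"fields not justified for '{purpose}': {sorted(extra)}")
    return dict(record)


class IdentityStore:
    """Holds direct identifiers only, keyed by an unguessable pseudonym."""

    def __init__(self):
        self._by_pseudonym = {}

    def create(self, record):
        pseudonym = secrets.token_hex(16)  # 128-bit random link key, 32 hex chars
        self._by_pseudonym[pseudonym] = minimise(record, "account")
        return pseudonym

    def lookup(self, pseudonym):
        return self._by_pseudonym.get(pseudonym)

    def delete(self, pseudonym):
        # Removing the identity row breaks the only link to the usage data,
        # so the remaining events can no longer be tied back to a person.
        self._by_pseudonym.pop(pseudonym, None)


class AnalyticsStore:
    """Holds usage events tagged with the pseudonym, never with identifiers."""

    def __init__(self):
        self._events = []

    def record(self, pseudonym, event):
        self._events.append({"pseudonym": pseudonym, **minimise(event, "analytics")})

    def dump(self):
        return list(self._events)


def identifiers_in(events):
    """Account-level identifier fields present in an event dump.
    Empty if the separation is working as intended."""
    return sorted({k for e in events for k in e} & ALLOWED_FIELDS["account"])


def demo():
    ids, analytics = IdentityStore(), AnalyticsStore()
    # Constructed sample user and events.
    p = ids.create({"email": "alice@example.com", "display_name": "Alice"})
    analytics.record(p, {"page": "/pricing", "duration_s": 42})
    analytics.record(p, {"page": "/docs", "duration_s": 7})
    leaked = identifiers_in(analytics.dump())
    ids.delete(p)  # after erasure the events are orphaned, not personal data
    return {"pseudonym_len": len(p), "leaked": leaked,
            "events_left": len(analytics.dump()), "identity_left": ids.lookup(p)}


if __name__ == "__main__":
    print(demo())
```

The pseudonym is generated with `secrets`, not derived from the e-mail or a sequential id, so a copy of the analytics store alone cannot be joined back to people. The `minimise` check is the point where an unjustified field (a phone number nobody asked for, say) is rejected before it is ever persisted.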
Because the explicit consent is most important
The activity of many companies is based on processing and analysing the data left by users. On that basis a profiling process is carried out to adapt their communication and market offer even better to the target group. Developers first need to understand the purpose of collecting specific data within the software in order to build an adequate solution for obtaining consents. The designed mechanism is, first of all, meant to improve the management of consents (their modification and withdrawal, among other things) and to support processes such as responding to users' queries about how much information has been collected about them and how it is being used. Developers should think carefully about how this information can be delivered, because the regulations require a response, in the form of a list, within 30 days of being notified. Control panels, dashboards, account settings or privacy centres, among others, can be used for this purpose.
Modern clients expect transparency and fast response times; consumers want to be sure that their data is in the right hands and that they can trust the organisation. Therefore, the Regulation gives data subjects the ability to make decisions about their data and, most importantly, stops the practice of using personal data without the knowledge or consent of the data subjects.
Give me control
In the light of the GDPR, the data subject has the right to control their personal data. Therefore, the software being created should allow users to decide about themselves (their account) and their data. Building an Identity and Access Management (IAM) system seems a good solution here. Through it, the user can delete and update data; review the consents they have given, their privacy settings and the form of security (password strength and the login method, e.g. multi-factor authentication). The user's rights should not be restricted.
Forget about me
One of the most important rights arising from the GDPR is ensuring that all information stored by the organisation can be deleted. This is the so-called "right to be forgotten". Once the user exercises this right, all personal data, as well as any other information enabling their identification, must be removed within 30 days of the request being submitted. Developers should create their applications with this right in mind and, in the case of applications based on personalisation, substitute default (placeholder) data so that the application keeps functioning properly after the real data is gone.
It is worth mentioning social networks or e-commerce stores that require data transfers, e.g. for the purpose of the registration process or shopping. They can – despite receiving a request for deletion of data – give it a critical status and keep it in case of a financial audit or an order to demonstrate compliance with other regulations. That is why it is so important that developers know when they can and when they cannot delete data from their databases.
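The consent handling, the subject-access response and the erasure-with-retention rule described in the last three sections fit together in one small service. What follows is an added example written for this article, not code from the article or from any existing IAM product; the class names, the purposes, the "financial_audit" hold reason and the fields it is assumed to justify keeping, and the sample customer records are all constructed. The 30-day deadline is the one the article cites.

```python
# Added example (not from the article): a consent ledger with withdrawal, a
# subject-access response listing what is held, and an erasure request that
# honours retention holds while still computing the 30-day deadline.
# Class names, purposes, hold reasons and sample records are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

RESPONSE_DEADLINE_DAYS = 30  # deadline stated in the article

# Which fields a given retention reason justifies keeping. Constructed mapping;
# in practice it comes from legal review and is documented in the PIA.
RETAINED_FOR_HOLD = {
    "financial_audit": {"invoice_address", "order_history"},
}


@dataclass
class Consent:
    purpose: str
    given_on: date
    withdrawn_on: Optional[date] = None

    def active_on(self, day):
        return self.given_on <= day and (self.withdrawn_on is None or day < self.withdrawn_on)


@dataclass
class Subject:
    profile: dict
    consents: list = field(default_factory=list)
    holds: set = field(default_factory=set)
    status: str = "active"  # active | retained | erased


class DataSubjectService:
    def __init__(self):
        self._subjects = {}

    def register(self, subject_id, profile):
        self._subjects[subject_id] = Subject(profile=dict(profile))

    def give_consent(self, subject_id, purpose, on):
        self._subjects[subject_id].consents.append(Consent(purpose, on))

    def withdraw_consent(self, subject_id, purpose, on):
        for c in self._subjects[subject_id].consents:
            if c.purpose == purpose and c.withdrawn_on is None:
                c.withdrawn_on = on

    def active_purposes(self, subject_id, on):
        return sorted({c.purpose for c in self._subjects[subject_id].consents if c.active_on(on)})

    def place_hold(self, subject_id, reason):
        # "Critical status": a documented reason to keep some data despite erasure.
        self._subjects[subject_id].holds.add(reason)

    def access_request(self, subject_id, received_on):
        """Answer 'what do you hold about me?' as a list, with the due date."""
        s = self._subjects[subject_id]
        return {
            "fields_held": sorted(s.profile),
            "active_purposes": self.active_purposes(subject_id, received_on),
            "respond_by": received_on + timedelta(days=RESPONSE_DEADLINE_DAYS),
        }

    def erasure_request(self, subject_id, received_on):
        """Erase everything not covered by a hold; withdraw all consents."""
        s = self._subjects[subject_id]
        keep = set().union(*(RETAINED_FOR_HOLD.get(h, set()) for h in s.holds))
        erased = sorted(k for k in s.profile if k not in keep)
        s.profile = {k: v for k, v in s.profile.items() if k in keep}
        for c in s.consents:
            if c.withdrawn_on is None:
                c.withdrawn_on = received_on
        s.status = "retained" if s.profile else "erased"
        return {
            "erased_fields": erased,
            "retained_fields": sorted(s.profile),
            "retention_reasons": sorted(s.holds),
            "status": s.status,
            "complete_by": received_on + timedelta(days=RESPONSE_DEADLINE_DAYS),
        }


def demo():
    svc = DataSubjectService()
    # Constructed sample shop customers: one under an audit hold, one not.
    svc.register("u1", {"email": "alice@example.com", "invoice_address": "1 Main St",
                        "order_history": ["#1001"], "marketing_prefs": "weekly"})
    svc.give_consent("u1", "marketing", date(2018, 6, 1))
    svc.give_consent("u1", "analytics", date(2018, 6, 1))
    svc.withdraw_consent("u1", "marketing", date(2018, 9, 1))
    svc.place_hold("u1", "financial_audit")
    svc.register("u2", {"email": "bob@example.com"})
    return {
        "sar": svc.access_request("u1", date(2018, 10, 1)),
        "erasure_with_hold": svc.erasure_request("u1", date(2018, 10, 1)),
        "erasure_no_hold": svc.erasure_request("u2", date(2018, 10, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

The erasure response is itself part of the compliance record: it lists what was removed, what was kept and under which reason, so the organisation can show why a request was only partially fulfilled. Consents are withdrawn on erasure regardless of holds, because retaining an invoice address for an audit does not justify continuing to use it for marketing.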