
How Does the GDPR Affect Developers' Work?

07 May 2018 | Weronika Masternak | development big data martech

From every corner we are being bombarded with messages about the requirement of compliance with the GDPR, which has been in force since May 25, 2018, and about the need to design and implement the measures guaranteeing safety.

In this article you can read about:

  • the GDPR as a modernisation of the law;
  • the assessment of data control;
  • the data flow control;
  • user consent in the digital world;
  • handing control to users;
  • ensuring the right to be forgotten.

However, because the GDPR is not a set of ready-made solutions, many companies work out their own. In order to avoid the time-consuming procedure of software verification and its costly customisation, developers are expected to create software in a manner that takes security into account. Is it possible without any legal training and experience in such projects?

The GDPR indicates the direction of works

The General Data Protection Regulation (GDPR) is primarily a modernisation of the Data Protection Directive of 1995, and its adaptation to the current social and technological situation. It imposes on the organisation an obligation to protect and properly process clients' data, which involves the preparation of adequate legal and technical measures, and adaptation of the company's operating conditions (through, e.g. employee training, development of security strategies or conducting regular audits). Wording of the Regulation – the range of which is global and concerns many industries – does not provide any examples of good practices; the document introduces an open data protection model and gives the organisations free rein in choosing the form of ensuring security.

In the 21st century, people describe themselves and their lives in online space. They use various types of applications and platforms, thanks to which they can pursue their hobbies, make purchases, work, or share their remarks with others. All digital traces and information left within the network can be intercepted and used by unauthorised persons. As a result, the GDPR was created, introducing the obligation to supervise and control the data provided by users.

Protection Impact Assessment

Software developers very often create projects in which huge amounts of data are processed. Therefore, the GDPR requires, among other things, a series of activities and documents related to the Protection Impact Assessment (PIA). PIA is the foundation of every sustainable data protection strategy and – in a nutshell – involves designing the processes that ensure the security of the collected information. On the basis of the processes carried out within the scope of the PIA, a document (report) is created, made available to all project members, and subject to dynamic changes during the project development. As part of the report, you can estimate the risk to privacy and to the protection of personal data, as well as support the collecting, using and disclosing of information, identifying threats to privacy, anticipating problems, and obtaining recommendations on data security. The report created as part of the PIA processes is a manifestation of compliance with the Regulation, and a guarantee of a high level of protection.

Supervision over the data flow

The first area worth focusing on is the data flow within the solution being developed. Developers should control what user data is being collected, where it is stored, how it is used and who – and to what extent – has access to it. It is recommended to create mechanisms that track the flow of information inside and outside the organisation. The data movement path created on this basis, together with reporting of any disturbing movements (e.g. suspicious backups) or changes made (e.g. removal of sensitive data), is evidence of compliance with the new regulations, and of a responsible attitude of the members of the organisation. In addition, it is worth considering the possibility of storing personal data in more than one place (e.g. in separate databases, components). Thanks to the separation of data and the removal of connections between them, it will be more difficult to identify one specific person in the case of a breach.

All data (including personal data) is used by data controllers, who decide about the purposes and means of processing personal data. A data controller can be a person or entity (e.g. a developer or an organisation), and it is the controller who decides what data is collected, how it is used and with whom it is shared. In addition to the controller, there is also the data processor. A data processor is any entity entrusted with data for processing on behalf of the controller for pre-defined purposes. A developer can therefore be a data controller or a data processor, or even both – and thus control the flow of information, providing its protection.

The Regulation also introduces the concept of data minimisation, i.e. collecting only the information that is necessary to achieve specific goals by the organisation. If any data is unnecessary, has never been used or has no business value – it is better to delete it.

Because the explicit consent is most important

The activity of many companies is based on processing and analysing the data left by users. Based on it, a profiling process is carried out to adapt their communication and market offer even better to the target group. Developers will first need to become familiar with the purpose of collecting specific data within the software, in order to be able to create an adequate solution for obtaining consents. The designed mechanism is first of all meant to improve the management of consents (their modifications and withdrawals, among others) and to ensure the flow of such processes as responding to users' queries about the amount of information collected about them and the way it is being used. Developers should think carefully about how this information can be sent, because the regulations require a response to be provided in the form of a list within 30 days of being notified. Control panels, dashboards, account settings or privacy centres can be used for this purpose, among others.

Modern clients desire transparency and fast response time; consumers want to be sure that their data is in the right hands, and that they can trust the organisation. Therefore, the Regulation introduces the possibility of making decisions about your data, and most importantly – stops the practice of using personal data without the knowledge or consent of data subjects.

Give me control

In the light of the GDPR, the data subject has the right to control their personal data. Therefore, the software being created should allow the user to decide about themselves (their account) and their data. Creating an Identity and Access Management (IAM) solution seems to be a good choice here. Thanks to it, the user can delete and update data, and check the expressed consents, privacy settings and the form of security (the password strength and the method of logging in, e.g. using a multi-level authentication). The user's rights should not be restricted.

Forget about me

One of the most important rights arising from the GDPR is ensuring that all information stored by the organisation can be deleted. It is the so-called "right to be forgotten". After the user exercises this right, all personal data, as well as other information enabling their identification, must be removed within 30 days of submitting a relevant application. Developers should create their applications keeping this right in mind, and in the case of applications based on personalisation – enter presumed data in place of the deleted data so that the applications keep functioning properly.

It is worth mentioning the existence of social networks or e-commerce stores that require data transfers, e.g. for the purpose of the registration process or shopping. They can – despite receiving a request for deletion of data – give it a critical status, and keep it in case of a financial audit or an order to demonstrate compliance with other regulations. That is why it is so important that developers are aware of when they can and when they cannot delete data from their databases.
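
The data separation described under "Supervision over the data flow" and the erasure rules in this section can be combined in one small handler. The following is an added example, not code from the original article: the two-store layout, the field names, the `critical` flag and the placeholder record are assumptions made for illustration, and the sample user is constructed.

```python
from datetime import date, timedelta
import secrets

ERASURE_DEADLINE = timedelta(days=30)   # deadline stated in the article
PLACEHOLDER = {"name": "Deleted user", "email": None, "erased": True}

class Stores:
    """Two separate stores linked only by a random pseudonym (assumed layout)."""
    def __init__(self):
        self.identities = {}   # pseudonym -> direct identifiers
        self.orders = []       # activity records, no name or e-mail

    def register(self, name, email):
        pid = secrets.token_hex(8)
        self.identities[pid] = {"name": name, "email": email, "erased": False}
        return pid

    def add_order(self, pid, amount, ship_to, critical=False):
        self.orders.append({"pid": pid, "amount": amount,
                            "ship_to": ship_to, "critical": critical})

    def erase(self, pid, requested_on, today):
        """Handle an erasure request and return a report for the audit trail."""
        retained = scrubbed = 0
        for order in self.orders:
            if order["pid"] != pid:
                continue
            if order["critical"]:
                retained += 1             # kept, e.g. for a financial audit
            else:
                order["ship_to"] = None   # drop the identifying field
                order["pid"] = None       # sever the link to the person
                scrubbed += 1
        # Presumed data keeps personalisation code working after erasure.
        self.identities[pid] = dict(PLACEHOLDER)
        return {"scrubbed": scrubbed, "retained": retained,
                "on_time": today <= requested_on + ERASURE_DEADLINE}

def demo():
    s = Stores()
    pid = s.register("Jan Kowalski", "jan@example.com")   # constructed sample
    s.add_order(pid, 120.0, "ul. Przykladowa 1", critical=True)
    s.add_order(pid, 15.5, "ul. Przykladowa 1")
    return s, pid, s.erase(pid, date(2018, 6, 1), date(2018, 6, 20))
```

The returned report records how many records were kept under critical status, so the reason for retention can be documented alongside the request.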
