The profession of a software developer is not just about coding. Every developer should take into account the activities that ensure a high level of security in their work, and treat them as an inseparable element of the application development process. Possessing the knowledge regarding the GDPR is a great advantage and makes implementing the project assumptions much easier Thanks to knowing the regulations, a developer is able to take care of the technical aspects of the application that make it possible for the users to, e.g. control the data flow, express consents, gain access to specific resources or exercise new rights (the right to be forgotten, the right to object or the right to transfer data).
In this article you can read about:
- the changes arising from the GDPR;
- the key online identifiers;
- the developer's work standards.
Changes arising from the GDPR
The developers creating a new application should know where to update the code to add a new feature that guarantees a high level of security. In addition, the GDPR broadens the definition of personal data that from May 25 includes:
- genetic data (revealing unique information about the person's physiology or health),
- biometric data (created through a biometric measurement, e.g. fingerprint, retinal scan),
- location data (obtained, e.g. when the location is made available as part of a mobile application),
- other online identifiers.
Key online identifiers
As you can guess, the last type last data – the online identifiers – are important for a developer and include elements such as:
- IP addresses (unique numerical labels assigned to devices connected to a computer network),
- mobile identification numbers (individual numbers associated with smartphones or other portable devices),
- cross-browser ”fingerprints” (information about the user's identity and browser configurations, gained by tracking their web traffic [even if they surf the Internet in private browsing modes] and based on HTTP cookies),
- RFID tags (using the radio waves to remotely identify people and objects),
- telemetric data (data from the user's devices; collecting them contributes to the comfort of using the software),
- cookies (files that are saved and stored on a local computer or other device when visiting a website),
- MAC addresses (unique identifier assigned to a network interface card, given by the manufacturer of the card during the production process),
- user account identifiers and other data generated by the system, enabling the identification of a natural person.
Software developer should build on certain tools, frameworks or libraries, and then create a list of approved standards and methodologies used in coding and testing their applications.
Giving up on dangerous modules by developers is closely related to the Privacy by Design concept, and respect for the privacy of the future user. Being a responsible developer involves determining where and how data is stored, how is it protected and encrypted.
Developers must work according to the Privacy by Default principle, which means that the user who sets up their account for the first time, should immediately use the optimal privacy settings by default. This way, the user is given the opportunity to make an informed choice if they would like to adjust the level of privacy. The default application setting basically menas that it does not track the user's location or share user data with others.
The product that is to be released should first be subject to a security audit with implemented legal and technical recommendations, and to penetration tests. These works, carried out by security testers and auditors, lawyers and security designers, reduce the risk of unauthorised access to the application.
Creating a software that is secure and conforming with the GDPR depends to a large extent on adapting the perspective of both the potential user and the cyber-criminal. It is good to consider all scenarios, to improve the project and thus avoid any unidentified threats.