Table of Contents
It’s been a while that everyone who is somehow connected to software development or maintenance is buzzing about the new GDPR, that is going into effect on May 25, 2018.
You must have heard that it’s a rather strict yet complicated document that everyone panics about.
But what is actually GDPR and how it might affect your business?
The European Union General Data Protection Regulation (GDPR) is a document that regulates data protection and privacy for all European Union citizens. It is also known as DSGVO that stands for Datenschutz Grundverordnung (General Data Protection Regulation in German). ISO 27001, the international information security standard was the most popular document that regulated security before the GDPR was enforced.
It aims to keep all the personal data that is collected by any business, organization or enterprise safe from unauthorized access or use.
What is personal data according to GDPR
What is meant by the term “personal data”? That can be any information that can be used to directly or indirectly identify the real person. For example, name, photos, email, bank details, social media page, IP address or any other information that is usually collected by apps and websites. All this information can be identified as regular personal data.
Beyond regular personal data, there is also sensitive personal data. Surely, it requires stricter protection and the consequences are greater. Sensitive personal data according to GDPR includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Sex life or sexual orientation
- Past or spent criminal convictions
- Genetic data
- Biometric data (such as facial recognition or fingerprint logins)
- Location data
- Pseudonymized data
- Online identifiers
Personal data also includes such thing as IP addresses, cookies, user accounts, etc. so developers have to make sure all the data is collected and stored appropriately.
How to demonstrate your GDPR compliance
Being able to demonstrate the compliance of your business is a must. That can be special certificates or system documentation. Therefore, you should know how to prepare the proper documentation to provide it when needed.
The basic information that must be included:
- What kind of data you collect
- What is the purpose of it
- How long you store this data
- How you process this data (including all parties that process it)
It’s also recommended to have a general policy document explaining what data are you collecting, what are rules, etc. That will allow users to understand what you know about them and what they get in return. If you use cookies on your website, you need to explain why do you need them. Generally, users have a right to understand what information about them is collected by your business. In other words, you can continue using your existing documentation but expand it with privacy information required by GDPR.
Additionally, you can be not the only party collecting users data on your website or app. And these third parties can be a reason for serious problems. The latest example is Cambridge Analitis who collected the data from Facebook users and then used inappropriately. So, to avoid such situations businesses need to specify all the third parties that somehow get access or process your user’s data.
How to understand whether you are the data processor or not
GDPR addresses all the data processors but many companies are not sure if they can be named data processors or not. For example, we are a software company, and we are building a website or an app for our clients. This website or app collects users personal data. And here comes the question: do we intend to be a data processor?
The answer depends on technical conditions. If our client stores the information on our servers or our employees have access to this data, we are data processors. Hence, we bear equal responsibility.
By default, software development companies don’t want to be data processors, since that makes them liable to any sanctions in case of any breaches. But how to avoid this “ burden”? The first thing you need to consider is that you don’t have access to any personal data of your client’s clients. And don’t forget to note this clause in your contract. Though avoiding such data might be difficult, it’s better to strive once, that pay fines later. The typical “weak” places where you can run into are testing environment, log files or any emergency patches. Pay extra attention to these cases to keep calm later.
Since software development rarely requires actual access to PII data (Personally identifiable information), avoiding any accidental exposure seems the only possible way of keeping your development company safe from sanctions.
Conclusion
Though implementing GPDP/DSGVO/ISO 27001 is rather stressful for most companies, we believe that it will bring more positive control and security to end-users. The main concern of any business working online is to tell users what data is collected, why, and how it will be used. Moreover, any user not has a right to ask for all the information about him that a company possesses and can demand the total deleting of this data.
The main idea is to work transparently so that users will trust your company and let you use their data for multiple needs including marketing or improving users experience.
