To most people, the GDPR is nothing but a bunch of annoying emails from companies asking for consent to keep in touch. But if you’re thinking about creating new software solutions in 2018 and beyond, the GDPR is something you can’t afford to ignore unless you have an extra €20 million, which is what the European Union is ready to charge for more serious GDPR violations.
In fact, individuals responsible for particularly serious neglect of the protection of personal data and data subject rights may even face jail time.
In this article, we take a closer look at what the GDPR is, and we explain several essential secure software development practices that all software developers should learn and respect to create software that’s GDPR-compliant and future-safe.
What is GDPR?
The GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It aims to unify the EU’s common data protection practices and bring more control and higher standards, affecting how companies gather, store, and use data related to EU residents.
The regulation replaced the EU’s 1995 Data Protection Directive 95/46/EC, which regulated the processing of personal data and the free movement of such data within the European Union. The GDPR became enforceable on May 25, 2018, and it doesn’t require local governments to pass any enabling legislation.
The main objective of the GDPR is to expand the principles from the EU’s 1995 Data Protection Directive 95/46/EC to reflect the massive technological changes that have transformed the world since 1995, the time of the Motorola Pager and the Zip Drive.
In a nutshell, the GDPR requires companies to safeguard their users’ data and protect their privacy rights. Companies that handle personal data of European users must build their systems and processes with data protection by design and by default.
In practice, this means pseudonymization or full anonymization, encryption, informed consent, and other privacy- and security-promoting practices. The GDPR additionally gives EU citizens the right to request a portable copy of their data, the right to have their data erased, and the right to revoke their consent.
Any company, regardless of its geographical location, that processes data pertaining to EU citizens and fails to comply with the GDPR can receive a fine of up to €20 million or up to 4 percent of its annual worldwide turnover of the preceding financial year.
When a company decides to outsource some of its functions, it still remains responsible for the personal data transferred to the outsourcing vendor. The only way for a company to avoid GDPR liability is to ensure that it cannot access any personally identifiable data under any circumstances, which is often impossible in practice.
Creating GDPR-compliant software
Regardless of whether you decide to hire an offshore, onshore, or nearshore software development company (read this article to learn more about the difference between them) or rely entirely on your own staff, there are certain essential secure software development practices you need to know about.
Because the GDPR has been enforceable only for a short while, not many people realize what it entails and how it relates to software development. Keep in mind that just because an IT outsourcing company has European clients doesn’t mean the company understands the impact of the GDPR and is able to develop GDPR-compliant software solutions.
We have written a detailed article that talks about everything you should know before hiring a software development company, and you should study it carefully to find out what else, besides an understanding of the GDPR, a software development company should have in 2018 and beyond.
Apart from your partners, your employees should understand the implications of the GDPR as well. If you don’t have the resources necessary to raise proper GDPR awareness, consider hiring a company that provides GDPR employee training services.
Article 13 of the GDPR covers the information that companies collecting data from EU citizens must be able to provide. It mentions things such as the identity and the contact details of the controller, the contact details of the data protection officer, and the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing.
In other words, the GDPR places a huge emphasis on documentation and transparency. Companies must be able to clearly describe what data they are collecting, for what purpose, for how long, and who can access them, among other things.
Of course, it’s much easier to cope with this requirement when it isn’t implemented as a mere afterthought. Instead, documentation should be part of every software development effort from the very beginning for a number of different reasons, besides the ability to demonstrate GDPR compliance.
Allow users to manage their own data
Article 15 of the GDPR states that EU citizens have the right to receive a copy of their personal data in a commonly used format, have their data erased without undue delay, and transfer their data to another provider, among many other things.
While the GDPR doesn’t require companies that collect data from EU citizens to provide their users with automated, real-time tools for data management, it’s in every company’s best interest to do so. Without automated data management capabilities, each data-related request would have to be followed by a lengthy identity verification process to prevent data breaches.
Needless to say, the self-service systems for GDPR-compliant data management shouldn’t be an afterthought but a basic requirement right from the very beginning of every software development effort. A well-designed data management system is guaranteed to reduce costs and lead to greater user satisfaction, making it a worthy investment.
The GDPR is meant to alter software development practices and force software development companies to take steps toward better application design and greater security.
It will inevitably lead to some software development companies leaving the market due to their inability to adapt, but, at the end of the day, it should reduce the number of data breaches and force companies to disclose them sooner, thus protecting the interest of end users.
It has also created a tremendous opportunity for software development companies to differentiate themselves by implementing secure software development practices such as those outlined in this article.