17 June, 2022
Do you understand what the GDPR is? If you are a software developer and your answer to that question is no, then this blog post is exactly what you need to prevent the possible fines that come with violating this set of laws. GDPR compliance in software development is very important nowadays, especially if you are in Europe. So, let us get straight into it!
What is the GDPR?
Firstly, let us understand what the GDPR is. GDPR stands for General Data Protection Regulation. It is the EU’s new data privacy and security law, and it includes hundreds of pages’ worth of new requirements for organizations around the world. It imposes restrictions on any organization, as long as they target or collect data related to people in the EU. The regulation comes with harsh fines for those that violate its privacy and security standards. Moreover, because the regulation is so large and far-reaching yet light on specifics, achieving GDPR compliance is a very challenging task.
In order to understand how to develop software that aims for GDPR compliance, it is first important to understand the most important legal terms defined in the regulation. These include:
- Personal data: Any information that relates to an individual who can be directly or indirectly identified. This can be for example names and email addresses or also ethnicity, gender, biometric data, etc. Pseudonymous data can also fall under this definition if it’s relatively easy to ID someone based on it.
- Data processing: Any action performed on data, whether automated or manual.
- Data subject: The person whose data is processed.
- Data controller: The person who decides why and how personal data will be processed.
- Data processor: A third party that processes personal data on behalf of a data controller.
Data protection principles
GDPR compliance in software development requires you to consider the data protection principles that you need to follow when processing data. These are:
- Lawfulness, fairness and transparency: Processing must be lawful, fair and transparent to the data subject.
- Purpose limitation: Data processing must be done for the purpose specified explicitly to the data subject when the data was collected.
- Data minimization: You should only collect the strictly necessary data for the purpose specified.
- Accuracy: Personal data must be kept accurate and updated.
- Storage limitation: Personally identifying data should only be stored as long as necessary for the specified purpose.
- Integrity and confidentiality: Processing must be done in a way that ensures security, integrity and confidentiality.
- Accountability: The data controller is responsible for demonstrating GDPR compliance with all these principles.
When it comes to accountability, the main idea is that being GDPR compliant is not enough on its own: the data controller also has to be able to demonstrate that compliance. This can be done in several ways, such as:
- Training your staff and implementing technical and organizational security measures.
- Maintaining detailed documentation of the data you are collecting, how it will be used, where it will be kept, who is responsible for it, etc.
- Having Data Processing Agreement contracts in place with third parties you contract to process data for you.
Handling data securely is essential when developing software that complies with GDPR. To handle data securely, following GDPR, you are required to use “appropriate technical and organizational measures”.
Technical measures mean using technologies that allow one to keep data safe. These include using two-factor authentication and end-to-end encryption. Moreover, organizational measures mean doing things within your organization to make sure to keep data safe, for example, staff training or limiting access to personal data only to those employees that require it.
Finally, in case of a data breach, you have 72 hours to tell the data subjects before you face penalties.
Data protection by design and by default
Data protection by design and by default basically means that, within your organization, you must consider the data protection principles in the design of any new product, service or activity. This is covered in Article 25 of the GDPR. For software developers, it means these principles must be central from the start whenever the software you build is intended to use personal data.
When are you allowed to process data?
Processing data is necessary for several software applications. When you aim for GDPR compliance in software development, you can only process data under certain scenarios:
- Data subject has given you specific and unambiguous consent to process the data.
- Processing of personal data is required to execute or prepare to enter into a contract in which the data subject is a party.
- Data needs to be processed to comply with a legal obligation of yours.
- Processing the data is needed to save somebody’s life.
- Processing the data is required for an activity in the public interest or to carry out an official function.
- You have a legitimate interest to process the data. Note that even though this seems like quite a flexible scenario, the “fundamental rights and freedoms of the data subject” always override your interests.
Now, let us focus on the first of these scenarios, as consent is one of the most common ways in which organizations can access and process personal data. So, what constitutes consent?
Consent from a data subject is tied to several new rules. These are:
- Consent must be “freely given, specific, informed and unambiguous”.
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language”.
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision.
- Children under 13 years of age can only give consent with permission of their parents or legal guardian.
- You need to keep documentation of the consent.
Data protection officers (DPOs)
Being a data controller or processor not only means that you will have to follow the conditions mentioned above, it also means that you may need to appoint a DPO. The three conditions under which this is required are:
- You are a public authority other than a court acting in a judicial capacity.
- Your main activities require you to monitor people systematically and regularly on a large scale (this is the case for companies like Google or Meta).
- Your main activities are large-scale processing of special categories of data which are listed under Article 9 of the GDPR, or data related to criminal convictions and offenses mentioned in Article 10.
Thus, if your company’s activities (including its software development) fall under one of the conditions above, you will need to appoint a DPO.
People’s privacy rights
Taking these rights into consideration when developing your software is essential to aim for GDPR compliance in software development. These rights consist of:
- Right to be informed
- Right of access
- Right of rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
More information on the rights of the data subject can be found here.
In conclusion, the points mentioned above are the principal points of the GDPR. Software developers that wish to comply with the GDPR need to follow these points and principles when developing software. The full regulation encompasses more aspects, but this article focused only on the main areas. Feel free to check the full regulation here.
What software do we build with GDPR in mind?
Codific is a team of security software engineers that leverage privacy by design principles to build secure cloud solutions. We build applications in different verticals such as HR-tech, Ed-Tech and Med-Tech. Secure collaboration and secure sharing are at the core of our solutions.
Videolab is used by top universities, academies and hospitals to put the care in healthcare. Communication skills, empathy and other soft skills are trained by sharing patient interviews recordings for feedback.
SARA is used by top HR-Consultants to deliver team assessments, psychometric tests, 360 degree feedback, cultural analysis and other analytical HR tools.
SAMMY is a Software Assurance Maturity Model management tool. It enables companies to formulate and implement a security assurance program tuned to the risks they are facing. That way, other companies can help us build a simple and safe digital future. Obviously, our own AppSec program and SAMMY itself are built on top of it.
We believe in collaboration and open innovation. We would love to hear about your projects and see how we can contribute to developing secure software and privacy by design architecture. Contact us.