With data becoming the new currency, it is no wonder that software applications are the top attack vector for attackers. The recent past has seen some major data breaches; the Facebook–Cambridge Analytica data scandal and the Equifax data breach are two examples. With such breaches putting user trust and business interests at stake, it has become imperative for businesses to adopt steadfast development practices.
In today's software economy, innovation happens at a fast pace. One major aspect of delivery that is gravely overlooked in the process is security. To ensure that software applications reach users with clear rules on how their data is handled, the European law for data protection and privacy, the General Data Protection Regulation (GDPR), is implemented from 25 April 2018.
The following sections outline the critical aspects of GDPR and how it is going to affect the software development ecosystem, making it more explicit and secure.
General Data Protection Regulation (GDPR) is a set of data privacy laws that aim to protect EU citizens’ privacy in the increasingly data-driven digital world. In addition to this, the law enforces strict penalties for a breach, to both data controllers and processors.
To understand how GDPR affects a business, first categorize whether it falls into the controller or the processor category. A 'data controller' is a company that collects personal data and decides how to use it. A 'data processor', on the other hand, is the supplier who handles the data on behalf of the controller. For example, a software development company like Daffodil is a data processor, while its customers are data controllers.
Also, GDPR requires that companies notify individuals that their data has been compromised within 72 hours of becoming aware of a data breach, whereas data processors must notify their customers without undue delay.
What software companies need to know:
Before moving on to the crux of GDPR, it is important for developers to understand the definition of 'personal data'. Basically, any piece of data that identifies an individual, or reveals information about an identified individual, is data that GDPR is concerned with. This data may be provided by the user explicitly or collected about the user through third-party sources (such as APIs).
If a software application collects, stores, or manages the data of individuals who live in the European Union, it is imperative to take GDPR into consideration. No matter where in the world the software is engineered, if it processes the personal data of EU citizens, GDPR applies.
When building a software application for the EU market, it is the responsibility of both controllers and processors to make the result GDPR compliant. To ensure this, GDPR gives application users the right to restrict collectors and to stay informed about what happens to their data. Some of the major aspects of the law include:
- The right to restriction of processing (i.e. a business can keep the data, but must mark it as 'restricted' and not use it without further consent from the user)
- The right to data portability (the ability of an individual to export their data in a machine-readable format)
- The right to be informed (using clear and simple messaging to obtain authorization from users)
- The right of access (users should know whether or not their data will be processed and, if so, the purpose, the categories of personal information concerned, the envisaged period for which the data will be stored, etc.)
- The right to erasure, or right to be forgotten (i.e. users can withdraw their personal data by requesting its erasure)
In addition, there are basic principles such as data minimization (collectors should not access more data than necessary) and the maintenance of integrity and confidentiality (security measures that protect data and ensure it is not modified inappropriately). To put it concisely, developers must understand these concepts and identify the business processes that require these privacy and security policies to be implemented.
Here are a few examples outlining different ways developers can move ahead with GDPR compliant development:
1. Depending on the level of sensitivity and risk, a certain level of protection for user data can be set to comply with GDPR. This may range anywhere from data encryption to limiting access to data via access keys or authentication.
2. Typically, applications collect basic information about users, which includes (but is not limited to) name, country of residence, email, etc. However, for apps in the health and fitness domain, the data collected from users differs. How this user data is stored and processed (used in medical research, follow-ups, fitness management and suggestions, etc.) is a concern for those users. Thus, keeping users informed about it is imperative.
3. Using HTTPS for secure communication goes a long way toward ensuring the security of user data. What started as a simple login screen for accessing protected content has turned into a major channel for collecting personal information and performing financial operations. Encrypting data as it passes through the various forms protects it against unauthorized use.
4. Users should have visibility into how the application uses cookies. Informing users that the application uses cookies, obtaining their consent (acceptance or denial), and ensuring that sessions and cookies expire or are destroyed after logout are significant aspects of user privacy.
5. When users request erasure of their personal data, deleting it from your own system is not enough. Ascertain that all third parties to which you have pushed the user's data (say Salesforce, HubSpot, or any cloud service provider) delete it as well.
6. Encrypt data in transit, i.e. the exchange of data between the application and users, databases, APIs, third-party services and microservices should be encrypted.
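To make the rights listed earlier (restriction of processing, data portability, erasure) and points 1 and 5 above concrete, here is an added example that is not part of the original post: a minimal personal-data store that enforces a field allow-list on collection (data minimization), refuses processing for purposes the user has not consented to or once the record is marked restricted, exports the record as machine-readable JSON, and cascades erasure to every registered third-party processor while reporting the ones that did not confirm deletion. The `ThirdPartyProcessor` class, the processor names, the subject IDs and the sample records are all constructed for illustration; a real integration would call the vendor's own deletion API.

```python
import json
from dataclasses import dataclass, field

# Data minimization: the only fields this application is allowed to collect.
ALLOWED_FIELDS = {"name", "country", "email"}


class ProcessingRestricted(Exception):
    """Raised when code tries to use data the subject has restricted."""


class ThirdPartyProcessor:
    """Constructed stand-in for an external processor (CRM, mailer, cloud
    service) that holds copies of subject data. `fail=True` simulates a
    vendor whose deletion endpoint errors out, so the erasure is incomplete."""

    def __init__(self, name, fail=False):
        self.name = name
        self.records = {}
        self.fail = fail

    def push(self, subject_id, data):
        self.records[subject_id] = dict(data)

    def delete(self, subject_id):
        if self.fail:
            raise RuntimeError(f"{self.name}: deletion endpoint unavailable")
        self.records.pop(subject_id, None)


@dataclass
class Subject:
    subject_id: str
    data: dict
    purposes: set = field(default_factory=set)  # purposes the user consented to
    restricted: bool = False                    # right to restriction of processing


class PersonalDataStore:
    def __init__(self, processors):
        self.subjects = {}
        self.processors = list(processors)

    def collect(self, subject_id, data, consented_purposes):
        extra = set(data) - ALLOWED_FIELDS
        if extra:  # refuse to store anything beyond what the app needs
            raise ValueError(f"data minimization: refusing fields {sorted(extra)}")
        subject = Subject(subject_id, dict(data), set(consented_purposes))
        self.subjects[subject_id] = subject
        for p in self.processors:  # every copy pushed out must be tracked for erasure
            p.push(subject_id, data)
        return subject

    def restrict(self, subject_id):
        self.subjects[subject_id].restricted = True

    def process(self, subject_id, purpose):
        """Return the data only if it is not restricted and the purpose was consented to."""
        subject = self.subjects[subject_id]
        if subject.restricted:
            raise ProcessingRestricted(subject_id)
        if purpose not in subject.purposes:
            raise PermissionError(f"no consent for purpose {purpose!r}")
        return dict(subject.data)

    def export(self, subject_id):
        """Right to data portability: the full record as machine-readable JSON."""
        s = self.subjects[subject_id]
        return json.dumps({"subject_id": s.subject_id, "data": s.data,
                           "consented_purposes": sorted(s.purposes),
                           "restricted": s.restricted}, sort_keys=True)

    def erase(self, subject_id):
        """Right to erasure: delete locally, then at every processor. Returns the
        names of processors that did not confirm deletion so the request can be
        retried instead of being silently treated as complete."""
        self.subjects.pop(subject_id, None)
        outstanding = []
        for p in self.processors:
            try:
                p.delete(subject_id)
            except RuntimeError:
                outstanding.append(p.name)
        return outstanding


def run_demo():
    """Walk one constructed subject through the lifecycle and return the outcomes."""
    crm = ThirdPartyProcessor("crm-example")
    mailer = ThirdPartyProcessor("mailer-example", fail=True)
    store = PersonalDataStore([crm, mailer])
    out = {}
    try:  # over-collection must be rejected before anything is stored or pushed
        store.collect("u1", {"name": "Ada", "email": "ada@example.test", "ssn": "x"}, {"billing"})
    except ValueError:
        out["overcollection_rejected"] = True
    store.collect("u1", {"name": "Ada", "email": "ada@example.test"}, {"billing"})
    try:
        store.process("u1", "marketing")
    except PermissionError:
        out["no_consent_blocked"] = True
    out["billing_email"] = store.process("u1", "billing")["email"]
    store.restrict("u1")
    try:
        store.process("u1", "billing")
    except ProcessingRestricted:
        out["restricted_blocked"] = True
    out["export"] = json.loads(store.export("u1"))
    out["outstanding"] = store.erase("u1")
    out["local_gone"] = "u1" not in store.subjects
    out["crm_gone"] = "u1" not in crm.records
    out["mailer_still_holds"] = "u1" in mailer.records
    return out


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of `erase()` returning the outstanding processors rather than swallowing the failure is item 5 above: a local delete plus a failed vendor call is not an erasure, and the application needs a record of which copies still exist so the request can be retried and the user told the truth.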
Developing GDPR Compliant Software Applications
Businesses failing to follow data protection and privacy regulations may end up inadvertently helping attackers steal their consumers' sensitive data. Such failures carry a huge fine of €20 million, or 4% of global annual turnover, whichever is higher.