In this article, we'll talk about the EU General Data Protection Regulation (GDPR), a regulation that defines the rules every organization handling the personal data of people in the EU must follow. It applies from May 25, 2018, and requires business organizations to protect the personal data and privacy of EU residents. It should not be ignored, because non-compliance will cost companies a lot. The regulation affects every stage of the software development life cycle. To avoid unnecessary expenses and become a GDPR compliant company, each business owner should understand what personal data is and how it may be collected and stored.
Personal Data and Its Importance
The aim of the GDPR's authors was to formulate rules governing how the personal data of people in the EU is collected and processed, so we must deal with the terms first. Personal data is any information relating to an identified or identifiable person: not only a name, but also user habits, behaviour, interests, geolocation data, and so on. Websites and online applications collect such information routinely, and in case of a data leak an attacker can use it for criminal purposes.
The most obvious identifier is a person's real name. But a user can also be identified from other pieces of information, such as nicknames, location or address, once they are gathered together and analyzed. Data can be encrypted or pseudonymized to hide who the user is, but as long as there is a way (for example, a key or a separate lookup table) of using it to identify a person, it is still personal data. Only if a company that provides online services stores the data it collects in a way that no longer allows anyone to identify the real person behind it, that is, anonymizes it irreversibly, does the data fall outside the definition. The regulation introduces new rules defining how a company must handle the personal data of its users.
What is GDPR
First of all, let's check what's new about GDPR. The regulation recommends pseudonymization: data that directly identifies a user should be kept separately from data about what the user did, so that the two can be tied together only with an extra piece of information (such as a key) that is stored elsewhere. For example, store a user's name and browsing history separately. The reason is that if the activity data leaks, an attacker cannot tie a particular user to their actions. GDPR also defines new rights for data subjects, including the right to request deletion of their personal data. You, as an application owner, will have to satisfy such a request and delete the personal data you hold about that user. It is also necessary to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform the affected users without undue delay when the breach is likely to put them at high risk.
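The separation described above, together with the deletion request mentioned in the same paragraph, as an added example that is not code from the original article: a small Python service keeps directly identifying data and activity data in two stores joined only by a keyed pseudonym, so that a leak of the activity store alone cannot be tied back to a person without the key, and an erasure request is served by removing both records for that pseudonym. The store and function names, the way the HMAC key is handled and the sample user are assumptions made for this example.

```python
"""Pseudonymised storage: identity data and activity data kept apart.

Added example; not part of the original article.  Names, layout and the
sample user below are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets


def make_pseudonym(key: bytes, user_id: str) -> str:
    """Derive a stable pseudonym from a user identifier with HMAC-SHA-256.

    A keyed MAC is used rather than a bare hash: SHA-256(email) could be
    reversed by hashing a list of candidate e-mail addresses, whereas
    reversing an HMAC requires the key, which lives outside both stores.
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


class PseudonymisedService:
    """Toy service that records page views for registered users."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        # Identity store: pseudonym -> directly identifying data.
        self.identities = {}
        # Activity store: pseudonym -> behavioural data (no names, no e-mails).
        self.activity = {}

    def register(self, user_id: str, name: str, email: str) -> str:
        """Store identifying data under the pseudonym and return the pseudonym."""
        pseudonym = make_pseudonym(self._key, user_id)
        self.identities[pseudonym] = {"name": name, "email": email}
        return pseudonym

    def record_visit(self, user_id: str, url: str) -> None:
        """Append a page view to the activity store, keyed by pseudonym only."""
        pseudonym = make_pseudonym(self._key, user_id)
        self.activity.setdefault(pseudonym, []).append(url)

    def export_personal_data(self, user_id: str) -> dict:
        """Subject access request: everything held about one person."""
        pseudonym = make_pseudonym(self._key, user_id)
        return {
            "identity": self.identities.get(pseudonym),
            "activity": list(self.activity.get(pseudonym, [])),
        }

    def erase(self, user_id: str) -> int:
        """Erasure request: drop identity and activity, return records removed."""
        pseudonym = make_pseudonym(self._key, user_id)
        removed = 0
        if self.identities.pop(pseudonym, None) is not None:
            removed += 1
        removed += len(self.activity.pop(pseudonym, []))
        return removed


if __name__ == "__main__":
    # The key would normally come from a secrets manager, never from a store.
    svc = PseudonymisedService(secrets.token_bytes(32))
    # Constructed sample user and activity.
    svc.register("u-1001", "Alice Example", "alice@example.com")
    svc.record_visit("u-1001", "/products/42")
    svc.record_visit("u-1001", "/checkout")
    print("activity store as an attacker would see it:", svc.activity)
    print("access request:", svc.export_personal_data("u-1001"))
    print("records removed on erasure:", svc.erase("u-1001"))
```

Note that the activity store holds only pseudonyms and URLs; the pseudonym can be linked back to a person only by someone who holds both the key and the identity store. In a real deployment the two stores would be separate databases with separate access rights, and the key would be rotated and kept in a secrets manager rather than in application memory.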
To understand how everything will work in practice, let’s consider a few facts regarding GDPR:
- It's one of the most comprehensive laws related to user privacy. GDPR replaces the 1995 EU Data Protection Directive and the national laws that implemented it with a single set of rules. Companies that are not GDPR compliant can be fined up to 20 million euros or 4% of their worldwide annual turnover, whichever is higher.
- If you do business in the EU, you have to make sure that your company is GDPR compliant. GDPR applies to any organization, inside or outside the EU, that offers goods or services to people in the EU or monitors their behaviour. If you own an online app or website that collects data on its visitors, you will most probably be subject to the new regulation.
- Reaching GDPR compliance requires cross-functional collaboration. To follow all GDPR requirements, business owners will have to work out the details of how they collect and store their users' personal data. In most cases this requires collaboration between employees from different departments, such as IT, marketing, legal and finance.
- Potentially, GDPR can significantly improve how personal data is handled. According to Gartner, the average impact of issues related to personal data can reach almost ten million dollars per year for a company. The new regulation will push business owners to review their policies on users' personal data.
- Data minimization can lower infrastructure costs. GDPR limits the personal data an organization may collect to what is necessary for its stated purpose. Less stored data means less to secure, back up and retain, so companies that minimize data can also optimize their infrastructure and cut costs.
- The software vendor review process is crucial. GDPR clearly distinguishes data controllers (organizations that decide why and how personal data is processed) from data processors (organizations that process personal data on a controller's behalf). The controller bears primary responsibility for compliance, so it is barely possible for an organization to rely solely on a software vendor's reassurances of full GDPR compliance. You will have to identify every third party involved in gathering and processing personal data, put a written data processing agreement in place with each of them, and make sure they strictly follow the requirements.
- GDPR requires a high level of transparency and agility. As mentioned earlier, the regulation requires organizations to notify the supervisory authority of a data breach within 72 hours. Besides that, there is the right of data subjects "to be forgotten", which means that any user can ask an organization to delete their personal data. Following these rules requires the organizational agility to respond quickly to user requests.
As you can see, the new regulation is a serious matter. It both increases an organization's responsibility for personal data and offers some potential for improvement. Let's see what actions business owners can take to reach full GDPR compliance.
Measures That Help to Build GDPR Compliant Software
In this chapter, we'll share some advice that will help your company become GDPR compliant and avoid penalties.
- Make privacy by default one of your main principles. A user signing up for your services must be able to trust that the website or application they are about to use ships with the most privacy-friendly settings. This must hold without any action on the user's part.
- Privacy by design: privacy must be a core concept of any software you develop, not an optional feature or plugin. You can't put your users before the dilemma of functionality or privacy. Software that doesn't follow this requirement will be non-compliant once GDPR applies.
- Define what personal data you collect and how you store and process it. To meet this requirement, you can use a separate document or specially designed software. Such a tool can keep records of every operation on users' data, the responsible employees, access levels and other related information.
- Minimize the amount of personal data in use. Use only the minimum amount of users' personal data that your business requires. Where possible, avoid identifying users at all, or pseudonymize them. If you hire a custom software developer, discuss implementing a function that deletes user data once it is no longer needed. These measures both protect your users' private information and limit the damage a data leak can do.
Extra Tips That Will Help to Follow the GDPR Rules
In addition to taking measures that ensure your software is GDPR compliant, you should follow some additional rules that concern your workflow and your relationships with clients:
- Keep records of every measure taken to follow GDPR requirements. This will help you prove that your company is compliant if the need arises. If you spend effort on following the regulation without documenting anything, undocumented actions may in some cases turn out to be a waste of time and resources. You can hire a certified specialist whose duty is to track and document all measures related to reaching full GDPR compliance.
- Remember that you need a lawful basis, such as the user's freely given consent, before collecting and processing personal data. Inform your users about the details of the processing, including any transfer of their data to another country. The description of how everything works must not contain unclear statements or ambiguities.
- As mentioned before, the new regulation increases the penalties organizations face for data leaks, so companies will pay for such incidents with more than their reputation. That's why information security must become one of your company's highest concerns. GDPR names encryption and pseudonymization explicitly as examples of appropriate security measures. Other measures are acceptable as long as they are appropriate to the risk; what matters is that the controller can show that the measures it chose are adequate.
It's easy to understand why business owners in the EU are concerned about GDPR. It may have a significant impact on every company that deals with its users' personal data, and it brings many changes to how you collect and store that data. Therefore, the sooner you decide to make the effort to become a GDPR compliant company, the better. Such measures will both protect you from losses and increase customers' loyalty.
Vitaly Hornik, Chief Operating Officer of the Delivery Department at XB Software, has commented:
Full GDPR compliance is one of the measures that can significantly improve the security of your business. That's why you shouldn't underestimate its importance. If the comprehensiveness of this new set of regulations confuses you, make sure that you work with a reliable Data Protection Officer (DPO). The DPO's primary task is to oversee data protection strategy and implementation to ensure compliance with GDPR requirements.