These 7 Steps Will Help Prepare Your Software for GDPR

On the 25th of May, all companies providing goods or services to EU citizens will have to adhere to the new data protection rules or face fines of up to 4% of annual global turnover or roughly $24.5M. We have prepared a list of things you can do to make sure your app is safe from the hammer of the law.

Mar 22, 2018

As the GDPR comes into force it will affect businesses all over the world, including 52% of American firms. Some established companies, like MailChimp and Amplitude, have already released statements claiming to be prepared for the new privacy rules. But Gartner predicts that only half of businesses will succeed. We have prepared a list to help you be among them.

What is GDPR?

The acronym stands for General Data Protection Regulation. It is a legal document setting out the rules for collecting and processing personal information. In contrast to the recommendation-like 1995 Data Protection Directive, GDPR is a binding legislative act that will be enforced.

Who needs to prepare for GDPR?

According to the full text of GDPR, any organization that gathers or processes EU citizens’ personal data is subject to the regulation. Moreover, all your contractors (including software development companies) need to adhere to the standard for your app to be GDPR-compliant. Experts at Gartner think that the authorities will start enforcing the legislation as soon as it comes into effect, so the sooner you are ready, the better.

What you need to know about GDPR

The regulation and its accompanying documents are massive in scope and size (260 pages), but there are things you can do to make your product fit its requirements.

1. Get informed consent

The GDPR states that businesses now have to ask users to agree to the collection and processing of their personal information. The request “must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent”.

According to Sergei Voronkevich, personal data protection expert, your application has to describe what information will be handled, why and where. Silence or doing nothing does not equal consent – the user has to take an action (like ticking a checkbox). A timely notification with a clear description and an option for the user to accept or decline will do the job.

Moreover, if you already have a user base, you may need to have them “repermission” your app, in case the consent they gave earlier falls short of the GDPR standard.
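As an added illustration (not code from the original article or from Belitsoft), here is a small Python consent ledger that applies the points above: it rejects anything that is not an explicit user action, stores one grant per purpose together with the version of the privacy notice the user saw, and reports which existing users have to be asked again after the notice changes. The names `ConsentLedger`, `CURRENT_NOTICE_VERSION`, the method strings and the scenario in `demo()` are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed version number of the privacy notice shown to users; bump it whenever
# the wording or the list of processing purposes changes.
CURRENT_NOTICE_VERSION = 2

# Only these count as the user taking an action. Silence, inactivity and
# pre-ticked boxes are deliberately absent from the set.
AFFIRMATIVE_METHODS = {"checkbox_ticked", "button_clicked", "form_submitted"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str         # one event per purpose, e.g. "newsletter" or "analytics"
    notice_version: int  # the privacy notice the user saw at the time
    granted: bool        # False records a withdrawal
    method: str          # how the user expressed it
    at: datetime


class ConsentLedger:
    """Append-only record of consent grants and withdrawals per user and purpose."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def grant(self, user_id: str, purpose: str, method: str,
              notice_version: int = CURRENT_NOTICE_VERSION,
              at: Optional[datetime] = None) -> ConsentEvent:
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"consent requires an explicit user action, got {method!r}")
        ev = ConsentEvent(user_id, purpose, notice_version, True, method,
                          at or datetime.now(timezone.utc))
        self._events.setdefault(user_id, []).append(ev)
        return ev

    def withdraw(self, user_id: str, purpose: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(user_id, purpose, CURRENT_NOTICE_VERSION, False,
                          "withdrawn", at or datetime.now(timezone.utc))
        self._events.setdefault(user_id, []).append(ev)
        return ev

    def _latest_per_purpose(self, user_id: str) -> Dict[str, ConsentEvent]:
        latest: Dict[str, ConsentEvent] = {}
        for ev in self._events.get(user_id, []):
            latest[ev.purpose] = ev          # later events overwrite earlier ones
        return latest

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """True only if the newest event for the purpose is a grant made under
        the current notice; grants under an older notice must be renewed first."""
        ev = self._latest_per_purpose(user_id).get(purpose)
        return bool(ev and ev.granted and ev.notice_version == CURRENT_NOTICE_VERSION)

    def needs_repermission(self, user_id: str) -> List[str]:
        """Purposes the user agreed to under an older notice and should be asked again."""
        return sorted(p for p, ev in self._latest_per_purpose(user_id).items()
                      if ev.granted and ev.notice_version < CURRENT_NOTICE_VERSION)


def demo() -> dict:
    """Constructed scenario: one user from before the notice changed, one new user."""
    ledger = ConsentLedger()
    ledger.grant("u-legacy", "newsletter", "checkbox_ticked", notice_version=1,
                 at=datetime(2017, 6, 1, tzinfo=timezone.utc))
    ledger.grant("u-new", "newsletter", "checkbox_ticked")
    ledger.grant("u-new", "analytics", "checkbox_ticked")
    ledger.withdraw("u-new", "analytics")
    try:
        ledger.grant("u-new", "profiling", "pre_ticked_box")   # not an action: rejected
        implicit_rejected = False
    except ValueError:
        implicit_rejected = True
    return {
        "legacy_newsletter_ok": ledger.has_consent("u-legacy", "newsletter"),
        "legacy_repermission": ledger.needs_repermission("u-legacy"),
        "new_newsletter_ok": ledger.has_consent("u-new", "newsletter"),
        "new_analytics_ok": ledger.has_consent("u-new", "analytics"),
        "implicit_rejected": implicit_rejected,
    }
```

Every processing path that depends on consent should call `has_consent` rather than reading a stored flag, so that a withdrawal or a notice change takes effect immediately; `needs_repermission` is what drives the "ask existing users again" prompt.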

2. Manage the personal data

Make sure that you are collecting only the information you can’t do without. And, if possible, implement automatic deletion of data you no longer need. This will both protect your users’ privacy (giving you another selling point) and spare you a lot of trouble in case of a data breach: informing the authorities and the owners of affected accounts, as well as paying a huge fine for ignoring the data minimization rules.

“Where there is a reason to process the data, there is no problem. Where the reason ends, the processing should, too.” – Bart Willemsen, research director at Gartner.

Consider using OAuth for logging in. This shifts the burden of handling login credentials to the identity provider.

If you still need to store some personal information, be sure to keep the names and the related information (e.g. account history) in separate databases. This way, if the data about user actions leaks, no one will be able to attribute those actions to a specific person. It is also one of the GDPR requirements.
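The split described in this section, together with the automatic deletion recommended earlier in step 2, can be tried out with the following Python sketch, added here as an illustration rather than taken from the article or from Belitsoft. The identity store keeps names and emails plus a link key; the activity store keeps account history under a keyed hash (HMAC) of the user id, so someone holding only the activity store cannot tie actions to people; and a purge routine drops records older than the retention period. `IdentityStore`, `ActivityStore`, `RETENTION`, the constructed link key and the sample users are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed retention period for behavioural records; choose it per processing purpose.
RETENTION = timedelta(days=90)


class IdentityStore:
    """Names and contact details plus the secret that links a person to a pseudonym.
    Meant to live in its own database with its own access controls."""

    def __init__(self, link_key: bytes) -> None:
        self._link_key = link_key
        self._people: Dict[str, Dict[str, str]] = {}

    def add(self, user_id: str, name: str, email: str) -> None:
        self._people[user_id] = {"name": name, "email": email}

    def pseudonym(self, user_id: str) -> str:
        # Keyed hash: without link_key, nobody holding only the activity store can
        # rebuild the mapping, while the same user always maps to the same token.
        return hmac.new(self._link_key, user_id.encode(), hashlib.sha256).hexdigest()

    def person(self, user_id: str) -> Dict[str, str]:
        return dict(self._people[user_id])


class ActivityStore:
    """Account history keyed only by pseudonym; names and emails never land here."""

    def __init__(self) -> None:
        self._events: Dict[str, List[Tuple[datetime, str]]] = {}

    def record(self, pseudonym: str, action: str, at: datetime) -> None:
        self._events.setdefault(pseudonym, []).append((at, action))

    def events_for(self, pseudonym: str) -> List[Tuple[datetime, str]]:
        return list(self._events.get(pseudonym, []))

    def purge_expired(self, now: datetime) -> int:
        """Automatic deletion: drop every event older than RETENTION, return how many."""
        cutoff = now - RETENTION
        removed = 0
        for pseudonym in list(self._events):
            kept = [e for e in self._events[pseudonym] if e[0] >= cutoff]
            removed += len(self._events[pseudonym]) - len(kept)
            if kept:
                self._events[pseudonym] = kept
            else:
                del self._events[pseudonym]   # leave no empty shells behind
        return removed

    def dump(self) -> str:
        """Serialised contents, used below to check that no direct identifiers leak."""
        return repr(self._events)


def demo() -> dict:
    """Constructed scenario: two users, a mix of fresh and stale events, one purge run."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    identities = IdentityStore(link_key=b"example-only-link-key")   # constructed secret
    activity = ActivityStore()
    identities.add("u1", "Alice Example", "alice@example.com")
    identities.add("u2", "Bob Example", "bob@example.com")
    p1, p2 = identities.pseudonym("u1"), identities.pseudonym("u2")
    activity.record(p1, "login", now - timedelta(days=200))      # stale
    activity.record(p1, "purchase", now - timedelta(days=10))    # fresh
    activity.record(p2, "login", now - timedelta(days=120))      # stale
    purged = activity.purge_expired(now)
    blob = activity.dump()
    return {
        "purged": purged,
        "u1_remaining": [action for _, action in activity.events_for(p1)],
        "u2_remaining": [action for _, action in activity.events_for(p2)],
        "pseudonym_stable": p1 == identities.pseudonym("u1"),
        "pii_in_activity_store": any(s in blob for s in ("Alice", "alice@example.com", "u1")),
    }
```

The link key is the only thing that re-identifies a pseudonym, so it belongs with the identity store (or a key management service), never in the activity database or in application logs; rotating it deliberately unlinks all existing history.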

3. Make sure the information is protected well

GDPR Article 32 requires that personal data be protected by “state-of-the-art” measures. However, the exact nature of those measures is left for companies to decide. As Belitsoft has quite a bit of experience in building HIPAA-compliant medical apps, which have similar technical requirements, there are a few options we can recommend.

It goes without saying that personal data must be encrypted. The Ashley Madison hack showed that the company had stored users’ addresses and credit card details in plain text, leading to multimillion-dollar lawsuits. Had GDPR been in effect back then, the company would also have received a huge fine.

There are three main ways to approach building a GDPR-compliant database.

The first is developing your own custom server with a centralized database. It can provide the necessary level of security and saves you money in the long run, although it requires a certain investment up front. It will also require careful optimization, as encrypting and decrypting information can be resource-intensive.

The second option is using a third-party GDPR-compliant server with a centralized DB. It is a much quicker solution, as the technical issues have already been solved by the provider. It is also cheaper in the short term (the associated development costs are relatively minor) but will cost more in the long run.

The third option is using blockchain technology and building a custom server with a decentralized database. It is secure by design and will be considered a sufficient measure of protection. It is also a cost-effective long-term solution.

Need a team of experts to build your GDPR-compliant application? Contact us and get a free quote on your project!

4. Implement "privacy by design" and "privacy by default"

“Privacy by default” essentially means that if there are privacy settings in your product, they must be set to the maximum at the start. Feel free to include an option to scale the protection down, should someone wish it. But your app cannot make a new user do anything to get the highest level of privacy.

The concept of “privacy by design” is somewhat vague, but boils down to making sure privacy is taken care of at every stage of the product’s lifecycle. Implementing this idea is a much larger undertaking, which may even lead you to rewrite your app from scratch. To start, you need to conduct a Privacy Impact Assessment to determine which functionality you need to implement or modify. Once the results are in, it is a matter of using them to design the application in a way that keeps personal information safe.

“Many of the companies who we're talking to… they're going to want to trade with Europe too, and therefore it's very important that they buy a platform that is going to be compliant with those regulations.” – Paul Clarke (CTO at Ocado) on GDPR

5. Prepare for the users exercising their rights

The new European regulation has given people extra rights that companies must grant. They are:

  • Right to be forgotten – a user can request that all of their stored data be permanently deleted “without undue delay”;
  • Right to object – a user can object to the use of their personal data for certain purposes;
  • Right to rectification – if a user finds some or all of their stored data incorrect or incomplete, they may request that it be rectified;
  • Right to access – users are entitled to know what personal information about them is being processed and how;
  • Right to portability – a user may request that their information be transferred to a different organization.

This calls for an update to your privacy policy, as well as to the public offer of your product. In addition, giving every user a way to request correction, transfer or deletion of their data (even through a simple contact form) will be a must.
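An added Python example (not part of the original article and not Belitsoft’s code) showing one way to wire handlers for the five rights listed above onto a simple in-memory user record: `access` returns what is held and for which purposes it is processed, `export` returns the same data as JSON for portability, `rectify` changes known fields, `object_to` switches a purpose off so that `may_process` refuses it, and `erase` removes the record while keeping a dated receipt that holds no name or contact details. The class `DataSubjectRequests`, the purpose names and the walk-through in `demo()` are assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed processing purposes: "service_delivery" is needed to run the account,
# the other two are the kind of processing a user may object to.
PURPOSES = ("service_delivery", "marketing", "analytics")


class DataSubjectRequests:
    """In-memory user records plus a handler for each right listed above."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self._receipts: List[Dict[str, str]] = []   # audit trail: request kind, id, time only

    def register(self, user_id: str, **profile: str) -> None:
        self._records[user_id] = {"profile": dict(profile), "objections": []}

    def _log(self, kind: str, user_id: str,
             now: Optional[datetime] = None) -> Dict[str, str]:
        receipt = {"request": kind, "user_id": user_id,
                   "handled_at": (now or datetime.now(timezone.utc)).isoformat()}
        self._receipts.append(receipt)
        return receipt

    # Right to access: what is held and for which purposes it is processed.
    def access(self, user_id: str) -> Dict[str, object]:
        rec = self._records[user_id]
        active = [p for p in PURPOSES if p not in rec["objections"]]
        self._log("access", user_id)
        return {"profile": dict(rec["profile"]), "processed_for": active}

    # Right to portability: the same data in a machine-readable form.
    def export(self, user_id: str) -> str:
        rec = self._records[user_id]
        self._log("portability", user_id)
        return json.dumps({"user_id": user_id, "profile": rec["profile"]}, sort_keys=True)

    # Right to rectification: only known fields change, and only to non-empty values.
    def rectify(self, user_id: str, changes: Dict[str, str]) -> Dict[str, str]:
        profile = self._records[user_id]["profile"]
        unknown = set(changes) - set(profile)
        if unknown:
            raise KeyError(f"no such fields: {sorted(unknown)}")
        profile.update({k: v for k, v in changes.items() if v})
        self._log("rectification", user_id)
        return dict(profile)

    # Right to object: stop a purpose; every processing path must consult may_process.
    def object_to(self, user_id: str, purpose: str) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        objections = self._records[user_id]["objections"]
        if purpose not in objections:
            objections.append(purpose)
        self._log("objection", user_id)

    def may_process(self, user_id: str, purpose: str) -> bool:
        rec = self._records.get(user_id)
        return rec is not None and purpose not in rec["objections"]

    # Right to be forgotten: remove the record; only the dated receipt remains.
    def erase(self, user_id: str) -> Dict[str, str]:
        del self._records[user_id]
        return self._log("erasure", user_id)

    def exists(self, user_id: str) -> bool:
        return user_id in self._records

    def receipts(self) -> List[Dict[str, str]]:
        return list(self._receipts)


def demo() -> dict:
    """Constructed walk-through of one user exercising each right in turn."""
    svc = DataSubjectRequests()
    svc.register("u7", name="Carol Example", email="carol@example.com")
    svc.object_to("u7", "marketing")
    marketing_allowed = svc.may_process("u7", "marketing")
    analytics_allowed = svc.may_process("u7", "analytics")
    svc.rectify("u7", {"email": "carol.new@example.com"})
    exported = json.loads(svc.export("u7"))
    summary = svc.access("u7")
    receipt = svc.erase("u7")
    return {
        "marketing_allowed": marketing_allowed,
        "analytics_allowed": analytics_allowed,
        "exported_email": exported["profile"]["email"],
        "processed_for": summary["processed_for"],
        "still_exists": svc.exists("u7"),
        "after_erasure_may_process": svc.may_process("u7", "service_delivery"),
        "receipt_has_no_profile": "profile" not in receipt,
        "request_kinds": [r["request"] for r in svc.receipts()],
    }
```

In a real system the same erase call also has to reach backups, caches, analytics copies and any contractor holding the data (step 2 above and the remark about contractors in "Who needs to prepare for GDPR?"), which is why the receipt log exists: it is the evidence an audit will ask for (step 6).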

6. Document everything

The regulation requires companies not only to implement additional data protection measures but also to document them, so they can prove that they’ve taken the necessary steps. Otherwise, an official audit will find the company non-compliant and – you’ve guessed it – liable for a fine.

That is why it is important to properly prepare security policies, data protection impact assessments, a personal data register and other relevant documents. See the complete list of things to describe on the Information Commissioner’s Office website.

This task of mapping out the information processing and putting it on paper usually falls to the Data Protection Officer (it’s likely you’ll need one). If you don’t have such a specialist on staff, you might also be breaking the law and putting your business at risk.

7. Plan for contingencies

No matter how well you are defended at the moment, it pays to be prepared for personal data breaches.


In most cases, you’ll need to notify the Information Commissioner’s Office (ICO) within 72 hours of detecting a breach. If you opt not to, you must have a valid (and properly documented) reason for it. And if there is a “high risk to the rights and freedoms of individuals”, you need to inform your users as well.

The notification to users must be written in clear and plain language and include the following:

  • Name and contact details of your DPO (or another contact point, if you don’t have a Data Protection Officer);
  • Description of the likely consequences of the data breach (costs, reputation damage and so forth);
  • Measures you’ve taken or intend to take to mitigate the information leak.

If you fail to notify the ICO when necessary, the maximum fine might reach EUR 10M or 2% of annual global turnover. Note that this might stack with other fines, so having a reporting procedure in place is important.
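As an added example (not from the article), the reporting procedure above expressed in Python: a breach record carrying the 72-hour authority deadline, a check for whether that deadline has passed without either a notification or a documented reason, the high-risk flag that decides whether users are told too, and a validator that refuses a user notice missing any of the three items listed. `Breach`, `response_plan`, `validate_user_notice`, the field names and the constructed incident are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Window from the article: notify the supervisory authority within 72 hours of detection.
AUTHORITY_WINDOW = timedelta(hours=72)

# Items the user-facing notice must carry, per the list above.
REQUIRED_NOTICE_FIELDS = ("contact_point", "likely_consequences", "mitigation_measures")


@dataclass
class Breach:
    detected_at: datetime
    high_risk_to_individuals: bool
    authority_notified_at: Optional[datetime] = None
    justification_if_not_notified: str = ""   # must be written down if you decide not to report


def response_plan(breach: Breach, now: datetime) -> Dict[str, object]:
    """Who must be told, by when, and whether the clock has already run out."""
    deadline = breach.detected_at + AUTHORITY_WINDOW
    notified = breach.authority_notified_at is not None
    justified = bool(breach.justification_if_not_notified.strip())
    return {
        "authority_deadline": deadline,
        "hours_left": max(0.0, (deadline - now).total_seconds() / 3600),
        "authority_overdue": (not notified) and (not justified) and now > deadline,
        "authority_notified_late": notified and breach.authority_notified_at > deadline,
        "notify_users": breach.high_risk_to_individuals,
    }


def validate_user_notice(notice: Dict[str, str]) -> List[str]:
    """Required items that are missing or empty; an empty list means the notice is ready."""
    return [f for f in REQUIRED_NOTICE_FIELDS if not notice.get(f, "").strip()]


def demo() -> dict:
    """Constructed incident: detected on a Friday evening, high risk, draft notice incomplete."""
    detected = datetime(2018, 6, 1, 18, 0, tzinfo=timezone.utc)
    breach = Breach(detected_at=detected, high_risk_to_individuals=True)
    plan_day1 = response_plan(breach, detected + timedelta(hours=30))
    plan_day4 = response_plan(breach, detected + timedelta(hours=80))
    draft = {"contact_point": "dpo@example.com (constructed address)",
             "likely_consequences": "Exposure of email addresses; phishing risk.",
             "mitigation_measures": ""}
    return {
        "deadline": plan_day1["authority_deadline"].isoformat(),
        "hours_left_day1": plan_day1["hours_left"],
        "overdue_day1": plan_day1["authority_overdue"],
        "overdue_day4": plan_day4["authority_overdue"],
        "notify_users": plan_day1["notify_users"],
        "notice_missing": validate_user_notice(draft),
    }
```

Note that the clock starts at detection, not at the moment someone decides the incident is serious, so the detection timestamp should come from the monitoring or ticketing system rather than be typed in after the fact.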

Conclusion

While the new regulation might cause panic for businesses, it doesn’t have to. New security practices might prevent your company from becoming another Equifax. Moreover, implementing them ahead of your competitors might give you an edge and help your company remain in good standing with the law.

For more on GDPR, see the acronyms and terms list and this GDPR compliance checklist.
