These 7 Steps Will Help Prepare Your Software for GDPR
On 25 May 2018, every company offering goods or services to people in the EU will have to adhere to the new data protection rules or face fines of up to 4% of annual global turnover or €20M (roughly $24.5M), whichever is higher. We have prepared a list of things you can do to make sure your app is safe from the hammer of the law.
As the GDPR comes into force it will affect businesses all over the world, including 52% of American firms. Some established companies, like MailChimp and Amplitude, have already released statements claiming to be prepared for the new privacy rules. But Gartner predicts that only half of businesses will succeed. We have prepared a list to help you be among them.
What is GDPR?
The acronym stands for General Data Protection Regulation. It is a legal document detailing the rules for collecting and processing personal information. Unlike the 1995 Data Protection Directive, which each member state had to transpose into its own national law, the GDPR is a regulation: it applies directly and uniformly in every member state, and it will be enforced.
Who needs to prepare for GDPR?
According to the full text of the GDPR, any organization that collects or processes the personal data of people in the EU is subject to the regulation, regardless of where the organization itself is based. Moreover, all your processors (including software development companies and hosting providers) need to adhere to the standard for your app to be GDPR-compliant. Experts at Gartner think that the authorities will start enforcing the legislation right after it comes into effect, so the sooner you are ready, the better.
The regulation and its accompanying documents are massive in scope and size (260 pages), but there are things you can do to make your product fit its requirements.
1. Get informed consent
The GDPR states that businesses now have to ask users to agree to the collection and processing of their personal information. The request "must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent".
According to Sergei Voronkevich, personal data protection expert, your application has to describe what information will be handled, why, and where. Silence or inactivity does not count as consent; the user has to take an affirmative action (like ticking an unticked checkbox). A timely notification with a clear description and an option for the user to accept or decline will do the job. Record what the user consented to, when, and which version of the notice they saw, since you may later have to prove it.
Moreover, if you already have a user base, you might need to have them "re-permission" your app if the consent you obtained earlier falls short of the GDPR standard.
2. Manage the personal data
Make sure that you are collecting only the information you cannot do without. And, if possible, implement automatic deletion of data you no longer need, tied to a retention period you have written down. This will both protect your users' privacy (giving you another selling point) and limit the fallout of a data breach: there is less to disclose to the authorities and to the owners of affected accounts, and no fine for ignoring data minimization rules.
“Where there is a reason to process the data, there is no problem. Where the reason ends, the processing should, too," - Bart Willemsen, research director at Gartner.
Consider delegating login to an identity provider via OAuth 2.0 / OpenID Connect. This spares you from storing and protecting passwords, though it does not remove your responsibility for the other personal data your app holds.
If you still need to store some personal information, keep the directly identifying data (names, e-mail addresses) and the related data (e.g. account history) in separate stores, linked only by a random pseudonymous identifier rather than by the user's name or e-mail. This way, if the data about user actions leaks on its own, no one can attribute those actions to a specific person. The GDPR calls this pseudonymization and explicitly lists it as an appropriate safeguard (Articles 25 and 32).
3. Make sure the information is protected well
The GDPR Article 32 requires that the personal data is protected by the “state-of-the-art” measures. However, the exact nature of those measures is left for the companies to decide. As Belitsoft has quite a bit of experience in building HIPAA-compliant medical apps which have similar technical requirements, there are a few options we can recommend.
It goes without saying that personal data must be encrypted at rest and in transit. The Ashley Madison breach exposed users' names, e-mail addresses, street addresses and transaction records, leading to multimillion-dollar lawsuits and settlements. Had the GDPR been in effect back then, the company would also have received a huge fine.
There are three main ways you can approach building a GDPR-compliant data store.
The first is developing your own custom server with a centralized database. It can provide the necessary level of security and saves you money in the long run, although you will need to make a certain investment up front. It will also require careful optimization, as encrypting and decrypting information can be resource-intensive.
The second option is using a third-party GDPR-compliant hosted service with a centralized DB. It is a much quicker solution, as the technical issues have already been solved by the provider. It is also cheaper in the short term (the associated development costs are relatively minor) but will cost more in the long run. Remember that the provider becomes your processor and must be bound by a data processing agreement (Article 28).
The third option is using blockchain technology and building a custom server with a decentralized database. Be careful here: a blockchain is append-only, which conflicts directly with the rights to erasure and rectification, and decentralization is not by itself a "sufficient measure of protection" under the GDPR. If you go this route, keep personal data off-chain in a conventional store and put only pseudonymous references or hashes on the ledger, so that the personal data can still be deleted or corrected.
Need a team of experts to build your GDPR-compliant application? Contact us and get a free quote on your project!
4. Implement "privacy by design" and "privacy by default"
"Privacy by default" essentially means that if there are privacy settings in your product, they must be set to the most protective level at the start. Feel free to include an option to lower the protection, should someone wish it. But your app cannot make a new user do something to get the highest level of privacy.
The concept of "privacy by design" is less precisely defined, but boils down to making sure privacy is taken care of at every stage of the product's lifecycle. Implementing this idea is a much larger undertaking, which may even lead you to rewrite your app from scratch. To start, conduct a Data Protection Impact Assessment (the GDPR's term for a Privacy Impact Assessment) to determine which functionality you need to implement or modify. After the results are in, it is a matter of using them to design the application in a way that keeps personal information safe.
"Many of the companies who we're talking to… they're going to want to trade with Europe too, and therefore it's very important that they buy a platform that is going to be compliant with those regulations." - Paul Clarke (CTO at Ocado) on GDPR
5. Prepare for the users exercising their rights
The new European regulation has given people extra rights that companies must honour, generally within one month of the request. Among them:
- Right to be forgotten (erasure) – a user can request that all of their stored data is permanently deleted "without undue delay", unless you have a legal obligation to keep it;
- Right to object – a user can object to the use of their personal data for certain purposes, such as direct marketing;
- Right to rectification – if a user finds some or all of their stored data incorrect or incomplete, they may request it be rectified;
- Right to access – users are entitled to know what personal information about them is being processed and how;
- Right to portability – a user may request their information to be transferred to a different organization.
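The following is an added example, not code from the original article or from Belitsoft, showing how the split store from step 2 and the rights in step 5 fit together. It is a constructed, in-memory illustration: an identity store maps a random pseudonym to the person, an activity store holds account history keyed only by that pseudonym, export gathers both halves for an access or portability request, erasure removes the identity row so the remaining events can no longer be attributed to anyone, and a retention purge drops old events automatically. All names, e-mail addresses, events and the one-year retention period are made up for the demo.

```python
"""Pseudonymized split of identity data and account history (added example)."""
import json
import secrets
from datetime import datetime, timedelta, timezone


class IdentityStore:
    """Directly identifying data only. In production this is a separate
    database with its own access controls; here it is a dict."""

    def __init__(self):
        self._by_pseudonym = {}   # pseudonym -> {"name": ..., "email": ...}
        self._by_email = {}       # email -> pseudonym (lookup index)

    def register(self, name, email):
        # A random, unguessable token. Unlike a hash of the e-mail address,
        # nothing about the person can be derived or verified from it.
        pseudonym = secrets.token_hex(16)
        self._by_pseudonym[pseudonym] = {"name": name, "email": email}
        self._by_email[email] = pseudonym
        return pseudonym

    def lookup(self, email):
        return self._by_email.get(email)

    def get(self, pseudonym):
        return self._by_pseudonym.get(pseudonym)

    def erase(self, pseudonym):
        person = self._by_pseudonym.pop(pseudonym, None)
        if person is not None:
            del self._by_email[person["email"]]
        return person is not None


class ActivityStore:
    """Account history keyed by pseudonym only; no name or e-mail in here.
    Event payloads must not carry identifying data either (no IPs, no
    free text), otherwise the split buys nothing."""

    def __init__(self):
        self._events = []   # list of {"pseudonym", "at", "action"}

    def record(self, pseudonym, action, at):
        self._events.append({"pseudonym": pseudonym, "at": at, "action": action})

    def for_user(self, pseudonym):
        return [e for e in self._events if e["pseudonym"] == pseudonym]

    def purge_older_than(self, cutoff):
        """Retention limit: drop events older than cutoff, return how many."""
        before = len(self._events)
        self._events = [e for e in self._events if e["at"] >= cutoff]
        return before - len(self._events)


def export_for_portability(identities, activity, email):
    """Right of access / portability: everything held about one person, as
    JSON. Returns None if the person is unknown (e.g. already erased)."""
    pseudonym = identities.lookup(email)
    if pseudonym is None:
        return None
    person = identities.get(pseudonym)
    events = [{"at": e["at"].isoformat(), "action": e["action"]}
              for e in activity.for_user(pseudonym)]
    return json.dumps({"name": person["name"], "email": person["email"],
                       "events": events}, indent=2)


def erase_user(identities, activity, email):
    """Right to be forgotten: remove the identity row. The events stay for
    aggregate statistics but are now attributable to nobody. Returns the
    number of events that were orphaned this way."""
    pseudonym = identities.lookup(email)
    if pseudonym is None:
        return 0
    identities.erase(pseudonym)
    return len(activity.for_user(pseudonym))


def run_demo():
    """Walk one constructed user through the lifecycle; returns what was
    observed at each step so it can be checked."""
    identities, activity = IdentityStore(), ActivityStore()
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ann = identities.register("Ann Example", "ann@example.com")   # constructed
    activity.record(ann, "login", now - timedelta(days=400))
    activity.record(ann, "purchase:order-1", now - timedelta(days=3))
    activity.record(ann, "login", now)
    purged = activity.purge_older_than(now - timedelta(days=365))     # assumed retention
    exported = json.loads(export_for_portability(identities, activity, "ann@example.com"))
    orphaned = erase_user(identities, activity, "ann@example.com")
    return {
        "purged": purged,
        "exported_name": exported["name"],
        "exported_events": len(exported["events"]),
        "orphaned": orphaned,
        "identity_gone": identities.lookup("ann@example.com") is None,
        "export_after_erasure": export_for_portability(identities, activity, "ann@example.com"),
        "events_left": len(activity.for_user(ann)),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the random pseudonym is that a leak of the activity store alone reveals only that some token logged in and bought something; a hash of the e-mail address would not do, because an attacker who knows or guesses the address can recompute it. Note that after erasure the two orphaned events are still in the store, which is only acceptable because they contain nothing that identifies the person on its own; if your events carry IP addresses or free-text fields, delete them along with the identity row.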
6. Document everything
The regulation requires companies not only to implement additional data protection measures but also to document them, so they can demonstrate that they have taken the necessary steps (the GDPR calls this accountability). Otherwise, an official audit will find the company non-compliant and – you've guessed it – it must pay a fine.
That is why it is important to properly prepare security policies, data protection impact assessments, personal data registry and other relevant documents. See the complete list of things to describe on the Information Commissioner’s Office website.
This task of mapping out the information processing and putting it on paper usually falls to the Data Protection Officer. Appointing one is mandatory for public authorities and for organizations whose core activities involve large-scale, systematic monitoring of people or large-scale processing of special categories of data (health, biometrics, and the like); many other businesses appoint one voluntarily. If you fall into one of the mandatory categories and have no such specialist, you are breaking the law and putting your business at risk.
7. Plan for contingencies
No matter how well you are defended at the moment, it pays to be prepared for personal data breaches.
In most cases, you'll need to notify your supervisory authority (in the UK, the Information Commissioner's Office, ICO) within 72 hours of becoming aware of a breach. The only exception is a breach that is unlikely to result in a risk to the rights and freedoms of individuals, and even then you must document the breach and your reasoning for not reporting it. If there is a "high risk to the rights and freedoms of individuals", you need to inform the affected users as well, without undue delay.
The notification for users must be written in clear and plain language and include the following:
- Description of the nature of the breach (what data was involved);
- Name and contact details of your DPO (or another contact point, if you don't have a Data Protection Officer);
- Description of the likely consequences of the data breach (financial loss, identity theft, reputational damage and so forth);
- Measures you've taken or intend to take to address the breach and mitigate its effects.
If you fail to notify the authority when required, the maximum fine can reach EUR 10M or 2% of annual global turnover, whichever is higher. Note that this may stack with fines for the underlying security failure, so having a tested reporting procedure in place, with the 72-hour clock in mind, is important.
While the new regulation might cause panic for businesses, it doesn’t have to. New security practices might prevent your company from becoming another Equifax. Moreover, implementing them ahead of your competitors might give you an edge and help your company remain in good standing with the law.