GDPR: The New Normal of Software Development
The European Union’s General Data Protection Regulation (GDPR) goes into effect this week. While the regulation affects all organizations accessing personal data of European Union (EU) citizens, its implication for software development companies is far reaching. This is because personal data – the focus of the regulation – is at the very core of software development. This means that those of us in the industry need to understand GDPR and position ourselves to operate in compliance with the regulation. Failure to comply has significant implications, as we will find out below. But first, let’s get started with the basics.
What is GDPR and What has Changed
The GDPR is a regulation that replaces the 1995 Data Protection Directive (DPD) of the EU. It sets minimum lawful standards, which organizations who benefit from personal data (“controllers,” under GDPR), and companies processing on their behalf (GDPR “processors”), must adhere to when processing personally identifiable data of EU Member State citizens (GDPR “data subjects”). The goals are to increase protection of, control over, and transparency of personal data. To fully understand how this regulation is different from past practices, consider these key differences between GDPR and the DPD:
- Opt-out vs. Opt-in Consent: Under the previous directive, organizations could consider a person’s failure to opt-out as an indication of consent, such as failure to untick a pre-ticked box. Under GDPR, organizations must gain explicit consent from the data subject. Explicit consent requires an clear, simple contract regarding their information and its intended use.. In order to be considered a valid consent, the controller must be able to show consent has been given by the data subject. If the consent is written, the verbiage in the consent contract must be written in clear, understandable language. Consent may be obtained for only for the personal data required for performance of the contract. Additionally, subjects have the right to easily withdraw consent at any time.
- The Definition of Personal Data: While the DPD applied only to information that can be used to identify a person and their sensitive personal details, GDPR covers any data or data sets which might be traced back to an individual, such as an IP address.
- Reporting a Data Breach: With the DPD, organizations were merely encouraged to report when there has been a breach of their data. Under GDPR, organizations are under obligation to report such breaches to the proper authorities within 72 hours of the incident.
- Data Protection and Accountability: GDPR requires explicit accountability for data protection from organizations. Any company employing more than 250 people or processing more than 5,000 profiles annually must appoint a dedicated data protection officer. Companies are also expected to commit to mandatory activities, such as staff training, internal data audits, and maintaining compliance documentation. None of these requirements were stipulated under the old rules.
- Penalties and Compensation: Non-compliance with GDPR could impose costly penalties on companies found in violation of the regulation. Under DPD, violations could lead to a maximum fine of 500,000 euros or one percent of a company’s annual revenue. The maximum fines under GDPR are considerably larger: 20 million euros or four percent of annual revenue, whichever is higher. Furthermore, GDPR allows data subjects to seek compensation for both material and non-material damage, whereas DPD was material only.
- Definition of Processing: Under GDPR data “processing” has a much broader meaning, defined as: “Any operation performed on personal data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
- Scope: The 1995 EU Data Protection Directive was a guideline for EU Member States to pass and implement national legislation to effect change regarding data protection. The GDPR is much more than a directive. It is a legally forceable and binding piece of legislation meant to unify data regulation across the EU. It is more far-reaching, including Member States and any organization handles data of EU citizens, which means its scope extends to any software application involving EU citizen data.
GDPR Subject Rights Means Responsibilities for Developers
Protecting the privacy rights, ensuring transparency, and providing control over personal data of EU citizens is central to GDPR. The requirements of GDPR places obligations on organizations to take steps to fulfill the new rights of data subjects, and thus it is imperative that developers keep these rights in mind when creating new GDPR-compliant software applications:
- Information and Transparency: When requested by data subjects, controllers must provide any information relating to their data processing to the subject in a concise and transparent form using clean and plain language. Article 13 and Article 14 establish what information shall be provided.
- Rectification: Provides data subjects the right fix inaccurate or incomplete information and without undue delay.
- Restriction of Processing: In lieu of erasure, data subjects can prevent a controller from processing their information if the data’s accuracy is contested, processing is unlawful but subject opposes erasure, or the controller must maintain the personal data for legal reasons.
- Erasure (or ‘Right to be Forgotten’): Data subjects can request deletion of personal data, of which the organization must oblige without undue delay (within the law).
- Notification Obligation: The entity collecting data must notify third parties of any erasures, rectifications, or restrictions of processing.
- Data Portability: Data subjects have the right to transfer their personal data between controllers, i.e. to move account details from one beneficiary of the data to another.
- Objection: While controllers must have a lawful basis for processing personal data, i.e. public interest or legitimate interests, lawful bases are not absolute and data subjects have a right to object to such processing.
- Profiling: Data subjects may elect to not be subject to automated decision-making based on their personal data, which may produce legal effects. Controllers must implement safeguards to protect the data subjects’ rights, freedoms, and legitimate interests.
Governing Principles for Software Development Under GDPR:
Another way in which GDPR affects developers is Article 25: Data Protection by Design and by Default. What does this mean? It means that organizations must build data protection safeguards into their products, processes, and services from the earliest stage of development. In other words, privacy and security considerations should not be an afterthought, but rather inherently built into each product, from the first stages of design and throughout the entire development process..
There are six key principles defined by the regulation that govern how organizations can collect, store, and process personal data. To be in compliance, ‘by design and by default” software developers should keep these principles in mind:
- Lawfulness, Fairness, and Transparency: GDPR requires processing of personal data to be lawful and fair. Communication relating to the processing of personal data should be transparent, accessible and easy to understand by the person whose data is being processed and include the identity of the controller and the purposes for which the data is being processed. Such communication should also disclose risks, rules, safeguards, and rights regarding the processing of personal data and how to exercise those rights. (See Article 5 and Article 6 for compliance requirements.)
- Purpose Limitation: Personal data may only be collected for specified, explicit, and legitimate purposes, as determined at the time of collection.
- Data Minimization: Personal data should be limited to only what is relevant and needed for the purpose of which it is being processed.
- Accuracy: Personal data must be kept up-to-date and inaccurate data must be immediately deleted or rectified with accurate information. Every reasonable step must be taken to ensure information accuracy.
- Storage Limitation: Storage of personal data must be kept to a strict minimum and once the information is no longer necessary for processing, it should be erased. The entity collecting data should establish time frames for deletion or for a periodic review to ensure limitation.
- Integrity and Confidentiality: GDPR requires that personal data be processed only if the purpose of processing it could not reasonably be fulfilled by other means and in a manner that ensures security and confidentiality.
In order to achieve a smooth transition in creating GDPR-friendly software that prioritize data protection, developers will need to devise strategies, policies, and procedures regarding data protection, subject control, and transparency. And now that we’ve covered the basics, we have a foundation of understanding and how we might approach software development that complies with GDPR. If you have any questions regarding this topic, leave us a comment.