Judith
Posted on April 26, 2018
May 25 marks the target for GDPR compliance in the EU. Here are some key points that a US developer should look at.
The Changing Privacy Landscape
The revamp will modify the Data Protection Directive of 1995.
First is the General Data Protection Regulation or GDPR
All of the existing principles from the original Directive stay with us under GDPR. What GDPR adds is new definitions and requirements to reflect changes in technology which simply did not exist in the dialup era.
The second half is the revamp of the ePrivacy Directive of 2002
(You know it, somewhat inaccurately, as the “cookie law.”) This revamp deals with data in transit such as cookies, telemetry, and metadata, and with consent for marketing. ePD is still in draft, but look for a deadline of late this year/beginning of 2019.
What should you know about these changes?
GDPR pertains to personal data
defined as “any information relating to an identified or identifiable natural person.”
Includes multiple data points or combinations that create a record:
- Genetic data
- Biometric data (such as facial recognition or fingerprint logins)
- Location data
- Pseudonymized data
- Online identifiers
This includes sensitive personal data, which requires stricter protection (pay attention, devs):
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Sex life or sexual orientation
- Past or spent criminal convictions
Personal data is used, stored and manipulated by data controllers and data processors.
The controller is you or the organization you represent.
The data processor is any entity that processes the data for the controller.
GDPR covers only Europe, right? NO
If you deal with data from any European entity (customers, users, businesses, etc.), you need to protect it under GDPR. The fact that the USA currently doesn't have a far-reaching set of laws or governance for protecting data is not a reason to sweep this under the rug. Right now the US views these privacy matters mostly under contract and property law, but remember that the internet has no boundaries. Pretty soon there will be a collision of practices about how we protect data, so start doing it now, as much in accordance with GDPR as you can within your purview. Data protection is not overtly protected by law; the responsibility is very much in the hands of the engineers who create and implement these processes.
What you can do now
The Privacy by Design framework
A seven-point development methodology that requires optimal data protection to be provided as standard, by default, across all uses and applications.
Privacy Impact Assessment
TRAINING AND PROFESSIONAL DEVELOPMENT
Include legal and industry-specific methodologies and frameworks.
Technical And Security Measures
Most data breaches begin internally; think access control and segregated data.
- Healthy data protection workflows
- Avoid unnecessary data capture or loss
- Require everyone in your project to work from a clearly defined set of code libraries, tools, and frameworks
Technical and security measures to address third parties
Disable unsafe or unnecessary modules (in APIs and third-party libraries)
Code Reviews
Minimization in front and back end UI design where data is collected
Map where data is stored, protected, encrypted, and sandboxed
Data should be deleted automatically or through user actions
CONSENT AND SUBJECT ACCESS
On the front end, provide better consent mechanisms and user controls
- UI for individual subject access rights, such as the right to edit and correct information, the right to download data, the right to restrict processing, and the right to data deletion. (think account settings)
- develop ways to alert users to any applicable choices and options
On the back end, develop to enforce user consent
- Procedures such as penetration testing
- Test for data protection by default
- Develop ways for the public to notify if your data has been breached
GDPR is really about adopting common-sense safeguards for data protection and privacy as fundamental parts of your development workflow. Here is the full GDPR Code of Practice as a start in making changes:
Anonymisation managing data protection risk code of practice
The Privacy by Design framework
Privacy Impact Assessment
Key ideas
* Consent
* Notification of data breach
* Right to be forgotten
Every individual reserves the right to ask for the deletion of their personal data in situations when the data is no longer required.
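An added example (not part of the original post) of three points above: enforcing consent on the back end, deleting data automatically or through user actions, and the right to be forgotten. The `ConsentStore` class, the purpose names and the 365-day retention period are assumptions made for illustration; GDPR does not prescribe that figure.

```python
"""Added example: back-end consent enforcement, erasure and retention purge.
ConsentStore, ConsentError and RETENTION are hypothetical names."""
from datetime import timedelta

RETENTION = timedelta(days=365)  # assumed retention period, not a GDPR figure


class ConsentError(PermissionError):
    """Raised when processing is attempted without recorded consent."""


class ConsentStore:
    def __init__(self):
        self._records = {}  # user_id -> {"data": dict, "stored_at": datetime}
        self._consent = {}  # user_id -> set of purposes the user agreed to

    def store(self, user_id, data, now):
        self._records[user_id] = {"data": dict(data), "stored_at": now}
        self._consent.setdefault(user_id, set())  # protection by default: no consent

    def grant(self, user_id, purpose):
        self._consent.setdefault(user_id, set()).add(purpose)

    def withdraw(self, user_id, purpose):
        self._consent.get(user_id, set()).discard(purpose)

    def read_for(self, user_id, purpose, fields):
        """Return only the requested fields, and only with consent for purpose."""
        record = self._records.get(user_id)
        if record is None or purpose not in self._consent.get(user_id, set()):
            raise ConsentError(f"no consent from {user_id} for {purpose!r}")
        return {f: record["data"][f] for f in fields if f in record["data"]}

    def erase(self, user_id):
        """User-initiated deletion: drop the data and the consent state."""
        existed = self._records.pop(user_id, None) is not None
        self._consent.pop(user_id, None)
        return existed

    def purge_expired(self, now):
        """Automatic deletion of every record older than RETENTION."""
        expired = [u for u, r in self._records.items()
                   if now - r["stored_at"] > RETENTION]
        for user_id in expired:
            self.erase(user_id)
        return sorted(expired)
```

Every read names a purpose and a field list, so a caller cannot pull a whole record by accident and a withdrawn consent takes effect on the next call.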