微信图片_20200422133424

GDPR and how do implement it in the software development process?

All the companies providing goods or services for the EU citizens will have to adhere to the new data protection rules or face fines of up to 4% annual global turnover or roughly $24.5M. As the GDPR comes into force it will affect businesses all over the world.

What is GDPR? Who needs to prepare for GDPR?

Any organization which gathers or processes EU citizens’ personal data is subject to the regulation. Moreover, all your contractors (including software development companies) need to adhere to the standard for your app to be GDPR-compliant.

How we implement it into your software:

1. Get informed consent from the user

The GDPR states that businesses now have to ask users to agree to collecting and processing their personal information. The request “must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent

2. minimize the collected data

Make sure that you are collecting only the information you can’t do without. And, if possible, implement automatic deletion of the data you no longer need. 

3. Encrypt personal data

Encryption adds an extra layer of security the hacker must defeat before they can access the information. The GDPR Article 32 requires that personal data is protected by the “state-of-the-art” measures. However, the exact nature of those measures is left for the companies to decide

4. Implement “privacy by design” 

Make sure privacy is taken care of at every stage of the product’s lifecycle. Implementing this idea is a much larger undertaking.

4.1 Two-Factor Authentication

It protects from online fraud and identity theft

4.2 Blocking brute force attacks

If a hacker intends to use automated login/password guessing, these measures can stop them.

4.3 Automatic Log-Off

This feature helps prevent unauthorized access and modification of data

4.4 Separate domain names for Customer and Admin portals

Separating portals helps protect the information and allows securing the admin section without hampering users.

4.5 HTTP Authentication for Web Admin Panel

This feature adds another layer of protection against them.

4.6 SSL Certificate

SSL certificates protect the information transfer between app server and database or between the user and your service.

4.7 Locking Unused Database Ports

New servers are shipped with all the ports open. Lock the unneeded ones so they can’t be used for intrusion.

4.8 Database can be accessed only from API server IP

Allowing only one IP address will prevent unauthorized access and locate data breaches. Cloud firewalls could help with that.

4.9 Database connects to API server via HTTPS

Encryption helps protect the information while it is in transfer.

4.10 Server is accessed via VPN

VPN adds another layer of security to the data on the server.

4.11 Regular Database backup

Back up the information in the DB and store it on an external cloud service. In the event of a data breach, it will help to minimize losses.

4.12 Regular Server Log Backup

All the server logs should be kept and stored externally. It helps locate inconsistencies in case of hacker attacks.

4.13 Adjust Inotify

Set up triggers and notifications to detect intrusion quickly.

4.14 Log all the Server Actions

Logs allow to find out which data was modified.

5. Implement “Privacy by default”

“Privacy by default” essentially means that if there are privacy settings in your product, they must be set to maximum at the start.

6. Implement Pseudonymization

Pseudonymization means storing information that can identify a person (e.g. social security number) and the related data (gender, age, location, etc.) separately.

7. Prepare for the users to exercise their rights

The new European regulation has given people extra rights that companies must grant: Right to be forgotten; Right to object; Right to rectification; Right to access; Right to portability.

8. Document everything

The regulation requires companies to not only implement additional data protection measures but also document them to be able to prove that they’ve taken the necessary steps.

9. Prepare a plan for contingencies

No matter how well you are defended at the moment, it pays to be prepared for personal data breaches.

In most cases, you’ll need to notify the Information Commissioner’s Office (ICO) within 72 hours of detecting a breach. If you opt not to, you must have a valid (and properly supported by documents) reason for it. But if there is a “high risk to the rights and freedoms of individuals”, you need to inform your users as well.

Add a Comment

Your email address will not be published. Required fields are marked *