May 25 2018 is an important date for many operations doing business in Europe, as it represents the moment when the General Data Protection Regulation goes into effect. The GDPR protects the personal privacy and data of EU residents, and fines for non-compliance are stiff. The GDPR standardizes data protection requirements among all members of the European Union. Anyone who develops or deploys software systems will be expected to conform to a new set of requirements regarding the gathering, storing and usage of individual customer data.
The GDPR is a replacement of the Data Protection Directive, implemented in 1995. The DPD was a non-binding act that asked member states to enact regulations on their own. It was highly localized, and proportionality issues relative to actual damage were common. Over 23 years, the digital world managed to quickly outpace the DPD. With the near ubiquitous nature of data-gathering, a universally applicable law became an increasing necessity.
The GDPR is intended to be directly binding, so individual European governments will not be expected to pass additional legislation to enact it. It also applies to all sectors, making it different from other requirements, such as the HIPAA rules that govern the healthcare sector. Imposed fines are capped at 4% of total global revenues or €20 million, with courts instructed to pursue whichever is larger.
GDPR and basic data protection principles
It's wise to be familiar with the terminology used in the GDPR before getting too involved with other issues. Within the GDPR, there are three legally defined main roles: Data Controllers, Data Processors and Data Subjects.
An enterprise or individuals are defined as data controllers if they, under Article 4 of the GDPR, are a "natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law." A data processor is a "natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." This includes companies that create software for clients. Finally, any EU resident can be classified as a data subject.
The GDPR outlines a number of principles for compliance. Foremost, under the principle of Lawfulness, all data that is processed should be lawfully gathered. This includes data that is gathered with clear consent, under a legal obligation or under contract. Transparency requirements call for data subjects to have access to all information in a format that'll be concise and easy to comprehend. Purpose Limitation demands that data should only be collected for explicitly stated and specific purposes that are legitimate. Data Minimization limits the scope of what data can be processed to what is required in relation to the state purpose of collection. Accuracy entails that all information be kept up-to-date and accurate. Storage Limitation imposes requirements that personally identifiable information shouldn't be held any longer than necessary. Companies are also expected to abide by Security principles that prevent unlawful processing or access, and they also must have measures in place to avoid accidental loss or damage. The data controlled is assigned responsibility under the principle of Accountability.
Under the GDPR, all residents of the EU have the right to know what will be done with any data that's collected about them. They also have the right to ask that data be corrected or destroyed, and they can object to or restrict the processing of their data. Copies of all data that is being processed must be produced upon request, and the data may not be subject to automated process. All inquiries related to these rights must be met within a single month from the time of the request.
Achieving GDPR compliance for software development projects
Bringing software products into line with these regulations starts with adopting the principles of Privacy and Security by Design. In this approach, privacy and security are considered core elements of the software from its inception. Technological and conceptual safeguards carried over from the DPD- and HIPAA-compliant software development should be applied as architectural solutions. Serious consideration should also go into what data will be collected in the first place. The goal is always to acquire, process and retain the absolute minimum amount of data possible to do the job.
According to this GDPR compliant software development guide , there is a number of common practices that address these concerns, if we speak of the tech side of things: data encryption, notification mechanisms, verification of age, means of active consent, and others. Deeper understanding of possible problems and solutions vary according to every particular software product, and it is up to the software developers to keep you informed and take care of these issues.