More than four years have passed since the EU adopted the General Data Protection Regulation (GDPR) in 2016, and it has applied since 25 May 2018. Anyone who builds or runs software that touches the personal data of people in the EU has to comply with it or face fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. So here is our guide to GDPR compliance for software developers and entrepreneurs.
Check the following criteria to find out whether your solution is subject to the privacy regulation:
If you answered yes to at least one question, your software falls under the GDPR, so read on to see how to implement compliance.
The first step toward GDPR-compliant software is to take an inventory of the personal data it stores, where it is stored, and who can read it.
Do you really need it?
The best course for a privacy-conscious future is to collect only the bare minimum of personal data. This is the data-minimization principle of Article 5(1)(c), and it has a practical payoff: every field you never collect is one you never have to secure, disclose in a breach notification, or delete on request.
Encryption scrambles data so that it is unintelligible to anyone without the decryption key. Although it is often cited as the key factor of GDPR compliance, the word "encryption" appears only four times in the GDPR text (Recital 83 and Articles 6(4)(e), 32(1)(a) and 34(3)(a)), and each time as an example of an "appropriate" technical measure rather than as a mandate. Its practical weight comes from Article 34(3)(a): if breached data was encrypted and the key was not compromised, you do not have to notify the affected users.
As any cybersecurity expert will tell you, data breaches are inevitable. In July 2015, attackers compromised Ashley Madison and stole more than 25 GB of personal data from the adultery dating website. The user records, including names, emails and addresses, were stored unencrypted, which let anyone look up the would-be cheaters. This negligence resulted in a wave of blackmail, ruined careers and broken marriages; the site's owners paid over $11 million to settle the ensuing lawsuits, and at least three suicides have been linked to the breach.
According to experts, end-to-end encryption is your best bet at mitigating the damage of a possible data breach. Source: tresorit.com
But what if, for a legitimate reason such as cost or a drop in performance, you cannot encrypt a particular data set? Article 32 asks for measures "appropriate" to the risk, taking the state of the art and implementation costs into account, so document that risk assessment (it is exactly what a supervisory authority will ask for after a breach) and apply alternative measures such as pseudonymization. Keep in mind that pseudonymized data is still personal data as long as the additional information that re-identifies it exists (Recital 26), so the pseudonymization key must be stored separately from the data it protects and never alongside it.
"Contact us" forms often collect personal data such as email addresses, phone numbers or home addresses. If you store or transmit this information in plain text, you are opening the door to attackers. So again: send the form over TLS, encrypt what you keep at rest, and tell your clients how you store this data and for how long.
The next step is to employ HTTPS, the secure version of the HTTP protocol. It encrypts all data sent between client and server using TLS (the successor of SSL; SSL 2.0 and 3.0 are obsolete and must be disabled). When a user opens an HTTPS connection to your application, the server presents its certificate, which carries the server's public key and a Certificate Authority's signature that the browser checks against its trust store; the session keys are then negotiated in the TLS handshake. That is why you need a certificate from a CA that browsers trust and a correct installation, including the intermediate certificates in the chain. Also make sure that your TLS configuration, not just the certificate, is not exposed to protocol-level weaknesses: refuse SSLv3 and TLS 1.0/1.1, prefer forward-secret cipher suites, and send a Strict-Transport-Security header so browsers stop accepting plain HTTP for your domain.
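As an added example (not code from the original article), here is how a Python service can pin the TLS floor described above instead of trusting library defaults, which differ between Python and OpenSSL versions. The cipher string, the certificate paths and the HSTS value are assumptions for illustration:

```python
import ssl

# Added illustration, not code from the original article. OpenSSL and Python
# defaults differ between versions and distributions, so the service pins its
# own floor instead of trusting them. Certificate paths are placeholders.

MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4"
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def hardened_server_context(certfile: str = "", keyfile: str = "") -> ssl.SSLContext:
    """TLS 1.2 as the floor (SSLv3 and TLS 1.0/1.1 are never negotiated),
    forward-secret AEAD cipher suites only, TLS compression off (CRIME)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION
    if certfile:
        # Load the full chain (leaf + intermediates); a missing intermediate is
        # the classic "works in one browser, fails in curl" certificate bug.
        ctx.load_cert_chain(certfile, keyfile or None)
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """What an old code base often ends up with: every version OpenSSL still speaks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def accepts_broken_protocols(ctx: ssl.SSLContext) -> bool:
    """Config check for a deploy pipeline: would this context still negotiate
    anything below TLS 1.2?"""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def floor_name(ctx: ssl.SSLContext) -> str:
    """Human-readable protocol floor, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)
```

Run `accepts_broken_protocols()` against the context your server actually builds as a unit test, and confirm from outside with `openssl s_client -connect yourhost:443 -tls1_1`, which should fail to handshake once the floor is in place.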
Forget about pre-ticked boxes of any kind. The very notion of user consent has changed drastically under the GDPR: you can no longer get away with implicit, opt-out consent. Article 4(11) defines consent as a "freely given, specific, informed and unambiguous" indication of the data subject's wishes, given "by a statement or by a clear affirmative action".
Your consent boxes must default to "no" or be left blank, so that users are never forced to actively opt out.
As a website owner, you will occasionally want to reach out to your clients for marketing purposes. You need explicit consent for each type of processing you carry out: if you want to send promotional material by email, phone and post, your consent form needs three separate opt-in boxes. If all you need for marketing is the email address, a single marketing consent will suffice.
But if you use personalization, segmentation or targeting, you need both the marketing consent and a lawful basis (consent or legitimate interest) for collecting and profiling the additional behavioral or demographic data.
If you pass your customers' personal data to third parties, you must accurately identify and name each of those parties in your consent form, and the sharing itself must be opt-in: offering only an opt-out from third-party sharing is a big NO under the GDPR.
Still, giving third parties access to your users' personal data for analytics or other purposes is a risky idea. According to more than 300 industry experts surveyed, the majority of users don't want third parties anywhere near their personal data. The safest option may be a self-hosted web analytics platform, so that you alone collect, process and store the data. You still need a lawful basis for that processing, but you no longer have a processor contract or a data transfer to account for.
Note: contrary to a common assumption, the GDPR does apply to Google Analytics. It sets a cookie with a client identifier and processes the visitor's IP address, both of which Recital 30 names as online identifiers, so it needs the same lawful basis and consent handling as any other analytics tool. Since 2022 several EU supervisory authorities have found specific Google Analytics deployments unlawful because of the resulting transfers of that data to the US.
You also have to request agreement to your Terms and Conditions separately from any consent to personal data processing. Article 7(2) requires a consent request to be clearly distinguishable from other matters, and Article 7(4) says consent is not freely given when access to a service is made conditional on consent that the service does not actually need.
Under the GDPR you are no longer allowed to hide your Terms and Conditions or bury them in the fine print; a sign-up flow that does so (the article's illustration showed one) is no longer appropriate under the regulation. Users must acknowledge that they have read the Terms and Conditions and agree to them before getting access to your app.
Consent can be withdrawn at any time, and Article 7(3) requires withdrawing it to be as easy as giving it. This is distinct from the right to erasure, the "right to be forgotten" of Article 17, which goes further and obliges you to delete the data itself. If, for example, you send newsletters to your customers, every email must contain a working "unsubscribe" link, and using it should take no more effort than subscribing did.
But don't despair if some users unsubscribe from your mailing: with a dash of creativity you can change their minds and encourage them to re-subscribe. Just do it without the data they took back; once consent is withdrawn, you cannot keep emailing them to win them over.
In the official GDPR text, cookies are mentioned in the following context (Recital 30):
Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers, or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
In simpler words, cookies that let you identify users through their devices are subject to the GDPR. They include advertising cookies, analytics cookies and the so-called functional cookies that let websites remember user preferences. (The requirement to obtain consent before setting non-essential cookies actually comes from Article 5(3) of the ePrivacy Directive; the GDPR defines what valid consent looks like.)
In 2020, you should either avoid such cookies or find a lawful ground for collecting and processing the personal data they produce:
Under the GDPR, visiting your website for the first time does not by itself grant consent to process personal data. Even if you display "By using this website you accept cookies", such consent is not "freely given" (Recital 42), and Recital 32 states explicitly that silence, pre-ticked boxes or inactivity do not constitute consent.
Granular consent still applies: if you want to track visitor behavior and use the data for advertising, you must obtain consent for each activity separately, and you must let visitors withdraw it as easily as they gave it.
Remember, you cannot block access to your website for users who withhold consent (a "cookie wall" means the consent was not freely given). And after they log out, you have to destroy their session and any non-essential cookies you set.
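The consent mechanics above (one opt-in per marketing channel and per cookie use, "no" by default, withdrawal as easy as granting, and evidence you can show a supervisory authority) and the unsubscribe link discussed earlier come down to one small piece of infrastructure. The following is an added example, not code from the original article: an append-only consent ledger plus an HMAC-signed withdrawal token for one-click unsubscribe links. The purpose names, the signing secret and the "v3" consent-text version are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the original article. Purpose names, the signing
# secret and the text version are assumptions for illustration.

PURPOSES = {
    "email_marketing", "sms_marketing", "postal_marketing",   # one box per channel
    "analytics_cookies", "advertising_cookies", "profiling",  # one box per cookie use
}

# Assumption: in production this comes from a secret store, never from source code.
WITHDRAW_SECRET = b"replace-with-a-secret-from-your-kms"


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool      # True = granted, False = withdrawn
    at: float          # Unix timestamp of the action
    text_version: str  # which wording of the consent text the user saw
    source: str        # how it happened: "checkbox", "withdraw_link", ...


class ConsentLedger:
    """Append-only record of grants and withdrawals, one purpose at a time.
    Article 7(1) requires the controller to be able to demonstrate consent,
    so events are never edited or deleted, only appended."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant(self, user_id: str, purpose: str, text_version: str,
              source: str, at: Optional[float] = None) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if source in ("pre-ticked", "default", "implied"):
            raise ValueError("silence, pre-ticked boxes or inactivity are not consent (Recital 32)")
        self._events.append(ConsentEvent(user_id, purpose, True, at or time.time(), text_version, source))

    def withdraw(self, user_id: str, purpose: str, source: str,
                 at: Optional[float] = None) -> None:
        self._events.append(ConsentEvent(user_id, purpose, False, at or time.time(), "", source))

    def is_permitted(self, user_id: str, purpose: str) -> bool:
        """Default is 'no': with no event on file, the processing is not allowed."""
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.user_id == user_id and e.purpose == purpose:
                latest = e
        return latest is not None and latest.granted

    def history(self, user_id: str) -> List[ConsentEvent]:
        """The evidence you hand to a supervisory authority or to the user on request."""
        return [e for e in self._events if e.user_id == user_id]


def withdrawal_token(user_id: str, purpose: str, secret: bytes = WITHDRAW_SECRET) -> str:
    """Token for a one-click unsubscribe link. The HMAC means the link cannot be
    forged to unsubscribe someone else, and the purpose is bound into it so a
    link issued for email marketing cannot be replayed against another purpose.
    Assumes user ids never contain '|'."""
    payload = f"{user_id}|{purpose}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def withdraw_via_link(ledger: ConsentLedger, token: str,
                      secret: bytes = WITHDRAW_SECRET, at: Optional[float] = None) -> bool:
    """Handler behind GET /unsubscribe?t=<token>: verify first, then append a
    withdrawal. No login is required, so the signature is the only protection."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:          # malformed token (binascii.Error is a ValueError)
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    user_id, purpose = payload.decode().split("|", 1)
    ledger.withdraw(user_id, purpose, source="withdraw_link", at=at)
    return True
```

Everything that sends marketing or sets a non-essential cookie should gate on `is_permitted()` at the moment of sending, not on a flag cached when the user signed up, so a withdrawal takes effect immediately.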
When signing up for a web application, you are often asked to set security questions. This is a bad idea for GDPR-compliant software.
The GDPR does not literally ban security questions, but they run against data minimization: they collect extra personal data about the customer's family, preferences, homes and so on, only to use it as a weak secret that is often guessable or findable on social media. The best option is two-factor authentication (2FA), which combines the password with a second factor such as a one-time code from an authenticator app, a hardware security key or a fingerprint; SMS codes are better than nothing but are exposed to SIM-swap attacks. Such systems are a powerful deterrent to cybercriminals. If 2FA isn't possible for some reason, let users write their own secret questions and warn them not to put personal information in them.
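The authenticator-app option above is the RFC 6238 time-based one-time password (TOTP), which needs nothing beyond the standard library to verify server-side. The block below is an added example, not code from the original article; it implements RFC 4226 HOTP and RFC 6238 TOTP, a provisioning URI for the QR code, and a verifier that tolerates one step of clock skew but refuses to accept the same time step twice for a user, which blocks replay of a code that was phished seconds earlier. The "Example Shop" issuer name is a placeholder.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict
from urllib.parse import quote

# Added example, not code from the original article: RFC 4226 HOTP and RFC 6238
# TOTP in the standard library, as a second factor that does not depend on SMS.
# The issuer name is a placeholder.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def provisioning_uri(secret: bytes, account: str, issuer: str = "Example Shop") -> str:
    """What the enrolment QR code encodes (base32 secret, SHA1, 6 digits, 30 s)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server side. Accepts one step of clock skew either way and never accepts
    the same time step twice for a user (RFC 6238 section 5.2), so a code the
    attacker phished moments ago cannot be replayed. Persist _last_counter in
    production; an in-memory dict resets on restart."""

    def __init__(self, step: int = 30, window: int = 1) -> None:
        self.step, self.window = step, window
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, at: float) -> bool:
        counter = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate < 0 or candidate <= self._last_counter.get(user, -1):
                continue                                   # already used: replay
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_counter[user] = candidate
                return True
        return False
```

Rate-limit `verify()` per user as you would a password check: with six digits and a three-step window, an unthrottled attacker has roughly a 1 in 333,000 chance per guess.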
Check whether your system uses IP addresses or location data in the authentication process. If your logs contain such data, tell users how you store it and how long it persists. Also encrypt your logs, restrict who can read them, and never write particularly sensitive data (passwords, session tokens, full card numbers) into them. Where you only need to correlate events, such as counting failed logins from one source, store a keyed pseudonym of the IP address rather than the address itself.
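The pseudonymization recommended earlier for data you cannot encrypt, and the log handling just described, rest on the same point: an unkeyed hash of an email address or IP is not a pseudonym, because both are enumerable and an attacker can simply hash guesses until one matches. The following added example (not code from the original article) shows the dictionary attack against plain SHA-256, the keyed HMAC pseudonym that defeats it, and a log scrubber that drops secrets and replaces emails and IPv4 addresses with truncated pseudonyms so events can still be correlated. The key, the candidate list and the log line are constructed for illustration; IPv6 is left out for brevity.

```python
import hashlib
import hmac
import re
from typing import Callable, Iterable, Optional

# Added example, not code from the original article. The key, the candidate
# list and the sample log line are constructed for illustration.

# Assumption: loaded from a secret store in production, never committed to git.
PSEUDONYM_KEY = b"keep-me-in-a-kms-not-in-git"


def unkeyed_hash(value: str) -> str:
    """What many teams call 'anonymized': SHA-256 of the value. Reversible by
    dictionary attack for anything enumerable (emails, IPs, phone numbers)."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256). Same input gives the same pseudonym, so you
    can still join and count, but without the key nobody can test guesses."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: does any guess map to the stored value?"""
    for guess in candidates:
        if fn(guess) == target:
            return guess
    return None


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECRET_PARAM = re.compile(r"(password|passwd|pwd|token|secret)=([^&\s]+)", re.IGNORECASE)


def scrub_log_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Drop secrets outright; replace emails and IPv4 addresses with a truncated
    keyed pseudonym (16 hex chars is enough to correlate, too short to be a
    useful hash of the original)."""
    line = SECRET_PARAM.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = EMAIL.sub(lambda m: "email:" + pseudonymize(m.group(0), key)[:16], line)
    return IPV4.sub(lambda m: "ip:" + pseudonymize(m.group(0), key)[:16], line)


# Constructed sample, not a real log.
SAMPLE_LOG = ('203.0.113.7 - - [12/Mar/2020:10:15:32 +0000] '
              '"POST /login?user=alice@example.com&password=hunter2 HTTP/1.1" 302 0')
CANDIDATE_EMAILS = ["bob@example.com", "alice@example.com", "carol@example.com"]
```

Rotate the key only when you are prepared to lose correlation across the rotation boundary, and keep it out of the log pipeline itself: a scrubber that runs on the same host as the key store has simply moved the personal data one hop.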
This is a crucial step for e-commerce applications. If you use payment gateways, you are likely gathering customers' personal data, and in most cases it stays in your system indefinitely. That violates the storage-limitation principle of Article 5(1)(e): personal data may be kept only as long as necessary for the purpose it was collected for. Your application must therefore delete or anonymize customers' personal data after a set, documented period (e.g., 60 days after the order is fulfilled), keeping only what other laws oblige you to retain, such as invoice records for tax purposes. Raw card numbers should never be in your database at all; leave them with the payment gateway (that is a PCI DSS requirement rather than a GDPR one).
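A retention job for the order data just described has to do three things the sentence above does not spell out: erase the personal columns while keeping the financial record, skip orders under a dispute or legal hold, and be safe to re-run every night. The following is an added example, not code from the original article; the schema, the 60-day period and the sample orders are constructed for illustration, and the period should come from your documented retention policy.

```python
import sqlite3

# Added example, not code from the original article. Schema, retention period
# and sample data are constructed for illustration.

RETENTION_DAYS = 60          # assumption: take this from your documented policy
DAY = 86400

SCHEMA = """
CREATE TABLE orders (
    id               INTEGER PRIMARY KEY,
    created_at       INTEGER NOT NULL,            -- Unix time the order was placed
    customer_email   TEXT,
    shipping_address TEXT,
    phone            TEXT,
    total_cents      INTEGER NOT NULL,            -- non-personal, kept for accounting
    legal_hold       INTEGER NOT NULL DEFAULT 0,  -- dispute/chargeback: do not purge yet
    pii_erased_at    INTEGER                      -- NULL until the purge job ran
);
"""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_order(conn: sqlite3.Connection, created_at: float, email: str, address: str,
                 phone: str, total_cents: int, legal_hold: bool = False) -> int:
    cur = conn.execute(
        "INSERT INTO orders (created_at, customer_email, shipping_address, phone, "
        "total_cents, legal_hold) VALUES (?, ?, ?, ?, ?, ?)",
        (int(created_at), email, address, phone, total_cents, int(legal_hold)))
    conn.commit()
    return cur.lastrowid


def purge_expired_pii(conn: sqlite3.Connection, now: float,
                      retention_days: int = RETENTION_DAYS) -> int:
    """Scheduled job (cron, once a day). Nulls the personal columns of orders
    older than the retention period, keeps the financial record, skips legal
    holds, and is idempotent: already-purged rows are not touched again.
    Returns the number of rows purged, which is worth logging as evidence."""
    cutoff = int(now) - retention_days * DAY
    cur = conn.execute(
        "UPDATE orders SET customer_email = NULL, shipping_address = NULL, phone = NULL, "
        "pii_erased_at = ? "
        "WHERE created_at < ? AND legal_hold = 0 AND pii_erased_at IS NULL",
        (int(now), cutoff))
    conn.commit()
    return cur.rowcount


def order_view(conn: sqlite3.Connection, order_id: int) -> dict:
    row = conn.execute(
        "SELECT customer_email, shipping_address, phone, total_cents, pii_erased_at "
        "FROM orders WHERE id = ?", (order_id,)).fetchone()
    return {"email": row[0], "address": row[1], "phone": row[2],
            "total_cents": row[3], "erased": row[4] is not None}
```

Backups are the part this job cannot reach: either give backups their own (documented) retention period, or keep them encrypted under a key you can retire, so that purged rows do not quietly survive in last month's snapshot.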
E-commerce websites often track visitors' behavior and tastes to improve their recommendations. Under the GDPR, such profiling requires clear and explicit consent. You also have to tell users how this data is stored in your systems and for how long, and if a user rejects tracking, you must respect that choice and serve the site without the profiling.
Now you know how to become GDPR compliant. In a privacy-conscious future, the ability to demonstrate the security and transparency of your application will be a real advantage. Use this GDPR compliance checklist for software development to rise above the competition and carve out a niche in the changing markets.
Credits: https://www.mindk.com/blog/how-to-make-your-software-gdpr-compliant/
 