What Technical, Organizational and Legal Measures Should Be Taken by a Custom Software Provider to Stay Compliant with the Newly Released EU Personal Data-Related Regulation
The GDPR has been the talk of the town for a spell now, creating quite a commotion and some new business opportunities for up-and-coming consulting outfits. While there is still quite a bit of ambiguity about many aspects of the General Data Protection Regulation, issued jointly by the governing European Union institutions in May of 2018, it is clear as rain that this regulation’s imposition will affect most custom software providers, and none of them can afford to overlook its advent. At least, not as long as they want to stay in touch with, and profit from, the increasingly innovation-reliant market of the European Union, whose gross domestic expenditure on R&D activities, according to Eurostat, amounted to EUR 303 billion in 2016.
Before assessing the implications the GDPR will have for software providers and considering the diverse set of measures that, incidentally, seem to be indispensable, let’s take a brief look at the gist of this legislative initiative.
As you probably know, it is all about personal data and its collection, storage and exchange. More specifically, it deals with the first name, last name, home address, email account (for instance, one of the form email@example.com), location data, ID number or IP address of any identified or identifiable EU citizen or even resident. Long story short, you are obligated to process any attributable personal data so as to rule out any possibility of it being leaked or misused, regardless of whether this data was created manually or automatically (for example, you may choose to process such data in a pseudonymized form). You must rely on the consent of an individual (customer, prospect, or site visitor, in the context under review) while collecting such data. You must delete the data whenever requested by an individual, regardless of whether you want or need to process it. As a data holder, you must notify the data protection authorities of any personal data-related security breach that has occurred, and you have 72 hours to do so. You must obtain the data owner’s permission if you want to process the data automatically rather than fumble with it manually for years.
Well, that’s just in a nutshell (for all the “musts”, you should refer to the regulation itself or consult some of the trustworthy sources that focus on its technicalities and expound the document at length).
Now, what happens if you run afoul of any of the above requirements, inadvertently or purposefully? Failure to comply with any of the aforementioned requirements is potentially fraught with pretty grim consequences. Depending on the nature of the infringement, a company can be fined up to EUR 20 million or 4% of its annual turnover. For a company based outside the EU, this would most probably mean the end of any client relationships with EU-based business entities. Doesn’t sound like a bed of roses, does it? So, let’s now see what the whole thing translates into for a custom software provider that wants to work with EU clients.
First and foremost, one should make several regulation-imposed modifications to the company website. In particular, your website must display a message to the effect that you use cookies (that is, if you do so, of course).
Secondly, it must be indicated that you reserve the right to store and subsequently use the email addresses of those site visitors who send you an email or get in touch with you through the contact form. Also, your website must indicate that you determine the location of your visitors using their IP addresses; you will, willy-nilly, require this information to make your marketing campaigns smarter.
However, the legal measures you will need to take are not limited to your web presence. It is also necessary to review all the contracts you have with your counterparties and stipulate that the personal data you provide is treated by them in a GDPR-compliant fashion. In addition, the GDPR entails the need to review the legalities associated with your current employee relationships. In plain language, as an employer, you will be held responsible for any actions of your employees or sub-contractors that are in breach of the GDPR. This means that you must have well-thought-out NDAs in place.
Firewall any personal data storage you may have on your network and check your anti-virus (however trivial that may sound): from now on, you may be liable for any Trojan-powered data leakage that was previously considered trifling. Similarly, any remote access to your clients' data must be VPN-protected.
It also makes a lot of sense to opt for a trustworthy cloud-based data storage provider rather than host the data yourself: major data storage providers tend to have more protections in place and are thus likely to represent a more secure data storage option.
Finally, it is imperative that you develop a personal data disposal policy and implement the technical means of enforcing it. This means that the personal data you store must be automatically deleted at set intervals, as soon as it meets certain specified criteria. To enable this, you will also have to implement automatic scanning of all your data storage resources.
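As an added illustration of such a disposal policy engine (example code, not from the article; the categories, retention periods, record ids and the scan time are constructed): a scheduled scan that applies a per-category retention period, honours erasure requests, treats uncategorized data as having no basis to be kept, and returns what it deleted so the run can be logged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Retention period per data category. Constructed for this example; real values
# come from the vendor's written disposal policy and the purpose of each store.
RETENTION: Dict[str, timedelta] = {
    "support_ticket": timedelta(days=365),
    "test_fixture": timedelta(days=30),
    "marketing_lead": timedelta(days=180),
}

NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed "current time" of the scan

@dataclass
class Record:
    record_id: str
    category: str
    created_at: datetime
    erasure_requested: bool = False  # the data subject asked for deletion

def meets_disposal_criteria(rec: Record, now: datetime) -> bool:
    """True when the record must go: erasure was requested, the category's
    retention period has elapsed, or no rule covers the category at all."""
    if rec.erasure_requested:
        return True
    limit = RETENTION.get(rec.category)
    if limit is None:
        return True
    return now - rec.created_at >= limit

def scan_and_purge(store: Dict[str, Record], now: datetime) -> List[str]:
    """Scan one storage resource, delete every record meeting the criteria and
    return the purged ids so the scheduled run can be logged for accountability."""
    purged = sorted(rid for rid, r in store.items() if meets_disposal_criteria(r, now))
    for rid in purged:
        del store[rid]
    return purged

def sample_store() -> Dict[str, Record]:
    # Constructed records, one per disposal criterion plus one that must be kept.
    utc = timezone.utc
    rows = [
        Record("t1", "support_ticket", datetime(2017, 1, 15, tzinfo=utc)),   # expired
        Record("t2", "support_ticket", datetime(2018, 3, 1, tzinfo=utc)),    # keep
        Record("f1", "test_fixture", datetime(2018, 4, 20, tzinfo=utc)),     # expired
        Record("l1", "marketing_lead", datetime(2018, 5, 1, tzinfo=utc), True),  # erasure
        Record("x1", "legacy_export", datetime(2018, 5, 30, tzinfo=utc)),    # no rule
    ]
    return {r.record_id: r for r in rows}
```

In a real deployment the same scan runs against every storage resource the inventory lists, and the returned ids go to an append-only log that demonstrates the policy is actually enforced.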
Lastly and importantly, there are also some organizational measures that can significantly reduce the inflow of data your employees have to deal with, thereby also reducing the odds of a data leak.
What are those measures?
First of all, it would be prudent to convince your clients to have their hosted data processed remotely whenever possible, thus avoiding copying this data to your infrastructure in the first place. For instance, fixing a bug does not necessarily require one of your developers to import a truckload of personal data from a client’s network; it can well be handled via remote access.
Moreover, it is advisable that the same policy also be applied to any testing and integration activities. In addition to giving you a host of purely technical and organizational advantages, setting up your testing and integration environments within your client's infrastructure will render the client data a lot less vulnerable to theft and misuse. In this case, the data will not have to be taken outside the client's network and will thus remain protected by their established security measures.
However, in many instances, the above may simply not be possible due to the client’s company policy, their technical capabilities, or just the way they build their vendor relationships. In this case, there are two ways that you can curb the personal data-related risks:
Use data scrambling: replace meaningful personal data with arbitrary symbols or fictitious data. The approach works well for both app development and software testing purposes. It can be applied in the cloud, and it is relatively easy to implement thanks to the large number of readily available software solutions intended for this purpose.
Store all the personal data you need to deal with in easily controllable environments that can be quickly accessed by your employees in accordance with their clearance, and frequently scanned for outdated data that can be deleted.
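An added example of the data scrambling described in the first option above (example code, not the article's or any vendor product's; the key, the field list and the sample rows are constructed): a keyed pseudonym keeps customer_id consistent across tables so a scrambled test database still joins, while names, emails, addresses and IP addresses are replaced or coarsened.

```python
import hashlib
import hmac
import ipaddress
from typing import Any, Callable, Dict

# Secret for deterministic pseudonyms. Constructed for this example; in practice
# it stays with the data owner and never travels with the scrambled data.
PSEUDONYM_KEY = b"example-only-key-rotate-per-dataset"

def pseudonym(value: str, field: str, length: int = 12) -> str:
    """Keyed hash: one real value always gives one token, so joins between
    scrambled tables still work, but the token is irreversible without the key.
    Mixing in the field name keeps tokens field-specific."""
    mac = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]

def mask_email(addr: str) -> str:
    """Tokenize the local part, keep the domain for domain-dependent logic."""
    local, _, domain = addr.partition("@")
    return f"{pseudonym(local, 'email')}@{domain}"

def truncate_ip(addr: str) -> str:
    """Drop host bits (/24 for IPv4, /48 for IPv6): coarse location survives,
    the individual machine does not."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

# Which fields are personal data and how each is scrambled (constructed policy).
SCRAMBLERS: Dict[str, Callable[[Any], Any]] = {
    "customer_id": lambda v: pseudonym(str(v), "customer_id"),
    "full_name": lambda v: "Person " + pseudonym(v, "full_name", 8),
    "email": mask_email,
    "home_address": lambda v: "[address removed]",  # fictitious replacement
    "ip_address": truncate_ip,
}

def scramble_record(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of rec with every personal-data field replaced; other fields
    (amounts, timestamps, status codes) pass through unchanged."""
    return {k: SCRAMBLERS[k](v) if k in SCRAMBLERS and v is not None else v
            for k, v in rec.items()}

# Constructed sample: two tables that share customer_id.
CUSTOMERS = [{"customer_id": 1001, "full_name": "Anna Example",
              "email": "anna@example.com", "home_address": "1 Example Street",
              "ip_address": "203.0.113.77"}]
ORDERS = [{"order_id": 7, "customer_id": 1001, "amount": 42.5}]
```

Run the scrambler on the export before it leaves the client's network; the only thing that must never leave with it is the key.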
On the other side of the issue, your employees, while professionals in their respective areas, may not be so well aware of the importance of the way they handle your clients’ data, or of the implications that any breach of security, or even a mere omission on their part, can now have for your company. That is why your personal data storage policy can even be set out in your employment agreements, with a view to ensuring a greater degree of acceptance and understanding of this policy by your staff.
In conclusion, one should also mention that the implementation of the GDPR by a software development vendor can be greatly facilitated by taking a centralized approach. It is advisable that you appoint a suitably qualified employee or group of employees who will be permanently responsible for the process and its outcomes.