In the field of the software business, services that have been designed with security in mind will succeed in the future. Ensuring data security is not a transient trend and even at EU level it has become an important topic. In the spring of 2018, for the safety of all of us, a new EU data protection regulation, more commonly known as the GDPR, came into force. The regulation sets its own requirements for software and its design.
This GDPR Regulation applies in particular to the processing of personal data of employees and customers. As a result, it affects almost every company – and especially those involved in the development of services containing personal data.
What things does a software developer need to consider in order for services and processes to pass the EU GDPR screen?
1. Start by identifying risks
For starters, it is necessary to assess the risks of the service in relation to the processing of personal data. Where does the information come from, where does it go, and how does it affect individuals’ privacy? And what effect will it have on individuals if their information leaves the system and ends up in the wrong hands? Of course, greater care must be exercised with patient information system data than with a simple e-mail registry.
One way to map risks is through the Privacy Impact Assessment (PIA) process. It examines the risks to data subjects of processing or leaking personal data. It can be used to define the necessary security controls, i.e. measures to improve security in order to manage risks.
2. Consider security in the application development process
The secure processing of personal data must be taken into account when designing the service and must be part of the application development process. A good guideline is that the fewer people have access to personal information, the better. Software test and production environments are kept separate. Often, developers only have access to a test environment that uses fictitious sample data for test situations instead of real personal information.
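A concrete way to keep real personal data out of the test environment is to pseudonymize production records in the pipeline that builds test fixtures. The following Go program is an added example, not code from the article: it assumes a constructed Customer record shape, replaces names with obviously fake ones, and turns e-mail addresses into stable keyed-HMAC pseudonyms so that uniqueness constraints and joins still work in the test database while the originals cannot be recovered without the key, which stays with the restricted build pipeline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Customer is a constructed example record shape; real schemas differ.
type Customer struct {
	ID    int
	Name  string
	Email string
	City  string // retained: low-risk and useful for testing regional logic
}

// PseudonymizeEmail derives a stable, non-reversible pseudonym for an e-mail
// address with a keyed HMAC. The same input always maps to the same output,
// so joins and uniqueness constraints still behave in the test database,
// but without the key the original address cannot be recovered.
// The key must live only in the (restricted) pipeline that builds test data.
func PseudonymizeEmail(key []byte, email string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	digest := hex.EncodeToString(mac.Sum(nil))
	// keep it syntactically an e-mail so validation code in tests still passes
	return "user-" + digest[:16] + "@example.invalid"
}

// FictitiousName replaces a real name with a generated one keyed on the
// record ID, so the output is deterministic and obviously fake.
func FictitiousName(id int) string {
	return fmt.Sprintf("Test Person %d", id)
}

// Pseudonymize returns a copy of the record that is safe to load into a
// test environment: direct identifiers are removed or replaced, while
// fields needed to exercise application logic are kept.
func Pseudonymize(key []byte, c Customer) Customer {
	return Customer{
		ID:    c.ID,
		Name:  FictitiousName(c.ID),
		Email: PseudonymizeEmail(key, c.Email),
		City:  c.City,
	}
}

func main() {
	key := []byte("constructed-demo-key-do-not-use-in-production")
	prod := []Customer{ // constructed sample rows, not real people
		{1, "Anna Example", "Anna.Example@mail.test", "Helsinki"},
		{2, "Bo Sample", "bo@mail.test", "Tampere"},
	}
	for _, c := range prod {
		fmt.Printf("%+v\n", Pseudonymize(key, c))
	}
}
```

Fields that carry no identifying risk (here City) are passed through unchanged, because a test database full of blanks exercises nothing; the decision of which fields to keep is exactly what the risk mapping from point 1 should give you.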
3. Evaluate the need for encryption
If data is transferred over the Internet, there is a risk that the data will fall into the wrong hands. Whenever personal data is transferred, it must be encrypted in transit. For example, in the case of web services, an encrypted HTTPS connection should be used. When storing data, the situation is more multidimensional, and the need for encryption and the encryption methods should be considered based on the results of the PIA analysis.
However, it is good to remember that different services contain different identifiers, and therefore there is no specific all-encompassing guideline in this case either. Risk mapping tells you the baseline. The purpose of each security control is to seek to reduce a specific identified risk.
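To make the at-rest side of this concrete, here is an added Go example (not code from the article) of field-level encryption driven by a per-field sensitivity decision. The policy table, field names and sensitivity levels are constructed assumptions standing in for what a real PIA would produce. Each sensitive field is sealed with AES-256-GCM, and the record ID plus field name is bound in as associated data so a ciphertext cannot be quietly moved to another row or column; any tampering makes decryption fail closed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sensitivity is the outcome of the risk mapping for one field.
type Sensitivity int

const (
	Public   Sensitivity = iota // e.g. country: stored in the clear
	Personal                    // e.g. e-mail: encrypt at rest
	Special                     // e.g. health data: encrypt, ideally separate key
)

// fieldPolicy is a constructed example of a per-field decision table; the
// real one comes out of the PIA, not from code.
var fieldPolicy = map[string]Sensitivity{
	"country":   Public,
	"email":     Personal,
	"diagnosis": Special,
}

// MustEncrypt reports whether the risk mapping requires the field to be
// stored encrypted.
func MustEncrypt(field string) bool {
	return fieldPolicy[field] >= Personal
}

// EncryptField seals plaintext with AES-256-GCM. aad (e.g. record id + field
// name) is authenticated but not encrypted, so a ciphertext cannot be
// silently reused for another record or column. Output is nonce || ciphertext.
func EncryptField(key []byte, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField reverses EncryptField and fails closed on any tampering
// with the ciphertext, nonce or associated data.
func DecryptField(key []byte, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, 32) // in practice: fetched from a KMS/HSM, never hard-coded
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	for field, value := range map[string]string{"country": "FI", "email": "anna@mail.test"} {
		if !MustEncrypt(field) {
			fmt.Printf("%s: stored in clear: %s\n", field, value)
			continue
		}
		aad := []byte("customer:42:" + field) // binds ciphertext to row and column
		sealed, err := EncryptField(key, []byte(value), aad)
		if err != nil {
			panic(err)
		}
		back, err := DecryptField(key, sealed, aad)
		fmt.Printf("%s: %d sealed bytes, decrypts to %q (err=%v)\n", field, len(sealed), back, err)
	}
}
```

The policy lookup is the part that changes from service to service; the sealing code does not. That separation is what lets the risk mapping, rather than a blanket rule, decide which identifiers are encrypted.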
4. Make sure that the security status of the application is monitored
The EU Data Protection Regulation (GDPR) is accompanied by a legal act requiring breaches to be reported to the EDPS and, if necessary, to data subjects within 72 hours. So, when building an application, it is worth considering how a breach would be noticed and reported in time. For example, the logging of the processing of personal data in software should be considered at the design stage.
In addition, the application must be able to be monitored regularly and its security verified. Besides the EU authorities, this is also of interest to customers and corporate data protection officers. The security status of the application can be verified, for example, with various security testing services.
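Designing the processing log up front means deciding what one record contains and what you will look for in it. The Go program below is an added example, not the article's code: it assumes a constructed audit event shape (actor, action, pseudonymized subject id, purpose), writes each event as one JSON line, and scans the log for an actor touching an unusual number of distinct data subjects within a short window, one of the signals that starts the 72-hour clock. Sample events are constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// AccessEvent is one audit record of personal data being processed.
// SubjectID is already a pseudonym, so the log itself is not another copy
// of the personal data. Assumed field names; not from the article.
type AccessEvent struct {
	Time      time.Time `json:"time"`
	Actor     string    `json:"actor"`
	Action    string    `json:"action"` // read, update, export, delete
	SubjectID string    `json:"subject"`
	Purpose   string    `json:"purpose"` // legal basis / business reason
}

// LogLine renders an event as one JSON line for the audit log.
func LogLine(e AccessEvent) (string, error) {
	b, err := json.Marshal(e)
	return string(b), err
}

// BulkAccessActors returns actors who touched more than maxSubjects distinct
// data subjects within any sliding window of the given length. A spike like
// that is one signal of a leak (scraping, mass export) that the 72-hour
// notification deadline depends on noticing quickly.
func BulkAccessActors(events []AccessEvent, window time.Duration, maxSubjects int) []string {
	byActor := map[string][]AccessEvent{}
	for _, e := range events {
		byActor[e.Actor] = append(byActor[e.Actor], e)
	}
	var flagged []string
	for actor, evs := range byActor {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := range evs {
			seen := map[string]bool{}
			for j := i; j < len(evs) && evs[j].Time.Sub(evs[i].Time) <= window; j++ {
				seen[evs[j].SubjectID] = true
			}
			if len(seen) > maxSubjects {
				flagged = append(flagged, actor)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// SampleEvents builds constructed audit events: "support-1" does normal
// case work, "batch-7" reads many subjects within a few seconds.
func SampleEvents(base time.Time) []AccessEvent {
	ev := []AccessEvent{
		{base, "support-1", "read", "subj-a1", "ticket 101"},
		{base.Add(30 * time.Minute), "support-1", "read", "subj-b2", "ticket 102"},
	}
	for i := 0; i < 5; i++ {
		ev = append(ev, AccessEvent{
			base.Add(time.Duration(i) * time.Second), "batch-7", "export",
			fmt.Sprintf("subj-%02d", i), "unknown",
		})
	}
	return ev
}

func main() {
	base := time.Date(2018, 5, 25, 9, 0, 0, 0, time.UTC)
	events := SampleEvents(base)
	for _, e := range events {
		line, _ := LogLine(e)
		fmt.Println(line)
	}
	fmt.Println("flagged:", BulkAccessActors(events, 10*time.Minute, 3))
}
```

The window and threshold are tuning knobs that depend on the service's normal workload; the point is that the question "who accessed whose data, when and why" can be answered from the log at all, which is what a regulator, a customer or a data protection officer will ask first.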