On May 25, you probably received way more emails than usual. All those online mailing lists that you didn’t know you were subscribed to as well as all kinds of web apps and websites you’re using probably notified you about changes in their privacy policies.
Everyone from Google and Amazon to the smallest one-person companies have updated their rules on handling your data in response to GDPR, a new European Union regulation aimed at protecting the private data of EU residents. But you probably received emails and notifications even if you don’t reside in EU, since it’s way easier for companies that operate globally to apply changes to all users than to try to single out EU residents.
And now that GDPR is in effect, everybody has updated their policies and moved on, right? But what about new applications? When you’re making a new product – regardless of how big or small – if you’re planning to operate in Europe you need to make sure that your application is GDPR compliant. It’s also way easier and cheaper to make a GDPR compliant app from scratch than to try to update an old solution that doesn’t have the right feature set to comply or, sometimes, even the ability to implement such features due to early design decisions.
If you’re wondering what exactly you need to do to make your app GDPR compliant and particularly what little choices you need to make at the early stages when designing it and establishing the basic architecture, we’ve got you covered. In this article, we discuss the main things you need to include in any new project to make sure it’s GDPR compliant.
The General Data Protection Regulation, or GDPR, is a European Union law that covers data privacy and data processing. The main point of the law is to unify rules on data privacy and disputes regarding data privacy across all EU member states as well as to make data privacy rules friendlier for data owners (so-called “data subjects” in the law). The spirit of the law is to make handling of personal data transparent and to provide users with control over their data.
GDPR defines personal user data as any information that’s related to or that can be used to identify a specific person. This means that location data and online identifiers are also considered personal data. The law is applied universally to all industries and all situations, making it the single widest data privacy regulation in terms of its scope.
One of the points of GDPR is to provide more control for data owners. To accomplish this, several new rights have been introduced for data subjects:
- The right to be informed – Data subjects have the right to know when their data is being collected and for what purpose.
- The right to access – Data subjects have the right to access their own personal data.
- The right to rectification – Data subjects have the right to request changes and corrections to their data.
- The right to erasure – Data subjects have the right to request that their data be deleted.
- The right to restrict processing – Data subjects have the right to prohibit a specific company from processing their data.
- The right to data portability – Data subjects have the right to request a copy of their data and to move their data fully to other processors.
- The right to object to data processing or marketing activities including profiling – Data subjects have the right to object to processing of data regardless of its lawfulness and also to object to any marketing activities performed with their data, including any automatic actions and decisions.
For data processors and controllers, GDPR brings increased accountability. This includes the need to protect data, monitor all data access, and log all processing activities. Any breaches should be reported no later than three days after they happen. Non-compliance with any GDPR rules can result in extremely hefty fines (2–4% of global revenue).
If you want to read more on key GDPR changes, check out the official EU data protection page.
At this point, it’s hard to say how strictly GDPR will be enforced. Particularly when it comes to small businesses, many hope that some leeway will be granted since a lot of GDPR rules are extremely hard and costly to implement.
What’s more important when trying to comply with the regulation is to follow the spirit of it rather than to follow every rule to a T. There are four main principles on which GDPR is built that you need to understand and base your compliance around:
- Don’t gather data you don’t need
When it comes to user data, it’s important to approach it with the right mindset. You need to understand that user data belongs to the user and that even if they share something as trivial as an email address with you, you’re still not free to use it as you please. Thus, it’s extremely important to gather as little data as possible. Gather only information that you need to provide your service and you’re pretty much already halfway to GDPR compliance.
- Don’t store data longer than necessary
It’s also important to make sure that any personal data that you do store is actually necessary for providing your service. If you don’t need certain types of data, you should delete it. Generally speaking, the less data you store, the less chance that you’ll get in trouble.
- You don’t necessarily always need consent
Asking users for their consent after every action that they take on your website or within your app is just as inconvenient for users themselves as it is for you. It’s unreasonable to display consent forms every time information is exchanged between a user and the app. Thus, GDPR allows you to collect user information without explicit consent. This usually applies to instances when it would be common sense to process user data or when it’s impossible to provide the necessary service without processing data.
The basis for such processing is called legitimate interest, and there are a lot of things you can get away with even without explicit consent. However, what’s important is that you process data in a way that’s consistent with the purpose of the service you provide. It’s one thing to use user data in order to personalize the user experience and it’s another to use it for personalized advertising outside of your app or service.
- Don’t assume that third parties are compliant
When you transfer user data to a third party, that third party becomes a data processor. Any breaches or other events that compromise user data become your shared responsibility. When a user requests changes to or deletion of their data, you not only need to comply yourself but you also need to notify all third-party data processors of this request.
Thus, it’s important that any third parties you work with are also GDPR compliant and capable of reliably protecting user data. Don’t assume that just any third party offering you a partnership is compliant. Instead, enforce compliance via service-level agreements. It’s also important to make sure that third parties cannot access user data anonymously.
The four principles mentioned above are important for any product, regardless of industry or intended audience. However, there are also other features that you may consider implementing based on your situation.
- Ability to request and re-request consent from users – While explicit consent isn’t always needed, in many instances it becomes necessary. Your application needs to be able to request and re-request user consent as needed. Consent should be requested per processing activity and there should be an option for a user to withdraw their consent. Your consent checkboxes also should never be pre-selected.
- Ability to see data of an individual user – Give users a way to view all of the data you hold about them, for example a UI form that displays it. Ideally, you should even allow unregistered users to check whether you’re storing their data. A form isn’t strictly required; you can also send users their data via email, for example. Since users rarely request to see their own data, this feature doesn’t need high priority.
- Ability to edit data of an individual user – Users should be able to edit their own data themselves. It’s way more cost-effective to implement a form for users than to force them to go through support personnel who manually edit their data.
- Ability to delete data of an individual user – You need to be able to remove all data related to an individual user. Simply deleting rows may not always be desirable, though; sometimes you may want to use nullable foreign keys so that related records (orders, invoices) stay consistent after the user row is gone.
- Ability to quickly notify third parties and delete data on their end – When a user requests deletion of all their data, you as a data controller need to notify any third-party data processors to whom you have transferred that user’s data of the need to delete said data.
- Ability to export data of an individual user – You need to be able to fully export all data regarding an individual user. The process doesn’t necessarily have to be automatic, however. You can manually query a database if necessary. But if you can, it would be great to implement an automatic export feature.
All of the above features can be implemented in a variety of ways depending on the type and structure of your database. For example, if you use a blockchain-like structure, it can be very hard to edit or delete user data, and thus the best solution is to not add it in the first place.
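The feature list above (per-activity consent with withdrawal and re-request, access and export, rectification, erasure with nullable foreign keys) is easiest to see as one small data layer. The following is an added example written for this article, not code from the original post or from any product it describes; the SQLite schema, the table and function names, and the allow-list of user-editable columns are assumptions made for the illustration.

```python
"""Added example, not code from the original article: a minimal data-subject
rights layer on SQLite covering per-purpose consent (grant, withdraw,
re-request), access/export, rectification and erasure. The schema, table
and function names are assumptions made for this illustration."""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE users (
    id           INTEGER PRIMARY KEY,
    email        TEXT NOT NULL UNIQUE,
    display_name TEXT
);
-- Nullable foreign key: erasing a user keeps the order rows (and the books)
-- consistent instead of cascading the delete into financial records.
CREATE TABLE orders (
    id           INTEGER PRIMARY KEY,
    user_id      INTEGER REFERENCES users(id) ON DELETE SET NULL,
    amount_cents INTEGER NOT NULL
);
-- One row per (user, purpose): consent is recorded per processing activity,
-- and a row only ever exists after an explicit opt-in (nothing pre-selected).
CREATE TABLE consents (
    user_id      INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    purpose      TEXT NOT NULL,
    granted_at   TEXT NOT NULL,
    withdrawn_at TEXT,
    PRIMARY KEY (user_id, purpose)
);
"""

USER_EDITABLE = {"email", "display_name"}   # allow-list for rectification


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite ignores FK actions without this
    conn.executescript(SCHEMA)
    return conn


def add_user(conn, email, display_name=None) -> int:
    cur = conn.execute("INSERT INTO users (email, display_name) VALUES (?, ?)",
                       (email, display_name))
    conn.commit()
    return cur.lastrowid


def add_order(conn, user_id, amount_cents) -> int:
    cur = conn.execute("INSERT INTO orders (user_id, amount_cents) VALUES (?, ?)",
                       (user_id, amount_cents))
    conn.commit()
    return cur.lastrowid


def record_consent(conn, user_id, purpose) -> None:
    """Grant (or re-request and re-grant) consent for one purpose; clears any withdrawal."""
    conn.execute(
        "INSERT OR REPLACE INTO consents (user_id, purpose, granted_at, withdrawn_at) "
        "VALUES (?, ?, ?, NULL)",
        (user_id, purpose, _now()))
    conn.commit()


def withdraw_consent(conn, user_id, purpose) -> None:
    conn.execute("UPDATE consents SET withdrawn_at = ? WHERE user_id = ? AND purpose = ?",
                 (_now(), user_id, purpose))
    conn.commit()


def has_consent(conn, user_id, purpose) -> bool:
    """Default is False: no row means no consent, and a withdrawn row counts as none."""
    row = conn.execute("SELECT withdrawn_at FROM consents WHERE user_id = ? AND purpose = ?",
                       (user_id, purpose)).fetchone()
    return row is not None and row["withdrawn_at"] is None


def export_user(conn, user_id):
    """Right of access / portability: every row held about the user, or None if unknown."""
    user = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    if user is None:
        return None
    orders = conn.execute("SELECT id, amount_cents FROM orders WHERE user_id = ?",
                          (user_id,)).fetchall()
    consents = conn.execute("SELECT purpose, granted_at, withdrawn_at FROM consents "
                            "WHERE user_id = ?", (user_id,)).fetchall()
    return {"user": dict(user), "orders": [dict(o) for o in orders],
            "consents": [dict(c) for c in consents]}


def rectify_user(conn, user_id, **fields) -> None:
    """Right to rectification. Column names come only from the allow-list above,
    never from the caller, so the f-string cannot be used for injection."""
    unknown = set(fields) - USER_EDITABLE
    if unknown:
        raise ValueError(f"not user-editable: {sorted(unknown)}")
    if not fields:
        return
    assignments = ", ".join(f"{col} = ?" for col in fields)
    conn.execute(f"UPDATE users SET {assignments} WHERE id = ?", (*fields.values(), user_id))
    conn.commit()


def erase_user(conn, user_id) -> bool:
    """Right to erasure: the user row goes, consents cascade, orders keep a NULL user_id."""
    cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
    conn.commit()
    return cur.rowcount == 1


def orphaned_order_count(conn) -> int:
    """Orders that survived an erasure with their user reference nulled."""
    return conn.execute("SELECT COUNT(*) FROM orders WHERE user_id IS NULL").fetchone()[0]
```

The two points worth copying are that `has_consent` fails closed (no row or a withdrawn row both mean "no"), and that erasure is a single `DELETE` whose side effects are declared in the schema, so a future table cannot silently keep a reference to a user who asked to be forgotten: it either cascades or goes nullable, and the choice is reviewed where the table is defined.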
The spirit of the law dictates that data controllers and processors should make every effort to protect user data. The protection of user data is required by many different regulations, and since a data breach by itself can be a major liability, it’s always good practice to implement measures for protecting user data.
The tips below are universal and can help protect data in any situations and for any purposes, GDPR compliance being just one of them:
- Always encrypt user data – Regardless of whether data is at rest or in transit, you should always make sure that it’s encrypted with a reliable encryption algorithm. It’s also necessary to encrypt all your backups.
- Protect the authentication procedure – Using multi-factor authentication and logging all access to personal data are two minimum steps that you should take to ensure that access to data is thoroughly protected.
- Log all interactions with personal data – While GDPR doesn’t require any logging tools to be built into your app or web service, it’s common sense to include them as both a safety measure and a testing tool. Strive to log all connections to and all interactions with personal data to ensure that it’s processed correctly.
- Pseudonymize personal data before using it for development – Large sets of personal data can be extremely useful in development. They can be used in quality assurance in a variety of cases or they can be used as a basis when developing a machine learning system. Regardless of how you use it, you should always pseudonymize user data to the point where original data subjects are no longer identifiable. Pseudonymization should be applied automatically, and certain databases already have this feature built in.
- Register all API users – Never allow anonymous API access to the personal data you’re storing. You should always require at least some form of contact information from any company that wants to use your API. In terms of GDPR, any such company can be considered an additional data processor, and you, as a data controller, will share responsibility for their failure to comply with GDPR.
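The pseudonymization and logging points above are concrete enough to show in code. The following is an added example written for this article, not code from the original post or from any database product it alludes to; the column classification, the keyed-hash scheme, the audit record layout and the sample rows are all assumptions made for the illustration. It goes slightly beyond the text in that every column is classified explicitly and unclassified columns are dropped rather than passed through.

```python
"""Added example, not code from the original article: pseudonymizing a
production extract before it reaches a QA or development environment, with a
structured audit record of the run. The field classification, key handling
and sample rows are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed sample rows standing in for a production export.
PRODUCTION_ROWS = [
    {"id": 101, "email": "ana@example.test", "name": "Ana Souza", "birth_date": "1989-07-14",
     "ip": "203.0.113.7", "notes": "Prefers phone contact", "plan": "pro", "country": "PT"},
    {"id": 102, "email": "bo@example.test", "name": "Bo Lindqvist", "birth_date": "1995-02-02",
     "ip": "198.51.100.23", "notes": "", "plan": "free", "country": "SE"},
    # Same person as row 101 from a second account: the tokens must line up.
    {"id": 103, "email": "ana@example.test", "name": "Ana Souza", "birth_date": "1989-07-14",
     "ip": "203.0.113.7", "notes": "Duplicate signup", "plan": "free", "country": "PT"},
]

# Every column is classified explicitly; anything unclassified is dropped (fail closed).
TOKENIZE = {"id", "email", "ip"}     # direct identifiers: replaced by keyed tokens
GENERALIZE = {"birth_date"}          # quasi-identifier: coarsened to the year
KEEP = {"plan", "country"}           # coarse attributes developers actually need
DROP = {"name", "notes"}             # free text: high re-identification risk, no test value


def new_pseudonymization_key() -> bytes:
    """Generated once per extract and kept out of the dev environment (for example in
    the production secrets store); without it tokens cannot be tied back to people."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value) -> str:
    """HMAC-SHA256 over field name plus value. Same input gives the same token, so
    joins still work downstream. A plain unkeyed hash would let anyone confirm a
    guessed email by re-hashing it; the secret key is what prevents that."""
    mac = hmac.new(key, f"{field}\0{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymize_row(key: bytes, row: dict) -> dict:
    out = {}
    for field, value in row.items():
        if field in TOKENIZE:
            out[field] = pseudonym(key, field, value)
        elif field in GENERALIZE:
            out["birth_year"] = str(value)[:4]
        elif field in KEEP:
            out[field] = value
        # DROP and unclassified fields are not copied
    return out


def pseudonymize_dataset(key: bytes, rows: list, actor: str, purpose: str):
    """Returns the pseudonymized rows plus an audit record of the processing activity
    (who ran it, why, how many records, which fields left the boundary)."""
    result = [pseudonymize_row(key, r) for r in rows]
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "purpose": purpose,
        "records_in": len(rows),
        "records_out": len(result),
        "fields_out": sorted({f for r in result for f in r}),
        "key_id": hashlib.sha256(key).hexdigest()[:8],  # names the key without revealing it
    }
    return result, audit


def leaks_raw_identifiers(pseudonymized: list, originals: list) -> bool:
    """Pre-handover check: no original email, IP address, name or note may appear
    verbatim anywhere in the output."""
    blob = repr(pseudonymized)
    for row in originals:
        for field in ("email", "ip", "name", "notes"):
            value = str(row[field])
            if value and value in blob:
                return True
    return False
```

The audit record is the "log all interactions with personal data" point applied to the one place where data deliberately leaves production: it records the actor, the purpose and the key identifier, which is what an investigator needs after an incident and what a processing register needs for the right to be informed. Rotate the key per extract so that two dev datasets cannot be joined against each other.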
GDPR is a great example of the Brussels effect, where regulations made in the EU impact non-EU countries. Even if you’re based in the US, you should definitely make an effort to comply with GDPR in order not to lose users in Europe. While compliance may look like a daunting task at first, writing your app to be GDPR compliant from the ground up will make it easy and cost-effective to achieve the desired results. And if you need help with writing a compliant app or making your existing app compliant, our developers with extensive knowledge and expertise in cybersecurity and web app development are always ready to help you out.