The General Data Protection Regulation (GDPR) protects the privacy of personal data of European Union (EU) residents exclusively. Yet as a software creator, you can’t always tell whether a user or website visitor is a resident of a specific country or region. If there’s the slightest chance that one of your users might be from the EU, it’s best to make your app GDPR compliant and thus avoid severe fines and reputational damage.
The good news is that you can easily achieve the necessary level of data security with the right approach to software development and testing. In this article, we overview some ground requirements of the GDPR and offer you five tips for creating a GDPR compliant app.
The GDPR is an EU data and privacy protection law that came into force in May 2018. While passed by the European Parliament and aimed at protecting the rights of EU citizens, this law affects businesses and organizations all around the globe.
According to the GDPR, any data related to an individual — their name, email address, and even eye color — is considered personal. The regulation relies on the Privacy by Design framework, encouraging software creators to build their solutions with data privacy in mind.
While it’s natural that any software created for and distributed within the EU should comply with the GDPR, you might need to meet the requirements of this regulation even if you operate outside the EU. Just consider the answers to the following four questions:
1. Do EU residents use your solution?
2. Do you collect user emails and logins?
3. Do you collect personal data for product shipping?
4. Do you use any third-party services that process user data (analytics, user authentication, etc.)?
If you answer “Yes” to at least one of these questions, then you’d better make sure that your software and your website comply with GDPR requirements.
Failing to meet the requirements of the GDPR can cost you up to 20 million euros or up to 4% of your annual turnover.
The key goal of the GDPR is to give EU citizens proper control over the use of their personal data by businesses and organizations. The law does this by granting users a set of rights regarding the processing of personal data. Let’s take a closer look at them and the abilities you would need to provide your software users with to satisfy these rights:
The need to comply with the GDPR has little effect on basic software development and testing choices, like what programming language to use or which test automation tool to deploy. However, you need to account for GDPR requirements every time you need to process users’ personal data when building and testing your product.
In the next section, we discuss five ways you can ensure that your solution complies with the GDPR.
Paying close attention to ensuring strong data protection and maintaining user data privacy throughout each stage of the software development lifecycle (SDLC) is the key to building a GDPR compliant app. Below, we list five essential tips to meet GDPR requirements while working on your product:
Now, let’s take a closer look at each of these steps.
Building a GDPR compliant product is all about establishing proper data protection and management routines.
Under the GDPR, businesses and organizations should only collect personal data that’s absolutely necessary to deliver their services. Thus, you can start with assessing what personal data of your users you gather and which of that data you truly need and for how long.
The data you collect should be securely processed and stored. To do this, consider applying strong encryption algorithms to secure all sensitive information both in transit and at rest. Also, make sure your solution uses secure communication protocols such as TLS/SSL and HTTPS.
To audit your data collection activities, log and document all data that you collect, handle, and delete, including data you get from third parties.
Make sure to delete any personal data that you don’t need to deliver your services. For instance, if your solution uses payment gateways, remove any unnecessary personal data from your system once the transaction is completed.
Finally, if there’s a data breach, you must notify the authorities within 72 hours after its detection. It’s also your duty to identify and inform all individuals impacted by the breach.
The GDPR requires businesses and organizations to explicitly request and receive consent before collecting and processing a user’s personal data. This also applies to any data collected for analytics, advertising, and crash logging.
First, explain to your users why you need a particular type of data. Then, provide them with clear and understandable options for giving and withdrawing their consent to have their data collected, receive notifications and emails, etc. For example, you can add a starting page enabling your user to opt in and a separate page enabling your user to opt out of these activities at any moment.
However, this doesn’t mean that you have to ask users for their consent after every action they take on your website or within your app. The GDPR allows you to collect user information without explicit consent in cases when it would be common sense to process user data or when it’s impossible to provide the necessary service without processing data.
Also, keep in mind that according to GDPR requirements, any user has the right to have their data deleted from your application upon request. This means that:
- A user must be able to place such a request either via your application or on your website, if you have one.
- You need to be able to track and delete a user’s data across your application’s databases and servers as well as pass on this request to any third parties using this data.
To maintain GDPR compliance, it’s also important to secure a user’s personal data from unauthorized access. One way to do that is by implementing two-factor authentication. In this way, you can validate that the person logging in to a user’s account is indeed the account owner.
Additionally, consider implementing single sign-on so that you don’t receive, process, and store any personal data except for what’s needed to authenticate a user.
If your user authentication procedures rely on the use of security questions, make sure to avoid questions asking for a user’s personal information: names of relatives and pets, phone numbers, etc.
Simply assuming that your subcontractors and third-party services you work with are GDPR compliant isn’t the best choice. As a data processor, you are responsible for the security of all user data you collect and use. Furthermore, according to the GDPR, even if a data breach happens on your subcontractor’s side, you’ll share the responsibility. This is why it’s important to make sure that all third parties and software development kits (SDKs) connected to your application comply with the GDPR.
The GDPR also requires signing a Data Processing Agreement with all your data processors, so make sure you have those sorted out.
Quality assurance (QA) helps software creators validate an application against specified parameters and see if all critical requirements are met. To make sure your product meets all GDPR requirements, it’s essential to add GDPR compliance-related checks to your general software testing routines.
In addition to checking your application against GDPR requirements, it’s important to execute software testing in a GDPR compliant way. You need to make sure that no personal user data is available to people who aren’t supposed to see it, including QA specialists, developers, and even business owners.
It’s also important to document the use of personal data for testing, including data backups and replicas. In this way, you’ll be able to precisely track and analyze the movement of users’ sensitive data across your testing environments, which makes it easier to manage and secure such data.
To reduce the risks of data leaks and disclosure, try to avoid using personal data when testing your application. Instead of genuine production data, you can use a masked version of actual data, synthetic data, or a combination of both.
Finally, consider running additional security or penetration testing. This will help you make sure your application is properly secured against cyber attacks and doesn't contain vulnerabilities that may lead to a data leak.
Developing a GDPR compliant app may seem challenging. To achieve compliance, implement the necessary data protection measures at each stage of your SDLC that requires processing users’ personal data.
To develop a GDPR compliant app from scratch, plan its entire design with personal data privacy protection in mind. Achieving GDPR compliance for an existing solution would require you to thoroughly revise not only your data processing routines but all of your Privacy Policies and Terms as well as consent forms.