May 25, 2018 is the date from which GDPR applies across the EU. Here are some key points you should look at:
The Changing Privacy Landscape
The revamp comes in two parts.
First is the General Data Protection Regulation (GDPR), which replaces the Data Protection Directive of 1995 (Directive 95/46/EC). Unlike a directive, a regulation applies directly in every member state without waiting for national implementing law.
All of the existing principles from the original Directive stay with us under GDPR. What GDPR adds are new definitions and requirements reflecting technology that simply did not exist in the dial-up era.
The second is the revamp of the ePrivacy Directive of 2002 (2002/58/EC)
(You know it, somewhat inaccurately, as the “cookie law.”) This revamp deals with data in transit: cookies, telemetry, metadata, and consent for marketing communications. The replacement ePrivacy Regulation is still in draft; look for a deadline of late this year or the beginning of 2019.
What should you know about these changes?
GDPR pertains to personal data:
defined in Article 4(1) as “any information relating to an identified or identifiable natural person.”
This includes combinations of data points that, taken together, single out a person, as well as:
• Genetic data
• Biometric data (such as facial recognition or fingerprint logins)
• Location data
• Pseudonymized data (still personal data, because whoever holds the key or lookup table can re-identify the subject)
• Online identifiers (IP addresses, cookie IDs, device identifiers)
It also includes the special categories of personal data (what the Directive called sensitive personal data). These require stricter protection and a specific legal basis before you may process them at all; pay attention, devs:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Health data
• Sex life or sexual orientation
• Past or spent criminal convictions and offences (handled under a separate article from the categories above, but equally restricted)
Personal data is collected, stored and manipulated by data controllers and data processors. The controller decides why and how the data is processed: typically you or the organization you represent. A data processor is any entity that processes the data on the controller's behalf (a hosting provider, an analytics vendor, an e-mail service). Under GDPR both carry direct obligations, and the controller must bind each processor with a written contract covering security measures and any sub-processors.
GDPR covers only Europe, right? No.
GDPR applies to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour. So if you handle data about people in the EU (customers, users, business contacts) you must protect it under GDPR. The fact that the USA currently has no comparably far-reaching data protection law is not a reason to push this under the rug. The US mostly treats these questions under contract and property law, for now, but the internet has no borders and the two sets of practices will collide soon; start aligning with GDPR as far as your purview allows. Where the law does not prescribe specific protections, the responsibility sits with the engineers who design and implement these systems.
What you can do now
The Privacy by Design framework
a seven-principle development methodology that requires the strongest data protection setting to be the default, across all uses and applications, rather than something the user has to switch on. GDPR turns this into a legal duty (Article 25, data protection by design and by default).
Privacy Impact Assessment (PIA)
GDPR calls this a Data Protection Impact Assessment (DPIA) and makes it mandatory for high-risk processing, such as large-scale processing of the special categories listed above.
TRAINING AND PROFESSIONAL DEVELOPMENT
cover the legal requirements, industry-specific rules, and the methodologies and frameworks your team will actually use
TECHNICAL AND SECURITY MEASURES
many data breaches begin internally, so think about access control and segregated data before you think about the perimeter
• Healthy data protection workflows
• Avoid unnecessary data capture or loss
• Require everyone on the project to work from a clearly defined and vetted set of code libraries, tools, and frameworks
Technical and security measures to address third parties
• Disable unsafe or unnecessary modules in APIs and third-party libraries
• Map where data is stored, how it is protected, encrypted, and sandboxed, and which third parties receive it
• Minimize collection in front-end and back-end design wherever data is gathered: every field you store is a liability, so collect only what the feature needs
• Delete data, automatically or through user action, when it is no longer needed; a retention period enforced by code beats a retention policy in a document
CONSENT AND SUBJECT ACCESS
• Provide better consent mechanisms and user controls; consent must be freely given, specific, informed and unambiguous, so pre-ticked boxes and consent bundled into the terms of service do not count
• Build UI for individual subject access rights: the right to access and download data (portability), to edit and correct it (rectification), to restrict processing, and to have it deleted (erasure). Think account settings.
• Develop ways to alert users to any applicable choices and options
• Enforce user consent in code: a processing path should check the recorded consent, not assume it
• Procedures such as penetration testing and regular testing of your security measures
• Test that data protection by default actually holds (a new account starts with the most private settings)
• Develop a way for the public to notify you of a suspected breach, and an internal process that can meet the 72-hour deadline for notifying the supervisory authority
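The technical measures above (pseudonymization, minimization at the point of collection, automatic deletion after a retention period, consent enforced in code) and the subject access rights just listed (export, rectification, restriction, erasure) are easiest to get right when they live together in one small data-access layer. What follows is an added example in Python, not code from the original post; every name, field, key and record in it is hypothetical, and the sample submissions are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical schema: the only fields this feature may collect. Minimisation
# happens at the point of collection; anything else is dropped on arrival.
ALLOWED_FIELDS = {"display_name", "country", "newsletter_opt_in"}


def pseudonymise(identifier, key):
    """Keyed HMAC-SHA256 of an identifier such as an e-mail address.

    An unkeyed hash of an e-mail is reversible by dictionary lookup, so a secret
    key is required and must live apart from the records. The output is still
    personal data under GDPR: the key holder can re-identify the subject.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class PersonalDataStore:
    """Records keyed by pseudonym, in memory here; a real system would use a database."""
    def __init__(self, key, retention):
        self._key = key              # from a key vault, never stored beside the data
        self._retention = retention  # timedelta after which unused records are purged
        self._records = {}
    def _rec(self, email):
        return self._records.get(pseudonymise(email, self._key))

    def collect(self, email, submitted, consent, now):
        # Store only permitted fields, and only when consent has been recorded.
        if not consent:
            raise PermissionError("no consent recorded; refusing to store data")
        pid = pseudonymise(email, self._key)
        self._records[pid] = {
            "data": {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS},
            "consent_at": now.isoformat(), "last_used": now, "restricted": False}
        return pid

    def process(self, email, now):
        # Ordinary processing path: honours a restriction, refreshes the retention clock.
        rec = self._rec(email)
        if rec is None or rec["restricted"]:
            return None
        rec["last_used"] = now
        return dict(rec["data"])

    # Subject access rights, as exposed in account settings.
    def export(self, email):  # right of access / portability
        rec = self._rec(email)
        return json.dumps({} if rec is None else
                          {"data": rec["data"], "consent_at": rec["consent_at"]}, sort_keys=True)

    def rectify(self, email, field, value):  # right to rectification
        rec = self._rec(email)
        if rec is None or field not in ALLOWED_FIELDS:
            return False
        rec["data"][field] = value
        return True

    def restrict(self, email):  # right to restriction: kept, but no longer processed
        rec = self._rec(email)
        if rec is None:
            return False
        rec["restricted"] = True
        return True

    def erase(self, email):  # right to erasure, triggered by the user
        return self._records.pop(pseudonymise(email, self._key), None) is not None

    def purge_expired(self, now):  # automatic erasure once the retention period lapses
        expired = [p for p, r in self._records.items() if now - r["last_used"] > self._retention]
        for p in expired:
            del self._records[p]
        return len(expired)
    def __len__(self):
        return len(self._records)


def demo():
    """Run the lifecycle on constructed input and return what each step produced."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = PersonalDataStore(b"hypothetical-secret-from-a-key-vault", timedelta(days=365))
    # Constructed submissions. "ssn" is not in the schema and is dropped on arrival.
    store.collect("Alice@Example.com", {"display_name": "Alice", "country": "DE",
                                        "ssn": "000-00-0000"}, consent=True, now=t0)
    store.collect("bob@example.com", {"display_name": "Bob"}, consent=True, now=t0)
    out = {}
    try:  # consent is enforced in code, not assumed
        store.collect("carol@example.com", {"display_name": "Carol"}, consent=False, now=t0)
        out["refused"] = False
    except PermissionError:
        out["refused"] = True
    later = t0 + timedelta(days=200)
    out["minimised"] = store.process("alice@example.com", later)   # no "ssn" present
    out["rectified"] = store.rectify("alice@example.com", "country", "FR")
    out["restricted"] = store.restrict("bob@example.com")
    out["bob_visible"] = store.process("bob@example.com", later)   # None while restricted
    out["export"] = json.loads(store.export("alice@example.com"))
    out["purged"] = store.purge_expired(t0 + timedelta(days=400))  # Bob, unused since t0
    out["erased"] = store.erase("alice@example.com")
    out["remaining"] = len(store)
    return out
```

Two design points worth noting: the pseudonym is a keyed HMAC rather than a bare hash, because e-mail addresses are a small enough space that an unkeyed hash is reversible by lookup; and the retention clock is refreshed only by the ordinary processing path, so a record a user has restricted keeps ageing and is still purged automatically, which is what you want.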
GDPR is really about adopting common-sense safeguards for data protection and privacy as fundamental parts of your development workflow.
Here are three starting points for making changes:
1. Anonymisation: managing data protection risk (a code of practice on when data stops being personal data, and on the re-identification risks of releasing "anonymised" sets)
2. Notification of data breach
3. Right to be forgotten
every individual has the right to ask for the deletion of their personal data when it is no longer required for the purpose it was collected for, or when they withdraw the consent the processing relied on