New General Data Protection Regulations (GDPR) are changing the landscape of web design and development. Companies both large and small are scrambling towards GDPR compliance for the new regulations that take affect on May 25, 2018. These newly approved regulations widen required compliance to include ANY data (personal and sensitive) that belongs to a user who ia a European Union citizen. This now includes purchases made oversees even if they are non EU products.
How will the new GDPR regulations influence development trends and how can we as developers continue to provide value to our clients?
There are many relevant and interesting posts on how to prepare for GDPR. But the bigger question for those of us that are on the development side, particularly those of us that are third-party vendors, is how to gain better insight to these regulations. Doing so we can provide and (hopefully) increase our value to our clients.
The idea behind the GDPR is that consumer trust is essential to growth in the digital economy. And the EC has concluded that giving users of digital services more information and greater control over when and how their personal data is used helps to win their trust. If the use of personal information isn’t kept in check the online business community will suffer as customers won’t trust them enough to use their services.
The regulations also aims to shift the perspective regarding who “owns” user data. It reinforces the idea that personal information doesn’t belong to a company just because it resides on their servers.
What Is Considered Personal Data?
Personal data is defined as “any information relating to an identified or identifiable natural person”. This can be a single piece of information or multiple data points combined to create a record.
Beyond personal data there is also sensitive personal data, defined as information about a person’s:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Sex life or sexual orientation
- Past or spent criminal convictions
Sensitive personal data requires stricter protections than regular personal data, and the consequences for its leakage or misuse are greater.
GDPR expands the definition of personal data to include:
- Genetic data
- Biometric data (such as facial recognition or fingerprint logins)
- Location data
- Pseudonymized data
- Online identifiers
The latter definition is important for developers. It includes things like IP addresses, mobile device IDs, browser fingerprints, RFID tags, MAC addresses, cookies, telemetry, user account IDs, and any other form of system-generated data which identifies a person.
Privacy by Design is Trending as Best Practice
GDPR requires the adoption of the Privacy by Design framework. This a seven-point development methodology requires optimal data protection to be provided as standard, by default, across all uses and applications.
The PbD framework has seven foundational principles:
- Be proactive, not reactive. Anticipate privacy issues before they reach the user. Privacy must also be preventative, not remedial.
- User privacy must be the default setting. The user should not have to take actions to secure their privacy, and consent for data sharing should not be assumed.
- Privacy must be embedded into design. It must be a core function of the product or service, not an add-on.
- Aim for positive sum and avoid dichotomies. For example, PbD sees an achievable balance between privacy and security, not a zero-sum game of privacy or security.
- Offer end-to-end lifecycle protection of user data. This means engaging in proper data minimization, retention and deletion processes.
- Standards must be visible, transparent, open, documented and independently verifiable. Your processes, in other words, must stand up to external scrutiny.
- Privacy must be user-centric. This means giving users granular privacy options, maximized privacy defaults, detailed privacy information notices, user-friendly options and clear notification of changes.
GDPR-Conscious Design Requirements
Design requirements are an integral part of a GDPR-conscious development workflow.
Data protection by default as a design process starts with developing with minimization in mind. Collect only the absolute minimum amount of personal data required and no more, both on the front end and back end. Do not link personal data with other data sets stored in a single location. If aggregating data, remove personal and identifying data as much as possible. Anonymisation is always recommended, but it can’t be tied to anyone in any way.
Personal data must be deleted, either automatically or as requested by the user, when it is no longer needed. Don’t forget that the deleted data may still be present in archives and backups. You will also need to work with any third parties whom you pass data to or receive it from to ensure that any request for data deletion on your end also removes the data on their end.
Another aspect of GDPR-conscious system design is protecting data from unnecessary access. Consequently, personal data should never be visible to all users of a system. In addition, personal data should be encrypted at all times.
Consent and Subject Access
Keep in mind the idea that users own their personal data. On the front end, your projects and applications should provide full control over consent settings through things like control panels, user dashboards, account settings, and privacy centers. These choices must be granular; a user must be able to invoke any aspect of control over their data at any time. An all-or-nothing approach to website access is no longer permissable.
You’ll also need to provide an interface for individual subject access rights, such as (but not limited to):
- editing and correct information.
- downloading data.
- restricting processing.
- data deletion.
Account settings and privacy dashboards are the ideal homes for these options.
On the back end, you’ll need to enforce user consent and choice. Users must enjoy optimal privacy settings by default; they should not have to opt-in to privacy, or switch off defaults to achieve it.
Additionally, you cannot assume consent through a lack of action, such as a failure to tick a box or the mere creation of an account. So, you should develop ways to alert users to the fact that they have not yet granted opt-in consent to any applicable choices and options.
Your back end development process will also need to ensure timestamped documentation of what consent a user gave, how they gave it, and whether or not they have withdrawn it.
Testing, Maintenance, and Documentation
Finally, developing for GDPR means adding privacy by design and data protection by default to your testing processes. These should supplement existing procedures such as penetration testing.
Your privacy testing procedures should predict the ways unauthorized users would access actual data on your system. If you are applying Privacy by Design retroactively to an existing project, be sure to test how easy it is to access legacy data.
And remember to always thoughly document your testing. Your testing results, and the methodologies you used to achieve them, need to be noted and actioned as living documents. This may seem an arduous task at the time but your future self will thank you.
The Golden Rule of Personal Data
The European Union privacy overhaul will bring positive changes to our business processes and development workflows. Therefore we all need to become more thoughtful about what data we collect, how we collect it, and what we do with it. With data breaches and privacy violations in the headlines every day, not to mention governments expressing open malice against vulnerable citizens, our privacy obligations are as much about ethics and humanity as they are about law and policy.
As you design and develop your applications tell yourself this golden rule of data privacy –
Treat others personal data as you would like yours to be treated.
No one wants their own personal data to be used inappropriately or exposed to outside threats, approaching your projects with a bit of empathy will go a long way in doing the right thing.
About DeCort Interactive
Website performance tuning is our specialty. We harness the true power of your website and collaborate with you to better understand your company and its goals. Our team is a collective of passionate developers with interdisciplinary expertise. Your end product will be optimized to run at the highest level and we don’t stop until you are satisfied.
Contact us today to improve the performance of your website.