GDPR and Privacy by Design: what developers need to know

It’s estimated that 90% of the world’s data has been collected in the last two years, according to a recent report. By the year 2020, it’s expected that we will create 1.7 megabytes of new information every second for every human on the planet. This huge stream of data, includes personal and sensitive information. What challenges and opportunities are there for businesses and consumers worldwide?

There is currently little control over the data that organisations store or how it’s being used. So asking questions about what is done with your data or how it’s being stored is important.

Until we build better systems — personal data is not safe. It is the time to take a different approach to software and systems development. Why now?

The GDPR and the Privacy by Design Framework

The General Data Protection Regulation (GDPR) is coming. The GDPR is new legislation passed by the EU parliament in 2016. It will come into effect on May 25th, 2018. The GDPR changes European privacy rules. One monumental change is the introduction of the Privacy by Design and Privacy by Default Framework. In this article we will focus on the Privacy by Design Framework.

It is important to clarify that although the GDPR is European legislation, it will have a global impact. The data of European citizens is protected, even when in the systems of business outside of the EU. That is why developers worldwide need to understand the new requirements.

The Privacy by Design framework comprises of 7 principles. These 7 foundational principles developed by Canada’s former Information and Privacy Commissioner Ann Cavoukian in 2009 (conveys what the GDPR is endeavouring to encourage among data controllers).

Privacy by Design means that organisations need to consider privacy from the first design stages and throughout the complete development process of any new products, processes or services that involve processing personal data. This means that it is no longer just about data protection but rather about designing and building systems so data is inherently protected.

With Privacy by Design, privacy and security are no longer an afterthought.

In short, Article 25 of the GDPR requires; “data protection by design; data controllers must put technical and organisational measures such as pseudonymisation in place — to minimise personal data processing”. Building compliant systems means that new functionality needs to be added, to deliver data pseudonymisation, encryption and other privacy enhancing measures.

What does it mean for you as a developer?

Design

1. Operate within legal boundaries and be accountable. For the first time, those building and designing the system, need to learn and apply privacy frameworks and legislation.

A privacy strategy is essential to make choices early in the development process about how you incorporate privacy when designing your new service or product. A good tool for the privacy strategy is the Privacy Impact Assessments (PIA). This tool helps to identify and reduce the privacy risks of the projects. It also reduces the risk of harm to individuals through the misuse of their personal information. It also helps to design more efficient and have a more effective processes for handling personal data.

Don’t forget to keep your PIA findings. These will allow you to show your rationale behind certain decisions at a later stage.

2. Think of ethics. The ethical aspects of design and systems development must also be taken into consideration early on. An organisation should decide how transparent they would like to be on its data processing and how much it wants to know about the users/customers involved. Analysis of what minimal data is required, will be the new norm. Ask the question, what kind of information do you absolutely need? Is it necessary to collect this personal data? For example, if the requirement is to design a system that detects if someone is older than 18, then creating a field for the date of birth is no longer the answer.

For data security proper steps must be taken to protect users’ personal information to prevent data leakage. Additionally the overuse or exploitation of personal information in business processes needs to be reassessed and modified. Especially for sensitive information, data storage decisions are now more critical. The emerging distributed storage technologies warrant explorating.

3. Communication is key. Communication with users/customers is very essential to discuss at the initial design stages and throughout the complete development process. The system must make it obvious to the user who is collecting their data and how they can contact that entity. If personal data will be kept, they need to let the user know for how long they keep the personal data and why/how their data is being used.

Communication lines must be clear, also when something backfires. Users/customers need to be informed when something like this happens. Significant fines will be imposed if data breaches are not reported to the user/customer and the EU within 72 hours.

When collecting data, you need to seek active consent. For the:
a) collection or use of personal information (for each purpose).
b) sharing of personal information with third parties.
c) storing of personal information.

It must also be clear where they can turn if they want to know more about the processing of their personal data and how they can exercise their rights.

If the third party has access to personal data, the user must be made aware. They have the right to know with whom the information will be shared, what the purpose is, and the third-parties need to provide links to their privacy policies. Users may also choose if they want this data to be collected, accessed and used by third parties. To aggregate data the user needs to give permission, as this data is built only from what they share.

As part of consent management, the following must be communicated to the user/customer:

- how long a consent is valid
- how they can manage any consent given by them
- the consequences of withholding or withdrawing their consent.

Users must be able to withdraw consent by simple and efficient means, with no undue delay or undue cost. The Kantara Initiative has a very good standard for Consent Receipt Specifications.

4. Data security, quality and retirement. Data security measures need to prevent data leakages. It’s important to guarantee the quality of the data for the organisation. It is now critical to manage what the entity will do with the data, once the product or service retires.

Users must be able to deactivate their account and have the option to delete their accounts. This means that all personal information/content needs to be removed from the network and any back-end servers. The development of Right to be Forgotten systems and process will be an emerging area.

Implementation

5. Basic knowledge on privacy. A successful systems implementation will happen when everyone involved in the development and implementation of new products and services, has enough knowledge on privacy.

A systematic approach should be adopted that relies upon accepted standards and process frameworks, and is amenable to external review. This should include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.

6. Document data protection. Clear policies, guidelines and work instructions related to data protection should be developed and a privacy specialist should be available to help.

Policies should be implemented at a technical and business process level. When personal data is no longer required, it needs to be destroyed or anonymised. Anonymised data is achieved by removing information that can identify an individual. This can be done by removing any information that can be used to identify an individual and making it impossible to re-identify the individual. Those applying anonymisation need to thoroughly asses the proven possibility of de-anonymisation.

Consent management for anonymisation, storage and other data treatments is an integral part of near-future systems.

7. Development process. The development method (agile, waterfall etc.) used within your organisation must apply the concepts throughout the whole development process. This will enable your development team to take measures in the relevant phases.

It’s important to assign responsibility to make sure that the end-user privacy is considered. This needs to be done throughout the whole product life cycle and throughout the different business processes. When collecting personal data, a company representative must be assigned at each stage of the process to ensure end-user privacy is built into the services and business processes.

8. Monitoring and evaluation. When you launch a new system or policy, it must be adopted by the organisation and monitored throughout its lifetime.

Compliance needs to be demonstrated, for example, through the creation and maintenance of documentation that proves the organization is using technology for continuous monitoring of data and continuous evaluation of vulnerabilities.

These steps, together with the 7 principles of the Privacy by Design Framework (starting from the design process and monitoring and testing when the design has been completed) will dramatically change the way businesses around the world manage data. The new challenge for developers is to build GDPR compliant systems and champion the Privacy by Design framework.

Sphere Identity provides digital identity solutions for enterprises and individuals. Privacy by Design is essential to the products we build.

Sign up for updates from Sphere Identity by clicking here.