GDPR and Software

The GDPR (EU General Data Protection Regulation) enforcement date is on 25 May 2018 and there is an obvious sense of nervousness and anxiety, for good reason. There is even an entire employment sector growing from the lack of knowledge on the subject, and the fact that no organisation has been met by any enforcement yet.

Employing a GDPR consultant is a sensible insurance for protecting an organisation from the hefty penalties:

Up to €20 million, or 4% annual global turnover — whichever is higher.

With that sort of money in play, employing somebody to help safeguard your organisation is a no brainer. That said, GDPR is an organisation level responsibility and requires the efforts of all parties within the organisation to ensure GDPR compliance is upheld.

GDPR compliance is an organisation level concern. On the surface this may appear complicated and demanding to get your head around but it is built on fairly simple concepts that are fair and reasonable.

Secure my data and keep it private.

As we have already covered, organisations are deemed to be GDPR compliant when they meet or exceed a set of standards. Software and Hardware cannot be GDPR compliant. What Software and Hardware can do to support GDPR compliance of an organisation is to be built on the principles of Security by Design and Privacy by Design.

It can be difficult to reason if a piece of software is built on these principles due to the level of understanding needed to appreciate the complexity of digital security. The most useful way of explaining Security by Design and Privacy by Design that I have found is to use the example of a filing cabinet.

A filing cabinet is an interface between a user and data. The cabinet includes a locking mechanism (Security by Design) and is made of a robust material that prevents unwanted users viewing or accessing the data within (Privacy by Design).

The locking mechanism has a key that enables approved users to access the data (Security and Privacy by Design).

The cabinet itself succeeds in providing the foundations necessary for an organisation to achieve GDPR compliance, but it cannot be held responsible for a breach.

The organisation that uses the filing cabinet must ensure the cabinet is kept in a suitable location to help prevent unwanted access. If the cabinet is left out on the street where anyone can access it and attempt to freely gain access, the organisation is failing to achieve GDPR compliance. If the key(s) used to access the cabinet is not kept secure and out of the hands of unwanted users, the organisation is liable for failing to meet adequate requirements to be deemed GDPR compliant. If the key is kept somewhere accessible to unwanted users, a nefarious party could steal the key, and make a copy with the intent of accessing the cabinet.

Location of the cabinet and the key to access it are simple examples but they illustrate the responsibility of organisations to ensure common sense practices to ensure the hardware used to protect data are used and maintained as expected. This analogy works for doors, windows, public areas, the car park, and even the entrances of an organisation’s location.

Just like a filing cabinet, a software application is an interface between a user and data. Software is more easily configurable than a filing cabinet and allows for various levels of encryption, access controls, and monitoring and logging of activity in interacting with the interface. Ensuring your software is utilising these tools to meet or exceed security and privacy requirements will put you in a strong position to support your organisation in being GDPR compliant.

If in doubt, consider your own data being stored in one of your own interfaces, whether that be a filing cabinet or a software’s database. If you wouldn’t be comfortable with your personal or sensitive data being seen by anyone unexpected, as a result of an inadequate piece of hardware or software, replace that broken filing cabinet and update the security settings in your software to ensure you are doing everything you can to protect clients, customers, and users data.