
GDPR for developers, engineers, designers, testers, and other tech geeks

These days you can’t call yourself a developer if you don’t know how to use Git, or a UI/UX designer if you don’t know how to use Figma. The same rule will soon apply to the GDPR.

Why? The answer is simple: tech companies work with a lot of data, especially if they develop global products, and people in the EU can be among their users. Therefore they need to follow the GDPR, unless they want to pay large GDPR penalties. Tech companies can’t afford that risk, and that’s why they educate all their employees about the GDPR.

Introduction into GDPR

What is the GDPR?
The General Data Protection Regulation, also known as the GDPR, is the EU’s privacy and data protection law. It protects the personal data of people in the EU, no matter where in the world that data is processed.

When does the GDPR apply?
The GDPR applies if:

  • the company is established in the EU and processes personal data (including special category data), regardless of where the actual data processing takes place.
  • the company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behavior of individuals within the EU.

Who is protected by the GDPR?
The GDPR protects natural persons who are in the EU, regardless of their citizenship: EU citizens, residents, and people temporarily located in the EU for work, health care, travel, and similar reasons. Citizenship is not the test; what matters is that the person is in the EU when their data is processed.

Are there any fines or penalties?
There are two tiers of administrative fines. The lower tier maxes out at 10 million euros or 2% of global annual turnover, the higher tier at 20 million euros or 4% of global annual turnover (in each case whichever is higher). On top of that, data subjects have the right to seek compensation for damages.

What is the difference between data protection and data privacy (under GDPR)?
Data protection means keeping data safe from unauthorized access, loss, and alteration. Data privacy means empowering users to make their own decisions about who can process their data and for what purpose.

The GDPR Key Terms

Let’s move to the next section: the key terms of the GDPR. Watch the video below, which explains the most important ones.

GDPR Key Terms by Branko Petrović

If you missed the GDPR key terms (that you should understand) in the video, check out the list below:

Personal data — Personal data is any information that relates to an individual (also known as the data subject) who can be directly or indirectly identified.
Examples: name, address, ID card/passport number, income, cultural profile, IP address, data held by a hospital or doctor (a unique health card ID, for example). Pseudonymised data still counts as personal data if someone can be identified from it with reasonable effort, for example by combining it with other information that is held separately.

Special category of data — Special category of data is personal data that needs more protection because it is sensitive.
Categories: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data processed to uniquely identify a person; health data; and data concerning a person’s sex life or sexual orientation. These may only be processed in the specific cases the GDPR lists (with explicit consent, for example). Personal data relating to criminal convictions and offenses is a separate category with similar protection: it may only be processed under official authority or where EU or national law authorizes it.

Data processing — Basically any action performed on data, whether automated or manual.
Examples: collecting, recording, organizing, structuring, storing, using, erasing.

Data subject — The person whose data is processed.
Examples: users, site visitors, customers, client employees.

Data controller — The natural or legal person (in practice usually the company or organization) that decides why and how personal data will be processed, that is, the purposes and means of the processing.
Examples: the company or organization that collects and uses the data. Owners and employees who handle data as part of their job act on behalf of the controller; they are not separate controllers.

Data processor — A third-party company, organization, or application that processes personal data on behalf of, and only on the documented instructions of, a data controller.
Examples: cloud provider (AWS, Azure, GCP), email service provider (Gmail, ProtonMail), outsourced software development companies, and similar.

Data Subject Rights

The goal of the GDPR is to give individuals (Data Subjects) greater control over the data they lend to companies and organizations. The GDPR achieves this goal through the rights of data subjects.

As a developer, designer, or engineer who wants to offer top-quality, GDPR-compliant services, it’s important for you to understand these rights and to implement them in client applications and platforms.

According to the EU GDPR, there are eight basic data subject rights, so let’s learn basic things about each of them, which all of us must know.

Data Subject Rights by Branko Petrović

1. The right to be informed
Individuals have the right to be informed about the collection and use of their personal data. We must provide individuals with information, including the purposes of processing their personal data, the retention periods of that personal data, and with whom it will be shared.

How can this data subject right be realized?
It is often most effective to provide this privacy information to individuals through a dashboard, just-in-time in-app notifications, email notifications, and such.

What is the deadline for this data subject right?
We must provide this information at the time we collect the individual’s personal data. If we obtain personal data from other sources, we must provide it within a reasonable period of obtaining the data and no later than one month.

2. The right to access
This is a straightforward right: individuals are entitled to confirmation that we process their data, a copy of their personal data, and supplementary information such as the purposes of processing, the recipients, the retention period, and the source of the data.

How can this data subject right be realized?
This right is usually exercised by submitting the “Data subject request”.

What is the deadline for this data subject right?
We should respond without undue delay and within one month of receiving the request. We may extend this by a further two months if the request is complex or if we receive a number of requests from the same individual, but we must tell the individual about the extension, and why, within the first month.

3. The right to rectification
Individuals have the right to have inaccurate personal data corrected and incomplete personal data completed, for example by supplying a supplementary statement.

How can this data subject right be realized?
This right is usually exercised by submitting the “Data subject request”.

What is the deadline for this data subject right?
We should respond without delay and within one month of receipt of the request.

4. The right to erasure
The right to erasure is also known as ‘the right to be forgotten’. Individuals have the right to have their personal data erased, but this right is not absolute and only applies in certain circumstances (for example, when the data is no longer necessary for the purpose it was collected for, or when consent is withdrawn). It does not override legal retention obligations, and where it applies it also covers copies held by our processors.

How can this data subject right be realized?
This right is usually exercised by submitting the “Data subject request”.

What is the deadline for this data subject right?
We should respond without delay and within one month of receipt of the request.

5. The right to restrict processing
Under the GDPR, individuals (data subjects) have the right to request restriction or suppression of the processing of their personal data. This is not an absolute right and only applies in certain circumstances, for example while the accuracy of the data is being contested or an objection is being assessed. While processing is restricted, we may still store the data but may not otherwise use it without the individual’s consent or another legal ground.

How can this data subject right be realized?
This right is usually exercised by submitting the “Data subject request”.

What is the deadline for this data subject right?
We should respond without delay and within one month of receipt of the request.

6. The right to data portability
This right lets individuals obtain the personal data they provided to us in a structured, commonly used, machine-readable format (JSON or CSV, for example) and reuse it in another application or platform. Where it is technically feasible, they can ask us to transmit the data directly to the other controller; otherwise we must let them download a copy themselves. It applies to data processed by automated means on the basis of consent or a contract, and the obligation sits with the data controller (a processor assists the controller in meeting it).

How can this data subject right be realized?
This right is usually exercised by submitting the “Data subject request”.

What is the deadline for this data subject right?
We should respond without delay and within one month of receipt of the request.

7. The right to object
Under the GDPR, individuals can object to processing of their data that is based on our legitimate interests or on a public task, and to any processing for direct marketing. An objection to direct marketing is absolute and the processing must stop. For other processing, the data controller may continue only if it can demonstrate compelling legitimate grounds that override the individual’s interests, rights, and freedoms.

How can this data subject right be realized?
This right is usually exercised by submitting the “Data subject request”.

What is the deadline for this data subject right?
We should respond without delay and within one month of receipt of the request.

8. The rights in relation to automated decision making and profiling
Data subjects shall have the right not to be subject to a decision based solely on the automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

How can this data subject right be realized?
This right is usually exercised by submitting the “Data subject request”.

What is the deadline for this data subject right?
We should respond without delay and within one month of receipt of the request.

Data Subject Request

What is Data Subject Request (DSR)?

A Data Subject Request is any request made by an individual, or by their legal representative, to exercise one of the GDPR rights over the personal data a company or organization holds about that individual, for example to obtain a copy of it or to have it erased.

How can it be received?

Individuals can make a Data Subject Request verbally or in writing, including via social media. Every DSR must be logged, so a verbal request must be recorded in writing, together with the date it was received, because the response deadline runs from that date.

Who processes the data subject request?

The request is usually handled by the data protection officer or another authorised employee of the company. Who does what is defined in the company’s Data Subject Request Procedure.
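The rights and deadlines above are easier to get right when the application models them explicitly. The following is an added example, not code from the original article: a minimal DSR register that computes the one-month (extendable to three-month) deadline with real calendar months, plus handlers for access, portability, rectification, restriction, objection, and erasure over a constructed in-memory user record. The user record, the field names, the retention exemption for invoices, and the supplementary information in the access response are all assumptions made for illustration.

```python
import calendar
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed in-memory "database" with one user's personal data in a
# hypothetical app. A real system would use a proper datastore and audit log.
USERS = {
    "u-100": {
        "name": "Ana Example",
        "email": "ana@example.test",
        "marketing_opt_in": True,
        "invoices": [{"id": "inv-1", "amount": 12.5}],
        "restricted": False,  # Art. 18 flag: data may be stored but not used
    },
}

# Assumption: invoices fall under a statutory retention period, so an erasure
# request must not delete them (one of the Art. 17(3) exceptions).
RETENTION_EXEMPT_FIELDS = {"invoices"}


def add_months(dt: datetime, n: int) -> datetime:
    """Calendar-month arithmetic with day clamping (31 Jan + 1 month = 29 Feb 2024)."""
    month0 = dt.month - 1 + n
    year, month = dt.year + month0 // 12, month0 % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class DSR:
    """One logged data-subject request (a verbal request is logged the same way)."""
    request_id: str
    subject_id: str
    right: str              # access, rectification, erasure, restriction, portability, objection
    received: datetime      # when we became aware of the request; the clock starts here
    extended: bool = False  # complex request: +2 months, and the person must be told

    def due(self) -> datetime:
        return add_months(self.received, 3 if self.extended else 1)


def _personal_data(subject_id: str) -> dict:
    return {k: v for k, v in USERS[subject_id].items() if k != "restricted"}


def access(subject_id: str) -> dict:
    """Right of access: a copy of the data plus the supplementary information."""
    return {
        "personal_data": _personal_data(subject_id),
        "purposes": ["account administration", "invoicing", "marketing"],           # assumption
        "retention": {"invoices": "statutory period", "other": "account lifetime"},  # assumption
        "recipients": ["hosting provider (processor)"],                              # assumption
    }


def export_portable(subject_id: str) -> str:
    """Right to portability: a structured, commonly used, machine-readable format."""
    return json.dumps(_personal_data(subject_id), indent=2, sort_keys=True)


def rectify(subject_id: str, changes: dict) -> dict:
    """Right to rectification: correct or complete the record."""
    USERS[subject_id].update(changes)
    return _personal_data(subject_id)


def set_restriction(subject_id: str, restricted: bool) -> None:
    """Right to restrict processing: keep storing, stop using."""
    USERS[subject_id]["restricted"] = restricted


def marketing_recipients() -> list:
    """A processing activity; it must honour restriction (and objection to marketing)."""
    return [uid for uid, u in USERS.items()
            if u.get("marketing_opt_in") and not u["restricted"]]


def object_to_marketing(subject_id: str) -> None:
    """Right to object: for direct marketing this is absolute, so just switch it off."""
    USERS[subject_id]["marketing_opt_in"] = False


def erase(subject_id: str) -> dict:
    """Right to erasure: drop everything except fields we are legally required to keep.

    What remains is kept under restriction, so it is stored but never used.
    """
    user = USERS[subject_id]
    kept = {k: user[k] for k in RETENTION_EXEMPT_FIELDS if k in user}
    USERS[subject_id] = {**kept, "restricted": True}
    return kept
```

The point of the `restricted` flag is that every read path that *uses* data (here `marketing_recipients`) checks it, while storage is untouched; and `erase` shows that erasure is a policy decision over fields, not a bare `DELETE`, because retention obligations survive the request.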

Data breach (GDPR)

A (personal) data breach is not just access to data by an unauthorized party. It is any security incident in which protected data is exposed, copied, transmitted, viewed, stolen, altered, destroyed, or otherwise used by someone who is not authorized to do so.

A personal data breach is especially important for us because this type of incident potentially results in the disclosure of personal data for which we are responsible under the Data Processing Agreements (DPAs) signed with our clients, the GDPR, and similar legislation.

What is a data breach under the GDPR?
In the GDPR text, a personal data breach is defined as a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

So a personal data breach under the GDPR is not only a leak: it is any security incident that affects the confidentiality, integrity, or availability of personal data we are responsible for.

Types of the data breach:

  • Confidentiality breach — unauthorized or accidental disclosure of, or access to, personal data;
  • Integrity breach — unauthorized or accidental alteration of personal data;
  • Availability breach — accidental or unauthorized loss of access to, or destruction of, personal data (e.g. by a power cut, a systems failure, or ransomware with no usable backup).

Data breach notification
When the data for which we are responsible suffers a breach that is likely to result in a risk to the rights and freedoms of the people concerned, the data controller (usually our client) has to notify the supervisory authority (each EU member state has its own Data Protection Authority responsible for implementing and enforcing the GDPR) without undue delay and at the latest within 72 hours after becoming aware of the breach. A breach that is unlikely to result in such a risk need not be reported, but every breach must still be documented internally: the facts, its effects, and the remedial action taken.

How does data breach notification apply to us?
If your company is a data controller, it has to notify the supervisory authority at the latest within 72 hours and, where the breach is likely to result in a high risk to the people concerned, also inform those data subjects without undue delay. If your company is a data processor, it must notify the data controller of every personal data breach without undue delay after becoming aware of it; the controller’s 72-hour clock starts from that point, so in practice the DPA signed with the client usually sets a concrete deadline for this.

GDPR Principles (Privacy by Design)

The Privacy by Design framework comprises seven principles, which the GDPR seeks to encourage among data controllers through its requirement of data protection by design and by default (Article 25).

Before we continue with the GDPR principles, let’s first define Privacy by Design (PbD). PbD means embedding privacy into the design: incorporating privacy into product development and management (a mobile application, for example), including business processes, database architecture, product design, and so on.

Principle #01: PROACTIVE NOT REACTIVE and PREVENTIVE NOT REMEDIAL
Privacy by Design comes before the fact, not after, it is characterized by proactive rather than reactive measures. It anticipates, identifies, and prevents privacy-invasive events before they happen. Whether applied to information technologies, organizational practices, physical design, or networked information ecosystems, PbD begins with explicit recognition of the value and benefits of proactively adopting strong privacy practices, early and consistently.

Example: Preventing (internal) data breaches before they happen, for instance by adopting a Computer Security Incident Response Plan (CSIRP) and rehearsing it before an incident occurs, rather than writing it afterwards.

Principle #02: PRIVACY AS THE DEFAULT SETTING
Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.

Example: Users of an application don’t need to do anything to protect their personal data, because it is already protected by default (encrypted at rest, collected only as far as needed, and with optional data sharing switched off until they opt in).

Principle #03: PRIVACY EMBEDDED INTO DESIGN
Privacy by Design is part of the design and architecture of IT systems and business practices, not imposed as an add-on, subsequently. Privacy must be built into the system without compromising functionality. The principle says that privacy must be integrated in a holistic, integrative, and creative way.

Principle #04: FULL FUNCTIONALITY — POSITIVE-SUM, NOT ZERO-SUM
Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner (company and users). Privacy by Design avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible, and far more desirable, to have both.

Example: Companies should not only put consent forms in front of their users, but should also protect those users through internal procedures and security practices.

Principle #05: END-TO-END SECURITY — FULL LIFECYCLE PROTECTION
Privacy by Design ensures secure lifecycle management of information, end-to-end. Privacy must be continuously protected across the entire domain and throughout the life-cycle of the data in question. There should be no gaps in either protection or accountability. The “Security” principle has special relevance here because, at its essence, without strong security, there can be no privacy.

Example: When a user enters personal data in the app, the app encrypts it before storing it in the database, and the encryption keys are kept separately from the data so that a copy of the database alone reveals nothing.
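Encryption is one Article 32 measure; pseudonymisation is the other, and it is what the key-terms section above means when it says pseudonymised data is still personal data if someone can be identified from it with reasonable effort. The following is an added example, not code from the original article, using only the Python standard library: direct identifiers in an event stream are replaced with keyed HMAC tokens, the token-to-email lookup table is kept apart from the analytics rows (the “additional information” that must be held separately), and a dictionary attack shows why an unkeyed hash is not pseudonymisation. The event data, the in-memory key, and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Assumption: in production this key lives in a KMS/HSM, separate from the
# analytics store. It is generated in memory here so the example runs offline.
PSEUDONYM_KEY = secrets.token_bytes(32)


def _normalise(identifier: str) -> bytes:
    return identifier.strip().lower().encode()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token (HMAC-SHA256) for a direct identifier.

    The same identifier always yields the same token, so records can still be
    joined; without the key the token can be neither reversed nor recomputed
    from a guessed identifier.
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone holding a list of likely
    identifiers hashes each one and compares, so it is trivially reversible."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def split_dataset(events: list, key: bytes):
    """Split raw events into (analytics_rows, lookup_table).

    analytics_rows carry only the token. lookup_table (token -> email) is the
    additional information that Art. 4(5) says must be kept separately under
    technical and organisational measures; it is also what a DSR handler uses
    to find one person's rows.
    """
    rows, lookup = [], {}
    for ev in events:
        token = pseudonymise(ev["email"], key)
        lookup[token] = _normalise(ev["email"]).decode()
        rows.append({**{k: v for k, v in ev.items() if k != "email"}, "subject": token})
    return rows, lookup


def erase_subject(rows: list, lookup: dict, email: str, key: bytes) -> list:
    """Erasure request: locate the person's token via the key, drop their rows
    and the lookup entry. The remaining rows can no longer be linked to them."""
    token = pseudonymise(email, key)
    lookup.pop(token, None)
    return [r for r in rows if r["subject"] != token]


def dictionary_attack(token: str, candidates: list,
                      fn: Callable[[str], str]) -> Optional[str]:
    """What an attacker does with a leaked token and a list of guessed emails."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


# Constructed sample events (reserved example domain, not real people).
EVENTS = [
    {"email": "ana@example.test", "page": "/pricing", "ms": 812},
    {"email": "Ana@Example.test", "page": "/signup", "ms": 1530},
    {"email": "bo@example.test", "page": "/pricing", "ms": 644},
]
```

The dictionary attack is the test a practitioner should run on any “anonymised” export: if a plausible list of inputs reproduces the tokens, the data is personal data, and the page above is right that it falls under the GDPR.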

Principle #06: VISIBILITY AND TRANSPARENCY — KEEP IT OPEN
Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to both users and providers alike.

Example: The privacy policy of the product must state where the data is stored and processed, and by whom.

Principle #07: RESPECT FOR USER PRIVACY — KEEP IT USER-CENTRIC
Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
