GDPR is a big deal; even for outsourced development agencies that collect no user data

Coming into effect in a few short days, the EU’s General Data Protection Regulation (GDPR) is set to bring about the greatest change to European data security in 20 years. Replacing the 1995 Data Protection Directive, outdated in the age of social media and “smart” mobile devices, the new regulations require companies that collect data on EU citizens to comply with strict new rules.

Companies are expected to implement initiatives for safeguarding data and take technical and organisational measures to individuals’ privacy rights.  GDPR places the obligation on companies to prove their accountability, requiring that they be able to demonstrate GDPR compliance and that reasonable measures have been taken to grant individuals’ rights over their data security. Companies are also required to ensure systems and processes are in place to test, monitor and measure data security at any given time.

As an external development partner to many clients in Europe Calcey collects no data from EU citizens directly, that brings it under the purview of GDPR. We have also already minimized access to sensitive data of clients, a quick win and a crucial step to reduce our exposure. While the maxim that you can’t lose (and in this case misuse) what you don’t have is logically sound, actually complying with GDPR requires a lot more. What follows is what we’ve learned and done in preparation so far, to gear up for changes post 25th of May.

A quick summary of GDPR

GDPR requires not only that organisations maintain records of the categories of data they process, the recipients of that data and their geographical whereabouts, the retention periods and security measures that have been applied, but also that these records be dis-closable at any given time.

Take a minute to consider this. The exercise of an individual’s rights over their personal data can only truly be effective if an organisation’s technology stack is fully flexible and agile to delete, restrict processing and export data as and when the individual (or data subject) demands. The challenge, then, that many organisations have been faced with is that their technology and processing systems have not been designed for GDPR compliance.

The core individual rights covered by the GDPR that require the most technological attention are the ‘right of erasure’ (the right to be forgotten/deleted from the system), the ‘right to redaction’ (data can be kept, but is marked “restricted” and cannot be touched without further consent by the user), the ‘right to data portability’ (the ability to export one’s data in a machine-readable format), the ‘right to rectification’ (the ability to get personal data corrected), the ‘right to be informed’ (getting readable information, as opposed to long T&Cs), and the ‘right of access’ (users should be able to see all the data collected and stored about them).
The technology these rights require, in turn, include technology to:

  • Enable rectification, redaction, erasure and anonymization
  • Map or trace the full information life cycle
  • Enable the transmission of personal data from one technology stack to another
  • Perform search and retrieval
  • Enable freeze and suppression
  • Categorise personal data by type and processing purpose

To be compliant processing systems will be required to include controls to protect against unlawful and/or unauthorised access or disclosure of personal data and include up-to-date countermeasures against current attack techniques.

Technologists, have their work cut out for them in the era of GDPR and must take information security seriously. Continuous steps and improvements to systems will be needed to ensure compliance.

Privacy can no longer be an afterthought

Privacy, for instance, should be built into software from inception and should be at the core of any system and not be installed with a plugin. Privacy cannot come at the price of an app’s functionality and users should not have to choose between privacy and functionality. Such software will become illegal under the GDPR.

A pertinent point for companies to think about could prove to be ‘pseudonymization’, heavily recommended by regulators as a way of protecting personal data. ‘Pseudonymization’ is the processing of personal data in manner that the data can no longer be attributed to a specific data subject without the use of additional information. That is personal data is stored separately from additional information so that in the event of a breach, the data would be hard to reconstitute. For example, a person’s name would be kept separately from the history of his actions on an app. This way in case of a breach, it would not be possible to match an individual and his actions. While adding an additional layer of security, implementing pseudonymization demonstrates a commitment to security, which can be useful under GDPR in the event of a breach.

Consent is set for an overhaul

Further to be deemed unacceptable under GDPR are soft opt-in methods and consent buried in long Privacy Policies or Terms & Conditions documents full of legalese. GDPR consent guidelines require that consent messages should be written in plain language and unbundled from all other terms and conditions. The information must cover all forms of processing that companies aim to undertake. Take for example, the common practice for companies to collect data to share with third parties for marketing reasons. Consent is often obtained by asking customers if they would like to receive marketing relevant to their interests (e.g. from travel agents). Current guidance by authoritative sources indicate that even such precisely defined categories of third-party organisations will not be acceptable under the GDPR. Instead, companies and all third-parties will need to be named and the purpose of the data collection explicitly stated.

All opt-in messages and collection systems will need to be checked and re-written where they don’t comply with GDPR. Consent records may need to be maintained as well, so they can be presented if challenged. System design changes may be required to ensure that systems are in place to provide evidence that users consented to specific uses of their personal data.

In the event where users request that their data be removed, companies will need to ensure comprehensive processes are in place to remove this data. This means deleting personal information, as well as other identifiable data, within a 30-day window once a request is made. Having an automated system that can perform this may become a necessity and well worth looking into, as manually removing data laborious. Developers will also need to plan how the information requested can be made available in an easy to understand format. Here, again, the law requires information to be provided within 30 days of a request. Having a system in place to monitor data breaches is also necessary to ensure quick detection and action in the case of a breach to minimize damage.

What can service companies do to face the brave new world?

GDPR is spawning an industry of its own as newly minted “GDRP consultants” offering everything from advice and audits to outsourced “Data Protection Officer” offerings, set up shop. The lack of clarity and direction regarding implementation casts doubt about the validity and effectiveness of such interventions and certifications to ensure compliance.

Calcey being a software services company providing engineering talent to fast-growing technology companies is unlikely to become a data controller, at any stage. Instead, Calcey is already a data processor, due to current engagements with European clients. Hence, Calcey preparations for GDPR is focused the following;

  • Getting Data Protection Agreements in place with data controllers to formalize governance of data
  • Educating staff about the requirements, risks and responsibilities created by GDPR
  • Minimising access to sensitive data and using anonymisation/pseudonymisation to minimise risks in the event of a breach
  • Conducting an internal audit to identify, assess, mitigate and minimize risks, even though Calcey’s exposure to sensitive data is minimised by the above

Of course, much more remains to be done. GDPR is certain to become an on-going theme and will be a key consideration in all future architecture discussions when new projects are being initiated. The tight coupling of functionality with user data is already a thing of the past.

The transition to comply with the new regulations will be chaotic and will re-shape the internet economy. How the many successful internet giants who rely on businesses models where users exchange personal information for free services, will evolve, remains very much an open question. Stay tuned for more blog posts around the topic, as we along with the rest of the world, continue to grapple with this new reality.

References
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
https://gdpr-info.eu/
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
https://www.dpnetwork.org.uk/opinion/gdpr-consent-ico-draft-guidance/