Facebook is lately in the news for the wrong reasons. It’s arrangement with Cambridge
Analytica to harness Facebook users’ data and push targeted content to those users has
kicked up a storm in the business world; and reasonably so. Data captured from users
before, during or after a transaction remains with the company long-after, and can be
manipulated in different ways for business reasons.
In the absence of any regulation, companies ranging from Banks and Financial Institutions
to e-commerce companies to all kinds of service providers are recklessly capturing user
data on their websites and storing it in their databases for future use.
What is GDPR?
Long before the Facebook scandal rocked the world, governments around the world have been
debating the dangers of capturing and exploiting user data. That is why; the European
Union came up with its own set of regulations in April 2016, called the GDPR or
General Data Protection Regulation. GDPR governs how, how long and how much data
can be captured and how the same must be managed thereafter. Business organizations that
do business in the Europe, or primarily targeting end-users based in the Europe, are
mandated to follow the GDPR, failing which, they will be subject to severe fines and
What does the GDPR advocate?
As per the GDPR, end-users or clients, also called ‘data-subjects’ have the following
rights from the angle of data-protection. These apply to companies of all sizes – from
solo entrepreneurships to large multinationals:
- Right to erasure or the right to be forgotten or deleted from the system as a user
- Right to restriction in processing, that is, only when the user gives consent can
the data be processed, else, it must be marked as restricted
- Right to data portability, that is, user’s personal data must be exportable into any
machine readable format
- Right to rectification: the user must have the ability to correct some of his/her
- Right to be informed in simple language as against complex terms and conditions
worded in legal language
- Right of access, that is, the user should be able to clearly see all the data about
them that you are storing
- Right to data minimization, that is, minimum data about the user must be collected
- Right to integrity and confidentiality, that is, the organization must maintain the
data safely and securely, and ensure the data is not modified or manipulated in any
In addition to the above, companies with more than 250 employees must keep a record of
all the processing activities carried out on the user’s personal data.
As the deadline for implementing GDPR on all online websites, portals or applications
gets closer (25th May 2018), it’s important for software developers to be aware of the
data management guidelines recommended by the GDPR. Given below are some best practices,
dos and don’ts which serve as technical guidelines for protecting users’ personal data.
Personal data not only refers to what companies are capturing from users, on their
websites or otherwise, but also whatever data they are purchasing from 3rd party
providers. Further, these technical guidelines may or may not be automated depending on
the size of the organization and its current data-management practices.
- Forgetting users: The data model of the software must be so designed that if the
user seeks to have his data deleted, then, only the userid is maintained and all
other data is deleted, with the forgotten IDs maintained in a separate database.
- 3rd parties must be notified or erasure: Once the user data is deleted from your own
system, you should contact 3rd parties such as Facebook, Twitter, Googleplus,
Salesforce, Hubspot, etc and initiate the data delete from their systems as well
- Restricted processing: The user should be given an option to choose ‘restricted
processing’ for his profile, so that his/her data is not visible to the public or
- Exportable data: The ‘forget me’ feature may only delete the user’s personal data
but a record of transaction may still be maintained. These along with the personal
info should be exportable when demanded by the user
- Editing the profile: Users should be able to edit their personal information that
you have captured from them directly and fetched from 3rd parties, through the user
- Consent boxes: You should present a list of activities where the user data will be
processed, and provide consent boxes for each of them so that the user can check or
uncheck them as per his/her preference. The check-uncheck data should also be
clearly marked in the database
- Re-request consent: In case the user appears to be confused about the consent boxes,
or if you need to use the data for which there is no consent provided, you should
send a clear request to the user with necessary explanations and obtain consent if
- Show “all my data”: Once the consent(s) have been clearly provided by the user, the
same data should be exportable and displayed in the UI for the user’s
- Age-checks: Minors or those below 16/18 years of age must specify their age and show
parent permissions for using certain functions/sites, as well as giving consent of
their data, by providing the parent’s email ids
- Deadlines for storing user data: Certain user-data should only be maintained for as
long as one or more activities require the same and must be deleted thereafter by
using a deadline function, with the ability to change the deadline in case of
- Data must be encrypted in transit: Communication between the application layer and
database should be through TLS with the certificate being self-signed
- Data at rest must also be encrypted: The private key may be either stored on your
premises or in the cloud
- All backups must be encrypted
- Use of pseudonyms: When the user data is being used on test or staging servers,
pseudonyms should be used for them
- Integrity of data must be protected: Implement checksums or any other method for
data authentication, so that every-time some data is updated, its updated all
through the application
- Maintain a register of all activities that processed user-data: This is mandated by
the GDPR, and such data can be stored in an application or microservice maintained
- Logging access to user-data: Every read command on the user’s personal data must be
logged to ensure the data has not been accessed or processed without a valid reason
- Registering 3rd party APIs: 3rd parties should not have random or reckless access to
user data through APIs. Every API consumer should be clearly registered with all
- Don’t use data unless user has consented: While this was already covered under the
point about consent boxes, please note, every time a new processing activity is
added to the register of activities, user consent for this activity must be taken
afresh from all users.
- Personal data should not be logged: Log only the identifiers and do not log the
user’s personal data and ensure all old data logs are cleaned up.
- Capturing unnecessary data: Unlike the past when forms had a lot of fields, GDPR
insists that minimum data is captured. For example, if it’s not an e-commerce site,
fields such as address, zip code and contact number need not/must not be captured
- Trusting 3rd parties blindly: Even as you stay compliant with all GDPR guidelines,
ensure that 3rd parties who are given access to user data through APIs are also
compliant; else, in case of a data breach, you are at serious risk. This can be done
by signing a clear contract with every 3rd party.
- GDPR compliance has nothing to do with your Quality systems: Quality standards such
as ISO, SEI-CMM etc do not necessarily cover the above GDPR guidelines. So always
undertake GDPR audits irrespective of your Quality standard audits.
Ensuring GDPR compliance at your organization may require a redesign of your data models,
storage techniques, data flows and API calls, for better data protection. GDPR
regulators will have a thorough checklist that will be used to gauge your level of
This has created a new breed of GDPR Consultants who are likely to tell you that GDPR is
extremely complicated and an expensive exercise. Be wary of such claims. GDPR compliance
is not meant to be complicated at all. It involves clear guidelines that can be
incorporated within your existing processes and then enforced through discipline. Aloha
Technology consultants can help you navigate the GDPR milieu easily.
Engage the right class of technology company and you can enjoy GDPR compliance in a
cost-effective and efficient manner. Aloha Technology has the right mix of expertise and
experience to undertake such initiatives for your organization.