Facebook has lately been in the news for the wrong reasons. The revelation that Cambridge Analytica harvested Facebook users' data and used it to push targeted content at those users has kicked up a storm in the business world, and reasonably so. Data captured from users before, during or after a transaction stays with the company long after, and can be manipulated in different ways for business reasons.
In the absence of regulation, companies ranging from banks and financial institutions to e-commerce sites to service providers of every kind have been capturing user data on their websites and storing it in their databases for future use, with little restraint.
What is GDPR?
Long before the Facebook scandal, governments around the world had been debating the dangers of capturing and exploiting user data. That is why the European Union adopted its own regulation in April 2016: the GDPR, or General Data Protection Regulation. GDPR governs how, for how long and how much data may be captured, and how it must be managed thereafter. Organizations that do business in the EU, or that target end-users based in the EU, are required to comply; those that do not face severe fines and penalties (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher).
What does the GDPR advocate?
Under the GDPR, end-users or clients, called 'data subjects', have the following rights from the angle of data protection. These apply to companies of all sizes, from solo entrepreneurships to large multinationals (the last two items are strictly principles the organization must follow rather than rights the user exercises, but the user can hold you to them):
- Right to erasure, also called the right to be forgotten: the user can ask to be deleted from the system
- Right to restriction of processing: in certain cases (for example while the user contests the accuracy of the data or objects to its processing) the data may be stored but not otherwise processed, and must be marked as restricted
- Right to data portability: the user's personal data must be exportable in a structured, commonly used, machine-readable format
- Right to rectification: the user must be able to correct inaccurate personal data
- Right to be informed, in plain language rather than in terms and conditions worded as legalese
- Right of access: the user must be able to see clearly all the data about them that you are storing
- Data minimization: only the minimum data needed for the stated purpose may be collected
- Integrity and confidentiality: the organization must keep the data safe and secure and ensure it cannot be modified or manipulated without authorization
In addition to the above, organizations must keep a record of the processing activities carried out on users' personal data. The GDPR exempts organizations with fewer than 250 employees from this only where the processing is occasional, poses no risk to the data subjects' rights and involves no special categories of data, so in practice most businesses that process customer data should keep the record regardless of headcount.
As the deadline for GDPR compliance for all online websites, portals and applications approaches (25 May 2018), software developers need to be aware of the data-management practices the GDPR requires. Below are best practices, dos and don'ts that serve as technical guidelines for protecting users' personal data. Personal data means not only what companies capture from users on their websites or elsewhere, but also whatever data they buy from third-party providers. Whether these guidelines are automated or handled manually will depend on the size of the organization and its current data-management practices.
- Forgetting users: Design the data model so that, when a user asks to be deleted, every personal field is removed and only an opaque user ID is retained. Keep the forgotten IDs in a separate suppression table so that the ID is never reused and is not silently re-created by a later import from a third-party system.
- Third parties must be notified of erasure: Once the user's data is deleted from your own system, contact the third parties that received it from you, such as Facebook, Twitter, Google+, Salesforce or HubSpot, and initiate deletion from their systems as well.
- Restricted processing: Give the user an option to mark their profile as 'restricted processing'. The data is then kept but flagged so that it is neither shown to the public nor processed by back-office staff or batch jobs, other than being stored, until the restriction is lifted.
- Exportable data: The 'forget me' feature deletes the user's personal data, but a record of transactions (for accounting, for example) may still be retained. Both the transaction records and the personal information must be exportable on demand by the user.
- Editing the profile: Users must be able to edit, through the user interface, the personal information you captured from them directly as well as what you fetched from third parties.
- Consent boxes: Present a list of the purposes for which the user's data will be processed, with a separate consent box for each so the user can check or uncheck them individually; pre-ticked boxes do not count as consent. Record each decision in the database together with when it was made and which version of the consent wording was shown, so that you can demonstrate consent later.
- Re-request consent: If the user appears confused by the consent boxes, or if you need to use the data for a purpose for which no consent has been given, send the user a clear request with the necessary explanation and obtain consent before proceeding.
- Show "all my data": Once consent has been given, the same data should be exportable and displayed in the UI so that users can see for themselves what is held about them.
- Age checks: The GDPR sets the age of digital consent at 16, and member states may lower it to as little as 13. Below that age, users must declare their age and parental permission must be obtained, for example by collecting a parent's e-mail address and confirming consent through it, before they use certain functions or sites or consent to the use of their data.
- Deadlines for storing user data: Certain user data should be kept only as long as one or more activities require it, and must be deleted thereafter by a retention-deadline function, with the ability to extend the deadline in an emergency (a legal hold, for instance).
- Data must be encrypted in transit: Communication between users and the application, and between the application layer and the database, should use TLS. A self-signed or internal-CA certificate is acceptable for the internal database link only if the client is configured to verify it (by pinning the certificate or trusting the internal CA); TLS with verification switched off stops passive eavesdropping but not an active man-in-the-middle, and is not 'encrypted in transit' in any meaningful sense.
- Data at rest must also be encrypted: Store the encryption keys separately from the data they protect, in a key management service or HSM, whether on your premises or in the cloud; a key sitting next to the database it encrypts adds nothing when the database is stolen.
- All backups must be encrypted, and the backup keys managed with the same care, since a backup is the copy most likely to leave your control.
- Use of pseudonyms: When user data is used on test or staging servers, replace personal fields with pseudonyms (or use synthetic data). Use a keyed hash with a secret that never leaves production, not a plain hash, since an unkeyed hash of an e-mail address can be reversed simply by hashing a list of likely addresses.
- Integrity of data must be protected: Implement authenticated encryption or keyed hashes (HMACs) over stored records so that tampering can be detected; a plain checksum catches accidental corruption but not deliberate modification. Keep a single source of truth so that an update to a record is reflected consistently everywhere the application uses it.
- Maintain a register of all activities that process user data: This is mandated by the GDPR (Article 30), and the register can be kept in an application or microservice maintained on-premises.
- Logging access to user data: Log every read of a user's personal data, with who read it and for what purpose, so that you can show the data has not been accessed or processed without a valid reason.
- Registering third-party APIs: Third parties must not have open-ended access to user data through APIs. Every API consumer must be registered with full contact information, given its own credentials, and limited to the data its purpose requires.
- Don't use data unless the user has consented: Although this was covered under consent boxes, note that every time a new processing activity is added to the register of activities it needs its own lawful basis; where that basis is consent, it must be obtained afresh from every user for that specific purpose, and existing consents cannot be stretched to cover it.
- Personal data must not be logged: Log only identifiers, never the user's personal data, and make sure old logs that do contain it are cleaned up.
- Capturing unnecessary data: Unlike the past, when forms had a great many fields, the GDPR insists on collecting the minimum. For example, if the site is not an e-commerce site, fields such as address, zip code and telephone number need not, and must not, be captured.
- Trusting third parties blindly: Even if you comply with every GDPR guideline yourself, ensure that third parties given access to user data through APIs are compliant too; otherwise, in the event of a breach, you are at serious risk. Sign a clear data-processing contract with every third party that sets out what it may do with the data and how it must protect it.
- GDPR compliance is separate from your quality systems: Quality standards such as ISO 9001 or SEI-CMM do not necessarily cover the GDPR guidelines above, so always undertake GDPR audits in addition to your quality audits.
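To make the data-model guidelines above concrete (forgetting users, restricted processing, exportable data, consent boxes, retention deadlines and access logging), here is an added example in Python; it is not code from the original article or from any product. It uses an in-memory SQLite database, and the table names, columns, purpose strings and the injectable clock are assumptions chosen for illustration.

```python
"""Personal-data store sketching the erasure, restriction, consent, export, retention and
access-logging guidelines above. Added example, not the article's own code; table and field
names are assumptions, and the clock is injectable so retention deadlines can be exercised."""
import json
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, email TEXT, name TEXT, phone TEXT,
    restricted INTEGER NOT NULL DEFAULT 0,   -- 1 = subject asked for restricted processing
    retain_until TEXT NOT NULL);             -- retention deadline, ISO-8601 in UTC
CREATE TABLE consents (user_id TEXT NOT NULL, purpose TEXT NOT NULL, granted INTEGER NOT NULL,
    recorded_at TEXT NOT NULL, text_version TEXT NOT NULL, PRIMARY KEY (user_id, purpose));
CREATE TABLE transactions (txn_id TEXT PRIMARY KEY, user_id TEXT NOT NULL,
    amount_cents INTEGER, created_at TEXT);  -- business records that outlive the profile
CREATE TABLE forgotten (user_id TEXT PRIMARY KEY, forgotten_at TEXT NOT NULL);  -- suppression list
CREATE TABLE access_log (at TEXT, actor TEXT, user_id TEXT, purpose TEXT, allowed INTEGER);
"""
PERSONAL_FIELDS = ("email", "name", "phone")


class PersonalDataStore:
    def __init__(self, now=None):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _iso(self, dt=None):
        return (dt or self._now()).isoformat()

    def add_user(self, user_id, retain_days=365, **personal):
        # A forgotten id must not be silently re-created, e.g. by a nightly CRM import.
        if self.db.execute("SELECT 1 FROM forgotten WHERE user_id=?", (user_id,)).fetchone():
            raise ValueError(f"{user_id} was erased; refusing to re-create it")
        until = self._iso(self._now() + timedelta(days=retain_days))
        self.db.execute("INSERT INTO users VALUES (?,?,?,?,0,?)",
                        (user_id, *(personal.get(f) for f in PERSONAL_FIELDS), until))

    def add_transaction(self, txn_id, user_id, amount_cents):
        self.db.execute("INSERT INTO transactions VALUES (?,?,?,?)",
                        (txn_id, user_id, amount_cents, self._iso()))

    def record_consent(self, user_id, purpose, granted, text_version):
        # Keep when, and to which wording, the subject said yes or no, not just a boolean.
        self.db.execute("INSERT OR REPLACE INTO consents VALUES (?,?,?,?,?)",
                        (user_id, purpose, int(granted), self._iso(), text_version))

    def set_restricted(self, user_id, restricted=True):
        self.db.execute("UPDATE users SET restricted=? WHERE user_id=?", (int(restricted), user_id))

    def read_personal(self, actor, user_id, purpose):
        """Staff/system read path: logged every time, refused without consent for the
        purpose or while the subject has restricted processing."""
        row = self.db.execute("SELECT restricted FROM users WHERE user_id=?", (user_id,)).fetchone()
        consent = self.db.execute("SELECT granted FROM consents WHERE user_id=? AND purpose=?",
                                  (user_id, purpose)).fetchone()
        allowed = row is not None and row[0] == 0 and consent is not None and consent[0] == 1
        self.db.execute("INSERT INTO access_log VALUES (?,?,?,?,?)",
                        (self._iso(), actor, user_id, purpose, int(allowed)))
        if not allowed:
            return None
        vals = self.db.execute("SELECT email,name,phone FROM users WHERE user_id=?", (user_id,)).fetchone()
        return dict(zip(PERSONAL_FIELDS, vals))

    def access_log(self, user_id):
        return self.db.execute("SELECT at,actor,purpose,allowed FROM access_log WHERE user_id=?",
                               (user_id,)).fetchall()

    def export_user(self, user_id):
        """Right of access / portability: everything held on the subject, machine-readable."""
        u = self.db.execute("SELECT email,name,phone,restricted,retain_until FROM users "
                            "WHERE user_id=?", (user_id,)).fetchone()
        cons = self.db.execute("SELECT purpose,granted,recorded_at,text_version FROM consents "
                               "WHERE user_id=?", (user_id,)).fetchall()
        txns = self.db.execute("SELECT txn_id,amount_cents,created_at FROM transactions "
                               "WHERE user_id=?", (user_id,)).fetchall()
        return json.dumps({
            "user_id": user_id,
            "personal": dict(zip(PERSONAL_FIELDS + ("restricted", "retain_until"), u)) if u else None,
            "consents": [dict(zip(("purpose", "granted", "recorded_at", "text_version"), c)) for c in cons],
            "transactions": [dict(zip(("txn_id", "amount_cents", "created_at"), t)) for t in txns],
        }, indent=2)

    def forget_user(self, user_id):
        """Right to erasure: personal fields and consents go; the opaque id is kept in the
        suppression table and transactions survive with nothing but that id attached."""
        self.db.execute("DELETE FROM users WHERE user_id=?", (user_id,))
        self.db.execute("DELETE FROM consents WHERE user_id=?", (user_id,))
        self.db.execute("INSERT OR IGNORE INTO forgotten VALUES (?,?)", (user_id, self._iso()))

    def purge_expired(self):
        """Retention deadline: erase every profile whose retain_until has passed."""
        expired = [r[0] for r in self.db.execute(
            "SELECT user_id FROM users WHERE retain_until < ? ORDER BY user_id", (self._iso(),))]
        for uid in expired:
            self.forget_user(uid)
        return expired
```

The suppression table is what makes 'forget me' stick: without it, a later import from a third-party system that still holds the user would quietly re-create the profile. The access log stores only the opaque ID, the actor and the purpose, never the personal fields themselves, in line with the logging guideline above, and the data subject's own export path does not go through the purpose check, since the right of access does not depend on consent.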
Ensuring GDPR compliance at your organization may require a redesign of your data models, storage techniques, data flows and API calls for better data protection. Supervisory authorities will use a thorough checklist to gauge your level of compliance.
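For the 'Use of pseudonyms' guideline above, here is an added example in Python (not from the original article) showing why the pseudonyms handed to a staging database need a secret key. The rows, field names and guess list are constructed for the example, and the HMAC key is assumed to be generated and held in production only, never copied to staging.

```python
"""Keyed pseudonymization of a production extract for a staging database.
Added example, not the article's own code; rows, field names and the key
handling are assumptions. The secret key stays with production."""
import hashlib
import hmac
import secrets

# Constructed sample rows standing in for a production export.
PRODUCTION_ROWS = [
    {"user_id": "u1", "email": "ann@example.com", "phone": "+44 20 7946 0000", "plan": "gold"},
    {"user_id": "u2", "email": "bob@example.com", "phone": "+44 20 7946 0001", "plan": "free"},
    {"user_id": "u3", "email": "ann@example.com", "phone": "+44 20 7946 0002", "plan": "gold"},
]
PERSONAL_FIELDS = ("email", "phone")


def pseudonym(key: bytes, field: str, value: str, length: int = 16) -> str:
    """Deterministic keyed token: equal values map to equal tokens, so joins and duplicate
    detection still work in staging. The field name is mixed in so an e-mail and a phone
    number that happened to share text would still get different tokens."""
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def unkeyed_token(value: str, length: int = 16) -> str:
    """What NOT to ship to staging: a plain hash that anyone can recompute."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()[:length]


def pseudonymize(rows, key: bytes):
    """Replace every personal field with its pseudonym; other fields pass through."""
    out = []
    for row in rows:
        r = dict(row)
        for f in PERSONAL_FIELDS:
            r[f] = pseudonym(key, f, r[f])
        out.append(r)
    return out


def dictionary_attack(token: str, candidates, token_fn):
    """Someone holding the staging dump and a list of likely e-mail addresses recomputes
    the token for each candidate and returns the one that matches, if any."""
    for c in candidates:
        if hmac.compare_digest(token_fn(c), token):
            return c
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated in production, never copied to staging
    staging = pseudonymize(PRODUCTION_ROWS, key)
    print(staging)
    guesses = ["ann@example.com", "bob@example.com", "carol@example.com"]
    # The unkeyed scheme falls to a guess list; the keyed one does not.
    print(dictionary_attack(unkeyed_token("ann@example.com"), guesses, unkeyed_token))
    print(dictionary_attack(staging[0]["email"], guesses, unkeyed_token))
```

Because the token is deterministic under one key, the same e-mail address in two rows still pseudonymizes to the same value, so foreign keys and de-duplication logic behave in staging as they do in production. Rotating the key produces an entirely new set of tokens, which is also how you would re-issue a staging copy after a suspected leak.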
This has created a new breed of GDPR consultants who are likely to tell you that GDPR is extremely complicated and an expensive exercise. Be wary of such claims. GDPR compliance is not meant to be complicated. It consists of clear guidelines that can be incorporated into your existing processes and then enforced through discipline. Aloha Technology consultants can help you navigate the GDPR landscape easily.
Engage the right class of technology company and you can achieve GDPR compliance in a cost-effective and efficient manner. Aloha Technology has the right mix of expertise and experience to undertake such initiatives for your organization.