Across the EU, the General Data Protection Regulation (GDPR) is just a few months from coming into force. It is set to change the way data can be collected, stored and used and will impact all businesses - software development companies are no different. If it’s an area you’ve not yet considered, we’ve identified the seven key terms that you should be assessing.
First up, what is GDPR and why is it something that matters to all businesses?
The GDPR is EU-wide regulation that will be coming into force on 25 May 2018, following a two-year transition period. It aims to strengthen and unify the regulations that relate to personal data.
The extensive regulation covers a variety of different areas, from how the data is collected to begin with to when it should be deleted. It extends to cover existing data too.
It’s a change that businesses need to be aware of, not least because of the potential sanctions they face should they fail to adhere to GDPR. While first-time offenders and those found to be non-compliant unintentionally will receive a written warning, the sanctions can reach up to €20 million or 4% of annual worldwide turnover.
Why does GDPR matter to software development companies?
Like all businesses operating in the digital era, software development companies are very likely to hold some forms of personal data. If you’re a company that writes data centric web or mobile applications or if you are a business that holds customer data, GDPR will influence the way you should be operating.
With just weeks left until GDPR comes into effect, it’s time to assess your current procedures and how they will need to adapt.
Whether you’ve yet to consider the impacts of GDPR at all or you’re refining your changes, there are seven core areas that software development companies should be focussing on. With the right blueprint moving forward, you can be sure that you’re ticking all the GDPR compliance boxes before the deadline.
Personal data
The protection of personal data is what underpins the GDPR. Assessing what personal information you collect and hold is the first step to understanding exactly how much the changes will affect your business operations.
The term personal data encompasses a huge selection of data that can either directly or indirectly lead to a person being identified. This means that data such as full name with address, phone number, email address, bank details, medical data, social networking websites, and computer IP address are all considered personal data. The majority of businesses hold at least some form of personal data.
Data controllers
Under the existing Data Protection Act (DPA), there are already rules relating to the data controller, the individuals that process personal data. The role of data controllers is going to be under even more scrutiny. To ensure that you’re GDPR compliant, you need to consider who currently has access to the personal data that you store and whether that access is necessary. In some businesses, you may find that you’ll need to change data controller privileges or create a tiered system, where some employees can only access limited amounts of personal data.
Data processors
Like data controllers, the role of data processors will also need to be assessed. Data processors are the third parties that you work with, such as software development companies, web hosting providers and network infrastructure providers. You’ll now be responsible for taking reasonable steps to ensure that the businesses you work with are also GDPR compliant, as well as considering how they use the personal data you give them access to.
Right to be forgotten
One of the core changes that GDPR brings in for individuals is the right to be forgotten. Should the individual request it, your data controllers and data processors have the responsibility to ensure that all their personal data is removed entirely or risk sanctions, although there are some exceptions, for example if personal data needs to be retained for legal reasons.
Businesses need to take two steps where this area is considered. The first is with staff training to ensure that the right to be forgotten is carried out. Secondly, you need to make requesting the right to be forgotten accessible for those you hold information on.
Data protection officer
Depending on your business, you may need to appoint a Data Protection Officer, who will have the formal responsibility for data protection compliance within the business. This ruling applies to all public authorities, to businesses that carry out large-scale systematic monitoring of individuals, and to those who store special category data.
Pseudonymisation
Within your business it might be necessary to take pseudonymisation steps. Pseudonymisation is the process where the most identifying fields within a data record are replaced by artificial identifiers, or pseudonyms. It allows you to process personal data in such a way that the data can no longer be linked to the data subject without the addition of extra information, which must be kept separately. It’s one way of limiting the data that you hold, controlling the data employees have access to and improving security.
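One way to implement the pseudonymisation step described above, as an added example in Python (not code from the original article): the identifying fields are replaced with keyed HMAC pseudonyms, and the mapping back to the real values is returned separately so it can be stored under tighter access control. The field names, sample records and secret key are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person; everything else in a record stays as-is.
# Constructed for this example; a real schema will have its own list.
IDENTIFYING_FIELDS = ("name", "email", "phone")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a normalised value, truncated to 16 hex characters.
    A keyed hash (rather than a plain hash) means someone holding only the
    pseudonymised records cannot rebuild the link by hashing likely values."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes, fields=IDENTIFYING_FIELDS):
    """Return (pseudonymised copy, lookup). The lookup maps each pseudonym back
    to the original value: this is the 'extra information' that must be kept
    separately from the working dataset."""
    out = dict(record)
    lookup = {}
    for field in fields:
        if out.get(field) is not None:
            p = pseudonym(str(out[field]), key)
            lookup[p] = out[field]
            out[field] = p
    return out, lookup


def reidentify(record: dict, lookup: dict, fields=IDENTIFYING_FIELDS) -> dict:
    """Restore the original values, only possible with access to the lookup."""
    out = dict(record)
    for field in fields:
        if out.get(field) in lookup:
            out[field] = lookup[out[field]]
    return out


# Constructed sample data: two records for the same (fictional) person.
SAMPLE = [
    {"name": "Ada Lovelace", "email": "ada@example.com", "phone": "+44 20 0000 0000", "plan": "pro"},
    {"name": "Ada Lovelace", "email": "ADA@example.com", "phone": "+44 20 0000 0000", "plan": "trial"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-deployment secret, stored apart from the data
    for original in SAMPLE:
        pseudo, lookup = pseudonymise(original, key)
        print(pseudo)  # identifying fields replaced, "plan" untouched
        assert reidentify(pseudo, lookup) == original
```

Because the same key gives the same pseudonym for the same value, records belonging to one person still join correctly in the pseudonymised dataset, while a different key (or no key) yields unrelated identifiers.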
Privacy impact assessment
Finally, putting a stringent privacy impact assessment (PIA) in place can help you identify and resolve potential problems at the early stage of any data capture project. PIAs are a key component of the privacy by design approach put forward by the GDPR changes and can help streamline how businesses operate under the regulations.
With the right plan, GDPR shouldn’t negatively affect your software development activities. In fact, it can be a bonus, giving consumers greater confidence in your brand and improving your trustworthiness. While existing processes might need to change to reflect GDPR, it doesn’t have to be a time consuming task that takes resources away from other business critical areas.
If you are collecting any personal data and want to complete a review of the impact the new GDPR regulations will have on your business, we can offer you dedicated support; all you need to do is get in touch. We’re a bespoke software development company with a focus on web and mobile application development that understands the rules of GDPR.