DEV Community

Judith
Judith

Posted on • Updated on

GDPR Is Making Changes In Tech Data Strategy, Are you ready?

May 25 marks the target for GDPR compliance in the EU here are some key points that a US Developer should look at

The Changing Privacy Landscape The revamp will modify the Data Protection Directive of 1995

First is the General Data Protection Regulation or GDPR

All of the existing principles from the original Directive stay with us under GDPR. What GDPR adds is new definitions and requirements to reflect changes in technology which simply did not exist in the dialup era.

The second half is the revamp of the ePrivacy Directive of 2002

(You know it, somewhat inaccurately, as the “cookie law.”) This revamp, which deals with data in transit such as cookies, telemetry, metadata, and consent for marketing. ePD is still in draft but look for a deadline of late this year/beginning of 2019.

What should you know about these changes?

GDPR pertains to personal data
defined as “any information relating to an identified or identifiable natural person.
Includes multiple data points or combinations that create a record

  • Genetic data
  • Biometric data (such as facial recognition or fingerprint logins)
  • Location data
  • Pseudonymized data
  • Online identifiers This includes Sensitive personal data: requires stricter protection-pay attention devs
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health data
  • Sex life or sexual orientation
  • Past or spent criminal convictions Personal data is used, stored and manipulated by data controllers and data processors.

The controller you or the organization you represent
Data processor is any entity that processes the data for the controller

GDPR covers only Europe, right? NO

If you deal with data from any European entity (customers, users, business, etc) you need to protect it under GDPR. The fact that the USA currently doesn't have a far reaching set of laws or governances for protecting data is not a reason to push this under the rug. The US views these privacies mostly under contract and property law - right now; but remember the internet has no boundaries.  Pretty soon there will be a collision of practices about how we protect data so start doing it now as much in accordance to GDPR as you can within your purview. Data protection is not overtly protected by law - the responsibility is very much in the hands of engineers who create and implement these processes.


What you can do now

The Privacy by Design framework
a seven-point development methodology which requires optimal data protection to be provided as standard, by default, across all uses and applications.
Privacy Impact Assessment
TRAINING AND PROFESSIONAL DEVELOPMENTinclude legal and industry specific and methodologies, frameworks

Technical And Security Measures most data breaches begin internally think access control, segregated data

  • Healthy data protection workflows
  • Avoid unnecessary data capture or loss
  • Require everyone in your project to work from a clearly defined set of code libraries, tools, and frameworks

Technical and security measures to address third parties
Disable unsafe or unnecessary modules ( in APIs and third-party libraries)
Code Reviews
Minimization in front and back end UI design where data is collected

Map where data is stored, protected, encrypted, and sandboxed
Data should be deleted automatically or through user actions

CONSENT AND SUBJECT ACCESS

front end provide better consent mechanisms and user controls

  • UI for individual subject access rights, such as the right to edit and correct information, the right to download data, the right to restrict processing, and the right to data deletion. (think account settings)
  • develop ways to alert users to any applicable choices and options

On the back end, develop to enforce user consent

  • Procedures such as penetration testing
  • Test for data protection by default
  • Develop ways for the public to notify if your data has been breached GDPR is really about adopting common-sense safeguards for data protection and privacy as fundamental  parts of your development workflow. Here is the full GDPR Code of Practice as a start in making changes

Anonymisation managing data protection risk code of practice
The Privacy by Design framework
Privacy Impact Assessment

Key ideas

*  Consent
*  Notification of data breach
*  Right to be forgotten
every individual reserves the right to ask for the deletion of their personal data in situations when the data is no longer required

Discussion (10)

Collapse
scottishross profile image
Ross Henderson

We're working on it. We're currently building systems left right and center to be ready.

It's a fantastic move from the EU, I just don't know where stand on analytics data and that's what gets me. Is location, (read: country) data considered personal data? Personally I'd say no, but it depends on the situation.

Collapse
jrohatiner profile image
Judith Author

Yes, agreed. That really points to consent - imho. Creating UI experiences that put the onus on the product to provide triggers that give the user the option to consent to the retention and storage of the information is key to the success of that. What do you think?

Collapse
scottishross profile image
Ross Henderson

I think you're probably correct. But at some point it might get ridiculous consistently agreeing to every websites data policy. And I wonder how many aren't going to adhere quite as well as they should.

I've also seen a lot of people online complain saying that small business owners now have more hoops to jump through, and I just don't see how?

Thread Thread
jrohatiner profile image
Judith Author

Good point. Do you think this should be a browser issue as well? Maybe some of the responsibility could rest with browser policies. Instead of a user settings action. For example user inputs that don't just default to add/remove trusted sites. Like the options could include if/else on GDPR policies related to domain/url?

re: hoops
Regulations! Synonym for monetization.... The very reason why we fight the gov on regulating the internet. When you come up with a plan for that, let me know - we'll make >$$$ . lol

Thread Thread
scottishross profile image
Ross Henderson

I believe I've read somewhere that browsers will have an auto-opt-in and out, and maybe that will alleviate some stress.

The best idea I've got for that is making a new country aha.

Thread Thread
jrohatiner profile image
Judith Author

I haven't seen the browser implementation of opt/in-out yet but I was thinking it could even be an onboarding process. For example the way Chrome has a settings UI with sections. Also I was "pondering" it as part of the installation flow as well.

Yea, we do need a "new country" -- as in "United World of the Universe" or "Connected Earth". lol

Collapse
bushwa profile image
Bushwazi

We are working on it as well. I'm on this thread because we've been asked to make recommendations for clients on tools for determining user's locations. Anyone have suggestions?

Collapse
jrohatiner profile image
Judith Author

That is definitely important. And timely. You probably will need different categories for your recommendations to clients.
For instance: if client is android - use the following methods...
If client is web - implement solution in the following way....
iOS do this....

They could be different and depend on the framework, the device(s) targeted, etc
Make sense?

Collapse
harrylincoln profile image
Harry Lincoln

It's actually the 25th - eugdpr.org/

Collapse
jrohatiner profile image
Judith Author • Edited on

Yes, you are right! Thanks for the update on that :) I made the edit. Appreciate it. Namaste!