May 25 marks the target for GDPR compliance in the EU here are some key points that a US Developer should look at
The Changing Privacy Landscape The revamp will modify the Data Protection Directive of 1995
First is the General Data Protection Regulation or GDPR
All of the existing principles from the original Directive stay with us under GDPR. What GDPR adds is new definitions and requirements to reflect changes in technology which simply did not exist in the dialup era.
The second half is the revamp of the ePrivacy Directive of 2002
(You know it, somewhat inaccurately, as the “cookie law.”) This revamp, which deals with data in transit such as cookies, telemetry, metadata, and consent for marketing. ePD is still in draft but look for a deadline of late this year/beginning of 2019.
What should you know about these changes?
GDPR pertains to personal data
defined as “any information relating to an identified or identifiable natural person.
Includes multiple data points or combinations that create a record
- Genetic data
- Biometric data (such as facial recognition or fingerprint logins)
- Location data
- Pseudonymized data
- Online identifiers This includes Sensitive personal data: requires stricter protection-pay attention devs
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Sex life or sexual orientation
- Past or spent criminal convictions Personal data is used, stored and manipulated by data controllers and data processors.
The controller you or the organization you represent
Data processor is any entity that processes the data for the controller
GDPR covers only Europe, right? NO
If you deal with data from any European entity (customers, users, business, etc) you need to protect it under GDPR. The fact that the USA currently doesn't have a far reaching set of laws or governances for protecting data is not a reason to push this under the rug. The US views these privacies mostly under contract and property law - right now; but remember the internet has no boundaries. Pretty soon there will be a collision of practices about how we protect data so start doing it now as much in accordance to GDPR as you can within your purview. Data protection is not overtly protected by law - the responsibility is very much in the hands of engineers who create and implement these processes.
What you can do now
The Privacy by Design framework
a seven-point development methodology which requires optimal data protection to be provided as standard, by default, across all uses and applications.
Privacy Impact Assessment
TRAINING AND PROFESSIONAL DEVELOPMENTinclude legal and industry specific and methodologies, frameworks
Technical And Security Measures most data breaches begin internally think access control, segregated data
- Healthy data protection workflows
- Avoid unnecessary data capture or loss
- Require everyone in your project to work from a clearly defined set of code libraries, tools, and frameworks
Technical and security measures to address third parties
Disable unsafe or unnecessary modules ( in APIs and third-party libraries)
Code Reviews
Minimization in front and back end UI design where data is collected
Map where data is stored, protected, encrypted, and sandboxed
Data should be deleted automatically or through user actions
CONSENT AND SUBJECT ACCESS
front end provide better consent mechanisms and user controls
- UI for individual subject access rights, such as the right to edit and correct information, the right to download data, the right to restrict processing, and the right to data deletion. (think account settings)
- develop ways to alert users to any applicable choices and options
On the back end, develop to enforce user consent
- Procedures such as penetration testing
- Test for data protection by default
- Develop ways for the public to notify if your data has been breached GDPR is really about adopting common-sense safeguards for data protection and privacy as fundamental parts of your development workflow. Here is the full GDPR Code of Practice as a start in making changes
Anonymisation managing data protection risk code of practice
The Privacy by Design framework
Privacy Impact Assessment
Key ideas
* Consent
* Notification of data breach
* Right to be forgotten
every individual reserves the right to ask for the deletion of their personal data in situations when the data is no longer required
Top comments (10)
We're working on it. We're currently building systems left right and center to be ready.
It's a fantastic move from the EU, I just don't know where stand on analytics data and that's what gets me. Is location, (read: country) data considered personal data? Personally I'd say no, but it depends on the situation.
Yes, agreed. That really points to consent - imho. Creating UI experiences that put the onus on the product to provide triggers that give the user the option to consent to the retention and storage of the information is key to the success of that. What do you think?
I think you're probably correct. But at some point it might get ridiculous consistently agreeing to every websites data policy. And I wonder how many aren't going to adhere quite as well as they should.
I've also seen a lot of people online complain saying that small business owners now have more hoops to jump through, and I just don't see how?
Good point. Do you think this should be a browser issue as well? Maybe some of the responsibility could rest with browser policies. Instead of a user settings action. For example user inputs that don't just default to add/remove trusted sites. Like the options could include if/else on GDPR policies related to domain/url?
re: hoops
Regulations! Synonym for monetization.... The very reason why we fight the gov on regulating the internet. When you come up with a plan for that, let me know - we'll make >$$$ . lol
I believe I've read somewhere that browsers will have an auto-opt-in and out, and maybe that will alleviate some stress.
The best idea I've got for that is making a new country aha.
I haven't seen the browser implementation of opt/in-out yet but I was thinking it could even be an onboarding process. For example the way Chrome has a settings UI with sections. Also I was "pondering" it as part of the installation flow as well.
Yea, we do need a "new country" -- as in "United World of the Universe" or "Connected Earth". lol
We are working on it as well. I'm on this thread because we've been asked to make recommendations for clients on tools for determining user's locations. Anyone have suggestions?
That is definitely important. And timely. You probably will need different categories for your recommendations to clients.
For instance: if client is android - use the following methods...
If client is web - implement solution in the following way....
iOS do this....
They could be different and depend on the framework, the device(s) targeted, etc
Make sense?
It's actually the 25th - eugdpr.org/
Yes, you are right! Thanks for the update on that :) I made the edit. Appreciate it. Namaste!