5 things you need to know about GDPR


GDPR requires organizations to ensure that user data is well protected and not abused, that users give informed consent, and it subjects violations to huge fines.

The EU General Data Protection Regulation (GDPR) came into force on May 25, 2018. Even now, many people still know nothing about GDPR, let alone have a clear understanding of how it affects organizations or individuals. So, what is GDPR and who does it apply to? What are the consequences if you violate it?

You can read the official regulation and try to work out what it means, but that is a fantasy, because it is full of little gems like this:

"A group of enterprises shall cover a controlling enterprise and its controlled enterprises, among which the controlling enterprise shall be the enterprise that can have a major influence on the other enterprises" (Article 37 of the GDPR)

...I don't think there is anything you can do with big concepts like these!

So I think it is worth breaking it down, at least from a software perspective, and looking at the key issues you should understand. If you find it will affect you, you will certainly want to dig deeper. GDPR will eventually touch many parts of your organization, and you want to get it right.


What is GDPR?

GDPR aims to protect citizens' data. This means controlling access to data, not storing unnecessary data, encrypting personal data, and anonymizing data where possible; in other words, taking every step that limits the likelihood of a data leak and its impact when one occurs. Privacy also covers unauthorized use of data, such as tracking users without their consent, and any other use of data without their explicit consent.

In the words of its own website, the GDPR "is designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations handle data privacy throughout the region."

The GDPR also incorporates the EU's "right to be forgotten": if someone asks for their data to be deleted from your systems, it must be done within a reasonable time. The reporting requirements are also strict.

Let's look at the 5 main questions below.

1. Who needs to comply with GDPR regulations?

EU companies obviously need to comply with the GDPR, but even if you are located elsewhere, you have to comply if you have customers in the EU.

If you do not store any personal information, you are not bound by it, but anyone holding EU personal data must comply with the guidelines. The same is true if you have employees in the EU.

Sharing user data, or obtaining user data from elsewhere, can sometimes be tricky. If someone exercises the right to be forgotten, you must chase down every one of those shares and wipe the data everywhere. So even if you obtain the data from others who transfer EU personal data to you, you must comply with the guidelines.

2. Consent and transparency

The GDPR states that users must agree to the collection of any data about them, and that consent must be given by a "clear affirmative act." Clear and affirmative means the user must do something to opt in, rather than the usual "you are in unless you opt out" approach.

"In order to obtain informed consent, the data subject should at least know the identity of the controller and the processing purpose for which the personal data is intended to be used." (Article 42 of the GDPR)

On the web, a good example is a registration form that tells you that data will be collected, what data it is, how it will be used, and how to opt out (or be forgotten) in the future, and then requires the user to do something to agree, such as ticking a check box. The days of the pre-ticked box are over; the GDPR specifically prohibits such currently typical methods:

“Therefore, no acquiescence, pre-selection or waiver constitutes consent.” (Article 32 of the GDPR).

Data must be used for specific purposes related to the reason it was collected, and these must be explained to the user:

"The collection, use, consultation or other processing of personal data relating to natural persons, and the extent to which such personal data are or will be processed, shall be transparent to those natural persons" (Article 39 of the GDPR)

3. Control over personal data

EU citizens are granted full control over their personal data, including the right to access, transfer, correct and be forgotten; this includes "mechanisms for requesting and obtaining, free of charge, in particular access to, correction of, and erasure or deletion of personal data, and for exercising the right to object." (Article 59 of the GDPR)

The right to access data is based on Article 63 of the GDPR, "The data subject shall have the right to access personal data", while the right to correction is Article 65 of the GDPR, "The data subject shall have the right to correct his or her personal data." Next time you fight with a credit reporting agency, think about that and wish you could apply it to your own data.

The GDPR further ensures that no vendor can lock in user data. The right to transfer data is also set out:

"The data subject shall also be allowed to receive the personal data about him or her that he or she provided to the controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller." (Article 68 of the GDPR)

This means you can get your data from a provider in a reasonable digital form in order to move it to another provider.

The right to be forgotten extends to organizations with which data is shared:

"The right to erasure should also be extended in the following way: the controller who has disclosed personal data should be obliged to inform the controllers who are processing such personal data to erase any links to, or copies or replications of, such personal data." (Article 66 of the GDPR)

In other words, erasure must cascade.

If you obtain data about a person from another organization and intend to use and/or store it, you must notify that person so that they can knowingly consent (see GDPR Articles 60 and 61). The same is true if you decide to use the data in a way not covered by the original consent.

"If the controller intends to process personal data for purposes other than the purpose of collection, the controller shall provide the data subject with information about that other purpose and other necessary information before further processing." (Article 61 of the GDPR)

And watch out for automated algorithms, such as those deciding loan applications:

"The data subject shall have the right not to be subject to any decision, which may include a measure assessing personal aspects relating to him or her, which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, for example automatic rejection of an online credit application or electronic recruitment practices without any human intervention" (Article 71 of the GDPR)

If you are using a fully automated algorithm to make such decisions, this should make you shudder.

4. Data protection: management and defense

Once you have someone's data, you need to manage and protect it appropriately. The real key is so-called "personally identifiable information" (PII). PII has a very broad definition: anything that can directly or indirectly identify an individual, including cookie IDs and IP addresses. If you are going to perform any kind of web analytics, then you are collecting PII and you need to make sure that what you do complies with the GDPR.


One of the key aspects of handling PII under the GDPR is the concept of security by design. The regulation stipulates:

"The controller shall adopt internal policies and implement measures that meet, in particular, the principles of data protection by design and data protection by default." (Article 78 of the GDPR)

Security by design is a way of saying that you cannot simply test security and data protection into your application. You need to design the application to be secure in the first place, rather than building some code and then trying to red-team it, so that things like encryption are on by default and turned off only under approved exceptions. Ensuring security through design also means taking static code analysis seriously, with an emphasis on software engineering standards and "preventive" static analysis rules.

Moreover, if you are collecting health-related data, you need to be extra careful to keep it secure (see Article 53 of the GDPR), although certain types of health research are subject to different rules than, say, marketing uses (see Article 54 of the GDPR).

Data retention is another important issue when collecting and storing PII. The main principle here is not to keep data that is no longer needed:

"...the right to have personal data erased where that personal data is no longer needed" (Article 65 of the GDPR).

In other words, data used only for a temporary purpose (such as completing a transaction) should exist only for the time required. After that, you should clear it rather than keeping it for convenience or future analysis.
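One way to turn the portability, cascading-erasure and retention requirements from sections 3 and 4 into code, as an added example that is not from the original post: a small in-memory registry that exports a subject's data in a machine-readable form, notifies every downstream controller on erasure, and purges records once their purpose's retention period has passed. The store, its record fields, the subject, purposes, recipient and retention periods are all constructed for the example.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Record:
    purpose: str                # why the data was collected
    data: dict                  # the personal data itself
    collected: datetime
    retention: timedelta        # how long this purpose needs the data
    shared_with: set = field(default_factory=set)  # downstream controllers

class PersonalDataStore:
    def __init__(self):
        self.records = {}          # subject_id -> list of Record
        self.erasure_notices = []  # (recipient, subject_id) sent downstream

    def add(self, subject_id, record):
        self.records.setdefault(subject_id, []).append(record)

    def export(self, subject_id):
        """Portability: a structured, machine-readable copy of what is held."""
        held = self.records.get(subject_id, [])
        return json.dumps([{"purpose": r.purpose, "data": r.data,
                            "collected": r.collected.isoformat()} for r in held])

    def erase(self, subject_id):
        """Right to be forgotten: delete locally and notify every recipient (cascade)."""
        recipients = set()
        for r in self.records.pop(subject_id, []):
            recipients |= r.shared_with
        self.erasure_notices += [(x, subject_id) for x in sorted(recipients)]
        return recipients

    def purge_expired(self, now):
        """Retention: drop records whose purpose no longer needs them."""
        purged = 0
        for sid, recs in self.records.items():
            keep = [r for r in recs if r.collected + r.retention > now]
            purged += len(recs) - len(keep)
            self.records[sid] = keep
        return purged

def sample_store():
    """Constructed data (not real): one subject, one record shared with a shipper."""
    store, t0 = PersonalDataStore(), datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.add("u1", Record("order fulfilment", {"address": "1 Example St"},
                           t0, timedelta(days=30), {"shipper-controller"}))
    store.add("u1", Record("account", {"email": "u1@example.com"}, t0, timedelta(days=3650)))
    return store, t0
```

Running `purge_expired` a year later drops the 30-day fulfilment record but keeps the account record, and `erase` leaves behind a notice for the shipper as well as an empty export.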

It is important to be able to show that you actually need the data you collect:

"The data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place" (Article 47 of the GDPR)

After that, you cannot simply use the data for other purposes, unless the new purpose is related to the original purpose of the data and/or its processing (analysis).

"Only if the processing is compatible with the purpose for which the personal data was originally collected, the processing of personal data should be permitted for purposes other than the purpose for which the personal data was originally collected." (Article 50 of the GDPR)

5. What happens if I violate it?

Violations result in fines. The EU can impose daily fines for persistent violations. Fines can be based on the revenue of the parent organization, so they may be larger than you think. The fine depends on which part of the law is violated and can be as high as 20 million euros. Make sure you can prove compliance.

"In order to prove compliance with this regulation, the controller or processor shall keep records of the processing activities under its responsibility." (Article 82 of the GDPR)

So what should you do?

I would like to tell you that you can use a simple tool, or a set of tools, and simply be GDPR compliant, but that is not the case. Even so, Parasoft can help you a great deal. First, you can use the Java, C/C++ and .NET static code analysis engines with good security and privacy configurations to make sure your code is as secure as possible. You can even configure them to enforce strict coding policies, such as encryption by default.

Second, you can use service virtualization to drive complete end-to-end testing early, on the developer's desktop. Being able to fully test what happens to the data without an expensive test lab makes compliance easier, and letting developers test more deeply means you find problems earlier and more cheaply.

Summary

Given the potential financial penalties, this is a bit frightening, and in a sense it should be. But in general, unless your business model is based on tracking users and selling their data, it is actually not that scary. If you have a typical business model, with customer data and sales, you will find that compliance is not a headache, and with data breaches becoming ever more frequent, it can also make your whole system more secure. What you need to do is formulate the right strategy, test comprehensively, and ensure your data privacy through powerful static code analysis.


Source: blog.51cto.com/11855672/2576972