Guide To GDPR Compliant Software Development: Get Your Business Ready

All You Need To Know About General Data Protection Regulation (GDPR)


GDPR, the EU regulation that raises the protection of the personal data and privacy of EU residents to a completely new level, is to be enforced from May 25. Fines for non-compliance with this regulation are rather large. If you do business in Europe, you will definitely need to know the following.

This new regulation standardizes data protection law across all EU member states. It will have an impact on businesses that offer products and services to EU residents, regardless of geographical location. Most importantly, it will change how personal customer data is collected, stored, and used, which means software products must meet GDPR compliance requirements.

GDPR will replace the Data Protection Directive (DPD), which dates back to 1995. In stark contrast to the new regulation, DPD was not a directly binding act. Each member state had to implement DPD principles in its own legislation. Fines for violations had to be specified locally and were out of proportion to the potential damage.

Difference between Data Protection Directive and GDPR

Meanwhile, over the 23 years of its existence, the digital world underwent global changes. Data became omnipresent, but there was no single unifying act that would regulate data protection issues equally and predictably. Until now.

The GDPR regulation is flexible enough to be universally applicable, and will be directly binding, not requiring any enabling legislation passed by governments. And unlike healthcare-oriented HIPAA, it goes far beyond covering a single specific sector. The fines imposed on a violating company can be as high as €20 million or 4% of total global revenue – whichever is larger.

Basic principles for data protection, according to GDPR

Before we proceed to basic principles of GDPR, let us clarify the 3 main roles:

Your business becomes a Data Controller, which is defined by Article 4 of GDPR as “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law.”

Additionally, there is a role of Data Processor, which is defined as “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” The company that creates software for you basically becomes the Data Processor for your clients. And if they are EU residents, they become Data Subjects.

That said, here are the guiding principles for personal data protection.

  • Lawfulness: Data should be processed only when there is a lawful basis for processing, e.g. consent, contract, legal obligation.
  • Transparency: Information provided to Data Subjects should be in a concise, easy-to-understand format.
  • Purpose Limitation: Data may be collected only for specific, explicit, legitimate purposes.
  • Data Minimization: Processing of data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is used.
  • Accuracy: Data should be accurate and kept up to date.
  • Storage Limitation: Data should not be held in a format that permits personal identification any longer than necessary.
  • Security: Data should be processed in a manner that ensures security and protection against unlawful processing, accidental loss and damage.
  • Accountability: The Data Controller is responsible for demonstrating compliance.

In a nutshell, GDPR gives control to EU residents. It provides them with the right to know what is going to be done with their data. They can have incorrect data corrected or have data erased. They can restrict or object to data processing. They have the right to obtain copies of all the data being processed and not be subject to automated processing. All of these rights must be met at no charge, within 1 month upon request.

It is worth noting that cases may differ according to the specifics of the data that the software product works with. For example, employee data requires a transparent data retention policy, and whether the grounds on which such data is retained and processed should be changed under GDPR depends on each specific case. National implementations also differ in certain respects. For example, you may check an insightful IT Governance page about GDPR in the UK.

GDPR compliance of your software products

The first step in compliance with the new regulation is Privacy and Security by Design – the principles that make privacy and security an integral part of software product development. It starts from the very core, including key architectural solutions. Software must be designed considering organisational and technological safeguards—directly inherited from DPD—as well as capabilities that embed privacy, ensuring compliance and reducing the risks of data breach to a minimum.

PERSONAL DATA
  • Name
  • Address
  • Email
  • Photo
  • IP Address
  • Cookies
  • Location Data
  • Profiling & Analytics Data

SPECIAL CATEGORIES
  • Race
  • Religion
  • Political Opinions
  • Trade Union Membership
  • Sexual Orientation
  • Health Data
  • Biometric Data
  • Genetic Data

There must be careful consideration as to what data should be collected and for what purposes. The task is to collect it legitimately and minimize its processing, storage and accessibility, limiting its use to the minimum required by the product.

As for more direct technological means—which may naturally vary depending on the project—we can list a number of examples applied in our projects:

  • Data encryption
  • Pseudonymisation
  • Notification mechanisms
  • Report generation and JSON/XML data export mechanisms
  • Profile editing features for users
  • Age verification
  • Checkboxes that ensure “active consent”
  • Timely updates of terms and conditions and privacy policies
  • Reporting on and logging of access to personal data
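The following is an added illustration, not code from the original article or from its authors' projects, of how several of the measures listed above fit together in a small service: pseudonymisation with a keyed hash whose key is stored apart from the data, an active-consent check before anything is stored, a JSON export that answers a data-subject access request, erasure on request, and a retention sweep that enforces storage limitation. The class, function and field names, the key and the sample records are all constructed for this example.

```python
"""Minimal in-memory model of pseudonymisation, consent, subject export,
erasure and retention-based purging. Everything here (names, key, records)
is constructed for illustration; it is not the article's own code."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key. In a real deployment the key lives in a separate,
# access-controlled store, so that whoever holds the analytics table
# cannot link pseudonyms back to people without it.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymise(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    A plain unsalted hash would let anyone confirm a guessed e-mail by
    hashing it; with a secret key that check is impossible without the key.
    The address is normalised so 'Alice@Example.com' and 'alice@example.com'
    map to the same pseudonym."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class PersonalDataStore:
    """Identifying data (name, e-mail) is kept apart from behavioural data,
    which is keyed only by the pseudonym."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self.identities = {}  # pseudonym -> {"name", "email", "consent", "created"}
        self.analytics = {}   # pseudonym -> list of events

    def register(self, name: str, email: str, consent_given: bool, now: datetime) -> str:
        # Active consent: nothing is stored unless the subject opted in.
        if not consent_given:
            raise ValueError("no lawful basis: consent not given")
        p = pseudonymise(email)
        self.identities[p] = {"name": name, "email": email,
                              "consent": True, "created": now}
        self.analytics.setdefault(p, [])
        return p

    def record_event(self, email: str, event: str, now: datetime) -> None:
        p = pseudonymise(email)
        if p not in self.identities:
            raise KeyError("unknown subject")
        self.analytics[p].append({"event": event, "at": now.isoformat()})

    def export_subject(self, email: str) -> str:
        """Right of access / data portability: a machine-readable copy of
        everything held about the subject, in JSON."""
        p = pseudonymise(email)
        ident = self.identities[p]
        return json.dumps({
            "subject": {"name": ident["name"], "email": ident["email"]},
            "consent": ident["consent"],
            "events": self.analytics.get(p, []),
        }, indent=2)

    def erase_subject(self, email: str) -> bool:
        """Right to erasure: remove both the identity and its events.
        Returns whether anything was held for this subject."""
        p = pseudonymise(email)
        existed = p in self.identities
        self.identities.pop(p, None)
        self.analytics.pop(p, None)
        return existed

    def purge_expired(self, now: datetime) -> list:
        """Storage limitation: drop every subject whose record is older than
        the retention period. Returns the pseudonyms that were removed."""
        expired = [p for p, rec in self.identities.items()
                   if now - rec["created"] > self.retention]
        for p in expired:
            self.identities.pop(p)
            self.analytics.pop(p, None)
        return expired


if __name__ == "__main__":
    store = PersonalDataStore(retention=timedelta(days=30))
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.register("Alice Example", "alice@example.com", True, t0)
    store.record_event("alice@example.com", "login", t0)
    print(store.export_subject("alice@example.com"))
    print("purged after 31 days:", store.purge_expired(t0 + timedelta(days=31)))
```

The separation of the identity table from the analytics table is the point of pseudonymisation under GDPR: the analytics data stays usable for the product while a breach of that table alone does not directly identify anyone, and the retention sweep removes the identifying half once it is no longer needed.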

Whether you have a software product with a long and rich history, or you are just starting your next endeavor, compliance measures are essential. Feel free to contact us and we will gladly answer any questions regarding your particular case.
