The EU’s General Data Protection Regulation (GDPR) legislation went into effect on May 25, 2018. With fines of up to €20 million or 4% of the worldwide annual revenue of the prior financial year (whichever is higher), it’s a piece of legislation that has caught the attention of companies worldwide. That’s because any business that works with clients or customers in the EU is required to be GDPR compliant — or face some potentially costly fines.
When evaluating your company’s GDPR compliance, software development is one area that must be scrutinized. You must ensure that your software is GDPR compliant, whether it’s an ERP platform, a CRM, a mobile app, or a data lake.
What is GDPR’s Definition of Personal Data?
GDPR governs the way in which businesses handle consumers’ personal data; that is, any information relating to an identifiable person. If the data could potentially be used, in conjunction with other information, to identify a particular individual, then it’s considered “personal data” and is therefore subject to GDPR. Examples of personal data according to GDPR include:
- A full name (including pseudonyms);
- A party’s occupation;
- A person’s address; or
- Physical characteristics (including written descriptions or photographs).
Notably, data that has been de-identified through the use of pseudonyms or encryption is still considered personal data if the information could be decrypted or re-linked to a particular individual.
Key Requirements of GDPR for Software Development
Prior to the implementation of GDPR, the European Union already had some stringent privacy rules in place thanks to the EU Personal Data Protection Law. But GDPR is even stricter, with legislation that’s so complex that many large corporations have spent millions of dollars on GDPR consulting services and GDPR software overhauls.
Every new piece of software should be fully GDPR compliant, even if you don’t currently serve EU citizens. If there’s a possibility that you may work with an EU citizen in the foreseeable future, then it’s generally best to opt for GDPR compliance. Software developers can implement GDPR-related measures far easier when building a brand-new platform. Retrofitting an existing app or software platform is usually more challenging and more costly.
Consider these tips for a GDPR-compliant mobile app or software platform:
- Pseudonymization by Default: Pseudonyms must be created for each individual, and data about the person’s identity should be stored in an area that is fully partitioned and separate from other user data, such as information on the individual’s account within an app or software platform.
- The Right to Be Forgotten: Every EU citizen has “the right to be forgotten,” meaning that, upon request, companies are required to discard any and all personal data related to a particular individual. Therefore, your software or database should include tools that let you isolate and delete personal data as needed.
- The Right to Be Portable: Under this requirement, users must retain the ability to transfer their personal data from one service provider to another service provider. For instance, if you provide mobile phone services, you’ll need to configure your software so it allows users to take their phone number to another service provider.
- Mandatory Data Breach Reporting: If your company suffers a data breach, you are required to inform users and law enforcement within 72 hours. This means you must detect a data breach in very short order. When developing software or a mobile app, it’s generally best to maximize security measures and include a security breach detection and reporting tool that can send notifications to your tech team.
- Privacy by Design: GDPR requires privacy by default, meaning that your software, mobile app or website must default to provide users with the highest level of security and privacy. For instance, instead of automatically using a person’s name or email address as their username, your software should offer up a totally random username during the account creation process.
- Informed Consent: Users must be given an opportunity to provide informed consent for the collection and processing of their personal data. This is why so many privacy-related disclaimer panels have popped up on websites, software platforms and mobile apps in recent months. Another example of informed consent applies to tickboxes when registering for an account. In most cases, tickboxes should not be ticked by default; the user must tick them manually.
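The following is an added example, not code from the original article or from SevenTablets, showing how the first, second, third, fifth and sixth tips above can be reflected in a data layer: identity fields live in a store that is partitioned from application data and linked only by a random pseudonym; erasure removes both halves; export produces a machine-readable bundle; new accounts get a random username; consent flags default to off; and every action is written to an audit log that can later back up compliance documentation. All class and function names are illustrative and the sample record is constructed.

```python
"""Illustrative personal-data layer: pseudonym-keyed, partitioned identity store.
Names here are hypothetical; the sample record in __main__ is constructed."""
import json
import secrets
from dataclasses import dataclass, field, asdict


@dataclass
class Identity:
    """Directly identifying fields, kept only in the identity vault."""
    full_name: str
    email: str
    address: str


@dataclass
class Account:
    """Application data that refers to the person only through a pseudonym."""
    pseudonym: str
    username: str
    marketing_consent: bool = False   # opt-in only: never pre-ticked
    events: list = field(default_factory=list)


def random_username(nbytes: int = 6) -> str:
    """Privacy-by-design default: a username that reveals nothing about the person."""
    return "user_" + secrets.token_hex(nbytes)


class PersonalDataStore:
    def __init__(self):
        self._identities = {}   # pseudonym -> Identity (partitioned from app data)
        self._accounts = {}     # pseudonym -> Account
        self.audit_log = []     # record of actions, usable as compliance documentation

    def register(self, identity: Identity) -> str:
        """Create a random pseudonym and store identity and account data separately."""
        pseudonym = secrets.token_urlsafe(16)
        self._identities[pseudonym] = identity
        self._accounts[pseudonym] = Account(pseudonym=pseudonym, username=random_username())
        self._log("register", pseudonym)
        return pseudonym

    def record_event(self, pseudonym: str, event: str) -> None:
        """Application activity is attached to the pseudonym, not to the identity."""
        self._accounts[pseudonym].events.append(event)

    def give_consent(self, pseudonym: str, purpose: str) -> None:
        """Consent must be an explicit action by the user for a named purpose."""
        if purpose != "marketing":
            raise ValueError(f"unknown consent purpose: {purpose}")
        self._accounts[pseudonym].marketing_consent = True
        self._log("consent:" + purpose, pseudonym)

    def export(self, pseudonym: str) -> str:
        """Right to data portability: everything about the person, machine-readable."""
        bundle = {
            "identity": asdict(self._identities[pseudonym]),
            "account": asdict(self._accounts[pseudonym]),
        }
        self._log("export", pseudonym)
        return json.dumps(bundle, indent=2)

    def erase(self, pseudonym: str) -> bool:
        """Right to be forgotten: drop the identity and the account data linked to it.
        Returns False when nothing was stored under that pseudonym."""
        found = pseudonym in self._identities or pseudonym in self._accounts
        self._identities.pop(pseudonym, None)
        self._accounts.pop(pseudonym, None)
        self._log("erase", pseudonym)
        return found

    def has_subject(self, pseudonym: str) -> bool:
        """True while any data about this pseudonym remains in either partition."""
        return pseudonym in self._identities or pseudonym in self._accounts

    def _log(self, action: str, pseudonym: str) -> None:
        self.audit_log.append({"action": action, "pseudonym": pseudonym})


if __name__ == "__main__":
    store = PersonalDataStore()
    # constructed sample record, not a real person
    p = store.register(Identity("Ada Example", "ada@example.org", "1 Sample Street"))
    store.record_event(p, "login")
    print(store.export(p))
    print("erased:", store.erase(p), "still present:", store.has_subject(p))
```

In a real system the two dictionaries would be separate databases or schemas with separate access controls, so that a compromise of the application data store yields only pseudonyms, and the audit log would be append-only.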
Large companies are required to appoint a data protection officer (DPO) who can respond to any GDPR-related requests and maintain documentation of all measures and actions performed to maintain GDPR compliance.
Documentation is also extremely important for GDPR compliance. A software developer may create a platform that is fully compliant, but that’s insufficient if the software does not have a way to generate and export documentation that proves your platform is compliant. Therefore, documentation capabilities are a key measure for maintaining GDPR compliance both in software development projects and in your company’s general operations.
GDPR has prompted many companies to reconsider what personal data they collect from users, as more data inherently results in a greater risk. As you begin the software development process, take some time to really consider what personal data is necessary. Additionally, determine which data sets could be pseudonymized or encrypted in a way that prevents identification of an individual through decryption or reversal of the pseudonymization.
Finding a GDPR Compliant Software Development Company
If you’re required to adhere to GDPR, then it’s important that you choose a software development company that is well-versed on GDPR and the requirements that impact the development process.
At SevenTablets, we partner with companies worldwide, so we understand what it takes to build a GDPR-compliant software platform, mobile app, or data lake. We can also help your business grow by integrating cutting-edge technologies such as Machine Learning and Augmented Reality (AR). We integrate these technologies into a custom software platform, including Enterprise Resource Planning (ERP) platforms, Customer Relationship Management (CRM) software, SaaS solutions and mobile apps.
Headquartered in Dallas, Texas, SevenTablets maintains regional offices located in Houston and Chicago. Our clientele is located worldwide, so if you’re seeking to build a GDPR compliant mobile app or software platform, contact the team at SevenTablets today.