david-email

How do we stay GDPR-friendly for our clients in an outsourcing environment?

Under the GDPR, data management is carried out by the “controller” and the “processor.” How the personal data of an individual is used is determined by the controller. The role of the processor is to process the personal data on the part of the controller. 

providers play the role of the data processors and the companies that outsource are the data controllers.

Outsourcing firms that want to work with EU-based companies require strengthening their data security and privacy policies in order to align themselves with the standards laid down by the GDPR

In the case of a data breach, both the company and the outsourcing provider can be held liable and penalized heavily. Therefore, both the data controller (company) and the data processor (outsourcing services provider) should strictly adhere to the guidelines laid down by the General Data Protection Regulation (GDPR).

The following steps can help us in becoming fully compliant with GDPR:

  1. We Know What Is GDPR: 

We know about the GDPR and its effects on our business. First of all, we identify which of our business processes require changes in order to attain full compliance with the GDPR. We make all of our employees aware of the GDPR by providing training to them so that each and every department in our organization knows how to safely handle the users’ data.

  1. We Have A Review Of our Technologies And Business Processes each 3 month 

We review our business processes and look for where they are lacking in following the GDPR standards. Adopt new procedures and, if required, hire specialists so that we are able to meet the standards. Examine the technologies that are actively being deployed in your firm. Check if these technologies are adequately meeting the technical requirements for ensuring data security and privacy as required by the GDPR.

We could implement all the necessities in your product to be GDPR friendy.

  1. We could Set Up A Data Register for your business: 

As part of the GDPR, data protection associations have been set up by the European countries. They have been set up for the purpose of enforcing the GDPR and monitoring compliance. You should create a data register, which is a record of data processing activities. If for any reason, a data breach takes place, you will be required to show the data register to the data protection association.

  1. We will Build A Data Security Roadmap for your product : 

We will prepare a data security road map at the beginning of the projects. It helps us in prioritizing where the greatest security risks are present and in setting up goals and milestones. Data security techniques like encrypting, pseudonymization, etc. can help us meet our security goals.

  1. We could carry Out Periodic Assessments: 

Once we have set up and put into practice the technologies and processes required for becoming fully compliant with the GDPR, our next step is to carry out periodic assessments for ensuring everything is working as expected. Keeping data management and security in order will help you in preventing any sort of data breach, and will, therefore, save you from heavy penalties for GDPR non-compliance.

david-email

GDPR and how do we implement it in the software development process?

All the companies providing goods or services for the EU citizens will have to adhere to the new data protection rules or face fines of up to 4% annual global turnover or roughly $24.5M. As the GDPR comes into force it will affect businesses all over the world.

What is GDPR? Who needs to prepare for GDPR?

Any organization which gathers or processes EU citizens’ personal data is subject to the regulation. Moreover, all your contractors (including software development companies) need to adhere to the standard for your app to be GDPR-compliant.

How we implement it into your software:

1. Get informed consent from the user

The GDPR states that businesses now have to ask users to agree to collecting and processing their personal information. The request “must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent

2.We will minimize the collected data

We will make sure that you are collecting only the information you can’t do without. And, if possible, implement automatic deletion of the data you no longer need. 

3. We will encrypt personal data

Encryption adds an extra layer of security the hacker must defeat before they can access the information. The GDPR Article 32 requires that personal data is protected by the “state-of-the-art” measures. However, the exact nature of those measures is left for the companies to decide

4. We will implement “privacy by design” 

we making sure privacy is taken care of at every stage of the product’s lifecycle. Implementing this idea is a much larger undertaking.

4.1 Two-Factor Authentication

It protects from online fraud and identity theft

4.2 Blocking brute force attacks

If a hacker intends to use automated login/password guessing, these measures can stop them.

4.3 Automatic Log-Off

This feature helps prevent unauthorized access and modification of data

4.4 Separate domain names for Customer and Admin portals

Separating portals helps protect the information and allows securing the admin section without hampering users.

4.5 HTTP Authentication for Web Admin Panel

This feature adds another layer of protection against them.

4.6 SSL Certificate

SSL certificates protect the information transfer between app server and database or between the user and your service.

4.7 Locking Unused Database Ports

New servers are shipped with all the ports open. Lock the unneeded ones so they can’t be used for intrusion.

4.8 Database can be accessed only from API server IP

Allowing only one IP address will prevent unauthorized access and locate data breaches. Cloud firewalls could help with that.

4.9 Database connects to API server via HTTPS

Encryption helps protect the information while it is in transfer.

4.10 Server is accessed via VPN

VPN adds another layer of security to the data on the server.

4.11 Regular Database backup

Back up the information in the DB and store it on an external cloud service. In the event of a data breach, it will help to minimize losses.

4.12 Regular Server Log Backup

All the server logs should be kept and stored externally. It helps locate inconsistencies in case of hacker attacks.

4.13 Adjust Inotify

Set up triggers and notifications to detect intrusion quickly.

4.14 Log all the Server Actions

Logs allow to find out which data was modified.

5.We will implement “Privacy by default”

“Privacy by default” essentially means that if there are privacy settings in your product, they must be set to maximum at the start.

6.We will implement Pseudonymization

Pseudonymization means storing information that can identify a person (e.g. social security number) and the related data (gender, age, location, etc.) separately.

7. We will prepare for the users to exercise their rights

The new European regulation has given people extra rights that companies must grant: Right to be forgotten; Right to object; Right to rectification; Right to access; Right to portability.

8.We will document everything

The regulation requires companies to not only implement additional data protection measures but also document them to be able to prove that they’ve taken the necessary steps.

9. We will prepare a plan for contingencies

No matter how well you are defended at the moment, it pays to be prepared for personal data breaches.

In most cases, you’ll need to notify the Information Commissioner’s Office (ICO) within 72 hours of detecting a breach. If you opt not to, you must have a valid (and properly supported by documents) reason for it. But if there is a “high risk to the rights and freedoms of individuals”, you need to inform your users as well.

david-email

What is the GDPR?

  • What is the GDPR and what does it stand for?

GDPR stands for General Data Protection Regulation also referred to as Regulation (EU) 2016/679. GDPR replaces the existing protection directive that was introduced in 1995 and has been created by the European Parliament, the Council of the European Union, and the European Commission to strengthen and unify data protection for all residents of the European Union.

Additionally, GDPR addresses data protection rules for personal data export outside of the European Union. It also enforces EU data protection laws to guide foreign organizations that process personal data pertaining to residents of the European Union.

In the case of a data breach, both the company and the outsourcing provider can be held liable and penalized heavily. Therefore, both the data controller (company) and the data processor (outsourcing services provider) should strictly adhere to the guidelines laid down by the General Data Protection Regulation (GDPR).

  • When does GDPR come into effect?

GDPR was approved by the European parliament in April 2016. After a two-year transition period, GDPR will be in force for all organisations that handle the data of EU residents from the 25th of May 2018.

  • What is the purpose of GDPR?

The primary purpose of GDPR is to define standardised data protection laws for all member countries across the European Union.

GDPR will:

  • Increase privacy and extend data rights for EU residents.
  • Help EU residents understand personal data use.
  • Address the export of personal data outside of the EU.
  • Give regulatory authorities greater powers to take action against organisations that breach the new data protection regulations.
  • Simplify the regulatory environment for international business by unifying data protection regulations within the European Union.
  • Require every new business process that uses personal data to abide by the GDPR data protection regulations and Privacy by Design rule.
  • Who does the GDPR apply to?

Similar to the Data Protection Act, GDPR applies to company data controllers and data processors. If you are the controller, the GDPR places additional emphasis on meeting contractual obligations with the processor to ensure they comply with GDPR.  As a processor, the GDPR requires you to maintain records of all processing activities and personal data use.  This increases the legal liability for processors in the event of a breach.

GDPR does NOT apply to specific activities such as processing under the Law Enforcement Directive, the processing is done by individuals for personal or household matters, any processing carried out for the purpose of national security.

  • What type of information applies to GDPR?

Like the Data Protection Act, the GDPR rules apply to personal data. However, the GDPR extends the scope of what is considered personal data such as an IP address that acts as an online identifier.

The GDPR rules also apply to sensitive data which uniquely identifies a specific individual. This includes categories such as genetic or biometric data.

  • According to the EU, What constitutes personal data?

Under GDPR, the definition of personal data has been much simplified to ‘any information relating to an identified or identifiable person.’

According to the European Commission, personal data constitutes “Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

  • Does GDPR apply to companies outside of the EU?

Yes. Similar to UK compliance post-Brexit, GDPR regulations apply to foreign companies outside of the EU that collect, process and hold the personal data of EU residents, regardless of their location.

  • 9 Key changes under GDPR
    • A single set of data protection rules will now apply to all EU member states. In addition, increased territorial scope means that GDPR will apply to all companies that process the personal data of EU residents, regardless of their location.
    • ‘Right to be forgotten’ – also known as Data Erasure. EU residents will have the right to request that personal data relating to them is erased. This could be based on a number of grounds that include non-compliance, data no longer being relevant to its original purposes, or data subjects withdrawing consent.
    • ‘Right to access’ – Data subjects will have the right to obtain confirmation from the data controller whether or not their personal data concerning them has been processed, where it has been processed and for what purpose.
    • Data Breach notifications will become mandatory in all member states – in the instance that the data breach is likely to “result in risk pertaining to the rights and freedoms of individuals.
    • Consent rules are changing and opt-in requirements for obtaining personal data are stricter. The conditions for consent have been strengthened, as companies will no longer be able to utilize long illegible terms and conditions full of legalese. Organisations are required to ensure that consent is clear, distinguishable and provided in an easily accessible form with the purpose of the data processing disclosed and attached to the consent. It must be just as easy to withdraw consent as it is to give it.
    • ‘Privacy by Design’ – Now part of a legal requirement with the GDPR, Privacy by Design calls for the inclusion of data protection from the onset of the designing of systems, instead of just being an addition.
    • Data Controllers and Data Processors will be required to conduct privacy risk impact assessments for projects that have high privacy risks.
    • Data processing activity notification rules are changing. Under GDPR it will no longer be necessary for Data Controllers to submit notifications/registrations of data processing activities to local Data Protection Officers. In addition, it will no longer be a requirement to notify/obtain approval for transfers based on the Model Contract Clauses (MCCs). This will be replaced by an internal record-keeping requirement. There is an exception to this.
    • The new Accountability Principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.