GDPR checklist for applications



"The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years"


Your organization could pay up to the greater of €20 million or 4% of global annual turnover if it does not comply with the GDPR. So if you use third-party applications, or develop your own, to handle personal data, you had better make sure they are compliant.

It all comes down to these simple questions:
  • How do you collect personal information?
  • How do you store it?
  • Who has access to it?
  • How do you protect it?
  • How do you prove all of the above?
  • How do you change or delete it for a particular user?
  • How can you provide it to the user?
  • Has the user agreed to you handling their personal data?


I was trying to find a simple checklist that I could apply to the applications we use, but in the end I created this one:

Checklist
    1. There is a list of the personal data being processed;
    2. There is a data flow diagram;
    3. There is a list of IT systems and their components which process and store the personal data;
    4. There is a list of interfaces between IT systems/components, if the data moves through a network;
    5. No personal data is collected that is not directly required to achieve the business goals;
    6. The personal data is encrypted at rest and in transit, including API access;
    7. There is no anonymous API access;
    8. The personal data is removed or pseudonymized where required (testing, reporting);
    9. There is a list of application users/roles, their permissions, and the business justification for accessing the personal data;
    10. The application users are authenticated and authorized based on their roles;
    11. Authentication, authorization and password management follow security best practices;
    12. There is a mechanism to automatically back up the data with encryption applied;
    13. There is a mechanism to verify the data integrity;
    14. There are mechanisms to provide an identified customer with the following data:
      1. all processed personal data;
      2. all parties which have access to the personal data.
    15. There are mechanisms for an identified customer to
      1. change personal data;
      2. restrict its processing;
      3. delete it;
      4. export it.
    16. Logs exist that track access to and modification of the personal data and its related settings;
    17. The personal data itself is not logged;
    18. There is a mechanism to automatically delete the personal data after the business purpose has been fulfilled;
    19. There is a mechanism to verify the age of a customer;
    20. There is a mechanism to receive explicit user consent for each business purpose for which the personal data is processed.
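
Items 8, 16 and 17 tend to be implemented together, so here is an added example (not code from the original post) that shows one way to do it in Python: a keyed pseudonym used for test and reporting copies, an access-log entry that records actor, action, subject pseudonym and touched field names but no values, and a check that a log line contains none of the raw identifiers. The field names, the key and the sample record are constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical schema: these fields are direct identifiers of a person.
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")

# Constructed sample key and record for this example only; a real key lives
# in a secret manager, never next to the data it protects.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_RECORD = {"customer_id": 1042, "email": "Anna.Example@example.org",
                 "full_name": "Anna Example", "phone": "+49 30 123456",
                 "plan": "premium"}

def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 16 hex chars).
    The same person always maps to the same token, so reports can still count
    or join per person, but the token cannot be reversed without the key."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]

def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Copy of a record for test or reporting data sets (item 8): direct
    identifiers are replaced, the remaining fields keep realistic values."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonym(str(out[field]), key)
    return out

def audit_entry(actor: str, action: str, record: dict, fields: list, key: bytes) -> str:
    """Access-log line (item 16): who did what to which subject and which fields.
    Field VALUES are deliberately absent, so the log holds no personal data (item 17)."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "subject": pseudonym(str(record["email"]), key),  # joins with the reporting copy
        "fields": sorted(fields),
    }
    return json.dumps(entry, sort_keys=True)

def leaks_personal_data(line: str, record: dict) -> bool:
    """Guard for unit tests or a log-review job: True if any raw identifier
    value from the record appears verbatim in the line."""
    lowered = line.lower()
    return any(str(record[f]).lower() in lowered
               for f in DIRECT_IDENTIFIERS if record.get(f))
```

Running `leaks_personal_data` over every line your application logs in a test suite is a cheap way to keep item 17 true after future changes.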

Of course, some of the items (such as 19 and 20) can be skipped, depending on the use case.

The effort to comply increases significantly if you have more than one system processing the personal data of the same customer during one particular business process.

If the answer is NO to at least one of these questions, you have a problem. Or a task to do.


Links:
  • https://hackernoon.com/im-a-developer-and-general-data-protection-regulation-gdpr-is-no-big-deal-or-is-it-2f2b7b3f124
  • https://developer.ibm.com/tv/impact-gdpr-developers-security/?lnk=hm
  • https://techblog.bozho.net/gdpr-practical-guide-developers/
  • https://techbeacon.com/15-steps-developing-eu-privacy-policy-compliant-apps
  • https://sonin.agency/what-does-the-new-eu-gdpr-mean-for-your-app/
  • https://www.imperva.com/blog/2017/03/gdpr-series-part-4-penalties-non-compliance/
  • https://gdpr-info.eu
