Software engineers, like many other professionals, will face major changes to the way they work when the EU General Data Protection Regulation (GDPR) takes effect from 25 May 2018.
The Regulation strengthens data subjects’ rights related to their personal data, and requires all organisations that handle EU residents’ personal information to follow a long list of requirements. Software engineers should be most concerned about the requirement that organisations adopt a privacy-by-design approach. This means that, before products and services are built, the organisation needs to know how it will meet the principles of data protection.
A large part of that will come down to addressing the way data subjects’ rights will be met. The GDPR lists eight data subjects’ rights, but the biggest challenge for software engineers will be the following three:
- Right to access
The GDPR gives data subjects the right to access any information that an organisation holds on them. To meet this requirement, organisations need a system in place that allows staff to access information quickly. This information should be made available to download where possible.
Organisations also need to provide full visibility across their business so they can detect and resolve any problems.
- Right to rectification
All data subjects need to be able to amend inaccurate or incomplete information about them. The GDPR doesn’t specify how organisations should fulfil this request – only that they need to respond to requests within 30 days. Organisations will save a lot of time and money if they allow individuals to make these changes directly, such as through a user account page where they can review and update their personal information.
As software company InfoQ writes: “The more documentation you can cover with automated processes, the cheaper it becomes. Also, users are happier with real-time access, as opposed to making a request that takes 30 days to process.”
- Right to erasure
Under the right to erasure (also known as the right to be forgotten), individuals can request that an organisation deletes the data it holds on them if:
- It’s no longer needed for the purpose that it was originally collected;
- There’s no overriding legitimate interest for continuing the processing;
- The personal data was unlawfully processed;
- The personal data must be erased to comply with a legal obligation; or
- The personal data is processed for an information society service provided to a child.
If an individual consented to the processing of their data, they are entitled to withdraw that consent and therefore request the removal of any data that relied on that basis.
“You can achieve erasure by deleting information but it’s easier to partially overwrite it, effectively anonymizing it. The format for data export does not seem to matter right now, but it might be a good idea to plan for it, even if your domain would not contain any GDPR user interfaces,” writes InfoQ.
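The erasure-by-overwrite approach in the quote above, alongside the access and rectification requests from the earlier sections, as an added Python illustration that is not part of this article or InfoQ’s text. The record schema, field names and sample values are constructed for the example; it also shows the check a practitioner wants after erasure, that no copy of the original personal data survives elsewhere in the store (here a shipping address duplicated on an order row).

```python
import json

# Hypothetical schema (an assumption, not from the article): the profile
# fields that count as personal data and must be exported, rectifiable and erasable.
PII_FIELDS = ("name", "email", "phone", "address")

# Constructed sample store: one data subject and one order row referencing them.
SAMPLE_STORE = {
    "users": {"u-1001": {"name": "Ada Example", "email": "ada@example.org",
                         "phone": "+44 20 7946 0000", "address": "1 Example St",
                         "marketing_consent": True}},
    "orders": [{"order_id": "o-1", "user_id": "u-1001", "total_pence": 4999,
                "ship_to": "1 Example St"}],
}

def export_subject_data(store, user_id):
    """Right to access: everything linked to the subject, as one downloadable JSON document."""
    orders = [o for o in store["orders"] if o["user_id"] == user_id]
    return json.dumps({"user_id": user_id, "profile": store["users"][user_id],
                       "orders": orders}, indent=2, sort_keys=True)

def rectify(store, user_id, changes):
    """Right to rectification: the subject may update their own PII fields and nothing else."""
    unknown = set(changes) - set(PII_FIELDS)
    if unknown:
        raise ValueError(f"not rectifiable by the subject: {sorted(unknown)}")
    store["users"][user_id].update(changes)
    return store["users"][user_id]

def erase_by_overwrite(store, user_id):
    """Right to erasure by partial overwrite: PII becomes a fixed placeholder (not a hash
    of the value, which could be re-linked); order rows keep their structure and foreign key."""
    user = store["users"][user_id]
    originals = {user[f] for f in PII_FIELDS if f in user}
    for f in PII_FIELDS:
        if f in user:
            user[f] = "[erased]"
    user["marketing_consent"] = False
    # Copies of PII often live outside the profile table (here: ship_to on orders).
    for order in store["orders"]:
        if order["user_id"] == user_id:
            for k, v in order.items():
                if v in originals:
                    order[k] = "[erased]"
    return originals

def residual_pii(store, originals):
    """Post-erasure check: original PII values still present anywhere in the store."""
    blob = json.dumps(store)
    return sorted(v for v in originals if v in blob)
```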
Preparing for the GDPR
This certainly isn’t the be-all and end-all of the GDPR. For one, there are five other data subject rights:
- The right to restrict processing
- The right to data portability
- The right to object
- The right to be informed
- Rights in relation to automated decision making and profiling
There are also many other requirements that organisations need to meet, including mandatory data protection impact assessments and restrictions on international data transfers.
It’s also important to note that if you build software with access to actual personal data (as opposed to dummy information), you become a data processor and are subject to many other requirements.
Those who are unsure what this entails and what else they need to do to prepare for the Regulation should read EU GDPR – A Pocket Guide.
Written by Alan Calder, the founder and executive chairman of IT Governance, this guide is the ideal resource for anyone who wants a clear primer on the principles of data protection and their obligations under the GDPR. It helps you understand the terms and definitions used in the Regulation, the key compliance requirements and how to meet them.