Software architects and designers face a new challenge: delivering software that complies with the new EU GDPR data protection regulation. The new law came into effect on 25 May 2018.
Tools to Assist GDPR Compliance
The GDPR requires that you carry out a data protection impact assessment to ascertain the risks when planning a data processing or controlling task.
The GDPR applies if your app maintains or monitors the private information of EU citizens, although other regulatory bodies, such as the one in Australia with its Notifiable Data Breaches scheme, have already adopted similar rules.
In this article I will outline the tools we provide to assist with compliance, and briefly describe some of the measures we have taken to be compliant ourselves.
The key requirements of GDPR are as follows:
- Adopt transparent information handling practices
- Adopt a “privacy by design” approach to compliance
- Be able to demonstrate compliance with key rules and regulations
The measures outlined next will prove useful in meeting the requirements of the GDPR.
You are required to notify the affected parties within 72 hours if a system has been compromised.
We have taken various measures to protect information. For example, secure protocols, network filtering, firewalls and strong ciphers have been selected to guard access to the system, and only secure keys, not passwords, are accepted for access.
As an additional precaution, all access is audited by an external server. The external auditor ensures the audit records themselves aren’t compromised in the event of a breach.
The audit records can be monitored or queried using the API.
The above screen from Nester Deploy shows audit records that have tracked successful and failed login attempts.
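As an added illustration of the externally held audit trail described above (example code written for this edit, not Nester's own implementation; the record fields, user names and addresses are constructed), the auditor host keeps a hash chain over the login records shipped to it, so a record altered or dropped after a breach of the app host fails verification, and it offers the kind of monitoring query the text says the API provides.

```python
import hashlib
import json
from collections import Counter

class ExternalAuditor:
    """Append-only, hash-chained store living on the auditing host, not the app host.
    Each entry embeds the digest of the previous one, so altering or deleting a shipped record breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def _digest(self, prev_hash, record):
        payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def append(self, record):
        """Called by the app host once per login attempt; returns the chained entry."""
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"prev": prev_hash, "record": record, "hash": self._digest(prev_hash, record)}
        self.entries.append(entry)
        return entry

    def verify(self, entries=None):
        """Recompute the chain; return (True, None) or (False, index of the first bad entry)."""
        entries = self.entries if entries is None else entries
        prev_hash = self.GENESIS
        for i, e in enumerate(entries):
            if e["prev"] != prev_hash or e["hash"] != self._digest(prev_hash, e["record"]):
                return False, i
            prev_hash = e["hash"]
        return True, None

    def failed_logins_by_source(self, threshold):
        """Monitoring query: source addresses with at least `threshold` failed logins."""
        counts = Counter(e["record"]["src"] for e in self.entries if e["record"]["result"] == "fail")
        return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample login records (documentation-range addresses, not real traffic).
SAMPLE = [
    {"ts": "2018-05-25T08:00:01Z", "user": "alice", "src": "198.51.100.7", "result": "ok"},
    {"ts": "2018-05-25T08:00:09Z", "user": "bob", "src": "203.0.113.5", "result": "fail"},
    {"ts": "2018-05-25T08:00:12Z", "user": "bob", "src": "203.0.113.5", "result": "fail"},
    {"ts": "2018-05-25T08:00:15Z", "user": "bob", "src": "203.0.113.5", "result": "fail"},
]

def build_auditor(records=SAMPLE):
    auditor = ExternalAuditor()
    for r in records:
        auditor.append(r)
    return auditor
```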
Availability and Backups
We use AWS and Vultr virtual machines to host your apps, ensuring high availability. In addition, two consecutive backups of the app are maintained at all times.
The above screen from Nester Deploy shows a backup in progress. Backups can be scheduled as well as manually triggered when necessary.
Right to be Forgotten
Only the minimal amount of private information is captured. When the account is closed, all private data are removed from the servers.
The above screen from Nester Deploy shows the sign-off screen. All your private information is removed from our servers when the account is closed.
An important concept to consider is the “privacy by design” approach to compliance. The amount of data and length of time it is retained becomes a key consideration when designing the app.
The database design and the various data-capturing processors should capture only the minimum personal information and keep it only for as long as it is needed to support the client.
Investigate how your own situation can be made GDPR compliant with the links provided below.