App Compliance with General Data Protection Regulation (GDPR)

Software architects and designers face a new challenge: delivering software that complies with the EU General Data Protection Regulation (GDPR). The new law came into effect on 25 May 2018.

Tools to Assist GDPR Compliance

The GDPR requires that you carry out a data protection impact assessment to ascertain the risks when planning a data processing or data controlling task.

GDPR applies if your app maintains or monitors private information of EU citizens. Other regulators, such as Australia's with its Notifiable Data Breaches scheme, have already adopted similar rules.

Implementing the data privacy policy outlined in the GDPR is good practice even if compliance isn't required at this stage.

In this article I will outline the tools we provide to assist with compliance, and briefly describe some of the measures we have taken to be compliant ourselves.

The key requirements of GDPR are as follows:

  • Adopt transparent information handling practices
  • Adopt a “privacy by design” approach to compliance
  • Be able to demonstrate compliance with key rules and regulations

The measures outlined next will help you meet the requirements of GDPR.

Breach Notifications

You are required to notify the affected parties within 72 hours if a system has been compromised.

We have taken various measures to protect information. For example, secure protocols, network filtering, firewalls and strong ciphers have been selected to guard access to the system. Only secure keys are accepted for authentication; passwords are not.

As an additional precaution, all access is audited by an external server. The external auditor ensures the audit records themselves aren't compromised in the event of a breach.

App Audit Process

The audit records can be monitored or queried using the API.

App Audit UI

The above screen from Nester Deploy shows audit records that have tracked successful and failed login attempts.
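Audit records of the kind shown above are only useful for breach detection if someone, or something, reads them. The following is an added example, not Nester Deploy's code or its API: it scans a constructed batch of login audit records for bursts of failed logins and notes whether a burst was followed by a successful login for the same user, which is the case a defender would want to review first. The record fields (`time`, `user`, `event`, `result`), the threshold and the window are assumptions chosen for illustration.

```python
"""Added example (not Nester Deploy's code): flag failed-login bursts in
constructed audit records.  Field names, threshold and window are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records, one JSON object per line.
SAMPLE_AUDIT = """
{"time": "2018-06-01T10:00:00", "user": "alice", "event": "login", "result": "success"}
{"time": "2018-06-01T10:01:00", "user": "bob", "event": "login", "result": "failure"}
{"time": "2018-06-01T10:01:30", "user": "bob", "event": "login", "result": "failure"}
{"time": "2018-06-01T10:02:00", "user": "bob", "event": "login", "result": "failure"}
{"time": "2018-06-01T10:02:10", "user": "bob", "event": "login", "result": "failure"}
{"time": "2018-06-01T10:02:20", "user": "bob", "event": "login", "result": "failure"}
{"time": "2018-06-01T11:30:00", "user": "carol", "event": "login", "result": "failure"}
{"time": "2018-06-01T12:00:00", "user": "bob", "event": "login", "result": "success"}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, converting timestamps."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users whose failed logins within any
    sliding window of length `window` reach `threshold`."""
    failures = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["event"] == "login" and rec["result"] == "failure":
            failures[rec["user"]].append(rec["time"])
    flagged = {}
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Advance the window start until the window fits.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(count, flagged.get(user, 0))
    return flagged


def success_after_burst(records, user):
    """True if the user's last failed login is followed by a successful one:
    a burst that ended in success deserves the earliest review."""
    ordered = sorted((r for r in records if r["user"] == user and r["event"] == "login"),
                     key=lambda r: r["time"])
    last_failure = None
    for i, rec in enumerate(ordered):
        if rec["result"] == "failure":
            last_failure = i
    if last_failure is None:
        return False
    return any(r["result"] == "success" for r in ordered[last_failure + 1:])


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT)
    for user, count in failed_login_bursts(recs).items():
        print(user, count, "failures; later success:", success_after_burst(recs, user))
```

Run against the constructed records, `bob` is flagged with five failures inside the ten-minute window and a later successful login, while `carol`'s single failure stays below the threshold. The sliding window is what keeps the check honest: five failures spread over a day are not the same signal as five in ninety seconds.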

Availability and Backups

We use AWS and Vultr virtual machines to host your apps, ensuring high availability. In addition, two consecutive backups of the app are retained at all times.

App Backups

The above screen from Nester Deploy shows a backup in progress. Backups can be scheduled as well as triggered manually when necessary.

Right to be Forgotten

Only the minimal amount of private information is captured. When an account is closed, all private data is removed from the servers.

Right to be forgotten

The above screen from Nester Deploy shows the sign-off screen. All your private information is removed from our servers when the account is closed.

Conclusion

An important concept to consider is the “privacy by design” approach to compliance. The amount of data and the length of time it is retained become key considerations when designing the app.

The database design and the various data-capturing processes should capture only the minimum personal information and keep it only for as long as it is needed to support the client.
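To make the two principles above concrete (capture the minimum, retain only as long as needed, and erase everything on account closure as described under Right to be Forgotten), here is an added example using an in-memory SQLite database. It is not Nester Deploy's code; the table layout, the 30-day retention period and the sample accounts are assumptions chosen for illustration. The `remaining_personal_data` check is there so the erasure can be demonstrated, not just promised.

```python
"""Added example (not Nester Deploy's code): data minimisation, retention
purge and account-closure erasure in a small SQLite schema.  Table names,
columns and the retention period are assumptions."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # assumed retention period for activity records

# Minimal schema: no fields that nothing downstream requires (no IP address,
# user agent or request bodies), so there is less to protect and to erase.
SCHEMA = """
CREATE TABLE account (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL
);
CREATE TABLE activity (
    id          INTEGER PRIMARY KEY,
    account_id  INTEGER NOT NULL REFERENCES account(id),
    occurred_at TEXT NOT NULL,   -- ISO 8601, UTC, so string order is time order
    action      TEXT NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_activity(conn, account_id, action, when):
    """Store only who, what and when."""
    conn.execute(
        "INSERT INTO activity (account_id, occurred_at, action) VALUES (?, ?, ?)",
        (account_id, when.isoformat(), action),
    )


def purge_expired(conn, now, retention_days=RETENTION_DAYS):
    """Delete activity older than the retention period; returns rows removed."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM activity WHERE occurred_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def close_account(conn, account_id):
    """Right to be forgotten: remove the account and everything tied to it.
    Returns True if an account was actually removed."""
    conn.execute("DELETE FROM activity WHERE account_id = ?", (account_id,))
    cur = conn.execute("DELETE FROM account WHERE id = ?", (account_id,))
    conn.commit()
    return cur.rowcount == 1


def remaining_personal_data(conn, account_id):
    """Count rows in every table that still reference the account; used to
    demonstrate that erasure was complete."""
    n_acc = conn.execute("SELECT COUNT(*) FROM account WHERE id = ?", (account_id,)).fetchone()[0]
    n_act = conn.execute("SELECT COUNT(*) FROM activity WHERE account_id = ?", (account_id,)).fetchone()[0]
    return n_acc + n_act


def demo():
    """Walk through purge and erasure on constructed data; returns the results."""
    conn = open_db()
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed "current" time
    conn.execute("INSERT INTO account (id, email) VALUES (1, 'alice@example.com')")  # constructed
    conn.execute("INSERT INTO account (id, email) VALUES (2, 'bob@example.com')")    # constructed
    record_activity(conn, 1, "login", now - timedelta(days=45))  # older than retention
    record_activity(conn, 1, "login", now - timedelta(days=2))
    record_activity(conn, 2, "login", now - timedelta(days=1))
    return {
        "purged": purge_expired(conn, now),                 # 1 stale record removed
        "closed": close_account(conn, 2),                   # True
        "closed_again": close_account(conn, 2),             # False: nothing left to remove
        "left_for_2": remaining_personal_data(conn, 2),     # 0
        "left_for_1": remaining_personal_data(conn, 1),     # 1 account row + 1 recent activity
    }


if __name__ == "__main__":
    print(demo())
```

The retention purge is a scheduled job in practice; running it against a fixed `now` as above makes the behaviour testable. Timestamps are stored as UTC ISO 8601 strings so that the `<` comparison in the purge is correct without any date parsing in the database.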

Investigate how your own situation can be made GDPR compliant with the links provided below.

Further Information