0. GDPR-Compliant Development

Whether you work alone, are part of a team developing a project, lead a development team, or are a service provider developing for third parties, it is crucial to ensure that user data, and every processing operation on personal data, is adequately protected throughout the project lifecycle.

The following steps will help you develop privacy-friendly applications or websites:

  1. Understand the basic GDPR principles. If you work in a team, we recommend designating a person to monitor compliance. If your company has a Data Protection Officer (DPO), this person is a key figure in understanding and meeting GDPR requirements. In some cases, it may also be mandatory to appoint a DPO, for example if your programs or applications process so-called “sensitive” data (see examples) on a large scale or perform regular and systematic monitoring on a large scale.

  2. Map and categorize data and processing in your system. A precise mapping of how data is handled in your program or application helps you ensure that the processing complies with legal requirements. Keeping a record of processing activities (an example can be found on CNIL’s website) gives you an overall view of the data and helps identify and prioritize the associated risks. Personal data can turn up in unexpected places such as server logs, cache files, Excel files, etc. Keeping such a record is mandatory in most cases.

  3. Prioritize necessary actions. Based on your register of data processing, you must identify the necessary actions to comply with GDPR requirements in advance and prioritize focus areas in relation to the risks that processing poses to data subjects. These focus areas include especially the necessity and types of data collected and processed by your software, the legal basis for your data processing activities, the information your software or application provides to users, contract terms between you and your suppliers, conditions for exercising rights, and the measures implemented to secure your processing.

  4. Manage risks. If you identify that processing of personal data may pose a high risk to data subjects, you must ensure that these risks are handled correctly in context. A Privacy Impact Assessment (PIA) can help you assess risks. CNIL has developed a method, templates, and a tool that can help you identify risks, as well as a collection of best practices to remediate them. A Privacy Impact Assessment is also mandatory for all processing that is likely to involve a high risk to the rights and freedoms of data subjects. CNIL has on its website a list of processing where a PIA is required.

  5. Establish internal processes to ensure compliance through all development phases. Your internal procedures should guarantee that data protection is considered in every aspect of your project and in every event that may arise (e.g., security breaches, requests for rectification or access, changes to the data collected, supplier changes, data breaches, etc.). The requirements of CNIL’s governance label (although it is no longer issued by CNIL since the GDPR’s entry into force) can be a useful source of inspiration for establishing the necessary processes.

  6. Document compliance during development so that you can always demonstrate your GDPR compliance. The actions performed and the documents produced in each development phase must be checked. This involves regularly reviewing and updating your documentation so that it always matches the features actually implemented in your software.

CNIL’s website contains many practical guides that can help you ensure legal data processing depending on your industry.
