GDPR wakeup call: 3 ways dev teams can build in privacy like security

In eight months, many companies may find themselves in legal jeopardy, unprepared for a wide-ranging privacy regulation whose penalties could end up costing as much as 4% of annual revenue.

The European Union's General Data Protection Regulation (GDPR)—a document whose 88 pages contain nearly a hundred articles—passed in April of last year and goes into effect in May. GDPR applies to any firm—including US companies—that holds personally identifiable information on European customers.

Under the GDPR, citizens must be notified about any data collection in clear language and they have the right to both access the collected information and correct any errors. Data controllers must ensure that the data is used only for the stated purpose and protect both the data and its confidentiality.

Developers are key to complying with these regulations. Applications that collect and store information must be rewritten—and in many cases, redesigned—for more strict privacy.

Here are three ways that companies should work with developers to make sure they are ready for the GDPR.


1. The privacy buck has to stop somewhere

Privacy cannot just live in a written privacy statement, said Trevor Hughes, CEO and president of the International Association of Privacy Professionals.

"It is not about policies; it is about the way you build products and services inside your organization."
Trevor Hughes

The GDPR requires that companies address a wide variety of privacy regulations. Larger companies—or those whose core activities focus on data—need a data protection officer (DPO), but more than half of companies aren't planning on hiring one or plan to wait until the second half of the year, after the GDPR takes effect, according to a survey by security firm Imperva.

Delaying the hiring of a DPO is not a showstopper, said Hughes, but every organization needs someone to lead the push for privacy, especially to push development efforts in the right direction. "Not every company has the size or the need for a chief privacy officer, but no matter what, there needs to be privacy leadership incorporated somewhere," he said.

Right now, however, many companies do not know if the GDPR applies to them. More than one third of businesses (37%) did not know if they needed to comply, while 35% believed that the regulations did not apply to their companies, according to a recent survey by WatchGuard Technologies. Among those who thought they did not need to comply with the EU regulations, one in seven collected information on Europeans deemed identifiable under GDPR.

People are cutting it a little bit close, said Tracy Hillstrom, director of product marketing at WatchGuard.

"If they are not yet understanding that they need to be compliant and they do, and they haven't kicked off a project today, then they could be in trouble."
Tracy Hillstrom

2. Review data collection with developers, marketers

Developers and marketing professionals must understand that they may not be able to gather and use the same information as in the past. Your executive leader in charge of privacy should meet with the engineering and marketing leads to set rules for the type of data to collect and how it can be used.

"That has to come from the director of engineering, or sometimes from the CISO or the data protection officer," said Tim Matthews, vice president of marketing for Imperva. "And I can imagine that there are going to be some very fraught conversations because you will have to balance having more users for your app or offsetting the risk for your company."

Training is an important part of getting the message out, since you don't want developers to do something that puts the company at risk, said the IAPP's Hughes.

"A great example here is the engineers at Uber who created a function called 'God View,'" he said, referring to an administrative feature in Uber's service that allowed some internal employees to monitor rides in real time.

"Out of the gate, designers creating something called 'God View' should set off every alarm bell inside your organization."
Trevor Hughes

3. Technology will likely be necessary

The GDPR requires that you design privacy into products and services and make privacy the default. For that reason, privacy impact assessments, which gauge the privacy implications of certain features in an application, should be completed regularly. But that's challenging because documenting privacy impacts can quickly become unwieldy.

"Any product or service that touches data—any upgrade, amendment, or new feature that touches data—that is, just about everything an organization is doing—needs to go through a privacy impact assessment," Hughes said. "A large organization may go through hundreds or thousands of impact assessments, and that means they need technology."

Most companies, especially larger ones, will need technology that helps track compliance and turns requirements into design goals for developers. In the end, companies must determine whether or not they fall under the GDPR, and then strive for compliance. Developers are key to making it work.

"You are required to understand what data you have and demonstrate that you are complying with the GDPR. That has many organizations scrambling."
Trevor Hughes

Get real about GDPR

The GDPR underscores that companies need to prioritize the protection of user data, and it highlights the importance of developers to that mission. Penalties for noncompliance are steep: up to 20 million euros or 4% of revenue, whichever is greater.

According to WatchGuard's survey, only 10% of companies thought they were ready to meet the deadline next May, while 44% believed that they needed to comply but did not know how close they were to completion.

"The surprising part is how many people outside the EU don't realize that this is important to them," Hughes said. Even companies that believe they have data belonging to EU citizens don't always understand that the GDPR pertains to them.

Many large companies concerned with security and privacy have incorporated the issues into their development process, but smaller companies and their developers need to focus on privacy as well.

The way companies handle data and feed their marketing efforts also needs to change, said Matthews. "They are going to be told by someone that they will not be able to use all these great tools they have come to rely on. They may not be able to use those cookies, or they may not be able to use those mobile numbers."

"Some of the cool features that they are conceiving may not be allowed."
Tim Matthews
