
How GDPR is guiding software development in Europe

Posted by Luke Grimes on 15th October, 2017

Much modern software development involves engineering a personalised experience for the user. Whilst it’s true that individualisation is in greater demand than ever before, an imminent EU regulation dictates how businesses must collect and handle the personal data those experiences depend on. It’s called the General Data Protection Regulation (GDPR), and it applies in every EU member state from 25 May 2018.

GDPR, by its very nature, will impact the British and European software industry – a market that currently thrives on the use of personal information. Here, we take a closer look at the fundamental principles of GDPR, and the directions in which the regulation is going to steer software development.

The basics of GDPR

GDPR was adopted by the European Parliament and the Council in April 2016 as Regulation (EU) 2016/679. Unlike a directive, a regulation applies directly in every member state without national implementing law; it comes into force next May, and the UK’s Data Protection Act 1998 is being replaced by new domestic legislation to sit alongside it. Significant fines face any company that breaches it: up to 4% of worldwide annual turnover or €20 million, whichever is greater.

As the Digital Single Market continues to flow between member states (and the UK), the regulation asks for greater protection of ‘personal data’: any information relating to an identified or identifiable living person, whether it identifies them directly (a name, an address, an ID number, an IP address or device identifier) or only in combination with other data. Certain special categories get stricter treatment: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation. To avoid penalties, businesses must ensure they have robust processes in place to manage and protect this data effectively.

The full text of the regulation covers the finer points for anyone who wants them. Here we concentrate on the implications for software development, which are substantial. Most of them boil down to the two roles GDPR defines: ‘Controllers’ and ‘Processors’.

Understanding the implications

Under GDPR, a Controller determines why and how personal data is processed (the purposes and the means). A Processor is any person or organisation that processes personal data on the Controller’s behalf and on its instructions, such as a hosting provider, an analytics service or a payroll bureau. A tool is not a processor in itself; the company operating it is. One organisation can be a controller for some processing and a processor for other processing.

Which role a company holds depends on who decides the purpose of the processing, not on what the software does. Facebook decides what profile data it collects and why, so it is a controller; when it shares that data with apps like Spotify and Tinder through its login, each app becomes a controller of its own copy, because it uses the likes, interests and demographic stats for its own purposes. A direct SaaS (Software as a Service) tool like Just Eat, which collects and stores consumer data for its own business, is likewise a controller of that data. It is a processor only where it handles data purely on another organisation’s instructions.

If a personal data breach occurs, the ICO (the UK’s supervisory authority) will investigate what happened. Controllers carry the greater responsibility, so they face the greater exposure to a penalty; but GDPR also places obligations directly on processors, which can be fined in their own right. A controller that hands processing to another party must therefore vet that party’s capabilities and bind it with a written contract (Article 28) that sets out what the processor may and may not do with the data.

The same goes for data capture tools used within your organisation. Workfront, for instance, lets you create report fields for profits, timesheets and resource management; Slack is a platform for messaging and solving problems as a team. The first relies on structured data input, whereas the second is a conduit between people, but in both cases your organisation decides what personal data goes in and why, so it is the controller of that content and the vendor is its processor. Whatever the vendor collects for its own purposes (account details, usage analytics) it controls itself, and its contract and privacy policy should say so.

Distinguishing whether a software provider is a controller, a processor or both may not seem crucial at the outset. Yet GDPR changes how a data breach is handled: the controller carries the final onus for reporting it and for how the leak is plugged, and a processor must report any breach it discovers to its controller without undue delay.

So what will this mean for new and existing software on the market?

Tightening up security protocols

In the pre-GDPR climate there is no general duty to report a data breach. If a Facebook account is compromised, the controllers connected to it through ‘sign in with Facebook’ (Shazam, MyFitnessPal and so on) may hold the same profile details, but nothing obliges them to refresh or remove that data. Doing so, for many companies, produces high overheads, and isn’t something they prepare for.

Once GDPR comes into play, a controller must notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must tell the affected people themselves without undue delay where the risk to them is high. A processor must notify its controller without undue delay. Imagine a social account being compromised: Facebook would have to report the breach to its supervisory authority and, if the risk is high, warn the account holder. Its duty towards the third-party apps is narrower than a blanket ‘wipe everything’ demand. The right to erasure is a separate obligation: where a controller has made personal data public and must erase it, it has to take reasonable steps to inform the other controllers holding copies, and each of them is responsible for its own copy. A processor that has met its own obligations (processing only on documented instructions, keeping the data secure, notifying promptly) is not liable for the controller’s failures; a controller that doesn’t act in accordance risks the 4% turnover/€20m fine we mentioned earlier.

This will result in GDPR-specific terms in every user agreement and data sharing contract. A software company will state its liabilities, anticipating how it will act in the event of a data loss or a request from a data subject. A controller-processor contract in particular must set out the subject matter and duration of the processing, the types of data involved, and the processor’s duties (Article 28): act only on documented instructions, keep the data confidential and secure, assist with breach notification and data subject requests, and delete or return the data at the end of the engagement. Any effort to finalise these terms will be worth it, long-term, to avoid the penalties.

In addition, software owners must keep a closer eye on where their data goes, who’s handling it, and how it’s being guarded. GDPR does not demand bleeding-edge security for its own sake; it demands security appropriate to the risk, taking account of the state of the art and the cost of implementation (Article 32), and it names pseudonymisation and encryption as examples of suitable measures. Such businesses will also have to regularly test, assess and evaluate the effectiveness of those measures rather than assuming they still work. A Data Protection Officer, appointed by the organisation itself rather than by a regulator (and mandatory for public bodies and for companies whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data), can help fine-tune those protocols and acts as the point of contact for the ICO.

A new dawn for software strategy

In any case, the bottom line is this: digital products are going to be subject to tough rules around data protection, there to protect our personal information. More transparency will be expected as customers become aware of GDPR and what it promises them. UK businesses therefore have to stay abreast of these changes, and of those that will follow, to comply with the evolving state of personal data protection.

Webantic’s own products will be built around GDPR standards; we’d love to explain how they might influence your digital concept, if you’d like to get in touch with our team.
