A lot has been written about how GDPR applies at the organisation level, and what general controls should be in place to comply with the regulation. But the GDPR also has implications for building software applications.
All software that handles personal data of EU citizens will have additional functional and non-functional requirements that were previously not necessary.
What’s more, these requirements will differ depending on the type of functionality offered by each component in your application. For example, a web application that exposes a web UI to end users would be required to display and capture the user’s explicit consent to the processing of their data, and its privacy notice would have to state the purposes of that processing. These can be regarded as new functional requirements for every web application that processes EU citizens’ data, but they would not apply to a private backend web API that processes the same data yet exposes no UI to the end user.
Similarly, there are a number of non-functional requirements that are only applicable to components that store EU citizens’ data. For example, it should be possible to completely delete a specific user’s data at their request (including from backups) and an automatic deletion process should be triggered when the data retention period expires.
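As an added illustration of the two points above (not code from the post or from IriusRisk), the following example derives which requirements apply to a component from what the component does, and implements the storage-side requirement: working out which stored records must be deleted, either because the data subject asked for erasure or because the retention period has expired, and listing every backup set that still holds a copy. The component attributes, requirement wording, record layout and sample data are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    """Constructed model of one component in an application design."""
    name: str
    exposes_ui: bool            # end-user facing web UI?
    stores_personal_data: bool  # persists EU citizens' personal data?


# Requirement wording is constructed for this example, not IriusRisk's library.
UI_REQUIREMENTS = (
    "capture explicit consent before processing personal data",
    "privacy notice states the purposes of processing",
)
STORAGE_REQUIREMENTS = (
    "erase a subject's data on request, including from backups",
    "automatically delete data when its retention period expires",
)


def applicable_requirements(component: Component) -> list:
    """Requirements follow from what the component does, not from the
    application as a whole: a UI gets consent duties, storage gets deletion
    duties, and a backend API that does neither gets none of these."""
    reqs = []
    if component.exposes_ui:
        reqs.extend(UI_REQUIREMENTS)
    if component.stores_personal_data:
        reqs.extend(STORAGE_REQUIREMENTS)
    return reqs


@dataclass
class Record:
    """Constructed shape of one subject's stored personal data."""
    subject_id: str
    collected_on: date
    erasure_requested: bool = False
    backup_sets: tuple = ()     # backup sets that still hold a copy


def deletion_plan(records, retention_days: int, today: date) -> dict:
    """Return {subject_id: [locations to purge]} for every record that must go.

    A record is due when the subject requested erasure or when the retention
    period counted from collection has elapsed. The plan always names the
    primary store and every backup set still holding a copy, so that
    "deleted" means deleted everywhere, not just from the live database."""
    cutoff = today - timedelta(days=retention_days)
    plan = {}
    for r in records:
        if r.erasure_requested or r.collected_on <= cutoff:
            plan[r.subject_id] = ["primary", *r.backup_sets]
    return plan


# Constructed sample data: a 90-day retention policy evaluated on 2024-06-01.
TODAY = date(2024, 6, 1)
RETENTION_DAYS = 90
SAMPLE_RECORDS = [
    Record("u1", date(2024, 1, 1), backup_sets=("weekly-22",)),           # expired
    Record("u2", date(2024, 5, 20)),                                       # still within retention
    Record("u3", date(2024, 5, 25), erasure_requested=True,
           backup_sets=("daily-146", "weekly-21")),                        # erasure requested
]


if __name__ == "__main__":
    for c in (Component("web-ui", True, False),
              Component("backend-api", False, False),
              Component("user-db", False, True)):
        print(c.name, "->", applicable_requirements(c))
    print(deletion_plan(SAMPLE_RECORDS, RETENTION_DAYS, TODAY))
```

Running the block prints the requirement set per component and a plan that names u1 (retention expired) and u3 (erasure requested) together with the backup sets each must be purged from, while u2 is left alone.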
So how do you educate your security team and your development teams in building GDPR compliant software? Do they all have to read and understand the entire regulation before building their applications?
Since IriusRisk is based on components, questionnaires and risk patterns, we’ve done this legwork for you. By providing accurate answers to the questions when designing a new application (or reviewing an existing one), IriusRisk will automatically apply the appropriate set of security requirements to help comply with the GDPR and push those requirements to your development teams’ issue trackers, so that they have actionable tasks right in their main task dashboard.
The security and compliance teams can view the status of these requirements as well as the impact of the risks in the IriusRisk console. No more shuffling documents, spreadsheets and emails to find out what the compliance state of a piece of software is.
About the author...
IriusRisk Team
The Threat Modeling Experts
IriusRisk
The IriusRisk Team represents the collective expertise and official voice of the company, driven by security researchers, product managers, and engineering leaders dedicated to the automation of threat modeling. This content is curated by the company's core staff to deliver official news, product roadmaps, and feature updates. The team's mission is to ensure every release and announcement is delivered with transparency, technical accuracy, and strategic alignment with the Secure by Design philosophy.