The EU General Data Protection Regulation (GDPR) comes into effect on the 4th May 2018 and has wide ranging implications for any company anywhere that processes the personal data of EU citizens. A lot has been written about how GDPR applies at the organisation level, and what general controls should be in place to comply with the regulation. But the GDPR also has implications for building software applications.
All software that handles personal data of EU citizens will have additional functional and non-functional requirements that were previously not necessary.
What’s more, these requirements will differ depending on the type of functionality offered by the component in your application. For example, a web application that exposes a web UI to end users would be required to display and capture explicit consent from the user for processing their data and include specific information in the privacy notice that states the purposes of data processing. These can be regarded as new functional requirements for every web application that processes EU citizens’ data, but these would not apply to a private backend web API that processes the same data but exposes no UI to the end user.
Similarly, there are a number of non-functional requirements that are only applicable to components that store EU citizens’ data. For example, it should be possible to completely delete a specific user’s data at their request (including from backups) and an automatic deletion process should be triggered when the data retention period expires.
So how do you educate your security team and your development teams in building GDPR compliant software? Do they all have to read and understand the entire regulation before building their applications?
Since IriusRisk is based on components, questionnaires and risk patterns – we’ve done this leg work for you. By providing accurate answers to the questions when designing a new application (or reviewing an existing one), IriusRisk will automatically apply the appropriate set of security requirements to help comply with the GDPR and automatically push those requirements to your development teams’ issue trackers. So that they have actionable tasks right in their main task dashboard.
The security and compliance teams can view the status of these requirements as well as the impact of the risks in the IriusRisk console. No more shuffling documents, spreadsheets and emails to find out what the compliance state of a piece of software is.