GDPR Guide for Software Engineers and Engineering Organizations
Recently (early 2022), the news has been full of stories about Google Analytics (specifically Universal Analytics) being declared illegal, Facebook facing fines, etc.
Suppose you are a Software Engineer or run an engineering organization. In that case, you might wonder how to avoid such compliance hurdles.
How to become compliant in these 5 EASY STEPS
Just joking. That would be misleading at best and harmful at worst.
Unfortunately, there are no easy hacks, and rather than being misleading, we will be honest.
GDPR and most legal compliance requirements can only be fulfilled with the right amount of preparation and process. Therefore, the sooner you start, the less painful these will be.
How do you start your compliance journey?
The most comprehensive and complete guide comes from what some might consider the least likely source. The French National Commission on Informatics and Liberty, CNIL.
CNIL is a French regulator that is tasked with executing privacy regulations. It is responsible for multiple high-profile rulings that made it appear on the front page of many news outlets.
Back in June 2020, CNIL published a GDPR for developers. This is a very comprehensive guide that covers a lot of details.
Sixteen steps
The guide lists 17 steps. It is a bit cheeky. The last step is marked as the sixteenth, but don't get fooled. In true developer fashion, we count from zero :)
These steps are:
- Develop in compliance with the GDPR
- Identify personal data
- Prepare your development
- Secure your development environment
- Manage your source code
- Make an informed choice of architecture
- Secure your websites, applications and servers
- Minimize the data collection
- Manage user profiles
- Control your libraries and SDKs
- Ensure the quality of the code and its documentation
- Test your applications
- Inform users
- Prepare for the exercise of people's rights
- Define a data retention period
- Take into account the legal basis in the technical implementation
- Use analytics on your websites and applications
I highly encourage you to dive deeper into these sections. There is a lot of information. In addition, the text is concise, approachable and engineer friendly.
This is an excellent example of a regulatory institution making a great effort to educate rather than penalize.
Do I have to go through all seventeen steps?
Yes and no.
Yes, you have to get familiar with all these steps. The good news is that assuming you adhere to modern development practices such as:
- source code versioning,
- change traceability,
- project documentation,
- testing, and
- implementing security practices.
You are likely going to quickly tick off multiple steps straight away.
Depending on your current organizational maturity, processes and more legal aspects of your operations will be left.
There will be a few subjects that will require your further attention. These are likely:
- questions around data retention,
- understanding the need for data minimization,
- getting a complete picture of how your vendors (aka Data Processors) handle entrusted information,
- etc.
Going even further
The CNIL documents go even further, beyond GDPR. For example, section 16th covers Use analytics on your websites and applications.
The rules listed in this section pertain to the ePrivacy Directive. Directive means that it is not automatically a law, and each EU member state will adopt it with local variations.
Suppose you deploy web analytics to your website and don't ask for explicit consent. In that case, your selected solution must adhere to the following rules:
- To inform users of their use, for example, via Privacy Policy;
- To give them the ability to object to their use;
- To limit to the following purposes only audience measurement and or A/B testing;
- Not to cross-check the data processed with other processing;
- To limit the scope of the tracer to a single site or application editor;
- To truncate the last byte of the IP address;
- To limit the lifetime of the trackers to 13 months.
Luckily, Wide Angle Analytics ticks all the above boxes, assuming you disclose its usage in your public privacy policy.