Data protection can hardly keep up with the swift development of technology. However, the consciousness of individuals and stricter laws all urge companies to pay close attention to data protection and create trust towards their services – to gain competitive advantage. The safety of data, the essential steps, tools, and processes to guarantee it, and providing the necessary software raise numerous questions – especially about who has what role and responsibility.
When does data protection enter the picture during a development project?
Looking at the different steps of development – and not including the different methods of development – we might agree on four phases: Planning, Development, Testing, and Release. Naturally, all these are preceded by brainstorming, since the idea of an application has to be born in someone’s mind. It might be excused if you are not dreaming of data protection at this stage – not like in the Planning phase, where user experience and the functional and non-functional parameters are being designed. Here you need to keep those principles in mind that provide data protection and meet the requirements.
Naturally, during the Development stage, the technical parameterizing of the pre-defined requirements and expectations will happen. Afterward, your product will (likely) go through quality assurance and testing, when the users can give you feedback and suggestions. Their role is essential regarding data protection, too – the user’s experiences, the usability might be crucial in obeying the principles.
Finally, your product is being tested, usually through market actors (Play Store, App Store). This will have interesting aspects on the level of documentation. During these four phases – especially if the development is done carrying out an order – clarifying the responsibilities might cause some sleepless nights.
Who has the responsibility?
Our first and foremost question is when you need to start thinking about data protection. Who has to think of it being a responsibility first? If we want to start at the very beginning, we might say that it starts at starting the business and hangs on throughout the whole journey, until the last project – and even after that, until all the legal responsibilities are taken care of.
We can dream even bigger but this should be the base – and therefore the leadership’s commitment is crucial. Looking at only a single project, we need to start with the relationship between the customer and the provider. The negotiations between these two parties will be the basis of what and how to do. But to the question of “Who is responsible for obeying the regulations?” each party’s answer is simple: “No me”.
Both parties are right, have their pro-contra arguments and the situation is not this simple in real life, either. The customer says I don’t care about this whole GDPR, I won’t pay for developing these extra functions. However, the GDPR puts some responsibility on the provider, as well.
If the data management is carried out by someone else on behalf of the data controller, it might only use data processors that provide adequate guarantees for implementing the right technical and organizational measures – that ensure compliance with the requirements of the data management regulations and the protection of the rights of those involved.
To clarify it, first, we have to clarify the exact relationship between the two parties: who will be the data controller, who will be the data processor, and maybe even the common data controller. Naturally, we have to take what the provider undertook into account. Will there be an operational task, later on, remote access, or some kind of SLA? To define it all, it is recommended to involve the data protection officer – if there is one – and the other members of the project, as well.
If the management succeeded at clarifying everything, then you still need to remember that there are certain tasks on the data protection side, too, during a project. This should be the task of the project manager, who reminds the other team members now and then and treats the matter as a priority.
From the developmental side, the implementation of the data protection and security rules takes place along the pre-set specifications. What many don’t think of is that even designers have a role in data protection. The solutions created by them affect the user experience, therefore are connected to the principle of data protection and transparency related to the rights of those involved.
Not to mention testers whose task is examining the solutions, and rating their usability and functional operation. For example, specific requirements need to be met when it comes to a data handling guide or consent – it matters how many clicks are necessary for the “Clear my data” button or if it works at all.
Principles
Though in many cases regulations don’t prescribe specific requirements, the principles defined in them can serve as a control point that may verify the conformity of a service or product.
In the case of legality, fair procedure, and transparency, the legal basis for processing personal data must be established – with which the decree was very generous, taking the case of the previous IT law into account. The handling of data has to happen in a format that is clear and transparent towards those involved. It is immediately accompanied by a purpose limitation, which requires the handling of personal data for a set, specific purpose.
Integrity and confidential nature: you might be familiar with it the ISO 27001 standard – with which data must be protected from unauthorized access, accidental and intentional damage, and with measures to prevent these.
The purpose limitation is completed by data saving, which limits the amount of used data to only that and that much, as is necessary for meeting the purpose. In addition, this data needs to be accurate and up-to-date.
The limited storage might be the most debated principle. According to it, all data handling has an “expiry date”, which is the fulfillment of the defined purpose.
The functions of the software or application
In addition to obeying the principles, attention must also be paid to ensuring the rights of those involved. Depending on the functions of the given product, it can be part of it or may also be performed manually. Taking a deletion request for example, the user must be able to initiate the deletion of their data from the application.
It’s possible to fulfill this request by developing automated processes, especially when planning with a great number of users. In this case, the process must be able to distinguish between deletable data and data that needs to be preserved. This same process can be completed manually, too but you must take care to comply with the deadlines set in the decree.
Therefore, risk-based preliminary planning is recommended for the development of software that meets data protection requirements – the basis of which is the preparation of an impact assessment tailored to the activity.
Users are increasingly aware of their data and there is a great demand for control over their data – therefore the selection of services and providers is becoming a matter of trust.
We can help create this trust with our services, whether it’s about matching data protection requirements to the organization/application or testing them.
