November 2018 - Data Protection & Privacy

Data Protection in Software Development

With the GDPR now in force in the EU, compliance is no longer only a question of company processes, but also of the software being used. Dr. Judith Nink from eyeo, on developing data-protection-compliant software, and on the relationship between data protection and IT security.

Watch the 8-minute video above or on YouTube, or read the transcript below:

Transcript

DOTMAGAZINE: How do you see the connection between cyber security and data protection?

DR. JUDITH NINK: I believe they complement each other. The data protection laws provide the legal framework to protect individuals in their fundamental rights, whereas cyber security, of course, enforces the protection in a technical way. A colleague of mine always told me: “You, with your legal stuff, that’s all about trust. But I don’t care about trust. I really want to ensure that it’s technically enforced, and that can only be done with security.” I believe that this condenses the story of data protection laws maybe a bit too much, because you have a lot more options with law than he was referring to. It’s not all about trust. But of course, you do need security to enforce the legal stipulations. So they can’t exist without each other, I believe, when it comes to the protection of the privacy rights of users.

DOT: Are there any special challenges involved in ensuring GDPR compliance in the development of software?

DR. NINK: First of all, I would say that highly depends on how you interpret the GDPR. Because there is a principle which is really important for software in general, and that is Privacy by Design. Privacy by Design requires software to follow the basic data protection principles, such as data minimization, or implementing technical and organizational measures to protect the fundamental rights of users. But this article only addresses the controller and not the developer. The controller is the one who is responsible for determining the purposes of data processing. That does not necessarily mean it’s the same one as the developer. I’ll give you an example: Companies, for example, are using external application tools to hire candidates via their website. These are first developed by a third-party company. This article doesn’t address the third-party company developing the application software; but the company using it to hire candidates needs to be responsible for implementing Privacy by Design. And that’s weird, right? How can they do that? They are not responsible for the software. If it’s not open source software, they can’t do anything about it.

But I totally believe that you couldn’t take the GDPR literally – developers must also take the GDPR seriously and implement Privacy by Design. Not only because it’s very important to protect users’ rights, but also because they can take that as a value, especially for European companies. European development companies could create value in providing software which already complies with privacy standards, and in helping companies to ensure that they are compliant with GDPR stipulations. So that is something they should definitely do.

And if we are interpreting the GDPR in that way, then there are of course challenges for developers. Considering the Privacy by Design stipulation, they would have to ensure, and be creative about, how they can implement the data minimization principle, for example, and still provide or develop software which is convenient for the users, which provides a good, usable and intuitive UI. And also, how they can implement functions which already allow a company to automatically delete data, which would be a great value. That’s also a challenge. And, of course, a developer must have some basic knowledge about privacy laws.

DOT: With the GDPR now in force, what have the biggest challenges been so far for tech companies?

DR. NINK: Actually, two things. First of all the register of procedures, and secondly the deletion of data. The register of procedures is basically the documentation of everything that you’re doing in connection with processing personal data in a company. So, documentation about almost everything. What the hell is a “procedure”?! Nobody would really know. And it’s a hell of a lot of work.

Especially when it comes to tech companies and startups – they really like to use a lot of fancy tools. They wouldn’t really know how the third-party tools have implemented privacy and all that kind of stuff. So, they need to do a lot of work finding out what kind of tools they are using, how the tools are working, how they have implemented privacy, etc. And when it comes to the deletion of data, first of all you have to know where your data is stored, and therefore you first need a register of procedures to be able to delete data. So, I guess the two of them complement each other somehow.

DOT: What best practices would you recommend for companies to ensure data protection?

DR. NINK: Taking the register of procedures as an example, because it is such a big challenge, I would highly recommend thinking not in procedures – which is quite challenging because companies are not used to it – but rather in processes. Companies are used to processes. If you go through the processes you have at your company, you can ensure that everything you are doing in connection with the processing of personal data will be documented. Walk through your processes. That’s the first piece of advice. Secondly, involve your teams. The teams who own the processes would know best what kind of data will be processed, to what extent, how long it is needed, etc. Then, for the future, ensure that the teams stay connected with the register of procedures, meaning they own the register of procedures for their respective processes. They are the ones who would know if something changes, so they are the ones who can directly document that and add the change. In addition, it would be really helpful if the teams get proper training, so they would know what to do: being aware of what the basic privacy principles are, and stuff like that.


Dr. Judith Nink takes care of everything in connection with privacy at eyeo, the company behind the well-known adblocker Adblock Plus. In her daily work she cooperates closely with eyeo’s technical infrastructure team and its security experts. She speaks frequently about privacy at conferences, provides privacy training programs, and publishes in journals and blogs.


Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.