GDPR To Shake Up Software Development

A Look at the Hidden Impact of Data Protection Rules

A new set of regulations regarding data protection comes into force next year. What are the impacts for your business and the data it uses?

As businesses have become ever more reliant on increasing amounts of data to deliver a better service to their customers, the question of how all that information is managed, stored and protected is ever present.

We already have the UK Data Protection Act (1998), but in April 2018, a new EU regulation entitled the General Data Protection Regulation will come into force. And no, in case you were wondering, Brexit will not affect its implementation in the UK.

Here, we take a look at how the new regulations will affect the technological aspects of your business including data storage, software development and other areas.

 

Personal data

Let’s get this out of the way up front. The biggest game changer is that any data your business uses to derive inferences that are linked to a living person is considered personal data under GDPR.

That means IP addresses, cookie IDs, even metadata. In truth, this is no different to the existing legislation. The difference, however, is that under the GDRP, the rules will be rigorously enforced.

Right now, there is a whole raft of business practices around data monetisation that depend on that data not being considered personal. Fudging it through concepts of weak consent, data reuse and onward transfer is no longer going to cut the mustard.

 

PET and PbD

Privacy enhancing technology (PET), along with Privacy by Design (PbD), will be mandatory requirements under GDPR. Easily said, but there is no formal definition of exactly what these terms mean.

PbD is generally agreed to be an evidencing step in the software development process that takes into account privacy requirements. In other words, by incorporating PET, you also take care of the PbD.

Two PET techniques that are gaining traction are differential privacy & homomorphic encryption.

Differential privacy seeks to counter the risk of re-identification by injecting noise, to obscure such data as is specific to an individual. Homomorphic encryption allows encrypted data to be analysed through special algorithms that release information. This is a cutting edge approach that is being explored by pioneers in companies like IBM and Fujitsu.

 

Ensuring compliance

Organisations need to be thinking now about how they can meet the challenge of the GDPR. When it comes into force, there will be an implementation window of just two years.

Here are some areas that most companies will need to consider:

  1. Delete the junk – if you don’t need it, ditch it. For example, data relating to inactive customers.
  2. More encryption – at present, most organisations only apply encryption where they have to, for example payment card data.
  3. Improve IT governance – from service level agreements to internal controls, there are numerous ways to improve transparency and at the same time enhance procedures.
  4. Look at your PET skills – we can see that PET is going to be crucial. Now is the time to get the expertise on hand to make sure your organisation is at the forefront.

The good news is that if you are in compliance with the UK DPA, it is more a matter of shoring up weaknesses in your existing processes than reinventing wheels.

 

 

Got something to say? Go for it!