20 Action items to make your product GDPR compliant
If you have even a single EU user registered on your platform, you need to be GDPR compliant. The General Data Protection Regulation (GDPR) is designed to broadly affect businesses with connections to Europe. GDPR is meant to protect the data of EU citizens across all EU nations. The personal data protected under GDPR includes, but is not restricted to, mailing addresses, payment information, product purchases, employee data, IP addresses, and so on. Non-compliance with GDPR may be fined up to 20 million euros or 4% of the annual revenue for the prior year. If you own an app, website, software or any other digital platform, read further to understand how to get your product GDPR compliant.
What is GDPR Compliance?
GDPR stands for General Data Protection Regulation. It applies to companies that collect and process data belonging to European Union citizens. The law replaces the Data Protection Directive 95/46/EC in spring 2018 as the primary law regulating how companies protect the personal details of EU citizens. It applies not only to companies with operations in the EU but also to applications or websites that gather sensitive data of EU citizens.
The deadline for compliance with the European Union General Data Protection Regulation is 25 May 2018. Companies that fail to comply with GDPR by that date will face a hefty fine.
Who should care about GDPR compliance?
All software developers, startups and companies that own any sort of software, app or website need to be GDPR compliant.
What technology products are required to be compliant?
- iPhone App
- iPad App
- Android App
- Windows App
- Apple TV Apps
- Smart TV Apps
- Web Portals
- Marketing Websites
- Cloud storage
- Browser Extensions
Points to consider while making your product GDPR compliant or improving the security of its data
- If you have even a single EU user registered on your platform, you need to be GDPR compliant.
- Distinguish between the user data that is necessary to run the platform and the user data that is collected for business intelligence.
- The right of access states that the user must be aware that the app collects their personal information with the intention to save it. Take the user's permission before collecting any of the following:
  - Storing cookies on the device
  - Saving data in the cloud or third-party storage
  - Tracking user activities or behaviour on the platform
- Give the user an option to clear all historical data
- Give the user an option to export all their data
- Give the user an option to delete everything
- Use secure protocols such as HTTPS or SFTP to transfer data over the network
- Use two-factor authentication or the OAuth 2.0 standard for authentication
- User permissions and access control should be reviewed to comply with GDPR
- Make sure sensitive information such as passwords is hashed (with a salted, deliberately slow password hash rather than a plain digest) and stored in encrypted databases or filesystems whose access is restricted to specific IPs.
- Make sure cookies and sessions are cleared once the user logs out
- The user should be well informed of any data being shared with third parties
- The user should be notified immediately in case of a data breach
- If you are logging data into an analytics tool, such as Google Analytics, Mixpanel or anything similar, you will need to provide an interface so that the user can view and delete that data.
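The consent, export, clear-history, delete and logout items above are easiest to get right when every store that holds user data is known and each operation touches all of them. The following Python sketch is an added example (not LeewayHertz code and not tied to any particular framework): it uses hypothetical in-memory dictionaries in place of the production database, the analytics tool and the session cache, gates behavioural tracking on recorded consent, and implements export, history clearing, erasure and server-side session invalidation over all of those stores.

```python
import secrets
from datetime import datetime, timezone

# Hypothetical in-memory stores standing in for the production database, the
# analytics tool and the session cache; each GDPR operation must touch all of them.
USERS = {}       # user_id -> data needed to run the platform
ANALYTICS = {}   # user_id -> behavioural events kept for business intelligence
CONSENTS = {}    # user_id -> {purpose: {"granted": bool, "at": timestamp}}
SESSIONS = {}    # session_token -> user_id

# Purposes that need explicit permission before any data is collected for them.
PURPOSES = ("cookies", "tracking", "third_party_sharing")


class ConsentRequired(Exception):
    """Raised when an operation needs a consent the user has not given."""


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def register(user_id: str, email: str) -> None:
    # Only data necessary to run the platform goes in USERS; every optional
    # purpose starts with consent withheld and a timestamp for the audit trail.
    USERS[user_id] = {"email": email, "created": _now()}
    CONSENTS[user_id] = {p: {"granted": False, "at": _now()} for p in PURPOSES}
    ANALYTICS[user_id] = []


def record_consent(user_id: str, purpose: str, granted: bool) -> None:
    """Store the decision and when it was made, so it can be shown and audited."""
    CONSENTS[user_id][purpose] = {"granted": granted, "at": _now()}


def consent_given(user_id: str, purpose: str) -> bool:
    return CONSENTS.get(user_id, {}).get(purpose, {}).get("granted", False)


def track_event(user_id: str, event: str) -> None:
    # Behavioural tracking is business intelligence, not needed to serve the
    # user, so it is refused unless consent was explicitly recorded.
    if not consent_given(user_id, "tracking"):
        raise ConsentRequired("tracking")
    ANALYTICS[user_id].append({"event": event, "at": _now()})


def login(user_id: str) -> str:
    token = secrets.token_urlsafe(32)   # unguessable session identifier
    SESSIONS[token] = user_id
    return token


def logout(token: str) -> None:
    # Invalidate server-side, so a cookie that survives on the device is useless.
    SESSIONS.pop(token, None)


def export_user_data(user_id: str) -> dict:
    """Right of access / portability: everything held about the user, in one
    structure that json.dumps() can serialise for download."""
    return {
        "profile": USERS[user_id],
        "consents": CONSENTS[user_id],
        "analytics_events": list(ANALYTICS[user_id]),
    }


def clear_history(user_id: str) -> int:
    """Drop historical behavioural data but keep the account; returns the count removed."""
    removed = len(ANALYTICS[user_id])
    ANALYTICS[user_id] = []
    return removed


def erase_user(user_id: str) -> bool:
    """Right to erasure: remove the user from every store, live sessions included."""
    USERS.pop(user_id, None)
    ANALYTICS.pop(user_id, None)
    CONSENTS.pop(user_id, None)
    for token in [t for t, u in SESSIONS.items() if u == user_id]:
        del SESSIONS[token]
    return not any(user_id in store for store in (USERS, ANALYTICS, CONSENTS))
```

In a real deployment each of the four dictionaries becomes a call to a different system (the primary database, the analytics vendor's deletion API, the session store), which is exactly why the list of stores should be written down: an erasure that forgets the analytics tool is not an erasure.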
A few other security measures to consider
- All APIs and web portals should be protected against DDoS, CORS misconfiguration and other security vulnerabilities
- Any API or web service that allows the user to export data should comply with the highest security measures, such as:
  - SHA-256 hashing (SHA-256 is a hash function, not an encryption cipher; it protects integrity, not confidentiality)
  - HTTPS enabled
  - OAuth 2.0 standard implementation for the APIs
  - DDoS protection and a strict CORS policy
  - IP restriction
  - Throttling (rate limiting)
  - A circuit breaker mechanism for delayed responses
- All security credentials saved locally on client interfaces such as mobile apps or browsers should be hashed or encrypted. If possible, perform a secure handshake on each session creation.
- Perform a monthly audit of your security standards for all components and keep revising your security practices based on industry learning.
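Three of the items above (hashed password storage from the earlier list, throttling, and a circuit breaker for delayed responses) are small enough to show in full. The Python below is an added example written for this page, not LeewayHertz code; it uses only the standard library. Passwords are stored with PBKDF2-HMAC-SHA256 (a salted, iterated construction, rather than a single SHA-256 digest), the throttle is a sliding-window limit keyed by client, and the breaker trips after repeated slow responses and lets one trial call through after a cooldown. The iteration count and all limits are assumptions to tune for your own service; the `ManualClock` exists only so the time-based behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Optional

# Assumption: 600k PBKDF2 iterations; tune so one hash takes ~100 ms on your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algorithm$iterations$salt$digest (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class ManualClock:
    """Injectable clock so the throttle and breaker can be tested without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Throttle:
    """Allow at most `limit` calls per `window_seconds` for each client key (IP, API key)."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic) -> None:
        self.limit, self.window, self.clock = limit, window_seconds, clock
        self._hits = {}  # client -> deque of call timestamps inside the window

    def allow(self, client: str) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(client, deque())
        while hits and now - hits[0] >= self.window:  # forget calls outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class CircuitOpen(Exception):
    """The dependency is being skipped because it recently timed out or failed."""


class CircuitBreaker:
    """Trip after `max_failures` slow or failed calls; allow one trial call after `cooldown`."""

    def __init__(self, max_failures: int, timeout: float, cooldown: float,
                 clock=time.monotonic) -> None:
        self.max_failures, self.timeout, self.cooldown = max_failures, timeout, cooldown
        self.clock = clock
        self.failures = 0
        self.opened_at = None  # timestamp the circuit tripped, None while closed

    def call(self, fn, *args):
        trial = False
        if self.opened_at is not None:
            if self.clock() - self.opened_at < self.cooldown:
                raise CircuitOpen()
            trial = True  # half-open: exactly one probe decides whether to close again
        started = self.clock()
        try:
            result = fn(*args)
        except Exception:
            self._fail(trial)
            raise
        if self.clock() - started > self.timeout:
            self._fail(trial)  # a delayed response counts against the dependency
        else:
            self.failures, self.opened_at = 0, None
        return result

    def _fail(self, trial: bool) -> None:
        self.failures += 1
        if trial or self.failures >= self.max_failures:
            self.opened_at = self.clock()
            self.failures = 0
```

The breaker records a slow call as a failure but still returns its result; what it protects is the next request, which is rejected instantly instead of queueing behind a backend that is already struggling. The throttle and breaker here are single-process and not thread-safe; a real export API would keep the same logic in a shared store such as Redis.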
LeewayHertz provides end-to-end services to make an app, website or platform GDPR ready.
Talk to us to discuss your project requirements.