In this post we will look at how the new GDPR regulation meets the 3.12 principle of the Software Engineering Code of Ethics: “Work to develop software and related documents that respect the privacy of those who will be affected by that software.”
This turns out to be a hot topic, as we learnt just before publishing this post:
The European Court of Justice has struck down Privacy Shield, the EU-US data-sharing agreement, creating uncertainty for European countries that share data with the US and pressuring the US to reform surveillance laws.Published by Computer Weekly – 16 Jul 2020
We won’t discuss the reasons for this decision and all its possible impacts. But we hope that this article will help you understand the major stakes of personal data processing, and how to avoid “data privacy” traps when developing software.
Our data belong to us
Living in a data based economy: What a wonderful life!
In the past 10 years, rapid technological advancements and globalization have significantly increased the scale of collection, sharing and flow of personal data. Today, leveraging data is undoubtedly one of the most promising sources of business and value creation.
In the beginning we all gently accepted to publicly share a lot of personal data in order to benefit from innovative services provided by Internet players.
Providing our data in exchange for easy and immediate access to information, ability to communicate with the entire world via social networks, shopping online or saving time on admin seemed to be a very good deal indeed!
To what extent did we agree?
Nice but… as individuals, we now come to realize that the ever growing flow of data sharing allows both private and public actors to use our personal data on an unprecedented scale, and often without our really knowing it.
We also become increasingly aware of the value of our data, and rightfully cautious about the dangers of sharing them on a large scale and without distinction. That lack of trust is utterly understandable given the recent history of high-profile consumer-data breaches. Not to mention new issues risen by data mining, advances in data analytics and AI, which we will discuss in a another post. Recent studies from Boston Consulting Group showed that at least 4 out 5 European consumers are concerned about sharing their data, regardless of their age!
In this context, it becomes essential to make sure that we, as individuals, will be able to have the use of our data under control.
The stake is high, as it must reconcile ethics and business. The European commission put it very well: “Ensuring natural persons minimal trust about the processing of their data is not only a fundamental right, it’s also an essential condition to allow digital economy to continue to develop”.
Here comes GDPR: What it means in practice
Adopted in May 2016 by the European Parliament and effective since 25 May 2018, the General Data Protection Regulation (GDPR) aims at strengthening and harmonizing individuals’ fundamental rights with regards to the processing of personal data.
Isn’t that a good resolution?
“Fortune’s Global 500 companies had spent $7.8 billion by 2018 preparing for GDPR”International Association of Privacy Professionals
Although GDPR basic principles seem clear and obvious, ensuring compliance at company level required the investment of hefty sums and a number of sleepless nights for managers around the world. This is not only due to the complexity of ensuring compliance with GDPR, but also because of the level of penal and financial applicable penalties.
The hardest thing is that GDPR covers a wide and complex scope regarding the geographical area and number of individuals protected, the type of data and the various data processing activities.
GDPR principles are based on 3 main pillars
Strengthen and harmonize individual rights regarding the processing of personal data
- This covers any action on any data describing an individual on any level.
- “Processing” includes all operations made on data: collection, storage, recording, modification, access, sharing, use, destruction, etc.
- “Personal data” means any data that identifies a natural person directly OR indirectly. It thus can be immediately identifiable data such as name, but also a combination of “innocent” data such as age, job position, company, city, etc. as when combined can allow the identification of a person. Some of them are even classified as “sensitive” with higher protection, such as health data or political opinions among many others.
Engage the responsibility of all actors
- Includes any organization that is established in the territory of the European Union OR which activity directly targets European residents.
- Public or private
- Whatever its size, country of establishment and activity
- Being data controller or data processor, i.e processing data on its own account or not
- Including its relationships with partners, prospects and customers, suppliers, sub-contractors, and of course its own employees.
Increase control and sanctions
- Each company failing to comply with the law is subject to financial penalties up to 20 million Euro or 4 % of its annual worldwide revenue, whichever is greater. That gives some food for thought…
Why you should feel concerned as a developer
As an individual, GDPR is undoubtedly your friend, as it helps you taking back control of your personal data.
As a software engineer, you should feel concerned. Among the actors being involved, software editors and software teams in general are definitely at the forefront, as nowadays most personal data are processed using software. Undeniably, GDPR will help you modify your software development practices towards better application design and greater security.
And you should feel even more concerned if you remember our former post on the presentation of the SE code of Ethics. Just look at this:
That makes sense, doesn’t it? That’s why GDPR is also your friend as a developer, since it will help you being compliant with the Software Engineering code of Ethics. QED 😊
How to comply at software projects level?
Apply Privacy by design and Privacy by default
Applied to software development, GDPR comes with 2 basic concepts that you should apply all along the development lifecycle, from requirements to tests, validation, and deployment:
- Privacy by design
Article 25(1) of the GDPR specifies that “The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures […] to integrate the necessary safeguards into the processing […] and protect the rights of data subjects.”
-> Ensure transparency and data security, and ease user’s control.
- Privacy by default
According to Article 25(2), “The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
-> Minimize data collection and processing.
Whatever type of software you design
Keep in mind that this doesn’t only apply to websites or mobile apps or consumer-oriented software. Business software used in a professional context or embedded software are equally concerned!
Just think one second about the implications of GDPR on data collected by connected cars or ADAS for example. Have you ever rent a car and found personal data left by former users who connected their smartphones, with the result of giving you access to their contacts’ names and phone numbers? In any case, rest assured that it happened to the writer of this post in real life 😉.
GDPR: Be aware, but don’t panic!
But don’t panic! There are many things that can easily be done when designing software, once you are aware of these issues from the outset. Moreover, you will have to adapt your efforts depending on the risk level of your system: sensibility of the information processed, size of your database, degree of data exposure.
To help you find your way: in our next post we will go through 6 leading principles you should consider when developing software… stay tuned!