The GDPR is a headache for developers. It's just not clear enough what we have to do to keep our apps compliant. Fortunately CNIL has published a detailed guide for just this case.

French institute "Commission Nationale de l'Informatique et des Libertés"  abbreviated to CNIL, is an independent administrative authority that exercises its functions in accordance with the 1978 French Data Protection Act, amended in August 2004.

It was set up in the seventies by the French government as an independent oversight authority to make recommendations of concrete measures intended to guarantee that any developments in information technology would continue to respect privacy, individual rights and public liberties. Since then it has kept up to date with the latest developments in the industry and collaborates closely with its European and international counterparts to analyze the consequences of new technologies on the private life of citizens.

With its GDPR guide its approach is at a more technical level, addressing software developers instead of just the wider public.

So what does the guide contain?

It comprises 16 thematic files that cover most of the developers' needs at each stage of their projects, from preparation to  audience measurement: 

• Sheet n°0: Develop in compliance with the GDPR
• Sheet n°1: Identify personal data
• Sheet n°2: Prepare your development
• Sheet n°3: Secure your development environment
• Sheet n°4: Manage your source code
• Sheet n°5: Make an informed choice of architecture
• Sheet n°6: Secure your websites, applications and servers
• Sheet n°7: Minimize the data collection
• Sheet n°8: Manage user profiles
• Sheet n°09: Control your libraries and SDKs
• Sheet n°10: Ensure quality of the code and its documentation
• Sheet n°11: Test your applications
• Sheet n°12: Inform users
• Sheet n°13: Prepare for the exercise of people’s rights
• Sheet n°14: Define a data retention period
• Sheet n°15: Take into account the legal basis in the technical implementation
• Sheet n°16: Use analytics on your websites and applications

From that list, the ones that stand out the most :

In Sheet n°1: Identify personal data, there are some examples of what constitutes personal data, such as: 

• fixed or mobile telephone number, postal address, email address
• IP address, computer connection identifier and cookie identifiers. 

It also mentions the Anonymisation and Pseudonymization of the personal data and the difference between them.

At this point it's important to note that the guidelines are relatively abstract and do not address the technicalities. That is you are not shown how to actually anonymize data; the technical solutions are up to the developers themselves.

In Sheet n°4: Manage your source code, among other its other advice, you are told to implement code quality metrics tools that will scan the code as soon as it is committed and to keep secrets and passwords out of the source code repository by storing them in separate files, which have not been committed. Also check that environment variables are not accidentally written to logs or displayed when an application error occurs.

In Sheet n°5: Make an informed choice of architecture, there's an under-appreciated case that not many consider :

Make sure you know the geographical location of the servers that will host your data. You may be required to transfer data outside the European Union (EU) and the European Economic Area (EEA).

While data can move freely within the EU/EEA, transfers outside the EU/EEA are possible, provided that sufficient and appropriate level of data protection is ensured. The CNIL provides an on-site map showing the different levels of data protection in countries around the world.

In Sheet n°6: Secure your websites, applications and servers, the instructions are more hands on: 

• Implement TLS version 1.2 or 1.3
• Make the use of TLS mandatory
• Limit the communication ports
• Never store passwords in clear text
• Test the cryptographic suites installed on the systems and disable obsolete one
• Make backups, if possible encrypted and checked regularly.
• Install critical updates without delay by scheduling an automatic weekly check
• Protect the databases you make available on the Internet, at least by restricting access as much as possible (for example, by IP filtering) 

Sheet n°7: Minimize the data collection reflects the core values of the GDPR: 

Before collection, think about the different types of data you need to collect and try to limit your collection to what is strictly necessary

Sheet n°09: Control yo.ur libraries and SDKs, acknowledges that today's applications handle hundreds of dependencies in order to function and, because of that, developers should be better informed about those dependencies in assessing the value of adding each dependency and in choosing maintained software, libraries and SDKs.

Finally in Sheet n°16: Use analytics on your websites and applications, the recommendations go through the most debated topic of them all - cookies, informing users about them and asking for the users' consent. However, subject to a number of conditions, cookies used for audience measurement/analytics are exempt from consent. Read the sheet to find out, but keep in mind that:

"most large audience measurement offerings do not fall within the scope of the exemption, regardless of their configuration."

To sum up, the Guidelines set the correct foundations for compliance. They are to be followed top to bottom and where they get technical they should be acted upon as an Interface that you must provide the Implementation for.

More Information

The GDPR guide for developers

Related Articles

Ethics Guidelines For Trustworthy AI

How AI Discriminates

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info