Do you develop software? Does your organization order the development of, or plan to purchase, a business application? Whichever side you represent, in the context of software you must have heard the following words repeated like a mantra: GDPR, privacy by design and privacy by default.
It has been over a year since GDPR entered into force, so you are probably aware of its requirements and of the fact that the irritating telemarketer trying to sell you pots and pans should not call you 5 times a day, since you have never heard of that company and never agreed to anything. But what has that got to do with the application which you develop or order?
In fact, quite a lot. Telemarketers follow a business process which should be designed in such a way as to meet GDPR requirements. The same applies to your application, if it processes personal data. If you think that this article is not for you because your application will not include personally identifiable information, you might want to take a look at the following definition.
What are personal data?
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
This means that your application does not have to collect data such as first name, last name, e-mail address or place of residence, which make it possible to identify a person directly. It is enough that the user can be identified based on unique device and application identifiers, such as an IP address, MAC address, IMEI, Android ID or cookie ID, or even information from browser settings. This is called indirect identification.
Indirect identification can also be based on metadata such as the device’s location, browser history or time spent on a given website. Why is it so important? In the future, end-device data may be combined with other information and used to identify the smartphone and its user. Based on an IP address, it is possible to collect a wide range of information (e.g. browsed products and services, information from cookies) which makes it possible to create a profile of a given person. That profile may include their culinary preferences and love of kale, but also, more worryingly, their health status, sexual orientation, political opinions or religious beliefs.
So what to do about personal data in your application?
I assume that you carry on reading. 🙂 GDPR applies to any organization which processes personal data in relation to its business operations. Each such organization, regardless of its size, scale of operations and legal form, must be able to prove that it provides an adequate level of data protection, including that it processes the data in accordance with the basic principles of personal data processing.
If such an organization chooses a service, product, device or software (whether in a mobile, web or desktop version) which processes personal data, it must be able to prove that the solution complies with GDPR.
Why is it so important?
Everyone knows what consequences a company may face: a supervisory authority may impose a fine of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year (to be precise, a breach does not automatically result in a fine, let alone the highest amount; the supervisory authority may also use warnings, reprimands or other corrective measures). Persons who suffered damage as a result of a breach involving their personal data may also seek compensation. But what may prove most costly from the organization’s perspective is the loss of customer trust and reputation.
However, it is not the interests of organizations that are most important here. GDPR is all about protecting the privacy of data subjects. Organizations collect enormous amounts of data, and there are more and more data breaches as a result of which natural persons may suffer damage. In 2018, the unquestionable “winner” in terms of personal data protection problems was Facebook, which exposed APIs giving external applications unlimited access to user data (the Cambridge Analytica scandal). The password leak at Morele.net, which was investigated by the President of the Personal Data Protection Office (the Polish supervisory authority), is also widely known. The prospect of heavy fines is supposed to motivate organizations to think about data protection when developing or purchasing software.
Personal data protection is now an integral part of technological development and software delivery.
What should you bear in mind?
If you are a software developer, remember that every informed client will ask you about your application’s compliance with GDPR, and that every application store in which you want to publish it has its own developer guidelines on minimum privacy requirements.
If you order or purchase software for your organization, avoid the risk and do not buy a solution whose provider cannot prove its compliance with GDPR: under the law it is the data controller, not the software provider, that is responsible for the lawful processing of personal data.
Natalia Zacharewicz – Data Protection Officer at Onwelo. She is responsible for personal data protection audits, including GDPR compliance audits of systems and applications, and for implementing personal data and classified information protection systems. In private, she is a fan of good reportage and heritage walks.