Sheet n°0: Develop in compliance with the GDPR
Whether you work alone, are part of a team developing a project, manage a development team, or are a service provider carrying out developments for third parties, it is essential to ensure that user data and all personal data processing are suffisiently protected throughout the lifecycle of the project.
The following steps will help you in the developing privacy-friendly applications or websites:
Be aware of the GDPR core principles
If you work in a team, we recommend that you identify a person responsible for monitoring compliance. If your company has a Data Protection Officer (DPO), then that person is a key asset in understanding and meeting the GDPR obligations. The appointment of a DPO may also be mandatory in some cases, for example if your programs or applications process so-called “sensitive” data (see examples) on a large scale or conduct regular and systematic monitoring on a large scale.
Map and categorize the data and processing in your system
Accurately mapping the data processing performed by your program or application will help you ensuring that they comply with legal requirements. Keeping a record of processing activities (an example of which can be found on the CNIL website), allows you to have an overall view of these data, and to identify and prioritize the associated risks. Indeed, personal data may be present in unexpected places such as in server logs, cache files, Excel files, etc., and may be stored in a number of different places. Such record-keeping is mandatory in most cases.
Prioritize the required actions
On the basis of the data processing registry, identify the required actions to comply with the obligations of the GDPR in advance of the development and prioritize the attention points with regard to the risks for the data subjects by the processing. These points of attention concern in particular the necessity and types of data collected and processed by your software, the legal basis on which your data processing operations are based, the information mentions of your software or application, the contractual clauses binding you to your contractors, the terms and conditions for exercising rights, the measures implemented to secure your processing.
Manage the risks
When you identify that a processing of personal data is likely to create high risks for data subjects, make sure that you manage those risks appropriately in the context. A Privacy Impact Assessment (PIA) can help you manage those risks. The CNIL has developed a method, model documents and a tool that will help you to identify those risks, as well as a catalogue of good practices that will assist you in implementing measures to address the identified risks. Furthermore, a privacy impact assessment is mandatory for all processing operations that are likely to create high risks to the rights and freedoms of data subjects. The CNIL proposes, on its website, a list of types of processing operations for which a DPA is required or not.
Put in place internal processes
To ensure compliance during all development stages, ensure that internal procedures guarantee that data protection is taken into account in all aspects of your project and into all events that may occur (e.g. security breach, requests for rectification or access fulfillment, modification of data collected, change of provider, data breach, etc.). The requirements of the governance label (even if this one no longer granted by the CNIL since the entry into force of the GDPR) can constitute a useful basis of inspiration to help you set up the necessary organization.
Document developments compliance
To prove your compliance with the GDPR at all times: the actions performed and the documents produced at each stage of development must be mastered. This implies in particular a regular review and update of the documentation of your developments so that it is constantly consistent with the features deployed on your program.
The CNIL website provides numerous practical files which will assist you in setting up law-abiding treatments according to your sector of activity.