What Developers Need To Know About The GDPR
3/2/2021
Your Security Director has instructed your team to automate data protection in the development lifecycle so the business can be GDPR compliant – you understand what you need to do, but do you know why?
In this blog, we'll unpack everything you need to know about GDPR compliance and why developers need to take notice.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a data privacy law that affects businesses that offer products and services to European residents and collect or handle their personal data. The GDPR regulates the use of this private data and lays out a set of rules that businesses must adhere to in order to maintain compliance.
The GDPR specifically relates to the processing of data (Article 5), the retention of data (Article 17), the deletion of data (Article 24) and the security of data (Article 32). Article 34 lays out the protection measures needed to mitigate data breaches including data protection methods such as data masking.
That’s where you as a developer come in, as data masking is an essential part of the development toolkit.
What developers need to know about the GDPR
One of the key requirements of the GDPR is for data privacy to be designed into the development of any product, or to put it simply, as a default step of software development. This is known as Privacy By Design.
Article 25 of the GDPR goes into detail about data protection by design and by default and sets out the rules for processing data, such as this description of the role of the controller (that’s you): "The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."
The GDPR recommends the use of data protection methods to safeguard private data and mentions data masking as a preferred method of protecting data. Automating data masking as part of the development life cycle de-identifies private data early, and also retains its referential integrity so it can still be used in the context of support, analytics, and reporting.
Masking data ensures that personal customer data, or PII, that is stored or processed is safeguarded against unlawful access, hackers and potential breaches, within the business and without.
How to recognize PII
Personally identifiable information (PII) is data that can be used to identify an individual. Examples of PII include a customer’s name, Social Security number, driver’s license, credit card number, and email address.
Developers are ideally placed to ensure data is safeguarded across the entire organization. (Read our blog on why DevOps should be your privacy champions.) Data protection tools like Sensitive Data Discovery can help you locate and classify PII in your databases, and take appropriate remedial action.
As maintaining healthy data privacy practices becomes more important to business survival, developers play a key role in ensuring proper data management systems are in place, from the time of development, to the very end of the product lifecycle. For developers, the GDPR provides a helpful framework of requirements from which to model their activities.
Want to read more on this topic? Check out our GDPR checklist.
Hush-Hush Data Masking components form an essential part of the development toolkit, making it easy to automate the data protection cycle even in larger databases.
