CNIL Publishes GDPR Guide For Developers
Written by Nikos Vaggalis
Tuesday, 13 October 2020
The GDPR is a headache for developers. It's just not clear enough what we have to do to keep our apps compliant. Fortunately CNIL has published a detailed guide for just this case.
The French institution "Commission Nationale de l'Informatique et des Libertés", abbreviated to CNIL, is an independent administrative authority that exercises its functions in accordance with the 1978 French Data Protection Act, as amended in August 2004.
It was set up in the seventies by the French government as an independent oversight authority to make recommendations of concrete measures intended to guarantee that any developments in information technology would continue to respect privacy, individual rights and public liberties. Since then it has kept up to date with the latest developments in the industry and collaborates closely with its European and international counterparts to analyze the consequences of new technologies on the private life of citizens.
With its GDPR guide, CNIL takes a more technical approach, addressing software developers rather than just the wider public.
So what does the guide contain?
It comprises 16 thematic files that cover most of the developers' needs at each stage of their projects, from preparation to audience measurement:
From that list, these are the ones that stand out the most:
In Sheet n°1: Identify personal data, there are some examples of what constitutes personal data, such as:
It also covers the anonymisation and pseudonymisation of personal data and the difference between them.
At this point it's important to note that the guidelines are relatively abstract and do not address the technicalities. That is, you are not shown how to actually anonymise data; the technical solutions are up to the developers themselves.
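As an added illustration of the distinction the guide draws (this is example code written for this article, not something the CNIL guide or I Programmer provides), the script below pseudonymises a constructed dataset with a keyed HMAC and separately anonymises it by dropping direct identifiers, generalising age, and releasing only aggregate counts for groups of at least k people. The records, field names and key are all constructed.

```python
"""Pseudonymisation versus anonymisation on a constructed dataset.

Added example, not code from the CNIL guide or from I Programmer, illustrating the
distinction Sheet n°1 draws. The records, key and field names are constructed.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (no real people).
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "age": 34, "city": "Lyon", "plan": "pro"},
    {"email": "bob@example.org", "age": 37, "city": "Lyon", "plan": "free"},
    {"email": "carol@example.org", "age": 52, "city": "Lyon", "plan": "pro"},
    {"email": "dan@example.org", "age": 31, "city": "Paris", "plan": "free"},
    {"email": "erin@example.org", "age": 29, "city": "Nice", "plan": "pro"},
]

DIRECT_IDENTIFIERS = ("email",)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of an identifier.

    An unkeyed hash would be a weak pseudonym: anyone holding a list of candidate
    e-mail addresses could hash them and match. With a key held by the controller
    the pseudonym can still be recomputed to link records, which is exactly why the
    GDPR treats pseudonymised data as personal data that still needs protection."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with pseudonyms; everything else is kept."""
    out = []
    for record in records:
        copy = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in copy:
                copy[field] = pseudonym(copy[field], key)
        out.append(copy)
    return out


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records, k: int) -> dict:
    """Drop direct identifiers, generalise the quasi-identifiers (age, city) and
    release only aggregate counts for groups of at least k people; smaller groups
    are suppressed because a count of 1 singles out an individual."""
    counts = Counter((age_band(r["age"]), r["city"]) for r in records)
    return {group: n for group, n in counts.items() if n >= k}


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-out-of-the-repo"
    for row in pseudonymise(SAMPLE_RECORDS, key):
        print(row)
    print(anonymise(SAMPLE_RECORDS, k=2))  # {('30-39', 'Lyon'): 2}
```

The pseudonymised rows are still one-to-one with people and can be re-linked by whoever holds the key, so they stay inside the GDPR's scope; the anonymised output only retains groups large enough that no single person can be picked out, which is the property the guide's anonymisation sheet is after.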
In Sheet n°4: Manage your source code, among its other advice, you are told to implement code quality metrics tools that scan the code as soon as it is committed, and to keep secrets and passwords out of the source code repository by storing them in separate files that are never committed. You should also check that environment variables are not accidentally written to logs or displayed when an application error occurs.
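The following script is an added example for this article, not code from the CNIL guide or from I Programmer, showing what those Sheet n°4 recommendations look like in practice: loading secrets from a file that is kept out of version control, a logging filter that redacts secret values before they reach a log line, masking secret environment variables before an environment dump lands in a crash report, and a pre-commit style scan of text about to be committed. Every variable name, pattern and sample value is constructed for the example.

```python
"""Keeping secrets out of the repository and out of logs.

Added example, not code from the CNIL guide or from I Programmer. It shows checks
behind the Sheet n°4 advice: load secrets from a file that is not committed, redact
secret values before they reach a log line, mask secret environment variables in
error dumps, and scan text about to be committed for credentials. All names and
sample values are constructed; a real project would list its own variables and patterns.
"""
import logging
import re

# Environment variables whose values must never reach a log or an error page.
# Constructed list for the example.
SECRET_ENV_VARS = ("DB_PASSWORD", "API_TOKEN")
NAME_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "_KEY")


def parse_secrets(text: str) -> dict:
    """Parse KEY=VALUE lines from a secrets file kept outside version control
    (listed in .gitignore), ignoring blank lines and '#' comments."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        secrets[key.strip()] = value.strip()
    return secrets


def redact(text: str, secret_values) -> str:
    """Replace every secret value in text with a marker, longest value first so
    a secret that is a prefix of another is not left half-exposed."""
    for value in sorted((v for v in secret_values if v), key=len, reverse=True):
        text = text.replace(value, "[REDACTED]")
    return text


class SecretRedactingFilter(logging.Filter):
    """logging.Filter that rewrites each record's message before handlers see it."""

    def __init__(self, secrets: dict):
        super().__init__()
        self._values = list(secrets.values())

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._values)
        record.args = ()  # message is already fully formatted
        return True


def redacted_log_line(message: str, secrets: dict) -> str:
    """Return what the filter would let through for a given message."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, message, (), None)
    SecretRedactingFilter(secrets).filter(record)
    return record.getMessage()


def safe_environment_snapshot(environ: dict) -> dict:
    """Mask secret variables before an environment dump goes into a crash report."""
    def is_secret(name: str) -> bool:
        upper = name.upper()
        return name in SECRET_ENV_VARS or any(m in upper for m in NAME_MARKERS)
    return {k: ("[REDACTED]" if is_secret(k) else v) for k, v in environ.items()}


# Patterns a pre-commit hook might apply to staged text. Constructed for the
# example; real scanners use far larger pattern sets.
SECRET_PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "hard-coded credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def scan_for_secrets(text: str) -> list:
    """Return (line number, pattern name) for each line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    # Constructed contents of a git-ignored ".env.local" style file.
    secrets = parse_secrets("DB_PASSWORD=hunter2hunter2\n# API\nAPI_TOKEN = tok_0123456789\n")
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("demo")
    log.addFilter(SecretRedactingFilter(secrets))
    log.info("connecting with password %s", secrets["DB_PASSWORD"])  # value is redacted
    print(safe_environment_snapshot({"HOME": "/home/dev", "DB_PASSWORD": "hunter2hunter2"}))
    print(scan_for_secrets('db_password = "hunter2hunter2"\nlimit = 10\n'))
```

The filter is attached to the logger rather than to a single handler, so the redaction applies no matter how many handlers (console, file, remote collector) later receive the record; the environment snapshot masks by variable name because at crash time the values themselves may not all be known to the redaction filter.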
In Sheet n°5: Make an informed choice of architecture, there's an under-appreciated case that not many consider:
Make sure you know the geographical location of the servers that will host your data. You may be required to transfer data outside the European Union (EU) and the European Economic Area (EEA).
While data can move freely within the EU/EEA, transfers outside the EU/EEA are possible, provided that a sufficient and appropriate level of data protection is ensured. The CNIL provides a map on its site showing the different levels of data protection in countries around the world.
In Sheet n°6: Secure your websites, applications and servers, the instructions are more hands-on:
Sheet n°7: Minimize the data collection reflects the core values of the GDPR:
Before collection, think about the different types of data you need to collect and try to limit your collection to what is strictly necessary.
Sheet n°9: Control your libraries and SDKs, acknowledges that today's applications pull in hundreds of dependencies in order to function and, because of that, developers should be better informed about those dependencies: assessing the value of adding each one and choosing software, libraries and SDKs that are actively maintained.
Finally, in Sheet n°16: Use analytics on your websites and applications, the recommendations go through the most debated topic of them all - cookies, informing users about them and asking for the users' consent. However, subject to a number of conditions, cookies used for audience measurement/analytics are exempt from consent. Read the sheet to find out which conditions apply, but keep in mind that:
"most large audience measurement offerings do not fall within the scope of the exemption, regardless of their configuration."
To sum up, the Guidelines set the correct foundations for compliance. They are to be followed top to bottom and, where they get technical, they should be treated as an interface for which you must provide the implementation.