Let me shed some light on this HEAVILY legalistic regulation.
You have probably read so many articles about how the European Union is going to enforce a regulation protecting the privacy of people in the EU (it covers anyone whose data is processed in the EU, not just citizens). It’s HYPED!
But let’s put aside the legal terminology of GDPR (the full text is available here if you need it: https://gdpr-info.eu/).
How should I approach GDPR from an engineering perspective?
As the DPO (Data Protection Officer), one of my new hats, at Yobs Technologies, I’ve already broken down the regulation into 8 key elements that will make you sleep well at night — again. As Software Engineers, we like to feel in control of our software and all of its implications. I promise to make you feel this way again, if you don’t already.
Data Processing/Data Manipulation
That includes transferring data between cloud services, and managing and accessing data while it is being processed. If you haven’t settled on a cloud provider yet, AWS (Amazon Web Services) is a good place to start. AWS offers building blocks such as SQS for queuing between distributed systems and micro-services, SNS for sending and receiving notifications, ElastiCache for in-memory data and so on, and AWS publishes a GDPR Data Processing Addendum together with the list of services it covers, so my advice is to look for the AWS-native solution first. Two caveats the compliance paperwork does not remove: under the shared responsibility model AWS secures the cloud and you secure what you run in it (IAM policies, encryption settings, access logging), and GDPR’s rules on transfers outside the EU mean you should keep EU personal data in EU regions rather than let a default replicate it wherever is convenient.
In order to become GDPR compliant, you need to flag European data: each record should say whether it belongs to a data subject in the EU. In addition, you must classify your data according to sensitivity level (ordinary personal data versus special categories such as health data, which Article 9 treats far more strictly). That will require some database changes, but it’s definitely cheaper than the fine you risk by not doing so. Plus, it’ll help you deal with breaches and clients’ GDPR requests (keep reading to know more) later on.
That’s probably the most popular one: you need to secure your API. Use OAuth 2.0 with OpenID Connect for authentication (OAuth 2.0 on its own is an authorization framework; OpenID Connect is the identity layer on top of it, and both typically hand you JWTs), and only ever authenticate users over TLS (“SSL” is the obsolete name; no plaintext HTTP). You also need to enforce authorization: data should only be accessed by an entity with a valid reason for the request (for example, one client shouldn’t be able to access another client’s private data). The classic failure here is an API that checks the caller is logged in but never checks that they own the object they asked for, and it hides well in code that has “worked for a while”, so please run the necessary security tests. If you don’t have a cybersecurity team at your company, in some cases it’s recommended to hire a team of experts to take ownership of this element.
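Here is what the “logged in but not allowed” bug looks like next to its fix, as an added example for this post; it is not code from the original post, from Yobs Technologies or from any library. It uses only the Python standard library: a minimal HS256 JWT verifier standing in for whatever your OAuth/OIDC provider issues, a made-up `RECORDS` store, and a demo key (a real service loads the key from a secret store and usually verifies tokens with the provider’s SDK rather than by hand).

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: in production the key comes from a secret store, not a literal.
DEMO_KEY = b"demo-hs256-key-do-not-use-in-production"

# Constructed sample data: record id -> owner and contents.
RECORDS = {
    "rec-1": {"owner": "client-a", "data": "client-a private data"},
    "rec-2": {"owner": "client-b", "data": "client-b private data"},
}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=DEMO_KEY, alg="HS256"):
    """Issue an HS256 JWT. `alg` is a parameter only so the verifier can be shown
    rejecting a header that claims another algorithm; the signature is always
    HS256 over header.payload, as a real issuer would compute it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token, key=DEMO_KEY, now=None):
    """Authentication: return the claims of a valid token or raise ValueError.
    Pins the algorithm (no 'none' or RS256-confusion tricks), compares the
    signature in constant time, and refuses tokens without an expiry or past it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def get_record_vulnerable(token, record_id):
    """Authenticates the caller but never checks ownership: any valid client can
    read any other client's record by guessing its id (insecure direct object reference)."""
    verify_token(token)
    return RECORDS[record_id]["data"]


def get_record(token, record_id, now=None):
    """Authentication plus authorization: the record must belong to the token's subject."""
    claims = verify_token(token, now=now)
    record = RECORDS.get(record_id)
    # One 'forbidden' for both missing and foreign records, so callers cannot enumerate ids.
    if record is None or record["owner"] != claims.get("sub"):
        raise PermissionError("forbidden")
    return record["data"]
```

The security test that catches this is boring and worth automating: mint a token for client A, request every record id client B owns, and fail the build on anything other than a 403.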
Your data must be reliable (the regulation’s words are integrity and availability, Article 32, including the ability to restore access to personal data in a timely manner after an incident). The best approach to this element is to automate periodic system tests and send alerts to the relevant person/team if any functionality or data is broken. Jenkins is awesome for those periodic jobs you don’t want to run manually (with Jenkins you can also automate deployment, which is super helpful). A restore you have never tested is not a backup, so the job should include restoring from backup and verifying the result. Automation is the key to nailing this element.
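What such a periodic job can check, as an added example (mine for this post, not code from the original post or from Yobs Technologies): a keyed digest of each table taken when the backup is made, and a restore that is verified against it. The schema, the key and the rows are constructed for the demo; in a Jenkins pipeline `integrity_check` would run against the restored copy, and a non-empty result fails the build and pages someone.

```python
import hashlib
import hmac
import json
import sqlite3


def table_digest(conn, table, key):
    """Keyed digest over every row, in rowid order. Using HMAC with a key that lives
    outside the database (assumption: in the CI server's credential store) means
    someone who can edit the data cannot also recompute a matching digest.
    `table` is a name from our own job config, never from user input."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for row in conn.execute(f"SELECT * FROM {table} ORDER BY rowid"):
        mac.update(json.dumps(row, separators=(",", ":")).encode())
        mac.update(b"\x1e")  # record separator, so row boundaries are unambiguous
    return mac.hexdigest()


def snapshot(conn, tables, key):
    """Taken right after a backup: the baseline the restore must reproduce."""
    return {table: table_digest(conn, table, key) for table in tables}


def integrity_check(conn, baseline, key):
    """The periodic job body. Returns a list of alert strings; empty means healthy,
    which the scheduler (Jenkins or otherwise) turns into pass/fail plus a page."""
    alerts = []
    for table, expected in baseline.items():
        try:
            actual = table_digest(conn, table, key)
        except sqlite3.OperationalError as exc:
            alerts.append(f"{table}: unreadable ({exc})")
            continue
        if not hmac.compare_digest(actual, expected):
            alerts.append(f"{table}: contents differ from baseline")
    return alerts


def demo():
    """Constructed walk-through: back up, restore, verify; then corrupt and verify again."""
    key = b"demo-integrity-key"  # assumption: a real key comes from a secret store
    source = sqlite3.connect(":memory:")
    source.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, residency TEXT);
        INSERT INTO users VALUES (1, 'anna@example.eu', 'EU'), (2, 'bob@example.com', 'NON_EU');
    """)
    baseline = snapshot(source, ["users"], key)

    restored = sqlite3.connect(":memory:")
    source.backup(restored)  # stand-in for restoring last night's backup
    clean = integrity_check(restored, baseline, key)

    restored.execute("UPDATE users SET email = 'attacker@example.net' WHERE id = 1")
    restored.commit()
    corrupted = integrity_check(restored, baseline, key)
    return clean, corrupted
```

A full-table digest only makes sense for a snapshot you expect to be frozen (a restored backup, a reference table); for live tables the same job would instead run row counts, foreign-key checks and application-level invariants.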
Users have the right to have data related to them erased from your platform (the right to erasure, Article 17; it has exceptions, for instance records you must keep under a legal retention obligation, so know which of your tables fall under one). Ask yourself: what is the process for users to delete their data? You don’t want your engineers spending time deleting data from your database manually, and it’s risky too: a hand-typed DELETE is easy to get wrong and leaves no audit trail. In addition, Data Control includes pulling all the data you hold on any EU customer (the right of access, Article 15), or all EU data at once (remember that flag from data classification; it’s going to help you here too).
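Here is what the flag and the classification buy you once the two request types above (access and erasure) are wired to them, as an added example; it is mine for this post, not code from the original post or from Yobs Technologies. Everything in it is hypothetical: the SQLite schema, the `residency` flag, the `CLASSIFICATION` registry and the sample rows are constructed for the demo, and “orders are anonymised rather than deleted” is a placeholder for whatever retention rule your legal side actually gives you.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema. The `residency` column on users is the "European data"
# flag; per-column sensitivity lives in CLASSIFICATION below.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    full_name TEXT NOT NULL,
    residency TEXT NOT NULL CHECK (residency IN ('EU', 'NON_EU'))
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id),
    shipping_address TEXT,
    total_cents INTEGER NOT NULL
);
CREATE TABLE health_notes (
    id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id),
    note TEXT NOT NULL
);
CREATE TABLE erasure_log (user_id INTEGER, erased_at TEXT, summary TEXT);
"""

# Column-level classification registry: (table, column) -> sensitivity.
# Only listed columns are personal data; everything else is business data.
CLASSIFICATION = {
    ("users", "email"): "personal",
    ("users", "full_name"): "personal",
    ("orders", "shipping_address"): "personal",
    ("health_notes", "note"): "special_category",  # Article 9 data, extra care
}
OWNER_COLUMN = {"users": "id", "orders": "user_id", "health_notes": "user_id"}


def open_demo_db():
    """Constructed sample data, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "anna@example.eu", "Anna Example", "EU"),
        (2, "bob@example.com", "Bob Example", "NON_EU"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", [
        (10, 1, "1 Rue Example, Paris", 4999),
        (11, 2, "2 Main St, Springfield", 1500),
    ])
    conn.execute("INSERT INTO health_notes VALUES (1, 1, 'allergic to penicillin')")
    conn.commit()
    return conn


def eu_subjects(conn):
    """'Pull all EU data' starts here: the flag makes the population a one-liner."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE residency = 'EU' ORDER BY id")]


def export_subject(conn, user_id):
    """Right of access: every classified personal-data value held about one subject,
    tagged with its sensitivity so the response (or a breach report) can be triaged."""
    report = {}
    for (table, column), level in CLASSIFICATION.items():
        # Table/column names come from the fixed registry above, never from user
        # input, so interpolating them is safe; the user id is still a bound parameter.
        rows = conn.execute(
            f"SELECT {column} FROM {table} WHERE {OWNER_COLUMN[table]} = ?",
            (user_id,)).fetchall()
        if rows:
            report[f"{table}.{column}"] = {"sensitivity": level,
                                           "values": [r[0] for r in rows]}
    return report


def erase_subject(conn, user_id):
    """Right to erasure. Orders are kept for financial record-keeping but anonymised
    (address wiped, link to the user cut); everything else is deleted. One
    transaction, plus an audit row, so nobody does this by hand in a console."""
    with conn:
        affected = {
            "health_notes": conn.execute(
                "DELETE FROM health_notes WHERE user_id = ?", (user_id,)).rowcount,
            "orders": conn.execute(
                "UPDATE orders SET shipping_address = NULL, user_id = NULL WHERE user_id = ?",
                (user_id,)).rowcount,
            "users": conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount,
        }
        conn.execute("INSERT INTO erasure_log VALUES (?, ?, ?)",
                     (user_id, datetime.now(timezone.utc).isoformat(), repr(affected)))
    return affected
```

The point of the registry is that the export, the erasure and, later, the breach report all read from one place: when someone adds a column holding personal data, the pull request that adds it to `CLASSIFICATION` is the review gate.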
AWS. AWS. AWS! Use S3 buckets to store files and RDS for SQL, or, if you need a non-relational database, DynamoDB, or host any other DB on an EC2 instance. Avoid spreading hosting and storage across multiple providers; my advice is to centralize everything in AWS. Centralizing only pays off if the defaults are locked down, though: keep S3 Block Public Access on, turn on encryption at rest (S3 default encryption, RDS and EBS encryption), and keep the buckets and instances in the EU region you chose for EU data.
This one may seem like overkill, but it’s either that or a fine of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (don’t freak out, that is the upper tier and only in some cases!). You must draft your company’s policies regarding anything related to EU data: an onboarding manual for new employees explaining how to deal with data (do/don’t policies), a policy for sharing data with third parties, due diligence to assess third parties GDPR-wise, and so on. This one is about written documentation: the more thorough, the better. Moreover, the DPO (Data Protection Officer, whom the regulation requires you to appoint in some cases, such as large-scale monitoring or large-scale processing of special categories, Article 37) must inform all employees of these policies and make sure they are enforced.
This one is the most challenging. In order to be GDPR compliant, you must detect personal data breaches and notify the supervisory authority within 72 hours of becoming aware of one (Article 33; if the breach is likely to put people at high risk you also notify them, Article 34). Crazy! But possible if you have the logs and alerting to actually notice a breach, and if you constantly research new solutions and security fixes for libraries, the OS and so on. Keep your platform up to date with industry standards. I recommend integrating with SumoLogic for log management and real-time security analytics. Note that the 72-hour clock is about detection and notification: patching fast shrinks your exposure but does not by itself tell you that someone got in.
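Detection logic run over sample log lines, as an added example that is mine rather than the post’s or Yobs Technologies’: the JSON log lines, the `svc-export` user and the thresholds are all constructed, and the log format is an assumption (yours will differ, and in SumoLogic these would be saved searches with alerts rather than Python). It flags two things worth a breach investigation and stamps each alert with the Article 33 deadline.

```python
import json
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "kind user detected_at notify_by")

# Constructed sample application log (JSON lines), not from any real system.
SAMPLE_LOG = """\
{"ts":"2018-05-25T09:00:01Z","event":"login_failed","user":"svc-export","src":"203.0.113.7"}
{"ts":"2018-05-25T09:00:03Z","event":"login_failed","user":"svc-export","src":"203.0.113.7"}
{"ts":"2018-05-25T09:00:05Z","event":"login_failed","user":"svc-export","src":"203.0.113.7"}
{"ts":"2018-05-25T09:00:07Z","event":"login_failed","user":"svc-export","src":"203.0.113.7"}
{"ts":"2018-05-25T09:00:09Z","event":"login_failed","user":"svc-export","src":"203.0.113.7"}
{"ts":"2018-05-25T09:00:11Z","event":"login_ok","user":"svc-export","src":"203.0.113.7"}
{"ts":"2018-05-25T09:00:20Z","event":"record_read","user":"svc-export","subject":"u-1001","residency":"EU"}
{"ts":"2018-05-25T09:00:21Z","event":"record_read","user":"svc-export","subject":"u-1002","residency":"EU"}
{"ts":"2018-05-25T09:00:22Z","event":"record_read","user":"svc-export","subject":"u-1003","residency":"EU"}
{"ts":"2018-05-25T09:00:23Z","event":"record_read","user":"svc-export","subject":"u-1004","residency":"EU"}
{"ts":"2018-05-25T09:00:24Z","event":"record_read","user":"svc-export","subject":"u-1005","residency":"EU"}
{"ts":"2018-05-25T09:30:00Z","event":"login_ok","user":"anna","src":"198.51.100.4"}
{"ts":"2018-05-25T09:30:05Z","event":"record_read","user":"anna","subject":"u-1001","residency":"EU"}
"""

# Article 33: notify the supervisory authority within 72 hours of becoming aware.
NOTIFY_WITHIN = timedelta(hours=72)


def parse_log(text):
    """Parse JSON lines into events with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=5, fail_window=timedelta(minutes=10),
           bulk_threshold=5, bulk_window=timedelta(minutes=5)):
    """Two detections, both per user:
       - a successful login preceded by `fail_threshold` failures within `fail_window`
         (credential guessing that worked);
       - reads of `bulk_threshold` distinct data subjects within `bulk_window`
         (bulk access or export that may be a breach of EU personal data).
    Each alert carries the Article 33 deadline counted from detection time, a
    conservative stand-in for the moment the controller 'becomes aware'."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failed logins
    reads = defaultdict(list)     # user -> (timestamp, subject) of record reads

    def raise_alert(kind, user, when):
        alerts.append(Alert(kind, user, when, when + NOTIFY_WITHIN))

    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login_failed":
            failures[user].append(ts)
        elif ev["event"] == "login_ok":
            recent = [t for t in failures[user] if ts - t <= fail_window]
            if len(recent) >= fail_threshold:
                raise_alert("brute_force_success", user, ts)
            failures[user].clear()
        elif ev["event"] == "record_read":
            reads[user].append((ts, ev["subject"]))
            reads[user] = [(t, s) for t, s in reads[user] if ts - t <= bulk_window]
            if len({s for _, s in reads[user]}) >= bulk_threshold:
                raise_alert("bulk_subject_access", user, ts)
                reads[user].clear()  # one alert per burst, not one per extra read
    return alerts
```

The thresholds are deliberately low so the sample trips them; tune them against your own baseline, and feed the `subject` ids from a bulk-access alert straight into the classification export so the incident report says exactly whose data, and how sensitive, was touched.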
It can never be perfect, and that’s understood. The regulation asks for security measures appropriate to the risk (Article 32 talks about the state of the art, the cost of implementation and the likelihood and severity of harm), and for evidence that you keep them up to date and keep trying to protect your users’ data.
If you invest time in improving these elements, you can certainly feel confident about your engineering approach to GDPR. But this blog post is not legal advice by any means. I recommend reaching out to a GDPR attorney for the legal process to comply with GDPR on all levels.