GDPR, software design, and implementation: a process perspective

Data controllers and data processors remain under scrutiny in the post-GDPR world, with harsh fines for non-conformity. But enabling and maintaining compliance doesn’t have to be onerous, thanks to LEAP low-code software.

In this article, we review the impact of GDPR on business, plus, the steps you can take to ensure that your software projects remain on the right side of the law.

Overview

The General Data Protection Regulation (GDPR) is the most comprehensive European data privacy law in decades. It came into effect on 25th May 2018, replacing the Data Protection Act of 1998.

There are 99 Articles within GDPR. This blog is limited to reviewing those that cover the impact of GDPR on business, specifically software design and implementation. It is not an alternative to legal advice.

GDPR: What’s The Objective?

GDPR aims to protect European citizens by strengthening the privacy of their personal data. Its two central objectives are to:

  1. give citizens and residents back control of their personal data.
  2. simplify the regulatory environment for international business by unifying the regulations within the EU.

Thanks to the law, individuals now have more control over how and where their data is processed. Nevertheless, GDPR not only impacts European companies – it has global consequences. In fact, any organisations that handle EU citizens’ data, regardless of their location, must adhere to the law. Non-compliance is severely punished.

For example, data controllers and processors face administrative fines of:

the higher of €10 million or 2% of annual global turnover for infringements of articles:

  • 8 (conditions for children’s consent),
  • 11 (processing that doesn’t require identification),
  • 25-39 (general obligations of processors and controllers),
  • 42 (certification),
  • 43 (certification bodies)

the higher of €20 million or 4% of annual global turnover for infringements of articles:

  • 5 (data processing principles),
  • 6 (lawful bases for processing),
  • 7 (conditions for consent),
  • 9 (processing of special categories of data),
  • 12-22 (data subjects’ rights),
  • 44-49 (data transfers to third countries)

The Core Principles of GDPR In Software Design

GDPR introduces new concepts, and companies have new obligations toward individuals. Here are the key points and goals of GDPR applicable to software design and implementation. We also highlight how our own software, LEAP low-code, helps businesses stay compliant.

Data Portability (article 20)

Companies will need to be able to provide users with their data in a machine-readable format when requested.

  • Within FLOvate LEAP low-code, the ability to export this data in XML format can be easily configured as required.

Consent (articles 6, 7, 8, 9, 17, 18 and 22)

The consent request form will need to use plain and clear language, avoid pre-ticked boxes and include the purpose of data processing in an easily accessible form. In addition, companies will be obliged to keep records of the consent forms received.

Right to Erasure (article 17)

Also referred to as “the right to be forgotten”, it means that individuals can withdraw consent and companies will be obliged to delete any information about the person exercising their right.

  • FLOvate LEAP low-code can either remove or anonymise personal information.

Right to Access (article 15)

Data handlers will need to be able to provide individuals with information about where and for what purpose data is being processed.

Privacy by Design (article 25)

Organisations will need to implement technical and organisational measures to demonstrate that GDPR is fully integrated into the company activity. This also means that companies will be obliged to use only data processors that guarantee to meet the requirements of the regulation.

  • FLOvate is committed to helping our customers comply with GDPR. As a data processor, we are fully GDPR compliant.

What About Small Businesses?

GDPR recognises that smaller businesses require different treatment to large or public enterprises. In fact, Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR – although there are several stipulations that suggest that they would be wise to be.

In particular the following needs to be considered:

  • If the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data as defined in GDPR Article 9, then GDPR will apply to small businesses with fewer than 250 employees.
  • Any breach of data security must be reported immediately to the data protection authority, such as the Information Commissioner’s Office (ICO), which is responsible for enforcing GDPR in the UK. Ideally, breaches should be reported within 24 hours, and in any case within 72 hours.
  • Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they withdraw their consent to the use of their personal data or if keeping that data is no longer required.

Are Certain Data Types More Sensitive Than Others?

Yes. If you are creating a process within FLOvate LEAP low-code that contains the following information, you will have to be more cautious:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life;
  • sexual orientation

What If My Process Gathers This Information?

If your process requires this information, we recommend creating these fields in a separate data object, controlling permissions around who can access that object, and logging each time the data is accessed.

Storing this data, together with other personal data, makes GDPR-compliant processes far easier to implement.

  • Data of this nature is embedded within the CRM structures (contact records) of all FLOvate Solutions. Access is continually logged.
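The separation, permission check and access logging recommended above, as an added example in Python (not LEAP configuration or FLOvate code); the field names, roles and users are constructed for illustration:

```python
from datetime import datetime, timezone

# Constructed for this example: field names, roles and users are assumptions,
# not LEAP's data model or permission scheme.
SPECIAL_CATEGORY_FIELDS = {"health", "religion", "ethnic_origin", "biometrics"}


class PermissionDenied(Exception):
    pass


class SpecialCategoryStore:
    """Holds Article 9 fields apart from the ordinary contact record.

    Every read, write and erasure attempt is logged, allowed or denied.
    """

    def __init__(self, permitted_roles):
        self._records = {}            # contact_id -> {field: value}
        self._permitted = set(permitted_roles)
        self.access_log = []          # append-only audit trail

    def _check(self, user, role, action, contact_id):
        allowed = role in self._permitted
        self.access_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "contact_id": contact_id, "allowed": allowed,
        })
        if not allowed:
            raise PermissionDenied(f"{user} ({role}) may not {action} special-category data")

    def put(self, user, role, contact_id, fields):
        unknown = set(fields) - SPECIAL_CATEGORY_FIELDS
        if unknown:
            # Ordinary personal data belongs in the contact record, not here
            raise ValueError(f"not special-category fields: {sorted(unknown)}")
        self._check(user, role, "write", contact_id)
        self._records.setdefault(contact_id, {}).update(fields)

    def get(self, user, role, contact_id):
        self._check(user, role, "read", contact_id)
        return dict(self._records.get(contact_id, {}))

    def erase(self, user, role, contact_id):
        # Right to erasure (Article 17): drop the separated record; log entries stay
        self._check(user, role, "erase", contact_id)
        return self._records.pop(contact_id, None) is not None
```

Denied attempts are logged before the exception is raised, so the audit trail records who tried to reach the data as well as who succeeded.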

Do You Have A LEAP Solution?

FLOvate LEAP Solutions are GDPR compliant and FLOvate is committed to maintaining our support and compliance going forward. We are able to provide advice on how to configure FLOvate LEAP to enable/maintain compliance for tailored solutions.

We hope this is helpful and provides an overview of how FLOvate and its LEAP platform are GDPR compliant.