A day with .Net

My day to day experience in .net

GDPR (General Data Protection Regulation) rules for Software Developers and Architects

Posted by vivekcek on May 29, 2018

As a user I love GDPR. I own my data. No one can use my data for their advantage.
But as a software professional, I am concerned about the systems we are developing.
So to address the concerns of Software professionals, I am writing this blog.
I am going to write about some of the rules you need to implement in your systems to comply with GDPR.

Hey what the @&** is this GDPR? I don’t want to follow.

If you don’t want to follow GDPR, this is going to happen: “Penalties and fines can be as high as 4% of annual revenue or €20 million, whichever is greater”.

So better to follow GDPR, I can help you.

What is GDPR?

It's a set of guidelines you need to implement in your systems to protect users' personal data, or simply user data. The user is the king. Even if you own the software system, the user has complete ownership of his data.

So what kind of data?

Any data that identifies the user.
Name, location, health, genetic, social handles and more.
Other than that, the data created by the user, like orders, messages, tweets etc.

Does my website need to implement GDPR? Yes, you should if:

Your website collects data on visitors, such as via Google Analytics.
Your site has a registration form.
You have e-commerce functionality on your site; that is, you collect information to process payments, orders etc…
You have a newsletter sign-up form.
You include social media links on your pages e.g. Facebook, Twitter etc…
You use a comments system for your articles, such as Disqus.
Your site has scripts that use cookies.
You have a contact form for users to get in touch.

So what are the rules? The rules are not taken from the actual regulation; I just grouped some guidelines as rules.

Rule 1

You should only collect data necessary for your business.

Rule 2

Data at rest and data in transit must be encrypted.
A good encryption algorithm needs to be used.
Keep your encryption key in a secure place.
Use SSL for data communication.
Encrypt your backups.
You should inform users that their data is stored encrypted.

Rule 3

Your sessions and cookies must expire.
Make sure disabled users can’t keep using cookies that have not yet expired.
Authentication token revocation must be implemented properly.

Rule 4

Never try to track users.

Rule 5

If you store a user's IP address or location, the user must be informed.

Rule 6

Implement password complexity rules and store passwords as salted SHA-256 hashes.

Rule 7

Avoid personal security questions; ask users to create custom questions that are not related to their personal details.
Use 2-factor authentication.

Rule 8

Users must be informed about data sharing with 3rd parties,
such as Splunk, Google Analytics or Azure.

Rule 9

Users and the government must be informed of hacking attempts or breaches.

Rule 10

A user must be able to delete all the data generated by him.
Do a cascade delete.
Use a nullable foreign key for the user id.
Keep only the user id on delete; anonymize name, email etc.
A background job can do the deletion.

Rule 11

A user must be able to mark himself as restricted.
Back office staff can’t see restricted users' data.
Restricted users must not be listed in search results.
Add a Boolean column against the user in your database to mark him as restricted.

Rule 12

A user must be able to export all his data: personal details, orders, messages etc.
The export format can be JSON, XML, CSV etc.
The data can be exported to another vendor.
The export can be manual, like Twitter: send an email later.
It may be a background job.

Rule 13

A user must be able to edit all his personal info.
After a change, re-validate email and phone if needed.

Rule 14

Ask for consent.
Use a checkbox for each data processing purpose.
If the data is used for machine learning, get consent.
Users must be able to withdraw consent.
Provide a consent management location.
Request new consent via email or app popup.

Rule 15

A user must be able to see his data.

Rule 16

Age check: is the user above 18?
This can be violated, but do your part.

Rule 17

Use anonymous data; don’t use production data in test or staging.

Rule 18

Data integrity via checksum, audit trail.

Rule 19

Log access to personal data.
Do not put personal data in a blockchain.
The ids of forgotten users need to be kept separately, because their data should not come back during a backup restore.
Data retention: delete data after some time; let the user decide.
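
Rule 10 (delete or anonymize, keeping only the user id) and the Rule 19 point about forgotten ids surviving a backup restore fit together as one erasure flow. The following Python example is added here and is not code from the original post; SQLite stands in for the real database, and the schema, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed schema and sample rows; all table/column names are assumptions.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
CREATE TABLE messages (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id), total REAL);
INSERT INTO users VALUES (1, 'Alice Example', 'alice@example.test'),
                         (2, 'Bob Example', 'bob@example.test');
INSERT INTO messages VALUES (1, 1, 'hello'), (2, 2, 'hi');
INSERT INTO orders VALUES (1, 1, 19.99);
"""

def new_app_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def new_ledger():
    # Separate store: restoring the application database must not roll it back.
    ledger = sqlite3.connect(":memory:")
    ledger.execute("CREATE TABLE forgotten (user_id INTEGER PRIMARY KEY)")
    return ledger

def copy_db(src):
    # Used both to take a backup and to restore one.
    dst = sqlite3.connect(":memory:")
    src.backup(dst)
    return dst

def scrub(db, user_id):
    with db:  # single transaction: all three steps or none
        db.execute("DELETE FROM messages WHERE user_id = ?", (user_id,))
        db.execute("UPDATE orders SET user_id = NULL WHERE user_id = ?", (user_id,))
        db.execute("UPDATE users SET name = NULL, email = NULL WHERE id = ?", (user_id,))

def erase_user(db, ledger, user_id):
    # Record the id first, so a failed scrub is still retried by reapply_erasures.
    with ledger:
        ledger.execute("INSERT OR IGNORE INTO forgotten VALUES (?)", (user_id,))
    scrub(db, user_id)

def reapply_erasures(db, ledger):
    # Run after every restore: scrubbing is idempotent, so repeats are harmless.
    ids = [r[0] for r in ledger.execute("SELECT user_id FROM forgotten ORDER BY user_id")]
    for user_id in ids:
        scrub(db, user_id)
    return ids
```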

