This article was originally posted on our blog.
If you have an application that collects personal data from users in Europe, you’ll soon need to comply with a new EU regulation called the General Data Protection Regulation (GDPR).
What is GDPR?
GDPR seeks to protect the personal data of individuals in the EU. It applies to any company that offers goods or services to, or monitors the behaviour of, people in the EU, so even if your company is based elsewhere this law may apply to you.
Even if a new law might be regarded as a burden, GDPR is actually good news for application developers. Unlike the previous directive, which each member state transposed into its own national law, a regulation applies directly and uniformly in all EU member states, so complying in one country largely means complying in all of them.
What Does This Mean for Application Developers?
Developers will often use third-party libraries, tools or services to help improve their workflows, efficiency, or even security. For example, engineers may use Bugfender to log data from their applications to solve bugs or even provide better customer support.
As a developer, you need to be aware that besides complying with the law yourself, you might inadvertently be sending personal data to third-party services, so your GDPR compliance work has to cover those services as well (gotcha!). For anyone wondering, Bugfender will be compliant when the law comes in (more on that below).
What Do You Need to Do to Comply?
The regulation has many details, but for most cases you need to be aware of two things:
- Your users have the right to know which of their data you process and, if you use external companies for part of that processing, who those companies are.
- Your users also have the right to correct, delete and export their data.
Here are two easy first steps you can take towards compliance:
Check Your Data Model
Look at your databases and check exactly which pieces of personal data you store about your users. It’s also a good idea to look for other places where personal data may be held, such as email or help desk systems.
You’re most likely collecting at least names and email addresses. If you are providing some sort of local service you might also be collecting physical addresses.
Be especially careful with data such as geo-positioning, medical records, religion, sexual orientation, bank details, psychological profiling, criminal records and similar. Some of these are GDPR “special categories” (for example health, religion and sexual orientation) or criminal-record data, which may only be processed under strict conditions; the rest are high-risk data that warrant additional security measures such as encryption and tighter access control.
List Your Suppliers Processing This Personal Data
There are two easy ways to find those suppliers:
- Check your applications for external libraries and SDKs. Storage, analytics, crash-reporting and log-collection tools are very common here.
- Check your accounting. Invoices will reveal the third-party services you pay for.
Once you have listed the third parties processing data on your behalf, you must ensure each of them can help you meet your obligations. Usually you do this by contacting them and signing a Data Processing Agreement (DPA).
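The two steps above (inventory the personal data in your data model, then inventory the third parties your code ships it to) can be started with a script. Here is an added example that is not part of the original article or of Bugfender’s own tooling: it scans a constructed schema dump for column names that look like personal or high-risk data, and constructed dependency manifests for third-party SDKs. The column-name and SDK watchlists are assumptions of this example, not a GDPR definition, and you should extend them for your own naming conventions and vendors.

```python
import re

# Constructed sample inputs for this example (not from the article): a schema dump
# and two dependency manifests, the artefacts the two steps above tell you to read.
SAMPLE_SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    full_name TEXT,
    email TEXT,
    password_hash TEXT,
    created_at TIMESTAMP
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id),
    shipping_address TEXT,
    iban TEXT,
    total DECIMAL(10, 2)
);
CREATE TABLE sessions (
    id INTEGER PRIMARY KEY,
    user_id INTEGER,
    last_lat REAL,
    last_lng REAL,
    health_notes TEXT
);
"""
SAMPLE_MANIFESTS = {
    "package.json": '{"dependencies": {"react": "^17.0.2", "@bugfender/sdk": "^2.0.0", "mixpanel-browser": "^2.45.0"}}',
    "Podfile": "pod 'Alamofire'\npod 'BugfenderSDK'\npod 'Firebase/Analytics'\n",
}

# Column-name watchlist: (regex on the lowercased column name, category, high-risk?).
# Illustrative and an assumption of this example; extend it for your own naming conventions.
COLUMN_PATTERNS = [
    (r"name",                                 "name",             False),
    (r"e?mail",                               "email address",    False),
    (r"address|street|postcode|zip",          "postal address",   False),
    (r"(^|_)(lat|lng|lon|geo|location)(_|$)", "geolocation",      True),
    (r"iban|bank|card_number",                "bank details",     True),
    (r"health|medical|diagnos",               "medical records",  True),
    (r"religio",                              "religion",         True),
    (r"criminal|conviction",                  "criminal records", True),
]
# Third-party SDK watchlist: (regex on manifest text, what the vendor does). Also illustrative.
SDK_PATTERNS = [
    (r"bugfender",                                     "log collection"),
    (r"mixpanel|segment|amplitude|firebase/analytics", "analytics"),
    (r"sentry|crashlytics",                            "crash reporting"),
]
CONSTRAINT_KEYWORDS = {"primary", "foreign", "unique", "constraint", "check"}
TABLE_RE = re.compile(r"CREATE TABLE\s+(\w+)\s*\((.*?)\)\s*;", re.S | re.I)


def split_columns(body):
    """Split a CREATE TABLE body on top-level commas only, so DECIMAL(10, 2) stays whole."""
    parts, cur, depth = [], [], 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def scan_schema(ddl):
    """Return (table, column, category, high_risk) for every column whose name looks personal."""
    findings = []
    for table, body in TABLE_RE.findall(ddl):
        for coldef in split_columns(body):
            name = coldef.split()[0].lower()
            if name in CONSTRAINT_KEYWORDS:      # skip table-level constraints
                continue
            for pattern, category, high_risk in COLUMN_PATTERNS:
                if re.search(pattern, name):
                    findings.append((table, name, category, high_risk))
                    break                        # first matching category wins
    return findings


def scan_manifests(manifests):
    """Return sorted (file, sdk, role) for every watchlisted SDK found in a manifest."""
    hits = set()
    for filename, text in manifests.items():
        for pattern, role in SDK_PATTERNS:
            for m in re.finditer(pattern, text, re.I):
                hits.add((filename, m.group(0).lower(), role))
    return sorted(hits)


if __name__ == "__main__":
    for table, col, cat, risky in scan_schema(SAMPLE_SCHEMA):
        print(f"{'HIGH-RISK' if risky else 'personal '}  {table}.{col}: {cat}")
    for filename, sdk, role in scan_manifests(SAMPLE_MANIFESTS):
        print(f"processor   {filename}: {sdk} ({role})")
```

Run it against a real `pg_dump --schema-only` output and your actual manifests; every row in the first list is a data item your users may ask you to export or delete, and every row in the second list is a processor you need a DPA with. Name-based matching will miss personal data hidden in free-text or JSON columns, so treat the output as a starting inventory, not a complete one.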
For more information, here is a link to the full text of the regulation. Please make sure you read and understand it in full, as we are only providing a summary here and there may be other details you need to know about: https://www.eugdpr.org/.
GDPR Compliance with Bugfender
If you’re using Bugfender to store your application logs (if not, you should!), check the data you are sending to us and see whether any of it is personal data. If it is, you may want to establish a Data Processing Agreement with us.
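Checking what actually leaves your application is easier with a filter in front of the logging call. The following is an added example, not code from the original article and not Bugfender’s SDK: it detects common personal-data values (email addresses, IP addresses, IBANs, coordinates) in constructed log lines and replaces each with a keyed pseudonym before the line is handed to any collector. The regex set, the sample lines and the key are assumptions of the example; in practice you would keep the key out of the codebase and rotate it per environment.

```python
import hashlib
import re

# Regexes for values that commonly leak into log lines. Illustrative, an assumption
# of this example; add your own identifiers (customer numbers, device IDs, ...).
PII_PATTERNS = [
    ("email",  re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ipv4",   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("iban",   re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")),
    ("coords", re.compile(r"-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}")),
]

# Constructed sample log lines (documentation IP range and the standard example IBAN).
SAMPLE_LOGS = [
    "INFO  login ok user=alice@example.com ip=203.0.113.42",
    "DEBUG checkout iban=DE89370400440532013000 amount=12.50",
    "INFO  geofence entered at 41.3851, 2.1734",
    "WARN  retrying request id=7f3a attempt=2",
]


def find_pii(line):
    """List (kind, value) for every personal-data match in a log line; an empty list means clean."""
    return [(kind, m.group(0)) for kind, rx in PII_PATTERNS for m in rx.finditer(line)]


def pseudonymise(value, secret):
    """Keyed hash: the same value always maps to the same token, so events for one user
    can still be correlated, but the token cannot be reversed without the key."""
    return hashlib.blake2b(value.encode(), key=secret, digest_size=6).hexdigest()


def redact(line, secret):
    """Replace every match with <kind:token> before the line leaves the process."""
    for kind, rx in PII_PATTERNS:
        line = rx.sub(lambda m, k=kind: f"<{k}:{pseudonymise(m.group(0), secret)}>", line)
    return line


def sanitise_all(lines, secret):
    """Sanitise a batch of lines; hook this in front of whatever ships logs off the device."""
    return [redact(line, secret) for line in lines]


if __name__ == "__main__":
    key = b"rotate-me-per-environment"   # assumption: in practice loaded from a secret store
    for raw in SAMPLE_LOGS:
        print(find_pii(raw), "->", redact(raw, key))
```

Running `find_pii` over a day of your existing logs tells you whether you are sending personal data to a processor at all; wiring `redact` into the logging path is how you stop doing so while keeping the ability to follow one user’s session across lines.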
We are currently taking the steps listed above ourselves: we are contacting our suppliers and establishing Data Processing Agreements with them, and we expect to be fully compliant when the law comes into effect.
If you need a Data Processing Agreement with us, please get in touch and we’ll be pleased to help you.
Top comments (2)
This article really looks like an ad, but I will definitely send it to my boss. Thanks for the information.
Feel free to update the blog with the latest news. It's a funny thing, I was just looking for 2021 updates and came across these fun facts:
The UK left the EU on January 1, 2021.
But what happens now to the EU’s GDPR and the UK’s domestic data privacy laws?
Read this article to know more about the EU’s GDPR, the “new UK-GDPR”, the amended Data Protection Act 2018, the PECR and how to be compliant all around.
GDPR UK update 2021
Since the UK has left the EU, the question of personal data transfers is top of the list for many websites, companies and privacy organizations.
In the agreement signed by the UK and the EU at the end of December 2020, a provision allows for the continued, unrestricted flow of data between the two blocs for an interim period of six months (until June 2021).
In the meantime, the UK already has in place a new domestic data privacy law called UK-GDPR that is exactly the same as the EU version and is supported by the older Data Protection Act of 2018.
Compliance with the UK-GDPR and the EU’s GDPR remains an obligation for any website, company or organization that processes personal data from either inside the UK or the EU: the explicit consent of users must be obtained before any processing or transfer is allowed to take place.