As a web developer, part of your responsibility is to help make sure the applications you build and maintain are compliant with applicable regulations and laws. This might be PCI compliance for ecommerce applications or HIPAA compliance for healthcare applications.
Even when you’re developing according to best practices with your users’ data security in mind, there are specific guidelines you need to be aware of to keep your customers safe. A major legislation change related to data security is going into effect soon in the European Union: the GDPR, or General Data Protection Regulation. If you haven't ensured your application's compliance with these regulations yet, you could be subject to massive fines – fines of up to 4 percent of your company's annual worldwide revenue, to be specific.
But fear not! While the regulation is 261 pages of complex legalese, the concepts behind the regulation are not as complicated as you might think. Here’s a quick guide to what these legislation changes mean, who they apply to, and how to make sure your web application is GDPR compliant. Plus, we've linked off to several resources at the bottom of this page that will help you better understand the regulation.
What is GDPR?
The GDPR stands for the General Data Protection Regulation. This regulation change was voted into place by the European Union Parliament in April of 2016, with an enforcement date of May 25, 2018. This regulation is the most thorough data protection legislation passed in the European Union in two decades.
- Easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.
- A right to data portability: it will be easier to transfer your personal data between service providers.
- A clarified "right to be forgotten": when you no longer want your data to be processed and provided that there are no legitimate grounds for retaining it, the data will be deleted.
- The right to know when your data has been hacked: companies and organizations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.
Essentially, this legislation was enacted to bring data protection laws from the mid-90s into today. When previous data protection regulations were introduced, consumers weren’t purchasing everything from takeout to tissues online. We live in a hyperconnected world, and the governing powers in the EU decided that business regulations needed to keep up with these changes to protect their users.
Who needs to follow GDPR?
If you’re reading this and thinking, “Ok, but I’m not a European company. Why does this matter to me?”, good question. This legislation is relevant not only to businesses physically located inside the European Union, but also to any company outside the EU that does business with EU residents. If you conduct business in the region, you’ll need to comply with the GDPR.
These regulations also do not stipulate that they only apply to businesses of a certain size. Regardless of whether you do $10,000 or $10 billion worth of business each year, you’ll need to make sure you comply with the GDPR. Don't assume you'll slip under the radar if you're a small business. In this case, "it's better to be safe than sorry" definitely applies.
Who can help my company become GDPR-compliant?
What’s interesting about sweeping regulation changes like GDPR (or HIPAA, for a U.S.-based comparison) is that it creates an opportunity for savvy entrepreneurs to position themselves as the experts in these regulations and charge exorbitant fees for their specialized consulting services. While you may very likely need the help of an outside technical team who’s knowledgeable about data security, be wary of anyone claiming to be the expert in this area or offering a "Simple 3 Step Solution".
If you plan to enlist the help of an outside consultant or agency, ask about their experience with data protection in past projects to make sure they’re qualified to help. And even if you partner with a technical team that can handle the aspects of GDPR that are baked into your web application, it’s still important that you follow the organizational guidelines as well (like designating a Data Protection Officer role in your organization).
How do I ensure my web app is GDPR-compliant?
Regardless of the technology in which your web application was developed, a great first step toward ensuring your app is secure and GDPR-compliant is upgrading to the newest version of your framework. Since we specialize in Ruby on Rails, we’ll focus on that tech stack.
First, make sure your application is running on an actively supported version of Rails. When Rails 5.0 was released on June 30, 2016, Rails 4.1.x and below became officially unsupported. From the official Rails 5.0 release notes:
Note: As per our maintenance policy, the release of Rails 5.0 will mean that bug fixes will only apply to 5.0.x, regular security issues to 5.0.x and 4.2.x, and severe security issues also to 5.0.x and 4.2.x (but when 5.1 drops, to 5.1.x, 5.0.x, and 4.2.x). This means 4.1.x and below will essentially be unsupported! Ruby 2.2.2+ is now also the only supported version of Rails 5.0+.
Under strict data protection regulations, a severe security threat on an unsupported version of Rails is a bad combination. If you want to keep your customers’ data safe, make sure your app is running on a supported version.
We put together a list of helpful resources for upgrading your Rails app.
From here, the basic guidelines for your custom application include:
- Encrypt your data end to end – in transit, in storage, and in backups. In 2018, encryption is a standard part of web development best practices; not long ago it may have meant little more than an SSL certificate for your site. Make sure any data you collect from your customers is encrypted.
- Make sure all data can be “forgotten”. Under the GDPR, users have the right to be forgotten – all of the data you store about them can be wiped at any moment on their request. This also applies to any 3rd-party integrations you send data to. It's also a best practice to dispose of temporary data as soon as possible after it is used.
- Provide individual consent checkboxes for each data processing activity. How many times have you checked “I accept the terms and conditions” without reading what you actually just consented to? A major change in the GDPR’s data protection regulations is that you must specify how data is processed and allow the user to consent to (or revoke consent to) each activity. This does not just apply to new users: you are also required to contact existing users who may have joined under less specific terms and conditions and request their consent.
- Give users (and non-users) the ability to see whether you have their personal data stored. Ideally, any person should be able to submit their email address and find out whether your company holds any personal information about them in your databases. Beyond that, users should be able to see all of the data they have given you in a readable, non-spreadsheet format.
- Allow users to edit collected data. If you're collecting information about a user (phone number, shipping address, etc.), they should also be able to correct it if it's wrong, ideally without needing to contact you to do so.
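A sketch of how three of the guidelines above fit together (per-purpose consent with revocation, a subject-access lookup by email, and erasure that also reaches third-party integrations), as an added example in plain Ruby rather than code from the original post. `DataSubjectService`, `Integration` and the in-memory store are constructed stand-ins for a Rails model and real integrations.

```ruby
require 'time'

# Constructed stand-in for a third-party system (CRM, newsletter tool) that
# received copies of user data and must honour erasure requests as well.
Integration = Struct.new(:name, :deleted) do
  def delete_subject(email)
    deleted << email
    true
  end
end

class DataSubjectService
  PURPOSES = %i[marketing_email analytics order_fulfilment].freeze

  def initialize(integrations)
    @users = {}   # email => { data: {...}, consents: { purpose => Time or nil } }
    @integrations = integrations
  end

  def register(email, data)
    @users[email] = { data: data, consents: PURPOSES.to_h { |p| [p, nil] } }
  end

  # Consent is recorded per purpose with a timestamp, never as one blanket
  # flag, so each activity can be granted or revoked on its own.
  def grant_consent(email, purpose)
    raise ArgumentError, "unknown purpose #{purpose}" unless PURPOSES.include?(purpose)
    @users.fetch(email)[:consents][purpose] = Time.now.utc
  end

  def revoke_consent(email, purpose)
    @users.fetch(email)[:consents][purpose] = nil
  end

  # Subject access: anyone may ask whether we hold data on an address and, if
  # so, receive all of it as a structured hash rather than a raw export.
  def access_request(email)
    record = @users[email]
    return { stored: false } unless record
    { stored: true, data: record[:data].dup,
      consents: record[:consents].transform_values { |t| t&.iso8601 } }
  end

  # Right to be forgotten: delete locally, then ask every integration that
  # received the data to delete its copy; true only if all of them succeed.
  def erase(email)
    return false unless @users.delete(email)
    @integrations.map { |i| i.delete_subject(email) }.all?
  end
end
```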
Most of these expectations (except for, perhaps, the consent checkboxes) are part of web development best practices. While GDPR seems like an overwhelming change in regulations, you're likely following most of these guidelines already.
Resources for learning more about GDPR
- GDPR regulation in full: Quick access to the entire content of the regulation as an easily browsable website.
- GDPR: A Practical Guide for Developers: This is one of the few explainers out there that is targeted at developers instead of managers or legal specialists. Bozhidar Bozhanov is a privacy advocate in the EU who has been deeply involved in privacy legislation. This article provides a list of specific do’s and don’ts related to developing applications for GDPR compliance.
- Preparing for the GDPR - 12 steps to take now: A helpful, thorough PDF from the Information Commissioner’s Office on the 12 steps a company should make to ensure they’re GDPR-compliant. This whitepaper is targeted at non-technical managers rather than developers and explains the changes at a high level.
- How I learned to love GDPR and so can you: Johannes Brodwall, a software engineer in Norway, explains the surprises he encountered when learning about GDPR and how he learned to love the new legislation.
- Video: GDPR explained in 3 minutes: If you're a visual learner and need something quick to get you up to speed, this video is a great start.
I hope this quick overview of the GDPR and how it relates to your custom web application helps you feel more confident in your ability to quickly become compliant. While we won't claim to be the experts in GDPR compliance, we do know a thing or two about keeping Ruby on Rails applications secure and compliant with all types of regulations. If you'd like to talk shop about getting your applications up to date and secure, click the button below to get in touch and schedule a call. We'd love to chat.