If you have an application that collects personal data with users in Europe, you’ll soon need to comply with a new European directive called the General Data Protection Regulation (GDPR).
What is GDPR?
GDPR seeks to protect personal data of all EU citizens. Compliance with GDPR applies to all companies with customers in the EU, so even if your company is based elsewhere this law may apply to you.
Even if a new law might be regarded as a burden, GDPR is actually good news for application developers. All EU members states base their local laws on the same directive, so this makes compliance across all countries actually easier.
What Does This Mean for Application Developers?
Developers will often use third-party libraries, tools or services to help improve their workflows, efficiency, or even security. For example, engineers may use Bugfender to log data from their applications to solve bugs or even provide better customer support.
As a developer, you need to be aware though that besides complying with the law yourself, you might inadvertently be sending personal data to third-party services, so GDPR compliance should be extended to those as well (gotcha!). For anyone wondering, Bugfender will be compliant when the law comes in (more on that below).
What Do You Need to Do to Comply?
There are little details in the directive, but for most cases you need to be aware of two things:
- Your users have the right to know which data you process from them and, if you are using external companies to do part of the processing, who those companies are.
- Your users also have the right to modify, delete and export their data.
Here are two easy first steps you can take towards compliance:
Check Your Data Model
Look at your databases and check just which pieces of your user personal data you’re storing . It’s also a good idea to try to find out other places where you might be storing personal or common info such as email or help desk systems.
You’re most likely collecting at least names and email addresses. If you are providing some sort of local service you might also be collecting physical addresses.
Be especially careful with data such as geo-positioning, medical records, religion, sexual preferences, bank details, psychological profiling, criminal records and similar, as those constitute protected data classes requiring additional security measures.
List Your Suppliers Processing This Personal Data
There are two easy ways to find out those suppliers:
- Check your applications for external libraries. It’s very common here to find storage, analytics and log collection tools.
- Check your accounting. You may find company invoices from third party services you use.
Once you have listed the third party companies processing data for you, you must ensure those companies can help you comply with your obligations. Usually you do this by contacting them and establishing a Data Processing Agreement.
For more information, here is a link to the full text of the directive, please make sure you read it and understand it in full, as we’re only providing a summary here and there might be other details you need to know about: https://www.eugdpr.org/.
GDPR Compliance with Bugfender
If you’re using Bugfender to store your application logs (if not, you should!), check the data you are sending to us and see if there is any personal data. You may want to establish a Data Processing Agreement with us if you do.
We are currently doing the steps listed above. We are contacting our suppliers and establishing Data Processing Agreements with them, and we expect to be fully compliant when the law comes into effect.
If you need a Data Processing Agreement with us, please get in touch and we’ll be pleased to help you.