GDPR quick wins for software developers and teams

Quick win

Many blog posts and articles have been written around the new EU data protection regulations that are coming into force next year.

We've prepared a tool called Anonymizer that can help you with securing personal data within your development team. It's released under the MIT license and ready to download on Github: https://github.com/DivanteLtd/anonymizer

Good practices

Anybody who deals with with personal data should start preparing for the new regulations, as fines for violations have been raised up to even ... millions! Of course, as you might hear, it's not 100% clear how some of the expectations should be implemented.

Nevertheless, Software Houses and IT teams that deal with with personal data (like almost all internet app devs do) should prepare themselves to make data protection a key priority next year.

I don’t feel like any kind of authority on that matter but I just wanted to share some insights and tools that might help you secure the personal data processing, in a very pragmatic way.

DPO

A Data Protection Officer will be obligatory next year. I think it's kind of a good solution to make things clear and to maintain one key stakeholder for data protection at the company. We hired a DPO last year and he's doing a great job - not only maintaining the whole documentation and legal aspects but also training developers. He's also runs a hot-line where anybody can call and ask about or report some data violations.

Data Encryption  

We've got the policy that each employee of Divante has to work on a company computer where all the data is encrypted (for example TrueCrypt or just MacOSX default Home Directory encryption would be enough). There could be a case where somebody loses his or her computer; it is not so hard to imagine :) If you have your customers data there - you're in trouble (if not using encryption).

Of course, it's also easy to require all the computers to be protected by passwords, etc. Quite obvious isn't it? :)

Data processing on dev machines

It's quite often the case that while developing or maintaining software projects, developers have to get the latest snapshot of the production database back to stage/dev. environments to reproduce the issue or just test new features.

When you take a look at this, it's an extremely dangerous situation when, especially in smaller teams, usually anybody can access the production database and can get or do anything with ... your customers, customer data.

To avoid this kind of risk our DevOps team leader Mateusz Koszutowski created a very useful tool we've recently published on Github called Anonymizer - https://github.com/DivanteLtd/anonymizer

It can be used with Magento, Pimcore and custom software to generate database dumps that are personal-data free. You just setup data tables in configuration and this simple tool changes the personal data to some random names and emails. What is important - the data still seems like names and emails after anonymization and it's therefore usable for tests!

If your team is not using this kind of tool - maybe it's a good moment to start :) Anonymizer is released on the MIT license, and written in Ruby (but to be honest requires no dev skills to be run and configured).

Trainings

Anybody who's being onboarded to our team has 1h of training regarding the data protection act, and of course, has to sign some paperwork afterward (a kind of NDA) which really underlines that we're pretty serious about data protection. It's also a kind of process which is very easy to implement or outsource.

Of course, this blog post is too short to describe all the policies and techniques we have at Divante to prevent data protection violations. The topic is crucial for us as we're operating in eCommerce where any data leak can lead to severe losses - not only of revenues but also a brand’s degradation and the lost confidence of customers. The topic of security tests and audits is a different story!

Next steps

Please take data protection seriously when it comes to data protection. It will become a more and more serious issue in the coming years. Hoping that some of the quick wins I've just mentioned will be helpful for you!

Check out the Anonymizer - it's a quick win for your team: https://github.com/DivanteLtd/anonymizer. Then invest in training and DPO.

If you want to share some other thoughts or solutions, it would be great to hear from you in the comments!