Data privacy has become a heated topic in politics and information technology, including software development. Things got really heated when businesses were deemed responsible for exposing user data if it could be proven they had not sufficiently protected it. Before that, data-breach responsibility rested with the attacker.
Two milestones signify the shift in online data privacy regulation. 2016 marks the release of the General Data Protection Regulation (GDPR), which protects the data of European Union citizens. In the US, the California Consumer Privacy Act (CCPA), a similar initiative modeled after GDPR, followed in 2018.
Although there are more data privacy initiatives around the world, only these two have developed robust laws that are in force. Let’s see how they relate to software development.
How Does Data Privacy Relate to Software Development?
Data is a powerful tool. In the right hands, it can create engaging software applications with a personalized experience that makes users more comfortable. At the same time, collecting excessive amounts of user data, collecting it illegally, or failing to protect it may result in a disaster, as illustrated by the Cambridge Analytica scandal.
A more recent example is TikTok. This service is so controversial that it was almost banned in the US during Trump’s presidency. Moreover, it is currently banned in India due to its ties to the Chinese Communist Party.
According to a Reddit post by a user who claims to have reverse-engineered TikTok, the service gathers extraordinary amounts of user data (such as hardware details, networking details, GPS data, and more) and sends it to Chinese servers. In other words, it resembles an espionage service more than a lip-sync platform.
To summarize, software applications that handle user data carry significant responsibility because user data carries significant weight. As a software developer, you must understand this principle because it will help you develop safe and transparent privacy policies.
What Do Developers Need to Know About User Privacy?
Let’s get back to GDPR and CCPA and go over their established principles.
Data Storage
Two main rules regulate data storage. First, all personally identifiable data must be kept secure. If your software requires storing data, you must secure your servers. Luckily, with the rise of cloud computing, you don’t have to implement advanced encryption algorithms yourself.
However, you need to be transparent about how you store the data. If you’re using a third-party cloud storage service, you must tell your users so. Furthermore, choosing a secure and reliable cloud storage provider is up to you. They must use advanced encryption algorithms to prevent unauthorized access, and that protection extends to physical server rooms.
It’s also worth keeping your own security in mind during software development. If hackers get access to your code on GitHub because they brute-forced your “pythongod666” password, they can tamper with it and introduce vulnerabilities, gaining access to user data. Use a password manager to protect all business accounts, and remember that the Colonial Pipeline hack involved bad password hygiene.
Second, you can only collect the data necessary to run your software. Gathering excessive amounts of data can result in trouble with the law. Even more so, if you get caught mining user data, you will irreversibly hurt your reputation.
It’s best to decide which data you need before going deep into the development phase, as reworking code is harder than writing it correctly from the beginning. The decision often involves executives from different branches:
- Marketing, on the data required for promotion and customer retention;
- Legal, on compliance;
- Developers, on the technical implementation of data gathering;
- Risk, on safe storage options.
Remember that it is always tempting to gather more data because it helps improve your services or expands your marketing capabilities. These regulations do not allow it; you can only collect the information required to maintain your software’s functions.
The Right to Be Forgotten
Thanks in large part to Google, the Right to Be Forgotten has become crucial. You must make modifying and deleting data upon request easy, which is more complicated than it sounds.
During the development process, you must plan from the very beginning for all of a user’s data to be deletable. If there are multiple data entry points, you must link them so that no information gets left behind. There is a time limit once a user requests removal from your systems, and it is even worse if they later notice that the company still uses some of their information.
In cases where clean data deletion is not possible, you must ensure the remainder is anonymized, so that it is impossible to point to a specific person even when multiple data points are combined.
As always, there are exemptions to this rule. Businesses can retain some user data purely because it is required for their bookkeeping or future operations. In this case, GDPR has clear protocols called Legitimate Business Interest (LBI), which you must follow to prove this information is crucial. Furthermore, this data must remain relevant to your business operations. Once it is no longer relevant, you must remove it from your servers.
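The erasure flow described above (several entry points linked through one deletion routine, retained bookkeeping records anonymized, and a final check that nothing is left behind), as an added example that is not part of the original article. The stores, field names and policy table are constructed for illustration; the tickets store deliberately has no user_id, so it can only be found through the email gathered from the profile.

```python
# Constructed sample stores, one per entry point (signup, checkout, support). Made-up values.
SAMPLE_STORES = {
    "profiles": [{"user_id": "u42", "email": "ann@example.com", "name": "Ann Example"},
                 {"user_id": "u77", "email": "bob@example.com", "name": "Bob Example"}],
    "orders": [{"order_id": 1, "user_id": "u42", "email": "ann@example.com", "total": 19.99},
               {"order_id": 2, "user_id": "u77", "email": "bob@example.com", "total": 5.00}],
    "tickets": [{"ticket_id": 9, "email": "ann@example.com", "body": "Please help"}],
}

# Every store must be registered with an action. Profiles and tickets are wiped;
# orders are retained for bookkeeping (the LBI case) but stripped of anything that
# points at a person. A store missing from POLICY makes erase_user() raise on purpose.
POLICY = {"profiles": "delete", "tickets": "delete", "orders": "anonymize"}
IDENTIFYING_FIELDS = ("user_id", "email", "name", "phone", "address", "ip")


def collect_identifiers(stores, user_id):
    """Every value that names the subject, gathered from any record keyed by user_id."""
    ids = {user_id}
    for records in stores.values():
        for r in records:
            if r.get("user_id") == user_id:
                ids.update(r[f] for f in IDENTIFYING_FIELDS if r.get(f))
    return ids


def matches(record, identifiers):
    return any(record.get(f) in identifiers for f in IDENTIFYING_FIELDS)


def erase_user(stores, user_id, policy=POLICY):
    """Apply the policy to every store in place; returns the number of records touched."""
    ids = collect_identifiers(stores, user_id)
    touched = 0
    for name, records in stores.items():
        action = policy[name]  # KeyError: a store nobody linked to the erasure flow
        kept = []
        for r in records:
            if matches(r, ids):
                touched += 1
                if action == "anonymize":  # keep the record, drop what names a person
                    kept.append({k: v for k, v in r.items() if k not in IDENTIFYING_FIELDS})
            else:
                kept.append(r)
        records[:] = kept
    return touched


def residual_references(stores, identifiers):
    """Post-erasure check: records in any store that still name the subject."""
    return [(n, r) for n, recs in stores.items() for r in recs if matches(r, identifiers)]
```

Call collect_identifiers() before erase_user() and keep the result: after erasure the profile is gone, so the identifiers cannot be recomputed for the residual check.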
Conclusion
As a software developer, you don’t have to be a mastermind of GDPR or CCPA, but knowing their principles will help. In reality, hackers have demonstrated how exposed user data can lead to organized phishing campaigns and other cybercrime, so it’s best to take it seriously and build data privacy and security into development from the beginning.