How relevant is the GDPR for you as an (app) developer?
Most of the articles written about the EU's General Data Protection Regulation focus on the impact that the new data protection legislation could have on businesses that process personal data. There seems to be little to no attention to the implications the new regulation will have for the development of new software or apps. This blog will argue that this has led to the unfair and misleading assumption that developers have nothing to worry about when it comes to the GDPR.
Influence of the GDPR on developers
The lack of attention to the influence of the GDPR on developers stems from the fact that the developer, who often creates the software used by businesses that do fall under the scope of the GDPR, is usually not considered a 'processor' or 'controller' in terms of the GDPR but solely a supplier of software. If you are not processing the personal data of EU citizens yourself (or through the use of a third party), then it is highly unlikely that you will be classified as a data processor or controller under the GDPR. However, such a simple approach ("I don't fall under the scope of the EU data protection regulation, so I have nothing to do with it") is unsustainable in light of the new regulation that will come into force in May 2018. As we will describe in this blog, even if you do not directly fall under the scope of the new EU regulation, it is in your best interest as a developer to build software that honors the principles of data protection and data control as stipulated in the GDPR. Let us explain why.
Increase in fines under the GDPR
First of all, under the GDPR there is a dramatic increase in the fines for violating, or failing to comply with, any of the new rules. Businesses could be liable to pay a fine of 4% of annual turnover, or 20 million Euros. As a result, compliance with the GDPR is no longer a luxury but a necessity for a company's survival. The use of software systems that help to safeguard the rights of data subjects is crucial for a company's ability to comply with these new requirements. Since the stakes are high, businesses will make sure to purchase new (or replace old) software systems or apps so that they honor the data protection rules under the GDPR. It is highly likely that investors or big parties such as the Google Play Store and the App Store will refuse, or withdraw, their support for apps that do not align with these new privacy regulations. In other words: as a developer it could be in your best interest to ensure your products meet these criteria, in order to help your customers comply and thus, simultaneously, meet their demands!
By design and by default
Secondly, data protection by design and data protection by default are central requirements in the GDPR. No idea what this means? No need to stress out: in our upcoming blogs we will explain this topic in detail, so you'll know how to comply with the requirements. For now it is enough to know that these principles entail that companies must pay attention to the protection of personal data from the very beginning of the development of their products and services. Caution: paying attention is not enough! Article 25 requires companies to actively implement privacy-enhancing measures in the early stages of development, including during software development, in order to comply with the GDPR. One could think of the encryption or anonymization of personal data, for instance. This means that developers must ensure that data protection is built into a system from the very start!
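To make "by design and by default" concrete, here is an added example (not code from this blog or from Spaans&Spaans) of how an app might shape a signup record before it is stored: analytics collection is off unless the user opts in (by default), and the identifying fields never reach storage in raw form (by design). The record shape, the HMAC-based pseudonymization and the IP truncation are assumptions for illustration; note that keyed hashing is pseudonymization, not anonymization, because whoever holds the key can still link the value back to a person.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


# Constructed example of the data an app collects at signup.
@dataclass
class SignupEvent:
    email: str
    ip: str
    analytics_opt_in: bool = False  # by default: no analytics collection


# Assumption: in a real app this key comes from a secrets store and is kept
# separate from the stored records; here it is generated at startup.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a normalized identifier. Deterministic per key, so the
    app can still recognize a returning user without storing the email."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Keep only the /24 of an IPv4 address (coarse region info, not a host).
    Anything that is not a dotted quad is dropped rather than stored raw."""
    parts = ip.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return ".".join(parts[:3] + ["0"])
    return ""


def to_storage_record(event: SignupEvent) -> dict:
    """Build the record that is allowed to be written to the database."""
    record = {"user_ref": pseudonymize(event.email)}
    # Data minimization: the network address is only kept, and only in
    # truncated form, when the user explicitly opted in to analytics.
    if event.analytics_opt_in:
        record["region_ip"] = truncate_ip(event.ip)
    return record
```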
Want to know more about the (technological) measures needed in order to comply with the requirements of privacy by design and privacy by default? The Spaans&Spaans legal experts are more than willing to advise you on this topic.