Monday, October 2, 2017

GDPR and Application Development: My question to the EDCC - asked and answered

Development and the Law - Development may often be overlooked - but it is never forgotten nor is it exempt.
Working for an ISV with European clients – many of which are large corporations that develop their own applications that process EU PII – I’ve been watching this space closely.
To what extent do Controller/Processor obligations (and, by extension, penalties) extend “upstream” into the development organization and its practices?
I’ve pored over the GDPR and pulled out what I think are the relevant bits – a tiny sampling would include
  • The entire notion of a “processor”,
  • The use of a “state of the art” standard rather than the customary “reasonable effort” standard
(both from Article 32, Security of processing)…
And in Recital 78, on appropriate technical and organisational measures, the “developing and designing” of applications is given equal weight alongside the “selecting and using” of applications…
There is plenty in the GDPR to support the idea that development organizations will be expected to meet the same (or equivalent) standards as their operational or IT counterparts (see GDPR liability: software development and the new law)
…but I wondered what would happen if I asked the European Direct Contact Centre? So I submitted the following (in part):
…and a few weeks later I received the following:
Put more succinctly, the EDCC responded YES.
Yes, Development and DevOps organizations are subject to GDPR obligations (and penalties). These include both incorporating “the state of the art” in data protection into development and DevOps practice and having a means of “demonstrating” (proving) that such practices are (and have been) consistently and effectively applied.
What is the difference between a “state of the art” standard and a customary “reasonable” standard? What are examples of known attack vectors and exploits that fall under this umbrella? How do you know if your development practices can meet this standard? Great questions really... and definitely answerable.
Development may be frequently overlooked in the race to be GDPR ready – but it is most definitely NOT exempt.
For a deeper discussion on these issues, consider registering for App Dev and the Law on October 5, 10 AM EST
For info on PreEmptive's support for GDPR compliance, visit https://www.preemptive.com/solutions/gdpr
