Building a GDPR compliant application
As the GDPR becomes mandatory across the EU, organizations should quickly align themselves with the regulation. Whether the business is small, medium or large, GDPR compliance is required for all. Organizations should plan for it and move forward. To comply with the GDPR, they first need to understand the definitions of personal data, data subject, data controller, processing and Data Protection Officer. Then the following features need to be implemented in the application.
Data export and retention
The first thing a data controller or processor needs to do to get started with the GDPR is to know which of their software modules hold personal information, what that personal data is, and how long they intend to retain it. Whenever requested, this personal data must be provided to the user.
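One way to make those three questions (which module, which fields, how long) answerable from code is to keep an explicit inventory of personal-data fields and drive both the subject export and the retention check from it. The block below is an added example, not code from the original article; the module names, field names, retention periods and the in-memory stores are all constructed for illustration.

```python
"""Personal-data inventory, subject export and retention check.

Added example (not from the original article). Module names, field names,
retention periods and the in-memory stores are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json


@dataclass(frozen=True)
class PersonalField:
    module: str           # software module that holds the field
    field: str            # column / attribute name inside that module
    purpose: str          # why the data is collected
    retention: timedelta  # how long it may be kept after collection


# The inventory: which modules hold personal data, what it is, and for how long.
INVENTORY = [
    PersonalField("accounts", "email", "login and contact", timedelta(days=365 * 3)),
    PersonalField("accounts", "full_name", "display", timedelta(days=365 * 3)),
    PersonalField("orders", "shipping_address", "delivery", timedelta(days=365 * 7)),
    PersonalField("analytics", "ip_address", "fraud detection", timedelta(days=90)),
]

# Constructed sample stores. Every record carries the time it was collected.
STORES = {
    "accounts": [
        {"user_id": 42, "email": "alice@example.com", "full_name": "Alice Example",
         "plan": "pro", "collected_at": datetime(2024, 1, 10, tzinfo=timezone.utc)},
    ],
    "orders": [
        {"user_id": 42, "order_id": 9001, "shipping_address": "1 Main St",
         "collected_at": datetime(2024, 2, 1, tzinfo=timezone.utc)},
    ],
    "analytics": [
        {"user_id": 42, "ip_address": "203.0.113.7",
         "collected_at": datetime(2024, 1, 5, tzinfo=timezone.utc)},
        {"user_id": 7, "ip_address": "203.0.113.9",
         "collected_at": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    ],
}


def export_subject_data(user_id, stores=STORES, inventory=INVENTORY):
    """Collect every inventoried personal field held for one data subject.

    Only fields listed in the inventory are exported, so an internal column
    such as "plan" never leaks into the export by accident.
    """
    export = {}
    for item in inventory:
        for record in stores.get(item.module, []):
            if record.get("user_id") == user_id and item.field in record:
                export.setdefault(item.module, []).append({
                    "field": item.field,
                    "value": record[item.field],
                    "purpose": item.purpose,
                    "collected_at": record["collected_at"].isoformat(),
                })
    return export


def export_as_json(user_id, **kw):
    """Machine-readable copy of the subject's data, ready to hand to the user."""
    return json.dumps(export_subject_data(user_id, **kw), indent=2, sort_keys=True)


def expired_records(now, stores=STORES, inventory=INVENTORY):
    """Return (module, user_id, field) for data held beyond its retention period."""
    expired = []
    for item in inventory:
        for record in stores.get(item.module, []):
            if item.field in record and record["collected_at"] + item.retention < now:
                expired.append((item.module, record["user_id"], item.field))
    return expired


if __name__ == "__main__":
    print(export_as_json(42))
    print(expired_records(datetime(2024, 5, 1, tzinfo=timezone.utc)))
```

Keeping the inventory as data rather than scattered in queries means a new personal field must be registered before it can be exported or purged, which is exactly the review point a DPO will ask about.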
Encryption and Right to be forgotten
The right to be forgotten is an important point of the GDPR. If a user asks to delete their information, the application must oblige (unless another law makes this request impossible, e.g. for fiscal reasons you may have to keep it). Doing this inside a live application is still easy, but you also need to manage it within backups.
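Rewriting every backup on each erasure request is rarely practical. The added example below shows one construction, often called crypto-shredding, that is not from the original article and is assumed here as a way to cover the backup problem the article raises: each user's personal data is encrypted under that user's own key, backups copy only ciphertext, and forgetting the user means destroying the key, after which every copy, live or backed up, is unreadable. The cipher inside is an HMAC-SHA256 keystream with an HMAC tag, used as a standard-library stand-in for a real AEAD such as AES-GCM; class and method names are assumptions.

```python
"""Right to be forgotten across backups via per-user encryption keys.

Added example, not from the original article. The cipher is an HMAC-SHA256
counter-mode keystream plus an HMAC tag, standing in for a vetted AEAD
(e.g. AES-GCM) so that the example runs with the standard library only.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()  # integrity tag
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class PersonalDataStore:
    """Live records plus backup snapshots; personal data is only ever stored encrypted."""

    def __init__(self):
        self.keys = {}      # user_id -> data encryption key (kept OUT of backups)
        self.records = {}   # user_id -> ciphertext
        self.backups = []   # snapshots of self.records (ciphertext only)

    def save(self, user_id, personal: dict):
        key = self.keys.setdefault(user_id, os.urandom(32))
        self.records[user_id] = encrypt(key, json.dumps(personal).encode())

    def backup(self):
        self.backups.append(dict(self.records))

    def read(self, user_id, snapshot=None):
        """Read live data, or a backup snapshot (index into self.backups)."""
        source = self.records if snapshot is None else self.backups[snapshot]
        if user_id not in self.keys:
            raise KeyError(f"user {user_id} has been forgotten")
        return json.loads(decrypt(self.keys[user_id], source[user_id]))

    def forget(self, user_id):
        """Honour an erasure request: drop live data and destroy the key.

        Backups are not rewritten; without the key their ciphertext is useless.
        """
        self.records.pop(user_id, None)
        self.keys.pop(user_id, None)


def demo():
    """Returns (email read back from backup, recoverable after forget, ciphertext still in backup)."""
    store = PersonalDataStore()
    store.save(42, {"email": "alice@example.com", "name": "Alice"})
    store.backup()
    before = store.read(42, snapshot=0)["email"]
    store.forget(42)
    try:
        store.read(42, snapshot=0)
        recoverable = True
    except KeyError:
        recoverable = False
    return before, recoverable, 42 in store.backups[0]


if __name__ == "__main__":
    print(demo())
```

The key store itself must be excluded from the ordinary backup set (or backed up separately with its own, shorter retention), otherwise restoring an old backup would resurrect the key along with the data.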
Under the GDPR you can't have just "Agreed" boxes or pre-checked checkboxes. For each kind of information there must be a separate check-box which the user has to check manually. The application must have provision for that.
Allow users to edit their profile
Users should be able to edit their profile as and when needed. Whenever a correction is needed, they should be able to make it in the application.
Users can restrict further processing of some of their personal data for any data analytics or profiling purpose.
Under the GDPR, anyone below 16 is considered a child, but member states are allowed to adjust that limit to anywhere between 13 and 16. Data controllers therefore must know the applicable age of consent and, in the case of a child, must obtain consent from a person holding “parental responsibility”. The application should support this.
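The three requirements above (one explicit check-box per purpose with no pre-checked default, the user's ability to restrict processing for a purpose, and parental consent below the member-state threshold) come together in a single consent model. The block below is an added example, not code from the original article; its class and function names are assumptions, and the member-state threshold table is supplied by the caller because the real values come from each state's law (the code only enforces the 13 to 16 range and the default of 16 that the article states).

```python
"""Per-purpose consent, restriction of processing and child consent.

Added example, not from the original article; names are assumptions.
Consent is held one purpose at a time and never defaults to "given";
a user may restrict a purpose later; the age threshold is looked up per
member state (default 16, adjustable between 13 and 16).
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

DEFAULT_AGE_OF_CONSENT = 16
MIN_AGE_OF_CONSENT = 13


@dataclass
class ConsentRecord:
    purpose: str
    given_at: datetime
    given_by: str                          # "subject" or "parent"
    withdrawn_at: Optional[datetime] = None


@dataclass
class DataSubject:
    user_id: int
    age: int
    member_state: str
    consents: dict = field(default_factory=dict)   # purpose -> ConsentRecord
    restricted: set = field(default_factory=set)   # purposes the user has blocked


def age_of_consent(member_state, thresholds):
    """Threshold for the state, falling back to 16. A configured value outside
    13..16 is a configuration error and is rejected rather than silently used."""
    limit = thresholds.get(member_state, DEFAULT_AGE_OF_CONSENT)
    if not MIN_AGE_OF_CONSENT <= limit <= DEFAULT_AGE_OF_CONSENT:
        raise ValueError(f"invalid age of consent {limit} for {member_state}")
    return limit


def requires_parental_consent(subject, thresholds):
    return subject.age < age_of_consent(subject.member_state, thresholds)


def record_consent(subject, purpose, checked, given_by, thresholds, now=None):
    """Store consent only when the box was actively checked for this purpose.

    An unchecked box records nothing (so a form cannot ship with consent
    pre-filled), and a child's consent is accepted only from a parent.
    """
    if not checked:
        return False
    if requires_parental_consent(subject, thresholds) and given_by != "parent":
        return False
    subject.consents[purpose] = ConsentRecord(
        purpose, now or datetime.now(timezone.utc), given_by)
    return True


def withdraw_consent(subject, purpose, now=None):
    rec = subject.consents.get(purpose)
    if rec and rec.withdrawn_at is None:
        rec.withdrawn_at = now or datetime.now(timezone.utc)


def restrict_processing(subject, purpose):
    """User blocks a purpose (e.g. profiling) without deleting the data."""
    subject.restricted.add(purpose)


def lift_restriction(subject, purpose):
    subject.restricted.discard(purpose)


def may_process(subject, purpose):
    """The check every analytics or profiling job runs before touching the data."""
    rec = subject.consents.get(purpose)
    return (rec is not None and rec.withdrawn_at is None
            and purpose not in subject.restricted)
```

Because `may_process` is the only gate, a job that forgets to call it is the failure mode to watch for; in practice the check belongs in the data-access layer rather than in each job.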
The application must have a provision to send notifications (e.g. through email) to users in case a data breach happens. The notification should also mention the possible consequences of the breach.