Product Owners and GDPR
If you don’t know what the General Data Protection Regulation (GDPR) is then where have you been hiding. It’s responsible for the piles of email most people recently received about updated privacy policies and consent requests. Whatever you think of GDPR, it’s now law across the European Union (EU). If you are processing personal data it will probably apply to you, even if you are outside of the EU, as it casts a very wide net. It may not be easy to enforce against organisations outside the EU, but GDPR covers the processing of personal data by any organisation established in the EU, and the personal data of people who are in the EU wherever in the world it is processed. The point of this post isn’t to explain GDPR in general but to draw attention to Article 25.
Data protection by design and by default
If you are responsible for the features/requirements of a piece of software that processes personal data then you need to comply with the requirements of Article 25.
“This means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.”
Where the processing activities are automated with software, also consider automating the searches, updates and deletions needed to honour a person’s rights under GDPR (access, rectification, erasure and so on). Do you really want to be manually running queries against your database every time someone wants to know what data you hold on them? It’s important to think about all the places where personal data is held: the email server, backups of the database, any cloud providers such as mailing list services, and what about that notebook you wrote something in about a customer last month? A store that is missing from your inventory is a store you cannot search or erase when a request arrives.
“Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.”
Whenever processing of personal data is started or changed in a way that is likely to result in a high risk to the rights and freedoms of the people concerned (Article 35), a Data Protection Impact Assessment (DPIA) must be carried out. If a Data Protection Officer (DPO) is in place, they will advise on and oversee the DPIA. The DPIA will guide you when deciding how much security needs to be implemented in order to protect the personal data being processed. At the very least, you should include features in your product that allow a person’s rights to be honoured in a timely manner. When responding to requests about personal data you must respond without undue delay and in any case within one month of receiving the request.
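The following is an added example, not code from the original post or from the ICO: it shows one way to automate the searches and deletions mentioned earlier in the post (a registry of every store that holds personal data, with a check that catches stores that were inventoried but never wired up) and computes the one-month response deadline mentioned above. The store names, the in-memory dictionaries standing in for a database, a mailing-list provider and a backup, and the helper names are all my assumptions for illustration.

```python
"""Dispatch data-subject requests across every registered data store.

Added example (not from the original post). The stores below are
constructed in-memory dictionaries standing in for real systems.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

# Constructed sample data: the same person held in three places.
CUSTOMER_DB = {"alice@example.com": {"name": "Alice", "orders": 3}}
MAILING_LIST = {"alice@example.com": {"subscribed": True}}
BACKUP = {"alice@example.com": {"name": "Alice", "orders": 2}}


@dataclass
class DataStore:
    """One place personal data lives, with automated access and erase hooks."""
    name: str
    access: Callable[[str], dict]   # returns what the store holds on a subject
    erase: Callable[[str], bool]    # removes it; True if something was removed


def _dict_store(name: str, table: dict) -> DataStore:
    """Wrap a plain dict keyed by subject identifier as a DataStore."""
    return DataStore(
        name=name,
        access=lambda subject: dict(table.get(subject, {})),
        erase=lambda subject: table.pop(subject, None) is not None,
    )


# The inventory is the list of every store known to hold personal data
# (the output of the records/DPIA work). The registry is what has actually
# been automated. Anything in the first but not the second is a gap.
INVENTORY: List[str] = ["customer_db", "mailing_list", "backup"]
REGISTRY: Dict[str, DataStore] = {
    "customer_db": _dict_store("customer_db", CUSTOMER_DB),
    "mailing_list": _dict_store("mailing_list", MAILING_LIST),
    "backup": _dict_store("backup", BACKUP),
}


def unhandled_stores(inventory: List[str], registry: Dict[str, DataStore]) -> List[str]:
    """Stores listed in the inventory that have no automated handler."""
    return sorted(set(inventory) - set(registry))


def _checked_stores(inventory: List[str], registry: Dict[str, DataStore]) -> List[DataStore]:
    """Refuse to answer a request as 'complete' while any store is unhandled."""
    gaps = unhandled_stores(inventory, registry)
    if gaps:
        raise RuntimeError("no automated handler for: " + ", ".join(gaps))
    return list(registry.values())


def handle_access(subject: str, inventory=INVENTORY, registry=REGISTRY) -> Dict[str, dict]:
    """Subject access request: everything held on the subject, per store."""
    found = {}
    for store in _checked_stores(inventory, registry):
        data = store.access(subject)
        if data:
            found[store.name] = data
    return found


def handle_erasure(subject: str, inventory=INVENTORY, registry=REGISTRY) -> List[str]:
    """Erasure request: remove the subject everywhere; report which stores held data."""
    return sorted(s.name for s in _checked_stores(inventory, registry) if s.erase(subject))


def response_deadline(received: date) -> date:
    """Latest date to respond: one month from receipt.

    Uses the corresponding calendar date in the following month, or the
    last day of that month when there is no corresponding date (e.g. a
    request received on 31 January is due by 28 February).
    """
    month = received.month % 12 + 1
    year = received.year + received.month // 12
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


if __name__ == "__main__":
    print("gaps:", unhandled_stores(INVENTORY + ["notebook"], REGISTRY))
    print("access:", handle_access("alice@example.com"))
    print("due by:", response_deadline(date(2018, 1, 31)))
    print("erased from:", handle_erasure("alice@example.com"))
    print("after erasure:", handle_access("alice@example.com"))
```

The deliberate design choice is that the inventory and the registry are separate things: the inventory comes from your records of processing, and a request is only answered once every inventoried store has a handler, so the notebook or the forgotten backup surfaces as an error rather than a silent omission.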
“This concept is not new. Previously known as ‘privacy by design’, it has always been part of data protection law. The key change with the GDPR is that it is now a legal requirement.”
If you suffer a data breach it is very likely your supervisory authority (the ICO in the UK) will want to see evidence of compliance, which includes data protection by design and by default. Would you be able to demonstrate this? Can you point at work items from your product backlog that support data protection? Does your definition of “Done” include updating your records (and the DPO, if you have one) whenever changes occur to the storage or processing of personal data? These are all things the supervisory authority is likely to take into account when deciding whether you did enough to protect the data; if not, you could be liable for a substantial fine (the upper tier is up to 4% of worldwide annual turnover or €20 million, whichever is higher).
There is no need to become a GDPR expert, that responsibility lies with the DPO, but a little research or a one-day GDPR foundation course can give you the knowledge you need to understand the terms and implications of GDPR. The ICO website has a GDPR section that’s an excellent place to start.
All quotes taken from the Information Commissioner’s Office under the Open Government Licence v3.0.