Security Archives - TechGDPR
https://techgdpr.com/blog/category/security/

Respecting Data Subject Rights in AI: A Practical Guide for Businesses
https://techgdpr.com/blog/data-subject-rights-in-ai-a-practical-guide-for-businesses/
Wed, 09 Jul 2025 08:59:38 +0000

Nowadays, data subject rights must be considered as artificial intelligence (AI) revolutionizes industries. With this advancement, data privacy and data protection become major concerns for both businesses and consumers. AI tools enable greater collection and use of personal data, making it more critical than ever for organizations to respect the rights of data subjects. Organizations must design and deploy these technologies in compliance with data protection laws, especially the rights of data subjects provided by the GDPR.

Data subject rights (DSRs) are not optional check boxes. They are legally enforceable rights granted to individuals whose personal data is processed. Businesses must respect data subject rights throughout all stages of AI development, deployment, and ongoing system management. The GDPR grants individuals several rights over their personal data. Let us focus on four of these here:

  1. Right to be informed: As with other data protection frameworks, transparency is key under the GDPR. This right takes the form of a duty to inform prior to the processing taking place. Businesses must include information on how they collect, use, store, and share data, the purpose of processing, the legal basis, data retention periods, and who may receive the data. Privacy notices are the typical repositories for this information. They must be concise, accessible, and written in plain language.
  2. Right of access: Data subjects can request access to the exact personal data a business holds about them. Businesses must provide information about processing activities, data categories, and any third parties with whom they share the data.
  3. Right to rectification: Data subjects can request organizations to correct incorrect or incomplete data without delay. Businesses must respond promptly and update the data across systems and third-party processors where necessary.
  4. Right to object, right to be forgotten and right to revoke consent: These rights allow individuals to exercise control. The European Data Protection Board (EDPB) published a case digest on the right to object and the right to erasure. Data subjects must be able to object to the use of their data and request its erasure when it is no longer necessary, when they withdraw consent, or for purposes like direct marketing.

Incorporating data minimization in AI Systems

One of the most effective ways businesses can respect data subject rights is by adhering to the data protection principle of data minimization. This GDPR principle requires businesses to collect and process only the minimum personal data necessary to achieve their specific purpose. Avoid over-collecting data, use anonymized or synthetic data for training, and regularly review AI outputs to remove unnecessary personal information.

Implement transparent data practices

Transparency is central to building trust and achieving legal compliance. Always define the purpose of processing, specifically the training of AI models. If businesses rely on legitimate interest, they must show that they gave data subjects the chance to object; otherwise, they invalidate their legal basis.

Clearly inform existing customers in advance when using their data to train AI models, and provide opt-out options before processing begins. Transparency is key. 

When there’s no direct relationship with the individual (such as when using publicly available data or data from data brokers), the GDPR requires the information to be provided within one month of collection (GDPR Article 14).

In 2023, the Italian DPA temporarily banned OpenAI’s ChatGPT, citing a lack of transparency around how it used personal data for training. The DPA later required the company to implement clear privacy notices and provide users with ways to exercise their rights.

Respect the right to access 

Can data owners request access to training data? 

This becomes complicated with large language models, but under the GDPR, individuals have the right to know if and how their data is being used.

How to exercise that right? 

Under the GDPR, individuals have the right to know if and how their personal data is used, including data processed by AI systems. While this is straightforward for users with an existing relationship (who can submit data subject access requests via account settings or customer support), it’s more complicated when there’s no direct connection.

In such cases, organizations must ensure proactive transparency by clearly informing people through privacy policies and AI transparency reports. Failure to uphold this right contributes to loss of trust and accountability in AI use and development.

Develop clear processes for data deletion and rectification 

Can data be corrected or deleted after it has been used to train an AI model? 

While difficult, companies must explore the use of data architectures that allow tracing of personal data contributions. The GDPR (Recital 26) considers even pseudonymous data, like randomly generated user IDs, as personal data since organizations can technically link it back to a person, directly or indirectly.

To reduce data subject risk while improving compliance, companies could implement the following measures:

  • Data encryption: Businesses should ensure proper security implementation, especially when handling sensitive personal information.
  • Anonymization and pseudonymization: Where possible, anonymize or pseudonymize data before using it in AI models. Anonymization and pseudonymization protect personal data by reducing breach risks and limiting the impact on individuals in case of a data exposure.
  • Access control: Implement strict access controls and monitoring to ensure only authorized personnel can access personal data. This prevents unauthorized exposure of sensitive information.

By embedding these practices into AI development pipelines, organizations can take meaningful steps toward compliance, trust-building, and ethical AI deployment.
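The following Python sketch is an added illustration of the "traceable pseudonymised data" idea from the deletion and rectification section above, not code from TechGDPR. It stores training texts under a keyed pseudonym instead of the e-mail address, keeps an index so access, rectification and erasure requests can be resolved per person, and assumes (for the demo only) that the HMAC key is generated in-process rather than held in a separate key vault.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumption for the demo: the pseudonymisation key is generated in-process.
# In production it would live in a key vault separate from the training data,
# because whoever holds the key can re-link pseudonyms to people (GDPR Rec. 26
# treats such re-linkable identifiers as personal data).
PSEUDO_KEY = secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes = PSEUDO_KEY) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256) for a direct identifier.

    Same input -> same pseudonym, so records can still be grouped per person,
    but without the key the pseudonym cannot be turned back into the e-mail.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


@dataclass
class TrainingStore:
    """Training corpus keyed by pseudonym, with an index for DSR handling."""
    rows: dict = field(default_factory=dict)   # row_id -> {"subject": ..., "text": ...}
    index: dict = field(default_factory=dict)  # pseudonym -> set of row_ids
    _next_id: int = 0

    def ingest(self, email: str, text: str) -> int:
        """Store a training example under the subject's pseudonym, never the e-mail."""
        p = pseudonym(email)
        row_id = self._next_id
        self._next_id += 1
        self.rows[row_id] = {"subject": p, "text": text}
        self.index.setdefault(p, set()).add(row_id)
        return row_id

    def access(self, email: str) -> list:
        """Right of access: every training text contributed by this person."""
        ids = sorted(self.index.get(pseudonym(email), set()))
        return [self.rows[i]["text"] for i in ids]

    def rectify(self, email: str, old_text: str, new_text: str) -> int:
        """Right to rectification: replace matching texts; returns rows changed."""
        changed = 0
        for i in self.index.get(pseudonym(email), set()):
            if self.rows[i]["text"] == old_text:
                self.rows[i]["text"] = new_text
                changed += 1
        return changed

    def erase(self, email: str) -> int:
        """Right to erasure: drop every row and the index entry; returns rows removed."""
        ids = self.index.pop(pseudonym(email), set())
        for i in ids:
            del self.rows[i]
        return len(ids)


def demo() -> dict:
    """Constructed sample data: two data subjects, one rectification, one erasure."""
    store = TrainingStore()
    store.ingest("alice@example.com", "Alice's first support ticket")
    store.ingest("Alice@Example.com ", "Alice's second ticket")  # same person, messy input
    store.ingest("bob@example.com", "Bob's only ticket")
    before = len(store.access("alice@example.com"))
    store.rectify("alice@example.com", "Alice's second ticket", "Alice's corrected ticket")
    removed = store.erase("alice@example.com")
    return {
        "alice_rows_before": before,
        "alice_rows_removed": removed,
        "alice_rows_after": len(store.access("alice@example.com")),
        "bob_rows_after": len(store.access("bob@example.com")),
        "rows_left": len(store.rows),
    }


if __name__ == "__main__":
    print(demo())
```

Erasing rows from the store removes the person's contributions from future training runs; it does not undo what a model already trained on those rows has absorbed, which is the difficulty the section above refers to.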

Ensure security and privacy by design

Organizations should build user trust and meet regulations by embedding privacy from the start, not treating it as an afterthought. This is the core of the privacy by design principle under the GDPR.

Key steps include:

  • Promoting user choice and control: Provide clear opt-out options before processing data, whether in email campaigns, mobile app popups, or web trackers. Empower users with privacy dashboards that let them view, manage, and delete their personal data at any time.
  • Secure data handling: Businesses must encrypt personal data used in AI training while transmitting and at rest. Implement strict access control mechanisms to ensure that only authorized personnel can interact with sensitive data.

Embedding privacy and security into the system architecture from the outset supports compliance, trust-building, and ethical AI deployment.

Maintain ongoing communication and feedback loops

Transparency shouldn’t stop at data collection. When introducing AI processing, update your privacy notices to reflect the new processing activities, as required by the GDPR. Use layered notices to highlight AI-specific practices like model training, profiling or automated decision-making. Importantly, inform users before processing, not after. True consent means giving people a real choice. Building feedback loops for user input is essential for improving fairness, spotting issues, and building trust in your AI systems.

Conclusion

As AI continues to shape modern business, respecting data subject rights is not just a legal obligation; it’s a foundation for responsible innovation. By embedding privacy by design, adopting transparent data practices, and enabling user control, organizations can align AI development with GDPR principles and foster long-term trust. Data protection isn’t a compliance checkbox, it’s a strategic imperative for ethical and sustainable AI.

Feel free to reach out to us for any clarification of AI compliance needs.

Password security: how strong passwords work and the tools to simplify
https://techgdpr.com/blog/password-security-strong-passwords-tools/
Tue, 31 Dec 2024 11:02:10 +0000

Despite there being means of visualizing one’s password security and its strength, it is not immediately clear how password strength works and where the fine line is between a random, unpredictable password and an easy-to-guess password. What if there was a means for the average person to understand where that line resides? Password strength is the basis for protecting sensitive data, ensuring regulatory compliance and maintaining trust. With growing reliance on online systems and fast-rising threats, reliable password practices are necessary. Compromised and weak passwords create loopholes for cybercriminals, and the ensuing loss of confidentiality leads to data breaches.

Exploring key aspects of password security involves evaluating password strength to resist brute force attacks and using password managers for secure and unique passwords. It also includes leveraging multi-factor authentication (MFA) to enhance protection and recognizing the risks of using browser-suggested passwords and potential vulnerabilities if the browser or device gets compromised.

How secure is my password?

One of the ways to assess the strength of a password is through entropy. Entropy measures password complexity by assessing its randomness, indicating how unpredictable and difficult it is for attackers to guess. Higher entropy, or more randomness, in layman’s terms means a more secure password. Factors that contribute to higher password entropy include:

  • Length: Longer passwords are generally harder to crack.
  • Complexity: Including a mix of uppercase and lowercase letters, numbers, and symbols.
  • Unpredictability: Avoiding predictable patterns like common words and phrases.

If one is curious about understanding how secure their password is this Password Entropy Calculator helps an individual understand password strength and evaluate their own passwords. A secure password should have high entropy, which makes it resistant to brute-force attacks, where attackers systematically try every possible combination of passwords or keys until they find the correct one.
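As an added illustration (not the calculator linked above, and not TechGDPR's code), the Python script below computes the usual pool-based entropy estimate from length and character classes, and puts a pattern-aware estimate next to it to show why a password built from a common word scores far lower than the naive figure suggests. The small word list, the guess rate and the strength thresholds are assumptions made for the demo.

```python
import math
import re

# Constructed mini-dictionary for the demo. A real checker would load a large
# list of common or leaked passwords; this set is an assumption, not a standard.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey",
                "football", "iloveyou"}

# Printable ASCII characters that are neither letters nor digits (95 - 26 - 26 - 10).
SYMBOL_POOL = 33


def charset_size(password: str) -> int:
    """Size of the symbol pool implied by the character classes present."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += SYMBOL_POOL
    return pool


def naive_entropy_bits(password: str) -> float:
    """Entropy assuming every character was drawn uniformly from the pool.

    This is what most online calculators compute: length * log2(pool size).
    """
    pool = charset_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def pattern_aware_entropy_bits(password: str) -> float:
    """Entropy estimate that treats a leading common word as a single token.

    'Password123' is really one word chosen from a small list, one
    capitalisation choice and three digits, so a dictionary attack needs far
    fewer guesses than the naive figure implies.
    """
    lowered = password.lower()
    for word in COMMON_WORDS:
        if lowered.startswith(word):
            # One token from the word list, plus 1 bit for upper/lower first letter.
            bits = math.log2(len(COMMON_WORDS)) + 1
            return bits + naive_entropy_bits(password[len(word):])
    return naive_entropy_bits(password)


def brute_force_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the whole space at the given (assumed) offline guess rate."""
    return 2 ** bits / guesses_per_second


def strength_label(bits: float) -> str:
    """Coarse rating; the thresholds are an editorial assumption, not a standard."""
    if bits < 40:
        return "weak"
    if bits < 70:
        return "moderate"
    return "strong"


def report(password: str) -> dict:
    """Side-by-side view of the naive and pattern-aware estimates."""
    naive = naive_entropy_bits(password)
    aware = pattern_aware_entropy_bits(password)
    return {
        "naive_bits": round(naive, 1),
        "pattern_aware_bits": round(aware, 1),
        "label": strength_label(aware),
        "years_at_1e10_guesses_per_s": brute_force_seconds(aware) / (3600 * 24 * 365),
    }


if __name__ == "__main__":
    for pw in ("Password123", "x7#Qm2!pLz9v", "correct horse battery staple"):
        print(pw, report(pw))
```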

How do password managers enhance security?

According to the German Federal Office for Information Security (BSI), using a password manager is one of the most effective ways to securely store and manage passwords. Grounding the strategies outlined here in such guidance makes them robust and reliable, offering a trusted framework for enhancing password security. Password managers are powerful tools for improving password security and convenience. They securely store and manage passwords, making it easier to use complex, unique credentials for each account. This not only enhances security by reducing the risk of weak or reused passwords, but also simplifies the online experience by eliminating the need to remember multiple passwords. Password managers enhance security by:

  • Generating strong passwords: Password managers create random, complex passwords that are nearly impossible to crack.
  • Secure storage: Passwords are encrypted and stored securely, reducing the risk of exposure.
  • Unique passwords for every account: Using unique passwords for each account limits the damage if one account is compromised (for instance if logging into a service while using public WiFi leads to a third party intercepting an individual’s credentials).
  • Automatic filling: Password managers can autofill login credentials, and they only do so on the site the credential was saved for, which reduces the risk of phishing attacks.

There are many popular password managers that offer both free and premium versions to suit individual or organizational needs. Organizational password management needs often focus on collaboration, centralized control, and compliance with security policies, requiring features like shared vaults, role-based access, and audit trails. In contrast, individual users prioritize personal security, ease of use, and cross-device synchronization to protect their accounts.

How Multi-factor Authentication (MFA) adds an extra layer of security

While strong passwords are essential, they are not sufficient on their own. The European Union has emphasised how MFA protects sensitive consumer data, enhances operational resilience, and mitigates cybersecurity risks. Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to access an account. These factors typically include a combination of at least two of the following:

  • Something you know: A password or PIN.
  • Something you have [i.e. physically]: A smartphone, hardware token, or security key.
  • Something you are: Biometric data, such as fingerprints or facial biometrics.
  • Somewhere you are: The location matches the expected location (VPNs).

MFA significantly reduces the risk of unauthorized access, even if a password is compromised. According to Microsoft, MFA can prevent 99.9% of account compromise attacks, making it a crucial component of any security strategy. 

Password security and compliance

Many industries are subject to regulations that require high password security to protect sensitive data such as:

  • The General Data Protection Regulation (GDPR): Mandates the protection of personal data for EU residents.
  • The Payment Card Industry Data Security Standard (PCI DSS): Requires strong password policies for organizations handling credit card data.
  • Health Insurance Portability and Accountability Act (HIPAA): Enforces password security to safeguard patient information.

Failure to comply with these regulations can result in huge fines and legal consequences. Implementing best practices for password security is not just a matter of good protection practice; it is a compliance necessity.

Are browser-suggested passwords safe?

They are generally safe and convenient: modern web browsers like Chrome, Firefox, and Safari include built-in password managers that suggest and store passwords using encrypted storage. While convenient, there are some risks to consider.

  • Limited security features: Browser-based password managers may not offer the same level of encryption and security as dedicated password manager apps.
  • Device dependency: If a device is compromised or lost, the stored passwords may be at risk, especially if the device lacks proper security controls.
  • Synchronization risks: Passwords synced across devices via a cloud service are exposed if an attacker compromises the cloud account.
  • Phishing vulnerability: Phishing websites can exploit autofill features by cloning legitimate sites.

When choosing to use browser-suggested passwords, ensure an up-to-date browser, use strong device security, and consider enabling MFA for cloud accounts.

Conclusion

Password security is a staple of digital safety and regulatory compliance. Creating strong, unique passwords, using password managers, and enabling multi-factor authentication helps individuals and organizations reduce unauthorized access and breaches.

While browser-suggested passwords offer convenience, understanding their limitations and risks is essential. Ultimately, a proactive approach to password security can protect an individual’s data, ensure compliance, and build trust with customers.

Feel free to reach out to TechGDPR for any clarification of technical compliance needs.

Introducing the Privacy Tech Directory: A Tool for Data Protection and Compliance
https://techgdpr.com/blog/privacy-tech-directory/
Mon, 02 Sep 2024 13:22:42 +0000

The Privacy Tech Directory provided by TechGDPR is a centralized repository of resources and tools designed to help both companies and individuals safeguard their personal information and comply with privacy regulations. This resource was created in order to host a wide range of tools, from encryption and cookie management to open-source analytics, in one centralized location to allow users to compare and assess various solutions to address their unique privacy challenges. The Privacy Tech Directory can be used by corporations looking to fortify data security or even individuals aiming to reclaim their privacy rights.

The Privacy Tech Directory serves two purposes: 

  1. it empowers users to enhance their privacy and
  2. provides a list of tools that can help to maintain compliance with relevant data protection laws. 

It offers a large selection of tools categorized meticulously to address different aspects of privacy and security.

It should be noted that the directory is not an exhaustive list but rather an initial stepping point to figure out what services and/or products are available to help with your specific privacy or security concern.

Here’s a detailed look at the categories available:

Features of the Privacy Tech Directory 

The tools are divided into the following categories: 

  • Consent Management Platforms: Manage user consent and ensure compliance with the GDPR and other regulations.
  • Access Control: Implement secure access controls to protect sensitive information.
  • Analytics: Use privacy-focused analytics tools to gather insights without compromising user data.
  • File Management: Secure file storage and sharing solutions to protect data integrity.
  • Privacy Alternatives: Discover privacy-respecting alternatives to mainstream services.
  • AI: Leverage AI tools designed with privacy in mind.
  • Forms: Create and manage forms that prioritize user data protection.
  • Fonts: Use fonts that respect user privacy.
  • Encryption: Employ encryption tools to secure data in transit and at rest.
  • Bookmarking: Find privacy-focused bookmarking tools.
  • Advertising: Access advertising tools that prioritize user privacy.
  • Compliance/Risk Management: Simplify compliance and risk management processes.
  • DPO-as-a-Service: Utilize data protection officer services for expert guidance.

The diversity of tools underscores multiple ways technology intersects with privacy, and seeks to highlight the necessity of preserving privacy on various fronts.

The Creation and Evolution of the Privacy Tech Directory 

The Privacy Tech Directory was crafted through independent research and the innovative use of generative AI. Should any inaccuracies be found in the tool descriptions, users are encouraged to contact TechGDPR at privacydirectory@techgdpr.com to correct the information. The directory aggregates information from various sources, including Privacy Guides, Web3 Privacy on GitHub, and the IAPP privacy vendor directory, alongside independent research efforts.

The directory attempts to highlight open source and free tools. There is a landing page to navigate all of the tools with the following options presented.

(Screenshot of the Privacy Tech Directory landing page.)

This database is located on our Privacy Tech Directory landing page. It allows users to search the database directly by Name, Format, Category or even by words that appear in the Short Description, for example “GDPR”.

For each tool described in the directory, we strive to include the: 

  • Name
  • Short description (AI generated)
  • Format category (Is this tool for developers (low level code)? Is it a working software or application?)
  • Long descriptions (AI generated)
  • URL / Github
  • Languages supported
  • Whether the tool is free or not; if it is not free, the cost is included where it could be discerned from the website
  • Open Source (if applicable)
    • Link Github/open source (if applicable)

If you have new tools to add or wish to feature or remove a tool from the Privacy Tech Directory, please reach out to TechGDPR at privacydirectory@techgdpr.com.

Conclusion

The Privacy Tech Directory by TechGDPR is a resource for anyone interested in data protection and privacy compliance. The directory is a curated collection of tools to enhance security, streamline compliance, and maintain transparency. 

For any requests and issue reporting, contact TechGDPR at privacydirectory@techgdpr.com.

Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment
https://techgdpr.com/blog/difference-fundamental-rights-impact-assessment-dpia/
Tue, 30 Jul 2024 07:00:00 +0000

Through the AI Act, the EU seeks to ensure that AI systems used within the Union are safe and transparent. The EU AI Act provides a regulatory framework focusing on safeguarding fundamental rights, in relation to high-risk AI systems. Companies making use of AI, regardless of their size or industry, must now comply with the AI Act’s provisions. This marks a significant step towards responsible and ethical AI development and deployment across the region. Article 113 of the EU AI Act states that the Regulation “[…] shall apply from 2 August 2026”. However, some provisions become applicable sooner or later than this date. Most of the Act’s provisions require full compliance 24 months post-enforcement.

Crucial to the AI Act is that organisations using high-risk AI systems must conduct a comprehensive Fundamental Rights Impact Assessment (FRIA). This assessment proactively identifies and mitigates potential harms to individuals. Notably, the FRIA shares similarities with the Data Protection Impact Assessment (DPIA) mandated under the GDPR. This underscores the intersection of data protection and fundamental rights in the context of AI systems.

What is a Fundamental Rights Impact Assessment (FRIA)?

While the EU AI Act does not expressly define the FRIA, it explains what the objective of the assessment is. The Act also states what the assessment must contain. Recital 96 of the AI Act states that “The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals…”. Moreover, the FRIA helps to “identify measures [to take] in the case of a materialisation of those risks”. Organisations must conduct the FRIA “prior to deploying the high-risk AI system”. They are also required to update it “when ... any of the relevant factors have changed”.

In other words, a FRIA is an evaluation of the risks that high-risk AI systems present to individuals’ rights. It also determines the remediation strategies to manage and mitigate those risks in case they occur.

What should a Fundamental Rights Impact Assessment contain?

According to Article 27(1) of the EU AI Act, the Fundamental Rights Impact Assessment should contain the following information:

(a) a description of the deployer’s processes in which the high-risk AI system will be used in line with its intended purpose;

(b) a description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used;

(c) the categories of natural persons and groups likely to be affected by its use in the specific context;

(d) the specific risks of harm likely to have an impact on the categories of natural persons ..., taking into account the information given by the provider pursuant to Article 13 (transparency obligations of AI providers);

(e) a description of the implementation of human oversight measures, according to the instructions for use;

(f) the measures to be taken in the case of the materialisation of those risks,

Interestingly, Article 27(4) of the EU AI Act states that if organisations meet “any of the obligations laid down in this Article […] through the data protection impact assessment conducted pursuant to Article 35 of [the GDPR]…, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment”. Essentially, the fundamental rights impact assessment should complement the data protection impact assessment.

Intersection between Fundamental Rights Impact Assessment and Data Protection Impact Assessment

Article 35 of the GDPR states that a DPIA evaluates the impact of processing operations on the protection of personal data. This applies especially where the processing operations make use of new technologies and are likely to result in a high risk to the rights and freedoms of natural persons. Based on this, it appears that the FRIA and the DPIA both relate to the impact on rights and the protection of personal data, for high-risk AI systems and high-risk processing operations respectively.

The table below offers a quick overview of the minimum information requirement for the FRIA and DPIA:

Topic | FRIA | DPIA | Comments
Description of processing | ✔️ | ✔️ | FRIA: requires a description of the deployer’s processes. DPIA: requires a description of the controller’s processing operations.
Purpose of processing | | ✔️ |
The legitimate interests pursued | | ✔️ |
Risks to the rights and freedoms of individuals | ✔️ | ✔️ | FRIA: requires inclusion of the specific risks to individuals, taking into account the information provided by the provider of the AI system. DPIA: requires inclusion of the risks to individuals, taking into account the nature, scope, context and purposes of the processing operation.
The necessity / proportionality of the operations in relation to the purposes | | ✔️ |
Measures to address the risks | ✔️ | ✔️ | FRIA: requires measures to be followed in case the risks materialise, internal AI governance and a mechanism for complaints. DPIA: requires safeguards and security measures to ensure the protection of personal data and to demonstrate compliance with the GDPR.
The time period and frequency of intended use | ✔️ | |
Categories of natural persons likely to be affected | ✔️ | |
Implementation of human oversight measures | ✔️ | |

FRIA and DPIA in practice

The minimum requirements for the FRIA and the DPIA differ. In practice, however, both assessments often include additional information, making them quite similar. For example, Article 35 of the GDPR does not mandate the inclusion of data subject categories in the DPIA. However, organisations logically include such details to identify risks to individuals’ rights and freedoms. Similarly, the EU AI Act does not explicitly require the purpose and proportionality of processes in the FRIA. Yet organisations naturally include them when describing the processes and the necessity of the AI system.

What are the differences?

The major difference between the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment is their focus point. The FRIA focuses on how the AI system directly impacts the rights of individuals. The DPIA focuses on how the processing operation impacts the protection of personal data and the rights of individuals.

The table below provides an overview of the major differences between the FRIA and the DPIA:

FRIA | DPIA
Required for high-risk AI systems | Required for processing operations making use of new technologies, in particular when: automated processing is used and profiling is carried out on a large scale; special categories of personal data are processed; systematic monitoring of a publicly accessible area occurs.
Relates to deployers of high-risk AI systems | Relates to controllers
Deals with the impact of high-risk AI systems on the rights of individuals | Deals with the impact of processing operations on the rights of individuals
Is focused on mitigating risks to ensure that the rights of individuals are protected | Is focused on mitigating risks to ensure that personal data is protected
Considers information provided by the provider of the high-risk AI system | Considers information relating to the nature, scope, context and purposes of the processing operation

Summary

The major takeaway is that the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment play complementary roles. At least, this is the intent of the EU AI Act according to Article 27(4). Therefore, organisations deploying high-risk AI systems that process personal data will have to conduct both assessments. If your organisation is a provider of high-risk AI systems, there is no requirement to conduct the FRIA. However, providers must make information available to deployers of the AI system to make the conduct of the FRIA possible. This is because a substantial part of the assessment relies on the information presented by AI providers.

Given that the EU AI Act is new, organisations may struggle with identifying their role in the AI value chain. Organisations may also struggle to comply with the requirements based on that role. At TechGDPR, we assess your processing operations, the information provided by AI providers and the envisaged implementation of the AI system to help determine what requirements apply under the EU AI Act. We can help you correctly classify the AI system(s) your organisation plans to manufacture or deploy, ensuring early detection of any outright prohibitions. This will prevent your organisation from wasting valuable resources on systems not allowed within the EU.

Improving GDPR compliance with the EDPB Website Auditing Tool
https://techgdpr.com/blog/edpb-website-auditing-tool/
Mon, 25 Mar 2024 16:26:02 +0000

The EDPB Website Auditing Tool, or EDPB WAT, was recently released to help monitor websites’ compliance with the GDPR. It is a free software project meant to help analyze websites. The tool uses Chromium as a webdriver to access a URL and then assesses which external resources and cookies are loaded on the website. It is important for companies to regularly assess their websites so that they have a complete understanding of their processing activities. It is the responsibility of the data controller to ensure that its website is compliant with the GDPR.

The EDPB audit tool can be installed directly from the source code or through pre-built releases. There is a version for easy installation on Linux, Windows, and MacOS machines. One can also download the official source code of the EDPB WAT tool rather than the pre-compiled application file. 

Capabilities of the EDPB Website Auditing Tool

With the tool, individuals are able to start new analyses of a website. There is the possibility to create multiple scenarios such as: 

  • No cookies accepted; 
  • Reject all;  
  • Accept all; and
  • Any other categorization of cookies available on the website, for example performance, marketing, etc.

For each of these scenarios, the cookies and external sources loaded are collected by the tool to form a report. The user of the tool can then test different banner and consent box options and inspect how the user experience changes. In assessing various consent box options, the tool allows for easy verification that all cookies are correctly categorized, ensuring that no non-necessary cookie is loaded without permission from the user.

By using the EDPB WAT, one is able to analyze different aspects of a website such as: 

  • which cookies are loaded under each consent scenario;
  • which local storage is being used;
  • whether HTTPS (SSL/TLS) is used to protect the flow of data to and from the website;
  • which requests are being made (traffic analysis);
  • whether any web forms on the website submit over a non-encrypted connection, so that anything that could be personal data is sent securely; and
  • the presence of any web beacons.

How to get started

The program can be installed through an application installer for Linux, Windows, and MacOS, or by downloading the source code directly. Using the pre-configured installers is recommended for simplicity. The EDPB also released official guidance to be used in conjunction with the tool, which can be accessed here.

Testing out the EDPB WAT: An example

After installing EDPB WAT, one can easily test the capabilities of the tool by requesting a specific URL for it to access. Consider the URL website.com, which is owned by CompX and has a cookie banner with “Accept All” and “Reject All” as the only two consent options.

Since there is a cookie banner present, there are three scenarios that we need to assess. 

  1. Accept All → When the option to “Accept All” is chosen, review all of the scripts, resources and cookies that are loaded. 
  2. Reject All → When the option to “Reject All” is chosen, it is important to review 
  3. No consent given → It is important to see whether any cookies, resources or scripts are loaded even if one does not interact with the cookie banner.

The tool will then access that URL and collect data based on the consent option chosen. When assessing the website scenarios, one can label each scenario as compliant, not compliant, or indeterminate. The same labels can be applied to the specific cookies set by a website. If website.com were found to be setting third-party advertising cookies when the option to Reject All is chosen, that would be in violation of the GDPR and the ePrivacy Directive.
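As an added illustration (not code from the EDPB tool or from TechGDPR), the Python below applies the labelling described above to a constructed capture of cookies for the website.com scenarios: a constructed knowledge base assigns each cookie name a category, a scenario is labelled not compliant when a non-necessary cookie is set without consent for its category, and indeterminate when a loaded cookie is not yet in the knowledge base.

```python
"""Constructed example: label consent scenarios as compliant, not compliant or
indeterminate. The captures and knowledge base are made up for illustration."""
from dataclasses import dataclass

# Only strictly necessary cookies may be set without the visitor's permission.
NECESSARY = "necessary"

# Constructed knowledge base: cookie name -> category. The article describes
# building such a base manually while assessing websites over time.
KNOWLEDGE_BASE = {
    "session_id": NECESSARY,
    "consent_choice": NECESSARY,
    "analytics_id": "analytics",
    "ad_id": "advertising",
}

# Categories the visitor has agreed to in each scenario. "Reject All" and
# "No consent given" permit only strictly necessary cookies.
SCENARIOS = {
    "accept_all": {"analytics", "advertising", "performance", "marketing"},
    "reject_all": set(),
    "no_consent": set(),
}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str  # as set by the browser, e.g. ".ads.example.net"


def is_third_party(cookie: Cookie, site: str) -> bool:
    """True unless the cookie domain is the audited site or one of its subdomains."""
    host = cookie.domain.lstrip(".")
    return not (host == site or host.endswith("." + site))


def assess_scenario(site, cookies, consented, kb=KNOWLEDGE_BASE):
    """A known non-necessary cookie set without consent for its category makes the
    scenario 'not compliant'; uncategorised cookies make a clean one 'indeterminate'."""
    offenders, unknown = [], []
    for c in cookies:
        category = kb.get(c.name)
        if category is None:
            unknown.append(c.name)
        elif category != NECESSARY and category not in consented:
            offenders.append({"cookie": c.name, "category": category,
                              "third_party": is_third_party(c, site)})
    if offenders:
        label = "not compliant"
    elif unknown:
        label = "indeterminate"
    else:
        label = "compliant"
    return {"label": label, "offenders": offenders, "unknown": unknown}


def assess_site(site, captures, scenarios=SCENARIOS):
    """Assess every captured scenario and return a per-scenario report."""
    return {name: assess_scenario(site, cookies, scenarios[name])
            for name, cookies in captures.items()}


# Constructed capture for the article's website.com example: the site keeps
# setting a third-party advertising cookie after "Reject All" and an analytics
# cookie before the visitor has interacted with the banner at all.
CAPTURES = {
    "accept_all": [Cookie("session_id", "website.com"), Cookie("consent_choice", "website.com"),
                   Cookie("analytics_id", ".website.com"), Cookie("ad_id", ".ads.example.net")],
    "reject_all": [Cookie("session_id", "website.com"), Cookie("consent_choice", "website.com"),
                   Cookie("ad_id", ".ads.example.net")],
    "no_consent": [Cookie("session_id", "website.com"), Cookie("analytics_id", ".website.com"),
                   Cookie("cmp_xyz", "website.com")],
}

if __name__ == "__main__":
    for scenario, result in assess_site("website.com", CAPTURES).items():
        print(f"{scenario:10} {result['label']:14} offenders={result['offenders']} "
              f"unknown={result['unknown']}")
```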

Regular use of this tool on one’s own website and on other websites gives an understanding of which technologies competitors use, and can grant the upper hand in contract negotiations by proving a higher level of compliance with EU regulations. The WAT tool also allows for the manual creation of a knowledge base of cookies, which can be built up over time through the assessment of various websites.

Screenshot of the EDPB Website Auditing Tool

How is the EDPB Website Auditing Tool helpful for businesses?

It is important to be aware of all of the resources used by a website in order to ensure compliance with the GDPR. This tool gives a quick overview of which resources are called and how they are placed or used by a website. To maintain compliance with the GDPR, it is important to understand how a website might impact a visitor through the setting of cookies, the use of local storage or calls to external resources.

The performance of regular website audits by a business can help to ensure: 

  • compliance with legal requirements such as the GDPR and the ePrivacy Directive; 
  • a way of addressing potential unknown risks on a website such as unintentionally set cookies; 
  • trust and transparency with website visitors; and 
  • improved website performance. 

The EDPB WAT can help determine the current level of compliance of a website or an organization. It is important to remain cognizant of how a website changes over time. Using this tool, a website owner can assess how the various technologies that make up the website impact the user. WordPress, for example, is the largest website content management system, powering over 40% of websites on the Internet, and website developers might add plugins that set cookies without the owner knowing.

A quick scan using the EDPB WAT then makes it easy to find such an oversight and fix the issue before it becomes a citable instance of non-compliance under the GDPR and/or the ePrivacy Directive.

How we use the EDPB Website Auditing Tool

TechGDPR performs website audits on behalf of organizations to analyze the current state of compliance of a website. With the release of this new tool by the EDPB, we will integrate the use of the EDPB WAT into our technical assessment methodology. By leveraging this tool, we at TechGDPR aim to enhance the effectiveness and efficiency of the website audits performed on behalf of our clients. When appointed as an organization’s DPO, TechGDPR performs annual website audits to work towards GDPR and/or ePrivacy compliance. Feel free to reach out to TechGDPR if you are interested in having an in-depth, independent audit carried out beyond the capabilities of the EDPB WAT tool.

The post Improving GDPR compliance with the EDPB Website Auditing Tool appeared first on TechGDPR.

Why should software developers care about GDPR compliance? https://techgdpr.com/blog/software-developers-and-gdpr-compliance/ Wed, 14 Feb 2024 14:27:29 +0000 https://s8.tgin.eu/?p=7193

Software developers often view ensuring GDPR compliance as a blocker, as they are left trying to figure out what personal data is and how to maintain compliance. In a recent study by Alhazmi and Arachchilage, software developers cite multiple reasons that make approaching GDPR compliance tricky, including a lack of clear best implementation practices, a lack of familiarity with the legislation and a lack of guidance. Understanding what to look for and what to prioritize is likely the first hurdle. There are many reasons why software developers should acknowledge privacy and ensure regulatory compliance such as GDPR compliance, and software developers play a key role in ensuring it.

GDPR compliance as a market differentiator 

Companies serious about GDPR compliance understand its role in maintaining their market position. Those who are proactive are quicker at placing themselves on a purchaser’s list of adequate suppliers. When processing data from people in Europe, the GDPR applies. It forces an organization to implement measures and maintain records of compliance. Even if an organization is not currently processing that data, building in regulatory compliance early supports future collaborations and partnerships with larger organizations and ensures the trust of product users.

Whether a software developer operates in a B2C, B2B or B2B2C context is irrelevant: the processing of personal data anywhere on that chain of services needs to comply with GDPR requirements. Thus achieving and maintaining compliance allows an organisation to be a supplier that implementing clients consider. For instance, a software developer for a small start-up is able to integrate fundamental privacy by design and by default principles in their design, including practices such as implementing end-to-end security, hashing, and other cryptographic measures.

Transparency makes the product more competitive if it is to be implemented through partnerships or sold as a SaaS. Procurement negotiations might still bring up specific questions and feature requests to be added to the agreements your organization signs as a vendor. By prioritizing compliance, any solution developed is more likely to remain on the list of suppliers worth considering especially if the negotiation deals with business in the EU. Implementing privacy preserving design features allows an organization the competitive edge of transparency.

Major fines

Tech giants such as Facebook, Google and Amazon regularly face severe fines for non-compliance. These fines are essentially caused by deliberate ambiguity in their data processing and in the fulfilment of their transparency requirements. Worse, they disregard their data controller obligations and get fined for a combination of hidden processing practices and implemented dark patterns. In May 2023, Meta was hit with a 1.3 billion euro fine for lack of GDPR compliance, the largest fine to date. Amazon was fined 746 million in 2021 for failing to collect user consent when advertising. When companies get fined, several factors come into play, potentially including their willingness to cooperate and implement corrective actions. However, the constant factors are a lack of transparency, misleading patterns and a lack of legitimization of processing.

However, most businesses are small-to-medium-sized enterprises (SMEs), a term the European Commission defines as a company with fewer than 250 employees. For an SME, GDPR compliance is harder to achieve due to proportionally reduced resources or access to expertise. Therefore, if an SME is able to achieve compliance, it recovers the competitive advantage over larger players that it lost on operational costs. Tech giants are consistently pressured to maintain compliance due to their increased visibility. Therefore, compliance, when managed efficiently, is a defining competitive advantage for smaller companies.

GDPR compliance as a political or social issue 

When tech-savvy individuals go online, they tend to protect their own privacy by using strong passwords, increasingly using MFA where available, or using pseudonyms and single-use email addresses where possible. With the help of a few high-profile breaches and updates to app marketplace practices and communication strategies, the average user has become more aware of online privacy risks. Software developers tend to implement best security practices in their own use of software and apps. As a result, they are particularly well suited to understand the need for security. They are also specifically instructed to implement strong security practices and privacy design patterns such as content security policies for websites. As creators of technology, software developers have an ethical responsibility to protect the privacy of individuals and to empower them to use their software or services more privately.

Through implementing best design practices such as the minimization of cookies, the forced use of MFA, the encryption of user data and a privacy-by-default approach to design, designers create privacy-preserving environments. While the expectation might be that less tech-savvy individuals show relative indifference about their own privacy, one study, entitled Caring is not enough: the importance of Internet skills for online privacy protection, argues that even if people do care, they also need to be educated on how to protect their own privacy. It is not uncommon to feel helpless protecting one’s own data or safely using the internet. Typically, a lot of the burden for security falls, wrongfully, on the individual.

Should the average user be expected to know how to make use of encryption to feel safe online? 

For many, cookie banners are annoying interfaces, easily brushed away by clicking the “Accept all” button. Configuring a cookie banner so that it does not set non-essential cookies by default makes the organization compliant on that requirement and provides users with a choice. Amongst other principles, privacy by default also requires the developer to ensure the most private settings are set by default. Software designers familiar with ePrivacy requirements are able to notify the marketing team that silent opt-ins are illegal in the EU. This allows the organization to engage in discussions as to whether to design for compliance or to accept the risk. In accepting the risk, an organisation increases user distrust for the benefit of tracking, profiling and advertising KPIs.

As digitization continues, selling user data or mishandling personal information has become pervasive in the tech field, without much regard to the significance of this action. It has become regretfully normalized even though it is against the GDPR, likely due in part to many companies operating solely within the US. At the moment, the US does not have a federal law similar to the GDPR. Regardless, this precedent is pervasive.

People should have the right to use and access the internet and software-related tools and services without being seen as a commodity. Through the use of tracking elements and the abuse of consumer metrics, individuals are becoming commodified and sold as such. It should not be the case that individuals can be so easily manipulated and tracked through their actions online. When software developers prioritize GDPR compliance, they are able to help prevent the commodification of individuals by their company.

GDPR compliance in software development as an intellectual challenge

It is easy to do things in a non-secure manner. It would be easier to pick up one’s phone to text people if it had no password, but most individuals have a password on their phone to protect the content on their device from strangers. Therefore, the easiest solution is not always the best solution. This stems from the common dilemma of convenience versus privacy that one is confronted with daily. Instead of seeing this as an issue, one should frame it as a challenge: an issue bears the connotation of an obligation or nuisance, whereas viewing compliance as an intellectual challenge of how to protect others makes it more intriguing and fun to solve.

Individuals are motivated to do things either intrinsically or extrinsically. When a supervisor informs a developer that they must make the system compliant with the GDPR, that is the definition of an extrinsic motivator, as it is external. Intrinsic motivation, however, is a powerful and compelling motivator, and is part of the reason why computer games are fun to learn.

An intellectual challenge has a better and more enthralling connotation. This idea has been theorized since the 1950s, and academics have postulated through research that intrinsic motivation is correlated with how challenging the activity is. Considering that those with a background in computer science are confronted with technical issues and problems to solve all the time, compliance is best viewed as an intellectual challenge: avoid the easiest solution and create the most secure one.

Concluding thoughts 

Compliance is the law. As a software developer, one will likely need to work to implement or maintain compliance with the GDPR. It is easy to see it as a tedious endeavor handed down by a higher-up, who might not necessarily understand the ramifications of the technical assignment they are bestowing. Instead, one should view the GDPR through an intrinsically motivated lens, as an intellectual challenge to protect the rights of individuals. There are other reasons why, as a software developer, one should care about the GDPR, including but not limited to securing contracts and helping others with less knowledge of proper internet privacy practices.

The joy of the internet and technology should benefit and be enjoyed by all individuals, regardless of their technical background and without the fear of losing rights. The question should not be “does one engage with technology and in doing so give up the right to privacy?”; rather, the burden should fall less on technically unaware users, and privacy should be built into technology inherently.

If you are interested in taking your GDPR knowledge to the next level, dive into TechGDPR’s specialized training for developers. This course is designed to equip you with the skills and understanding needed to navigate GDPR compliance within your projects. It will help you ensure your software is up to standard and gain a competitive edge. Discover more and enroll today at GDPR for Developers – Online Course.

The post Why should software developers care about GDPR compliance? appeared first on TechGDPR.

Bring your own device and data protection https://techgdpr.com/blog/bring-your-own-device-and-data-protection/ Mon, 04 Oct 2021 17:33:43 +0000 https://s8.tgin.eu/?p=5154

What constitutes “bring your own device” (BYOD) and what risks to GDPR compliance does it introduce?

Bring your own device allows employees to use their own devices (smartphones, tablets, laptops) in the workplace and also to access corporate tools from these devices. This means they are likely to carry corporate information or confidential personal data of the company’s clients on personal, mobile hardware. BYOD could increase productivity and efficiency. Remarkably, a survey performed by Samsung in collaboration with Frost & Sullivan, “Employees Say Smartphones Boost Productivity by 34 Percent: Frost & Sullivan Research”, concluded that applying BYOD in the workplace could increase productivity by up to 34%. Nevertheless, this initiative carries data protection risks, as data loss can occur not only through the device being lost or stolen but also through it being hacked due to unsecured or unsupervised use.

Art. 5.1.f) of the GDPR requires personal data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”. Additionally, Article 32 specifies the obligations of controllers to ensure the security, availability and confidentiality of personal data, three goals that data protection shares with information security.

It becomes apparent, therefore, that for BYOD’s benefits to be felt, companies must also implement security measures to safeguard their personal data assets.

What can companies do to support GDPR-compliance despite the implementation of BYOD?

Companies should ensure that employees are aware of the risks an unprotected or ill-used personal device poses to the security and availability of company assets. This can be achieved by training employees about security risks and by drafting a BYOD acceptable use policy, a record-keeping policy and a security procedure policy.

When implementing BYOD, it is advisable to draft an Acceptable Use Policy, which determines the apps and tools an employee is allowed to access from their phone when they are at the workplace, the process for accessing and handling confidential company data, and the reporting duties involving security concerns. This policy could also determine what happens to the company’s confidential data stored on the employee’s phone when they leave the company, and the conditions for transferring data securely from one device to another. Additionally, the company should consider an enforcement process and accountability provisions in case an employee doesn’t comply with the policy. Drafting a BYOD acceptable use policy will facilitate compliance with the GDPR as it implements the principle of accountability. This principle is defined in GDPR Art. 5.2, stipulating that “the controller shall be responsible for, and be able to demonstrate compliance with” the other data protection principles, and crucially with the principles of security and confidentiality introduced in Art. 5.1.f).

Smartphone screen with installed apps

In addition, employees should be trained to understand and apply the provisions of the policy, such as using their device in a secure way to avoid hacking, keeping their phone updated, and securing it against data access attempts in case of loss or theft.

Moreover, a record-keeping policy ensures that the location of all of the company’s confidential data is known, and that the data is kept up to date and not stored longer than necessary. As mentioned above, this practice also supports compliance with the principle of accountability (GDPR Art. 5.2). Some companies additionally opt for a data classification scheme, making it easier for anyone to understand the risk associated with different types of data.

Finally, a policy outlining the security procedures should be in place, requiring user authentication when accessing applications hosting company personal data. Some companies opt for a widely scoped access rights policy that defines which roles require need-to-know access and what security measures must be observed when accessing tools or datasets. Other technical measures should also be included in the policy, such as the encryption of data, the use of a firewall or the installation of anti-malware software, which help prevent hacking or unauthorised access to personal data in case the device is stolen, lost or compromised.

Although a wide variety of measures exist, some of them pose considerable privacy concerns, a significant one being the lack of company oversight that often results from making use of BYOD. For example, some mobile device management systems allow for third-party tracking of devices, viewing of contacts, photos and videos, reading of text messages and, in some cases, remote wiping of data from the device. Companies should therefore pay as much attention to the measures they plan to implement as to the software environment in use on employee-owned devices.

Screen displaying Linux root file system

Conclusion

To recapitulate, when implemented wisely and accompanied by policies and security measures, BYOD can increase productivity and efficiency. Nevertheless, companies should bear in mind that a smartphone is an extension of a person’s private sphere and that this in itself comes with privacy concerns. Therefore, when implementing measures to protect your company’s confidential information, you ought to tread cautiously along the line between your company’s need for safety and your colleagues’ right to privacy.

The post Bring your own device and data protection appeared first on TechGDPR.
