General Data Protection Regulation (GDPR) and Web Application Security

GDPR in Short

1. Any company either based in the EU or which deals with any data involving EU citizens or organizations are required to comply.
2. Under the GDPR, personal data includes anything that might identify an EU citizen, including IP addresses and cookie IDs.
3. Companies will now need to report incidents that could risk customer data to their country’s Data Protection Authority within 72 hours of discovery. For major breaches, the affected company has an additional requirement of informing their customers or users themselves.

Application Security Requirements in the GDPR

1. In order to discover any weak points in how data is processed or handled, the GDPR mandates that organizations assess their current systems and processes for how they currently handle data and perform a gap analysis to find what works and what needs to be changed or removed.
2. There needs to be Security by Design and by default to ensure data is secured from the beginning of the application or system. This concept describes the idea that security and privacy need to be considered during the planning phases.
3. Encryption and pseudonymization of personal data.
4. The ability to restore personal data availability in the event of a security incident or technical issue in a timely manner.
5. Ensuring ongoing confidentiality, integrity, and availability (the tenets of InfoSec) of data processing systems and services.
6. Establishing a process for regular security testing and assessment of the effectiveness of security practices and solutions in place.
7. Organizations should practice the principle of least privilege, as well as regularly ‘cleaning house’ and removing any data that is no longer needed.
8. Lastly, it is recommended, though not mandated, the organizations, especially larger ones, create centralized application and data repositories to maintain better control over customer data.

Web Applications must follow

1. Encrypting data end to end – Make sure any data you collect from your customers is encrypted.
2. Make sure all data is able to be “forgotten”. Under the GDPR, users have the right to be forgotten – all of their data that is stored about them can be wiped at any moment upon their request. This also applies to any 3rd-party integrations where you send data. It’s also a best practice to dispose of temporary data as soon as possible after it is used.
3. Provide individual consent checkboxes for each data processing capability. How many times have you checked “I accept the terms and conditions” without reading what you actually just consented to? A major change in the GDPR’s data protection regulations includes specifying how data is processed and allowing the user to consent to (or revoke consent to) each activity. This does not just apply to new users. It’s also required that you contact existing users who may have joined under less specific terms and conditions and request their consent.
4. Allow users (and non-users) the ability to see if you have their personal data stored. Ideally, any person would be able to submit their email address and find out if your company has any personal information stored about them in your databases. Beyond that, the ability for a user to see all of the data that they have given you in a non-spreadsheet format is desired.
5. Allow users to edit collected data. If you’re collecting information about a user (phone number, shipping address, etc.) they should also be able to edit this information if it’s incorrect, ideally without needing to contact you to do so.
   GDPR is no burden. It has been introduced for benevolence of customers and companies.