OK, in an effort to be more constructive here is a helpful list of things that we as app developers need to consider for GDPR compliance… (This includes any third party that has access to any data including Corona’s automatic data harvesting).
By definition, personal data now includes IP addresses and all advertising identifiers - basically any data that is not anonymized.
1. Determine whether the app really needs all the requested personal data
The ideal privacy implementation saves as little personal data as possible, such as birth date, name, country of residence, etc. This is not possible in all cases; some entities will need more information. In all cases, though, developers and management should define exactly which data is absolutely necessary.
2. Encrypt all personal data and inform users about it
If an application needs to save personal information, the data should be encrypted with proper and strong encryption algorithms, including hashing. In the Ashley Madison data breach, all personal data was in clear text, which had huge consequences for its users. It should be explicitly stated to users that all their personal data, including phone numbers, country of residence, and address, will be encrypted and hashed to avoid any form of data extraction and potential exposure in case of a data breach.
3. Think OAuth for data portability
Protocols for single sign-on such as OAuth allow users to create accounts by simply providing another account, but they also assure that no personal data other than the authentication ID from the other service is stored.
4. Enforce secure communications through HTTPS
Many entities do not use HTTPS for their websites because they do not consider it necessary. For example, if the application does not require any form of authentication, then HTTPS might not seem needed. But it’s easy to overlook some things. For instance, some applications collect personal information through their “contact us” forms. If this information is sent in clear text, it will be exposed through the Internet. Also, you should make sure that the SSL certificate has been properly deployed and is not exposed to vulnerabilities related to SSL protocols.
5. Inform users about and encrypt personal data from ‘contact us’ forms
Applications do not collect information only through authentication or subscription, but also through contact forms. Most of this information is personal, including email address, phone number, and country of residence. Users must be informed how this data will be stored and for how long. The use of strong encryption is highly recommended for storing this information.
6. Make sure sessions and cookies expire and are destroyed after logout
Users must have proper visibility about the use of cookies by the application. They must be informed that the application is using cookies, the application should provide the opportunity for users to accept or deny cookies, and cookies must be properly destroyed after inactivity or logout.
7. Do not track user activity for business intelligence
Many e-commerce applications on the web track users to determine their tastes through their searches or products bought. Often, companies such as Amazon and Netflix use this sort of information for their recommender systems. Because users’ personal taste and choices are being monitored and stored for commercial purposes, the users should be able to accept or reject this as an option. If users decide to accept such tracking, they should then be told how the data is saved in the system and for how long. And, of course, anything related to personal information should be encrypted.
8. Tell users about logs that save location or IP addresses
Many applications use IP addresses or locations as a parameter to control authentication and authorizations, and they log this information in case someone attempts to bypass authentication controls. Users should be told about this, as well as how long the logs will be saved in the system. Never include more sensitive information such as passwords in the logs.
9. Store logs in a safe place, preferably encrypted
Keep any logs that contain user information in a safe place and inform users about what happens to these logs: how they are stored and how long they are retained. The logs themselves should be encrypted.
10. Security questions should not turn on users’ personal data
In many applications, security questions are used as a form to confirm the identity of a user. These questions should not include personal components such as mother’s maiden name or even the user’s favorite color. If possible, replace these questions with two-factor authentication. If that isn’t possible, let users create their own questions and warn them against creating questions that contain personal data. Any information provided should be encrypted.
11. Create clear terms and conditions and make sure users read them
Don’t hide away your terms and conditions. Under the new EU privacy laws, terms and conditions should be on the landing page of any web application and be highly visible at all times while the user navigates the application. An enforcement mechanism is necessary so that users have to agree to terms and conditions before being allowed access to the app, especially when terms have been changed. The terms and conditions should also be in language that is easily understood.
12. Inform users about any data sharing with third parties
If your organization shares personal data with third parties, whether they are external plugins, affiliates, or government organizations, that fact should be included in the terms and conditions.
13. Create clear policies for data breaches
One of the most important aspects of the EU law is the right of users to be informed if a data breach occurs. Organizations must implement clear policies that establish roles and steps to follow so that, for example, users are promptly informed about any breach.
14. Delete data of users who cancel their service
Many web applications do not make it clear what happens with personal data after a user has canceled the service or deleted an account. With the right to be forgotten, companies should respect the right of users to delete all their account information and related data. It must be visible to users that they can leave a service and all their data will be deleted. Companies that treat deleted accounts as merely inactive could run afoul of the law.
15. Patch web vulnerabilities
As mentioned on the OWASP Top 10 list, one of the major data privacy risks involves web application vulnerabilities: “Vulnerability is a key problem in any system that guards or operates on sensitive user data. Failure to suitably design and implement an application, detect a problem or promptly apply a fix (patch) is likely to result in a privacy breach.” Make sure your organization has a program in place to assess cyber risks and do penetration tests and patches effectively.
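As an added example that is not part of the original post, here is one way to implement items 8 and 9 (together with the keyed-hashing point from item 2) in Python: authentication events keep a pseudonymised client IP so bypass attempts stay correlatable, while passwords are redacted before the line is ever written. The key, the field names and the sample events are constructed assumptions, not values from the post.

```python
"""Sanitise auth log events before writing them: redact credentials,
pseudonymise client IPs with a keyed hash (HMAC-SHA256)."""
import hashlib
import hmac
import ipaddress
import json
import re

# Constructed key for this example; in practice load it from a secrets
# store and rotate it so old log lines cannot be re-linked indefinitely.
PSEUDONYM_KEY = b"example-key-not-for-production"

# Hypothetical field names; extend to match your own schema.
SECRET_FIELDS = {"password", "passwd", "pwd", "secret", "token"}
IP_FIELDS = {"ip", "client_ip", "remote_addr"}

# Matches 'password=...' style leaks inside free-text messages.
PASSWORD_IN_TEXT = re.compile(r"(?i)\b(password|passwd|pwd)=[^&\s]+")


def pseudonymize_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of an IP: the same client stays correlatable while the
    key is in use, but the raw address is never stored. Rejects non-IPs."""
    packed = ipaddress.ip_address(ip).packed  # ValueError on garbage
    return "ip:" + hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Redact credentials that leaked into a message string."""
    return PASSWORD_IN_TEXT.sub(r"\1=[REDACTED]", text)


def sanitize_event(event: dict) -> dict:
    """Return a copy of one structured log event that is safe to persist."""
    clean = {}
    for key, value in event.items():
        if key.lower() in SECRET_FIELDS:
            clean[key] = "[REDACTED]"
        elif key.lower() in IP_FIELDS:
            clean[key] = pseudonymize_ip(value)
        elif isinstance(value, str):
            clean[key] = scrub_text(value)
        else:
            clean[key] = value
    return clean


def sanitize_log(lines):
    """Sanitise a stream of JSON-per-line events."""
    return [json.dumps(sanitize_event(json.loads(line)), sort_keys=True)
            for line in lines if line.strip()]


# Constructed sample events, not real traffic.
SAMPLE_LOG = [
    '{"event": "login_failed", "user": "bob", "ip": "203.0.113.7", "password": "hunter2"}',
    '{"event": "request", "ip": "203.0.113.7", "msg": "GET /login?user=bob&pwd=hunter2"}',
]

if __name__ == "__main__":
    print("\n".join(sanitize_log(SAMPLE_LOG)))
```

Encrypting the sanitised lines at rest (item 9) is a separate step for the log store; the point here is that nothing worth encrypting a password for should reach the log in the first place.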