Series: Security and Data Privacy
Data privacy
Adhere to the principles of data protection
To adhere to the principles of data protection, do the following:
- Identify and document the need for processing each category of personal data. If you cannot identify the need for processing the data, do not process it. Once you have identified the need for processing the data, do not process it for any purpose other than the identified need.
- Process only the minimum personal data required for your needs, and ensure that the data is adequate for the identified need.
- Ensure that the personal data is accurate. If the data is inaccurate, ensure that the required mechanisms are in place to update it.
- Process the personal data only for the required period. Once the data is no longer needed, delete it. Document retention schedules that describe how long each category of personal data is kept and when it is deleted.
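The four principles above map onto a small amount of code: a documented inventory of data categories (need, minimum fields, retention period), a gate that refuses any processing request the inventory does not cover, and a sweep that finds records whose retention period has elapsed. The following is an added example, not code from the original page or from any platform; the category names, purposes, field sets and retention periods are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example inventory: one entry per category of personal data that the
# application has a documented need to process.  A category that is absent has no
# identified need and is never processed.  Names and periods are assumptions.
@dataclass(frozen=True)
class DataCategory:
    name: str
    purpose: str            # the single identified need this category serves
    fields: frozenset       # the minimum attributes required for that need
    retention_days: int     # how long the data may be kept after collection


INVENTORY = {
    "contact": DataCategory("contact", "order_fulfilment",
                            frozenset({"email", "postal_address"}), 365),
    "payment": DataCategory("payment", "order_fulfilment",
                            frozenset({"card_last4"}), 90),
}


class ProcessingNotPermitted(Exception):
    """Raised when a processing request is not covered by a documented need."""


def check_processing(category: str, purpose: str, requested_fields: set) -> set:
    """Gate a processing request against the inventory.

    Returns the permitted field set, or raises ProcessingNotPermitted when the
    category is undocumented, the purpose differs from the documented need, or
    the request asks for more fields than the documented minimum."""
    entry = INVENTORY.get(category)
    if entry is None:
        raise ProcessingNotPermitted(f"no documented need for category {category!r}")
    if purpose != entry.purpose:
        raise ProcessingNotPermitted(
            f"{category!r} is documented for {entry.purpose!r}, not {purpose!r}")
    excess = set(requested_fields) - entry.fields
    if excess:
        raise ProcessingNotPermitted(
            f"fields {sorted(excess)} exceed the documented minimum for {category!r}")
    return set(requested_fields)


def is_permitted(category: str, purpose: str, requested_fields: set) -> bool:
    """Boolean form of check_processing for callers that only need yes/no."""
    try:
        check_processing(category, purpose, requested_fields)
        return True
    except ProcessingNotPermitted:
        return False


@dataclass(frozen=True)
class Record:
    subject_id: str
    category: str
    collected_on: date


def expired_records(records, today: date) -> list:
    """Return the records that must be deleted: their retention period has
    elapsed, or their category no longer has a documented need."""
    due = []
    for record in records:
        entry = INVENTORY.get(record.category)
        if entry is None:
            due.append(record)          # no identified need: do not keep it
            continue
        if today > record.collected_on + timedelta(days=entry.retention_days):
            due.append(record)
    return due


# Constructed sample records and a constructed "today" for the retention sweep.
SAMPLE_RECORDS = [
    Record("s1", "contact", date(2024, 1, 1)),
    Record("s1", "payment", date(2024, 1, 1)),
    Record("s2", "browsing_history", date(2024, 5, 1)),   # category never documented
]
DEMO_TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    for r in expired_records(SAMPLE_RECORDS, DEMO_TODAY):
        print("delete", r)
```

Running the sweep on the constructed sample flags the payment record (90 days elapsed) and the browsing-history record (no documented need), while the contact record is kept because its 365-day period has not run out. The gate and the sweep both read the same inventory, so the documented need, the minimum field set and the retention period cannot drift apart.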
Make sure that personal data is secure
The security of personal data is considered along with the overall security of the application. You use secure coding techniques to reduce the possibility of an attacker compromising the application and the personal data. You test the application at all levels and consider obtaining the services of professional ethical hackers (penetration testers) who attempt to compromise the application. You encrypt personal data wherever possible. You ensure that appropriate access controls are in place so that only the persons who must access personal data have access to it.
Allow individuals to exercise their rights
When an application processes the personal data of a data subject, that individual has specific rights bestowed upon them by privacy regulations. To fulfill an individual’s request, document where the personal data is processed within the application so that the request can be dealt with efficiently.
Data subjects have the right to access their data. You ensure that mechanisms are in place to provide a copy of the personal information processed by the application. Data subjects also have the right to request that you transfer their data to another organization or data repository. If such a request is made, you transfer the data in a structured, commonly used format. The personal data processed by the application must be accurate and up-to-date. If the data is not accurate and up-to-date, a data subject can request that the data be rectified.
A data subject can withdraw their consent, object to the processing of their data, or request that it be deleted. You must have mechanisms in place to enable the deletion of an individual’s data. Alternatively, a data subject can request that you stop processing their personal data for a specified purpose. In this case, you do not delete the personal data but stop processing it for the purpose identified.
Document the geographical location and accessibility of personal data
Privacy regulations set restrictions on where personal data is processed or mandate appropriate mechanisms for transferring data outside a specified country or region. If you are processing personal data outside the country or region where the data subject resides, you must identify the appropriate legal mechanism for transferring data to another country or region. Your customers must inform their customers and users about where the data is processed. You must pass this information on to your customers.
Consider the requirement of a feature to track data subject consent
The organizations using your application must obtain data subject consent in an appropriate manner to make the processing of personal data lawful. Depending on how data subjects interact with your application, you may need a mechanism to obtain their consent. If so, you must record how and when that consent was provided. You must also have mechanisms in place to remove that consent.
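The rights listed under "Allow individuals to exercise their rights" (access, portability, rectification, erasure, and restriction of processing for one purpose) and the consent tracking described just above all act on the same per-subject record, so they are easiest to reason about together. The following is an added example, not code from the original page or from any platform: an in-memory store with one method per right, a consent log that records how and when consent was given or withdrawn, and a single `may_process` gate that every processing path is expected to call. The subject ids, purposes, consent methods and storage layout are constructed assumptions.

```python
import json
from datetime import datetime, timezone


class SubjectStore:
    """Constructed in-memory store of personal data keyed by data subject id.
    Each subject holds data grouped by category, a consent log, and the set of
    purposes for which processing has been restricted (stopped but not deleted).
    Names, purposes and the storage layout are assumptions for this example."""

    def __init__(self):
        self._subjects = {}

    def _get(self, subject_id):
        return self._subjects.get(subject_id)

    def _get_or_create(self, subject_id):
        return self._subjects.setdefault(
            subject_id, {"data": {}, "consent": [], "restricted": set()})

    # --- storing and rectifying data ---
    def store(self, subject_id, category, values: dict):
        self._get_or_create(subject_id)["data"].setdefault(category, {}).update(values)

    def rectify(self, subject_id, category, **changes) -> bool:
        """Correct inaccurate data; False if the subject or category is unknown."""
        subject = self._get(subject_id)
        if subject is None or category not in subject["data"]:
            return False
        subject["data"][category].update(changes)
        return True

    # --- consent tracking: how and when consent was given or withdrawn ---
    def record_consent(self, subject_id, purpose, method, when=None):
        self._log_consent(subject_id, purpose, True, method, when)

    def withdraw_consent(self, subject_id, purpose, method, when=None):
        self._log_consent(subject_id, purpose, False, method, when)

    def _log_consent(self, subject_id, purpose, given, method, when):
        when = when or datetime.now(timezone.utc)
        self._get_or_create(subject_id)["consent"].append(
            {"purpose": purpose, "given": given, "method": method, "at": when.isoformat()})

    def has_consent(self, subject_id, purpose) -> bool:
        """The most recent log entry for the purpose decides."""
        subject = self._get(subject_id)
        if subject is None:
            return False
        entries = [e for e in subject["consent"] if e["purpose"] == purpose]
        return bool(entries) and entries[-1]["given"]

    # --- the gate every processing path should call ---
    def may_process(self, subject_id, purpose) -> bool:
        subject = self._get(subject_id)
        if subject is None:
            return False
        return self.has_consent(subject_id, purpose) and purpose not in subject["restricted"]

    # --- access, portability, restriction and erasure ---
    def export(self, subject_id):
        """Copy of everything held about the subject, or None if nothing is held."""
        subject = self._get(subject_id)
        if subject is None:
            return None
        return {"subject_id": subject_id,
                "data": {c: dict(v) for c, v in subject["data"].items()},
                "consent": list(subject["consent"]),
                "restricted": sorted(subject["restricted"])}

    def export_json(self, subject_id) -> str:
        """Portability: the same copy in a structured, commonly used format."""
        return json.dumps(self.export(subject_id), indent=2)

    def restrict(self, subject_id, purpose) -> bool:
        """Stop processing for one purpose; the data itself is kept."""
        subject = self._get(subject_id)
        if subject is None:
            return False
        subject["restricted"].add(purpose)
        return True

    def erase(self, subject_id) -> bool:
        """Delete everything held about the subject."""
        return self._subjects.pop(subject_id, None) is not None


if __name__ == "__main__":
    store = SubjectStore()                                   # constructed walk-through
    store.store("s1", "contact", {"email": "alice@example.invalid"})
    store.record_consent("s1", "newsletter", "web_form")
    print(store.may_process("s1", "newsletter"))             # True: consent on record
    store.restrict("s1", "newsletter")
    print(store.may_process("s1", "newsletter"))             # False: data kept, purpose stopped
    print(store.export_json("s1"))
```

The distinction the text draws between restriction and deletion is visible in the two methods: `restrict` leaves the data and the consent log in place and only blocks the named purpose at the gate, while `erase` removes the subject entirely. Because `may_process` is the only place that combines consent and restriction, a request to stop processing for one purpose takes effect everywhere without touching the individual processing paths.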
Make sure that appropriate contractual terms are in place with your customers
Privacy regulations distinguish between organizations acting as data controllers and organizations acting as data processors. Data controllers are organizations that determine the purposes and methods of processing the personal data. Data processors are organizations that process personal data on behalf of the data controller. In most cases, you are a data processor and your customer is the data controller. You must only process personal data on the instructions of the data controller. You or your customer must create a legal document that sets out those instructions. Ensure that you have signed the document.