SEC 126 Developing Software For GDPR Compliance
About The Developing Software For GDPR Compliance Course
GDPR for developers is a training program that will helps software developers and system engineers to implement GDPR compliance into their software development Lifecyle. When creating software, data protection and privacy by default should be part of the software development Lifecyle. This training is intended to provide software developers an overview of GDPR from the software and database development perspective.
Key Features of the Training:
Every developer is also expected to understand and implement the following GDPR concepts:
- Conduct a Data Flow Mapping.
- Data classification.
- How to apply the 7 Principles of Privacy by Design.
- Managing code repo and deployment practices.
- Secure your data at rest and in transit.
- Ensure that you have appropriate access controls for Personal Information.
- Enforcement of the organization Data Retention Policy.
- Anonymize and Pseudonymise data.
- Review third third-party processors.
- Review how employees access and process personal information using BYOD.
- Ensure your data hosting arrangements meets to GDPR compliance level.
- Understand automated decision-making and profiling.
- Understand and assess the basis of processing personal information.
GDPR Data protection Principles
Data protection by design
- The use of pseudonymisation (replacing personally identifiable material with artificial identifiers).
- Encryption (encoding messages so only those authorised can read them).
Data protection by default
- Ensure user profile settings is in the most privacy-friendly setting.
- How to assure the users’ profile isn’t accessible by default to an indefinite number of persons.
Data loss Protection
Detects potential data breaches/data loss and prevents them by monitoring, detecting and blocking sensitive data while in-use, in-motion, and at-rest.
Choosing the right authentication scheme.
- What should I consider when implementing a password system?
- How should we store passwords?
- How should our users enter their passwords?
- What requirements should be set for user passwords?
- What should we do about password expirations and resets?
- What defenses can be put in place against attacks?
Building encryption into your application
- Encryption and data storage
- Encryption and data transfer
- What types of encryption are there?
- How should we implement encryption?
Ensure data integrity and confidentiality
Authentication scheme for GDPR compliance
To comply with GDPR the organization must comply with the security principles of ‘integrity and confidentiality’ The security principle requires you to take appropriate technical and organizational measures to prevent unauthorized processing of personal data you hold. To uphold these tenants’ security have to be build into your technological design.
Building the GDPR User Rights into systems
- Consent – A clear and affirmative action from users is required to possess and process their personal data.
- Right to Access – An individual has the right to know what personal data you have and what you are doing with it.
- Right to Erasure – An individual has the right to require the deletion of their personal data if the continued processing is not justified.
- Data Portability – Individuals have the right to require companies transmit their personal data to another company.
- Breach Notification – Individuals must be notified with 72 hours of a data breach involving their personal data.
- Privacy by Design – Data protection must be incorporated into the design of systems from the beginning, not just added later. And companies can only hold and process the data absolutely necessary to complete its duties (data minimalization) and limit the access to that data.
Implementing Right to Limited Processing
- Restriction of Processing:Users have the right to “restrict” processing, which means their data cannot be used or leveraged further without the user’s explicit consent.
- Erasure:All users must have the option to be forgotten or deleted from the system.
Data Portability: All collected data and information must be portable so users can export contents and view or read it in a proper format.
- Rectification:The option or ability to fix personal data that is inaccurate or incomplete.
- View Data:Every user has the right to be informed about data collection and use, including information outside of standard terms and conditions.
- Access:Any data collected, processed, or stored should be visible to the relevant user at all times.
This training course is intended for professionals who are involved in any form with software development and needs to design software to meet the GDPR requirements. The training is ideal for those working in positions such as, but not limited to: