In our latest mini blog series surrounding GDPR, xDesign's Head of Web Development, Chris Moss, takes a look at how GDPR will affect software development and how transparent data encryption can help you when adhering to the upcoming GDPR regulations.
With GDPR at all our doorsteps, everyone has (hopefully!) been busy preparing, checking and confirming that they have all of their bases covered when it comes to data privacy and protection. In the software development industry we are doing the same; however, we have a few unique challenges when it comes to meeting the demands of the new legislation. Perhaps the most obvious challenge we face is the way that we could end up building with, and handling, your clients' and/or your clients' clients' data, especially if what you are building has a publicly accessible interface. Some food for thought?
What is Transparent Data Encryption?
A great way to deal with some data concerns is with Transparent Data Encryption (TDE). TDE works on an “at-rest” principle, meaning that all data is encrypted whilst the database is not being asked to provide any of that data. Decryption only happens when the application requests data; the database then handles this directly on the server itself, using its own engine and two-key authentication: a master key and a client key. Only if these keys are accepted will the data be returned to the client requesting it.
Back to the circumstance of using clients' data, or real or live data in general: the best-practice approach is not to use it at all, as with GDPR this just opens up too many issues. Getting around this is simple: you can utilise a system (or systems) to generate, or seed, fake data that correctly represents the columns and fields of the real live data. This will help you to create the APIs, web applications and mobile applications whilst they are going through the development process. It removes the concerns of seeing, accessing and using real data and having full access to private information whilst you work on a project through its life cycle. The fake data is usually randomly generated, and the generated values have no association with each other.
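As an added illustration of seeding (this is not xDesign's own tooling), the Python sketch below fills a development table with synthetic customers whose fields are drawn independently of one another. The `customers` schema, the name lists and the `seed.test` mail domain are assumptions made up for the example.

```python
import random
import sqlite3
import string
from datetime import date, timedelta

# Constructed name lists for the example; nothing here comes from real records.
FIRST = ["Alex", "Sam", "Jordan", "Morgan", "Casey", "Robin", "Jamie", "Taylor"]
LAST = ["Reid", "Fraser", "Murray", "Grant", "Shaw", "Hunter", "Boyd", "Kerr"]

SCHEMA = """CREATE TABLE customers (
    id INTEGER PRIMARY KEY, full_name TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE, phone TEXT NOT NULL,
    date_of_birth TEXT NOT NULL, postcode TEXT NOT NULL)"""

def fake_customer(rng, n):
    """Build one synthetic row; every field is drawn independently."""
    first, last = rng.choice(FIRST), rng.choice(LAST)
    # .test is a reserved TLD (RFC 2606), so a stray mail job cannot reach anyone.
    email = f"{first}.{last}.{n}@seed.test".lower()
    # 07700 900000-900999 is the UK mobile range Ofcom reserves for fiction.
    phone = f"07700 900{rng.randrange(1000):03d}"
    dob = date(1950, 1, 1) + timedelta(days=rng.randrange(20000))
    # Postcode-shaped value with a placeholder "ZZ" area; format only.
    letters = "".join(rng.choices(string.ascii_uppercase, k=2))
    postcode = f"ZZ{rng.randint(1, 99)} {rng.randint(0, 9)}{letters}"
    return (f"{first} {last}", email, phone, dob.isoformat(), postcode)

def seed(conn, rows, seed_value=0):
    """Create the table, insert `rows` synthetic customers, return the row count."""
    rng = random.Random(seed_value)  # fixed seed: every developer gets the same data
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO customers (full_name, email, phone, date_of_birth, postcode)"
        " VALUES (?, ?, ?, ?, ?)",
        (fake_customer(rng, n) for n in range(rows)),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(seed(db, 200), "synthetic rows inserted")
    print(db.execute("SELECT * FROM customers LIMIT 3").fetchall())
```

Because the generator is seeded, the same call reproduces the same dataset on every machine, which keeps test fixtures stable without copying anything out of production.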
Privacy By Design
One of the first things that is often assumed is that there are levels of data security, with different degrees of importance attached to them. With GDPR, that's an assumption that will undoubtedly lead you down a bad path. Instead of looking at “normal” personal data as some sort of scaled thing, you should, especially now, treat all data as something that requires privilege to access, ask who is accessing it, and protect it. This brings the philosophy of Privacy by Design heavily into focus.
Privacy by Design isn't really a step-by-step guide or a set of rules to follow, but more of an ethos: thinking about the features you are building and how you will deliver these sections of work, then asking who would need to access this data and why. What you build for your client needs careful consideration by you and your team, so that you deliver the best solution: one that takes best practice into account and ensures you are doing everything in your power to keep the data you present, create and update as protected as it can be.
A first-step approach is always to look at how you are handling the data at the database level. Certainly in our case, this means that if you need to encrypt part of the data stored, don’t just encrypt that individual section or part of the data. Instead, take a more long-term, maintainable approach and set the encryption at the database level; this should be set up as Transparent Data Encryption. I truly believe that this is a first-step approach that should not be overlooked, especially now. Don’t leave yourself or your client vulnerable.
At xDesign, we always design our mobile and web applications with a privacy-first ethos and are always looking at the most up-to-date ways to keep our clients' and their clients' data as secure as possible. Want to know more? Check out our latest blog on our top tips for building GDPR-compliant apps or contact us to find out how we can help.