- European regulation
- Personal data
- What is the GDPR purpose?
- First principle : User consent
- Second principle : Processing is necessary for the performance of a task.
- Third principle : limited and relevant data must be collected for processing.
- Fourth principle : data must be accurate and, where necessary, kept up to date.
- Fifth principle : personal data must be erased when no longer necessary for processing
- Sixth principle : guarantee data security
- Obligations toward data subjects and the supervisory authority
- Obligations toward data subjects
- Obligations toward the supervisory authority
- The solutions proposed by WINDEV/WEBDEV and WINDEV Mobile to help you
- A GDPR audit in WINDEV
- Anonymization and pseudonymization
GDPR: General Data Protection Regulation
The General Data Protection Regulation (GDPR) came into force on May 25 2018, and must be implemented on existing applications, current and forthcoming development projects!
Let's see a quick summary of obligations issued from GDPR as well as the WINDEV, WEBDEV and WINDEV Mobile tools that can be used to implement GDPR.
The European Regulation is a binding legislative act that must be applied in its entirety across the EU.
This law enforces the access, the use and the distribution of personal data. Any company that is handling personal data is concerned with GDPR!
The GDPR applies to ‘personal data' meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. : last and first names, date of birth, address, email, etc.
What is the GDPR purpose?
First principle : User consent
The user must explicitly give his consent for processing operations.
An explicit consent
For a site, let's see 3 obligations to respect:
- Don't use pre-ticked boxes or any other type of default consent.
- Give a specific right to withdraw consent.. Make it easy for individuals to withdraw their consent at any time.
- Keep records to evidence consent - who consented, when, how, and what they were told.
An implicit consent
The consent is not required when processing is necessary in order to protect the vital interests of the data subject.
For example, when the customer places an order, an invoice must be generated and the products must be sent to him, ... therefore, personal data must be handled (first and last names, etc.)
Consent is not required in 3 cases:
- If the consent is required to run the contract or service. An order cannot be shipped to customer without knowing his personal details.
- If the consent is required to respect a legal obligation. This applies to orders for example : tjey must be kept during 10 years. To respect this obligation, data must be stored during 10 years.
- If the consent is required for legitimate interests. This applies to health data for example.
Second principle : Processing is necessary for the performance of a task.
Individuals have the right to be informed about the collection and use of their personal data. For example, if you've got the user consent to send commercial information, this data cannot be used for statistical purpose.
Third principle : limited and relevant data must be collected for processing.
You must collect limited data for processing. For example, the data of birth is not required to process a customer order. Therefore, asking for the date of birth is illegal when processing an order.
Caution : all thes rules apply to metadata as well. A metadata is for example the IP address with which the user connects, or the header of incoming emails.
Similarly, only limited data must be given to a provider if necessary.
Fourth principle : data must be accurate and, where necessary, kept up to date.
The data must be accurate and stores for no longer than necessary : an inaccurate email address must be erased or rectified without delay.
Fifth principle : personal data must be erased when no longer necessary for processing
Personal data should not be retained for longer than necessary in relation to the purposes for which they were collected.
Sixth principle : guarantee data security
A main principle is used to guarantee data security : Privacy by Design. But "basic" security principles also exist:
- Encrypt data (for the HFSQL databases, all you have to do is specify it in the data model editor).
- Protect the databases via identifiers: user identifiers/passwords from the HFSQL Control Center.
- Protect the opening of data files by password (HPass on HFSQL databases).
- Encrypt the communications (HFSQL allows you to restrict the opening of connections to encrypted connections) and use SSL (https).
Obligations toward data subjects and the supervisory authority
Obligations toward data subjects
GDPR does not stop here, obligations exist toward data subjects. In addition to user consent, you will find:
- the right to be forgotten: the data subject shall have the right to obtain the erasure of personal data .
- the right to portability: the data subject shall have the right to receive his/her personal data (to do so, several export features are available in WINDEV: Excel, XML, the HToFile function, JSON serialization, etc.).
Obligations toward the supervisory authority
Obligations exist toward the supervisory authorities. In France, this role will be assigned to CNIL.
For example, a DPO will have to be assigned to the companies exceeding 250 employes.
The DPO (Data Protection Officer) must check whether the company complies with a set of obligations defined in GDPR
In case of personal data breach, the controller shall without undue delay and no later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
Each company shall maintain a record of processing activities under its responsibility.
This record of processing activities contains the list of all company processes that use, store or handle personal data.
The solutions proposed by WINDEV/WEBDEV and WINDEV Mobile to help you
A GDPR audit in WINDEV
WINDEV, WEBDEV and WINDEV Mobile already propose several options to guarantee the data security.
To simplify the identification and the tracking of personal data in a WINDEV, WEBDEV or WINDEV Mobile application, a new GDPR audit is available in version 23.
In the data model editor, all you have to do is identify the items containing personal data affected by GDPR.
Then, starting the GDPR audit allows you to get a set of tips as well as the location of data use. You even have the ability to generate the base of "Records of processing activities" document.
Anonymization and pseudonymization
The best solution being not to use personal data, the anonymous data is not impacted by GDPR.
The "pseudonymisation" is recommended for ay other use ; it consists in using pseudonymised data (via a GUID identifier for example) instead of personal data.
This page is also available for…