Tips for achieving privacy law compliance

Applications that collect personal and sensitive data must comply with data protection laws. For application developers, identifying the relevant laws, extracting the rules and obligations they impose, and implementing them within the application can be extremely challenging, expensive, and risky if errors are made.

To achieve compliance, developers should consider privacy during the whole application development life cycle.

This is also known as the Privacy by Design principle and is one of the fundamental principles of the forthcoming EU General Data Protection Regulation (GDPR). Achieving compliance means fulfilling different types of rules and obligations, which we group into three categories:

  • Administrative requirements, e.g. collecting consents, notifying Data Protection Authorities, writing a Privacy Impact Assessment;
  • Technological requirements, e.g. implementing safeguards such as encryption or access control;
  • Physical requirements, e.g. ensuring the physical safety of, and controlling physical access to, servers and documents.

Identifying service liability chain

To identify exactly which requirements they need to fulfil for each application, developers first need to understand their role within the service liability chain. Under EU law there are three roles:

  • Data Subject: the individual whom the personal/sensitive data is about.
  • Data Controller: whoever determines the contents and use of personal data. Controllers are usually legal entities such as companies, government departments or voluntary organisations, but they can also be individuals, such as app developers distributing their own apps.
  • Data Processor: whoever processes personal data on behalf of a Data Controller for a specific purpose (e.g. marketing, accounting).

For example, application developers act as:

  • Data Controllers when they provide their services directly to consumers/subjects (typical for fitness or disease tracking apps, e.g. diabetes tracking);
  • Data Processors when they sell their services to health or public institutions (e.g. apps that physicians, hospitals or private clinics deliver to their patients).

The ultimate guide on GDPR and HIPAA compliance

Download our FREE eBook now

Obligations for Data Controllers managing personal data

Data controllers that manage personal data must:

  • Ensure that subjects' rights are observed (e.g. inform them and give them access to their data);
  • Ensure that data is collected only for specified, explicit and legitimate purposes;
  • Ensure that the criteria that make data processing legitimate are observed, e.g. by providing clear consent forms, privacy policies, contracts, or by relying on a legal obligation;
  • Ensure the confidentiality of the processing;
  • Ensure that, when data is transferred to countries outside the EU, those countries guarantee an adequate level of protection;
  • Delete data once customers leave the service.

Processing ordinary personal data usually carries lighter security and administrative obligations. This is not the case when Data Controllers manage sensitive data, such as health data.

Obligations for Data Controllers managing sensitive data

In addition to the obligations that apply to personal data, Data Controllers need to:

  • Obtain explicit consent from the data subjects enrolled in the service, as required by the Data Protection Directive (95/46/EC);
  • Notify the supervisory Data Protection Authority, which has monitoring and complaint investigation functions;
  • Ensure that administrative staff have access only to non-sensitive data;
  • Ensure that all employees and third parties have been trained on privacy and have signed a contractual commitment to confidentiality.

Implement technical safeguards according to best practices in data protection techniques, including:

  • Access control (authentication and authorisation) procedures;
  • Secure transmission between the mobile app and the server (TLS);
  • Data encryption (both at rest and in transit) and integrity verification on the server side;
  • Audit of all accesses to data, tracked and documented by the system;
  • Protection of the logical security perimeter of the server;
  • Prevention of unauthorised physical access to the IT infrastructure;
  • Pseudonymisation or anonymisation wherever possible;
  • A limited retention period;
  • A data storage location chosen in accordance with the applicable legal requirements;
  • Recording of unauthorised access attempts, reported immediately to the Data Controller.

In addition, a risk assessment is recommended in order to identify any further safeguards that may be needed.
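
Several of the safeguards above (pseudonymisation, role-based access to sensitive fields, auditing of every access attempt, reporting of denied attempts, and a limited retention period) can be illustrated in a few dozen lines. The following is an added example written for this article, not code from Chino or from any product; the key, the user roles, the sensitive-field list and the patient record are all constructed for the demonstration. Encryption at rest and TLS are deliberately left out, since they belong to the storage and transport layers rather than to application logic.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed demo key. In a real deployment this lives in a KMS/HSM or a
# secrets manager, never in source code.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-use-in-production"

# Which fields count as sensitive (health) data and which roles may read them
# (constructed policy: administrative staff see only non-sensitive data).
SENSITIVE_FIELDS = {"diagnosis", "glucose_mmol_l"}
ROLE_MAY_READ_SENSITIVE = {"clinician": True, "admin": False}


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable for the same input under the same key,
    but not reversible or recomputable by anyone who lacks the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class AuditEntry:
    when: datetime
    user: str
    role: str
    pseudonym: str
    field: str
    allowed: bool


class HealthRecordStore:
    """In-memory store that enforces role-based access to sensitive fields,
    audits every access attempt and purges records past their retention period."""

    def __init__(self, retention_days: int, user_roles: dict):
        self.retention = timedelta(days=retention_days)
        self.user_roles = user_roles          # constructed: user -> role
        self.records = {}                     # pseudonym -> (collected_at, fields)
        self.audit_log = []

    def store(self, identifier: str, fields: dict, now: datetime) -> str:
        """Key the record by pseudonym so the raw identifier never sits next to the data."""
        pid = pseudonymize(identifier)
        self.records[pid] = (now, dict(fields))
        return pid

    def read(self, user: str, identifier: str, field: str, now: datetime):
        """Return a field value, or None if the caller's role may not see it.
        Every attempt, allowed or not, is written to the audit log."""
        role = self.user_roles.get(user, "unknown")
        pid = pseudonymize(identifier)
        allowed = field not in SENSITIVE_FIELDS or ROLE_MAY_READ_SENSITIVE.get(role, False)
        self.audit_log.append(AuditEntry(now, user, role, pid, field, allowed))
        if not allowed or pid not in self.records:
            return None
        return self.records[pid][1].get(field)

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than the retention period; returns how many were removed."""
        expired = [pid for pid, (collected, _) in self.records.items()
                   if now - collected > self.retention]
        for pid in expired:
            del self.records[pid]
        return len(expired)

    def unauthorized_attempts(self) -> list:
        """Denied accesses: the entries the Data Controller should be alerted on."""
        return [e for e in self.audit_log if not e.allowed]


def demo() -> dict:
    """Walk through store, allowed read, denied read and retention purge on constructed data."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = HealthRecordStore(retention_days=365,
                              user_roles={"dr_rossi": "clinician", "helpdesk1": "admin"})
    patient = "patient-0001@example.com"  # constructed identifier
    store.store(patient, {"diagnosis": "type 1 diabetes",
                          "glucose_mmol_l": 6.2,
                          "next_visit": "2024-02-01"}, t0)
    return {
        "clinician_reads_diagnosis": store.read("dr_rossi", patient, "diagnosis", t0),
        "admin_reads_diagnosis": store.read("helpdesk1", patient, "diagnosis", t0),
        "admin_reads_next_visit": store.read("helpdesk1", patient, "next_visit", t0),
        "denied_count": len(store.unauthorized_attempts()),
        "purged_after_366_days": store.purge_expired(t0 + timedelta(days=366)),
        "records_left": len(store.records),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points are worth noting. The pseudonym is a keyed HMAC rather than a plain hash, because a plain SHA-256 of an e-mail address or national ID can be reversed by anyone who can enumerate the input space; with the key held outside the application the pseudonym stays usable as a join key without being re-identifiable. The audit log records denied attempts as well as successful ones, which is what makes the "record and report unauthorised access attempts" obligation implementable: the `unauthorized_attempts()` list is the feed that should raise an alert to the Data Controller.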

Complying with data protection laws is challenging. To make satisfying all of these requirements easier, we have built Chino. We offer developers a service that is cost effective, simple to use, secure, tailored to customers' needs and fully compliant with current EU laws and guidelines for health data management.
