The General Data Protection Regulation (GDPR) is an EU-wide regulation, not a directive: it applies directly in every member state without national implementing law, and it sets a single framework for how personal data may be collected, stored, used and disposed of. If you develop or license any software that processes the personal data of people in the EU, whether or not your organisation is based there, you need to be aware of the GDPR’s requirements on lawful processing, data security and user consent. Meeting them usually involves both direct communication with the user (notices and consent prompts) and behind-the-scenes engineering to keep their data secure.
End-User Licence Agreements
The GDPR does not itself require an End User Licence Agreement (EULA): the EULA is a licensing contract, and compliance comes from the GDPR’s transparency and consent rules, which desktop software in practice often satisfies through the EULA or an accompanying privacy notice. Whichever document carries them, the information given to the user must be concise, transparent and intelligible to an ordinary adult reader (no ‘boilerplate’, 100-page-plus agreements buried in legalese) and must state plainly what will happen to any personal data entered into the program: what is collected, for what purpose, on what legal basis, who it is shared with and how long it is kept. Where processing relies on the user’s consent, that consent must be a freely given, specific and unambiguous affirmative act: the user must be given a clear, advertised opportunity to accept or decline, consent to data processing cannot be bundled into acceptance of the licence as a whole, and it must be as easy to withdraw as it was to give.
Online Software
If you offer access to an online application that sets cookies or similar identifiers, the rules come from the ePrivacy Directive as well as the GDPR. Cookies that are strictly necessary to deliver the service the user asked for (a session cookie backing a login, for example) can be set without consent, but tracking, analytics and advertising cookies require informed consent before they are set, not a banner shown after the fact. Users must be told what the cookies do and be given a genuine choice to accept or decline; pre-ticked boxes and ‘by continuing to browse you agree’ notices do not count as consent. If you offer different levels of interactivity and experience tailoring via cookies, users must be able to choose the specific configuration they want, and declining the optional cookies must not lock them out of the basic service.
Storing & Handling Personal Data
All personal data collected by GDPR-compliant software must be protected by technical and organisational measures appropriate to the risk (Article 32): encryption in transit and at rest, pseudonymisation where the processing allows it, access control so that only staff with a genuine need can read the data, and the ability to restore it after an incident. Confidential databases should sit on isolated, hardened servers rather than alongside public-facing services. Data collected for one purpose must not be shared with other systems or other organisations unless there is a lawful basis for the new use, which in most customer-facing cases means the explicit permission of each customer, client or provider concerned. Any statistics or other datasets derived from personal data must be anonymised so that individual entries cannot be re-identified, even in case studies.
Data Deletion Requests
If a user asks you to erase their data (the ‘right to erasure’, Article 17) or cancels the service you provide, you must make sure that ALL of their personal data is permanently deleted from every system that holds it, backups and third-party processors included, unless retention is required to meet a legal obligation or for the establishment, exercise or defence of legal claims. In that case only the data the obligation actually needs should be kept, and the user should be told what was retained and why. The GDPR also does not allow you to gather or use personal data that has no specific, documented purpose relevant to what your organisation does (purpose limitation and data minimisation), or to keep it longer than that purpose requires (storage limitation). Data that is excessive for its purpose, ages beyond the point of reasonable use, or becomes irrelevant must be deleted or anonymised.
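The two rules above (erase on request except where a legal obligation forces retention, and purge data whose purpose has lapsed or was never documented) are easier to get right when they are encoded as one routine rather than left to ad-hoc scripts. The following is an added illustration written for this page, not Brandon Cross’s code or a library API; the store layout, the purpose names, the retention periods and the fixed clock are all assumptions, and the sample records are constructed.

```python
"""Hypothetical erasure and retention handling for a small personal-data store.

Added example for illustration only. Purposes, retention periods and the
record layout are assumptions, not a real policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Retention period per documented processing purpose (assumed values).
# Age is measured from collection here for simplicity; a real policy would
# usually count from account closure or the end of the contract.
RETENTION: Dict[str, timedelta] = {
    "account": timedelta(days=30),
    "invoice": timedelta(days=6 * 365),  # e.g. a tax-record obligation
    "analytics": timedelta(days=365),
}

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the example


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_at: datetime
    data: dict
    legal_hold: bool = False  # retention required by law or for a legal claim


class PersonalDataStore:
    def __init__(self) -> None:
        self.records: List[Record] = []

    def add(self, rec: Record) -> None:
        self.records.append(rec)

    def erase_subject(self, subject_id: str) -> Dict[str, int]:
        """Erasure request: drop every record of the subject except those under
        legal hold. Held records are retained and counted so the reply to the
        user can state what was kept and why."""
        kept: List[Record] = []
        erased = retained = 0
        for rec in self.records:
            if rec.subject_id != subject_id:
                kept.append(rec)
            elif rec.legal_hold:
                retained += 1
                kept.append(rec)
            else:
                erased += 1
        self.records = kept
        return {"erased": erased, "retained_legal_hold": retained}

    def retention_sweep(self, now: datetime = NOW) -> Dict[str, int]:
        """Purge records whose retention period has lapsed, and records whose
        purpose is not documented in RETENTION at all (no purpose, no basis to
        keep them). Records under legal hold are never swept."""
        kept: List[Record] = []
        expired = no_purpose = 0
        for rec in self.records:
            if rec.legal_hold:
                kept.append(rec)
            elif rec.purpose not in RETENTION:
                no_purpose += 1
            elif now - rec.collected_at > RETENTION[rec.purpose]:
                expired += 1
            else:
                kept.append(rec)
        self.records = kept
        return {"expired": expired, "no_purpose": no_purpose}


def build_sample_store() -> PersonalDataStore:
    """Constructed sample records (not real data)."""
    utc = timezone.utc
    store = PersonalDataStore()
    store.add(Record("u1", "account", datetime(2023, 12, 20, tzinfo=utc), {"email": "u1@example.com"}))
    store.add(Record("u1", "invoice", datetime(2020, 6, 1, tzinfo=utc), {"amount": 120}, legal_hold=True))
    store.add(Record("u1", "analytics", datetime(2023, 6, 1, tzinfo=utc), {"pages": 14}))
    store.add(Record("u2", "account", datetime(2023, 11, 1, tzinfo=utc), {"email": "u2@example.com"}))
    store.add(Record("u2", "legacy_export", datetime(2023, 12, 30, tzinfo=utc), {"blob": "..."}))
    store.add(Record("u2", "invoice", datetime(2023, 5, 1, tzinfo=utc), {"amount": 80}))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.erase_subject("u1"))  # {'erased': 2, 'retained_legal_hold': 1}
    print(s.retention_sweep())    # {'expired': 1, 'no_purpose': 1}
    print(len(s.records))         # 2
```

The two counts returned by `erase_subject` are what you would put in the written response to the user: the number of records removed and the number kept under a legal obligation. Note that a record with a purpose nobody documented is treated as data without a basis and purged by the sweep, which is the practical consequence of the purpose-limitation rule.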
Requesting Data From Users
Similarly, there are strict restrictions on what data software may reasonably ask of its users. The GDPR singles out ‘special categories’ of personal data (Article 9): health and medical records, genetic and biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and sex life or sexual orientation. Processing these is prohibited unless one of the narrow exceptions applies, in practice usually the user’s explicit consent or a genuine necessity for the service you provide, so do not ask for them ‘just in case’. Other sensitive but non-special data, such as credit history, is still subject to the data-minimisation rule: collect it only if it is actually needed for the service you are offering.
GDPR-Compliant Software Development From Brandon Cross
At Brandon Cross, all our bespoke software is designed to be fully GDPR-compliant. We’ll talk you through what you’ll need to do to make sure that your customer data is kept safe, secure, and legal under EU law. Call or email us today for more information.