Building GDPR compliant software with IriusRisk
The EU General Data Protection Regulation (GDPR) comes into effect on the 4th May 2018 and has wide-ranging implications for any company, anywhere, that processes the personal data of EU citizens. A lot has been written about how the GDPR applies at the organisation level and what general controls should be in place to comply with the regulation. But the GDPR also has implications for building software applications.
All software that handles personal data of EU citizens will have additional functional and non-functional requirements that were previously not necessary.
What’s more, these requirements will differ depending on the type of functionality offered by the component in your application. For example, a web application that exposes a web UI to end users would be required to display and capture explicit consent from the user for processing their data and include specific information in the privacy notice that states the purposes of data processing. These can be regarded as new functional requirements for every web application that processes EU citizens’ data, but these would not apply to a private backend web API that processes the same data but exposes no UI to the end user.
Similarly, there are a number of non-functional requirements that are only applicable to components that store EU citizens’ data. For example, it should be possible to completely delete a specific user’s data at their request (including from backups) and an automatic deletion process should be triggered when the data retention period expires.
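As an added illustration (not IriusRisk's own code or rule set), the Python below sketches how a questionnaire-style rule set could derive the component-specific requirements described above, and how a storage component could meet the two non-functional ones: erasure on request including backups, and automatic deletion once the retention period expires. The component attributes, requirement identifiers and sample records are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

@dataclass
class Component:
    name: str
    processes_eu_personal_data: bool
    exposes_user_ui: bool        # e.g. a web application with a UI for end users
    stores_personal_data: bool   # e.g. a database or file store

def gdpr_requirements(c: Component) -> Set[str]:
    """Hypothetical rule set: requirements depend on what the component does."""
    reqs: Set[str] = set()
    if not c.processes_eu_personal_data:
        return reqs
    if c.exposes_user_ui:  # functional requirements only for UI-facing components
        reqs |= {"capture-explicit-consent", "privacy-notice-states-purposes"}
    if c.stores_personal_data:  # non-functional requirements only for stores
        reqs |= {"erase-on-request-incl-backups", "auto-delete-at-retention-expiry"}
    return reqs

@dataclass
class PersonalDataStore:
    retention_days: int
    primary: Dict[str, Tuple[dict, date]] = field(default_factory=dict)  # user -> (record, created)
    backups: List[Dict[str, dict]] = field(default_factory=list)         # backup snapshots

    def erase_user(self, user_id: str) -> int:
        """Right to erasure: drop the user from the live store and from every backup."""
        removed = 1 if self.primary.pop(user_id, None) is not None else 0
        for snapshot in self.backups:
            if snapshot.pop(user_id, None) is not None:
                removed += 1
        return removed

    def expired_users(self, today: date) -> List[str]:
        """Users whose retention period has elapsed as of `today`."""
        cutoff = today - timedelta(days=self.retention_days)
        return sorted(uid for uid, (_, created) in self.primary.items() if created <= cutoff)

    def retention_sweep(self, today: date) -> List[str]:
        """Automatic deletion triggered by retention expiry; returns the erased user ids."""
        due = self.expired_users(today)
        for uid in due:
            self.erase_user(uid)
        return due

# Constructed sample: two users, one of whom also appears in an older backup snapshot.
SAMPLE = PersonalDataStore(retention_days=30)
SAMPLE.primary["alice"] = ({"email": "alice@example.invalid"}, date(2018, 1, 1))
SAMPLE.primary["bob"] = ({"email": "bob@example.invalid"}, date(2018, 3, 1))
SAMPLE.backups.append({"alice": {"email": "alice@example.invalid"}})
```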
So how do you educate your security team and your development teams in building GDPR compliant software? Do they all have to read and understand the entire regulation before building their applications?
Since IriusRisk is based on components, questionnaires and risk patterns, we've done this legwork for you. By providing accurate answers to the questions when designing a new application (or reviewing an existing one), IriusRisk will automatically apply the appropriate set of security requirements to help comply with the GDPR and push those requirements to your development teams' issue trackers, so that they have actionable tasks right in their main task dashboard.
The security and compliance teams can view the status of these requirements as well as the impact of the risks in the IriusRisk console. No more shuffling documents, spreadsheets and emails to find out what the compliance state of a piece of software is.