What GDPR Article 6 Compliance Means for the Average App Developer

What GDPR Article 6 Compliance Means for the Average App Developer

Rebecca Yarbrough — March 29th, 2018

Scheduled to go into effect on May 25, 2018, the EU General Data Protection Regulation (GDPR) is set to bring about significant and widespread changes in the way that companies manage and protect consumer data. In fact, the very way that you think about data and the code that supports it about to change. While the more salient points of this federal law are often hidden behind a cloud of legalese, this simple breakdown will tell you everything you need to know about GDPR Article 6, one of the most critical GDPR points for developers.

What Is the GDPR?

The new law, to be enacted throughout the EU, applies to any company with EU operations or EU-based clients, creating a more uniformed approach to data protection while giving EU citizens more control, privacy and protection from data breaches. A violation of GDPR rules will prove costly, as companies may be fined up to 4 percent of their annual global revenue. Not having records in order, violating the consumer's right to be forgotten (Data Erasure) or failing to notify consumers and or regulatory agencies in the event of a data breach are just a few of the ways that organizations could find themselves in hot water.

GDPR Article 6: Lawfulness of Processing

This Article addresses one of the most fundamental issues making headlines across the world - what data businesses can collect from users and how they can use that information. According to the UK Information Commissioner's Office, GDPR stipulates there are only 6 valid bases for processing personal data:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The most relevant for many app developers is "consent."  Under Article 6, the "data subject" must give consent for the use of their data. If data is to be used for a purpose other than that to which the consumer originally consented, the "data controller" must determine if this new purpose is appropriate. Key considerations include the relationship between the two uses, the context in which the data was acquired and whether or not data safeguards like encryption are in place to protect the consumer.

What This Means for Developers

If an app has users in the EU and is using "consent" as the lawful basis for data proccessing, GDPR Article 6 requires consumer consent before any data can be collected, moved or used. A data usage consent form must be part of the app's interface so users know exactly how their data will be used. Developers who are also data controllers are responsible for the protection of consumer data, no matter where it eventually resides. This means that software can no longer be launched with known vulnerabilities or bugs that could expose consumer data to unauthorized third parties or attackers. Likewise, developers need to make sure that any code used for data processing is protected by a safeguard like encryption so that customer information is secure from prying eyes, whether it's being stored in the cloud or sent over the Internet.

End-to-End Encryption and GDPR Article 6 Compliance

End-to-end encryption is the preferred safeguard for GDPR Article 6 compliance because it provides the highest level of data protection. How does end-to-end encryption work? Bob wants to send a secure email to Sally so he uses a public key, similar to a house address, to encrypt the information in the email and send it to Sally. With her private key, which acts like a house key, Sally can decrypt the message that Bob has sent. Virgil Card Services, which stores and manages users' public keys, allows you to easily manage application users, validate their identities and encrypt data without ever exposing the user's data to prying eyes.

End-to-end encryption also helps makes GDPR Article 6 compliance easier for app developers assessing the suitability of using consumer data for non-explicitly stated purposes since encrypted data hides consumer information, which means it can be more widely used without fear of liability.

We're happy to answer any questions that you may have to learn more about how End-to-End Encryption and GDPR work together.. If you'd like to find out how to upgrade your app’s security with end-to-end encryption, join our Slack community or sign up for a free Virgil account.

Virgil Security, Inc. is a stack of security libraries and all the necessary infrastructure to enable seamless, end-to-end encryption for any application, platform or device.

We guide software developers into the forthcoming security world in which everything will be encrypted (and passwords will be eliminated). In this world, the days of developers having to raise millions of dollars to build secure chat, secure email, secure file-sharing, or a secure anything have come to an end. Now developers can instead focus on building features that give them a competitive market advantage while end-users can enjoy the privacy and security they increasingly demand.

Breaking Down GDPR Article 9
Rebecca Yarbrough — March 29th, 2018