Breaking Down GDPR Article 9

Breaking Down GDPR Article 9

Rebecca Yarbrough — March 29th, 2018

Header image by

In just a few short months, companies throughout the EU will experience a seismic shift in their approach to data protection, and many organizations in the US will be feel the ripple effects. Known as the EU General Data Protection Regulation, GDPR is something that every app developer needs to know about. Maybe you've even heard about it but took a look at the complicated language and decided to pass. However, understanding the most relevant parts of GDPR are critical to the security and success of your software. We've already covered GDPR Article 6, let's dive into GDPR Article 9.

What Is GDPR?

To review, GDPR is a EU-mandated regulation requiring all companies in the region and those that have clients or operations there to comply with new data protection requirements. With 99 Articles, GDPR represents the most comprehensive treatment of data protection to emerge since the digital era began. As a result, data protection laws are going to be significantly more uniform, requiring companies to meet stringent new laws that offer the highest level of data protection and privacy to consumers. Organizations that fail to comply could be fined €20 million or 4 percent of their global turnover.

GDPR Article 9: Processing of Special Categories of Personal Data

Not all data is created equally, nor should it be treated equally. GDPR aims to ensure that the most sensitive kinds of data are protected at all times. The processing of data that reveals a consumer's race, ethnicity, sexual orientation, health status, religious or political affiliation, as well as similarly potentially discriminatory data, is strictly prohibited without explicit consent from the app user. This includes the collection and storing of such data. Further, marketing or monetization of this type of data requires additional consent. Some notable exceptions include safeguarded or encrypted data used by nonprofit groups solely for operational purposes (i.e. no data is released to third parties), data used for scientific or historical research, and data that is utilized in a judiciary or legal capacity.

What This Means for Developers

Developers must ensure that their platform sufficiency informs the user of how their data will be used and explicitly obtains the user's consent to such uses. If consent is obtained, safeguards like encryption should be implemented to protect against the unauthorized exposure of Article 9 data. As data is often most vulnerable at the processing stage, developers also need to ensure that compliant code (i.e no backdoor bugs) is in place throughout each component of the processing system, as "data controllers" are liable for all data handling. App creators should be especially vigilant against the unnecessary flow of consumer data during the initial user sign-up stage.

End-to-End Encryption and GDPR Article 9 Compliance

With a public key to encrypt sent data and a private key to decrypt received data, end-to-end encryption offers the highest level of data security, whether a user is logging in, chatting or sending an email. However, data is just as secure in the cloud because all ingoing and outgoing data is encrypted, which means that even the most sensitive GDPR Article 9 data is safe from prying eyes. In addition, with tools like Perfect Forward Secrecy (PFS) past messages contain Article 9 details are also safe, even if keys or passwords are compromised. Best of all, as a developer, you can breathe easy knowing that your software and is in full compliance with GDPR regulations.

We're happy to answer any questions that you may have to learn more about how End-to-End Encryption and GDPR work together.. If you'd like to find out how to upgrade your app’s security with end-to-end encryption, join our Slack community or sign up for a free Virgil account.

Virgil Security, Inc. is a stack of security libraries and all the necessary infrastructure to enable seamless, end-to-end encryption for any application, platform or device.

We guide software developers into the forthcoming security world in which everything will be encrypted (and passwords will be eliminated). In this world, the days of developers having to raise millions of dollars to build secure chat, secure email, secure file-sharing, or a secure anything have come to an end. Now developers can instead focus on building features that give them a competitive market advantage while end-users can enjoy the privacy and security they increasingly demand.

GDPR Guidance: What the New Regulations Mean for Developers
Rebecca Yarbrough — March 22nd, 2018