GDPR Developer Guide

In order to assist web and application developers in making their work GDPR-compliant, the CNIL has drawn up a new guide to best practices under an open source license, which is intended to be enriched by professionals.

This guide is published under the GPLv3 license and under the Open Licence 2.0 (explicitly compatible with CC-BY 4.0 FR). You are free to contribute to its drafting.

The French version is the authentic version of this guide. An Italian version of this guide is also available in pdf and for contributions.

Is this guide for developers only?

This guide is mainly aimed at developers working alone or in teams, team leaders, service providers but also at anyone interested in web or application development.

It provides advice and best practices, and thus gives useful keys to understand the GDPR for every stakeholder, regardless of the size of their structure. It can also stimulate discussions and practices within the organisations and in customer relationships.

What does the guide contain?

This guide is divided into 17 thematic sheets (numbered 0 to 16) which cover most of the needs of developers at each stage of their project, from the preparation of the development to the use of analytics.

The General Data Protection Regulation (or GDPR) specifies that the protection of the rights and freedoms of natural persons requires that "appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met" (Recital 78).

The determination of these measures is necessarily related to the context of the processing operations put in place, and the controller (the public or private entity processing personal data) must therefore ensure the security of the data it is called upon to process.

The good practices in this guide are therefore not intended to cover all the requirements of the regulations, nor to be prescriptive. They provide a first level of measures for taking privacy protection issues into account in IT developments, intended to apply to all data processing projects. Depending on the nature of the processing, additional measures will in some cases have to be implemented in order to fully comply with the regulations.

Table of contents

  0. Develop in compliance with the GDPR
  1. Identify personal data
  2. Prepare your development
  3. Secure your development environment
  4. Manage your source code
  5. Make an informed choice of architecture
  6. Secure your websites, applications and servers
  7. Minimize data collection
  8. Manage user profiles
  9. Control your libraries and SDKs
  10. Ensure the quality of the code and its documentation
  11. Test your applications
  12. Inform users
  13. Prepare for the exercise of people's rights
  14. Define a data retention period
  15. Take into account the legal basis in the technical implementation
  16. Use analytics on your websites and applications

How can I contribute to this guide?

This guide is available in two versions:

The contribution is done in a few steps:

Your contribution proposal will be examined by the CNIL before publication. The web version of the GDPR developer's guide will be regularly updated.

Usage

To build this guide yourself, you can use the Pandoc tool, which converts the sheets into a docx file or an HTML document.

You can find the instructions to install this tool here

pandoc -s --toc --toc-depth=1 -o GDPR_developer_guide.docx [0-9][0-9]*.md
pandoc -s --template="templates/mytemplate.html" -H templates/pandoc.css -o index.html README.md [0-9][0-9]*.md

Sheet n°0: Develop in compliance with the GDPR

Whether you work alone, are part of a team developing a project, manage a development team, or are a service provider carrying out developments for third parties, it is essential to ensure that user data and all personal data processing are sufficiently protected throughout the lifecycle of the project.

The following steps will help you in developing privacy-friendly applications or websites:

  1. Be aware of the GDPR core principles. If you work in a team, we recommend that you identify a person responsible for monitoring compliance. If your company has a Data Protection Officer (DPO), then that person is a key asset in understanding and meeting the GDPR obligations. The appointment of a DPO may also be mandatory in some cases, for example if your programs or applications process so-called "sensitive" data (see examples) on a large scale or conduct regular and systematic monitoring on a large scale.

  2. Map and categorize the data and processing in your system. Accurately mapping the data processing performed by your program or application will help you ensure that it complies with legal requirements. Keeping a record of processing activities (an example of which can be found on the CNIL website) gives you an overall view of these data and lets you identify and prioritize the associated risks. Personal data may be present in unexpected places, such as server logs, cache files or spreadsheet files, and may be stored in a number of different places. Such record-keeping is mandatory in most cases.

  3. Prioritize the required actions. On the basis of the record of processing activities, identify the actions required to comply with the obligations of the GDPR ahead of the development, and prioritize the points of attention according to the risks that the processing carries for the data subjects. These points of attention concern in particular the necessity and types of data collected and processed by your software, the legal basis of your processing operations, the information notices of your software or application, the contractual clauses binding you to your contractors, the terms and conditions for exercising rights, and the measures implemented to secure your processing.

  4. Manage the risks. When you find that a processing of personal data is likely to create high risks for data subjects, make sure that you manage those risks appropriately in context. A Privacy Impact Assessment (PIA) can help you manage those risks. The CNIL has developed a method, model documents and a tool that will help you to identify those risks, as well as a catalogue of good practices that will assist you in implementing measures to address the identified risks. Furthermore, a PIA is mandatory for all processing operations that are likely to create high risks to the rights and freedoms of data subjects. The CNIL publishes, on its website, a list of types of processing operations for which a PIA is or is not required.

  5. Put in place internal processes to ensure compliance at all development stages: make sure that internal procedures guarantee that data protection is taken into account in every aspect of your project and for every event that may occur (e.g. personal data breach, requests for access or rectification, modification of the data collected, change of provider, etc.). The requirements of the governance label (even though it is no longer granted by the CNIL since the entry into force of the GDPR) can be a useful source of inspiration for setting up the necessary organization.

  6. Document the compliance of your developments so that you can prove compliance with the GDPR at all times: the actions performed and the documents produced at each stage of development must be kept under control. This implies in particular a regular review and update of the documentation of your developments so that it always matches the features actually deployed in your program.

The CNIL website provides numerous practical guides which will assist you in setting up compliant processing operations according to your sector of activity.

Sheet n°1: Identify personal data

Understanding the notions of "personal data", "purpose" and "processing" is essential to ensure that software complies with the law when it processes user data. In particular, be careful not to confuse "anonymisation" and "pseudonymization", which have very precise and different definitions in the GDPR.

Definition

Examples of personal data

Anonymisation of personal data

Pseudonymization of personal data
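The distinction matters in code as much as in the definitions. The following is an added example in Python, not part of the CNIL guide: it pseudonymises a constructed set of records with a keyed HMAC whose key and lookup table are kept apart from the data, shows why an unkeyed hash of an email address is not a pseudonym at all (the space of candidate addresses is small enough to enumerate), and contrasts both with an irreversible anonymisation that keeps only aggregates over generalised values. The records, the key and the minimum group size of 2 are assumptions chosen for the illustration.

```python
"""Added example (not from the CNIL guide): pseudonymisation versus
anonymisation on a constructed dataset. The records, the key and the k=2
threshold are assumptions chosen for the illustration."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the people and values are invented.
RECORDS = [
    {"email": "alice@example.org", "age": 34, "postcode": "75011", "plan": "pro"},
    {"email": "bob@example.org", "age": 36, "postcode": "75012", "plan": "pro"},
    {"email": "carol@example.org", "age": 29, "postcode": "69001", "plan": "free"},
    {"email": "dave@example.org", "age": 52, "postcode": "75011", "plan": "free"},
    {"email": "erin@example.org", "age": 31, "postcode": "75020", "plan": "pro"},
]


def pseudonymise(records, key):
    """Replace the direct identifier (email) by a keyed token.

    Returns the tokenised records and the lookup table. The key and the table
    are the "additional information" of GDPR Art. 4(5): they must be stored
    separately from the dataset, under their own access control, and as long
    as they exist the tokenised data is still personal data.
    """
    table = {}
    out = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        table[token] = rec["email"]
        out.append({"subject": token, **{k: v for k, v in rec.items() if k != "email"}})
    return out, table


def reidentify(token, table):
    """Reverse a pseudonym: only possible for whoever holds the table."""
    return table.get(token)


def unkeyed_token(email):
    """Common mistake: an unkeyed hash. Email addresses form a small, guessable
    space, so anyone can recompute the hashes of candidate addresses."""
    return hashlib.sha256(email.encode()).hexdigest()[:16]


def dictionary_attack(token, candidates):
    """Try to reverse a token by hashing candidate identifiers without any key."""
    for cand in candidates:
        if unkeyed_token(cand) == token:
            return cand
    return None


def anonymise(records, k=2):
    """Irreversible: drop the identifier, generalise the quasi-identifiers
    (age -> 10-year band, postcode -> department) and release only counts for
    groups of at least k people. Smaller groups are suppressed because a
    count of 1 would single out an individual."""
    groups = Counter()
    for rec in records:
        low = rec["age"] // 10 * 10
        groups[(f"{low}-{low + 9}", rec["postcode"][:2], rec["plan"])] += 1
    return {group: n for group, n in groups.items() if n >= k}


if __name__ == "__main__":
    key = b"keep-this-key-out-of-the-dataset"  # assumption: in practice comes from a secret store
    tokenised, table = pseudonymise(RECORDS, key)
    emails = [r["email"] for r in RECORDS]
    print("pseudonymised record:", tokenised[0])
    print("re-identified by the key holder:", reidentify(tokenised[0]["subject"], table))
    print("unkeyed hash reversed by guessing:", dictionary_attack(unkeyed_token("bob@example.org"), emails))
    print("keyed token reversed by guessing:", dictionary_attack(tokenised[1]["subject"], emails))
    print("anonymised aggregates:", anonymise(RECORDS))
```

Two points the code makes explicit: the keyed tokens remain personal data for as long as the key and table exist, so they get the same protection as the original identifiers; and the anonymised output loses information (two of the three groups are suppressed at k=2), which is the price of the link to the person being truly gone.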

Sheet n°2: Prepare your development

The principles of personal data protection must be integrated into IT developments from the design phase onwards in order to protect the privacy of the people whose data you are going to process, to give them better control over their data and to limit errors, losses, unauthorised modifications or misuses of their data in applications.

Methodological choices

Technological choices

Architecture and features

Tools and practices

Sheet n°3: Secure your development environment

The security of production, development and continuous integration servers as well as developer workstations must be a priority because they centralize access to a large amount of data.

Assess your risks and adopt the appropriate security measures

Secure your servers and workstations in a homogeneous and reproducible way

Put special emphasis on access management and traceability of operations

Sheet n°4: Manage your source code

Set up your version control system efficiently, thinking about its security.

Be aware of your source code content.

Finally, if you need to include such data in your repository, consider encrypting and decrypting the files automatically with a plugin for your version control system (e.g. git-crypt).

Examples of tools

Sheet n°5: Make an informed choice of architecture

When designing the architecture of your application, you must identify the personal data that will be collected and define a path and a life cycle for each of them. The choice of supporting assets (local storage, server, cloud service) is a crucial step, which must be adapted to your needs but also to your technical knowledge. The record of processing activities and the conduct of a privacy impact assessment can assist you in this choice.

Examining life cycle of data and processes, from collection to erasure

In case of use of external hosting

Sheet n°6: Secure your websites, applications and servers

Any website, application or server must incorporate basic state-of-the-art security rules, not only on network communications but also on authentication and infrastructure.

Securing communication networks

Securing Authentications

Securing infrastructures

Sheet n°7: Minimize data collection

You shall only collect personal data that is adequate, relevant and necessary in relation to the purposes for which they are processed, as defined at the time of collection.

Before collection, think about the different types of data you need to collect and try to limit your collection to what is strictly necessary.

Once the data has been collected, set up automatic deletion mechanisms.

Sheet n°8: Manage user profiles

The way the profiles of your collaborators and end users are managed must be thought out before development starts. It consists in defining different access and authorization profiles so that each person can access only the data they actually need.

Good practices for user management

Streamline the management of clearance profiles

Sheet n°9: Control your libraries and SDKs

Do you use libraries, SDKs, or other software components written by third parties? Here are a few tips on how to integrate these tools while keeping control of your developments.

Make an informed choice

Evaluate the selected elements

Maintain libraries and SDKs

Sheet n°10: Ensure quality of the code and its documentation

It is essential to adopt good code-writing techniques as early as possible. Code readability reduces the effort of maintenance and bug fixing over time, for you and for your (possibly future) collaborators.

Document code and architecture

Check the quality of your code and its documentation.

Sheet n°11: Test your applications

Testing your product allows you to check its correct operation, to ensure a good user experience and to find and prevent defects before it goes into production. Testing your product also reduces the risk of personal data breaches.

Automate testing

Integrate testing into your business strategy.

Watch out for your test data!

Sheet n°12: Inform users

The transparency principle of the GDPR requires that any information or communication relating to the processing of personal data should be concise, transparent, comprehensible and easily accessible in plain and simple language.

Who to inform and when?

What information do I have to give?

In what form should I provide this information?

What communication should be made when data security is compromised?

Useful resources

Sheet n°13: Prepare for the exercise of people's rights

The persons whose data you process have rights over their data: the right of access, to rectification, to object, to erasure, to data portability and to restriction of processing. You must give them the means to exercise these rights effectively and provide, in your computer systems, the technical tools that will allow the rights to be properly taken into account.

Preparing in advance how they will contact you and how you will deal with their requests will enable you to manage the exercise of these rights effectively.

Minimum measures to be put in place

Here are some examples of rights and their possible implementation

In conclusion

Sheet n°14: Define a data retention period

Personal data cannot be kept indefinitely: the retention period must be defined according to the purposes of the processing. Once the purpose has been achieved, the data should be archived, deleted or anonymised (e.g. in order to produce statistics).

Data retention cycles

Some examples of retention periods
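As an added example (not the guide's own code), here is a Python job that enforces such a policy on a SQLite table and goes through both stages of the cycle: expired rows in the active base are deleted, anonymised or moved to an intermediate archive depending on the purpose, and the archive itself is purged after its own period. It serves the automatic deletion mechanisms mentioned in sheet n°7 as well as this sheet. The table layout, the purposes and their periods, the sample rows and the ten-year archive period are assumptions made for the illustration.

```python
"""Added example (not from the CNIL guide): automatic enforcement of
per-purpose retention periods, with the three outcomes the guide names
(archive, delete, anonymise). Table names, purposes, periods and the
sample rows are assumptions for the illustration."""
import sqlite3
from datetime import date, timedelta

# Retention policy, per purpose: how long a record stays in the active base
# after it was last used, and what happens to it afterwards.
POLICY = {
    "account": (timedelta(days=3 * 365), "delete"),         # inactive accounts are erased
    "support_ticket": (timedelta(days=365), "anonymise"),  # kept only as statistics
    "invoice": (timedelta(days=365), "archive"),            # moved to a restricted intermediate archive
}
# Assumed period archived accounting records are kept before final deletion.
ARCHIVE_MAX = timedelta(days=10 * 365)

SCHEMA = """
CREATE TABLE records (
    id INTEGER PRIMARY KEY, purpose TEXT NOT NULL, email TEXT, detail TEXT,
    last_used TEXT NOT NULL);   -- ISO 'YYYY-MM-DD', so text comparison is chronological
CREATE TABLE archive (
    id INTEGER PRIMARY KEY, purpose TEXT NOT NULL, email TEXT, detail TEXT,
    last_used TEXT NOT NULL, archived_on TEXT NOT NULL);
"""

# Constructed sample rows (purpose, email, detail, last_used); not real people.
SAMPLE = [
    ("account", "alice@example.org", "signup", "2024-05-20"),
    ("account", "bob@example.org", "signup", "2020-01-01"),
    ("support_ticket", "carol@example.org", "refund question", "2022-01-10"),
    ("support_ticket", "dave@example.org", "login issue", "2024-03-01"),
    ("invoice", "erin@example.org", "order 1001", "2023-01-15"),
    ("invoice", "frank@example.org", "order 2002", "2024-04-01"),
    ("invoice", "grace@example.org", "order 0007", "2012-02-01"),
]


def open_db():
    """Fresh in-memory database loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO records(purpose, email, detail, last_used) VALUES (?, ?, ?, ?)", SAMPLE)
    conn.commit()
    return conn


def apply_retention(conn, today_iso):
    """Run the policy as of the ISO date `today_iso`; returns rows touched per action.
    Safe to run repeatedly (e.g. nightly): rows already processed match nothing."""
    today = date.fromisoformat(today_iso)
    counts = {"delete": 0, "anonymise": 0, "archive": 0, "purge": 0}
    for purpose, (period, action) in POLICY.items():
        cutoff = (today - period).isoformat()
        expired = "purpose = ? AND last_used < ?"
        if action == "delete":
            cur = conn.execute(f"DELETE FROM records WHERE {expired}", (purpose, cutoff))
        elif action == "anonymise":
            # Strip every field that identifies the person; keep purpose and
            # date so the row still counts in statistics.
            cur = conn.execute(
                f"UPDATE records SET email = NULL, detail = NULL "
                f"WHERE {expired} AND email IS NOT NULL", (purpose, cutoff))
        else:  # archive: copy to the restricted table, then remove from the active base
            conn.execute(
                f"INSERT INTO archive(purpose, email, detail, last_used, archived_on) "
                f"SELECT purpose, email, detail, last_used, ? FROM records WHERE {expired}",
                (today.isoformat(), purpose, cutoff))
            cur = conn.execute(f"DELETE FROM records WHERE {expired}", (purpose, cutoff))
        counts[action] += cur.rowcount
    # Second stage of the cycle: the intermediate archive has its own limit.
    cur = conn.execute("DELETE FROM archive WHERE last_used < ?",
                       ((today - ARCHIVE_MAX).isoformat(),))
    counts["purge"] += cur.rowcount
    conn.commit()
    return counts


if __name__ == "__main__":
    db = open_db()
    print(apply_retention(db, "2024-06-01"))
    # -> {'delete': 1, 'anonymise': 1, 'archive': 2, 'purge': 1}
```

Dates are stored as ISO text on purpose: SQLite has no date type, and the fixed `YYYY-MM-DD` layout is what makes `last_used < cutoff` a correct chronological comparison. The anonymise branch only matches rows that still carry an email, which is what makes a second run a no-op rather than a repeated "update" of already anonymised rows; a job like this should be idempotent because it will be scheduled, not run once.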

Sheet n°15: Take into account the legal basis in the technical implementation

Processing of personal data must rest on one of the "legal bases" listed in Article 6 of the GDPR. The legal basis of a processing operation is, in a way, the justification for its existence. The choice of a legal basis has a direct impact on the conditions for implementing the processing operation and on the rights of individuals. Anticipating the legal basis of your processing operations before any development will therefore help you integrate the functions needed to ensure that these operations comply with the law and respect individuals' rights.

The legal bases are cross-referenced against the rights that individuals can exercise:

Rights: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object.

Legal bases: consent (with the withdrawal of consent), contract, legitimate interest, legal obligation, public interest, protection of vital interests.

The specific case of cookies and other trackers

Sheet n°16: Use analytics on your websites and applications

In practice