Websites and applications handling personal data that are based in the EU or which process data on behalf of EU citizens fall under the General Data Protection Regulation (GDPR). This law came into effect on 25th May 2018.
When developing a website or application, consideration is given to how the data in the project should be handled in terms of GDPR. Something which can be overlooked is how GDPR applies to your working relationship with your software development company. This post is a very brief outline of your responsibilities when engaging a software development company and what you may need to think about when it comes to GDPR.
Under GDPR, generally speaking, you will be the controller who determines the purposes and means of the processing of personal data. Your software development company will be the processor, which processes personal data on behalf of the controller.
As the controller it is your responsibility to choose a software company that provides sufficient guarantees to have appropriate technical and organisational controls in place that meet GDPR requirements. These are legally required to be covered in your contract with your development team. Some of these requirements include the following and may be discussed with your legal team when creating a contract with your software development company. :
- The processor must only process data on instructions from the controller.
- The processor cannot use the data for other purposes
- If the processor is using sub contractors that they are subject to the same data protection obligations as the primary processor.
- There are reasonable steps taken by the processor to ensure the data is secure, such as pseudonymisation and encryption.
- Notify the controller if there is any data breach.
- Restrict personal data transfer to a third country (see below)
- Allow access to the relevant Data Protection Commission in the event of an investigation.
- The processor must keep a record of processing activities when certain criteria are met.
Having your software company based outside of the EU presents a number of challenges. The GDPR has specific requirements about transferring of data to third countries or international organisations.
The EU maintains a list of countries where an "adequacy decision" has been made. That is, a country which has sufficient levels of data projection in place. This list is available on the EU website.
In the event your software company is not located in the EU or a in country with an "adequacy decision", then GDRP allows for transfers providing "appropriate safeguards" are in place. These include:
- Standard data protection clauses
- Binding corporate rules
- Approved codes of conduct
- Approved certification mechanism
More information on international transfers can be obtained from the Irish Data Protection Commission website
Building a website or application that will use and manage data for EU citizens will mean it is subject to GDPR. When engaging a software development company to build and manage the project, you will need to ensure that you have a contract in place with the development company to ensure that they meet GDPR requirements.