Cybersecurity Tip #14
Developer’s Guide to Comply with CCPA and GDPR
The digital landscape is continuously evolving, and privacy regulations such as CCPA (California Consumer Privacy Act) and the European Union’s GDPR (General Data Protection Regulation) are in effect to give consumers their fundamental right to data privacy. These regulations force organizations to revamp their operations to comply. This means all departments within an organization, from marketing to software development and everything in between, have to keep privacy regulations in mind and tweak their workflows accordingly.
In this article, we will discuss the steps developers can take to stay compliant with these regulations.
Understanding the Rights under these Privacy Regulations
With more people concerned about their data rights, giving them complete control over their data is essential in today’s world. Under both GDPR and CCPA, the following list contains all the consumer’s rights concerning their data.
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object to processing
- the rights concerning automated decision making and profiling
A consumer can practice these rights at any given time, and enterprises must fulfill these requests as soon as possible.
GDPR and CCPA realize that more and more consumer data is available online, which increases the cyber threat and invites other malicious activities. The genuine threat is why these regulations must protect the consumers’ data while dissuading any data breach instances or sprawl.
The risks for non-compliant businesses.
The European Union (EU) has a history of making an example out of companies that are non-compliant with its regulations. One of the EU’s most recent actions was against Google.
It all started in France when Google was accused of infringement regarding the essential principles of the GDPR: transparency, information, and consent. Myriah Jaworski, an attorney at Beckage PLLC, stated, “enforcement action was geared toward the way Google obtained consent.”
Google did not present how and why an individual’s data was collected and stored, nor did Google make it easily accessible. Due to this infringement of GDPR, Google was fined an amount of $57 million by the EU. But where is all the data? Did they destroy it? Did you get your data back?
Seeing what happened to an industry giant like Google, it is clear that no industry can get away with GDPR or CDPR non-compliance. They will be fined — but they have the money. What about YOU? What about your company???
In order to stay safe, developers in an organization must be well-versed in all the regulations and build their websites, apps, and software with compliance in mind.
CCPA vs. GDPR: What’s the Difference?
While both laws serve to protect the individual’s rights, there are some differences between the two regulations. The following are the significant differences between the two laws.
Who Needs to Comply
The GDPR has a broad scope concerning who has to stay compliant with the law. The GDPR covers all EU citizens and regulates all organizations that collect and store personal information of EU citizens irrespective of their location and size.
In contrast, the CCPA places constraints on the size of organizations that need to comply. It applies to organizations with $25 million or more in annual revenue; or possess the personal data of more than 50,000 “consumers, households, or devices,” or earn more than half of its yearly income selling consumers’ data.
Financial Penalties
The GDPR mandates penalties based on non-compliance and data breaches. These penalties can reach up to 4% of the company’s annual global revenues, or 20 million euros (whichever amount is higher), with the commitment that administrative levies will be applied proportionately. CCPA fines are not cumulative but instead are applied per violation, reaching up to $2,500 per unintentional violation and $7,500 per intentional violation, with no upper cap.
Consumer Rights
Both regulations give the consumer specific rights that they can exercise. Some of these rights include the right to have information deleted or accessed. The GDPR specifically focuses on all the data related to European Union consumers, whereas the CCPA considers both consumers and households as identifiable entities. Businesses need to test their processes and ensure they can accommodate these rights.
Use of Encryption
The clauses on encryption in both laws constitute an area that, although similar, still have some differences. Both laws call for access to data encryption, making this an essential part of businesses’ privacy protection components.
Steps Towards Compliance: How Developers can Comply with CCPA and GDPR.
Developers are the frontline infantry in this struggle towards compliance because websites and mobile apps are the first interactions a consumer will have with an organization. It is essential to cover all your bases from the get-go to make the compliance workflow as smooth and efficient as possible. Let’s take a look at the steps developers can take to comply with each regulation.
How Developers can Comply with CCPA? 5 easy steps
Data Mapping
To stay compliant, developers need to integrate proper data mapping techniques into their systems. The law dictates that organizations should be fully aware of all the data they collect; this refers to what is collected, stored, and how it flows through the organization. Some operational suggestions would include designating a single source of truth, maintaining lineage, and tracking all organization data.
2. Inform Your Consumers
To comply with the CCPA, organizations will need the capability to fulfill data subject access requests (DSAR). Your website must show the consumer what data it will collect and how it will be collected. Developers can work with privacy officers to create a standard privacy notice for the website or an abbreviated pop-up policy at the point the data is collected.
3. Verify Queries
Organizations will be met with a flurry of requests from consumers exercising their rights under these regulations. Developers need to create a system by which the consumer can be authenticated, and the correct information can be given to them. To streamline this process, developers can create a dedicated email account for requests and design workflows for verification purposes.
4. Data Minimization and Purpose Limiting
When collecting data, organizations need to make sure that the data is only used where necessary. To ensure that, developers can create forms that only require minimum information (data minimization). Organizations can make sure that internally used data is in line with privacy policies (purpose limitation).
5. Data Security
Under the CCPA, organizations are required to protect the data an organization keeps about a specific individual. Although not explicitly mentioned, it is beneficial for organizations to encrypt data to prevent further compromise after any data breaches.
Developers can ensure security by implementing robust applications that offer end-to-end encryption and protect your consumers’ data.
How Can Developers Comply with GDPR? Five Easy Steps
Efficiently store data
The way an organization stores data can be the difference between compliance and non-compliance under the GDPR. Developers need to ensure that minimal data is being derived from consumers to reduce liability. Secondly, only store the data that is necessary for your processes. Lastly, implement DSAR tools in your storage to efficiently respond to subject data access requests.
2. Subject Access Requests
Developers need to integrate a system that can map all the data in the data stores and make them easily accessible when consumers request access to the company’s data, even complete deletion.
3. Contacting Users
Under the GDPR, an organization can not assume consent, and it must be asked for. If you’re working on a feature that will trigger an email or another message to be sent to users, you will need to integrate it with your organization’s consent tooling and check if you already have a consent channel for your use case. This will likely take the form of some source-of-truth database and an API that you can query before sending messages.
4. Profiling
Profiling is the use of data to personalize a customer’s experience. To be compliant with GDPR, organizations should have a clear way for users to opt-out of profiling. The only important thing for developers to understand what counts as profiling and respecting a users’ choice before implementing any form of personalization.
5. Rewrite your Privacy Policy
The GDPR has brought several amendments to the current structure of any organization. The IT group is essential for organizations to revamp their privacy policies according to the GDPR. In this case, developers can integrate the privacy policy into company websites or as a pop-up to comply with the GDPR right to notice.
Key Takeaway
The CCPA and GDPR are revolutionizing the data privacy sector, and organizations must comply with these regulations. Developers and marketers alike will have to find new ways to comply with these regulations without efficiently hindering their current performance. Developers need to integrate automation to create a streamlined approach to compliance throughout the organization.
Image Credit: andrea piacquadio; pexels
The post Developer’s Guide to Comply with CCPA and GDPR appeared first on ReadWrite.
Cybersecurity Tip #13
Cybersecurity Tip #12
How to Protect Your Digital Identity
Our digital identities are shaped by personal information about ourselves that we share online: name, age, gender, geographical location, email address, phone number, etc. If someone steals this data to act on our behalf, we might lose our funds, reputation, and social connections. In this article, you’ll find useful tips on protecting your digital identity from theft and enhancing the security of your online presence.
Create Several Digital Identities
Maybe you have two phone numbers or two emails and use the first one for work and the second one for private communication. Similarly, you can create multiple digital identities.
Emails Can Help
Have several emails.
- You can create your first email address to communicate with banks and government bodies.
- The second email address exchanges messages with diverse offline recipients (such as shops, garages, dental clinics).
- Your third email address is for friends, relatives, and social networks.
- A fourth email address will be for subscriptions and registrations.
Each of your digital identities will be connected to a particular email, but they will never overlap — these types of actions create your safety net of digital identities.
You can access all your email addresses from the same mailbox. For instance, you can automatically redirect all the incoming messages to the same Gmail inbox. Gmail will let you select the address that you would like to send each of your emails from.
You won’t even need to use exclusively @gmail.com addresses. Microsoft Outlook functions on the same principle and allows users to attach up to 10 auxiliary emails to the main one so that you have 11 addresses all in all.
Replace Your Password with a Passphrase
A passphrase consists of several words, so it’s much more difficult to brute-force it than a password. Ideally, these words should be generated randomly, and each of them should contain a minimum of 16 characters.
For each site and service you use, you should generate a unique passphrase. Of course, it might be tricky to remember all these combinations — but you can download 1Password, LastPass, or Dashlane. These trusted and credible password managers will safely store your passwords in a well-protected database.
Enable Two-Factor Authentication
Some modern online services include two-factor authentication as a mandatory feature; others offer it optional. After you enable the two-factor authentication, you won’t be able to access your account just by inserting your password. The system will send you a confirmation link or code to your phone or email that will serve as the key to your account.
If someone tries to hack your account from a remote device, you will get to know about it.
Install and Enable an Antivirus
Modern antiviruses are powerful multifunctional programs. They efficiently protect users not only from malicious software but from all sorts of threats. They identify a menace long before it attacks your device and ward it off.
Also, they check your system and software updates to make sure you use the latest versions. Updatings are essential for security because newer versions of the programs don’t contain old vulnerabilities.
Stay Suspicious
If a site or service asks you to share your confidential data, think twice whether it really needs it. Is it necessary for a game, news aggregator, or dating service to know your birth date or bank account number? Or is it just a nefarious trick to cheat confidential information out of you?
Inspect your bank statements and payment history weekly. According to a stereotype, if hackers get hold of your bank account, they will immediately transfer all your funds to their account. But this will inevitably attract your attention, so some smart violators opt for small transfers instead. If you notice payments for goods or services that you never purchased, your account might be hacked.
Don’t include meaningful personal information in your social media profiles.
Indicate only the data that you are ready to share literally with the whole world, including thousands of people that you will never know.
If you receive an email with a link, open it only in case you know the recipient well. Spammers and organizers of phishing attacks might ask you to visit a certain page, to indicate your account data or financial credentials. Some ask you to confirm the receipt of a pre-approved credit card that you never ordered.
If you receive a similar email from your bank, get in touch with its support service, and ask if they indeed sent it.
Use Browser Security Tools
To get rid of the annoying ads for good, install AdBlock Plus. To block spying ads and invisible trackers, use Privacy Badger. To make your browser always redirect you to safer HTTPS versions of websites from the outdated HTTP ones, apply HTTPS Everywhere.
You can choose between dozens of free extensions that are compatible with nearly any browser and will efficiently protect your digital identity.
However, the protective software that you have installed might not be enough to stop tracking completely. To check how safe your browser is, use Panopticlick: it will measure your security level and analyze your system configurations. Relying on the impartial results of the analysis, you will be able to fine-tune your settings, delete or install certain add-ons, etc.
Monitor the News
If a bank, a governmental body, or an e-commerce institution falls prey to a data breach, it will be mentioned in the news. If it turns out that your confidential data might be compromised, change all your passwords immediately.
Conclusion
Hopefully, this article came in handy, and now you know how to protect your digital identity. Losing it might sometimes be just as troublesome as losing your real-life passport.
The above-listed recommendations can be applied to any device that you use to go online, be it a stationary computer, a laptop, a smartphone, or a tablet. As you see, you don’t need to be a geek to enhance your internet privacy and enjoy the time you spend online to the max.
Image Credit: cottonbro: pexels
The post How to Protect Your Digital Identity appeared first on ReadWrite.