GDPR Compliance for Business Applications

This paper summarizes how GDPR applies to the context of business applications
and explains how Visual Guard helps to make your applications GDPR compliant

I. How is GDPR impacting your applications?

You may have heard of GDPR, but do you know if your applications are impacted?
Do they have to be modified? If so, how?

Did you know that GDPR may apply to non-European organizations?
Or that user consent is not always required?

You will find below some answers to these questions.

1.1 What is GDPR?

The General Data Protection Regulation (GDPR) is a European Union regulation, enforceable since 25 May 2018, that protects the personal data of individuals within the EU.

Administrative fines for non-compliance can reach 20 million € or 4% of your organization's total worldwide annual turnover, whichever is higher (Article 83).

1.2 Does GDPR apply to your application(s)?

Your application(s) must comply with GDPR if (Article 3):

  • Your organization is established in the EU, or
  • Your application(s) process the personal data of individuals who are in the EU, for instance because you offer them goods or services or monitor their behaviour.

Note: Application owners (the data controllers) remain responsible for implementing data protection measures and for demonstrating their GDPR compliance, even when hosting or operation of their applications is outsourced to a processor, for instance a cloud provider running them in production - see Recital 74.

1.3 Which data is concerned?

Any information relating to an identified or identifiable individual, whether personal, professional, private or public (name, address, photo, email, financial details, medical information…). Medical and other special categories of data are subject to stricter conditions (Article 9).

1.4 Is user consent required?

Not necessarily.

Consent is only one of the lawful bases for processing listed in Article 6. You do not need consent when the processing is necessary for another lawful basis, for instance:

  • The performance of a contract to which the user is party (employment contract for an employee, commercial contract for a client, etc.).
  • Compliance with a legal obligation to which your organization is subject.
  • Protecting the vital interests of the user or another person.
  • The performance of a task carried out in the public interest (police for instance) or the exercise of official authority vested in your organization.
  • The legitimate interests pursued by your organization or a third party, unless they are overridden by the interests or fundamental rights of the user.

1.5 What are your obligations under the GDPR?

Application owners should comply with the following requirements:

  • Design: you should design and implement data protection measures during the design and development phase of the application - i.e., not after it goes live (Article 25, data protection by design and by default).
    See below: "Design application and data protection together"
  • Data access control: you should implement mechanisms to ensure that personal data is only processed when necessary for each specific purpose: access to data should be strictly restricted to authorized personnel, and to perform authorized activities only (Articles 25 and 32). This implies:
    1. A secure mechanism should verify the identity of personnel accessing data.
    2. A control mechanism should restrict access to data according to each person's authorizations.
    See below: "Control Access to your data"
  • Records and audit: you should maintain a record of your processing activities (purposes, categories of data and recipients, retention periods, security measures) and make it available to the supervisory authority on request (Article 30). Logs of who accessed which personal data, and when, help you demonstrate that the access restrictions you describe are actually enforced (Articles 5(2) and 32).
    See below: "Record and Audit sensitive activities"
  • Data breaches: in case of a personal data breach, you are under a legal obligation to notify the supervisory authority within 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the individuals concerned (Article 33). Where the breach is likely to result in a high risk to them, the persons impacted must also be identified and notified (Article 34).
  • User consent & access: should you rely on user consent, it must be given by a clear affirmative action (opt-in) and be as easy to withdraw as it was to give. You should explain which personal data is processed and why, indicate its retention time, and provide contact information so users can access, rectify, erase or transfer their data to another system if they wish to.

II. GDPR and Visual Guard

This chapter explains how Visual Guard helps make your applications GDPR compliant.

2.1 What is Visual Guard?

Visual Guard adds security features inside your applications.

  • Control the identity of users accessing your applications (Authentication),
  • Automatically restrict their access to sensitive data,
  • Keep track of their activities within your applications
  • Audit activities processing personal data, as well as any other sensitive activity.

The traditional alternative to Visual Guard consists in developing custom security code within each application. This is usually much more expensive and risky, as software developers are rarely security experts. The cost grows with the number of development languages used in your organization, since specific security code has to be written and maintained for each of them.

By contrast, Visual Guard can secure off-the-shelf all types of application (desktop, web, mobile, SaaS…), whatever their development language (Java, .NET, PHP…). It also supports most architectures and network requirements.

Visual Guard comprises the following modules:

[Figure: Visual Guard Modules]
  • 3 consoles (graphical applications), for developers, administrators and auditors to manage and audit application security.
  • Server components, to enforce security when applications are in production.
  • Security engines, embedded in the application, to verify the user's identity, restrict their access to data and record their sensitive activities.
  • A repository, to store and encrypt user accounts, authorizations and security rules.

2.2 Verify the identity of your users

For systems with high security requirements, passwords alone do not provide sufficient protection. Visual Guard offers strong, multi-factor authentication mechanisms, to ensure that users are who they claim to be.

For example, before accessing a secured application, users must fill in a login form, receive a notification on their mobile device, and confirm it with a PIN code or fingerprint.

2.3 Control Access to your data.

Visual Guard controls which personnel are authorized to view or edit sensitive data:

  • Authorizations are granted independently for each kind of data, so each person accesses only the data they have to process. Authorizations also control which processing activities (view, edit, export…) are allowed on that data.
  • Authorizations can span several applications, whatever their respective development languages. Visual Guard can secure a large number of applications and define consistent authorizations across all of them: for instance, the right to view a personal address is granted or revoked to the same people, at the same time, across all the applications processing that information.
  • Authorizations are managed with an administration console, independent from your applications, that does not require any technical skill. You can delegate daily security management to the most appropriate people - for instance a business manager granting access to their team members.
[Figure: Managing Users Authorizations]

2.4 Record and Audit sensitive activities

  • Record activities processing personal, banking or any other sensitive data. Keep track of administrator operations managing user accounts and their authorizations.
  • Audit and filter sensitive activities with various criteria: for instance, review the past activities of a given person together with their current authorizations, or check which data have been processed within a given application, when, and by whom.
    [Figure: GDPR Audit Sensitive Activities]
  • Send email notifications when sensitive activities are performed, and monitor them with real-time graphs.
  • Activity recording is transversal to all your applications: the information is stored in a central location, so there is no need to review each system separately. You get an instant and comprehensive view across all applications.

2.5 Detect data breaches and report them

Visual Guard monitors access to sensitive data and helps detect data breaches:

  • Review real-time and historical graphs about sensitive activities.
  • Detect suspicious activities - for instance data processed at unusual times, like nights or weekends, or unusually large amounts of data being accessed. Such activities may reveal a data breach - for example data being illegally and massively copied.
  • Send email alerts to the personnel concerned or to the authorities, to inform them of a possible breach.
  • Generate reports detailing which data were illegally processed, by which user and from where, with a list of all the persons impacted by the data breach.
[Figure: Historical Data]
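The following is an added illustration of the three ideas in 2.3, 2.4 and 2.5: a central activity log, a per-data authorization check, and detection rules that flag off-hours access, unusual volumes and actions outside a user's grants. It is example code written for this page, not Visual Guard's own engine or log format. The JSON log lines, the permission table, the business hours and the 1000-records-per-day threshold are all constructed assumptions.

```python
"""Detect suspicious access to personal data in a central audit log.

Example code for this page (not Visual Guard's implementation). The log
format, user names, permissions and thresholds below are constructed
assumptions chosen to exercise each rule.
"""
import json
from collections import defaultdict
from datetime import datetime, time

# Constructed sample of a central audit log (one JSON object per line).
# 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """
{"ts": "2024-03-04T09:12:00", "user": "alice", "app": "crm", "action": "read", "resource": "customer.address", "count": 3}
{"ts": "2024-03-04T10:40:00", "user": "bob", "app": "hr", "action": "read", "resource": "employee.medical", "count": 1}
{"ts": "2024-03-05T02:15:00", "user": "bob", "app": "hr", "action": "export", "resource": "employee.medical", "count": 1200}
{"ts": "2024-03-06T15:00:00", "user": "alice", "app": "crm", "action": "export", "resource": "customer.address", "count": 500}
{"ts": "2024-03-06T15:05:00", "user": "alice", "app": "crm", "action": "export", "resource": "customer.address", "count": 600}
{"ts": "2024-03-09T14:30:00", "user": "carol", "app": "billing", "action": "read", "resource": "customer.iban", "count": 2}
"""

# Assumed authorization table: per user, per kind of data, the allowed
# processing activities. Shared by every application writing to the log.
PERMISSIONS = {
    "alice": {"customer.address": {"read", "export"}},
    "bob": {"employee.medical": {"read"}},
    "carol": {"customer.iban": {"read"}},
}

BUSINESS_HOURS = (time(8, 0), time(19, 0))  # assumed working hours, local time
DAILY_RECORD_LIMIT = 1000                    # assumed per-user, per-day volume threshold


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def is_allowed(user, resource, action):
    """Per-data, per-action authorization check against PERMISSIONS."""
    return action in PERMISSIONS.get(user, {}).get(resource, set())


def is_off_hours(ts):
    """True on weekends (Mon=0 .. Sun=6) or outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def detect(events, daily_limit=DAILY_RECORD_LIMIT):
    """Run the three rules over the log in time order and return alerts."""
    alerts = []
    records_per_user_day = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        base = {"user": e["user"], "app": e["app"],
                "resource": e["resource"], "ts": e["ts"].isoformat()}
        if not is_allowed(e["user"], e["resource"], e["action"]):
            alerts.append({"rule": "unauthorized", "action": e["action"], **base})
        if is_off_hours(e["ts"]):
            alerts.append({"rule": "off_hours", **base})
        key = (e["user"], e["ts"].date())
        before = records_per_user_day[key]
        records_per_user_day[key] += e["count"]
        # Alert once, on the event that pushes the daily total over the limit.
        if before <= daily_limit < records_per_user_day[key]:
            alerts.append({"rule": "volume", "count": records_per_user_day[key], **base})
    return alerts


def breach_report(events, user, day):
    """Records touched by one user on one day, per resource: the starting
    point for listing which data (and therefore which persons) were affected."""
    touched = defaultdict(int)
    for e in events:
        if e["user"] == user and e["ts"].date() == day:
            touched[e["resource"]] += e["count"]
    return dict(touched)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect(evs):
        print(a)
    print(breach_report(evs, "bob", evs[2]["ts"].date()))
```

On the constructed log this raises five alerts: bob's night-time export of 1200 medical records trips all three rules at once (he only holds "read"), alice's two afternoon exports cross the daily limit on the second one, and carol's Saturday read is flagged as off-hours. The volume rule is evaluated on a running per-user, per-day total so that a copy split into several small exports is still caught.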

2.6 Design application and data protection together

When using Visual Guard, the features enforcing data protection are designed and embedded inside your application from the start, which gives comprehensive and robust protection.

If you need to modify data protection rules while applications are in production (i.e. which user can access which data), authorized personnel can edit them with the administration console: changes apply in real time, without redeploying the application.

Go Further

You can find more details about GDPR here