The impact of the GDPR on IT projects

Redakcja 9bits 30.11.2020

Only a few years ago, the topic of personal data protection in information and internet technologies did not exist. Users used the tools that programmers prepared for them and no one was worried about who and how collects personal data, how it protects it and, above all, how it uses it.


The overwhelming majority of all types of companies collect personal data. 3 out of 4 companies cannot answer the question why and do not see the need to use them in the future. In the times of the GDPR, this approach to data cannot take place because each entity must define the purpose and conditions of data storage.


The GDPR was introduced in 2015 in place of the EU directive on the protection of personal data, which was in force for 20 years. The GDPR was a response to the rapidly changing market of new technologies. Technologies have become an increasingly important part of the economy, and their development has been steadily growing. Why was the introduction of the GDPR so important? Because GDPR is technologically neutral. This means that regardless of technological development, the provisions on the protection of personal data have effect in every place and at any time. Regardless of whether the processing of personal data takes place on a computer disk or on paper, the provisions of the GDPR regulate them in the same way.


The personal data administrator is responsible for data security, who de facto decides on the method of security. Depending on how sensitive the data is stored or processed, the method of their security may be different. As a consequence of this provision, institutions and enterprises that are dealing with sensitive data such as date of birth or PESEL of the user are obliged to store them securely.


From the programming point of view, the GDPR Regulation introduces two key concepts: privacy by design and by default. The first of them introduces the need for the administrator to enter the principles of personal data protection within the scope of the project. It must be a set of specific technological solutions and implementation of these principles. These include defining only data that is necessary for a given purpose, periodically erasing this data, ensuring appropriate levels of data access.


The second means that the maximum scope of personal data protection should be introduced by default. So if the project does not specify additional data requirements, the level of their security should meet the requirements of the GDPR.


In practice, this means that if any project concerns users' personal data, the principles of the GDPR should be taken into account.


This translates directly into software development. Wherever we deal with personal data, developers must take on their shoulders solutions that will serve to protect this data.


Get an estimate in 48h