General Data Protection Regulation(GDPR) Compliance Expectations is a hot topic nowadays. Although the GDPR is European legislation, it has a global impact. That's why developers worldwide should need to understand the GDPR requirements. We believe that this resource will help web development teams to meet the expectations.

1. GDPR Compliance Expectations from the Development Team
Presented by: Mousume Haque
Senior Software Quality Assurance Engineer
Nascenia Ltd, Dhaka.

2. What is GDPR ?
GDPR is a regulation that requires businesses to protect the personal
data and privacy of EU citizens for transactions that occur within EU
member states. And non-compliance could cost companies dearly.
The European Parliament adopted the GDPR in April 2016, replacing an
outdated data protection directive from 1995. It carries provisions that
require businesses to protect the personal data and privacy of EU
citizens for transactions that occur within EU member states. The GDPR
also regulates the exportation of personal data outside the EU.

3. Why developer should concern about GDPR ?
It has already come into effect from May 25th, 2018. It changes
European privacy rules. One monumental change is the introduction of
the Privacy by Design and Privacy by Default Framework. It is important
to clarify that although the GDPR is European legislation, it will have a
global impact. The data of European citizens is protected, even when in
the systems of business outside of the EU. That is why developers
worldwide need to understand the new requirements.

4. What are the expectations from
development team ?
Developers are a key partner in helping companies adhere to the
GDPR's stronger privacy regulations. So there are so many expectations
from development team in many aspects as follows:
➢ Use fine-grained controls for developers: Many development
environments allow coders access to all data and every resource.
That violates GDPR's requirement.

5. What we do:
❏ Developers are restricted to much finer access controls and
privileges.
❏ In agile development access to sensitive data is limited.
❏ We maintain data access control.
What we don’t:
❏ We don’t hold any personal data.
❏ We don’t store any kind of personal data to anywhere.
Future plan:
❏ We can review GDPR compliance in every two months.

6. ➢ Key issues regarding data processing:
What we do:
❏ We record the legal reason for processing any kind of data.
❏ Always analyse what minimal data is required.
❏ We provide notices when data obtained mechanism has been
changed in our end.
What we don’t:
❏ We don’t process any data without client’s confirmation.

7. Future plan:
❏ We can periodically review how we seek record and manage
consents for acquiring new data into the system to meet GDPR
compliance.
➢ Communication:
Communication with users/customers is the key and very essential
according to GDPR compliance.
What we do:
❏ We communicate with users/customers at the initial design
stages and throughout the complete development process.
❏ If personal data will be kept, we let the user know for how long

8. ❏ we keep the personal data and why/how their data is being
used.
❏ We maintain clear communication with clients, also when
something backfires.
❏ If any data breach happens, we always ready to report the
user/customer and the EU within 72 hours.
What we don’t:
❏ Till now we didn’t breach any data and charged for any of this
occurrence from client end.
Future plan:
❏ No action point is set yet regarding communication.

9. ➢ Individual’s rights:
What we do:
❏ We permit our user to access their own data.
❏ They rectify and erase their own data.
❏ They have the right to their own data portability.
What we don’t:
❏ We don’t keep any record when users modify their data.
Future Plan:
❏ We can keep logs when users modify or delete any data for
transparency.

10. ➢ Data retention:
What we do:
❏ We don’t delete any data which is no longer needed without
client’s permission.
What we don’t:
❏ We didn’t mention the retention period of our data.
❏ We didn’t keep record what data we are deleting and when we
are deleting.
Future plan:
❏ We can maintain a record for any kind of data deletion.

11. ➢ Development & Deployment:
What we do:
❏ Depending on project type and delivery date we follow Waterfall
or Agile development.
❏ We deploy in staging/test server first and after completing QA
we give the final deployment in production server.
What we don’t:
❏ We don’t push staging/test data to production server.
❏ We don’t dump production data to staging server without
client’s permission.

12. Future plan:
❏ We can check the compliance for a particular country when we
store the data in a server where a server is located in that
particular country.
➢ Cookie Policies:
What we do:
❏ We provide pop up notice while we are tracking cookies.
What we don’t:
❏ We don’t inform our users about tracking services like google
analytics has been integrated into our site through the cookie
policy.

13. Future plan:
❏ We can inform users when we integrate any kind of tracking
services.
➢ Security:
What we do:
❏ We integrate SSL to our sites.
What we don’t:
❏ We don’t hold any kind of credit card data.

14. Future plan:
❏ We can make our sites to support Pseudonymization
(Pseudonymization is a data management and de-identification
procedure by which personally identifiable information fields
within a data record are replaced by one or more artificial
identifiers, or pseudonyms.)

15. Thank You