GDPR Compliance in Software Development
Checklist, Roles, Hints
In software development since 1989 and in information security since 2003, ScienceSoft develops GDPR-compliant software helping ensure data confidentiality and integrity.
GDPR-Compliant Software Development: The Gist
GDPR-compliant software development is aimed at building software with secure architecture, encryption mechanisms for in-transit and at-rest data, data backup mechanisms, etc. to ensure security of data subjects’ personal information.
Note: For a closer look at GDPR requirements for software, see the guide published by the EU Commission.
- Key steps of GDPR-compliant software development: eliciting GDPR-specific software requirements, planning secure architecture, GDPR-compliant UX and UI design, software development using secure coding practices, penetration testing.
- A team for GDPR-compliant software development: a GDPR compliance consultant, a project manager, a solution architect, a business analyst, UX and UI designers, software engineers, DevSecOps engineers, penetration testers.
GDPR-Compliant Software Development Plan
The specifics of a GDPR-compliant software development plan depend on the type of software and its functionality. Below, we provide a generalized plan of GDPR-compliant software development based on ScienceSoft’s experience in the domain.
Step 1. Requirements elicitation and analysis
At this stage, in addition to general functional and technical software requirements elaboration, ScienceSoft:
- Identifies what personal data (names, bank account details, etc.) needs to be collected, processed, and transferred by the new software.
- Helps model consent for processing data subjects’ information.
- Defines who has access to personal data.
- Helps decide on the data retention period.
Step 2. Secure software architecture design and planning security features
At this stage, ScienceSoft’s team:
- Designs a secure, resilient software architecture.
Best practice: At ScienceSoft, a solution architect often works on architecture planning together with a GDPR consultant and a business analyst to achieve the desired level of software security and fully meet clients’ preferences.
- Plans data archival/erasure mechanisms, including automated deletion upon request.
- Creates data flow diagrams.
- Designs a logging architecture to track data access, data modifications, etc.
- Plans encryption for at-rest and in-transit data.
- Selects a secure technology stack to support compliance.
Step 3. GDPR-compliant UX and UI design
Below are examples of GUI elements to support compliance:
- Precise and easy-to-understand consent forms.
Best practice: ScienceSoft recommends complementing a form with an explanation of how data subjects will benefit from data collection and processing and how they can withdraw consent.
Step 4. Secure software development
At this stage, ScienceSoft’s developers:
- Create software front end and back end following the OWASP guidelines on secure coding.
Note: At ScienceSoft, we properly document each development step and conduct regular unit testing.
- Implement data encryption, pseudonymization, or anonymization.
Simultaneously with development, we conduct regular code reviews to detect and further remediate vulnerabilities.
Best practice: At ScienceSoft, we facilitate security testing automation by adding static application security testing (SAST) and dynamic application security testing (DAST) to the CI/CD pipeline. This way, vulnerabilities in code can be identified as early as possible.
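As an added example (not ScienceSoft’s code), the Python sketch below ties together three items from Steps 1, 2 and 4: keyed-hash pseudonymization of identifiers, a retention period with automated erasure plus erasure on request, and an audit log of every access. The demo key, the store class and the actor names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key: in production it lives in a KMS/HSM, never in source.
PSEUDONYM_KEY = b"demo-key-rotate-me"

def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: stable token for joins, irreversible without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

class PersonalDataStore:
    def __init__(self, retention_days: int, clock=time.time):
        self.retention_secs = retention_days * 86400
        self.clock = clock           # injectable for testing retention logic
        self.records = {}            # pseudonym -> record fields
        self.audit_log = []          # who did what to which pseudonym, and when

    def _log(self, actor: str, action: str, token: str) -> None:
        self.audit_log.append({"ts": self.clock(), "actor": actor,
                               "action": action, "subject": token})

    def store(self, actor: str, email: str, consent: bool, **fields) -> str:
        if not consent:  # no lawful basis recorded: refuse to collect at all
            raise PermissionError("consent not given; nothing stored")
        token = pseudonymize(email)  # raw identifier never reaches the store
        self.records[token] = {"created": self.clock(), **fields}
        self._log(actor, "create", token)
        return token

    def read(self, actor: str, token: str):
        self._log(actor, "read", token)  # every access is traceable
        return self.records.get(token)

    def erase(self, actor: str, email: str) -> bool:
        """Erasure on request: the audit entry keeps the token, not the data."""
        token = pseudonymize(email)
        removed = self.records.pop(token, None) is not None
        self._log(actor, "erase", token)
        return removed

    def purge_expired(self, now=None) -> int:
        """Automated deletion once the agreed retention period has elapsed."""
        now = self.clock() if now is None else now
        expired = [t for t, r in self.records.items()
                   if now - r["created"] > self.retention_secs]
        for t in expired:
            del self.records[t]
            self._log("retention-job", "erase", t)
        return len(expired)
```

The audit log never holds the raw identifier, so the log itself can be retained for compliance evidence without becoming a second copy of the personal data.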
Step 5. Software penetration testing
- Choosing the penetration testing approach (black box, gray box, or white box) and executing the tests.
- Reporting on the vulnerabilities found.
- Outlining preventive measures and recommendations for resolving the security issues.
ScienceSoft’s tip: It’s advisable to conduct penetration testing after any significant change in software and/or IT infrastructure.
Step 6. GDPR-compliant software deployment
Our team proceeds with:
- Final review of security controls in software and IT infrastructure to meet GDPR standards.
- Preparing an incident response plan.
- Providing the required documentation (the description of personal data used in the system and its lifecycle, all parties that get access to personal data, the basis for collecting personal data, etc.).
GDPR-Compliant Software Development Services by ScienceSoft
Having 34 years of experience in software development and 20 years in information security, ScienceSoft’s team expertly plans and develops GDPR-compliant software.
Consulting on GDPR-compliant software development
- Reviewing the security of software architecture and database management system. Source code review and penetration testing.
- Preparing a plan on GDPR compliance remediation, if needed.
- Business needs analysis and requirements engineering.
- Business case development.
- Secure architecture, UX and UI design and integrations planning.
- Creating a roadmap for secure software development.
Development of GDPR-compliant software
- Quality assurance.
Our Happy Clients
ScienceSoft brought to the table substantial expertise in iOS and Android application development and a customer-centered approach to the application design. They proved to be a reliable and agile technology partner. We especially appreciate their professional approach to security, which was among our main concerns due to strict regulations.
Khalid Ahadov, Executive Director, Unibank
We commissioned ScienceSoft to carry out penetration testing of our external and internal infrastructure, including penetration testing of a communication web app. The team conducted penetration testing in line with all our requirements, one of which was performing the project within the EU borders in order to comply with the GDPR regulations.
Ilya Ostrovskiy, Chief Product Officer, Apifonica
Roles on ScienceSoft’s GDPR-Compliant Development Team
The team composition may vary depending on the project goals and scope. Below we describe sample roles on ScienceSoft’s team engaged in GDPR-compliant software development:
Project manager
- Provides time and budget estimates, schedules the project, and ensures adherence to deadlines.
- Ensures all secure software development standards are met at each project stage.
- Regularly reports to the client on progress.
Business analyst
- Defines and documents functional and non-functional software requirements, including requirements specific to GDPR.
- Prepares a software requirements specification (SRS).
DevSecOps engineers
- Develop databases and map data flows to ensure secure data storage and transfer.
- Set custom access controls.
- Conduct static and dynamic application security analysis and add SAST and DAST to the CI/CD pipeline.
- Configure application and network security monitoring tools.
- Identify and manage security issues at all SDLC stages.
- Support SecOps pipelines.
Software engineers
- Develop the front end and back end using secure coding practices and GDPR-compliant software development tools.
Penetration testers
- Define the goals, source data, and scope of the target environment.
- Prepare penetration testing scripts and test cases.
- Simulate cyberattacks on the software to reveal security weaknesses.
- Compose reports covering the tools used, the components tested, and the vulnerabilities exploited.
- Provide recommendations on vulnerability remediation.
UX and UI designers
- Build UX wireframes or mockups.
- Work out GUI elements to comply with GDPR.
GDPR compliance consultant
- Conducts gap analysis and creates a roadmap on achieving compliance.
- Ensures all data protection measures are well-documented to be demonstrated within a GDPR compliance audit.
Sourcing Models for GDPR-compliant Software Development
In-house GDPR-compliant software development
- Full control over the project.
- Extra efforts to establish security at each stage of SDLC.
- Lack of in-house devs with specific skills.
- Risks of insufficient documentation.
Turn to ScienceSoft if you need help with GDPR development process planning or other consulting services.
Team augmentation for GDPR-compliant software development
- On-demand expert help from a scalable development team with required skills.
- Balanced project costs.
- Management, QA, and project risks are fully/partially on your side.
Turn to ScienceSoft if you need GDPR experts to augment your software development team.
Outsourced GDPR-compliant software development
- A fully managed team with required skills.
- Established secure practices for GDPR-compliant software development.
- Transparent KPIs.
- Higher vendor risks.
Turn to ScienceSoft if you need a reliable ISO-certified vendor for GDPR-compliant software development.
Tools We Use in GDPR-Compliant Software Development
We have outlined several pentesting tools ScienceSoft prefers for detecting and analyzing security vulnerabilities in software and its infrastructure:
Network penetration testing.
An open-source tool for quickly scanning remote and local networks and single hosts.
- Detects hosts within the network, open and closed ports, and all services on the target host.
- Determines the host’s role (web server, mail service, etc.), which facilitates planning of further penetration testing.
- Convenient command-line and graphical interfaces with many scanning techniques.
- Runs on diverse operating systems, including Linux, Windows, BSD, and Mac.
- Scan results can be exported as plain text or XML.
Vulnerability assessment and network traffic analysis.
A packet analyzer for troubleshooting network security problems.
- Provides deep examination of multiple protocols.
- All captured packets are shown on a dashboard with detailed data on each packet (time, source, destination, protocol name, length).
- Extensive display filters make it easy to isolate particular packet types.
- Runs on Windows, Linux, Mac, Solaris, FreeBSD, NetBSD, and more.
- Capture results can be exported to XML, PostScript®, CSV, or plain text.
All types of penetration testing.
A Ruby-based modular penetration testing framework designed to detect server and network vulnerabilities.
- Provides the modules (exploits, encoders, payloads, auxiliaries, and posts) needed for the full penetration testing lifecycle.
- Offers more than 2,000 easy-to-navigate exploits and over 550 payloads.
- Convenient GUI with functions for visualizing targets and advising on exploits.
- Suitable for any platform and programming language.
- With msfdb, scan results can be imported from external tools such as Nmap or Nessus.
Cost Factors for GDPR-Compliant Software Development
Besides general software development cost factors, such as the complexity of the business workflows to cover and the use of advanced technologies, the cost of GDPR-compliant software development depends on the level of security you want to achieve. The GDPR-specific factors include:
- The number and complexity of security features (cryptography, audit trail, etc.).
- The amount of data that needs to be encrypted, pseudonymized, anonymized.
- The amount of software documentation needed for final GDPR compliance audit.
- The scope of penetration testing and the number of penetration testing iterations.
In software development since 1989, ScienceSoft is a global IT consulting and software development company headquartered in McKinney, Texas. We have 20 years of experience in information security, a vast pool of experienced security engineers, software architects, and developers trained in secure software coding. Following the OWASP guidelines, we design and develop highly secure GDPR-compliant solutions.