GDPR Compliance in Software Development
Checklist, Roles, Hints
In software development since 1989 and in information security since 2003, ScienceSoft develops GDPR-compliant software helping ensure data confidentiality and integrity.
Schedule a call
GDPR-Compliant Software Development: The Gist
GDPR-compliant software development is aimed at building software with secure architecture, encryption mechanisms for in-transit and at-rest data, data backup mechanisms, etc. to ensure security of data subjects’ personal information.
|
|
Note: To get a closer look at GDPR requirements for software, you can see the guide by EU Commission. |
- Key steps of GDPR-compliant software development: eliciting GDPR-specific software requirements, planning secure architecture, GDPR-compliant UX and UI design, software development using secure coding practices, penetration testing.
- A team for GDPR-compliant software development: a GDPR compliance consultant, a project manager, a solution architect, a business analyst, UX and UI designers, software engineers, DevSecOps engineers, penetration testers.
GDPR-Compliant Software Development Plan
The specifics of a GDPR-compliant software development plan depend on the type of software and its functionality. Below, we provide a generalized plan of GDPR-compliant software development based on ScienceSoft’s experience in the domain.
Step 1. Requirements elicitation and analysis
At this stage, in addition to general functional and technical software requirements elaboration, ScienceSoft:
- Identifies what personal data (names, bank account details, etc.) needs to be collected, processed, and transferred by the new software.
- Helps with modelling consent for processing data subject’s information.
- Defines who has access to personal data.
- Helps decide on data retention period.
Step 2. Secure software architecture design and planning security features
At this stage, ScienceSoft’s team:
- Designs secure resilient software architecture.
|
|
Best practice: At ScienceSoft, a solution architect often works on architecture planning together with a GDPR consultant and a business analyst to achieve the desired level of software security and fully meet clients’ preferences. |
- Plans data archival/erasure mechanisms, including automated deletion upon request.
- Creates data flow diagrams.
- Creates logging architecture to enable data access, data modifications tracking, etc.
- Plans encryption for at-rest and in-transit data.
- Selects secure technology stack to support compliance.
Step 3. GDPR-compliant UX and UI design
Below are examples of GUI elements to support compliance:
- Precise and easy-to-understand consent forms.
|
|
Best practice: ScienceSoft recommends complementing a form with an explanation of how data subjects will benefit from data collection and processing and how they can withdraw consent. |
- An easy-to-scan privacy policy that describes the data processing methods, data storage period, and third parties able to access the data.
Step 4. Secure software development
At this stage, ScienceSoft’s developers:
- Create software front end and back end following the OWASP guidelines on secure coding.
|
|
Note: At ScienceSoft, we properly document each development step and conduct regular unit testing. |
- Implement data encryption, pseudonymization, or anonymization.
Simultaneously with development, we conduct regular code reviews to detect and further remediate vulnerabilities.
|
|
Best practice: At ScienceSoft, we facilitate security testing automation by adding static application security testing (SAST) and dynamic application security testing (DAST) to the CI/CD pipeline. This way, vulnerabilities in code can be identified as early as possible. |
Step 5. Software penetration testing
- Choosing the penetration testing approach (black box, gray box, or white box) and test execution.
- Report on the vulnerabilities found.
- Outlining preventive measures and recommendations on solving security issues.
|
|
ScienceSoft’s tip: It’s advisable to conduct penetration testing after any significant change in software and/or IT infrastructure. |
Step 6. GDPR-compliant software deployment
Our team proceeds with:
- Final review of security controls in software and IT infrastructure to meet GDPR standards.
- Preparing an incident response plan.
- Providing the required documentation (the description of personal data used in the system and its lifecycle, all parties that get access to personal data, the basis for collecting personal data, etc.).
GDPR-Compliant Software Development Services by ScienceSoft
Having 34 years of experience in software development and 20 years in information security, ScienceSoft’s team expertly plans and develops GDPR-compliant software.
Consulting on GDPR-compliant software development
For existing software:
- Reviewing the security of software architecture and database management system. Source code review and penetration testing.
- Preparing a plan on GDPR compliance remediation, if needed.
For future software:
- Business needs analysis and requirements engineering.
- Business case development.
- Secure architecture, UX and UI design and integrations planning.
- Creating a roadmap for secure software development.
Development of GDPR-compliant software
- Requirements elicitation and analysis.
- Secure architecture design.
- GDPR-compliant UX and UI design.
- Software development using secure coding practices and GDPR-compliant software development tools.
- Secure CI/CD configuration.
- Quality assurance.
- Security testing.
- Software maintenance and security monitoring.
Our Happy Clients
ScienceSoft brought to the table substantial expertise in iOS and Android application development and a customer-centered approach to the application design. They proved to be a reliable and agile technology partner. We especially appreciate their professional approach to security, which was among our main concerns due to strict regulations.
Khalid Ahadov, Executive Director, Unibank
We commissioned ScienceSoft to carry out penetration testing of our external and internal infrastructure, including penetration testing of a communication web app. The team conducted penetration testing in line with all our requirements, one of which was performing the project within the EU borders in order to comply with the GDPR regulations.
Ilya Ostrovskiy, Chief Product Officer, Apifonica
Roles on ScienceSoft’s GDPR-Compliant Development Team
The team composition may vary depending on the project goals and scope. Below we describe sample roles on ScienceSoft’s team engaged in GDPR-compliant software development:
Project manager
- Provides time and budget estimates, schedules the project and ensures adherence to deadlines.
Business Analyst
- Defines and documents functional and non-functional software requirements, including requirements specific to GDPR.
- Prepares a software requirements specification (SRS).
System architect
- Decides on software architecture and technological stack taking into account security and resilience requirements.
Data engineers
- Develop databases and map data flows to ensure secure data storage and transfer.
- Set custom access controls.
Security engineers/DevSecOps
- Conduct static and dynamic application security analysis, add SAST and DAST to CI/CD pipeline.
- Configure application and network security monitoring tools.
Software engineers
- Develop front end and back using secure coding practices and GDPR-compliant software development tools.
Penetration testers
- Define goals, source data, and scope of the target environment.
- Prepare penetration scripts and tests.
UX and UI designers
- Build UX wireframes or mockups.
- Work out GUI elements to comply with GDPR.
GDPR compliance consultant
- Conducts gap analysis and creates a roadmap on achieving compliance.
- Ensures all data protection measures are well-documented to be demonstrated within a GDPR compliance audit.
Sourcing Models for GDPR-compliant Software Development
Tools We Use in GDPR-Compliant Software Development
We have outlined several pentesting tools ScienceSoft prefers for detecting and analyzing security vulnerabilities in software and its infrastructure:
Nmap
Best for
Network penetration testing.
Description
An open-source tool for promptly scanning remote and local networks and single hosts.
- Detecting a host within the network, free and occupied ports, and all services on the target host.
- Determining the host essence (web server, mail service, etc.), which facilitates planning of further penetration testing.
- Convenient command-line and graphical interfaces with many scanning techniques.
- Suitable for diverse operating systems, including Linux, Windows, BSD and Mac.
- Scan results can be exported to a text file, XML, or plain text.
Pricing
Open source.
Wireshark
Best for
Vulnerability assessment and network traffic analysis.
Description
Packet analyzer for troubleshooting network security problems.
- Provides deep examination of multiple protocols.
- All captured packets are shown on a dashboard with detailed data on each unit (time, source, destination, protocol name, length).
- Extensive display filters enhance sorting out different packet types.
- Runs on Windows, Linux, Mac, Solaris, FreeBSD, NetBSD, and more.
- Scan results can be exported XML, PostScript®, CSV, or plain text.
Pricing
Open source.
Metasploit Framework
Best for
All types of penetration testing.
Description
A Ruby-based modular penetration testing framework designed to detect server and network vulnerabilities.
- Provides modules (exploits, encoders, payloads, auxiliaries and posts) needed for the full penetration testing lifecycle.
- Offers more than 2,000 easy to navigate exploits and over 550 payloads.
- Convenient GUI with the function of visualizing targets and advising on exploits.
- Suitable for any platforms and programming languages.
- With msfdb, scan results can be imported from external tools, such as Nmap or Nessus.
Pricing
Open source.
Cost Factors for GDPR-Compliant Software Development
Besides general software development costs factors like the complexity of business workflows to cover and the presence of advanced technologies, the cost of GDPR-compliant software development depends on the level of security you want to achieve. These specific factors include:
- The number and complexity of security features (cryptography, audit trail, etc.).
- The amount of data that needs to be encrypted, pseudonymized, anonymized.
- The amount of software documentation needed for final GDPR compliance audit.
- The scope of penetration testing and the number of penetration testing iterations.
About ScienceSoft
In software development since 1989, ScienceSoft is a global IT consulting and software development company headquartered in McKinney, Texas. We have 20 years of experience in information security, a vast pool of experienced security engineers, software architects, and developers trained in secure software coding. Following the OWASP guidelines, we design and develop highly secure GDPR-compliant solutions.