Video


Practical ways to protect personal data in web applications in accordance with the GDPR

Posted: by Wojciech Najman

Category: gdpr | data security | application security | gdpr audit | security audit |

Each creator of a web product or application on which personal data is processed is obliged to secure them by implementing the GDPR. Therefore, the application should contain several functionalities that increase the protection of data provided by users. How can a product designer ensure information security in accordance with the applicable GDPR rules?

The Data Protection Regulation (GDPR) contains detailed requirements that must be met by enterprises and organizations, including the collection, storage and processing of personal data. Personal data is any information about a specific person or an identifiable person and includes the following information: name, address, ID / passport number, income, cultural characteristics, IP address, data identifying the person for medical purposes. The personal data administrator is responsible for the data security provided.

The above-mentioned information requires appropriate protection so that it does not fall into the wrong hands and thus is not used illegally. Therefore, the website or application that collects user data is obliged to protect data in accordance with the GDPR regulation. How can the website builder ensure the required data security? The most common ways are:

  • the possibility of completely removing the user and his personal data from the database – when the data is no longer needed for the purpose of processing, a natural person may ask the administrator to delete it. There are some exceptions to this rule: for example, payment-related data or system-critical data - neither data nor the user assigned to it can be deleted,
  • the website must publish the privacy policy in a visible place and describe in it what the protection and processing of users' personal data is - the document should precisely describe the purpose of data collection, entities to which it will be transferred and who the personal data administrator is,
  • password policy – appropriate strength of passwords and, if possible, their cyclical change as a means of securing user accounts against hacking. The application for entering the password should force the user to use a password with complicated content that is more difficult to break, and additionally remind the user to change it,
  • use of an encrypted connection (SSL) – in order to encrypt all user communication with the website and protect his credentials and personal data, an encrypted connection should be introduced SSL is a protocol that enables the encryption of the information stream that runs between the user of a website and the server of that website. It guarantees that the transmitted data is safe and confidential,
  • continuous verification of cybersecurity and GDPR compliance – in order to strengthen data security, especially when adding new functions to a website or application, regular security checks should be carried out and any gaps or vulnerabilities should be reacted quickly.

Failure to comply with the provisions of the GDPR may lead to the imposition of high fines, up to EUR 20 million or 4% of the company's global turnover. In addition, the data protection authority may order additional corrective measures, such as no longer processing personal data. Therefore, in case of any doubts, it is worth conducting a GDPR compliance audit, which is performed on both web and mobile applications.

Lemlock ebook. Expert Guidebook: Three vievs on cybersecurity
Udostępnij
Read more:
Step-by-step preparation for GDPR - checklist
GDPR

Step-by-step preparation for GDPR - checklist
An overview of the Regulation and its most frequently discussed issues
GDPR

An overview of the Regulation and its most frequently discussed issues
How was GDPR introduced? Facts.
GDPR

How was GDPR introduced? Facts.
Are you interested in a comprehensive solution
for your data security?
Consent to  data processing for contact purposes
I confirm that I have read the  information clause of Sagiton Sp. z o.o.

I hereby give consent to the processing of my personal data by the Personal Data Controller (hereinafter: "PDC") – Sagiton Sp. z o.o. ul. Fabryczna 19, 53-609 Wrocław, within the scope of: full name, e-mail address or telephone number, for the purpose of sale of products and services of Sagiton Sp. z o.o. and for the purpose of sending me feedback and making contact with me by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the removal of my personal data from the PDC Sagiton Sp. z o.o. database, by sending an e-mail to [email protected], or a letter to Sagiton Sp. z o.o., ul. Fabryczna 19, 53-609 Wrocław, with a statement containing the relevant request, which shall result in the deletion of my personal data from the PDC Sagiton Sp. z o.o. database; I have the right to access my data; providing my data is voluntary, however refusal to provide it is tantamount to not receiving information regarding sale of products and services of Sagiton Sp. z o.o., as well as not receiving feedback and making contact with me by Sagiton Sp. z o.o.

In accordance with Art. 13 section 1 of the General Data Protection Regulation of 27 April 2016, (GDPR), we would like to inform you that the controller of your personal data is Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław, e-mail: [email protected].

Your personal data shall be processed within the scope of: full name, e-mail address and/or telephone number in order to answer your question/request for contact and send feedback – pursuant to Art. 6 section 1 (a) of the GDPR, i.e. consent to the processing of personal data.

The data controller would like to inform you that your personal data shall not be disclosed to third parties.

Your data shall not be transferred outside of the European Economic Area or to international organizations.

Your personal data shall be processed until you withdraw your consent to the processing of data, as well as if the purpose for processing this data shall no longer be applicable.

You have the right to access your personal data, rectify it, delete it, restrict its processing, the right to transfer it, as well as the right to object.

In the case of giving your consent, you have the right to withdraw it at any time. Exercising the right to withdraw the consent does not affect the processing carried out before the consent was withdrawn.

You have the right to lodge a complaint with the supervisory body, i.e. the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.

Providing your personal data is a prerequisite for making contact with you by Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław. In the case of not providing your personal data, Sagiton Sp. z o.o., shall not be able to contact you.

The Data Controller, Sagiton Sp. z o.o., would like to inform you that they shall not use your personal data for automated decision-making, which is based solely on automated processing, including profiling, and has legal effects for you or affects you significantly in a similar way.

Let's stay in contact