Legal Requirements

In this topic we will look at the Legal requirements when developing software.

While you may not be directly responsible for these elements, designing your software to take the requirements of legislation into account will make it easier to comply.

GDPR

The main piece of legislation we will need to deal with is the GDPR.

GDPR¹ (General Data Protection Regulation) came into force in 2018, and was aimed at updating previous data protection legislation to make it a better fit for the modern world, and provide consistency between members of the European Union.

Under GDPR Any organisation (including non EU ones) that handles the personal data of European citizens must comply with GDPR regulations, and there are fines of up to 20 Million Euros (~£17.5 Million) for failure to comply.

The 1998 DPA

GDPR superseded the UK's Data Protection Act (DPA) of 1998 It was needed, there had been huge changes in tech levels over those 20 years:

• Windows 98 was being Launched including the famous blue screen demo
• WiFi Wasn't Invented yet....
• Google was born and looked like this
• The Nokia 5510 was the must have fashion phone. And The Original Nokia 8810 was a "Top of the range" mobile phone.
• You Connected to the Internet over dial up
• The Coventry University Website Looked like this.

While GDPR directly regulates the data of European citizens, its model has been adopted by a number of countries. Similar legislation has also been adopted by the Californian Consumer Privacy Act²

Is GDPR A Good thing #GoodGDPR?

Before we get into details, lets see your Gut Feeling about GDPR.

Using the Feed on Aula and the tag #GoodGDPR? to discuss the following:

• What are your views on GDPR?
• Why do you think it this?
• Can you think of an example where GDPR has helped you?

Key Components of GDPR

GDPR ensures the rights of an individual data subject to understand the information that is collected about them, and how it is processed.

While the GDPR covers a lot of areas, the main one we are concerned about it are the privacy rights of users, processing of data, and the way we safeguard the data we store.

There are seven Key components of GDPR:

1. Consent You need a clear and affirmative action from an individual to possess and process their personal data.

2. Right to Access An individual has the right to know what personal data you have and what you are doing with it. You must provide them an electronic copy upon request.

3. Right to Erasure An individual has the right to require the deletion of their personal data if the continued processing is not justified.

4. Data Portability Individuals have the right to require companies transmit their personal data to another company.

5. Breach Notification Individuals must be notified with 72 hours of a data breach involving their personal data.

6. Privacy by Design Data protection must be incorporated into the design of systems from the beginning, not just added later. And companies can only hold and process the data absolutely necessary to complete its duties (data minimisation) and limit the access to that data.

7. Data Protection Officers Certain large-scale data processing companies must hire a Data Protection Officer, who acts independently to assess the company’s compliance to the regulations.

Not all of these components will directly affect us. For example, as developers we are unlikely to be responsible for employing a Data Protection officer (DPO).

How do we support GDPR? #supportGDPR

We have looked at the Components of GDPR, and an individuals rights. While not all of the components directly apply, as developers we will need to support them.

Using the feed on Aula and the tag #supportGDPR discuss:

• What Elements of GDPR can we support as developers?
• How could we implement functionality that supports these elements?

Legal Basis for processing.

Quote

“In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis"⁴

This means that to collect, or process data about individuals we need to provide an appropriate Legal Basis. Without this justification, any data collection or processing is illegal under the legislation.

Article 6³ of GDPR sets out several lawful bases for processing data.

a. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

b. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

c. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

d. Vital interests: the processing is necessary to protect someone’s life.

e. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

f. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

These bases also require the processing to be necessary, or a targeted way of achieving a specific purpose. You will have to demonstrate that the data collected is required, rather than useful.

Important

Different elements of your program may have different legal basis, For example in a travel app you may want to have some form of GPS based map.

It would be appropriate for this to be covered under Legitimate Interest, as without using the location data you would not be able to provide the service.

If you were to add an recommendations feature, that makes use of prior locations, to suggest where the user may want to visit next it may be use either Consent (we make the recommendations optional), or Legitimate Interest (its a travel app, and part of its core business is to help people find interesting sites) as the Legal Basis.

More Detail on Legal Basis.

Several of the bases are well defined, to avoid discussing all the options, The two most interesting bases are:

• Consent:⁵

  Here we give people the choice to have their data processed in a given way. This can give us a lot of flexibility, especially when we want to deal with data that may not be covered under one of the other bases. For example, consent from users can allow us to perform automated decision making, or transfer data overseas.

  However, we need to offer people a genuine choice and control over how the data is used. If we ask for consent for one form of processing, then perform another then it is not a lawful basis. Additionally, consent must be freely given, and require a positive action to opt-in. If there is no choice other than consent to use a service, this may not be an appropriate lawful basis. This means the organisations in positions of power over individuals should avoid relying on consent unless they can demonstrate it is freely given.

  Example

  Lets imagine your workplace wants to track your application usage, or uses Geo-location information, consent cannot be freely given, as it can be assumed that there may be negative consequences for not agreeing to the tracking.

  In this case the organisation would have to demonstrate another legal basis for the collection and processing of this information.

Another important element of consent, is that the user has the right to withdraw it at any time. This means you are obliged to stop processing information if the user withdraws consent, this applies to all data on a user, not just that collected after consent has been withdrawn.

• Legitimate Interest ⁶

  Legitimate interests are the most flexible of the bases. However, while it gives some freedom to process data according to business needs, it doesn't give us a right to do whatever we want and justify it as a business case, we still need to take into account the users rights.

  We can demonstrate a legitimate interest if it meets three criteria:

  1. Purpose, Are you perusing a legitimate interest? Does the interest meet your own business needs, those of a 3^rd party organisation or have wider commercial or societal benefits. The key point here is demonstrating that there is a benefit from processing the data in this way.
  2. Necessity Is the processing going to help you meet the purpose. Is this a reasonable way to meet the purpose, or can you do the same thing without relying on PII.
  3. Balance Can we balance your own interests against that of the individual. If you can justify a clear reason for processing data in this way then you are likely to have a legitimate interest. However, if you are processing data in a way that a user may not expect, or they are likely to disagree to, then you may need to reconsider.

  With legitimate interest you still need to tell the users you are processing the data using legitimate interests, and explain what these interests are.

How do Interests and Rights map.

The Legal Basis for processing, will effect the users rights. For example: Data users who's data processed under a Legal Obligation, (for example Criminal Records), won't automatically have the right for deletion.

	Right to Erasure	Right to Portability	Right to Object
Consent			Right to Withdraw consent
Contract			No
Legal Obligation	No	No	No
Vital Interest		No	No
Public Task	No	No
Legitimate Interest		No

Discussing Legal Basis #legalBasis

We have looked at the different Legal Basis for data processing under GDPR

For this discussion task, I would like you to consider what might be the most appropriate legal basis in the following scenarios. Use the feed to discuss the two scenarios using the tag #legalBasis

Scenario 1:

An organisation is looking into the way it stores job applicants’ personal details. It is legally required to store this information for six months, in case a candidate lodges a discrimination case.

However, the organisation decides it wants to retain the data for longer than this, because it foresees scenarios where an applicant wasn’t right for the role being advertised but they might be suitable for a future position.

Scenario 2:

A online retailer, wants to make use of previous data to make personalised recommendations for products. It also wants to use this information for direct marketing, sending details of offers that might interest the user.

Summary

In this article we have had a brief overview of GDPR, and some of the legal requirements when dealing with data that you should be aware of as a developer.

Note that the requirements here are primarily focused around PII, if you design the system based on the principle of minimal information, by avoiding collecting personal information you avoid this problem.

While at a junior level you probably wont be responsible for these elements, understanding the requirements can help understand implementation choices, and reduce the design life cycle for software.

---

1. What is the GDPR ↩

2. Californian Consumer Privacy Act ↩

3. GDPR Article 6 ↩

4. GRPD Recital 40 ↩

5. Consent (ICO) ↩

6. Legitimate Interests (ICO) ↩