On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps.
The guidance consists of 17 recommendations, each covering a key principle supported by additional advice and examples. Below, we list all 17 of these recommendations and provide a brief summary of the CNIL’s advice related to each.
- Comply with the GDPR throughout the development process. This recommendation sets out 5 action steps to ensure that personal data and processing operations are protected throughout the life cycle of an online development project, including:
- Acquaint yourself with the main principles of the GDPR;
- Map and categorize personal data processing operations in your systems;
- Prioritize and manage risks;
- Implement any needed internal processes to ensure compliance; and
- Document how your website or application complies with the GDPR.
- Identify personal data. This recommendation focuses on helping developers understand the broad concept of “personal data” and also defines other key terms (e.g., “processing”, “purpose”, “anonymization” and “pseudonymization”) to make clear how these concepts are applied under the GDPR.
- Apply privacy by design at the development phase. This recommendation explains how to integrate privacy-by-design principles at the development phase, including “methodological” choices (e.g., the configuration of default privacy settings and completion of a DPIA) and technological choices (e.g., security controls, systems architecture, and programming standards).
- Secure the development environment. This recommendation gives guidance on how developers can appropriately secure the testing and production environment, including the configuration and integration of servers and workstations, as well as the use of state-of-the-art cryptography, strong authentication methods, and automated analysis of systems logs.
- Safeguard your source code. This recommendation promotes the use of source code management tools, strong authentication controls and user permissions, and regular backups of the source code manager. It also lists certain indicators for configuring the source code manager and ensuring the quality of the code over time.
- Make an informed choice about architecture. This recommendation focuses on identifying personal data that will be processed in order to define an appropriate data life cycle. It also advises to choose data service providers (e.g., local storage, server, cloud service) in accordance with the developer’s needs and technical knowledge.
- Secure websites, applications and servers. This recommendation lists various state-of-the-art security measures that developers should consider implementing.
- Minimize the collection of personal data. This recommendation advises developers to determine – before they collect personal data – whether they actually need the data, and to generally limit the collect personal data to what is strictly necessary. In this regard, the CNIL also recommends setting up an automatic erasure mechanism.
- Manage users. This recommendation sets out best practices on how to manage user access rights, profiles, passwords, administrative privileges, and so forth.
- Master libraries and SDKs. This recommendation provides tips on how to integrate libraries, SDKs and other software components written by third parties, without the developer losing control over the developed software. It also recommends auditing libraries and SDKs and examining what personal data is sent through these channels.
- Ensure code quality through documentation. This recommendation advises documenting the code and the architecture to ensure better control over the code’s quality (e.g., to reduce efforts related maintenance, audits and bug fixes).
- Test applications. This recommendation advises automating tests of apps and integrating regular tests into the developer’s business strategy.
- Inform people. This recommendation explains how developers can fulfill their transparency obligations under the GDPR by specifying who to inform, when to do it, what information to give, and how the information should be provided, as well as how to communicate data breaches to the CNIL and (if required) to affected persons.
- Implement processes to facilitate the exercise of data protection rights. This recommendation sets out the minimum measures that developers should implement to ensure that data subjects can exercise their data protection rights and controllers can appropriately respond to them. It also establishes best practices for responding to each type of the data protection rights request.
- Administer proper data retention periods. This recommendation advises developers to categorize personal data into 3 life cycle stages: (i) active base (e.g., presently in use); (ii) intermediate archiving; and (iii) final archiving and deletion/destruction.
- Ensure a valid legal basis. This recommendation identifies the various legal bases for processing personal data under the GDPR that developers may rely upon, as well as what factors to consider when choosing the appropriate legal basis.
- Monitor websites and app traffic. Finally, this recommendation instructs developers on how to implement audience measurement tools in a GDPR-compliant way.
This is the second guide published by the CNIL in relation to compliance with the GDPR in the online context. Earlier this month, the CNIL published a draft guidance on cookies and similar technologies.