A New GDPR Solution for Application Development

Developed in partnership with a large tech company client

“Don’t GDPR me, bro!”

I overheard someone say this to a barker on the floor at RSA. The number of products promising to help meet General Data Protection Regulation compliance is overwhelming, especially since a lot of them seem to “stretch” at best and “snake oil” in some cases.

We need a unique value proposition to even attempt this messaging.

Why should anyone listen to Security Compass when it comes to GDPR compliance?

We are the professionals who help 5 of the top 15 banks, as well as major technology companies. We build privacy and security into their applications, through our “SD Elements” offering.

SD Elements translates legalese to code and presents that information in Jira

GDPR was written by a consortium of lawyers and privacy experts, and its 173 articles can be difficult for developers to understand and implement.

SD Elements is unique on the market: its knowledge base helps teams translate “legalese” to “code.”

If you describe your application in SD Elements, it will sift through the GDPR (and around 20 other compliance frameworks) and figure out which requirements apply to your specific software project. It will then present coding guidance to the developers in a language that they understand (namely, code), in a system that they prefer to use (ALM systems, like Jira and TFS). It does the same thing for QA teams so that they know how to test whether the GDPR requirements are met.

It’s the only time-efficient way to ‘shift left’ with GDPR

Data Protection by Design and Default (Article 25) is a GDPR requirement that says you must build in security and privacy controls as you design and implement your applications. Unfortunately, there are 173 articles and minimal guidance regarding how to implement them in the various contexts that your developers are likely to encounter (for example, encrypting data at rest is really different on an iPhone versus a Java web app).

You can use SD Elements to rapidly “profile” your project and get tailored, actionable guidance (and code samples), starting as early as the design phase.

SD Elements will even provide all the GDPR requirements listed out as “use cases” and automatically create Jira stories to accelerate the process.

Deduplicate work and reduce developer overhead

If you have to comply with more than one regulation, such as GDPR, GLBA, PCI, HIPAA or SOX, you can create a single SD Elements profile, and it will deduplicate and harmonize all the requirements and synchronize them with Jira.

You do NOT have to go through multiple audits; you can build the application properly the first time and then demonstrate compliance with any number of regulatory frameworks.

Automation is the only way to Agile and DevSecOps with GDPR

Agile’s shorter (“sprint”) planning cycles, compared with old-school Waterfall development approaches, mean there are not enough privacy engineers to perform privacy impact assessments across a portfolio of applications. In DevSecOps, the developers (and automated systems) have increased responsibility for the security, privacy, and compliance posture of their applications. But how can a software engineer be expected to know all the security, privacy, and compliance implications of GDPR in addition to other frameworks? With automation, that’s how!

Engineers need a self-service way to learn what controls are in scope for their particular application, based on the kind of data it is handling, what types of users it has (Europeans? Minors?), and what jurisdictions it will operate in. Then, they need the coding guidance supplied to them in the proper programming language, not just a regurgitation of the privacy framework that requires them to interpret it.

SD Elements’ implementation of GDPR was developed in partnership with a large technology company

We developed SD Elements’ guidance for translating GDPR into actionable code and then shared the profiling rules and knowledge base content with the customer’s privacy engineering office. They have dozens of expert privacy engineers and very mature privacy engineering practices. They provided their insights and amendments, and we went through multiple rounds of review with their team. Today, SD Elements’ GDPR content is among the best in the industry.

We also went a step further and created two reports for GDPR: one for auditors and one for implementers.

The GDPR audit report takes all the software engineering-related articles for GDPR and presents all the controls in the order the auditor would expect. The report shows which controls were in scope, who implemented each one, and when it was implemented, as well as who tested each one and when it was verified.

The Agile GDPR report contains the same information, but instead of presenting it as an auditor would want to see it, it describes each of GDPR’s demands as familiar user stories, which are more helpful for software engineers.

For example:

Description: As a data custodian, I want to be able to archive personal data lawfully with the appropriate safeguards so that I can ensure the privacy and safety of archived data. (GDPR: Article 89 / Recital 156)

Many companies promise GDPR-compliant products, but few actually accomplish this goal, leaving many clients skeptical. The GDPR’s exhaustive list of 173 articles was developed by legal professionals, and it was written in terms that developers can’t readily understand. That’s where SD Elements fills a crucial gap. It’s able to quickly translate “legalese” to code, and it delivers custom-made security instructions to developers in language they understand.

SD Elements isn’t just compatible with the GDPR; it works with a number of other regulatory frameworks as well. With a growing emphasis on Agile development and shorter sprint cycles, there’s limited time for checking security compliance — which increases the need for lightweight, scalable processes like those implemented in SD Elements.

If you’d like to know more about SD Elements, you can self-study here or reach us at [email protected].

Author: Eric Heitzman, Director of Business Development at Security Compass