GDPR or EU Data Protection Act
The proposed new EU GDPR [General Data Protection Regulation] law extends the scope of the EU data protection regulation to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these GDPR acts; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
The General Data Protection Regulation applies if the data controller (the organization that collects data from EU residents), the processor (the organization that processes data on behalf of the data controller, e.g., cloud service providers) or the data subject (the person) is based in the EU. Furthermore, the GDPR also applies to organizations based outside the European Union if they collect or process personal data of EU residents. According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
Many EU companies are getting the benefit of working with software developers in Ukraine. Our guys are great! The new GDPR law brings a challenge to their work because developers are not eligible to work with personal data of EU users. We came up with the following model to keep supporting our Clients from Ukraine:
- The live server must be in the EU / UK. Access to the live server must be restricted.
- The staging environment must be in the EU / UK (the staging environment is used to test newer versions of the software before it is moved live, into production).
- Together with the Client, we identify all the fields in the project that can identify a person.
- We develop a script that copies the production database to the staging server and anonymizes the personal data. After that, the development team works only with an internal user ID.
- The development environment may be in the EU / UK or local. Developers use the anonymized staging database when they need to debug.
- We at Ukad use continuous integration for all our projects. It means that deployments to the staging and live environments are fully automated, so no team member needs access to the live and staging servers.
- In the worst-case scenario, we have a DevOps engineer in our Poland office who can access the server and fix any issue.
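A minimal version of the anonymization step from the model above, as an added example (this is not Ukad's actual script). The sample rows, the list of personal fields and the secret are constructed assumptions; the point is that the internal user ID and non-personal columns survive unchanged while every identifying value is replaced by a stable, non-reversible token:

```python
import hashlib
import hmac

# Constructed sample rows standing in for a dump of a production "users" table.
PRODUCTION_ROWS = [
    {"id": 101, "name": "Anna Kowalska", "email": "anna@example.com",
     "ip": "203.0.113.7", "plan": "pro"},
    {"id": 102, "name": "Bob Smith", "email": "bob@example.org",
     "ip": "198.51.100.9", "plan": "free"},
]

# Assumed outcome of the "identify all the fields" step agreed with the Client.
PERSONAL_FIELDS = {"name", "email", "ip"}


def pseudonym(field, value, secret):
    """Replace a value with a keyed-hash token.

    The same input always yields the same token, so joins and uniqueness
    constraints still behave on staging, but the token cannot be reversed
    without the secret, which stays with the copy job in the EU.
    """
    digest = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
    if field == "email":
        return f"user-{digest}@example.invalid"  # keeps email validation happy
    return f"{field}-{digest}"


def anonymize(rows, personal_fields, secret):
    """Return a copy of rows with every personal field pseudonymized."""
    out = []
    for row in rows:
        clean = dict(row)  # never mutate the source rows
        for field in personal_fields:
            if clean.get(field) is not None:
                clean[field] = pseudonym(field, clean[field], secret)
        out.append(clean)
    return out


def leaks(original_rows, anonymized_rows, personal_fields):
    """Post-copy check: list any original personal value that still appears anywhere."""
    originals = {str(r[f]) for r in original_rows for f in personal_fields if r.get(f)}
    return [v for r in anonymized_rows for v in map(str, r.values()) if v in originals]
```

Running `leaks()` after the copy is the check worth wiring into the pipeline: an empty list means the staging copy carries no value the Client's field list marked as personal.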