Pseudonymity by default: An alias must be created for each person, and the person’s identity data must be stored in a fully partitioned area, separate from other user data (for example, personal account information in an application or software platform).
The right to be forgotten: Every EU citizen has the “right to be forgotten”, which means that, upon request, companies are obliged to give up all personal data related to a certain person. Therefore, your software or database should include tools that allow you to isolate and delete personal data as needed.
Right to data portability: According to this requirement, users must retain the ability to transfer their personal data from one service provider to another. The company must configure the software to allow users to do this.
Mandatory reporting of security incidents involving personal data: The IT company must inform the affected users and the ANSPDCP (National Authority for the Supervision of Personal Data Processing) within 72 hours. Therefore, the IT company needs to detect the incidents in a very short period of time. When developing software or a mobile application, it is generally best to maximize security measures and include a security incident detection and reporting tool that can send notifications to the technical team (in real time if possible).
Privacy by design: GDPR requires privacy by default, which means that the software, mobile application, or website must, by default, provide users with the highest level of security and privacy. For example, instead of automatically using a person’s name or email address as their username, the software should provide a completely random username during the account creation process.
Informed consent: Users must be allowed to provide informed consent for the collection and processing of their data. A common example of informed consent is the checkboxes shown when you sign up for an account on websites, software platforms, and mobile applications. In most cases, these checkboxes should not be checked by default; the user must check them manually.
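The pseudonymity, right-to-be-forgotten, portability and random-username points above can be combined in one storage design. The sketch below is an added example, not code from the original page; the table names, function names and sample user are assumptions, and two in-memory SQLite connections stand in for two fully partitioned stores.

```python
import json
import secrets
import sqlite3

def open_stores():
    # Two connections model two partitioned stores; in a real deployment
    # these would be separate databases with separate credentials.
    identity = sqlite3.connect(":memory:")
    activity = sqlite3.connect(":memory:")
    identity.execute("CREATE TABLE person (alias TEXT PRIMARY KEY, name TEXT, email TEXT)")
    activity.execute("CREATE TABLE event (alias TEXT, action TEXT)")
    return identity, activity

def create_account(identity, name, email):
    # The alias doubles as a random username, never derived from name or email.
    alias = "u_" + secrets.token_hex(8)
    identity.execute("INSERT INTO person VALUES (?, ?, ?)", (alias, name, email))
    identity.commit()
    return alias

def record_event(activity, alias, action):
    activity.execute("INSERT INTO event VALUES (?, ?)", (alias, action))
    activity.commit()

def export_user(identity, activity, alias):
    # Portability: everything held about one person, in a machine-readable form.
    row = identity.execute(
        "SELECT name, email FROM person WHERE alias = ?", (alias,)).fetchone()
    if row is None:
        raise KeyError(alias)
    events = [a for (a,) in activity.execute(
        "SELECT action FROM event WHERE alias = ? ORDER BY rowid", (alias,))]
    return json.dumps({"alias": alias, "name": row[0], "email": row[1],
                       "events": events}, sort_keys=True)

def forget_user(identity, activity, alias):
    # Erasure: remove the identity record and the pseudonymous activity rows.
    n = identity.execute("DELETE FROM person WHERE alias = ?", (alias,)).rowcount
    activity.execute("DELETE FROM event WHERE alias = ?", (alias,))
    identity.commit()
    activity.commit()
    return n == 1

if __name__ == "__main__":
    ident, act = open_stores()
    alias = create_account(ident, "Ana Example", "ana@example.test")  # constructed sample
    record_event(act, alias, "login")
    print(export_user(ident, act, alias))
    print(forget_user(ident, act, alias))
```

Because the activity store only ever sees the alias, a request to isolate, export or delete one person's data reduces to a lookup on a single key.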