What Software Developers Need to Know About Data Security Laws



An increasing trend toward data security laws, in response to the sharp rise in cybercrimes affecting private individuals, puts more focus on software applications’ abilities to protect consumer data and privacy. In 2018, the European Union launched sweeping regulation with its General Data Protection Regulation (GDPR) as a coordinated defense against breaches of EU citizen data. Other countries followed suit, with privacy laws now in effect in Australia, Japan, Brazil, South Korea and others. While the U.S. does not have a federal data security law yet, states like California protected citizen data by taking independent action and passing their own data security laws. This trend towards proactive data security has a direct impact on software developers and the products they provide to customers. Data security, privacy, and compliance with regulations have risen to the top of the non-functional requirements a developer must deliver with each new product.

Data Security Compliance Changes How Organizations Use Software

Organizations that fail to comply with data security laws such as GDPR and the California Consumer Privacy Act incur stiff penalties and can face legal action. The financial consequence of a data breach can be ruinous. IBM reported that each cyber incident costs US companies an average of $221 per compromised record.

As an ISV, you are not liable for a potential breach or failure to comply with regulations, but that doesn’t mean you shouldn’t consider compliance when creating new products for clients. In fact, it is in the best interest of your business to put yourself in your client’s shoes and solve their compliance challenges within your application itself.

The greatest compliance challenge for large organizations is data management, says Dr. David Brumley, co-founder and CEO of ForAllSecure. “Businesses need to keep track of where information is stored and [know] how to remove it. Sounds simple in theory. The fact is businesses use tons of different apps, from in-house to SaaS, and keeping track of their users’ information across all business logic can be complex.”

Facing this reality, businesses look for ISVs to protect data at the individual application level. Every application has its own data security controls, and those with the strongest regulations, most rigorous testing, and most transparent collection processes will overtake market ownership.

Consent and Transparency Simplify Compliance

If there is a unifying theme among the disparate laws and regulations around the country, and the world, it is informed consent. Giving users the choice of whether to share data—and what data they share—is the first step toward protecting the collecting organization from complaints, non-compliance fines, and legal actions. “The common theme is informed consent,” says Brumley. “The new laws and regulations are adding a modicum of guardrails where people can limit—at least on a case-by-case basis—what information is retained or shared about them.”

Transparent data collection and usage policies also protect organizations. At every data collection point, the application should explicitly state how data will be collected and for what purposes it will be used. The more transparent a company is about its data management, the greater the confidence and trust of its customers.

Confidence and trust are pillars of customer success, and they are fragile. Transparency and consent are only the beginning of data security protocols in software development. Rigorous security testing of individual applications and integrated systems is critical to protecting the data individuals chose to share with an organization. ISVs who build these into their regular service delivery have a powerful added value statement over the competition that leaves security up to their clients.

Prepare for Data Protection and Privacy Laws Now

Software is at the heart of the data protection issue, and ISVs must lead the transformation to smarter, more secure applications. Dr. Brumley concludes, “The three most important things are to explicitly track consent, have a plan for removing data, and track user personal information flow between business apps.”

Protecting data within your own database isn’t enough when your client uses an ETL process to integrate data from multiple applications. Cybersecurity must be holistic, starting at the application level and encompassing the ETL. This includes ingesting data without cleansing for data governance, producing clean data insights and models for business purposes, and tracking data removal across all related applications. Developers need to build solutions that make data integration smarter and more compliant—tracking consent, data storage, and data usage across a suite of applications.

Compliant Development Builds Relationships

Data is the lifeblood of organizational growth, innovation and customer experience. But along with the transformative insights data makes possible comes the concern of who data ultimately belongs to and who is responsible for safeguarding it from bad actors. Software is naturally at the center of this conversation, as the primary vehicle of data collection.

Far from a dilemma, this growing focus on data security is an opportunity for forward-thinking ISVs. Continue to seek out new models of data collection, management, and usage. Communicate openly with your clients to deeply understand their pain points in data collection and security. Become continuous learners of compliance regulations and data security laws in order to better predict the next challenge your customers will face. Be the trusted advisor clients turn to in moments of data security uncertainty. Developing applications and providing guidance that solve the pain points your clients know they have, and the ones they aren’t yet aware of, builds a relationship of trust that will ultimately grow your business.