Claus Lavendt, FileMaker DevCon 2018
Menu:
- Introduction
- What Is GDPR and Why Was It Introduced?
- Key Principles of GDPR: A Developer’s Perspective
- How FileMaker Systems Can Support GDPR Compliance
- GDPR for FileMaker Developers: Why It Matters
- Business Opportunities for FileMaker Developers Under GDPR
- Building GDPR-Compliant Solutions in FileMaker
- Case Studies: Real-world Applications of GDPR Solutions
- Conclusion: The Role of Developers in Shaping GDPR Compliance
Introduction
With the growing demand for data protection and privacy, the General Data Protection Regulation (GDPR) has become one of the most significant data protection laws in modern history. The regulation is not limited to European companies: it applies to any business that handles the personal data of EU residents, even if that business operates outside the EU.
This article explores the GDPR in depth, focusing on how it affects FileMaker developers and their role in ensuring compliance. While GDPR may seem like a burden at first, it also opens new opportunities for developers to add value to their clients. In this post, we will break down GDPR, explore how FileMaker systems can help achieve compliance, and discuss the business potential it offers to developers.
What Is GDPR and Why Was It Introduced?
Historical Context
The idea behind GDPR goes back to the post-WWII era, when Europe recognized the need to establish fundamental human rights. Among these rights was the right to privacy, which led to the creation of the European Convention on Human Rights in 1950. However, as the digital world evolved, privacy in the online and data-driven landscape started to erode.
In 1995 the internet was still in its infancy, and the digital privacy legislation written then is now severely outdated. For instance, the last significant privacy laws in Denmark were written in 1995, when dial-up modems and Netscape Navigator were considered cutting-edge technologies. Fast-forward to the 21st century, where personal data has become a new form of currency for businesses, and the need for an updated law became inevitable.
The Birth of GDPR
The General Data Protection Regulation (GDPR) came into force in May 2018 to protect personal data in a way that aligns with modern data usage practices. Its core focus is to return control of personal data to individuals, making it clear that personal data is not owned by companies but rather borrowed under specific terms. GDPR aims to safeguard the rights of EU residents by enforcing strict rules on how businesses collect, store, process, and share personal data. These rules also apply to companies outside the EU, making GDPR a global concern.
Key Principles of GDPR: A Developer’s Perspective
As FileMaker developers, it’s essential to understand the key principles of GDPR, not just from a legal perspective but also from a practical, technical viewpoint.
1. Personal Data Ownership and Consent
One of the most significant changes brought by GDPR is the understanding that personal data belongs to the individual, not the company. Companies are only temporary custodians of this data, and they must receive explicit permission from the individual to store or process it. This is not a one-time action; consent must be obtained whenever the company wants to use the data for a different purpose than originally stated. This requires clear and unambiguous consent from the user, which can be withdrawn at any time.
2. Transparency and Documentation
GDPR demands full transparency about what personal data is collected, why it’s collected, how it’s processed, and how long it’s stored. Developers must ensure that systems offer data flow transparency and detailed documentation of all data interactions. The days of vague privacy policies are over. Under GDPR, users must be informed in plain language about how their data is handled.
3. Security by Design
GDPR introduced the concept of Security by Design, which requires that security features be integrated into systems from the outset, not as an afterthought. This means that data encryption, access control, and auditing mechanisms should be part of the core architecture of any system handling personal data.
4. Right to Be Forgotten
One of the most revolutionary aspects of GDPR is the Right to Be Forgotten. This allows individuals to request the permanent deletion of their personal data from a company’s systems. Implementing this feature can be challenging for developers, particularly when dealing with legacy systems or complex databases. However, GDPR mandates that companies have the necessary tools and workflows to comply with such requests.
5. Privacy by Design
Similar to Security by Design, Privacy by Design requires developers to build systems that prioritize user privacy. This could mean minimizing data collection to only what is necessary, anonymizing personal data, or even deleting it after a certain period. Systems must have mechanisms to ensure data is only kept as long as it is legally and contractually necessary.
How FileMaker Systems Can Support GDPR Compliance
FileMaker provides a versatile platform that can help businesses navigate the complexities of GDPR compliance. Many features built into the FileMaker platform can be leveraged to support GDPR requirements.
1. Encryption at Rest
One of the most critical aspects of GDPR is the requirement to protect data from unauthorized access. FileMaker’s encryption at rest feature allows developers to encrypt the contents of a FileMaker database, ensuring that sensitive data is protected even if the physical server or storage medium is compromised.
2. SSL Encryption for Data Transmission
To comply with GDPR’s mandate for securing personal data during transmission, FileMaker developers must ensure that SSL encryption is used. This protects data as it moves between FileMaker Server and clients, making it harder for unauthorized parties to intercept or tamper with sensitive information.
3. Granular Account Privileges
FileMaker provides a robust account management system that allows developers to set highly granular privilege sets. This ensures that users only have access to the data they need to perform their tasks, which is critical for GDPR compliance.
4. Field-Level Encryption
For sensitive personal data such as social security numbers or health records, developers can implement field-level encryption to add an additional layer of security. Even if the database is compromised, this ensures that highly sensitive fields remain encrypted and unusable.
5. Audit Logging
GDPR requires businesses to log who has accessed personal data, when, and why. FileMaker’s logging features allow developers to track user activity, offering a critical compliance tool to ensure businesses can provide a full audit trail if required.
GDPR for FileMaker Developers: Why It Matters
FileMaker Developers as Data Processors
As developers working on systems that store, manage, or process personal data, we are classified as data processors under GDPR. This means we share legal responsibility for ensuring that the systems we build are compliant with the law. Even if we do not actively collect or manipulate the data, simply having access to it makes us responsible. This is why it’s essential to have clear data processor agreements in place with clients.
Co-Liability with Data Controllers
The primary responsibility for data compliance lies with the data controller—the organization that determines why and how personal data is processed. However, as data processors, we can be held co-liable if it’s found that we did not implement the necessary safeguards or if we knowingly allowed non-compliance.
Avoiding Fines and Damage to Reputation
Non-compliance with GDPR can result in fines of up to €20 million or 4% of a company’s global revenue, whichever is higher. For developers working with small businesses, this could easily put a client out of business. For larger organizations, the damage to reputation from a GDPR violation could be even more costly. As developers, we must help clients understand these risks and implement systems that mitigate them.
Business Opportunities for FileMaker Developers Under GDPR
GDPR presents a wealth of business opportunities for FileMaker developers who can offer solutions to help businesses comply with the law. Here are several avenues for expanding your services:
1. Building GDPR-Compliant Systems
FileMaker developers are well-positioned to help businesses build systems that comply with GDPR requirements. This could range from simple solutions like consent management forms to complex systems that include data encryption, logging, and automated data deletion workflows.
2. GDPR Consulting Services
Many businesses, particularly smaller ones, lack the internal resources to fully understand or implement GDPR. FileMaker developers can offer consulting services to help clients assess their current systems, identify gaps in compliance, and implement the necessary changes.
3. Creating Vertical Solutions
Vertical solutions—industry-specific applications built in FileMaker—can be a lucrative opportunity for developers. You can build GDPR-compliant solutions tailored to sectors like healthcare, education, or e-commerce, where personal data is heavily used.
4. Data Flow Documentation Systems
One of the key elements of GDPR is the requirement for data flow documentation. Developers can create tools that help businesses document how personal data is collected, stored, processed, and deleted. These tools can also automate reporting to regulatory authorities if a data breach occurs.
5. Secure Data Exchange Platforms
Under GDPR, businesses must ensure that personal data is transmitted securely. FileMaker developers can create secure data exchange platforms that replace insecure methods like email for sharing personal data with third parties. By implementing user authentication and encryption, these platforms can ensure compliance with GDPR’s security requirements.
6. Automated Deletion Systems
GDPR requires businesses to delete personal data when it is no longer needed. FileMaker developers can build automated deletion workflows that ensure data is removed after a certain period or when it no longer serves a valid business purpose. This minimizes the risk of holding onto data longer than legally allowed.
Building GDPR-Compliant Solutions in FileMaker
Let’s take a closer look at some practical steps you can take to build GDPR-compliant solutions within FileMaker.
1. Data Flow Documentation
Building a data flow documentation tool can help clients track how data moves through their systems. In this solution, businesses can document their processes, identify what data is collected, who has access to it, and how long it should be retained. For each data flow, you can track elements like:
- Data Collection Method: Is data collected via forms, emails, or online portals?
- Data Storage: Where is the data stored (e.g., FileMaker, external databases)?
- Data Retention: How long can the data legally be retained?
- Deletion Policy: When and how will the data be deleted?
2. User Consent Management
A critical component of GDPR compliance is obtaining and managing user consent for data collection. FileMaker can be used to build consent management tools that track when consent was obtained, for what purpose, and how long the consent is valid. This can also include automated features that allow users to withdraw their consent and have their data deleted.
3. Field-Level Encryption and Data Masking
For sensitive data such as medical information or social security numbers, you can implement field-level encryption and data masking to protect this data from unauthorized access. For example, while the full data might be visible to system administrators, other users can only see a masked version (e.g., “****1234”).
4. Audit Logs and Access Control
To comply with GDPR’s audit requirements, developers can build detailed logging systems that track who accessed data, what actions they performed, and when. Coupled with role-based access control, this ensures that only authorized users can interact with sensitive data, and there is always a record of any actions taken.
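The field-level protection, masking and audit logging described in steps 3 and 4, as an added example that is not code from the article or from the FileMaker platform. It assumes a single master key held outside the database and uses FileMaker's built-in privilege set name "[Full Access]" as the role allowed to see plaintext; the record layout and log format are constructed for the example.

```python
# Added example (not code from the article or from the FileMaker platform): one
# way to store a sensitive field so that only a privileged role can read the
# plaintext, everyone else sees a mask such as "****1234", and each read is logged.
# Crypto uses only the standard library: HMAC-SHA256 as a PRF in counter mode,
# with an encrypt-then-MAC tag under a separate subkey. A production build
# would use a vetted AEAD (AES-GCM) or FileMaker's CryptEncrypt/CryptDecrypt.
import hmac, hashlib, os, struct
from datetime import datetime, timezone

def _subkeys(master: bytes):
    # Derive independent encryption and MAC keys from one master key.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def encrypt_field(master: bytes, plaintext: str) -> bytes:
    enc, mac = _subkeys(master)
    nonce, data = os.urandom(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc, nonce, len(data))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def decrypt_field(master: bytes, blob: bytes) -> str:
    enc, mac = _subkeys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong key")  # fail closed, never return garbage
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct)))).decode()

def mask(value: str, keep: int = 4) -> str:
    return "*" * max(len(value) - keep, 0) + value[-keep:]

def store_record(master: bytes, record_id: str, ssn: str) -> dict:
    # The mask is computed once at write time, so a masked read never touches
    # the key or the plaintext.
    return {"id": record_id, "ssn_enc": encrypt_field(master, ssn), "ssn_mask": mask(ssn)}

AUDIT_LOG: list = []

def read_ssn(master: bytes, record: dict, user: str, privilege_set: str) -> str:
    # Privilege set decides full vs masked view; both kinds of access are logged.
    revealed = privilege_set == "[Full Access]"
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "user": user,
                      "record": record["id"], "field": "ssn",
                      "action": "reveal" if revealed else "masked_view"})
    return decrypt_field(master, record["ssn_enc"]) if revealed else record["ssn_mask"]
```

Because the mask is stored next to the ciphertext, the key only has to be available to the code path that serves "[Full Access]" users, and a tampered or re-keyed ciphertext raises instead of decrypting to garbage.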
Case Studies: Real-world Applications of GDPR Solutions
1. Data Flow Documentation System for a Music Venue
One of our clients, a large music venue in Denmark, handles the personal data of hundreds of employees and job applicants. With GDPR in effect, they needed a way to track the flow of personal data through their system—from job applications to employee records. We built a FileMaker-based documentation tool that allows them to track and audit all personal data, ensuring compliance with GDPR.
2. Automated Job Application System for a Recruitment Agency
Another client, a recruitment agency, received hundreds of unsolicited resumes via email each month, many of which contained sensitive personal data. To comply with GDPR, we built an automated job application platform where applicants can securely submit their information, and the agency can easily track and manage it. The system also automatically deletes resumes after a specified period, ensuring compliance with data retention policies.
3. Secure Data Exchange for a Model Agency
A model agency frequently needed to share sensitive personal data, such as passport information, with travel agencies to book flights. To comply with GDPR, we built a secure data exchange platform using FileMaker, which allowed the agency to transmit data securely. The platform logged all data transfers and ensured that all files were stored and shared in compliance with GDPR regulations.
Conclusion: The Role of Developers in Shaping GDPR Compliance
GDPR has transformed how businesses handle personal data, and FileMaker developers play a crucial role in helping businesses navigate this complex regulatory landscape. By leveraging FileMaker’s powerful tools, developers can build secure, efficient, and compliant solutions that not only help businesses avoid costly fines but also create new business opportunities.
In a world where data privacy is paramount, developers have a unique chance to position themselves as trusted advisors who can guide businesses through the challenges of GDPR compliance. Whether it’s creating secure data exchange platforms, building audit trails, or automating data deletion workflows, FileMaker developers can turn the challenges of GDPR into a strategic advantage.
Stay ahead of the curve—start building GDPR-compliant solutions today and become a valuable partner in your clients’ compliance journey!
https://community.claris.com/en/s/article/sec03—eu-gdpr–why-you-should-care—claus-lavendt