ScienceSoft Global Menu icon Go to ScienceSoft Global

Careers

For journalists

email contact@scnsoft.com en flag +1 214 306 68 37
en flag +1 214 306 68 37
Contact us

GDPR Compliance in Software Development 

Checklist, Roles, Hints

In software development since 1989 and in information security since 2003, ScienceSoft develops GDPR-compliant software helping ensure data confidentiality and integrity.

Check Our Software Development Offer
GDPR Compliance in Software Development - ScienceSoft
GDPR Compliance in Software Development - ScienceSoft

GDPR-Compliant Software Development: The Gist

GDPR-compliant software development is aimed at building software with secure architecture, encryption mechanisms for in-transit and at-rest data, data backup mechanisms, etc. to ensure security of data subjects’ personal information.

Note: To get a closer look at GDPR requirements for software, you can see the guide by EU Commission.

  • Key steps of GDPR-compliant software development: eliciting GDPR-specific software requirements, planning secure architecture, GDPR-compliant UX and UI design, software development using secure coding practices, penetration testing.
  • A team for GDPR-compliant software development: a GDPR compliance consultant, a project manager, a solution architect, a business analyst, UX and UI designers, software engineers, DevSecOps engineers, penetration testers.

GDPR-Compliant Software Development Plan

The specifics of a GDPR-compliant software development plan depend on the type of software and its functionality. Below, we provide a generalized plan of GDPR-compliant software development based on ScienceSoft’s experience in the domain.

Step 1. Requirements elicitation and analysis

At this stage, in addition to general functional and technical software requirements elaboration, ScienceSoft:

  • Identifies what personal data (names, bank account details, etc.) needs to be collected, processed, and transferred by the new software.
  • Helps with modelling consent for processing data subject’s information.
  • Defines who has access to personal data.
  • Helps decide on data retention period.

Step 2. Secure software architecture design and planning security features

At this stage, ScienceSoft’s team:

  • Designs secure resilient software architecture.

Best practice: At ScienceSoft, a solution architect often works on architecture planning together with a GDPR consultant and a business analyst to achieve the desired level of software security and fully meet clients’ preferences.

  • Plans data archival/erasure mechanisms, including automated deletion upon request.
  • Creates data flow diagrams.
  • Creates logging architecture to enable data access, data modifications tracking, etc.
  • Plans encryption for at-rest and in-transit data.
  • Selects secure technology stack to support compliance.

Step 3. GDPR-compliant UX and UI design

Below are examples of GUI elements to support compliance:

  • Precise and easy-to-understand consent forms.

Best practice: ScienceSoft recommends complementing a form with an explanation of how data subjects will benefit from data collection and processing and how they can withdraw consent.

  • An easy-to-scan privacy policy that describes the data processing methods, data storage period, and third parties able to access the data.

Step 4. Secure software development

At this stage, ScienceSoft’s developers:

  • Create software front end and back end following the OWASP guidelines on secure coding.

Note: At ScienceSoft, we properly document each development step and conduct regular unit testing.

  • Implement data encryption, pseudonymization, or anonymization.

Simultaneously with development, we conduct regular code reviews to detect and further remediate vulnerabilities.

Best practice: At ScienceSoft, we facilitate security testing automation by adding static application security testing (SAST) and dynamic application security testing (DAST) to the CI/CD pipeline. This way, vulnerabilities in code can be identified as early as possible.

Step 5. Software penetration testing

  • Choosing the penetration testing approach (black box, gray box, or white box) and test execution.
  • Report on the vulnerabilities found.
  • Outlining preventive measures and recommendations on solving security issues.

ScienceSoft’s tip: It’s advisable to conduct penetration testing after any significant change in software and/or IT infrastructure.

Step 6. GDPR-compliant software deployment

Our team proceeds with:

  • Final review of security controls in software and IT infrastructure to meet GDPR standards.
  • Preparing an incident response plan.
  • Providing the required documentation (the description of personal data used in the system and its lifecycle, all parties that get access to personal data, the basis for collecting personal data, etc.).

GDPR-Compliant Software Development Services by ScienceSoft

Having 35 years of experience in software development and 21 years in information security, ScienceSoft’s team expertly plans and develops GDPR-compliant software.

Consulting on GDPR-compliant software development

For existing software:

  • Reviewing the security of software architecture and database management system. Source code review and penetration testing.
  • Preparing a plan on GDPR compliance remediation, if needed.

For future software:

  • Business needs analysis and requirements engineering.
  • Business case development.
  • Secure architecture, UX and UI design and integrations planning.
  • Creating a roadmap for secure software development.
Get a consultation

Development of GDPR-compliant software

  • Requirements elicitation and analysis.
  • Secure architecture design.
  • GDPR-compliant UX and UI design.
  • Software development using secure coding practices and GDPR-compliant software development tools.
  • Secure CI/CD configuration.
  • Quality assurance.
  • Security testing.
  • Software maintenance and security monitoring.
Go for development

What makes ScienceSoft different

We achieve project success no matter what

ScienceSoft does not pass mere project administration off as project management, which, unfortunately, often happens on the market. We practice real project management, achieving project success for our clients no matter what.

See how we do it

Our Satisfied Customers

ScienceSoft brought to the table substantial expertise in iOS and Android application development and a customer-centered approach to the application design. They proved to be a reliable and agile technology partner. We especially appreciate their professional approach to security, which was among our main concerns due to strict regulations.

Khalid Ahadov, Executive Director, Unibank

Read original

We commissioned ScienceSoft to carry out penetration testing of our external and internal infrastructure, including penetration testing of a communication web app. The team conducted penetration testing in line with all our requirements, one of which was performing the project within the EU borders in order to comply with the GDPR regulations.

Ilya Ostrovskiy, Chief Product Officer, Apifonica

Read original

Roles on ScienceSoft’s GDPR-Compliant Development Team

The team composition may vary depending on the project goals and scope. Below we describe sample roles on ScienceSoft’s team engaged in GDPR-compliant software development:

Project manager

  • Provides time and budget estimates, schedules the project and ensures adherence to deadlines.
MORE RESPONSIBILITIES
  • Ensures all secure software development standards are met at each project stage.
  • Regularly reports client on the progress.

hide

Business Analyst

  • Defines and documents functional and non-functional software requirements, including requirements specific to GDPR.
  • Prepares a software requirements specification (SRS).

System architect

  • Decides on software architecture and technological stack taking into account security and resilience requirements.

Data engineers

  • Develop databases and map data flows to ensure secure data storage and transfer.
  • Set custom access controls.

Security engineers/DevSecOps

  • Conduct static and dynamic application security analysis, add SAST and DAST to CI/CD pipeline.
  • Configure application and network security monitoring tools.
MORE RESPONSIBILITIES
  • Identify and manage security issues at all SDLC stages.
  • Support SecOps pipelines.

hide

Software engineers

  • Develop front end and back using secure coding practices and GDPR-compliant software development tools.

Penetration testers

  • Define goals, source data, and scope of the target environment.
  • Prepare penetration scripts and tests.
MORE RESPONSIBILITIES
  • Simulate cyberattacks on the software to reveal security weaknesses.
  • Compose reports with instruments used, units tested and exploited vulnerabilities.
  • Provide recommendations on vulnerability remediation.

hide

UX and UI designers

  • Build UX wireframes or mockups.
  • Work out GUI elements to comply with GDPR.

GDPR compliance consultant

  • Conducts gap analysis and creates a roadmap on achieving compliance.
  • Ensures all data protection measures are well-documented to be demonstrated within a GDPR compliance audit.

Sourcing Models for GDPR-compliant Software Development

In-house GDPR-compliant software development

  • Full control over the project.
  • Extra efforts to establish security at each stage of SDLC.
  • Lack of in-house devs with specific skills.
  • Risks of insufficient documentation.

Turn to ScienceSoft if you need help with GDPR development process planning or other consulting services.

Turn to us

Team augmentation for GDPR-compliant software development

  • On-demand expert help from a scalable development team with required skills.
  • Balanced project costs.
  • Management, QA, and project risks are fully/partially on your side.

Turn to ScienceSoft if you need GDPR experts to augment your software development team.

Turn to us

Outsourced GDPR-compliant software development

  • A fully managed team with required skills.
  • Established secure practices for GDPR-compliant software development.
  • Transparent KPIs.
  • Higher vendor risks.

Turn to ScienceSoft if you need a reliable ISO-certified vendor for GDPR-compliant software development.

Turn to us

Tools We Use in GDPR-Compliant Software Development

We have outlined several pentesting tools ScienceSoft prefers for detecting and analyzing security vulnerabilities in software and its infrastructure:

Nmap

Best for

Network penetration testing.

Description

An open-source tool for promptly scanning remote and local networks and single hosts.

  • Detecting a host within the network, free and occupied ports, and all services on the target host.
  • Determining the host essence (web server, mail service, etc.), which facilitates planning of further penetration testing.
  • Convenient command-line and graphical interfaces with many scanning techniques.
  • Suitable for diverse operating systems, including Linux, Windows, BSD and Mac.
  • Scan results can be exported to a text file, XML, or plain text.

Pricing

Open source.

Wireshark

Best for

Vulnerability assessment and network traffic analysis.

Description

Packet analyzer for troubleshooting network security problems.

  • Provides deep examination of multiple protocols.
  • All captured packets are shown on a dashboard with detailed data on each unit (time, source, destination, protocol name, length).
  • Extensive display filters enhance sorting out different packet types.
  • Runs on Windows, Linux, Mac, Solaris, FreeBSD, NetBSD, and more.
  • Scan results can be exported XML, PostScript®, CSV, or plain text.

Pricing

Open source.

Metasploit Framework

Best for

All types of penetration testing.

Description

A Ruby-based modular penetration testing framework designed to detect server and network vulnerabilities.

  • Provides modules (exploits, encoders, payloads, auxiliaries and posts) needed for the full penetration testing lifecycle.
  • Offers more than 2,000 easy to navigate exploits and over 550 payloads.
  • Convenient GUI with the function of visualizing targets and advising on exploits.
  • Suitable for any platforms and programming languages.
  • With msfdb, scan results can be imported from external tools, such as Nmap or Nessus.

Pricing

Open source.

Cost Factors for GDPR-Compliant Software Development

Besides general software development costs factors like the complexity of business workflows to cover and the presence of advanced technologies, the cost of GDPR-compliant software development depends on the level of security you want to achieve. These specific factors include:

  • The number and complexity of security features (cryptography, audit trail, etc.).
  • The amount of data that needs to be encrypted, pseudonymized, anonymized.
  • The amount of software documentation needed for final GDPR compliance audit.
  • The scope of penetration testing and the number of penetration testing iterations.

Estimate the Cost of Your GDPR-Compliant Development Project

ScienceSoft’s experts can provide you with cost estimation of your future GDPR-compliant software.

REQUEST COST ESTIMATE

About ScienceSoft

In software development since 1989, ScienceSoft is a global IT consulting and software development company headquartered in McKinney, Texas. We have 21 years of experience in information security, a vast pool of experienced security engineers, software architects, and developers trained in secure software coding. Following the OWASP guidelines, we design and develop highly secure GDPR-compliant solutions.