- The French Data protection authority, CNIL, has issued a “Developer Kit” setting forth best practices for data protection.
Key takeaways:
- Before using a development tool, especially for personal data, read the conditions of use.
- If the data requires a maximum level of confidentiality, use tools with a local instance, rather than the cloud.
- Conduct a data protection impact assessment (DPIA) at the outset, even if not required by GDPR.
- Start from a simple, correctly designed and secure system. Increase the complexity gradually while continuing to secure new additions.
- If you use agile methods for your development, consider integrating security into the heart of your process.
- Implement “defense in depth.”
- If using cloud-based code management, ensure your code repository visibility setting is set to “private.”
- Never use real personal data in the dev environment.
- Change the default configuration of your third-party libraries and SDKs.
- When using third-party components, only enable the features you need.
- Develop a clean code and check it.
- Document your architecture.
- Version the documentation with the code.