1. The French Data protection authority, CNIL, has issued a “Developer Kit” setting forth best practices for data protection.

Key takeaways:

  • Before using a development tool, especially for personal data, read the conditions of use.
  • If the data requires a maximum level of confidentiality, use tools with a local instance, rather than the cloud.
  • Conduct a data protection impact assessment (DPIA) at the outset, even if not required by GDPR.
  • Start from a simple, correctly designed and secure system. Increase the complexity gradually while continuing to secure new additions.
  • If you use agile methods for your development, consider integrating security into the heart of your process.
  • Implement “defense in depth.”
  • If using cloud-based code management, ensure your code repository visibility setting is set to “private.”
  • Never use real personal data in the dev environment.
  • Change the default configuration of your third-party libraries and SDKs.
  • When using third-party components, only enable the features you need.
  • Develop a clean code and check it.
  • Document your architecture.
  • Version the documentation with the code.