GDPR Developer Guide

In order to assist web and application developers in making their work GDPR-compliant, the CNIL has drawn up a new guide to best practices under an open source license, which is intended to be enriched by professionals.

This guide is published under license GPLv3 and under open license 2.0 (explicitly compatible with CC-BY 4.0 FR). You can freely contribute to its redaction.

The French version is the authentic version of this guide. An Italian version of this guide is also available in pdf and for contributions.

Is this guide for developers only?

This guide is mainly aimed at developers working alone or in teams, team leaders, service providers but also at anyone interested in web or application development.

It provides advice and best practices, and thus gives useful keys to understand the GDPR for every stakeholder, regardless of the size of their structure. It can also stimulate discussions and practices within the organisations and in customer relationships.

What does the guide contain?

This guide is divided into 16 thematic sheets which cover most of the needs of developers at each stage of their project, from the preparation of the development to the use of analytics.

The General Data Protection Regulation (or GDPR) specifies that the protection of the rights and freedoms of natural persons requires that "appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met" (Recital 78).

The determination of these measures is necessarily related to the context of the processing operations put in place, and the controller (the public or private entity processing personal data) must therefore ensure the security of the data it is called upon to process.

The good practices in this guide are therefore not intended to cover all the requirements of the regulations nor to be prescriptive, they provide a first level of measures to take into account privacy protection issues in IT developments that are intended to be applied to all data processing projects. Depending on the nature of the processing carried out in certain cases, additional measures will have to be implemented in order to fully comply with the regulations.

Table of contents

0. Develop in compliance with the GDPR

1. Identify personal data

2. Prepare your development

3. Securing your development environment

4. Manage your source code

5. Make an informed choice of architecture

6. Securing your websites, applications and servers

7. Minimize data collection

8. Manage user profiles

9. Control your libraries and SDKs

10. Ensure the quality of the code and its documentation

11. Test your applications

12. Inform users

13. Prepare to exercise people's rights

14. Define a data retention period

15. Take into account the legal basis in the technical implementation

16. Use analytics on your websites and applications

How can I contribute to this guide?

This guide is available in two versions:

• A web version on the CNIL website and in the tab the "Releases" tab of this repository;
• This GitHub version, which offers the possibility for everyone to contribute.

The contribution is done in a few steps:

• Register on Github;
• Go to the project page;
• You can:
  • Use the "Issue" tab to open comments or participate in the discussion
  • Use the "Fork" option to make your own modifications and propose their inclusion via the "Pull Requests" button.

Your contribution proposal will be examined by the CNIL before publication. The web version of the GDPR developer's guide will be regularly updated.

Usage

To release this repository yourself, you can use the Pandoc tool. This tool will allow you to convert the records into a docx file or an HTML document.

You can find the instructions to install this tool here

• To generate a .docx file:

pandoc -s --toc --toc-depth=1 -o GDPR_developer_guide.docx [0-9][0-9]*.md

• To generate an .html file:

pandoc -s --template="templates/mytemplate.html" -H templates/pandoc.css -o index.html README.md [0-9][0-9]*.md