GDPR Interface Testing
www.hklaw.com
Are Your End-User Interfaces Ready for the Data Protection Authorities (DPAs)?
WHY TEST?

1. Because they may represent your greatest GDPR risk.

2. The DPAs can test these interfaces without notice, because your web, mobile and IoT interfaces are public-facing.

Organizations typically don’t realize the nature and extent of the data collected or disclosed to third parties. The time pressure of so-called “agile development” and “dev ops” means your developers probably have not tested the privacy properties of the third-party code used in your interfaces (e.g., SDKs, APIs, JavaScript tags), and the chances that they have tested that code sufficiently to meet GDPR standards are likely zero.

Inadvertent disclosure of personal and sensitive data to third parties is common because:
- Development is increasingly modularized – a large amount of third-party code is used for advertising, analytics, graphics, functionality, etc., meaning more disclosure.
- Testing for privacy compliance is difficult and requires economies of scale and legal analysis to do well.

3. Disclosure caused by third-party code won’t show up in your logs.

The reason the disclosure to third parties is invisible is that it is almost always intermediated by the end-user’s device. This means the third-party disclosure is publicly visible, but not susceptible to your server-side audit.

4. No industry sector is immune – including healthcare, financial services, media, retail, energy, and more.
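The client-side disclosure described under point 3 can be inventoried from the end-user's side, which is exactly where server logs are blind. The following is an added JavaScript example, not code from this page or from the firm that published it: it takes Resource Timing entries (the shape a browser returns from performance.getEntriesByType('resource')) and lists every third-party host the page contacted, with the query-parameter names sent to each. The host names, the sample entries and the two-label registrable-domain heuristic are constructed assumptions.

```javascript
// Registrable-domain heuristic: keep the last two labels ("example.com").
// Assumption for this example; a real audit would use the Public Suffix List.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// entries: objects with `name` (the request URL) and `initiatorType`, i.e. the
// shape of performance.getEntriesByType('resource'). Returns one record per
// third-party host: request count, what triggered the requests, and the
// query-parameter names sent, so a reviewer can spot identifiers leaving the page.
function thirdPartyHosts(entries, firstPartyOrigin) {
  const own = baseDomain(new URL(firstPartyOrigin).hostname);
  const seen = new Map();
  for (const e of entries) {
    let u;
    try { u = new URL(e.name); } catch { continue; }         // skip unparsable names
    if (u.protocol !== 'http:' && u.protocol !== 'https:') continue; // skip data:/blob:
    if (baseDomain(u.hostname) === own) continue;             // first-party, not of interest
    const rec = seen.get(u.hostname) ||
      { count: 0, initiators: new Set(), queryParams: new Set() };
    rec.count += 1;
    rec.initiators.add(e.initiatorType);
    for (const k of u.searchParams.keys()) rec.queryParams.add(k);
    seen.set(u.hostname, rec);
  }
  return [...seen].map(([host, r]) => ({
    host,
    count: r.count,
    initiators: [...r.initiators].sort(),
    queryParams: [...r.queryParams].sort(),
  })).sort((a, b) => a.host.localeCompare(b.host));
}

// Constructed sample of what a shop page's resource timing might contain (not real traffic).
const SAMPLE_ENTRIES = [
  { name: 'https://www.example-shop.test/app.js', initiatorType: 'script' },
  { name: 'https://cdn.example-shop.test/logo.png', initiatorType: 'img' },
  { name: 'https://tag.analytics-vendor.test/collect?uid=abc123&email=x%40y.test', initiatorType: 'xmlhttprequest' },
  { name: 'https://pixel.adnetwork.test/p.gif?uid=abc123', initiatorType: 'img' },
  { name: 'https://tag.analytics-vendor.test/lib.js', initiatorType: 'script' },
  { name: 'data:image/png;base64,iVBORw0KGgo=', initiatorType: 'img' },
];

// In a browser, call this on the live page to get the real inventory.
function liveReport(firstPartyOrigin) {
  return thirdPartyHosts(performance.getEntriesByType('resource'), firstPartyOrigin);
}

if (typeof window === 'undefined') {
  console.table(thirdPartyHosts(SAMPLE_ENTRIES, 'https://www.example-shop.test'));
}
```

Under Node the script reports on the constructed sample; pasted into a browser console, liveReport(location.origin) reports what the page actually sent, and none of those third-party requests appear in the first party's server logs.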