TechGDPR

GDPR code review

The code behind your app, service, integrated system or website can be a liability for GDPR compliance, and a GDPR code review may help you comply at the deepest technical level as well.

You may be working with code that is several years old, or code that was created by developers who are no longer working with you. For that and other reasons, you may want the peace of mind that none of your code functions in a way that violates the GDPR. You may also be using libraries, gems or plug-ins that deal with personal data less carefully than your own code does.

The GDPR Code Review

Regardless of your situation, we can do a full GDPR code review and evaluate whether or not the handling of personal information is in line with the provisions of the GDPR. We can also do in-depth code audits in many popular programming languages, including (but not limited to) Python, PHP, C, C++, Objective-C, Haskell, Rust, JavaScript, Node.js, Java, Ruby and SQL.

When you employ pseudonymisation or anonymisation as part of your data protection processes, a careful evaluation may be justified to ensure that your algorithms leave no possibility of that process being reversed unintentionally. Anonymisation that can be reversed cannot be considered anonymisation under the GDPR.

If you are concerned about the GDPR compliance of an open source project you are using, we will extend you a significant discount for auditing it. Contact us for more details!

Our code audits are performed together with our security partner Least Authority.

What will you look for in a GDPR code audit/review?

We look specifically at any data that is personal or pseudonymous and trace its path through the code and/or database(s). We look at correct usage of security mechanisms, transfer of data to third parties, and what data may be collected without the user or operator knowing about it.

What things are typically found in GDPR code reviews?

Most applications and systems save more data than absolutely required, such as ‘debug’ information about users’ equipment or, for example, IP addresses, which are to be considered personal data under the GDPR. Other findings may include third-party modules that send users’ location data to their creators for statistical purposes.

When is the right time to consider a GDPR code review?

After a GDPR Compliance Audit has been completed, you will have full insight into the possible problems of your situation under the GDPR. At that point it will become clear whether a GDPR code review would be feasible. If you do not have full visibility of the security your code offers and it deals with personal data, a code review is recommended as well. If your code deals with special categories of personal data, it may even become an essential part of the Technical and Organizational Measures you should take.