
Advice on DPA/GDPR for internal apps


    Advice on DPA/GDPR for internal apps

    Hi,

    I work as a contractor for an organization and have been handed about 20 internally developed apps in VBA/MS Access from someone who is retiring. My concern is that a couple of the apps contain personal data and the protections in place are not adequate in my opinion (folder permissions control who has access to the db file, but there is a shared front end which can easily be subject to SQL injection because all apps share the same DSN connection string, and I can think of a dozen other vectors to get to the data without folder permission). I raised this with management but they don't seem to have a minimum security/compliance understanding and told me not to worry, but as a developer with full access to the data, I feel concerned about this whole thing.

    Am I overthinking this? Does the fact that I have access and decision making powers on how to develop this app not make me a data controller?

    I read lots of posts online about this on the ICO site but all seem to focus on either mobile or online services and as this is internal, I'm a bit lost.

    Thanks in advance
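The SQL injection risk the original post describes is what happens when an Access front end builds its query text by concatenating user input. As an added example (not code from this thread or from the poster's applications), below is one lookup written that unsafe way, beside the same lookup in parameterised DAO and ADODB form. The table `tblStaff`, its columns, and the `cn` connection are assumptions for illustration; the ADODB version needs a reference to the Microsoft ActiveX Data Objects library.

```vba
' Added example: unsafe string-built query vs. parameterised queries in Access VBA.
' tblStaff and its columns are assumed; they are not from the thread.
Option Compare Database
Option Explicit

' UNSAFE: the caller-supplied value is spliced into the SQL text, so a value
' containing a single quote changes the meaning of the WHERE clause. Jet/ACE
' does not run stacked statements, but an altered WHERE clause is enough to
' return records the caller was never meant to see.
Public Function FindStaffUnsafe(ByVal surname As String) As DAO.Recordset
    Dim sql As String
    sql = "SELECT StaffID, Surname, NINumber FROM tblStaff " & _
          "WHERE Surname = '" & surname & "'"
    Set FindStaffUnsafe = CurrentDb.OpenRecordset(sql, dbOpenSnapshot)
End Function

' SAFER (DAO): the value travels as a typed parameter of a temporary QueryDef,
' never as part of the SQL text, so quotes in the input stay data.
Public Function FindStaffSafeDao(ByVal surname As String) As DAO.Recordset
    Dim qdf As DAO.QueryDef
    Set qdf = CurrentDb.CreateQueryDef("", _
        "PARAMETERS pSurname Text(255); " & _
        "SELECT StaffID, Surname, NINumber FROM tblStaff " & _
        "WHERE Surname = [pSurname]")
    qdf.Parameters("pSurname").Value = surname
    Set FindStaffSafeDao = qdf.OpenRecordset(dbOpenSnapshot)
End Function

' SAFER (ADODB over a DSN connection): same idea using a "?" placeholder and
' an explicitly typed, length-limited input parameter. cn is an open
' ADODB.Connection supplied by the caller (assumed).
Public Function FindStaffSafeAdo(ByVal cn As ADODB.Connection, _
                                 ByVal surname As String) As ADODB.Recordset
    Dim cmd As ADODB.Command
    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT StaffID, Surname, NINumber FROM tblStaff " & _
                      "WHERE Surname = ?"
    cmd.Parameters.Append cmd.CreateParameter("pSurname", adVarWChar, _
                                              adParamInput, 255, surname)
    Set FindStaffSafeAdo = cmd.Execute
End Function
```

Parameterising the queries addresses only the injection vector; it does nothing about the other point raised above, that a front end carrying a shared DSN connection string gives every user of that front end whatever the DSN's credentials allow, regardless of the folder permissions on the database file. That is a separate risk to record alongside this one.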

    #2
    Originally posted by skygge:
    Hi,

    I work as a contractor for an organization and have been handed about 20 internally developed apps in VBA/MS Access from someone who is retiring. My concern is that a couple of the apps contain personal data and the protections in place are not adequate in my opinion (folder permissions control who has access to the db file, but there is a shared front end which can easily be subject to SQL injection because all apps share the same DSN connection string, and I can think of a dozen other vectors to get to the data without folder permission). I raised this with management but they don't seem to have a minimum security/compliance understanding and told me not to worry, but as a developer with full access to the data, I feel concerned about this whole thing.

    Am I overthinking this? Does the fact that I have access and decision making powers on how to develop this app not make me a data controller?

    I read lots of posts online about this on the ICO site but all seem to focus on either mobile or online services and as this is internal, I'm a bit lost.

    Thanks in advance
    I'm working on a GDPR project at the moment. If you want to send me the Access database via email or pop it in the post on a pen drive I can take a look at it for you and let you know if it's going to be a problem.
    What happens in General, stays in General.
    You know what they say about assumptions!



      #3
      Originally posted by MarillionFan:
      I'm working on a GDPR project at the moment. If you want to send me the Access database via email or pop it in the post on a pen drive I can take a look at it for you and let you know if it's going to be a problem.
      I'm afraid I can't do that unfortunately, as I would be violating a couple dozen laws. My main issue is not deciding whether the data is personal or not or whether it falls under GDPR or not; my question is more in terms of "... should a developer be just handed over an internally created app containing personal information and ignore all possible attack vectors..." or where is the line of responsibility of a developer towards the data when programming internal apps?



        #4
        Originally posted by skygge:
        I'm afraid I can't do that unfortunately, as I would be violating a couple dozen laws. My main issue is not deciding whether the data is personal or not or whether it falls under GDPR or not; my question is more in terms of "... should a developer be just handed over an internally created app containing personal information and ignore all possible attack vectors..." or where is the line of responsibility of a developer towards the data when programming internal apps?

        GDPR regs aren't in place at the moment but under the DPA you still shouldn't be handing over someone's personal data just like that.

        I would suggest you raise it as a concern in an email after first talking to a project manager or someone in a similar position in the client company.

        Make sure you bcc the email plus replies to an outside business address or print it out and retain a copy. You have then covered your back by informing them both verbally and in writing of potential breaches of data protection.

        When mentioning it don't sound as hysterical as your original post sounds.
        "You’re just a bad memory who doesn’t know when to go away" JR



          #5
          Originally posted by skygge:
          Hi,

          I work as a contractor for an organization and have been handed about 20 internally developed apps in VBA/MS Access from someone who is retiring. My concern is that a couple of the apps contain personal data and the protections in place are not adequate in my opinion (folder permissions control who has access to the db file, but there is a shared front end which can easily be subject to SQL injection because all apps share the same DSN connection string, and I can think of a dozen other vectors to get to the data without folder permission). I raised this with management but they don't seem to have a minimum security/compliance understanding and told me not to worry, but as a developer with full access to the data, I feel concerned about this whole thing.

          Am I overthinking this? Does the fact that I have access and decision making powers on how to develop this app not make me a data controller?

          I read lots of posts online about this on the ICO site but all seem to focus on either mobile or online services and as this is internal, I'm a bit lost.

          Thanks in advance
          You're not the data controller.
          Raise your concerns, as risks, to the data controller. If they don't have a data controller add that to the risks you see and take it to the highest person in the company.
          If you have some recommendations and mitigations for those risks then provide them at the same time.
          You may well then find yourself in contract for quite a while.


          and as SE says. Don't be hysterical about it. They may know they carry the risk but don't have an approach to fix. You can provide that (presumably).
          See You Next Tuesday



            #6
            Originally posted by SueEllen:
            GDPR regs aren't in place at the moment but under the DPA you still shouldn't be handing over someone's personal data just like that.

            I would suggest you raise it as a concern in an email after first talking to a project manager or someone in a similar position in the client company.

            Make sure you bcc the email plus replies to an outside business address or print it out and retain a copy. You have then covered your back by informing them both verbally and in writing of potential breaches of data protection.

            When mentioning it don't sound as hysterical as your original post sounds.
            Thanks for the input. I hadn't thought of having it in writing, but now you mention it, it has been logged in the minutes of the meeting we had, and I will also send an email.
