Advise on DPA/GDPR for internal apps

**MarillionFan** · 9 November 2017, 10:08

Originally posted by skygge View Post

Hi,

I work as a contractor for an organization and been handed over about 20 internally developed apps in VBA/MS Access from someone who is retiring. My concern is that a couple of the apps contain personal data and protections in place are not adequate in my opinion(folder permissions control who has access to the db file but there is shared front end which can easily be subject to sql injections because all apps share the same dsn connection string and I can think of a dozen other vectors to get to the data without folder permission). I raised this to the management but they don't seem to have minimum security/compliance understanding and told me not to worry but as a developer with full access to the data, I feel concerned about this whole thing.

Am I overthinking this? Does the fact that I have access and decision making powers on how to develop this app not make me a data controller?

I read lots of posts online about this on the ICO site but all seem to focus on either mobile or online services and as this is internal, I'm a bit lost.

Thanks in advance

I'm working on a GDPR project at the moment. If you want to send me the Access database via email or pop it in the post on a pen drive I can take a look at it for you and let you know if it's going to be a problem.

**skygge** · 9 November 2017, 10:16

Originally posted by MarillionFan View Post

I'm working on a GDPR project at the moment. If you want to send me the Access database via email or pop it in the post on a pen drive I can take a look at it for you and let you know if it's going to be a problem.

I'm afraid I can't do that unfortunately, as I would be violating a couple dozen laws

. My main issue is not deciding whether the data is personal or not or whether is falls under gdpr or not, my question is more in terms of "... should a developer be just handed over an internally created app containing personal information and ignore all possible attack vectors..." or where is the line of responsibility of a developer towards the data when programming internal apps?

**SueEllen** · 9 November 2017, 10:50

Originally posted by skygge View Post

I'm afraid I can't do that unfortunately, as I would be violating a couple dozen laws

. My main issue is not deciding whether the data is personal or not or whether is falls under gdpr or not, my question is more in terms of "... should a developer be just handed over an internally created app containing personal information and ignore all possible attack vectors..." or where is the line of responsibility of a developer towards the data when programming internal apps?

GDPR regs aren't in place at the moment but under the DPA you still shouldn't be handing over someone's personal data just like that.

I would suggest you raise it as a concern in an email after first talking to a project manager or someone in a similar position in the client company.

Make sure you bbc the email plus replies to an outside business address or print it out and retain a copy. You then have covered your back by informing them both verbally and in writing of potential breaches of data protection.

When mentioning it don't sound as hysterical as your original post sounds.

**Lance** · 9 November 2017, 11:07

Originally posted by skygge View Post

Hi,

I work as a contractor for an organization and been handed over about 20 internally developed apps in VBA/MS Access from someone who is retiring. My concern is that a couple of the apps contain personal data and protections in place are not adequate in my opinion(folder permissions control who has access to the db file but there is shared front end which can easily be subject to sql injections because all apps share the same dsn connection string and I can think of a dozen other vectors to get to the data without folder permission). I raised this to the management but they don't seem to have minimum security/compliance understanding and told me not to worry but as a developer with full access to the data, I feel concerned about this whole thing.

Am I overthinking this? Does the fact that I have access and decision making powers on how to develop this app not make me a data controller?

I read lots of posts online about this on the ICO site but all seem to focus on either mobile or online services and as this is internal, I'm a bit lost.

Thanks in advance

You're not the data controller.
Raise your concerns, as risks, to the data controller. If they don't have a data controller add that to the risks you see and take it to the highest person in the company.
If you have some recommendations and mitigations for those risks then provide them at the same time.
You may well then find yourself in contract for quite a while.

and as SE says. Don't be hysterical about it. They may know they carry the risk but don't have an approach to fix. You can provide that (presumably).

**skygge** · 9 November 2017, 11:10

Originally posted by SueEllen View Post

GDPR regs aren't in place at the moment but under the DPA you still shouldn't be handing over someone's personal data just like that.

I would suggest you raise it as a concern in an email after first talking to a project manager or someone in a similar position in the client company.

Make sure you bbc the email plus replies to an outside business address or print it out and retain a copy. You then have covered your back by informing them both verbally and in writing of potential breaches of data protection.

When mentioning it don't sound as hysterical as your original post sounds.

Thanks for the input, haven't thought of having it in writing but now you mention it, it's been logged into the minutes of the meeting we had but will also send an email.

Advise on DPA/GDPR for internal apps