Originally posted by skygge:
Hi,
I work as a contractor for an organization and have been handed over about 20 internally developed apps in VBA/MS Access from someone who is retiring. My concern is that a couple of the apps contain personal data and the protections in place are not adequate in my opinion (folder permissions control who has access to the db file, but there is a shared front end which can easily be subject to SQL injection because all apps share the same DSN connection string, and I can think of a dozen other vectors to get to the data without folder permission). I raised this with the management but they don't seem to have a minimum security/compliance understanding and told me not to worry, but as a developer with full access to the data, I feel concerned about this whole thing.
Am I overthinking this? Does the fact that I have access and decision-making powers on how to develop this app not make me a data controller?
I read lots of posts online about this on the ICO site but all seem to focus on either mobile or online services and, as this is internal, I'm a bit lost.
Thanks in advance
Raise your concerns, as risks, to the data controller. If they don't have a data controller add that to the risks you see and take it to the highest person in the company.
If you have some recommendations and mitigations for those risks then provide them at the same time.
You may well then find yourself in contract for quite a while.
And as SE says, don't be hysterical about it. They may know they carry the risk but don't have an approach to fix it. You can provide that (presumably).
Originally posted by skygge:
I'm afraid I can't do that unfortunately, as I would be violating a couple dozen laws. My main issue is not deciding whether the data is personal or not, or whether it falls under GDPR or not; my question is more in terms of "... should a developer be just handed over an internally created app containing personal information and ignore all possible attack vectors..." or where is the line of responsibility of a developer towards the data when programming internal apps?
GDPR regs aren't in place at the moment but under the DPA you still shouldn't be handing over someone's personal data just like that.
I would suggest you raise it as a concern in an email after first talking to a project manager or someone in a similar position in the client company.
Make sure you bcc the email plus replies to an outside business address, or print it out and retain a copy. You have then covered your back by informing them both verbally and in writing of potential breaches of data protection.
When mentioning it, don't sound as hysterical as your original post sounds.
Originally posted by MarillionFan:
I'm working on a GDPR project at the moment. If you want to send me the Access database via email or pop it in the post on a pen drive I can take a look at it for you and let you know if it's going to be a problem.
Advise on DPA/GDPR for internal apps
Hi,
I work as a contractor for an organization and have been handed over about 20 internally developed apps in VBA/MS Access from someone who is retiring. My concern is that a couple of the apps contain personal data and the protections in place are not adequate in my opinion (folder permissions control who has access to the db file, but there is a shared front end which can easily be subject to SQL injection because all apps share the same DSN connection string, and I can think of a dozen other vectors to get to the data without folder permission). I raised this with the management but they don't seem to have a minimum security/compliance understanding and told me not to worry, but as a developer with full access to the data, I feel concerned about this whole thing.
Am I overthinking this? Does the fact that I have access and decision-making powers on how to develop this app not make me a data controller?
I read lots of posts online about this on the ICO site but all seem to focus on either mobile or online services and, as this is internal, I'm a bit lost.
Thanks in advance
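As an added illustration of the injection concern in the post (this is example code, not anything from the thread or the apps it describes): the string-concatenation pattern that makes a shared Access/VBA front end injectable, beside the same query with a bound parameter. It assumes an ADO connection (a reference to "Microsoft ActiveX Data Objects"), a hypothetical Employees table and a placeholder DSN name.

```vba
Option Explicit
' Added example, not code from the thread. Assumes a reference to
' "Microsoft ActiveX Data Objects" and a hypothetical Employees table.

' Injection-prone: the search term is spliced into the SQL text, so a
' single quote in the input ends the literal and whatever follows is
' parsed as SQL. With one shared DSN, every app using this pattern
' exposes the same data under the same database credentials.
Public Function FindBySurnameUnsafe(ByVal conn As ADODB.Connection, _
                                    ByVal surname As String) As ADODB.Recordset
    Dim sql As String
    sql = "SELECT EmployeeID, Surname FROM Employees " & _
          "WHERE Surname = '" & surname & "'"
    Set FindBySurnameUnsafe = conn.Execute(sql)
End Function

' Hardened: the same query with a bound parameter. The value travels
' separately from the statement, so quotes in the input stay data.
Public Function FindBySurnameSafe(ByVal conn As ADODB.Connection, _
                                  ByVal surname As String) As ADODB.Recordset
    Dim cmd As ADODB.Command
    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT EmployeeID, Surname FROM Employees " & _
                      "WHERE Surname = ?"
    cmd.Parameters.Append cmd.CreateParameter("pSurname", adVarChar, _
                                              adParamInput, 100, surname)
    Set FindBySurnameSafe = cmd.Execute
End Function

' Usage (constructed): open the shared DSN, then query through the safe path.
Public Sub Demo()
    Dim conn As ADODB.Connection
    Dim rs As ADODB.Recordset
    Set conn = New ADODB.Connection
    conn.Open "DSN=HR_APPS_DSN"                  ' placeholder DSN name
    Set rs = FindBySurnameSafe(conn, "O'Brien")  ' apostrophe is handled as data
    Do Until rs.EOF
        Debug.Print rs!EmployeeID, rs!Surname
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
End Sub
```

Parameterisation closes the injection route but not the wider point in the post: with one shared DSN every user reaches the data under the same database credentials, so who may see which records still has to be enforced somewhere other than the query text.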