
A Guide to GDPR Compliance When Using Third-Party APIs

Hoss (@Hossapp)

Data Privacy and Compliance Series: What Engineering and IT Leaders Need to Know


The average small-to-medium-sized team uses 18 APIs to power its applications, and 50% of all B2B collaboration happens over an API. What is less often appreciated is that every one of those integrations is a place where personal data leaves your systems, which brings its own data privacy and compliance obligations. As an engineering or IT leader, you need to be familiar with those obligations and put proactive controls in place to protect your customers' privacy and stay compliant.

What The GDPR Is

The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that protects the personal data of people in the EU (the regulation calls them data subjects; it is not limited to EU citizens). It replaced the 1995 Data Protection Directive, which each member state had transposed into its own national law, with a single set of rules that apply directly across the EU, and it has applied since 25 May 2018.

What It Protects

The GDPR protects personal data, which is any information relating to an identified or identifiable person (think: full name, home address, national identification number, e-mail address, photographs, IP addresses and other online identifiers, or anything tied to a person's physical, economic, cultural or social identity). A subset, the special categories in Article 9, gets stricter treatment: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health data, and data about sex life or sexual orientation.

Why It Matters If You’re Consuming APIs

The GDPR matters to organizations everywhere because its reach is not limited to the EU. It applies to any controller or processor established in the EU, and to those outside the EU that offer goods or services to people in the EU or monitor their behaviour (Article 3).

This means that if your business collects personal data (as defined in Article 4 of the GDPR) from people in the EU, you are subject to the GDPR even if your business is not located in the EU.

Even if that doesn't immediately sound like it applies to you, consider the third-party APIs your platform already sends personal data to. Does your platform send appointment reminders or other notifications through Twilio? Does your team use a CRM like Salesforce to track and manage customer relationships? Then names, phone numbers and e-mail addresses of your users are being processed by those vendors on your behalf, and if any of those users are in the EU, you are subject to the GDPR. Maybe you integrate with an EHR system to transmit personal health data, in which case you could be subject to the GDPR in addition to HIPAA. In GDPR terms each such vendor is a processor acting for you as controller: you remain responsible for what is sent to it, you need a data processing agreement with it (Article 28), and you must be able to list it as a recipient when a user exercises their rights.

The consequences for failing to comply are steep. Infringements of the core obligations carry an administrative fine of up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83).

What You Are Required to Provide for Your Customers

Under the GDPR, your customers or users have a number of rights, several of them new (such as data portability) or considerably strengthened compared with the 1995 Directive. These include the right to:

  • Access their data (Article 15). You must confirm whether you process their personal data and tell them what data you hold, for what purposes, and which recipients, including third-party API vendors, it has been shared with.
  • Be forgotten (Article 17). On the grounds listed in that article, for example when consent is withdrawn or the data is no longer needed for its purpose, they can require you to delete their personal data; you must then also tell any recipient you have shared it with (Article 19).
  • Restrict the processing of their data (Article 18) under certain circumstances, for example while a disputed record is being corrected.
  • Object to the processing of their data (Article 21), including an unconditional right to object to direct marketing.
  • Correct any inaccurate or incomplete personal data (Article 16).
  • Receive a copy of their personal data in a structured, commonly used, machine-readable format and have it transferred to another organization (Article 20).
  • Be informed about data processing activities (Articles 13 and 14), including the recipients or categories of recipients of their data.

What the GDPR Requires of Your Business

To be in compliance with the GDPR, you need a lawful basis under Article 6 for every processing activity. Consent is only one of six bases (performance of a contract, a legal obligation and legitimate interests are among the alternatives), but where you do rely on consent it must be freely given, specific, informed and unambiguous, and obtained before the processing starts. You must notify your supervisory authority of a personal data breach within 72 hours of becoming aware of it where feasible, and notify the affected individuals without undue delay when the breach is likely to put them at high risk (Articles 33 and 34). You must also conduct a data protection impact assessment before any processing that is likely to result in a high risk to individuals (Article 35).

It's especially important to note that you're also required to keep records of processing activities (Article 30): what categories of personal data you process, for what purposes, which categories of recipients receive it (third-party APIs included), and what transfers to countries outside the EU take place. Not only are these records a legal requirement, they are also what lets you honour any of the rights listed above. You cannot tell a user where their data has gone, or propagate an erasure request to a vendor, if you never recorded which vendors received it in the first place.

Three Things You’ll Need to (Easily) Comply with the GDPR When Using APIs

  1. Visibility.

Know and keep track of all personal data you hold, including which fields have been sent to which third-party APIs and other vendors, for which users, and for what purpose.

  2. Monitoring and alerting.

Monitor every API integration in real time so that transactions are recorded as they happen and any violation of your data policies (a disallowed field, an unknown vendor, a user whose data should no longer leave your systems) is flagged immediately rather than discovered in an audit.

  3. Data policies.

Define which categories of data may be transmitted to which third parties, and for which purpose, and keep that policy current with the restriction and deletion requests you receive. Implement the policy as an enforceable control in the request path, not as a document, so that a request that violates it is blocked rather than merely logged.
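The following is an added example, not Hoss code and not a recommendation of any particular product, of how the three items above fit together in the outbound request path: a guard that classifies payload fields into personal-data categories, enforces a per-vendor allow-list, refuses to send data about users who have restricted or erased their data, records every allowed call in an Article 30 style processing log, and keeps a list of blocked attempts for alerting. The vendor names, field classification and policy table are assumptions chosen for illustration; the payloads are constructed sample input.

```python
"""Added example: an outbound-API guard enforcing a per-vendor personal-data
policy, honouring restriction/erasure requests, and keeping a record of
processing activities. All vendor names, field categories and policies below
are illustrative assumptions, not a real product's configuration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Assumed mapping from payload field names to personal-data categories.
FIELD_CATEGORY = {
    "email": "contact", "phone": "contact", "full_name": "identity",
    "date_of_birth": "identity", "diagnosis": "health", "ip": "online_identifier",
}

# Assumed per-vendor policy: the purpose of the integration and the
# categories of personal data the vendor is allowed to receive.
VENDOR_POLICY = {
    "twilio":     {"purpose": "appointment reminders", "allowed": {"contact"}},
    "salesforce": {"purpose": "CRM",                   "allowed": {"contact", "identity"}},
    "ehr":        {"purpose": "care coordination",     "allowed": {"contact", "identity", "health"}},
}


@dataclass
class ProcessingRecord:
    """One entry in the record of processing activities. Field *names* and
    categories are stored, never field values, so the log does not become a
    second copy of the personal data it describes."""
    ts: str
    subject_id: str
    vendor: str
    purpose: str
    categories: Set[str]
    fields: List[str]


@dataclass
class ApiGuard:
    records: List[ProcessingRecord] = field(default_factory=list)
    alerts: List[dict] = field(default_factory=list)       # blocked attempts, for monitoring
    restricted: Set[str] = field(default_factory=set)      # subjects with an Art. 18 request
    erased: Set[str] = field(default_factory=set)          # subjects with an Art. 17 request

    def _deny(self, subject_id: str, vendor: str, reason: str) -> dict:
        self.alerts.append({"subject_id": subject_id, "vendor": vendor, "reason": reason})
        return {"allow": False, "reason": reason, "payload": {}}

    def check(self, subject_id: str, vendor: str, payload: Dict[str, str]) -> dict:
        """Decide whether `payload` about `subject_id` may be sent to `vendor`.
        Returns {"allow": bool, "reason": str, "payload": dict}; the input is never mutated."""
        if vendor not in VENDOR_POLICY:
            return self._deny(subject_id, vendor, "no policy / data processing agreement on file")
        if subject_id in self.erased:
            return self._deny(subject_id, vendor, "subject erased (Art. 17)")
        if subject_id in self.restricted:
            return self._deny(subject_id, vendor, "processing restricted (Art. 18)")
        policy = VENDOR_POLICY[vendor]
        personal = {k: FIELD_CATEGORY[k] for k in payload if k in FIELD_CATEGORY}
        violating = sorted(k for k, cat in personal.items() if cat not in policy["allowed"])
        if violating:
            return self._deny(subject_id, vendor, f"fields {violating} not permitted for {vendor}")
        self.records.append(ProcessingRecord(
            ts=datetime.now(timezone.utc).isoformat(), subject_id=subject_id, vendor=vendor,
            purpose=policy["purpose"], categories=set(personal.values()), fields=sorted(personal)))
        return {"allow": True, "reason": "ok", "payload": dict(payload)}

    def access_report(self, subject_id: str) -> List[dict]:
        """Art. 15: what was shared about this subject, with whom, and why."""
        return [{"vendor": r.vendor, "purpose": r.purpose, "fields": r.fields, "ts": r.ts}
                for r in self.records if r.subject_id == subject_id]

    def erase(self, subject_id: str) -> Set[str]:
        """Art. 17: stop all further sharing and return the vendors that must
        also be told to delete (Art. 19). The processing log itself is kept as
        evidence of what happened; it holds no field values."""
        self.erased.add(subject_id)
        return {r.vendor for r in self.records if r.subject_id == subject_id}


if __name__ == "__main__":
    guard = ApiGuard()
    # Constructed sample traffic.
    print(guard.check("u1", "twilio", {"phone": "+31 6 1234 5678", "body": "Reminder: 9:00 Tuesday"}))
    print(guard.check("u1", "twilio", {"phone": "+31 6 1234 5678", "diagnosis": "flu"}))  # blocked
    print(guard.check("u1", "salesforce", {"full_name": "A. Example", "email": "a@example.org"}))
    print(guard.access_report("u1"))
    print("notify for deletion:", guard.erase("u1"))
    print(guard.check("u1", "twilio", {"phone": "+31 6 1234 5678"}))  # blocked after erasure
    print("alerts:", guard.alerts)
```

The guard sits in front of the HTTP client, so a field that the policy does not allow for a vendor never reaches the wire, and the denial itself becomes an alert. Because the log records field names and categories rather than values, it satisfies the visibility requirement without creating a second store of personal data that would itself need access, erasure and breach handling.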

Hoss gives you total visibility into all of your data processing activities and provides seamless automatic tracking and monitoring to help you stay easily compliant with the GDPR. Get in touch to learn how you can set up customized solutions so you can stay focused on your business.



Copyright © Hoss Technologies, Inc. 2020 - All rights reserved. Terms of Service & Privacy Policy