Software development, testing, and deployment are intrinsically linked processes that fall within the scope of DevOps. This scope varies from company to company (for example, the Convox scope can be checked here), but the basic principles remain constant. A successful DevOps initiative requires applying these principles to some extent, but the approach can range from manual to highly automated.
The DevOps Approach
The DevOps model seeks to bring the distinct disciplines of software development and operations under a common roof. The benefits of this approach are numerous. First, DevOps promotes a culture of collaboration and increased communications across teams. Second, a more formal approach to software delivery means that the software, once tested, is ready to be deployed to customers. Third, the involvement of different teams means increased scope for innovative ideas. Finally, the closer integration with development and operations means that feedback can be more effectively incorporated into new product and process iterations.
Compliance As A Priority
The global economy is in a constant state of flux, and as a result, organizations must adjust their approach to business and compliance according to the current environment. To put it another way, as businesses evolve to become more agile, effective, and responsive, their approach to legal and ethical issues must evolve with them.
As previously stated, DevOps promotes a closer collaboration between development and operations. The two teams, typically working in different locations, may now work side-by-side, sharing information and insights through daily interactions and automated notifications. This close integration, though, raises several compliance concerns since it can be difficult, if not nearly impossible, to ensure that all relevant parties are operating in compliance with the relevant regulations. Specifically, what are your responsibilities as a software developer or manager when it comes to GDPR, CCPA, and other similar regulations? What information do you need to keep confidential, and what documentation do you need to keep? What are your responsibilities when it comes to ensuring that your software is not infected with malware, especially since you will most likely be working with external suppliers and partners?
The short answer to this question is: a lot. You will have to walk the line between ensuring a high level of privacy and security for your users while also meeting the demands of the regulatory body, often in the context of a limited knowledge base. Let’s examine each aspect of this question in turn.
First, you will need to determine whether or not your company is a data processor under GDPR. A data processor is an organization that collects, stores, and processes your personal data on behalf of various parties (e.g., marketing vendors, government agencies, etc.). If you think that your company functions in a similar capacity, then you should consider establishing contractual agreements with the various data processors that you work with, specifying the data that they will process on your behalf and the purposes for which the data will be used. You should also consider establishing standardized data privacy and security processes that are compliant with GDPR, and ensure that your employees and any third parties working on behalf of your company have adequate training in data privacy and security.
The Credit Card Processing Act, more commonly known as CCPA, was passed in the United States in 2018. One of the primary goals of this act was to bring the payment processing industry into compliance with the California Consumer Privacy Act (“CCPA”).
CCPA, like GDPR, is a European regulation that requires organizations to protect the private data of their customers. CCPA applies to companies that offer goods or services to customers inside California and that have a business presence inside the state. Specifically, your company must comply with §1700(a) of CCPA which states: “A business may not impose any condition on a person that requires the person to disclose their personal information to the business or any third party, nor may the business use or share the person’s personal information for any purpose other than to provide the person with related goods or services.”
The good news is that CCPA provides exceptions for certain businesses, including those that offer goods or services in a “personalized” manner, as defined by the California Insurance Commissioner. Your company does not have to comply with CCPA if your business is not “personalized” as defined by the California Insurance Department. In other words, if you are not collecting or using personal information to uniquely identify and contact a person, then you are not subject to the requirements of CCPA. However, you should still ensure that your employees and third parties working on behalf of your company have adequate training in compliance with GDPR and CCPA.
Data Breach And Incident Reporting
When a data security incident occurs, there is usually an incident report that needs to be filed. Depending on the type of incident that you experience, you may be mandated to file a report with the government or relevant data protection authorities. You should have a process in place to alert the relevant authorities in the event of a data security incident and, in turn, comply with any data security regulations or mandates. Furthermore, you should have a process in place for reporting and analyzing data breaches which might occur in the future. This should include processes for identifying at-risk groups, notifying affected individuals and/or legal authorities, analyzing the source and scope of an incident, and taking appropriate corrective measures to ensure that similar incidents do not occur in the future.
Who Is Responsible For What?
It is important to determine who is responsible for each aspect of the software delivery process. This is especially important when discussing GDPR and other similar regulations. Typically, software developers are responsible for creating applications and managing the underlying databases, while operations is responsible for installing the applications on servers and managing day-to-day operations. However, this is not always the case. For example, if you have an in-house legal department that drafts contracts and performs other legal services for your company, then it would be considered part of your operations team.
To put it simply, every role, without exception, has responsibilities when it comes to ensuring that legal and regulatory issues are consistently and effectively managed. Ultimately, the onus is on the individual to ensure that they operate within the rules and regulations outlined by their organization. In some cases, this may mean closing off certain opportunities; in others, it could mean revising current processes so that they are more compliant.
At this point, you should have a good idea of what is required of you as a software developer or manager in the context of legal and regulatory compliance. In the next and final part of this series, we will discuss some of the implications that GDPR and CCPA may have for your business.