Technical Archives - TechGDPR
https://techgdpr.com/blog/category/technical/

How Privacy Enhancing Technologies (PETs) Can Help Organizations Stay GDPR Compliant
https://techgdpr.com/blog/discover-how-privacy-enhancing-technologies-pets-help-organizations-achieve-gdpr-compliance-by-safeguarding-personal-data-reducing-risks-and-enhancing-confidentiality-through-encryption-anonymiza/
Tue, 13 May 2025 09:22:00 +0000

Safeguarding personal information is now more important than ever. 95% of customers will not engage with companies that cannot offer adequate safeguards for their data. With data protection regulations like the General Data Protection Regulation (GDPR), organizations are under constant pressure to protect sensitive data while ensuring compliance. Privacy Enhancing Technologies (PETs) have emerged as powerful tools to achieve this balance. These technologies not only help secure personal data but also support GDPR compliance by minimizing risks and enhancing confidentiality.

But what are PETs exactly, and how can they help organizations meet GDPR standards? PETs are crucial to securing data and serve a critical role in modern data privacy.

What Are Privacy Enhancing Technologies (PETs)?

Privacy Enhancing Technologies (PETs) are a set of tools and techniques designed to protect personal data throughout its lifecycle. PETs can help reduce the risk to individuals while enabling further analysis of personal data without a controller necessarily sharing it, or a processor having access to it. They aim to minimize the exposure of sensitive information while still enabling data processing. PETs can be categorized based on their primary function: minimization, confidentiality, and control.

Some of the key types of PETs are as follows:

  • Anonymization: This technique removes or alters personal identifiers so data cannot be traced back to an individual. Under the GDPR, true anonymization is considered irreversible, allowing the data to be stored and used without further GDPR constraints.
  • Pseudonymization: Unlike anonymization, pseudonymization replaces private identifiers with artificial labels. Although it is reversible under strict controls, it adds a layer of protection by decoupling personal identifiers from the dataset. It is very important to understand that pseudonymized data is not the same as anonymized data.
  • Encryption: Encryption converts data into a coded format, accessible only with a specific decryption key. This ensures that even if the data is intercepted, it remains unreadable to unauthorized parties.
  • Synthetic data: This allows organizations to create artificial data that mimics real data but preserves user privacy. Synthetic data is often used in AI and machine learning as well as software testing and development. 
  • Differential privacy: This is a mathematical concept that adds randomness or noise to data analysis, making it more difficult to identify individuals. 
  • Confidential computing: This form of data processing prevents unauthorized access to data during computation. It is often used in cloud computing and for healthcare and financial services. 
  • Federated learning: This machine learning approach allows multiple organizations to train algorithms collaboratively without sharing raw data, enhancing both privacy and compliance.
  • Trusted execution environments: Secure hardware or software environments within a system that provide an isolated area of execution of sensitive operations and protect code and data from external tampering. 

By using these technologies, organizations can significantly reduce the risk of data breaches and support GDPR’s core principles. PETs help to ensure that an individual’s data is better protected to avoid any potential data breaches or misuse of data. 
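The difference between the pseudonymization and anonymization entries above, as an added Python example that is not part of the original post: it replaces an e-mail column with a keyed HMAC-SHA256 token and shows who can map a token back to a person. The sample records, the candidate list and the function names are constructed for illustration, and HMAC is one common way to build pseudonyms, not a method the post prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: example.com addresses, not real people.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "visits": 14},
    {"email": "Bob@Example.com ", "plan": "free", "visits": 3},
    {"email": "alice@example.com", "plan": "pro", "visits": 9},
]
# Identifiers that someone outside the organization could plausibly enumerate.
CANDIDATES = ["carol@example.com", "bob@example.com", "alice@example.com"]


def normalize(identifier):
    """Canonical form, so the same person always yields the same token."""
    return identifier.strip().lower()


def naive_hash(identifier):
    """Unkeyed SHA-256 of the identifier: often mistaken for anonymization."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def pseudonymize(identifier, key):
    """Keyed HMAC-SHA256 token; only a holder of the key can recompute it."""
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymize_records(records, key, field="email"):
    """Replace the identifier field with a token; other columns are untouched."""
    out = []
    for row in records:
        new_row = {k: v for k, v in row.items() if k != field}
        new_row["subject_token"] = pseudonymize(row[field], key)
        out.append(new_row)
    return out


def reidentify(token, candidates, tokenizer):
    """Recompute tokens for known identifiers and return the one that matches.

    With an unkeyed hash anyone can run this. With HMAC it needs the key,
    which is the "strict controls" part: the key is stored apart from the data.
    """
    for candidate in candidates:
        if hmac.compare_digest(tokenizer(candidate), token):
            return normalize(candidate)
    return None


def demo():
    key = secrets.token_bytes(32)  # assumption: kept by the controller, separate from the dataset
    shared = pseudonymize_records(RECORDS, key)
    alice_token = shared[0]["subject_token"]
    return {
        # Rows 0 and 2 belong to the same person and still link together.
        "same_person_linkable": shared[0]["subject_token"] == shared[2]["subject_token"],
        # A plain hash is reversed by simply hashing guessed identifiers.
        "outsider_reverses_plain_hash": reidentify(
            naive_hash("bob@example.com"), CANDIDATES, naive_hash),
        # Without the key, the HMAC token does not match any guess.
        "outsider_reverses_hmac_token": reidentify(alice_token, CANDIDATES, naive_hash),
        # The key holder can still map the token back to the person.
        "key_holder_reidentifies": reidentify(
            alice_token, CANDIDATES, lambda c: pseudonymize(c, key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key holder can still re-identify and the tokens still link rows of the same person, the output dataset remains pseudonymized personal data.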

GDPR Principles Supported by PETs

The GDPR is built around principles that prioritize data protection at every stage of processing. PETs offer a practical path to compliance by reinforcing these key principles.

The following key GDPR principles can be reinforced through the use of PETs:

  • Data Minimization (Article 5): PETs like anonymization and pseudonymization ensure that only necessary personal data is processed, reducing exposure. Techniques like differential privacy also enable organizations to analyze data sets without exposing individual identities, aligning with GDPR’s minimization principle.
  • Integrity and Confidentiality (Article 5): Technologies such as encryption protect data against unauthorized access, maintaining its confidentiality and integrity. Homomorphic encryption, for instance, allows for computations on encrypted data without revealing its contents, offering enhanced protection.
  • Technical and Organizational Measures (Article 25): Implementing PETs as part of system design supports privacy by design, a core requirement of the GDPR. This includes pseudonymizing or encrypting data by default, ensuring that privacy safeguards are active even before processing begins.

Organizations can further strengthen their compliance by incorporating PETs into Data Protection Impact Assessments (DPIAs), identifying and addressing potential risks before processing begins. DPIAs help document how PETs mitigate risks by offering a transparent view of data processing activities.

PETs and International Data Transfers

Cross-border data transfers are a major concern under the GDPR, especially after the Schrems II ruling. PETs help address these challenges by adding layers of security to data during transit. Technologies like encryption and federated learning ensure that sensitive information remains protected even during international exchanges. PETs act as supplementary measures to meet the GDPR Chapter 5 (Art 44-50) requirements, reducing risks during cross-border transfers and maintaining compliance with European standards.

For example, federated learning allows machine learning models to be trained across multiple locations without sharing raw data. This reduces exposure and facilitates compliance with strict European data protection laws. Encryption further helps ensure that even if data is intercepted during transfer, it remains unreadable without the right decryption keys.

Real-World Applications of PETs

PETs are already being used across various industries to maintain privacy and GDPR compliance.

Here are some core examples of PET usage:

Implementing PETs requires careful planning and collaboration across IT, legal, and privacy teams. Legal ambiguities around anonymization, integration with legacy systems, and the complexity of deployment can pose challenges. However, conducting DPIAs, aligning strategies with GDPR Article 32, and ongoing training for staff help smooth the integration process. Regular audits and collaborative cross-functional efforts also contribute to effective implementation.

PETs as a Strategic Enabler for GDPR Compliance

Privacy Enhancing Technologies are not just compliance tools; they are strategic assets that enable secure, responsible data processing. For organizations striving to meet GDPR standards, PETs offer a practical path to data minimization, enhanced confidentiality, and secure international transfers.

Implementing PETs as part of your data privacy strategy not only reduces compliance risks but also fosters trust with clients and partners. By embracing these technologies, businesses can navigate the complexities of GDPR with confidence and accountability.

Self-Hosting AI: For Privacy, Compliance, and Cost Efficiency
https://techgdpr.com/blog/self-hosting-ai-for-privacy-compliance-and-cost-efficiency/
Wed, 12 Mar 2025 11:12:08 +0000

Self-hosting AI models is the future of privacy and compliance. By hosting AI models on personal hardware, individuals and businesses can improve data security while meeting strict regulations like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). Most people use hosted artificial intelligence (AI) services such as ChatGPT by OpenAI or Gemini by Google. These are known as cloud-based AI models, and the computation is done on servers operated by the AI providers. Self-hosting your AI means that you are the controller of all of the data. Unlike cloud-based AI services, self-hosting ensures that all data remains within the user’s direct control. This significantly reduces the risks of unauthorized access, data breaches, and non-compliance with regulatory frameworks.

What does self-hosting an AI model mean?

To be explicit: if one self-hosts AI models, the processing occurs directly on hardware they own (e.g. one can run Ollama on their laptop). This control allows for enhanced privacy and security. Arguably, if you host an AI model on your device, there is no need for the data to ever leave your device. Therefore, the risk of data breaches or unauthorized access decreases drastically. If one hosts an AI directly on their device, the data does not need to travel a long distance. This means the latency is decreased and one receives a faster response (this aspect of speed is hardware dependent). Latency can best be understood as how much time passes between when a question is asked to an AI model and when a response is received.

Most modern computers can run smaller AI models with no issue, but larger models tend to be more resource intensive. There are many resources available that allow one to examine the free open-source models and the hardware compatibility. The benefits to using an open source model can be greater privacy and transparency. The decreased latency also allows for reduced risks of data breaches and a better level of compliance if processing sensitive data using AI models. 

Why and how to invest in self-hosting AI models?

To run usable AI models, hardware plays a crucial role. Self-hosting AI models requires a graphical processing unit (GPU) for optimal performance, as running AI solely on a central processing unit (CPU) leads to slower computations and, as mentioned above, higher latency.

The key benefits of self-hosting AI models are:
  • Improved Performance: GPUs significantly enhance processing speed, allowing AI models to generate responses faster.
  • Cost Savings Over Time: While the initial investment in hardware may be high, self-hosting eliminates recurring cloud subscription fees—leading to long-term financial benefits.
  • Data Control & Privacy: Self-hosting removes dependence on third-party cloud providers, ensuring full control over sensitive data.
  • Regulatory Compliance: Self-hosting reduces the risk of breaches and helps meet strict regulations like the GDPR and the HIPAA.
  • Avoids External Policy Changes: Cloud-based AI providers frequently update pricing models, governance rules, and data policies. Self-hosting AI models provide stability and predictability in data management.
  • Eliminates Token Costs: Using AI services from major providers (e.g., OpenAI, Google) requires purchasing tokens, making usage costs unpredictable. Self-hosting avoids reliance on fluctuating pricing. As demonstrated in the included chart, these prices fluctuate constantly, and anyone using AI that is not self-hosted is at the whim of the cost dictated by the service provider.

Figure: Fluctuating AI Token Costs (source: https://aichatmakers.com/2024/04/15/llms-pricing-comparison-with-chat-arena-leaderboard-ranking-april-2024/)

By investing in local AI infrastructure, businesses and individuals regain autonomy over AI processing, ensuring cost efficiency, data privacy, and long-term stability. Investing in the hardware means that one is not at the whims of the service provider for one’s virtual cloud instance. It allows for complete control over the data and for an eventual decrease in the amount of money self-hosting AI costs.

How can using self-hosting AI help with regulatory compliance?

Self-hosting AI models is a crucial step toward ensuring compliance with data protection regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), while also reducing reliance on big tech companies. Under Article 9 of the GDPR, sensitive personal data, such as health information, biometric data, and racial or ethnic origin, requires strict protection and cannot be processed without explicit consent or a lawful basis. By self-hosting AI models, organizations retain full control over such data, minimizing the risk of unauthorized access and third-party breaches. 

Studies have shown that developing AI models within institutional boundaries, particularly in healthcare, enhances privacy and regulatory compliance. It allows for more ethical and secure AI deployment. Furthermore, reliance on centralized AI models controlled by major corporations raises concerns about monopolized access to data. This can potentially lead to biased decision-making and limited transparency. Self-hosting AI fosters greater ethical responsibility, ensuring that data governance aligns with user interests rather than corporate agendas.

Case study: DeepSeek

At the beginning of 2025, there was a huge shock in the AI sphere with the introduction of DeepSeek R1. DeepSeek, a Chinese startup, was able to create and train an open-source AI model for a fraction of the cost of its competitors. It is free to download and use. Since DeepSeek is based in China, there were growing concerns about using chat.deepseek.com or the application because of where the data is sent. However, if one self-hosts DeepSeek R1, the data is not sent anywhere beyond the controller. Running DeepSeek as a self-hosted AI model is a simple and cost-effective way to explore the benefits of self-hosted AI, including privacy, performance, and cost savings.

DeepSeek and Privacy

Why is DeepSeek good for privacy?

But, do self-hosted AI models perform worse?

Short answer: No. A Swiss study showed that using a small local Deep Neural Net (DNN) alongside a remote large-scale AI model can help reduce the prediction cost by half without affecting the system’s accuracy. In 2022, Chat GPT-3 models cost $0.48 per request. The study worked by first sending the input to a locally hosted DNN for a response. If the response was trustworthy, the request was not forwarded to the GPT. If the output was not trustworthy, the GPT would need to compute the response. The local DNN was able to generate a correct prediction or response for 48% of the input needed and lost very little accuracy. Self-hosted AI models are therefore able to save money for individuals by saving tokens and avoiding expensive calls, with very little loss in terms of accuracy.

Why should businesses adopt self-hosting AI?

In a world where AI is increasingly intertwined with daily life, the decision to self-host AI models offers a powerful alternative to cloud-based solutions. By self-hosting AI models on personal hardware, one can improve: 

  • Data Security: Eliminates external risks by keeping information in-house.
  • Regulatory Compliance: Easier to meet industry-specific privacy laws.
  • Cost Efficiency: Reduces long-term expenses related to cloud computing and API usage.
  • Customization & Flexibility: Empowers users to fine-tune models to their specific needs, ensuring greater transparency and understanding of how AI systems operate.
  • Improved Performance: Faster response times and reduced latency lead to better user experiences.

With advancements in open-source models like DeepSeek R1, running self-hosted AI models is more accessible than ever. This allows users to benefit from high-performance models without sacrificing privacy or autonomy. As AI continues to evolve, self-hosting AI models stands as a viable and increasingly necessary choice for those who prioritize control, security, and ethical responsibility in their AI usage.

Password security: how strong passwords work and the tools to simplify
https://techgdpr.com/blog/password-security-strong-passwords-tools/
Tue, 31 Dec 2024 11:02:10 +0000

Despite there being means of visualizing one’s password security and its strength, it is not immediately clear how password strength works and where the fine line is between a random, unpredictable password and an easy-to-guess password. What if there was a means for the average person to understand where that line resides? Password strength is the basis for protecting sensitive data, ensuring regulatory compliance, and maintaining trust. With reliance on online systems and fast-rising threats, reliable password practices are necessary. Compromised and weak passwords can create loopholes for cybercriminals. The ensuing loss of confidentiality leads to data breaches.

Exploring key aspects of password security involves evaluating password strength to resist brute force attacks and using password managers for secure and unique passwords. It also includes leveraging multi-factor authentication (MFA) to enhance protection and recognizing the risks of using browser-suggested passwords and potential vulnerabilities if the browser or device gets compromised.

How secure is my password?

One of the ways to assess the strength of a password is through entropy. Entropy measures password complexity by assessing its randomness, indicating how unpredictable and difficult it is for attackers to guess. Higher entropy, or more randomness, in layman’s terms means a more secure password. Factors that contribute to higher password entropy include:

  • Length: Longer passwords are generally harder to crack.
  • Complexity: Including a mix of uppercase and lowercase letters, numbers, and symbols.
  • Unpredictability: Avoiding predictable patterns like common words and phrases.

If one is curious about how secure their password is, this Password Entropy Calculator helps an individual understand password strength and evaluate their own passwords. A secure password should have high entropy, which makes it resistant to brute-force attacks, where attackers systematically try every possible combination of passwords or keys until they find the correct one.
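The entropy idea above as an added Python example, not part of the original post and not the calculator it mentions: it compares the naive length-times-alphabet figure with a simplified pattern-aware estimate that discounts common words and runs such as "1234". The word list, the assumed dictionary size, the guessing rate and all function names are constructed assumptions.

```python
import math
import secrets
import string

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
# Constructed sample; a real checker would load a large breached-password list.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "dragon", "summer", "admin"}
ASSUMED_WORDLIST_SIZE = 100_000    # assumption: size of a guessing dictionary
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption: offline guessing rate
LEET = str.maketrans("4@310$5!7", "aaeiossit")  # undo common letter substitutions


def charset_size(password):
    """Size of the alphabet a brute-force search has to cover."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if any(all(c not in cls for cls in CLASSES) for c in password):
        size += 32  # assumption: spaces and non-ASCII count as one extra class
    return size


def naive_bits(password):
    """Length x log2(alphabet): only valid if every character is random."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def runs(text, min_len=3):
    """Spans where characters repeat or step by one (aaa, abc, 321)."""
    spans, i = [], 0
    while i < len(text) - 1:
        delta = ord(text[i + 1]) - ord(text[i])
        j = i + 1
        if delta in (-1, 0, 1):
            while j + 1 < len(text) and ord(text[j + 1]) - ord(text[j]) == delta:
                j += 1
            if j - i + 1 >= min_len:
                spans.append((i, j + 1))
        i = j
    return spans


def pattern_aware_bits(password):
    """Simplified estimate: predictable parts cost a guess, not a full search."""
    lowered = password.lower()
    if not password or len(lowered) != len(password):
        return naive_bits(password)  # skip analysis if case folding shifts indexes
    per_char = math.log2(charset_size(password))
    folded = lowered.translate(LEET)
    covered = [False] * len(password)
    bits = 0.0
    for word in COMMON_WORDS:
        start = folded.find(word)
        if start != -1:
            # One dictionary pick plus ~2 bits for capitalisation/substitutions.
            bits += math.log2(ASSUMED_WORDLIST_SIZE) + 2
            covered[start:start + len(word)] = [True] * len(word)
    for start, end in runs(lowered):
        if not all(covered[start:end]):
            bits += per_char + 1  # first character plus direction of the run
            covered[start:end] = [True] * (end - start)
    bits += per_char * covered.count(False)  # the rest is treated as random
    return min(bits, naive_bits(password))


def years_to_search_half(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """Average brute-force time: half the search space at the assumed rate."""
    return 2 ** (bits - 1) / rate / (365 * 24 * 3600)


def generate_password(length=20):
    """Uniformly random password, as a password manager would generate."""
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report(password):
    estimate = pattern_aware_bits(password)
    return {"naive_bits": round(naive_bits(password), 1),
            "pattern_aware_bits": round(estimate, 1),
            "years_at_assumed_rate": years_to_search_half(estimate)}


if __name__ == "__main__":
    for sample in ("Password1!", "abcd1234", "xK9#mQ2$vL", generate_password()):
        print(sample, report(sample))
```

"Password1!" and "xK9#mQ2$vL" get the same naive score because they share length and character classes; only the pattern-aware figure separates them, which is the unpredictability factor from the list above.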

How do password managers enhance security?

According to the German Federal Office for Information Security (BSI), using a password manager is one of the most effective ways to securely store and manage passwords. These standards ensure that the strategies outlined are both robust and reliable, offering a trusted framework for enhancing password security. Password managers are powerful tools for improving password security and convenience. They securely store and manage passwords, making it easier to use complex, unique credentials for each account. This not only enhances security by reducing the risk of weak or reused passwords, but also simplifies the online experience by eliminating the need to remember multiple passwords. Password managers enhance security by:

  • Generating strong passwords: Password managers create random, complex passwords that are nearly impossible to crack.
  • Secure storage: Passwords are encrypted and stored securely, reducing the risk of exposure.
  • Unique passwords for every account: Using unique passwords for each account limits the damage if one account is compromised (for instance if logging into a service while using public WiFi leads to a third party intercepting an individual’s credentials).
  • Automatic filling: Password managers can autofill login credentials, reducing the risk of phishing attacks by ensuring only the authentic individual can enter credentials on legitimate sites.

There are many popular password managers that offer both free and premium versions to suit individual or organizational needs. Organizational password management needs often focus on collaboration, centralized control, and compliance with security policies, requiring features like shared vaults, role-based access, and audit trails. In contrast, individual users prioritize personal security, ease of use, and cross-device synchronization to protect their accounts.

How Multi-factor Authentication (MFA) adds an extra layer of security

While strong passwords are essential, they are not reliable on their own. The European Union has emphasised how MFA protects consumer sensitive data, enhances operational resilience, and mitigates cybersecurity risks. Multi-factor Authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to access an account. These factors typically include a combination of at least two of the following:

  • Something you know: A password or PIN.
  • Something you have [i.e. physically]: A smartphone, hardware token, or security key.
  • Something you are: Biometric data, such as fingerprints or facial biometrics.
  • Somewhere you are: The location matches the expected location (VPNs).

MFA significantly reduces the risk of unauthorized access, even if a password is compromised. According to Microsoft, MFA can prevent 99.9% of account compromise attacks, making it a crucial component of any security strategy. 

Password security and compliance

Many industries are subject to regulations that require high password security to protect sensitive data such as:

  • The General Data Protection Regulation (GDPR): Mandates the protection of personal data for EU residents.
  • The Payment Card Industry Data Security Standard (PCI DSS): Requires strong password policies for organizations handling credit card data.
  • Health Insurance Portability and Accountability Act (HIPAA): Enforces password security to safeguard patient information.

Failure to comply with these regulations can result in huge fines and legal consequences. Implementing best practices for password security is not just about protection; it is a compliance necessity.

Are browser-suggested passwords safe?

Browser-suggested passwords are generally safe and convenient: modern web browsers like Chrome, Firefox, and Safari offer built-in password managers that suggest and store passwords using encrypted storage and advanced algorithms. While convenient, there are some risks to consider.

  • Limited security features: Browser-based password managers may not offer the same level of encryption and security as dedicated password manager apps.
  • Device dependency: If a device is compromised or lost, the stored passwords may be at risk, especially if the device lacks proper security controls.
  • Synchronization risks: Passwords synced across devices via a cloud service become vulnerable if attackers compromise the cloud account.
  • Phishing vulnerability: Phishing websites can exploit autofill features by cloning legitimate sites.

When choosing to use browser-suggested passwords, keep the browser up to date, use strong device security, and consider enabling MFA for cloud accounts.

Conclusion

Password security is a staple of digital safety and regulatory compliance. Creating strong, unique passwords, using password managers, and enabling multi-factor authentication helps individuals and organizations reduce unauthorized access and breaches.

While browser-suggested passwords offer convenience, understanding their limitations and risks is essential. Ultimately, a proactive approach to password security can protect an individual’s data, ensure compliance, and build trust with customers.

Feel free to reach out to TechGDPR for any clarification of technical compliance needs.

Introducing the Privacy Tech Directory: A Tool for Data Protection and Compliance
https://techgdpr.com/blog/privacy-tech-directory/
Mon, 02 Sep 2024 13:22:42 +0000

The Privacy Tech Directory  provided by TechGDPR is a centralized repository of resources and tools designed to help both companies and individuals safeguard their personal information and comply with privacy regulations. This resource was created in order to host a wide range of tools, from encryption and cookie management to open-source analytics, in one centralized location to allow users to compare and assess various solutions to address their unique privacy challenges. The Privacy Tech Directory can be used by corporations looking to fortify data security or even individuals aiming to reclaim their privacy rights.

The Privacy Tech Directory serves two purposes: 

  1. it empowers users to enhance their privacy and
  2. provides a list of tools that can help to maintain compliance with relevant data protection laws. 

It offers a large selection of tools categorized meticulously to address different aspects of privacy and security.

It should be noted that the directory is not an exhaustive list but rather an initial stepping point to figure out what services and/or products are available to help with your specific privacy or security concern.

Here’s a detailed look at the categories available:

Features of the Privacy Tech Directory 

The tools are divided into the following categories: 

  • Consent Management Platforms: Manage user consent and ensure compliance with the GDPR and other regulations.
  • Access Control: Implement secure access controls to protect sensitive information.
  • Analytics: Use privacy-focused analytics tools to gather insights without compromising user data.
  • File Management: Secure file storage and sharing solutions to protect data integrity.
  • Privacy Alternatives: Discover privacy-respecting alternatives to mainstream services.
  • AI: Leverage AI tools designed with privacy in mind.
  • Forms: Create and manage forms that prioritize user data protection.
  • Fonts: Use fonts that respect user privacy.
  • Encryption: Employ encryption tools to secure data in transit and at rest.
  • Bookmarking: Find privacy-focused bookmarking tools.
  • Advertising: Access advertising tools that prioritize user privacy.
  • Compliance/Risk Management: Simplify compliance and risk management processes.
  • DPO-as-a-Service: Utilize data protection officer services for expert guidance.

The diversity of tools underscores multiple ways technology intersects with privacy, and seeks to highlight the necessity of preserving privacy on various fronts.

The Creation and Evolution of the Privacy Tech Directory 

The Privacy Tech Directory was crafted through independent research and the innovative use of generative AI. Should any inaccuracies be found in the tool descriptions, users are encouraged to contact TechGDPR at privacydirectory@techgdpr.com to correct the information. The directory aggregates information from various sources, including Privacy Guides, Web3 Privacy on GitHub, and the IAPP privacy vendor directory, alongside independent research efforts.

The directory attempts to highlight open source and free tools. There is a landing page to navigate all of the tools with the following options presented.


This database is located on our Privacy Tech Directory landing page. It allows for users to search the database directly by Name, Format, Category or even words that appear in Short Description such as for example: “GDPR.”

For each tool described in the directory, we strive to include the: 

  • Name
  • Short description (AI generated)
  • Format category (Is this tool for developers (low level code)? Is it a working software or application?)
  • Long descriptions (AI generated)
  • URL / Github
  • Languages supported
  • Whether the tool is free or not, if the tool is not free, the cost is included if it could be discerned from the website
  • Open Source (if applicable)
    • Link Github/open source (if applicable)

If you have new tools to add or wish to feature or remove a tool from the Privacy Tech Directory, please reach out to TechGDPR at privacydirectory@techgdpr.com.

Conclusion

The Privacy Tech Directory by TechGDPR is a resource for anyone interested in data protection and privacy compliance. The directory is a curated collection of tools to enhance security, streamline compliance, and maintain transparency. 

For any requests and issue reporting, contact TechGDPR at privacydirectory@techgdpr.com.

Does Server Location Really Matter Under GDPR? Understanding Data Localization in the Context of Data Protection Compliance
https://techgdpr.com/blog/server-location-gdpr/
Tue, 02 Jul 2024 15:10:41 +0000

Many organizations wonder, “Does server location really matter under GDPR?”. This question arises from the complex landscape of data protection regulations. There is often a strong emphasis on the importance of the location of user data. However, in the context of the GDPR, data localization is not as important as many people think. Based on the requirements of the GDPR, securing the data when transferring it is actually more crucial than the issue of data localization.

Data localization is the practice of storing and processing data within a set geographical space. This is different than data residency which is often used interchangeably with data localization; however, it is slightly different. Data residency refers to the actual location of the servers and other infrastructure used to store and process the data. While data localization includes the concept of data residency, it also incorporates the idea of data sovereignty. Data sovereignty refers to the rights of the legal authority or any entity to exercise control over data within its borders. Data localization is the combination of both data sovereignty and data residency. 

The EU’s General Data Protection Regulation (GDPR) prioritizes strong data protection practices and indirectly favors the storage of personal data within the EU. However, data localization is not a strict legal requirement therein. 

What is required to transfer data outside of the EEA?

The GDPR does specify the need for “appropriate safeguards” for transferring data outside the EU. Articles 44 to 50 of the GDPR detail the requirements for storing and transferring data outside of the EEA, including adequacy decisions, standard contractual clauses, certifications and binding corporate rules as well as when processing activities are exempt from these requirements. 

Standard contractual clauses, as described in GDPR Art. 46, are legally binding data protection clauses approved by the European Commission. Binding corporate rules (BCRs), as described in GDPR Art. 47, are internal rules adopted by multinational companies or groups of enterprises for transfers within a group. BCRs serve to ensure all members maintain appropriate levels of GDPR compliance regardless of their locations. If a company decides to rely on BCRs as a transfer mechanism, all its EU-based entities must adhere to the binding corporate rules when transferring data outside the Union. There are also certification mechanisms for transfers; however, these alone are not sufficient for data transfers outside of the EEA.

An adequacy decision states that a country outside of the EEA provides adequate data protection measures. If an adequacy decision is in place, then no additional data protection safeguards are required. There are currently adequacy decisions with the following countries: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, the United States (commercial organizations participating in the EU-US Data Privacy Framework) and Uruguay.

Addressing the US

Many tech companies and third party service providers are located in the U.S. The Schrems II case in July 2020 invalidated the U.S. Privacy Shield, which allowed for U.S.-EU data transfers. This was due to concerns related to data sovereignty. Essentially, the personal data of EU data subjects that was located in the U.S. could be processed and subject to U.S. surveillance, meaning that U.S. laws did not actually provide adequate privacy protection in accordance with the GDPR for EU data subjects. This case made data localization within Europe more common to avoid transfers to the U.S. when possible.

The GDPR does not mandate data localization, but it outlines strict rules and requirements for processing data outside of the EEA. Storing and processing data of EU data subjects within the EU helps to make compliance with the GDPR easier; however, compliance is not just data localization. Data security and minimization are also crucial to consider.

Understanding Data Practices 

In recent years there has been a growing trend of organizations using third party services such as content distribution networks (CDNs) and cloud storage services. CDNs have become increasingly popular, serving a majority of web traffic, including traffic from major sites like Facebook, Netflix, and Amazon. Server location means where the servers physically are. Large service providers such as Amazon, Google or Cloudflare allow companies to choose the location of the servers holding the information. While Amazon might be a US entity, information stored in an Amazon server located in Germany, for example, is subject to German legal requirements on data sovereignty.

In 2021, a report was published revealing that within the calendar year 44% of organizations experienced a data breach, and the majority of these data breaches were due to not properly assessing the risks of third party vendors. Many organizations see the use of third parties as a security risk, but not a high one, which leads to insecure and poor data management practices. It is important to utilize strong security practices, such as always sending personal information over TLS-encrypted connections as opposed to directly over HTTP. While the location of the third parties utilized is important, arguably it is not as important as the data management practices or security practices implemented by said third parties.

The Global Landscape of Data Privacy and Data Localization

Some countries have stronger data localization laws. In 2017, there were 67 data localization laws; however, by 2021 that number had grown to 144. There is a growing trend towards regulating data localization. The most notable data localization laws affect China, Brazil, Russia, and India.

There are other countries that require data localization, and when processing information about data subjects located in specific countries it is important to be aware of any data localization requirements. Specific industries such as healthcare have regulations that deal with data residency requirements, such as the UAE Health Data Law.

Conclusion

While data localization can facilitate compliance and potentially simplify certain regulatory aspects, under the GDPR the ultimate focus must remain on implementing strong, consistent data protection practices. The GDPR prioritizes securing data through comprehensive safeguards, regardless of physical location, and emphasizes mechanisms such as standard contractual clauses, binding corporate rules, and adequacy decisions to ensure protection across borders. There is a growing trend towards data localization as more regulations require data residency, and this article does not take into account other possible local regulations. Furthermore, the evolution of global data privacy laws suggests a continuous shift towards balancing data sovereignty with international data flows, underscoring the importance of robust security practices over mere geographic constraints.

Therefore, when asking, “Does server location really matter under GDPR?”, the answer lies in balancing data security and compliance measures, regardless of geographical constraints. TechGDPR can help to better understand how to navigate data privacy regulations and ensure a high level of compliance.

Improving GDPR compliance with the EDPB Website Auditing Tool https://techgdpr.com/blog/edpb-website-auditing-tool/ Mon, 25 Mar 2024 16:26:02 +0000

The post Improving GDPR compliance with the EDPB Website Auditing Tool appeared first on TechGDPR.
The EDPB Website Auditing Tool, or EDPB WAT, was recently released to help monitor websites’ compliance with the GDPR. It is a free software project that is meant to help analyze websites. The EDPB WAT uses Chromium as a webdriver to access a URL. It then assesses which external resources and cookies are loaded on the relevant website. It is important for companies to regularly assess their websites. In doing this, they can ensure that they have a complete understanding of their processing activities. It is the responsibility of the data controller to ensure that its website is compliant with the GDPR.

The EDPB audit tool can be installed directly from the source code or through pre-built releases. There is a version for easy installation on Linux, Windows, and macOS machines. One can also download the official source code of the EDPB WAT rather than the pre-compiled application file.

Capabilities of the EDPB Website Auditing Tool

With the tool, individuals are able to start new analyses of a website. There is the possibility to create multiple scenarios such as: 

  • No cookies accepted; 
  • Reject all;  
  • Accept all; and
  • Any other categorization of cookies available on the website, for example performance, marketing, etc.

For each of these scenarios, the cookies and external sources loaded are collected by the tool to form a report. The user of the tool is then able to test out different banner and consent box options. This allows them to inspect how the user experience changes. In assessing various consent box options, the tool allows for easy verification that all the cookies are correctly categorized. This ensures that no non-necessary cookie is loaded without permission from the user.

By using the EDPB WAT, one is able to analyze different aspects of a website such as: 

  • Which cookies are loaded for various consent scenarios; 
  • Local storage that is being used; 
  • Verifying the use of HTTPS or SSL to protect the flow of data to and from the website; 
  • Traffic analysis to identify what requests are being made; 
  • Identifying whether any web forms on a website are submitted over non-encrypted transmission, to ensure that what could potentially be personal data is being sent securely; and
  • The presence of any web beacons. 

How to get started

The program can be installed through an application installer for Linux, Windows, and macOS. One is also able to download the source code directly. Using the pre-configured installers is recommended for simplicity. The EDPB also released official guidance to use in conjunction with the tool, which can be accessed here.

Testing out the EDPB WAT: An example

After installing the EDPB WAT, one can easily test out the capabilities of the tool by requesting a specific URL for the tool to access. Consider the URL website.com, which is owned by CompX and has a cookie banner with “Accept All” and “Reject All” as the only two options for consent.

Since there is a cookie banner present, there are three scenarios that we need to assess. 

  1. Accept All → When the option to “Accept All” is chosen, review all of the scripts, resources and cookies that are loaded. 
  2. Reject All → When the option to “Reject All” is chosen, it is important to review 
  3. No consent given  → It is important to see if any cookies, resources or scripts are loaded even if one does not interact with the cookie banner.

The tool will then access that URL and data will be collected based on the consent option chosen. When assessing the website scenarios, one can label each scenario as being compliant, not compliant, or indeterminate. The same labels can be applied to the specific cookies that are set by a website. If website.com was found to be using third party advertising cookies when the option to Reject All is chosen, that would be in violation of the GDPR and ePrivacy Directive.
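The labeling step described above can be sketched in code. This is an added example, not code or an output format from the EDPB WAT: the cookie names, the knowledge base and the captured `Set-Cookie` headers are all constructed, and treating "essential" cookies as exempt from consent is an assumption of the sketch.

```python
from http.cookies import SimpleCookie

SITE_DOMAIN = "website.com"  # the example site from the text

# Hypothetical knowledge base (cookie name -> category), built up by hand.
KNOWLEDGE_BASE = {
    "session": "essential",
    "cookie_consent": "essential",
    "stats_id": "analytics",
    "adtrack_uid": "advertising",
}

# Constructed Set-Cookie headers, one list per consent scenario.
CAPTURES = {
    "accept_all": [
        "session=abc123; Path=/; Secure; HttpOnly",
        "cookie_consent=all; Path=/; Secure",
        "stats_id=s001; Domain=.website.com; Path=/",
        "adtrack_uid=u42; Domain=ads.example.net; Path=/; Secure",
    ],
    "reject_all": [
        "session=abc123; Path=/; Secure; HttpOnly",
        "cookie_consent=none; Path=/; Secure",
        "adtrack_uid=u42; Domain=ads.example.net; Path=/; Secure",
    ],
    "no_consent": [
        "session=abc123; Path=/; Secure; HttpOnly",
        "mystery_pref=1; Path=/",
    ],
}


def parse_set_cookie(header):
    """Return (name, domain) pairs; a cookie without Domain is host-only."""
    jar = SimpleCookie()
    jar.load(header)
    return [
        (name, morsel["domain"].lstrip(".").lower() or SITE_DOMAIN)
        for name, morsel in jar.items()
    ]


def is_third_party(domain, site=SITE_DOMAIN):
    """A cookie is first-party if its domain is the site or a subdomain."""
    return not (domain == site or domain.endswith("." + site))


def label_cookie(name, consent_given):
    """Label one cookie: compliant, not compliant, or indeterminate."""
    category = KNOWLEDGE_BASE.get(name)
    if category is None:
        return "indeterminate"  # not in the knowledge base yet
    if category == "essential" or consent_given:
        return "compliant"
    return "not compliant"  # non-essential cookie set without consent


def assess_scenario(scenario, headers):
    """Label every cookie in a scenario and derive the scenario's label."""
    consent_given = scenario == "accept_all"
    findings = []
    for header in headers:
        for name, domain in parse_set_cookie(header):
            findings.append({
                "cookie": name,
                "domain": domain,
                "third_party": is_third_party(domain),
                "category": KNOWLEDGE_BASE.get(name, "unknown"),
                "label": label_cookie(name, consent_given),
            })
    labels = {f["label"] for f in findings}
    if "not compliant" in labels:
        overall = "not compliant"
    elif "indeterminate" in labels:
        overall = "indeterminate"
    else:
        overall = "compliant"
    return overall, findings


def assess_all(captures=CAPTURES):
    return {s: assess_scenario(s, h) for s, h in captures.items()}


if __name__ == "__main__":
    for scenario, (overall, findings) in assess_all().items():
        print(f"{scenario}: {overall}")
        for f in findings:
            print(f"  {f['cookie']:<15} {f['domain']:<16} {f['label']}")
```

An unknown cookie makes a scenario indeterminate rather than compliant, which is the prompt to research it and add it to the knowledge base before the next run.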

Regular use of this tool on one’s own website and other websites allows for an understanding of which technologies are used by competitors, and can potentially grant the upper hand in contract negotiations by proving a higher level of compliance with EU regulations. The WAT also allows for the manual creation of a knowledge base for cookies, which can be built up over time through the assessment of various websites.

[Screenshot of the EDPB Website Auditing Tool]

How is the EDPB Website Auditing Tool helpful for businesses?

It is important to be aware of all of the resources used by a website in order to ensure compliance with the GDPR. This tool allows for a quick overview of what resources are called, and how these are placed or utilized by a website. In order to maintain compliance with the GDPR, it is important to understand how a website might impact a visitor, potentially through the setting of cookies, usage of local storage or calls to external resources.

The performance of regular website audits by a business can help to ensure: 

  • compliance with legal requirements such as the GDPR and the ePrivacy Directive; 
  • a way of addressing potential unknown risks on a website such as unintentionally set cookies; 
  • trust and transparency with website visitors; and 
  • improved website performance. 

The EDPB WAT can be helpful to determine the current level of compliance for a website or an organization. It is important to remain cognizant of how a website changes over time. Through using this tool, a website owner can assess how the various technologies that make up the website impact the user. WordPress, for example, is the largest website content management system, powering over 40% of websites on the Internet, and website developers might unknowingly add plugins to their website that set cookies.

Through a quick scan using the EDPB WAT one is then able to easily find out about the oversight and fix the issue before it becomes a citable instance of noncompliance under the GDPR and/or ePrivacy Directive. 

How we use the EDPB Website Auditing Tool

TechGDPR performs website audits on behalf of organizations to analyze the current state of compliance for a website. With the release of this new tool by the EDPB, we will integrate the use of the EDPB WAT into the technical assessment methodology. By leveraging this tool, we at TechGDPR aim to enhance the effectiveness and efficiency of the website audit performed on behalf of our clients. When appointed as an organization’s DPO, TechGDPR performs annual website audits to work towards GDPR and/or ePrivacy compliance. Feel free to reach out to TechGDPR if you are interested in having an in-depth, independent audit carried out beyond the capabilities of the EDPB WAT tool. 

Why should software developers care about GDPR compliance? https://techgdpr.com/blog/software-developers-and-gdpr-compliance/ Wed, 14 Feb 2024 14:27:29 +0000

The post Why should software developers care about GDPR compliance? appeared first on TechGDPR.
Software developers often view ensuring GDPR compliance as a blocker, as they are left trying to figure out what personal data is and how to maintain compliance. In a recent study by Alhazmi and Arachchilage, software developers cite multiple reasons that make approaching GDPR compliance tricky. Some reasons listed include a lack of clear best implementation practices, a lack of familiarity with the legislation and a lack of guidance. Understanding what to look for and what to prioritize likely constitutes the first hurdle. There are many reasons why software developers should acknowledge privacy and ensure regulatory compliance such as GDPR compliance. Software developers play a key role in ensuring GDPR compliance.

GDPR compliance as a market differentiator 

Companies serious about GDPR compliance understand its role in maintaining their market position. Those who are proactive are quicker at placing themselves on a purchaser’s list of adequate suppliers. When processing data from people in Europe, the GDPR applies. It forces an organization to implement measures and maintain records of compliance. Even if an organization is not currently processing that data, building in regulatory compliance early supports future collaborations and partnerships with larger organizations and ensures the trust of product users.

Whether a software developer operates in a B2C, B2B or B2B2C context is irrelevant. The processing of personal data anywhere on that chain of services needs to comply with GDPR requirements. Thus achieving and maintaining compliance allows an organisation to be a supplier that implementing clients consider. For instance, a software developer for a small start-up is able to integrate fundamental privacy by design and default principles in their design. This includes practices such as implementing end-to-end security, hashing, and other cryptographic measures.

Transparency makes the product more competitive if it is to be implemented through partnerships or sold as a SaaS. Procurement negotiations might still bring up specific questions and feature requests to be added to the agreements your organization signs as a vendor. By prioritizing compliance, any solution developed is more likely to remain on the list of suppliers worth considering especially if the negotiation deals with business in the EU. Implementing privacy preserving design features allows an organization the competitive edge of transparency.

Major fines

Tech giants Facebook, Google and Amazon regularly face severe fines for non-compliance. These fines are essentially caused by deliberate ambiguity in their data processing and the fulfillment of their transparency requirements. Worse, they disregard their data controller obligations and get fined for a combination of hidden processing practices and implemented dark patterns. In May 2023, Meta was hit with a 1.3 billion euro fine for lack of GDPR compliance. This is the largest fine to date. Amazon was fined 746 million in 2021 for failing to collect user consent when advertising. When companies get fined, several factors come into play. These could potentially include their willingness to cooperate and implement corrective actions. However, the constant factors include lack of transparency, misleading patterns and a lack of legitimization of processing.

However, most businesses are small-to-medium-sized enterprises (SMEs). This term is technically defined by the European Commission as a company with fewer than 250 employees. For an SME, GDPR compliance is harder to achieve due to proportionally reduced resources or access to expertise. Therefore, if an SME is able to achieve compliance, it recovers the competitive advantage over larger players lost on operational costs. Tech giants are consistently pressured to maintain compliance due to their increased visibility. Therefore, compliance, when managed efficiently, is a defining competitive advantage for smaller companies.

GDPR compliance as a political or social issue 

When tech-savvy individuals go online, they tend to protect their own privacy by using strong passwords. Other examples of this include increasingly using MFA where available, or using pseudonyms and single-use email addresses where possible. With the help of a few high profile breaches and updates to app marketplace practices and communication strategies, the average user has become more aware of online privacy risks. Software developers tend to implement best security practices in their own use of software and apps. As a result, they are particularly well suited to understand the need for security. They are also specifically instructed to implement strong security practices and privacy design patterns such as content security policies for websites. As creators of technology, software developers have an ethical responsibility to protect the privacy of individuals and empower them to use their software or services more privately.

Through implementing best design practices such as the minimization of cookies, the forced use of MFA, the encryption of user data, and a privacy by default approach to design, designers create privacy-preserving environments. While the expectation might be that less tech-savvy individuals are likely to show relative indifference about their own privacy, one study, entitled Caring is not enough: the importance of Internet skills for online privacy protection, argues that even if people do care, they also need to be educated on how to protect their own privacy. It is not uncommon to feel helpless protecting one’s own data or safely using the internet. Typically, a lot of the burden for security falls, wrongfully, on the individual.

Should the average user be expected to know how to make use of encryption to feel safe online? 

For many, cookie banners are annoying interfaces, easily brushed away by clicking the “Accept all” button. Configuring a cookie banner to not set non-essential cookies by default makes the organization compliant on that requirement. It also provides users with a choice. Amongst other principles, privacy by default also requires the developer to ensure the most private settings are set by default. Software designers familiar with ePrivacy requirements are able to notify the marketing team that silent opt-ins are illegal in the EU. This allows the organization to engage in discussions as to whether to design for compliance or to accept the risk. In accepting the risk, an organisation increases user distrust for the benefit of tracking, profiling and advertising KPIs.

As digitization continues, the selling of user data and the mishandling of personal information have become pervasive in the tech field. This trend occurs without much regard to the significance of these actions. It has become regretfully normalized even though it is against the GDPR. This is likely due partially to many companies solely operating within the US. At the moment, the US does not have a federal governing law similar to the GDPR. Regardless, this precedent is pervasive.

People should have the right to use and access the internet and software related tools/services without being seen as a commodity. Through the use of tracking elements and abuse of consumer metrics, individuals are becoming commodified and sold as such. Individuals should not be so easily manipulated and tracked through their actions online. When software developers prioritize GDPR compliance, they are able to help prevent the commodification of individuals by their company.

GDPR compliance in software development as an intellectual challenge

It is easy to do things in a non-secure manner. It would be easier to access one’s phone to text people if one didn’t have a password, but most individuals likely have a password on their phone to prevent strangers from accessing the content on their device. Therefore, the easiest solution is not always the best solution. This stems from the common dilemma of convenience versus privacy that one is confronted with daily. Instead of seeing this as an issue, one should frame it as a challenge. If one views compliance as an intellectual challenge of how to protect others, the issue becomes more intriguing and fun to solve. An issue bears the connotation of an obligation or nuisance.

Individuals are motivated to do things either intrinsically or extrinsically. When a supervisor informs a developer that they must make the system compliant with the GDPR, that would be the definition of an extrinsic motivator as it is external; however, intrinsic motivation is a powerful and compelling motivator. Intrinsic motivation is part of the reason why computer games are fun to learn.

An intellectual challenge has a better and more enthralling connotation. This idea has been theorized since the 1950s, and academics have postulated through research that intrinsic motivation is correlated with how challenging the activity is. Since those who have a background in computer science are confronted with technical issues and problems to solve all the time, compliance is best viewed as an intellectual challenge: to avoid the easiest solution and create the most secure one.

Concluding thoughts 

Compliance is the law. As a software developer, one will likely need to work to implement or maintain compliance with the GDPR. It is easy to see it as a tedious endeavor handed down by a higher-up, who might not necessarily understand the ramifications of the technical assignment they are bestowing. Instead, one should view the GDPR through an intrinsically motivated lens as an intellectual challenge to protect the rights of individuals. There are other reasons why a software developer should care about the GDPR. These include, but are not limited to, securing contracts and helping others with less knowledge of proper internet privacy practices.

The joy of the internet and technology should benefit and be enjoyed by all individuals, regardless of their technical background and without the fear of loss of rights. The question should not be: “does one engage with technology and in doing so give up their right to privacy?” Rather, the burden should fall less on the technically ignorant users and be built into technology inherently.

If you are interested in taking your GDPR knowledge to the next level, dive into TechGDPR’s specialized training for developers. This course is designed to equip you with the skills and understanding needed to navigate GDPR compliance within your projects. It will help you ensure your software is up to standard and gain a competitive edge. Discover more and enroll today at GDPR for Developers – Online Course.
