Playing it safe with GDPR

personal data transfer and sharing

The General Data Protection Regulation (GDPR) is meant to secure personal data. For large organizations, meeting GDPR requirements is not an easy task, even when the scope is limited to giving clients access to their data and letting them change it.

In this project, we encountered two challenges. First, GDPR was the subject of emerging country-level legislation and legal interpretations. No approved code of conduct had been established, which made it unclear how to apply GDPR and secure the company. Second, the system is a public entry point to all kinds of personal data that flows through a large-scale organization. We had to implement the platform under rapidly changing conditions and strict requirements.

We provided a custom solution which integrates with many different data sources and services. The implementation was based on a modern JVM stack with Kotlin, Spring and Hibernate. After just three months, the core system was up and running and the clients were able to receive their personal data via email or migrate it.

Application security was achieved through several measures: encryption, a limited set of library dependencies, heavy sandboxing, deployed Java security, network zones with limited connection-initiation permissions, and proxy servers.