The EU General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. This regulation package for the European Union affects not just companies based in Europe but any company that does business in Europe. As such, many Backtrace customers are thinking through data collection and destruction policies.
A common path many Backtrace customers follow to adhere to GDPR when their users or players are in the EU is to include a click-through approval (consent) for capturing diagnostic data for the purpose of fixing bugs and crashes when they start using the app or game and as a configuration option.
Our customers consider the data they collect with Backtrace as necessary for the purposes of debugging.
This article assumes the reader is familiar with GDPR and already understands how it affects them.
Backtrace's Role
In the terms being used in the GDPR, Backtrace is a processor. That is, a third party company receiving data from what GDPR calls controllers of data, which are on the front lines collecting, managing and housing data.
As a processor, Backtrace ensures end user data collected during the crash reporting process is protected, managed properly and destroyed appropriately throughout the chain of development. Backtrace customers have a host of controls to help ensure compliance with GDPR and corporate data protection policies.
Backtrace has provided a Data Processing Addendum (DPA) as part of an update to it's Privacy Policy and as an amendment of it's Terms of Service. The DPA defines the agreement between Backtrace as the data processor and our customer as the Data Controller with regard to the processing of personal data.
Control
Before any information is collected from your users, you may want to ensure they have opted in to provide crash reports, which may contain some personal identifiable information. Developers control when to send data to Backtrace in their applications, so they are in a good position to ensure proper approvals are in place.
Scrub
With crash dump files, systems sometimes send sensitive PII that reside in the target's application memory. Backtrace provides a data scrubbing tool that will scrub submitted dump files, including execution path, memory regions, environment variables, register values and user-defined attributes. After scrubbing, PII data will be replaced with alternate characters before being stored on disk.
Backtrace provides built-in scrubbers for credit cards, social security numbers, encryption key or environment variables. New scrubbers can be created using regular expressions to identify patterns of text to remove (i.e. IP Address can be scrubbed with regexp='[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+’)
Read the documentation about Backtrace Data scrubbers for minidump to learn more.
Discover and Export
Some of the GDPR requirements require you to discover and export any personal information on-demand. Backtrace comes with a suite of tools to query for and retrieve data using regular expressions and other powerful operators. See our morgue list command for more information, and feel free to reach out to us if you need any help.
Retention Policies
A cornerstone of GDPR is that PII is not to be kept any longer than is necessary for the purposes it was collected. With Backtrace, developers can implement policies the company requires, such as destroying certain data on a monthly basis. Backtrace provides flexibility to be able to retain normal metadata while removing dump files that may contain PII data. Read the documentation about configuring retention policies to learn more.
Questions?
Feel free to reach out to us if you have additional questions.