So, you’re a Developer and wondering what all this banging on about GDPR is? Don’t worry… you’re not alone. Unless you’re in one of the few companies that have been preparing for the General Data Protection Regulation (GDPR) for a while now, and you’ve had support from Director-level on down in planning for it, it’s likely coming on your radar through the increasing media and tech community coverage. From what you’ve heard of it you’re pretty sure that at some point (likely the Friday evening before it comes into force) your boss is going to saunter over to you holding a one-page spec with the lofty goal of making the company GDPR compliant … by Monday morning.
It’s a scene that to one extreme or another will play out in offices across Europe and beyond. Especially among small to medium businesses as they realise that much of what applies to big-enterprise with GDPR will apply to them as well.
With Data Protection Authorities across the EU ramping up their staffing and resources to start enforcing GDPR after 25th May 2018, you can be sure that it will not be business as usual for anyone, large or small, who handles personally identifiable information.
Research shows that less than half of companies as of mid-2017 had a plan to prepare for GDPR, while IT professionals in Europe who are informed about GDPR register their overwhelming support of it. And why wouldn’t they? We are professionals after all. We want to do what’s right for data and the people that own that data. It’s good for them and it’s good for business. A business that properly manages its data also minimises its risk.
What is GDPR and why should I care as a Developer?
The GDPR is the successor to the 1995 Data Protection Directive. The keyword here is that it’s a Regulation and not a Directive, which means that it applies directly in every Member State without needing to be transposed into national law, as a Directive would. It takes a risk-based approach to protecting personal information, and the measures you take to reduce that risk will improve your overall business security as well.
The GDPR creates a unified approach towards Data Protection across the European Union and affects any business that processes the personal data of individuals within the Union, whether that business is established in the EU or is offering goods or services to people in the EU from outside it.
The goal for businesses will be to become accountable under GDPR. A commercial incentive for this is that if a business is found to be in breach of the regulation it can face fines of up to 4% of global annual turnover or €20M, whichever is higher. Have the smelling salts at the ready for your boss in case that day ever comes.
But how does this far-reaching regulation filter down to the troops in the trenches? How does it affect the lines of code that devs churn out working toward their next deliverable, whether that’s a new feature under development or a product launch rolling out?
Developers, when they hear the words “Data Protection”, are likely to think security, storage, and access restrictions. While that does form a part of what GDPR is aiming to achieve, it’s not the whole picture. Data Protection under GDPR encompasses both protecting the Data Subject’s (i.e. your customers’) personal information and enabling the rights conferred on them under GDPR.
It has implications from dev desks all the way up to the top levels of an organisation, from technical operations to business process. In this series of posts, I’m going to focus on how GDPR will filter down into a developer’s day-to-day work, and how the processes that need to be in place to be accountable under GDPR can translate into practical implementations.
Let’s start by looking at the rights of what the regulation calls the Data Subject, who for most businesses is your customer or prospective customer. They are conferred several rights under GDPR, and how these rights manifest themselves in your application and beyond will be threefold:
- Informational – You will need to be far more transparent with your customers than has been required in the past regarding how you collect and process their data and how they can exercise their rights under GDPR with your business.
- Technical – You will need to enable these rights via application features if responding to them is to be efficient; system processes, security and infrastructure will also need to take account of the business’s obligations under the regulation.
- Business Process – There will need to be business processes and people in place to respond to rights being exercised, or to events occurring (a data breach, for example), that require a business response to meet obligations under GDPR.
Both the Informational and Technical aspects will require dev team planning and implementation to achieve. There will likely be UX challenges, new feature development, security and infrastructure enhancements required. Teams will need to have a new appreciation for the data that they collect and how it flows through the company’s systems.
I hope this has been a useful introduction to GDPR from a developer’s perspective. It’s a big subject and I don’t want to get too bogged down in the details in one post. In my next post I’ll get into the meat of Data Subject rights and explore how developers can start thinking about translating them into implementations.
The legal bit: I am not a solicitor and as such, what I say in this post should not be taken as legal advice.