I’ve been a developer for nearly 20 years. Over that time, I have weathered my share of regulations and standards. I’ve seen PCI and HIPAA rush in like a gang of silverback gorillas and upheave a development team in a single blow. Y2K? Forget about it! I sat and prayed that planes didn’t fall out of the sky while updating SQL 6.5 databases to four-digit years. When I first learned of GDPR, naturally I wasn’t quivering in my boots too much. Maybe I should have been. And maybe you should, too.
General Data Protection Regulation (GDPR for the cool kids in the know). Not a very exciting sounding name, is it? If it was really serious, it would be something like “Tactical Obliteration of Information Initiative“(TOII — trademark pending), right? Style points aside, this little acronym is causing quite a stir in organizations around the world. From banking to education, companies are beginning to place their bets on just how much of an impact Europe’s new regulations are going to have on consumers, businesses, and what is surely to be some record-setting legal fees.
And if you thought it didn’t apply to your non-EU site, guess again! GDPR has a global reach, thanks to the whole “everything-connected-via-the-Internet” thing. If you store any information about European users, GDPR will apply to you. Data requests will need to be fulfilled in 30 days. And data breaches? Oh, man! You will have 3 days to get those reported. With 20M Euro fees on the line, everyone should be preparing themselves for the fun.
So, what is GDPR exactly?
If you haven’t had the joy of sitting through a presentation on the legal impact and ramifications of GDPR, then good for you! For those of you that have, bear with me as I summarize the new regulations for the other readers.
GDPR is all about protecting people’s information in the digital space. As our lives have become more influenced by the information someone has about us, the need for stricter control and oversight is key. With the right information, you can take over a person’s complete identity and wreak havoc on their career, relationships, and their eBay Seller profile.
Most of the laws currently in place for online data were drafted back in the mid-1990s. Sure, we had Windows 95, America Online (AOL), and some rocking 56K modem speeds! What we didn’t have is a clue about what the next 20 years would bring when it came to what (and how much) information people would be sharing. Over the past two decades, people have chronicled their entire lives on social media and other sites, setting the stage for some serious vulnerabilities.
GDPR is all about trying to control that data and making sure people know exactly how much information a site is storing about them. It’s about giving them control over their details and ensuring companies comply with “Right to be Forgotten ”, “Underage Consents”, and “Data Portability” requests. It’s about vulnerability for site owners, and regulating how they handle their users’ information.
Uhm, so that sounds like a big deal.
OK, maybe you’re like me and have started to sway from your throw-caution-to-the-wind and cook-bacon-without-a-shirt remarks. GDPR is no small thing and comes with a lot of implications for anyone in any industry (yes, especially developers!). The effects run very deep and will certainly not be contained only to EU audiences. Developers need to start educating themselves now to be prepared.
So, what do you need to know about? Of course, there are the basic of the new regulations that every developer should get familiar with. You should fully understand what data GDPR applies to, and what new functionality you need to provide consumers.
When it comes to the technical aspects, there are a few keys areas you will want to know.
Data flow
GDPR is all about data. This means understanding and reporting what data is being collected, where it’s being collected, what happens to the data, and who has access. How people’s personal info travels through your organization, is call data flow. With the regulations, companies will be required to provide a detailed history of every step a piece of information makes within the organization. This means developers will need to track their client’s data, who has access to it, and how the data is used to meet the new standards.
Explicit Consent
For far too long, companies have been able to analyze and leverage people’s information for targeted marketing communication, user profiling, or even nefarious reasons, with little to no oversight. GDPR changes all that with requiring companies to get Explicit Consent for their users when collecting and using their data. Business will have to present a clear definition of how much of a user’s information will be collected, and how it will be used. This regulation is aimed at stopping people’s data being used without their knowledge or consent. Developers will need to understand how data is being collected and how it will be used. This means developing a mechanism for obtaining that consent for any user of an application.
Right to Access
People are often willing to give their information to a trusted source. If the organization is reputable, and their intentions are true, most companies won’t have a problem with getting consent for data collection. But what happens when a third party of an unknown source gets access to that data? People lose their minds! GDPR is about giving that power back to the consumer and making sure they know every individual that can access their information, and why. This means developers need to start thinking of how to limit access to user’s information, unless there are essential to the business.
Another big part of the GDPR regulations is the requirement to provide individuals with information when requested. Under the new laws, companies will be required to provide a detailed list of all information they have collected and/or storing about a person. And I mean EVERYTHING! Developers should plan now for how they are going to report this information, as the laws require you to provide it within 30 days of the request!
Right to be forgotten
Oh, boy, this is a big one! Identifying and reporting on all the data you have about a person is one thing, but giving the user the ability to remove that data is a big deal. One of the most important pieces of GDPR is providing the people with the option to remove all the information a company is storing about them. This means deleting personal information, as well as other identifiable data, all within the required 30-day window once a request is made. For developers, this means you will need to handle this data removal within your application, supplementing dummy data where needed. This can be a big deal, especially if much of your application’s functionality is built around personalized, custom information for each user. Just think of a social media site with no personal details about someone!
One thing to note about this data removal is it’s not EVERYTHING. For some sites, like e-commerce applications, retaining personal data may be required for reporting and auditing. This means that some sites may need to scrub their data when a user makes a request, however, critical information may be retained to comply with financial regulations and laws. This is where understanding the GDPR laws becomes especially important! Developers need to know when it’s appropriate to remove data from their systems, and when it will be required to retain them. That means lots of fun talks with lawyers to hash out each bit of data in your sites!
What do you need to do?
OK, at this point you may be looking up “How to be a potato farmer” or other career changes. Don’t worry, it’s not that bad! You should have a solid idea of how GDPR will impact your applications. You should also know where in your application to update code and add new features. With that information, you can start to take action.
Develop a plan
You know what needs to happen. Now you need to make it happen! You should start by mapping out all the data you found in the discovery phase and break it into logical sections. Understand what areas of the application need to change to accommodate the modifications and start dividing them among your team. You need to recognize resources you may be lacking and work to secure those long before you start your changes. Defining a complete and thorough implementation plan not only looks great on a Kanban board, it also helps you stay on track and understand how long each piece will take.
Remove anything you don’t have to keep
You can save yourself a lot of future headache if you can reduce the amount of data you’re dealing with. Maybe during your research, you found out that your marketing team is storing complete family trees for every user of the site. If this data isn’t essential, get rid of it! Review every bit of information you’re storing, and see what you can live without. The less sensitive data about your users, the smoother sailing over to GDPRland you’ll have.
Limit access, if you can
GDPR has a lot of rules around the data, however, a big part is how that data is stored, backed up, and accessed. Part of your plan should include a long, hard look as to who within your organization has access to the information. You should conduct interviews with personnel, dust off your Disaster Recovery (DR) checklists, and start to limit access to the data where you can. If you find someone that isn’t essential, remove them from the list! You’ll thank yourself later when it comes to reporting information if you ever get audited.
Get ready to answer a lot of questions
Speaking of reporting information, new regulations are pointless if no one is enforcing them. Because of the impact GDPR is going to have around the globe, there will surely be an audit in your future at some point. Don’t sweat it! You should be well prepared to answer any questions you get, and have detailed logs and exciting reports to serve up to your legal team. The more you know about your system and the data, the easier this process will be, so start planning for it now.
Conclusion
As a developer, it’s great to be confident. Grit and determination allow you to overcome obstacles and challenges, refusing to admit defeat. When it comes to GDPR, your mettle may be tested. Have no fear, my friend. GDPR is the next evolution in a long line of standards that affect our development life. With proper education and preparation, any developer can handle GDPR with ease. Make sure you are storing data properly and always coding to standards, and you’ll be back to coding Easter Eggs in no time!
Still looking for more information? Check out our collection of GDPR articles to get answers!