General Data Protection Regulation [GDPR] is the largest shake-up in consumer data protection law in recent history. If you’re a developer, web admin, business owner, or user who operates/resides in the EU, GDPR will affect your digital life in one way or another. Even if you’re based in the U.S. or elsewhere, you’ll feel its shock waves in the news cycles in the coming months.
If you’re EU-based, you might have already seen the new Terms and Conditions from Facebook, Instagram, and other large corporations that handle your data. It’s a sign that they’re scrambling to adapt to the new regulations too. If you haven’t already looked into GDPR’s provisions, or have buried your head in the sand, now’s the time to get to know your responsibilities and rights as we come closer to the big switch on May 25.
What is GDPR?
GDPR is a piece of EU regulation to protect and empower individuals concerning the data that third parties hold about them. It’s a comprehensive refresh and re-hardening of Data Protection laws in the EU.
Every single business, from a large corporation to an indie app developer, that is based in the EU or handles personal information of EU residents must conform to the regulation—or face the [very harsh] consequences.
Power to the people
The regulation enshrines your right to control how your data is used as a consumer. There are eight explicit rights provisioned in GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
You can read more at the UK ICO’s website as they have a pretty good summary of each right.
This is an unprecedented win for EU residents who will have a safety net against their data being used beyond what they deem appropriate. That’s great for the millions of end-users, but if you’re an app or web developer, or run any type of business that operates in the EU, you could be in a world of hurt. Not least because the risk of noncompliance is massive.
Procedures, policies, and paranoia for developers
If you run a business, from tech support to indie developer, you probably have what GDPR classifies as “personal information:”
If you hold a name, identification number, location data, or online identifier (including IP addresses) that may link to the “physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,” then you’re in scope for GDPR. (Confusing wording, I know; that’s why “GDPR specialists” are in vogue.)
The good thing is, if you’re now panicking about GDPR, there are loads of resources on getting yourself compliant. The overall idea is to be paranoid. Imagine an auditor comes knocking and demands to see the technical controls, documented policies, and procedures that prove you’re handling personal information correctly. I’m not going to write a comprehensive guide because I’m by no means an expert—there’s plenty of that elsewhere. But here are a few pointers to get you thinking in the right direction:
- List what types of personal data you hold and the reason you have that information. If you don’t have a good reason, should you keep that data?
- Do you ask for explicit consent to use data in the ways you do? Do your customers/users know that their data is being used or held by your company?
- Do you have to link personal data explicitly to unique identifiers, or can it be pseudonymised/anonymised?
- Map the flow of personal data through your systems so you understand what’s being held where.
- Have a repository of your operational procedures involving data. If you run a repair shop it might be helpful to have documentation on how you wipe a phone or laptop. If you have an app, you might have to show the auditor how long that data is retained and for what purpose.
- Think about how data at rest and in transit is encrypted (If it isn’t, shame on you!).
- Think about your old archived data too. Modern applications are designed to store logs and little footprints. Delete any personally identifiable information that you don’t need for your business from your databases and servers and—potentially the biggest culprit—email archives.
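As an added example that is not part of the original post, here is one way to act on the pseudonymisation and log-cleanup points above: a keyed HMAC replaces IP addresses and e-mail addresses in web-server log lines with stable pseudonyms, so traffic can still be correlated while the key, not the log archive, becomes the thing you protect and eventually destroy. The log lines and the key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample log lines: the kind of "little footprints" a web app leaves
# behind, carrying two kinds of personal data named in the post (IPs and e-mails).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/May/2018:13:55:36 +0000] "POST /login" 200 user=alice@example.com',
    '203.0.113.42 - - [10/May/2018:13:56:01 +0000] "GET /account" 200 user=alice@example.com',
    '198.51.100.7 - - [10/May/2018:14:02:10 +0000] "POST /signup" 201 user=bob@example.org',
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonymise(value: str, key: bytes, prefix: str) -> str:
    """Replace an identifier with a keyed HMAC tag.

    The same input always yields the same tag, so one visitor's requests still
    line up across records; without the key the tag cannot be reversed, and
    destroying the key unlinks every pseudonym in the archive at once."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{prefix}:{tag}"


def scrub_line(line: str, key: bytes) -> str:
    # E-mails first: their pseudonyms are hex, so the IP pass cannot re-match them.
    line = EMAIL_RE.sub(lambda m: pseudonymise(m.group(0), key, "email"), line)
    line = IP_RE.sub(lambda m: pseudonymise(m.group(0), key, "ip"), line)
    return line


def scrub_log(lines, key: bytes):
    return [scrub_line(line, key) for line in lines]


def contains_pii(line: str) -> bool:
    """Cheap check to run over an archive before it is kept: any raw IP or e-mail left?"""
    return bool(IP_RE.search(line) or EMAIL_RE.search(line))


if __name__ == "__main__":
    # Hypothetical key; in practice it lives in a secrets store, never beside the logs.
    key = b"hypothetical-pseudonymisation-key"
    for out in scrub_log(SAMPLE_LOG, key):
        print(out)
```

Anything you still need for operations (rate limiting, abuse investigation) can be keyed on the pseudonyms; anything that needs the real identity now requires access to the key, which is a much smaller thing to audit.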
All of this might sound like a lot of work, and that’s because it is. GDPR is a much-needed wake-up call to every developer out there that runaway data collection is no longer an acceptable risk. Even existing practices like cookie consents might not be enough for GDPR compliance.
At the end of the day, it’s better to get your ducks in a row now than get pummelled by the sanction-hammer later.