Why Programmers Need to Know About General Data Protection Regulation (GDPR)
GDPR, or the General Data Protection Regulation, is a fairly new, European data protection regulation that applies not only to European citizens, but also just about every programmer and technology consumer in general.
While the regulation might stem from Europe, its effects will be felt globally as many companies have customers from the EU and, as such, have to be mindful of their data.
These regulations, which are concerned with consumer rights when it comes to data, are especially important if you’re a larger organization that collects data or personal details about your customers and audience. According to Gartner, over 50 percent of companies affected by the GDPR still won’t be in full compliance by the end of 2018.
For those prepared, there’s already a process in place for remaining compliant and loyal to the regulation. So long as you have customers in Europe, it doesn’t matter where your business is located—the law applies to you.
This is perhaps even more relevant today because of the entire scenario Facebook is experiencing regarding Cambridge Analytica.
Conversations about data transparency, security, and proper handling are all incredibly necessary in the wake of Facebook’s discretions—not that they haven’t always been a concern. People care about the way their data is collected and used, and will have a problem if things are under the table.
A lot of the talk surrounding data regulation and privacy has been centered on enterprise, organizations, and data-centric teams—and for a good reason.
What we haven’t seen, and need to see more of, are discussions addressing programmers, developers, and designers. Because even though you may not think so, anyone working with data is seemingly affected by regulations, especially GDPR.
What Is GDPR?
In layman’s terms, GDPR is a regulation that offers protection to all European citizens by maintaining their right to privacy and security when it comes to personal data. The law not only outlines user rights, which must be afforded under its protection, but also ways in which organizations, teams, developers, and data administrators can go about compliance.
Many of the key components of GDPR touch upon the rights of European citizens and their data privacy and security. Developers and programmers have to be mindful about implementing the correct features the regulation calls for while also avoiding putting their company at risk by leaving out a required feature.
These are the rights afforded by GDPR to European citizens that developers should be most concerned with:
- Restriction of Processing: Certain points of data may be kept by companies or organizations; however, users have the right to “restrict” processing, which means their data cannot be used or leveraged further without the user’s explicit consent.
- Erasure: All users must have the option to be forgotten or deleted from the system.
Data Portability: All collected data and information must be portable so users can export contents and view or read it in a proper format.
- Rectification: The option or ability to fix personal data that is inaccurate or incomplete.
- Staying Informed: Every user has the right to be informed about data collection and use, including information outside of standard terms and conditions.
- Access: Any data collected, processed, or stored should be visible to the relevant user at all times.
Of course, developers should also be concerned with the concept of data minimization as set forth in the GDPR. This means that no group, team, or organization should collect more data than necessary for the task at hand.
Integrity, privacy, and confidentiality are also important and factor into overall security for the system and any stored or processed data. You must ensure that data cannot be viewed by unauthorized parties, and that policies prevent inappropriate modification.
This will affect your work, tasks, and opportunities—particularly in regard to the features and functionality you deliver for projects.
What Features Does the GDPR Affect?
To comply with many of the rights listed above, you’ll need to ensure you have various features and functionality integrated with systems and platforms you develop. These new features are in addition to basic risk assessment and management protocols that GDPR states must be followed.
For example, you need a “forget me” or “cache delete” method that takes a user’s ID or account and deletes any and all personal information associated with it when a user wants to delete said information.
Some data models make this deletion more difficult, especially when dealing with integration or performance tests:in these scenarios, data is collected without much oversight and with few intentions.
Here are some features and how to include them in your systems and platforms:
Notify Third-Party Data Services for Erasure
If and when data is shared with another party or service, you must also reach out to notify said contact that the data has been deleted at the consumer’s request and must be cleaned. This includes platforms such as Hubspot, Salesforce, Twitter, Facebook, and anything with an API for data collection.
What You Can Do: Notify the third-party API about the deletion of the personal data. If the third party had public profile pages that have information that is crawled by Google, you’ll want to ensure that information is not appearing in search results.
You must include a feature that allows your users to download or export all data associated with their account and activity. More importantly, the exported dump or content is not strictly defined in regard to format, but you want to deliver something that users can actually make use of or read. JSON, XML, CSV, and XLS files are great for this, depending on the data content.
What You Can Do: Include a button—“export data”—that when clicked allows the user to receive all of the data that you currently hold about them. Since data export can take some time, it might be best to have your “export data” feature trigger a background process that can notify a user through email when their data is ready to be reviewed.
Create Editable Content and Personalization
Many data sources or collection methods tend to be inaccurate, which means they gather information about users and audiences that don’t quite match up. This puts the onus on you as a developer to create a system that allows them to edit or personalize content. They must fix data or observations made about them and their habits. It is a major form of rectification and protection afforded under GDPR.
What You Can Do: Allow users to edit any “users” fields via the user interface (UI).
This feature is an absolute must for any system that collates, aggregates, or processes data. You must allow users to “accept terms and conditions” or consent to data collection. Furthermore, you must also have users’ consent to process and leverage the data collected. Otherwise, you’ll need an additional request option. In some cases, you may have to re-request consent if terms are not clear, or if you change the systems or ways in which data is collected and used.
What You Can Do: Checkboxes are your friend. Keep them separated by each processing activity during the user’s registration process and make sure they are not preselected. If consent is deemed unclear, you will have to create a functionality that will mass email users, letting them know they must update their profile with the correct consent.
This is similar to the export feature, except it primarily deals with the view-ability of data being extracted from users. They have a right to access the personal database being built for them, and a right to see everything you have. This includes implementing a system that can filter and return the necessary information.
What You Can Do: Allow users to check for stored data by entering their email address or contact information.
Enforce Age Verification
Similar to the process for displaying mature content, you must implement an age check or verification process. This ensures that the user is of proper age to give consent for data use, and if they are not, you can interact with a guardian or parent on their behalf. Yes, there are instances where children and people may cheat, but as long as you have this feature and process in place, you’ve met the regulation requirements.
What You Can Do: Kids have a way of getting around age requirements online but you can create a flow into your system where a child has to give the email of a parent who can then confirm, making sure that you’re acting according to the regulation.
Educate Yourself on GDPR and Data Regulation
Ultimately, if you focus on the features and rights discussed here, you should have no problem complying with the GDPR and its many regulations on European consumer data protection and privacy.
The goal of GDPR is to ensure that any users interacting with your system or software—cloud-based or otherwise—have full control over the data being collected and processed about them specifically. There is a cultural shift taking place in the way that we think about data: no longer is it just a company asset, it’s something that users have the right to keep private and protected.
So long as you afford users the necessary measures and features, you’re meeting the restrictions set forth.