Implementing GDPR in App Development: some thoughts & findings

Marc van Neerven
CTO-as-a-Service
Published Apr 6, 2018 (3 min read)

A lot has already been said about the EU General Data Protection Regulation (GDPR) that will become enforceable on May 25th of this year.

I will not rant about Facebook here, but I’m quite curious to see what ‘enforceable’ will mean in practice.

As a CTO and consultant to startups, scaleups and solution providers, I’ve been quite busy providing advice as to how to get on the safe side of things. With a regulation as complex as this (working through 261 pages of legal text is not something I enjoy very much), it’s easy to get overwhelmed.

Luckily, after doing some research, it turns out that, from the App Development perspective, many people have been putting pieces of the puzzle together.

This blog is a reflection of the discovery I have been doing over the last few months.


Basics

First of all, we need to understand what this is all about. Well, in short, it’s about you being in control. Very important, in an era where profiling and microtargeting are big money and with the Facebook/Cambridge Analytica scandal fresh in our minds.

It’s about putting the end-user back in control over his/her personal data. The EU has taken a very rigorous approach to citizen privacy. A very courageous one if you ask me.

This well-written blog explains why there is so much more to it than just the question of how to be compliant:

Companies that are courageous enough to embrace such a mindset will develop strong competitive advantages. GDPR is not a mere compliance issue. It’s a long-term strategic trend driven by consumers’ needs. Leaders don’t mitigate issues. They transform them into opportunities.

Let’s get practical

We software developers are so spoiled by sites like StackOverflow that we tend to get frustrated the moment there is no copy/paste solution ready for us to implement ;-).

However, there are sources that come close to this, such as InfoQ’s article, and TechBeacon has a practical 15-step approach that certainly helps.

Although a bit less concise, one source I can highly recommend is the guide “Software development with Data Protection by Design and by Default” by the Norwegian Data Protection Authority. A lot of thought was put into this 10-chapter guide, from conceptual principles to design, coding and testing.

Personal Data

There is general agreement that in order to implement GDPR, you first need to create a complete inventory of the personal data your Apps collect, and annotate/tag every entity. Why? Because every next step in the process of getting compliant relies on this ‘catalog’.

I’m working with Microsoft-focused tech companies. In this ecosystem, we found Azure Data Catalog to be a valuable tool for this job. This blog series has helped in setting up a glossary/taxonomy for GDPR, which we then used to add metadata to their data sources. Reporting on this metadata then gives rich insight into the relevant parts of the data.
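As an added illustration of the inventory-and-tag step (this is not code from the post, nor from Azure Data Catalog): a small Python catalog with an assumed three-term taxonomy, a gap check that flags fields nobody classified, and the reports that tell you where personal data lives and which teams an access or erasure request has to reach. Source names, owners and field names are constructed.

```python
# Added example: personal-data inventory with GDPR tags; taxonomy, source names and owners are constructed.
from collections import defaultdict
from dataclasses import dataclass, field

PERSONAL = "personal_data"
SPECIAL = "special_category"      # Art. 9 data such as health notes
NON_PERSONAL = "non_personal"
VALID_TAGS = {PERSONAL, SPECIAL, NON_PERSONAL}

@dataclass
class Field:
    name: str
    tags: set = field(default_factory=set)

@dataclass
class DataSource:
    name: str    # constructed, e.g. "crm.Customers"
    owner: str   # team accountable for the source
    fields: list

def untagged_fields(catalog):
    """Gap check: every field must carry exactly one classification tag."""
    return [(s.name, f.name) for s in catalog for f in s.fields
            if len(f.tags & VALID_TAGS) != 1]

def personal_data_report(catalog):
    """Classification -> sorted 'source.field' entries holding such data."""
    report = defaultdict(list)
    for s in catalog:
        for f in s.fields:
            for tag in f.tags & {PERSONAL, SPECIAL}:
                report[tag].append(f"{s.name}.{f.name}")
    return {tag: sorted(entries) for tag, entries in report.items()}

def sources_with_personal_data(catalog):
    """Sources (and owners) an access or erasure request has to reach."""
    return sorted({(s.name, s.owner) for s in catalog
                   for f in s.fields if f.tags & {PERSONAL, SPECIAL}})

# Constructed sample catalog; FreeText was never classified and must be flagged.
CATALOG = [
    DataSource("crm.Customers", "sales", [
        Field("CustomerId", {NON_PERSONAL}),
        Field("Email", {PERSONAL}),
        Field("DateOfBirth", {PERSONAL}),
    ]),
    DataSource("support.Tickets", "support", [
        Field("TicketId", {NON_PERSONAL}),
        Field("HealthNotes", {SPECIAL}),
        Field("FreeText"),
    ]),
]
```

The untagged-fields check is the one to wire into CI: a source with an unclassified field is exactly the gap that makes every later compliance step unreliable.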

Final thoughts

For developers, a key aspect of working under the GDPR is what we call ‘Privacy by Design’. Some argue that this should already be part of developers’ mindset. They may be right. Just consider things from your own perspective as an individual. You would probably want Apps that you work with to care about the personal data you provide…

It’s important to note that the GDPR not only affects software developers: testing, customer support, legal and marketing all need to reassess their processes, and literally everyone (especially including sales and management) needs to be aware, at a high level, of the consequences of the GDPR (and the opportunities that come along with it).


Transformational (fractional) CTO, Board Advisor, Cloud & SaaS Expert, Code Ninja, Web Standards Advocate, Social Impact Lover