The GDPR blog post

It was about 6 months that I was involved in my first GDPR meeting. Other people in our company had obviously been talking about it earlier. But this was the first one where I started to learn about it. And I learnt that it was a 4 letter acronym that I could no longer ignore.

Oh, here we go — this is going to be another ridiculous Cookie Law. We’re going to spend months making our product more annoying to use while still doing exactly the same stuff as before… SIGH. I spent a lot of that first meeting grimacing.

Since then I have had a lot more meetings. We engaged a dedicated GDPR consultant and we started examining our entire business from top to bottom.

We’ve had some pretty impressive looking project spreadsheets on the go for months. Any place where we collected or processed personally identifiable data had to be examined. Then we had to decide if changes were required.

I would be lying if I said this wasn’t a pain. We have an infinite list of things we want to build or experiment with. Doing a full review of our products and implementing all the changes that we required was not exciting or fun. It is very easy to view this process as a huge distraction from what we are really trying to do. Which is to deliver safe surgical care for everyone. In case you didn’t know.

On the other hand it also was not very hard for us. We are not a creepy company. We’ve gone out of our way to only collect information that we need to make our products work. Our business model isn’t built on invading your privacy. But that doesn’t mean that we’ve always thought carefully about this stuff. There have been cases where personally identifiable information (PII) has just been collected without any consideration.

The more I worked with GDPR the more I appreciated it. The effect of this legislation was never pushing us to do things that felt wrong. Quite the opposite. It was forcing us to think more about our interactions with people and to be careful about how we treated them.

I would be very wary of a company who claims this legislation is onerous. It is potentially life threatening to companies who do very shady things without your consent. That much is true. That is the entire point.

This is not to say that preparing for GDPR didn’t take us 100s of hours. It did. But the upside of that is that we are now a better company.


I’ll give you an example of how this law has changed our product. At Touch Surgery we have groups of users. Think the members of a teaching hospital or all the sales reps for a medical device company. The administrators of a group can invite people to join it.

The old flow went like this. The group administrator enters the email address of someone they want to invite. If they already had a Touch Surgery account we would add them to the group and send them a welcome to the group email. If they didn’t we would create an account for that email address, add them to the group, and invite them to activate it. Basically just setting a password and giving us more details about themselves.

We didn’t build this flow with any ill intentions. It was just the easiest way to achieve our goals. We didn’t really think too much about it. But it contains some unfortunate assumptions.

  • We assumed that the administrator had this person’s permission to add them to the group
  • We assumed that this person was interested in using our service
  • We assumed that we could keep the persons information

The new, post GDPR, flow works like this. The group administrator enters an email address. We warn them that they must have the explicit or implied consent of the owner of this email address. Implied consent in this case would be that yes, the owner of this email address is a member of teaching program and being included in this Touch Surgery group is an important part of that program.

We then use the email address to create an invitation. Inviting the owner of the email to create an account and become a member of the group. If the user accepts then all is good.

But now we also give them an option to decline.

If they decline then they have removed their implied consent. And we shouldn’t be holding their email address. So we don’t. We delete it.

We still keep a record of the invitation. And the reason we do that is so that the same group administrator cannot continue to spam them with invites. How do we delete their email address while making sure they cannot be re-invited? Through the magic of a one-way hash function. This means that if you give us an email address we can check if you’ve ever tried to invite that person before. But we can’t look at any of our declined invitations and know which email addresses were invited.

This is a relatively small change. It was slightly more complicated to implement. But more importantly I think it’s the right way to do it.

And that’s why the more we work through the changes that GDPR is forcing upon us. The more confidant I am that it will be a successful piece of legislation. Unlike that stupid cookie law (nothing is more frustrating to a developer than baking stupidity into our products) it is forcing us to think deeply about our relationship with users, and the people who are not users. But merely brushed up against our products.

Who we still have responsibilities to.

So thank you GDPR! And thanks to all the responsible companies out there currently deleting my personal data. Which you collected without my knowledge or consent. May we all strive to build businesses that are at least 50% less creepy.

Touch Surgery make surgical simulations. And we let you use them for free. If you’re interested in finding more about what we do, try downloading our app.