How We Implemented GDPR and What You Need to Be Aware of

U+ (U.plus), May 7, 2018

New data protection rules are in force in the EU, and by rules we mean a regulation, as opposed to a directive: a directive has to be transposed into each member state's own law, while a regulation applies directly in every EU country. You have probably heard of it already: the GDPR (General Data Protection Regulation). If you are a tech company handling personal data, you should already be acting on it, because the regulation becomes enforceable on May 25th, 2018. The legislation isn't so much revolutionary as an update of the preceding Data Protection Directive of…1995. About time. Big international companies like Facebook and Google have been taking heat, especially of late, for practices that would count as violations under the new rules. Note that GDPR covers all personal data, meaning any information relating to an identified or identifiable person, such as a name, an e-mail address, a device identifier or location data. The splashiest parts concern the special categories that get extra protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, and data concerning health, sex life or sexual orientation. And if your company processes user data and has even one user located in the EU, you have to meet these standards internally, regardless of where the company itself is based. There is no mandatory certification that tells you that you are compliant; you get noticed when you fail to comply.

Here at U+, we put together internal documentation to make sure we always comply with this regulation.

Some important boxes to check off. First and foremost, transparency: what is done with users' data has to be explained to them in plain, understandable language, not buried in legalese. Data minimisation: collect and keep only the data the given application needs to function. Your processors have to be compliant too, and that only covers their side; you still need a data processing agreement with each of them. At U+ we use AWS and Atlassian, both of which, as international businesses, have committed to GDPR compliance, but signing up with a compliant provider does not make your own processing compliant. Every new product we develop has to have GDPR reflected in its design and in its estimates (the regulation calls this data protection by design and by default). A personal data breach has to be reported to the supervisory authority, within 72 hours of becoming aware of it where feasible, and to the affected users without undue delay when the breach is likely to put them at high risk. And it's good to have lawyers handy to make sure everything is tight legally.

A big part of the regulation is making sure that every processing of personal data has a lawful basis, and the basis differs by purpose. When an app needs GPS to function at all, processing location is necessary to deliver the service the user asked for. When a company wants to use your interaction with the app to advertise to you, or in the same vein to share your e-mail or other personal data with other companies, that is a separate purpose and needs its own basis, typically the user's consent. Consent has to be a clear, affirmative, purpose-specific choice, and the user can withdraw it at any time, as easily as it was given; once withdrawn, processing for that purpose has to stop.
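The purpose-by-purpose logic described above, as an added example that is not part of the original post or of U+'s internal documentation: a small Python register that records the lawful basis for each processing purpose, keeps a timestamped consent history per user, allows processing that is necessary for the service without consent, and refuses consent-based processing once consent is withdrawn. The purpose names, user id and timestamps are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Lawful bases from GDPR Article 6 used in this example (assumption: an app only
# ever needs these two; a real register would also cover the other four bases).
CONSENT = "consent"      # Art. 6(1)(a): the user opted in and may withdraw at any time
CONTRACT = "contract"    # Art. 6(1)(b): necessary to deliver the service the user asked for


@dataclass(frozen=True)
class Purpose:
    name: str
    lawful_basis: str
    description: str  # plain-language text shown to the user (transparency)


@dataclass
class ConsentRecord:
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ProcessingRegister:
    """Per-user register of purposes, each with its lawful basis and consent history.

    Purposes that rest on consent are refused until consent is recorded and again as
    soon as it is withdrawn; purposes necessary for the service itself do not depend
    on consent at all, so withdrawing an advertising opt-in never breaks the app.
    """

    def __init__(self, purposes: List[Purpose]) -> None:
        self.purposes: Dict[str, Purpose] = {p.name: p for p in purposes}
        # user_id -> purpose name -> consent history, oldest first
        self.consents: Dict[str, Dict[str, List[ConsentRecord]]] = {}

    def _history(self, user_id: str, purpose: str) -> List[ConsentRecord]:
        return self.consents.setdefault(user_id, {}).setdefault(purpose, [])

    def give_consent(self, user_id: str, purpose: str, when: datetime) -> None:
        # Consent is only meaningful for purposes that actually rely on it.
        if self.purposes[purpose].lawful_basis != CONSENT:
            raise ValueError(f"{purpose!r} does not rely on consent; nothing to record")
        self._history(user_id, purpose).append(ConsentRecord(given_at=when))

    def withdraw_consent(self, user_id: str, purpose: str, when: datetime) -> None:
        history = self._history(user_id, purpose)
        if not history or history[-1].withdrawn_at is not None:
            raise ValueError(f"no active consent for {purpose!r} to withdraw")
        history[-1].withdrawn_at = when  # keep the record; the audit trail stays intact

    def may_process(self, user_id: str, purpose: str, at: datetime) -> bool:
        """Decide whether `purpose` may be carried out for `user_id` at time `at`."""
        if self.purposes[purpose].lawful_basis == CONTRACT:
            return True
        # Consent-based: some record must cover the instant `at`.
        for rec in self._history(user_id, purpose):
            if rec.given_at <= at and (rec.withdrawn_at is None or at < rec.withdrawn_at):
                return True
        return False


def demo() -> Dict[str, bool]:
    """Constructed walk-through: a user relies on GPS, opts in to ads, then opts out."""
    register = ProcessingRegister([
        Purpose("location", CONTRACT, "Your GPS position is used to show nearby results."),
        Purpose("ad_profiling", CONSENT, "Your in-app activity is used to pick the ads you see."),
        Purpose("share_email", CONSENT, "Your e-mail address is passed to our partners."),
    ])
    t_opt_in = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t_check = datetime(2018, 5, 26, 9, 0, tzinfo=timezone.utc)
    t_opt_out = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    t_later = datetime(2018, 7, 1, 12, 0, tzinfo=timezone.utc)

    register.give_consent("u42", "ad_profiling", when=t_opt_in)
    register.withdraw_consent("u42", "ad_profiling", when=t_opt_out)
    return {
        "location_without_consent": register.may_process("u42", "location", at=t_later),
        "ads_while_consented": register.may_process("u42", "ad_profiling", at=t_check),
        "ads_after_withdrawal": register.may_process("u42", "ad_profiling", at=t_later),
        "email_never_consented": register.may_process("u42", "share_email", at=t_later),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'refused'}")
```

Keeping the withdrawn record instead of deleting it is deliberate: it lets you show a user (or a supervisory authority) when consent was given and when it was withdrawn, while `may_process` still refuses anything after the withdrawal timestamp.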

Legal strictures are never comfortable, but regulation like this is generally welcomed on both sides of the equation; after all, most people who develop applications are also users. For most companies these rules won't really hamper their processes. Everyone ultimately wants their data to be protected as well as possible and not misused. Seen that way, GDPR compliance is a way to build confidence with customers rather than a burden.
