GDPR and How to Get Your Archived Information in a User-friendly Way
As the GDPR compliance deadline approaches, more and more companies started implementing different UI modules to cover for the directive’s requirements.
One of the main aspects of GDPR is to provide users full access to their data at any time, as well as the ability to export their data in a common electronic format.
While this is generally a good thing it may be tricky to handle in a big and busy environment. Of course that depends on the amount of user data your system keeps — it can be nearly instant or it can take unknown amount of time, so it’s best if this process is handled by a background worker.
Processing something on background means that your users won’t get immediate result after their interaction and since we don’t really know how long this process will continue we need to notify our users that something is going on. It’s really a personal preference on how this is going to be managed. Best would be to use on-screen notification and an email that says that their archive is on its way and the user will receive the result after the processing is finished.
The information archive process itself can gather the data and build a CSV file for example, then wire it over email if it’s small.
NOTE: Be careful with large email attachments, most email servers do have strict limits about attachments size and will cut your email off. In case your exports are bigger, you can create a simple page where the user can download the export. Compressing the data is a good idea as well, since this will cut off some bytes from it which will result in faster download and less used storage on your server.
Most of the modern programming languages used for the web already have wrappers that can help you with the compression:
- Ruby/Rails — https://github.com/rubyzip/rubyzip
Don’t forget to regularly clean up the archives. Best practice is to do it straight after the download happens. Otherwise this can become a problem since exported user information is being stored on your system without user consent and without clear retention policy. And this can possibly allow GDPR to bite you :).
Hopefully this post will help someone take the right decisions on time. Feel free to ask questions directly or in the comments below. I don’t claim to be a GDPR expert, but who can really. If you still feel unsure how to modify your existing systems to meet the regulation requirements, we at Evermore can surely help you make the right steps forward.