What is GDPR – Things a developer should know about GDPR.
If you are looking to develop new software and applications in 2018, there’s a good chance that you’ve already heard about GDPR. The General Data Protection Regulation is a set of rules established by the European Union, which is concerned with protecting people’s private information. It basically aims at controlling how organizations, developers, and tech giants use the data of their users and customers, as private information can possibly be used in a very detrimental manner. GDPR is all about controlling and regulating the flow of this personal data and making sure that people know what companies are doing with their information.
The GDPR does not only apply to companies and developers in Europe. If your platform has users in the EU, then you must comply with the GDPR. It is not concerned with the size of the organization; if a company is only 10-people strong, but houses personal data of its users, then it must follow the GDPR. Therefore, the regulations aren’t bound by company or user base size. Before getting into the things a developer should know about GDPR, let us throw some light on what constitutes personal data.
What is personal data?
In this piece on things a developer should know about GDPR, we begin with personal data.
As per the European data protection framework, personal data is “any information relating to an identified or identifiable natural person.” This also includes sensitive personal data, such as information about someone’s:
- Political opinions
- Racial or cultural beliefs
- Sexual preferences or sex life
- Criminal data
The GDPR expands the definition of personal data to also incorporate biometric and genetic data, online identifiers, pseudonymized data and location data. As for developers, personal data also includes things like MAC addresses, RFID tags, fingerprints, cookies and IP addresses. Data controllers and processors are the ones using personal data. Developers may be either one of the two or both, and all these constitute topics under things a developer should know about GDPR.
Personal data also includes any info that third parties provide about a user, in addition to info directly provided by the user. Data minimization, integrity, and confidentiality are all principles that concern personal data and are a part of things a developer should know about GDPR.
Why is GDPR such a big deal? What can be the effects?
Prior to the adoption of GDPR, users’ personal data was at risk of being misused by companies. The regulations have now made it possible for customers to breathe freely about their personal data not being at risk. How has this changed the gameplan of companies? When it comes to firms, what are the things a developer should know about GDPR? Let’s have a look.
- Different approaches to advertising. Due to the necessity of consent from users to show advertisements or market products, native advertising might just be the go-to option. If customers notice that firms improve their online experiences, they are more likely to give consent for data sharing.
- Content Recommendation. Brands can now utilize content recommendation features to extend their reach further than what they are currently capable of. The advent of GDPR will ensure that users only receive relevant updates and recommendations under this feature.
- Usage of data for targeting purposes. Rather than using people’s personal data for recommending ads and content to them, brands are now forced to look for alternative sources of targeting material. The mining of personal user data is now no longer feasible, as companies must collect only the data which they need. Google has already initiated efforts towards this, by using non-personalized ad targeting. Therefore, GDPR now requires firms and brands to put a bit more effort in their targeting and outreach strategies.
All these are important things a developer should know about GDPR since one must be aware of all plans adopted by his/her company.
Now, what are the technical aspects of things a developer should know about GDPR?
Tech talk of GDPR
GDPR concerns the handling of personal data by firms and organizations. But there is more to it. Here are some key technical areas related to things a developer should know about GDPR.
- Data flow. The path that data takes through an organization or company is called the data flow. Since GDPR is all about data, firms are obligated to provide information about each and every step or action that they perform with a user’s data. Therefore, developers will need to keep a watch on who accesses their customer’s data, in what manner, and when.
- Right to access. GDPR dictates the access permissions for all personal data of users. The right to access means that users have the right to decide who can access their private information. Thus, developers need to manage which third parties have access to their customers’ data. Also, the new laws state that developers must, on request, present a detailed list of all information they possess about a certain user. This must be done within 30 days of the request.
- Explicit consent. Developers will now need to present users with a clear overview of how their data will be used, who will access it and in what manner. Only after the user gives his/her explicit consent can the company use their data. For years upon years, companies have exploited the lack of enforcement to push users into providing all their data without knowing the consequences. GDPR aims to stop this.
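The three points above can be combined in one small component. The following is an added example, not code from the original article: a store that refuses any read without a consented purpose, logs every attempt, and builds the report a user can request. The class, field names and sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

class PersonalDataStore:
    """Every read must name a consented purpose, and every attempt is logged."""

    def __init__(self):
        self.records = {}     # user_id -> personal data
        self.consents = {}    # user_id -> purposes the user explicitly agreed to
        self.access_log = []  # one entry per access attempt, allowed or not

    def set_consent(self, user_id, purpose, granted):
        purposes = self.consents.setdefault(user_id, set())
        if granted:
            purposes.add(purpose)
        else:
            purposes.discard(purpose)  # withdrawal takes effect on the next read

    def read(self, user_id, accessor, purpose, when):
        allowed = purpose in self.consents.get(user_id, set())
        self.access_log.append({"when": when, "user_id": user_id,
                                "accessor": accessor, "purpose": purpose,
                                "allowed": allowed})
        if not allowed:
            raise PermissionError(f"no consent from user {user_id} for {purpose!r}")
        return dict(self.records[user_id])  # copy, so callers cannot edit the store

    def access_report(self, user_id, requested_at):
        """Answer to an access request: the data, who touched it, and the deadline."""
        return {
            "data": dict(self.records.get(user_id, {})),
            "consents": sorted(self.consents.get(user_id, set())),
            "accesses": [e for e in self.access_log if e["user_id"] == user_id],
            "due_by": requested_at + timedelta(days=30),  # the 30-day limit above
        }

def demo():
    store = PersonalDataStore()
    store.records[7] = {"email": "user7@example.test"}  # constructed sample data
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    store.set_consent(7, "order_emails", True)
    store.read(7, "mailer-service", "order_emails", t0)
    try:
        store.read(7, "ads-partner", "ad_targeting", t0 + timedelta(minutes=5))
    except PermissionError:
        pass  # refused, but the attempt is still in the log
    return store.access_report(7, t0 + timedelta(days=1))
```

Logging the refused attempt as well as the allowed one is what lets the report show who tried to use the data for a purpose the user never agreed to.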
Features developers must integrate
With the advent of GDPR, it becomes necessary for developers to integrate some essential features into their platforms. These ensure that all GDPR regulations are adhered to, and the user’s personal data remains protected. Here are the features which can incorporate all things a developer should know about GDPR.
- There must be a feature that deletes all user data present in the system. Forgetting a user upon request is something that must be implemented in order to adhere to GDPR regulations. Steps also need to be taken to ensure that the deletion causes no foreign key violation; nullable foreign keys and cascaded deletions are both viable options. When the data is deleted from the system, third parties that were using the user’s data must be notified of the deletion, so that they can remove the data from their systems as well. The servers should return a ‘not found’ error when attempting to reference the deleted data.
- Export data. This feature allows the user to obtain a file with all of his/her private data which is stored in the system. This typically includes, but is not limited to, the ‘forgetting’ data that gets deleted upon a ‘forget me’ request. Simple CSV/XLS exports may be enough if the data to be processed is easy to comprehend. The structure of the data dump may not be strictly defined.
- See all my data. This feature is close to the export feature, the main difference being that the data is displayed in the UI of the platform rather than a dump file. This may or may not be mandatory, although having this feature would certainly leave a good impression among users. For instance, Google Maps shows location history of the user, which contains all locations he/she has visited.
- All the fields in your user data should be editable via the UI. Although this seems very obvious, it is not implemented everywhere. It is usually missing where companies import user data from third parties, for instance, when logging in with Google. GDPR would dictate that users be able to edit their data whenever they want to.
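For the deletion feature in the first item of this list, the sketch below shows both foreign key options side by side, together with the list of third parties to notify and the ‘not found’ lookup. It is an added example, not code from the original article; the schema, table names and sample rows are constructed, and keeping invoices for accounting is an assumption.

```python
import sqlite3

# Constructed schema and sample rows; every name here is an illustrative assumption.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
-- Personal data that belongs to the user: removed with the user (cascade).
CREATE TABLE addresses (user_id INTEGER NOT NULL
    REFERENCES users(id) ON DELETE CASCADE, street TEXT);
-- Record assumed to be kept for accounting: nullable FK, link is cleared.
CREATE TABLE invoices (id INTEGER PRIMARY KEY, user_id INTEGER
    REFERENCES users(id) ON DELETE SET NULL, cents INTEGER);
-- Third parties that received the user's data.
CREATE TABLE shared_with (user_id INTEGER NOT NULL
    REFERENCES users(id) ON DELETE CASCADE, processor TEXT);
INSERT INTO users VALUES (1, 'ada@example.test');
INSERT INTO addresses VALUES (1, '1 Constructed Street');
INSERT INTO invoices VALUES (100, 1, 4200);
INSERT INTO shared_with VALUES (1, 'mailer'), (1, 'analytics');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK actions otherwise
    conn.executescript(SCHEMA)
    return conn

def forget_user(conn, user_id):
    """Delete the user and return the third parties that must be notified."""
    # Read the recipients first: the cascade removes these rows with the user.
    notify = [p for (p,) in conn.execute(
        "SELECT processor FROM shared_with WHERE user_id = ? ORDER BY processor",
        (user_id,))]
    with conn:  # commits the delete, or rolls back if it raises
        deleted = conn.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount
    return notify if deleted else None  # None: there was no such user

def get_user(conn, user_id):
    """HTTP-style lookup: 200 with the record, 404 once the user is forgotten."""
    row = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    return (200, {"email": row[0]}) if row else (404, None)
```

The recipients are read before the delete because the cascade removes the `shared_with` rows along with the user; reading afterwards would leave nobody to notify.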
How is your consumer benefitted when it comes to the GDPR?
As a developer, it is crucial to know what rights your users have when it comes to implementation of GDPR features. Again a crucial part of things a developer should know about GDPR, this can already be gauged to some extent from the previous section, but for clarity purposes, let us go through the following.
- Broadening of jurisdiction. As discussed, the GDPR applies to all EU firms and those firms which have users from the EU.
- Breach notifications. Users must be notified when a data breach occurs. This must be done within 72 hours of the breach.
- Special protection for minors. Since they are more vulnerable, GDPR includes guidelines for parental consent for kids under 16.
- High penalties. GDPR breaches can cost companies about 4% of their annual global turnover, or EUR20 million.
Some do’s and don’ts when it comes to following the GDPR
Now that you know all about what developers should know regarding the GDPR, here are a few tips and tricks to help you stay in the loop.
- Encryption of user data is extremely important.
- Pseudonymisation is crucial when it comes to protecting people’s identity.
- Companies should keep a log of all accesses made to the personal data of a user.
- Firms should refrain from using data for purposes the user hasn’t agreed to.
- Developers should check that the third parties they work with are also GDPR compliant.
- Do not collect data about users that you would not necessarily need.
GDPR aims to put power back into the user’s hand when it comes to access to personal data. Therefore, it has become extremely important for companies to comply with all GDPR regulations. We hope that developers and product managers alike could benefit from this article.
Get in touch for consultation regarding GDPR compliance.
Sodio being Sodio has managed to stay abreast with the GDPR. If you have any project which now needs an expert perspective on how you need to respond to the new GDPR regulations, feel free to get in touch with us.