GDPR, the General Data Protection Regulation coming into force in 10 days, isn’t just another regulation. Despite its lacklustre name, GDPR is easily the worst four-letter word any business owner or developer can think of right now: the end of the digital world as we know it.
“Even a quick glance at the 99-article document got my heart rate up,” says Kentico's Jarkovsky. “Maybe this one is worthy of the sweat, tears and sleepless nights (or months) that developers worldwide are suffering. No matter the business type or vertical, if a company stores any information about European visitors, GDPR is likely to be the only topic of conversation had for the considerable future.”
GDPR recap
Most developers are already up to their eyeballs in GDPR compliance meetings, issues, consent requests, privacy policy updates and procedure overhauls, but for those who aren’t sure why this is (or what is being talked about), here’s the deal:
GDPR is about privacy and protecting people’s personal information: the stuff companies so frivolously (and somewhat excessively) collect in order to deliver meaningful customer experiences. It takes much less information than one would like to think to steal an identity and wreak havoc. So, though consumers benefit from the collected data in the form of tailored interactions and joined-up journeys across devices, it’s clear that stricter control is required. And since the last laws covering online data were penned in the 90s (the 1995 Data Protection Directive, probably drafted with a quill), it’s long overdue. Back then, we had no idea how integrated our on- and offline lives would become, nor that we’d all be sharing most details of both on social media, inadvertently making ourselves vulnerable.
So GDPR is about helping people take back control of their personal data, their property, by setting strict rules for how companies collect, store, transfer and use the data they hold.
GDPR comes with a lot of implications for all businesses in all industries, and they run very deep. Developers especially need to start educating themselves about the regulations, the areas of their work that will be affected, and the adjustments and updates required for compliance.
Jarkovsky’s GDPR action plan for developers
GDPR affects developers in every business in a big way. And with the fines threatened (up to €20 million or 4% of global annual turnover, whichever is higher), it’s no wonder. A little panic is warranted. A small heart attack might not be uncalled for.
But, the alternative is to take things one step at a time. If you’ve been propping your eyes open with toothpicks through GDPR presentations, it’s time to sit up and pay attention. Do your homework. Find out all the different areas of your work that will be affected. Get as much time as you can with your legal advisors and know what questions to ask.
Make sure everyone in the team understands the regulation, their personal role in compliance, and what the implications of non-compliance are.
Get a sense of what new capabilities you’re going to need. Essentials such as controlling data at a much more granular level (per user, per purpose, per retention period) can have a pretty hefty impact on development costs.
Data detection
When you think you’ve understood the law, it’ll be time to organise a thorough check of your entire data estate, detecting everything the new law applies to. This is a massive undertaking. Start early. Get out a fine-tooth comb and go through every single table on every system in the company looking for personal details belonging to users; don’t forget the places that aren’t tables, such as application logs, backups, analytics exports and third-party SaaS tools. Keep logs of what you found and where.
There’s some nifty software out there with sophisticated reporting capabilities that will help you do this, so if you’re running out of time (hint: you are), these could be a good option for you.
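A first-pass discovery scan of the kind described above, as an added example that is not the article's or Kentico's code: it walks every table in a SQLite database, flags columns by name hints and by sampling their values against patterns for e-mail addresses, phone numbers, dates of birth and IP addresses, and returns a findings log for a human to review. The hint lists, the 80% match threshold, the regexes and the sample schema and rows are all assumptions constructed for this demo; point it at a real catalogue by swapping the connection, and expect false positives (a `product_name` column will be flagged by name) that need manual triage.

```python
"""Inventory every table of a database for columns that look like personal data.

Added example for the data-detection step. Two weak signals are combined:
column-name hints and sampled-value patterns. Hint lists, patterns, threshold
and the demo schema are assumptions for this example, not the article's.
"""
import re
import sqlite3

# Category -> identifier tokens that suggest that category (assumed list).
NAME_HINTS = {
    "email": {"email", "mail"},
    "phone": {"phone", "mobile", "tel", "telephone"},
    "name": {"name", "surname", "forename", "firstname", "lastname"},
    "dob": {"dob", "birthdate", "birthday", "birth"},
    "ip_address": {"ip", "ipaddr", "ipaddress"},
    "national_id": {"ssn", "nino", "passport"},
}

# Ordered: the more specific formats come first so an ISO date is not
# mistaken for a phone number (both are digits and dashes).
VALUE_PATTERNS = [
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")),
    ("ip_address", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("dob", re.compile(r"^\d{4}-\d{2}-\d{2}$")),
    ("phone", re.compile(r"^\+?\d[\d\s().-]{6,}\d$")),
]
MATCH_THRESHOLD = 0.8  # assumed: fraction of non-empty sampled values that must match


def identifier_tokens(name):
    """Split snake_case or camelCase identifiers into lower-case tokens."""
    snake = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    return {t for t in snake.lower().split("_") if t}


def hint_category(column):
    """Category suggested by the column name alone, or None."""
    toks = identifier_tokens(column)
    for category, hints in NAME_HINTS.items():
        if toks & hints:
            return category
    return None


def value_category(values):
    """Return (category, matched, sampled) for a list of sampled cell values."""
    strs = [str(v).strip() for v in values if v is not None and str(v).strip()]
    if not strs:
        return None, 0, 0
    for category, pattern in VALUE_PATTERNS:
        hits = sum(1 for s in strs if pattern.match(s))
        if hits >= MATCH_THRESHOLD * len(strs):
            return category, hits, len(strs)
    return None, 0, len(strs)


def quote_ident(name):
    """Double-quote an identifier taken from the catalogue (not user input)."""
    return '"' + name.replace('"', '""') + '"'


def scan_database(conn, sample_rows=200):
    """Walk every user table and column; return a list of finding dicts."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
        for column in columns:
            sample = [r[0] for r in conn.execute(
                f"SELECT {quote_ident(column)} FROM {quote_ident(table)} LIMIT ?", (sample_rows,))]
            by_name = hint_category(column)
            by_value, matched, sampled = value_category(sample)
            if by_name is None and by_value is None:
                continue
            evidence = "both" if by_name and by_value else ("values" if by_value else "column name")
            findings.append({
                "table": table, "column": column,
                "category": by_value or by_name,  # observed values outrank the name
                "evidence": evidence, "matched": matched, "sampled": sampled,
            })
    return findings


def build_sample_db():
    """Constructed demo schema and rows (not real data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, full_name TEXT, email TEXT, phone TEXT, dob TEXT, last_login_ip TEXT);
        CREATE TABLE orders (id INTEGER, user_id INTEGER, sku TEXT, amount REAL);
        CREATE TABLE support_notes (id INTEGER, contact TEXT, body TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", [
        (1, "Ada Example", "ada@example.org", "+44 20 7946 0000", "1985-03-21", "203.0.113.7"),
        (2, "Bob Sample", "bob@example.net", "+1 (555) 010-0000", "1990-11-02", "198.51.100.23"),
        (3, "Cy Test", "cy@example.com", "020 7946 0001", "1978-07-14", "192.0.2.44"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", [(10, 1, "SKU-1", 9.99), (11, 2, "SKU-2", 19.5)])
    conn.executemany("INSERT INTO support_notes VALUES (?,?,?)", [
        (100, "ada@example.org", "Asked about invoice"), (101, "bob@example.net", "Password reset"),
    ])
    return conn


if __name__ == "__main__":
    for f in scan_database(build_sample_db()):
        print(f"{f['table']}.{f['column']}: {f['category']} "
              f"({f['evidence']}, {f['matched']}/{f['sampled']} sampled values matched)")
```

The `support_notes.contact` column is the case worth noticing: nothing in its name says "personal data", but its values are e-mail addresses, which is exactly the kind of column a name-only search misses. Conversely `users.full_name` is flagged on its name alone because free-text names have no reliable pattern; treat "column name" findings as candidates to confirm by hand.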
Spring cleaning
GDPR is in place to help people control what data you hold about them, so the less you hold, the better: the regulation calls this data minimisation. Databases should be clean and clutter-free. If a user’s date of birth, their family tree, or which Disney character they most look like isn’t essential to the purpose you collected it for, it should be deleted. The less personal data companies are holding, the smoother their transition into a GDPR world will be.
You will have to be prepared for people invoking their right to be forgotten (the right to erasure), too. This will have a huge impact on how you create data-centric applications. You’ll need to consider all the various data touchpoints, including caches, backups, logs and any third-party processors you’ve shared the data with, and start thinking about how they’ll need to be updated.
Have a plan
Define a comprehensive and detailed implementation plan to help you track your progress and stay on top of the schedule. Don’t panic looking at your discovery phase log. Break it into small, logical segments and divvy them out to your team. Then start on acquiring the additional resources you’ll need.
Your action plan should also include a close examination of who in the company can access the stored data. Interview staff, dig out those Disaster Recovery (DR) checklists and limit access to just the people who need it for their role. You won’t regret this step when audit time comes round.
And it will. Maybe not today, or tomorrow, but on a day you’re least expecting it and deep in a seemingly more important meeting. But no fear; full prep now brings peace as you go forward and makes your audit interview a doddle (complete with logs and multi-coloured reports about how well you comply).
The most important thing
“You’re a developer. You’re already amazing. The impossible is just something you’re raring to prove otherwise. Be confident. Never admit defeat. GDPR will most likely test you. But, manage yourself with the same level of integrity you always do, and you’ll be fine,” concludes Jarkovsky.