Why the GDPR Affects Developers

The EU General Data Protection Regulation (GDPR) has had a substantial impact around the world.

Marketers have been hurriedly spamming their EU subscribers to ensure that they have legally-valid consent. Businesses running targeted ads in the EU have had to jump through a series of regulatory hoops. Some companies have even made their websites inaccessible to EU visitors out of fear that they might violate the law.

And within the EU itself, the GDPR has affected just about everyone.

Illustration: Why the GDPR Affects Developers

School teachers have been herded into classrooms and subjected to mandatory GDPR training sessions. Doctors' offices have appointed Data Protection Officers to oversee the handling of medical records. Even the local priest has lost sleep, worrying about how to anonymize the church choir sign-up sheet.

Every web developer should be aware of how the GDPR affects them. After all, if it weren't for the ubiquity of technology in modern life, there would be no need for such privacy laws.

Billions of people have an online identity, whether they know it or not. People transmit their private information over the web on a daily basis. They've invited intrusive data-processing devices into their homes.

At its heart, the GDPR is about security and control. It should make cybercrime a much less worthwhile endeavor. It aims to reduce the exploitation of people's online presence. And it ensures that individuals can maintain ownership of their personal data.

These are all admirable goals. And for the most part, it's developers that will actually make this stuff happen.

Developers at the Heart of GDPR Implementation

Let's consider a few examples of how crucial developers are to the implementation of this law.

Consent is a big deal under the GDPR. It's important that you ask a person whether you have their permission to send them direct marketing. And the way you ask them is also important.

With this in mind, many companies have been looking at the way they ask for consent. In many cases, their long-established methods are not compliant with the new law.

Here's a real example, taken from an archived version of Adoption UK's website back in 2015.

Adoption UK newsletter sign up form

Something like this would not be sufficient under the GDPR's requirements. Fortunately, Adoption UK's more current newsletter consent request looks much better now:

Adoption UK newsletter sign up form checkboxes

You can see the difference between these two methods.

The latter one allows the user to make real decisions about what correspondence they receive. They are invited to read the charity's Privacy Policy and told how to withdraw consent (by unsubscribing). A front-end developer made this happen.

There may be many people in a company who can spot areas where their data processing practices fall short of the law's requirements. But this is not enough. Developers are required to actually bring these changes about.

There are countless other examples where a developer would be required to put GDPR-mandated changes into practice.

For instance, if an app publisher decides to add account controls to its software so that users can directly access their personal data, it's a developer who will have to build that feature.

Or perhaps an instant messaging software company decides to employ a higher standard of encryption, to ensure compliance with the GDPR's enhanced security requirements. Who do you think would be called upon to implement this measure? You guessed it - developers.

This is a huge opportunity, but it's also a big responsibility. Privacy law is expanding, and the GDPR is the latest clear indication of this. It's incumbent on developers to cultivate an in-depth understanding of data protection and information security.

Developers on the Frontline of Enhancing Data Protection

High profile security incidents occur all the time. Every week we hear of another data breach where account credentials, payment card numbers or passport details are compromised. This can be devastating for a business and its customers. Developers play a crucial role in preventing these occurrences.

In the first eight months of the GDPR, there were nearly 60,000 data breaches reported. But a 2019 study revealed that GDPR-compliant companies are significantly less likely to suffer a data breach. This survey took place before the GDPR had been in force for even one year.

There are many possible reasons for this, including:

  • The GDPR demands that personal data be processed securely and subjected to technical measures such as anonymization, pseudonymization, and encryption. Data in these forms is far less useful to an attacker who gets hold of it.
  • Personal data is only to be stored for as long as it's needed. Less personal data in storage automatically means less risk.
  • Because of the controls that individuals can exercise over their personal data, transparency is required at every stage of processing. Personal data must be well-organized and accessible to those who require access.

These are just three examples of how the GDPR can improve a company's data protection practices, and developers are crucial in each case.

When ensuring that personal data is stored securely, a developer must choose a method that is GDPR-compliant, genuinely secure, and also functional according to the needs of the business.

To fulfill the GDPR's principle of storage limitation, a developer must implement a system that automatically deletes personal data once it is no longer needed, for example by using logrotate to remove expired log files.

And in order to facilitate users' requests for access, rectification or erasure, developers must create and maintain secure and orderly databases. These databases should be easily accessible to those with permission, but they must remain impenetrable to those without it.
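The three mechanisms just described (pseudonymizing stored identifiers, purging data automatically once a retention period has passed, and servicing access and erasure requests) can be shown in a single small program. The following is an added example written for this chapter, not code from the book or from any of the organizations it mentions; the 30-day retention period, the HMAC key, the `PersonalDataStore` class and the sample records are all assumptions made for the illustration.

```python
"""
Added example: a minimal personal-data store demonstrating keyed
pseudonymization, automatic deletion under a retention period (storage
limitation), and servicing data-subject access and erasure requests.
The retention period, key and sample records are assumptions.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed retention period: records older than this are purged automatically.
RETENTION = timedelta(days=30)

# Assumed secret used to derive pseudonyms. In a real system it lives in a
# key store, separate from the pseudonymized data, so that a copy of the
# data alone cannot be linked back to a person.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymize(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Derive a stable, keyed pseudonym for an identifier.

    HMAC-SHA256 is used rather than a plain hash so that someone holding
    only the pseudonyms and a list of candidate e-mail addresses cannot
    confirm matches without also holding the key.
    """
    normalized = email.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


class PersonalDataStore:
    """Hypothetical store keyed by pseudonym rather than by raw identifier."""

    def __init__(self):
        # pseudonym -> list of {"created": datetime, "data": dict}
        self._records = {}

    def add(self, email, data, created=None):
        created = created or datetime.now(timezone.utc)
        self._records.setdefault(pseudonymize(email), []).append(
            {"created": created, "data": dict(data)})

    def purge_expired(self, now=None):
        """Storage limitation: delete records older than RETENTION.
        Returns the number of records removed."""
        now = now or datetime.now(timezone.utc)
        removed = 0
        for pseud in list(self._records):
            kept = [r for r in self._records[pseud]
                    if now - r["created"] <= RETENTION]
            removed += len(self._records[pseud]) - len(kept)
            if kept:
                self._records[pseud] = kept
            else:
                del self._records[pseud]  # leave no empty entry behind
        return removed

    def access_request(self, email):
        """Right of access: return copies of everything held for the subject."""
        return [dict(r["data"]) for r in self._records.get(pseudonymize(email), [])]

    def erasure_request(self, email):
        """Right to erasure: delete everything held for the subject.
        Returns the number of records deleted."""
        return len(self._records.pop(pseudonymize(email), []))

    def count(self):
        return sum(len(v) for v in self._records.values())


def demo():
    """Run the three mechanisms over constructed sample data (not real people)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    store.add("alice@example.com", {"newsletter": True}, created=now - timedelta(days=40))
    store.add("alice@example.com", {"newsletter": False}, created=now - timedelta(days=5))
    store.add("bob@example.com", {"newsletter": True}, created=now - timedelta(days=1))
    purged = store.purge_expired(now=now)  # Alice's 40-day-old record expires
    alice = store.access_request("alice@example.com")
    erased = store.erasure_request("alice@example.com")
    return {"purged": purged, "alice_after_purge": alice,
            "erased": erased, "remaining": store.count()}


if __name__ == "__main__":
    print(demo())
```

The design point is that retention and erasure are properties of the data model, not afterthoughts: because every record carries its creation time and is keyed by a pseudonym, `purge_expired` can run on a schedule the way logrotate does for log files, and an erasure request is a single deletion rather than a search across systems for a raw e-mail address.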

The GDPR: An Opportunity for Developers

This book is very much focused on the GDPR law that developers must know about, rather than the technical aspects of development. Whilst the book won't shy away from the technical implications of following the law, it isn't about coding.

Here are some of the things you'll be learning about:

  • What the GDPR says, and why it's important
  • Some of the myths and half-truths surrounding the GDPR
  • How the GDPR relates to developers
  • The practical steps developers can take to fulfill the GDPR's requirements
  • How you can turn this new challenge into an opportunity

The law is coming down hard on companies who do not treat their customers' personal data with respect. Those who fail to realize this are liable to be left behind. But opportunities await those who understand the law and can thrive in this new culture.