What Every Developer Needs to Know About GDPR Compliance

When was the last time you went through a privacy policy update? When everyone, including the likes of Google and Twitter, starts sending you updates, it’s worth having a look. Because, we have a new rule in place, the General Data Protection Regulation or GDPR. It is going to affect the way we think about a project and the way we code!


What Every Developer Needs to Know About GDPR Compliance

The email notification from Google on its newly updated GDPR-compliant privacy policy.


We haven’t forgotten a gloomy Mark Zuckerberg struggling to answer questions from the senators. Well, “not knowing” about GDPR can put anyone in that spot!

Data security, data privacy, and data breach are words we’ve been hearing a lot over the past two months. Long before the recent scandals related to data protection and privacy broke out, in 2012, the European Union (EU) had proposed an update to their 17-year-old Data Protection Act to protect its citizens’ personal information. This has paved the way for General Data Protection Regulation, which will come into effect on May 25, 2018.

Who Will Be Affected by GDPR?

It’s a difficult question with a simple answer. GDPR revolves around security and privacy of EU citizens. If you collect the data of EU citizens, you are under this radar. It doesn’t matter if you are a small company, multinational, or a startup, you ought to make changes. One can say being a small company makes the transition easier. There’s less to change, less to worry.

As the GDPR aims at protecting people’s personal information, all applications that require user data will come under scrutiny. Let us suppose, for example, that you have a website with a Contact Us form that asks for users’ email ids. You store the email id in your database to contact them back and send them promotions. When GDPR comes into effect, you simply cannot send promotions to users other than what they have asked for. Users have to explicitly opt for a promotion before we send it to them.

Who Is Responsible for Ensuring GDPR Compliance?

A data controller can be termed the most important person when it comes to GDPR compliance. The controller decides which data to collect and he/she is obliged to answer any data-related question from the users of an application. The data controller can either be an organization or a consultant who is entrusted with the responsibility of data protection. But it’s up to you, the developer, to implement what’s there in theory.

What Are the Implications of GDPR for Developers?

Collecting User Data: GDPR is all about protecting users’ sensitive personal data. As a developer, you must ensure that your application collects only the relevant data required for the app to function properly, and nothing more. Personal information is anything that can identify a person in a physical or digital space. It can be the name, email address, or physical address. GDPR has expanded this definition to include biometric data, location data, and online identifiers. It means you should think twice before implementing a fingerprint login or saving the user’s IP address in your database. Yes, even an IP address has such relevance!

Keeping Users Informed: Consider a simple signup screen for a mobile/web application. According to GDPR, we must let the user know why their data is being collected, where it will be stored, and with whom it will be shared (if we intend to do so). For example, if we are collecting the user’s location, we must let the user know why we are collecting it and how it will be used. The user must explicitly allow the use of that information. Also, the user should have the ability to view and edit his/her personal information at any time. And, if we are going to process the data further for some purpose, that should be intimated to the user in plain language. This information should include which personal data will be processed, for what, and with whom it will be shared. Finally, the terms of use and privacy policy get some respect!

Erasing User Data: Users have the right to erase their data from the system when they wish to, without any delay. But the application can have some data related to the user, which doesn’t contain any person-identifying information for analytics or data management. Also, there should be some automated or manual set up for every application to delete unused user information with prior notice to the user. The erasure can be time-bound or activity-bound. For example, if a user hasn’t logged into the application for, say, the past one year, the user can be deleted from the system, but it should be done only after informing the user. If personal data is being shared with third parties, steps should be taken to delete data from those as well.

Viewing and Exporting User Data: GDPR gives users the right to obtain a copy of their data processed by the application and get inaccuracies in the data corrected without any delay. If any personal information has been processed without their express consent, this is an opportunity to bring it to the collector’s notice and have it rectified or even erased.

Securing User Data: Maximum security should be provided to users’ personal information, no matter whether it is stored somewhere or is being sent via a request. This calls for a “Privacy by Design” approach, which gives primary importance to data privacy and protection while designing an application workflow. Developers must devise the perfect data flow architecture to make sure that there is no data leak anywhere in the system and no one else can see the data. Cached user data? User data in browser cookies? Better be encrypted!

How Do We Ensure GDPR Compliance?

Go for User-Centered Design: Adopting a user-centered design, where users’ privacy is “present by default” can be considered as the first step for GDPR compliance.

Be Aware: Every developer should be aware of what data they collect from end users, their purpose of collecting the data, and how the data is used and stored.

Document Everything: Data flow and data storage in the application should be well documented so that when an end user complains about data loss, you will have something to refer to.

Follow Coding Standards: A well-designed application architecture and well-written code mean your application is half-GDPR compliant. Ample time and care must be taken for formulating the application architecture, with utmost importance given to secure data flow.

All said, GDPR simply aims at protecting user information. Be transparent, be ready to answer users’ questions, and you are safe. Otherwise be ready to pay hefty fines. If you ask me to define GDPR, I would say it’s all about being honest to your end users, the citizens!