The legislation completely changed the way companies could process, transfer, and store user data, and severely restricted what used to be ordinary business flows of data.
The GDPR states that individuals have the right to not have their information be shared; that individuals should not have to hand over their information in order to access goods or services; and that individuals have further rights to their information even once it's been handed over to another organization.
This caused developers to reconsider fundamental aspects of their data strategy, and many teams and organizations continue to determine the best ways to comply.
In this article, I’ll share the key components of GDPR that every developer should know about, and I’ll also preview another new directive to keep on your radar as it might change how you can work with data in the near future.
Developer’s Guide to GDPR and EU Regulations
For software professionals, GDPR means that a few things that used to be “nice-to-haves” are now requirements.
You must get explicit consent to collect data. If you're collecting data on people, you have to explicitly ask for it. You have to specify exactly what information you're collecting, the reason you're collecting it, how long you plan on storing it, and what you plan to do with it. (You can thank the latter for the proliferation of all those cookie banners a few years ago.) Furthermore, you must give your users the right to say no. You can't just leverage a full-screen non-dismissible modal that doesn't allow them to continue without accepting it.
You can only collect data for legitimate purposes. Just because someone's willing to give you data doesn't mean you're allowed to take it. One of the biggest headaches I got into with regard to GDPR was when a client wanted to gate some white papers behind an email signup. I explained multiple times that you can't require an email address for a good or service unless the email address was required to provide said good or service. No matter how many times the client insisted that he had seen someone else doing the same thing, I was unable to build the illegal interaction.
Users have the right to ask for the data you have stored, and to have it deleted. Users can ask to see what data you have stored on them, and you're required to provide it (including, again, why you have that data stored). And, unless it's being used for legitimate processing purposes, you have to delete that data if the user requests it (the "right to be forgotten").
And all of this applies to any organization or company that provides a good or service to any person in the EU. Not just paid, either – it explicitly says that you do not have to charge money to be covered under the GDPR. So if your organization has an app in the App Store that can be downloaded in Ireland, Italy, France, or other EU country, it, and likely a lot more of your company's services, falls under GDPR.
How Is GDPR Enforced?
As for enforcements, organizations can be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. Amazon Europe got docked €746 million for what was alleged "[manipulation of] customers for commercial means by choosing what advertising and information they receive[d]" based on the processing of personal data. Meta has been fined a quarter of billion Euro a few different times.
But this isn’t just impacting big companies. A translation firm got hit with fines of €20K for "excessive video surveillance of employees" (a fine that's practically unthinkable in the US absent cameras in a private area such as a bathroom) and a retailer in Belgium had to pay €10K for forcing users to submit an ID card to create a loyalty account (since that information was not necessary to creating a loyalty account).
Digital Markets Act
The next wave of regulation to hit the tech world is the Digital Markets Act, which is aimed specifically at large corporations that serve a “gatekeeping functionality” in digital markets in at least three EU countries. Although it is not broadly applicable, it will change the way that several major platforms will work with their data.
The directive’s goal is to break up the over-sized share that some platforms have in digital sectors like search, e-commerce, travel, media streaming, and more. When a platform controls sufficient traffic in a sector, and facilitates sales between businesses and users, it must comply with new regulations about how data is provisioned and protected.
Specifically, those companies must:
Allow third parties to interoperate with their services.
Allow businesses to access the data generated on the platform.
Provide advertising partners with the tools and data necessary to independently verify claims.
Allow business users to promote and conduct business outside of the platform.
Additionally, the gatekeepers cannot:
Promote internal services and products over third parties.
Prevent consumers from linking up with businesses off of their platforms.
Prevent users from uninstalling preinstalled software.
Track end users for the purpose of targeted advertising without users’ consent.
If it seems like these are aimed at the Apple App Store and Google Play Store, well, congrats, you cracked the code. The DMA aims to help businesses have a fairer environment in which to operate (and not be completely beholden to the gatekeepers), and allow for smaller companies to innovate without being hampered or outright squashed by established interests.
Data compliance is critical, and the punitive aspects of GDPR’s enforcement means your team must have a solid strategy for compliance.
The most important aspect of dealing with any regulatory issue is first knowing what’s required for your business. Yes, you’re collecting emails, but to what end? If that data is necessary for your business to function, then you have your base-level requirements.
Matching those up against the relevant regulations will provide you with a starting point from which you can begin to develop the processes, procedures, and applications that will allow your business to thrive. Don’t rely on “that’s how we’ve always done it” or “we’ve seen other people do x” as a business strategy.
The regulatory environment is constantly shifting, and it’s important to both keep abreast of changes as well as always knowing what data and services are integral to your business’s success. Keeping up with the prevalent standards will aid you not only in not getting sued, but also ensuring your companies that you’re a trustworthy and reliable partner.