Developers: Your GDPR Compliance Guidebook

Fifty million euros. Safe to say that’s a hefty chunk of change. It's also what you wager by not making all of your software GDPR-compliant. Don't believe us? It happened to Google.

The General Data Protection Regulation (GDPR) is a set of user-data privacy regulations established by the EU in 2016 and strictly enforced since 2018. As a developer, it’s critical to have an understanding of data privacy in relation to the GDPR, even if your company isn’t in the EU. You’re the one working to ensure that your app is compliant — not just to avoid those 50M EU in fees but also to respect the privacy and data rights of your users.
Understand what “personal data” means for GDPR complianceThe definition of “personal data,” according to the EU GDPR, is information that is “related to an . . . identifiable natural person.” You might think that sounds a lot like personally identifiable information (PII), but the GDPR personal data is a lot more complex than that.

GDPR personal data includes:

• Name, email, address, phone number, date of birth
• Race, ethnicity, religion, political preference
• Health data, sexual orientation, criminal record, biometric data, genetic data
• Location data, online identifiers (IP, MAC address, RFID, cookies, etc.)

Personal data, in regard to that GDPR, should be interpreted as broadly as possible in order to make sure you’re covered legally. If you have data that is generated by a customer and can be linked to them in any way, that counts as “personal data.”

It’s also important to understand what a “natural person” is, since the definition says that personal data is data that can be used to identify a “natural person.” A natural person just means that the data is linked to a human, not a company, corporation, or organization.

Now that we have a thorough understanding of what data and entities the GDPR covers, we will learn how to make software GDPR-compliant.

Shift your perspective on user data

Applications, websites, companies, and developers are not entitled to their users’ data. Because, you know, it’s the users’ data. The first step on your journey to GDPR compliance is to change your mindset about who the data you collect belongs to. Remember, you are being allowed to use something that doesn’t belong to you.

If you’re sitting there thinking, "Well, my company doesn’t do that," think again. Do any of the following sound familiar?

Your company has a thorough policy around user data that they share with the customer during sign-up. Only thing is, the user is automatically opted in. To opt out, the user must search for the checkbox and uncheck it.

Your company likes to make the user experience as customized to the user as possible. To do so, you collect every last shred of data that you can. Access the user’s contact list? Duh! Peep the user’s location? Sure! Collect audio from the user’s microphone? Why not! Your product managers want you to collect all the user data you can. You’ll figure out how to use it later.

A lot of your product is driven by how the users interact with it. To get more from the data and analytics, you use third-party applications. Your users don’t know that their data is not only being saved by your servers but also being bundled up, sent, and processed by another company. But why should they? They’re enjoying the experience, right?

Unfortunately, all of those scenarios are not GDPR-compliant and are also maybe a little questionable, ethically. Violating boundaries in the name of user experiences isn’t a good look. What is a good look is being transparent with your customers about what data you’re collecting, what you’re using it for, and who has access to it.

Actionable steps for developers to change how they view user data

Here is a list of ways you, as a developer, can help with GDPR compliance:

• Provide clear documentation. Clearly document all the ways that user data is collected and what it is used for. Tell the user how the data is stored and who has access to it, including third parties.
• Create clear opt-in opportunities. When sending your data-collection policy, let your users opt into the data-collection process. Don’t force your users to choose to opt out and go out of their way to do so.
• Only collect the data you need. Have a clear purpose for the data you collect from your users. This isn’t Pokemon. You don’t want to catch ’em all.

Changing your perspective on user data sounds mostly like a mental change, but taking these steps will help you be GDPR-compliant.

Be a good steward of your user’s data

Once a user has consented to let your app collect and use their data, you are responsible for taking good care of that data. Remember, it’s their data. You’re just borrowing it.

It’s unfortunate, but data breaches can and do happen, so you must be prepared. Be proactive with your security in order to mitigate risk. Up your security standards in your app by using only HTTPS for transferring personal data. Encrypt all data, including data at rest and data in transit, from end to end for your app. Pseudonymize data in storage, and anonymize data sent to third parties.  

Finally, remember that any third-party apps you use become a part of your responsibility. If a third-party app that you send data to doesn’t bother encrypting that data and then gets hacked, your customer’s data is now in the hands of a hacker. That means that part of your work to ensure GDPR compliance involves finding out how the third-party apps you use protect user data and also making sure they have a plan in place to notify you in case of a breach, so you can pass that info along to your customers.

Actionable steps for developers to protect user data

Here is a list of ways you, as a developer, can help with GDPR compliance:

• Stay up to date on the latest security standards. Security is a huge field in computer science. Hackers are constantly finding backdoors and loopholes in previously secure systems. As a developer, it’s now part of your job to stay on top of the latest security practices and then introduce them to your app.
• Write code with a security-first mindset. Adding security to your application should be a part of the plan from the beginning. Systems built from the ground up with security in mind are usually the most secure. Also, don’t do dumb stuff, like console.log personal data!
• Put someone in charge of security compliance. It’s a nice idea to think that every developer on your team will stay on top of security, but, in reality, it’s probably better to assign a person (or a team) to do that job. If there is someone at your company who can focus on keeping your systems and practices secure, everyone will be better off.
• Create a breach protocol. You know how we said that security breaches can and do happen? You need to have a plan in place for that scenario. Make sure you are able to tell what systems are hit and what data was compromised, and then form a communication protocol for alerting your customers.

Being a good caretaker of your customer’s data is key to not only achieving GDPR compliance but also gaining and keeping your customers’ trust.

Empower your users with tools to own their data

If the user really owns their data, they should be able to do what they want with it. After all, would you say that you really “owned” a book if you couldn’t write in it, lend it to someone, or rip it in half to show how beefy your biceps are?

Your users should be able to read, export, and delete their data from your application. Unfortunately, many apps are not built with this functionality in mind. Adding in a process to sweep a user’s data from the database can get messy when it’s built in after the fact. Especially if the database wasn’t designed with the best coding practices in mind.

On top of giving the user the ability to delete their data (also known as the “right to be forgotten”), these actions should be easy for the user to find. It’s not GDPR-compliant for a user to have to click into the shady, unvisited depths of your application to get their data out of your app. Finally, once their data is exported, it should be in an easy-to-read format. Normal people don’t gel with JSON.

Actionable steps for developers to create data tools

Here is a list of ways you, as a developer, can help with GDPR compliance:

• Design systems with GDPR in mind. Planning these tools as a key part of your app from the get-go is critical. Not only will they flow with the rest of the functionality better, but they’ll blend in with the rest of the app, too. Plus, adding the ability to export or delete data after the database is created can sometimes be difficult.
• Put GDPR tools in easy-to-find places. Don’t force your users to hunt for the tools they need to read, export, and delete their data. One easy way to do this is to collect their data in some kind of “user profile” or “account” page that is editable, exportable, and deletable.
• Know where to find customer data. In order to serve the user their data on request, you need to know where all that data is kept so it can be bundled and exported/deleted. This can be complicated with pseudonymized data, but it’s necessary for GDPR compliance.

Creating tools for your users to read, export, and delete their own data is a critical part of GDPR compliance. Really, these tools are the backbone of the GDPR. Without these tools, your app definitely won’t be GDPR-ready.

Getting to GDPR compliance

GDPR compliance isn’t always the most fun, but you know what is even less fun? A 50-million-euro fine fine from the EU.

Luckily, there isn’t just one way to get there. Most companies implement (admittedly annoying) banners that ask users for their consent to use non-essential cookies. Another path, which GitHub recently demonstrated, is to remove non-essential cookies entirely.

As a developer, your role in maintaining the safety and integrity of your users’ data is paramount. First, understand exactly what counts as personal data for your users. Then, change your perspective on user data so that you remember that the data you collect belongs to your customers. Next, take good care of your user’s data by enforcing good security standards. Finally, empower your users to own their own data by giving them tools to read, edit, export, and delete their data from your application if they want to.