The implementation of GDPR is challenging for everyone storing and processing personal data. Yes, it concerns everyone, developers included.
Last Friday, on May 25, GDPR went into effect in the entire European Union. There’s a good reason why it’s been stirring up a lot of emotions for months now as this regulation is quite a radical game changer when it comes to the rules of personal data processing that have been in place until now. It affects every single corner of companies’ operations regarding information; starting from the simplest formulas to the most complex processes in organizations.
What do you need to know?
- the concept behind the new law is about sorting out the rules of personal data processing, and it is not intended to make anything more complicated or threaten companies with looming penalties;
- a client, an individual and his rights regarding his data are put into the spotlight, which imposes certain obligations onto the other side (the company which has this client-related data);
- in the new reality every company has a well-defined role to play; it can be either a Data Controller or a Data Processor (which necessitates concluding data processing agreements).
It might seem that the threat of high penalties and legal disputes has forced companies to prepare for the challenge and adapt their own procedures to the new conditions. Of course, we will see how it really works in the coming months; however, the results of surveys conducted recently among companies were not very optimistic. The GDPR Compliance Report by Crowd Research Partners and Cybersecurity Insiders showed that only 40% of businesses were ready to adopt processes for handling the new regulations shortly before the deadline and 7% had already introduced the relevant procedures.
Therefore, it may well be that even though the new regulations have just gone into effect, a large number of companies still fail to fulfil the requirements. Google and Facebook are already facing formal complaints that they’re in violation of GDPR regulations, the penalty for which can be millions or even billions of euros. If your company belongs to this group, stay calm and don’t panic. Controllers won’t impose the highest penalty immediately, but you must implement the necessary changes as soon as possible.
GDPR also applies to small businesses
Let’s make it clear: GDPR does not apply solely to huge corporations and international players. It also concerns the SME sector as well as businesses operating in the B2B sphere by providing other organizations with software. For developers this means that every single application must now be fully compliant with GDPR if its mechanism collects personal data. And we all know perfectly well that this is the case with a vast majority of modern IT applications.
Let’s imagine how many applications require users to log in, which means that they have to register. This mechanism is inseparably connected with storing and processing this information. We must remember that GDPR refers to collecting the data necessary to ensure the app’s smooth operation: only such data can be collected and processed.
Brutal market examples
The biggest digital market players have been getting ready for the change for a long time now. Even if they are overseas companies operating on the EU markets, they must adapt to GDPR.
Developers were outraged when in April, out of the blue, Instagram began to drastically limit access to its API for external applications, both those already present on this social media platform and new ones designed with Instagram in mind. Let us remind you that this platform belongs to Facebook, which has just announced its own changes: disabling access to every application if a user hasn’t logged into it for at least 3 months. Just think how many solutions you now have access to by logging in via Facebook and you will see just how big the scale of the problem is and how huge a new challenge developers have to face. And all this happened all of a sudden, without any time to adapt applications to suit the new Instagram and Facebook requirements.
Apple didn’t just sit back and wait either. For a few weeks now it has been reviewing the applications created by external developers that are offered in its app store. All the applications offered through the App Store that fail to meet GDPR requirements are removed unconditionally and are no longer available for Europeans. For an app to suddenly disappear from the App Store, it sufficed that it was collecting location data and passing it on (for instance for advertising purposes).
Another market giant, Google, immediately followed in its counterparts’ footsteps and undertook the same measures regarding Google Play (its mobile app store).
Some surprising decisions were also made in Poland (Euvic has its headquarters here). Just before the regulation entered into force, the hosting provider nazwa.pl disabled its e-store service, which caused a lot of hassle for many e-commerce businesses, with the exception of those stores that had purchased a GDPR compliance audit at nazwa.pl and agreed to pay a monthly subscription fee for provision of services in line with the new regulations.
Over the last few weeks the Internet has been buzzing with advice and suggestions, not always accurate or relevant for the given market (for instance IT).
To sum up, don’t panic, but remain patient in your efforts to ensure compliance with the new legal requirements. The coming months will show the scale of the problem. I will be closely watching the developments and keep you updated. Let’s stay in touch.
Euvic is one of Europe’s leading IT companies with 1700 highly skilled system engineers and system developers. It provides a full range of IT services like software development, application testing, integration projects, IT service desk, cloud migrations and IT outsourcing. We are expanding into the Swedish market thanks to the confidence of customers within the transportation industry, production industry and service industry.