Last Update: 2020-03-02
Why I, as a software developer, love the GDPR
by Philipp Stiefel, originally published February 28th, 2020, last updated February 28th, 2020
It’s almost two years since Regulation (EU) 2016/679, better known as the GDPR (General Data Protection Regulation), came into effect.
If you just came here for the GDPR Whitepaper for Access and SQL Server developers, scroll right to the bottom of this page for a download link.
The anxiety the GDPR caused among people handling personal data, any personal data, has been unprecedented in my experience. Small organizations were close to panic in the weeks and months leading up to the GDPR becoming enforceable on 25 May 2018. Some small clubs and other non-profit organizations decided to close down rather than put in the effort to become GDPR compliant or run the risk of violating the GDPR and facing the huge fines that were being talked about at the time.
In the developer community I am part of, many people complained about the additional bureaucratic and technical burden this would impose on their business and their clients. They were afraid that this would create more work for them, work that clients would be reluctant to pay for. They were afraid that the regulation would require them to implement legal requirements that are difficult, if not impossible, to implement technologically.
All Quiet on the Western Front
Since I live in Germany, all of the above applies mostly to people in Germany. – That should strike you as very odd if you are aware of German data protection rules. Germany had a very strong data protection law (the BDSG, Bundesdatenschutzgesetz) already before the GDPR came into effect. Actually, the GDPR did not change that much compared to the previous legal situation. The most significant change was the severity of the potential fines for violations, which increased massively.
So, what does this tell us? – People in Germany were not aware of the existing legal requirements before the GDPR put those requirements into the spotlight of public discussion. The persons in charge of their organizations did not care too much about those regulations because ignoring them would not cause significant harm to them and their business.
This has changed with the GDPR. – A huge improvement!
I’m a Person
Obviously, I am a person. As a private person I love the GDPR. It gives me more control over who stores and processes my data. Now, with the significant increase in fines and much easier ways to complain about non-compliant companies to the data protection authorities, all businesses, including big corporations such as Facebook and Google, are much more receptive to the data protection concerns of their users and customers.
The central point of the GDPR is willful and explicit consent to the types of data processing at the time I entrust my data to a third party. This requires the third party to provide information on how they intend to process the data. – This requirement is a huge gain for every consumer.
I’m a developer
So, while the benefits of the GDPR for private persons are obvious, what about us developers? Even as a developer, I love the GDPR!
I take pride in developing applications that keep the data stored in them secure. I always did, but in the past, I had to wrangle with customers who did not want to spend the extra money or shunned the extra complexity in their processes required to make their applications secure and GDPR compliant. This discussion has mainly evaporated with the GDPR in effect. Now, customers are willing to set aside a budget for data security. Now, they are willing to (re-)design their processes with data security in mind.
Yes, there is a bit of bureaucracy involved in being GDPR compliant. However, the documentation you are required or encouraged (depending on your business and the data processed) to create and maintain also helps you make your business data-security aware, GDPR compliant and subsequently more trustworthy for your clients.
Would you work with partners who do not care about data security? Would you run the risk of having your business data, like business contracts, source code, process descriptions, client and customer data, or financial transactions, spread across the internet? Certainly not! – And yes, some of the above-mentioned data is not personal data covered by the GDPR. Nonetheless, don’t expect a business to protect some data well while ignoring the security of other data. Data security needs to be baked into the very core of your business and its processes.
Putting yourself and your business in a position to be positive about GDPR requirements and compliance with them is a huge business advantage. You can sell data security to your clients. It is also something that will be expected of you, and it will hurt your business if you ignore it.
Small software business – Not affected?
So, if you own a small software development shop working with Microsoft Access and SQL Server, you might think you are not really affected by the GDPR. You just build solutions, but you don’t process any data, do you? – I bet you do! I run such a business myself.
But before we get to the matter of data processing, let’s look at your core business first.
You develop database software that stores and processes personal data? Your software should be GDPR compliant! There is no way around that. Privacy by design and privacy by default are explicit requirements for software systems. You need to consider that when building software for clients, otherwise your software might be unsellable and unusable, not technically but legally.
But back to your own business and its processes. You get sample data from your customers to implement new features. – Is this really just sample data? More often than not, it is real data. Potentially personal data covered by the GDPR. As soon as it ends up in your mailbox, it is personal data you are responsible for protecting!
As a developer working with your client’s data you need to be aware that it is real persons’ data you are working with. These are not generic, fictitious names, addresses and information. It is the data of persons like you. I once encountered the record of a classmate from school in my client’s production database while diagnosing a technical problem. This was sensitive data he certainly would not want anybody to know. – I had a legitimate reason to see this data in this situation, but I will never ever mention anything about it to anybody else.
Always remember, somewhere else there might be someone looking at your personal data. – Behave the same way you expect that person to behave regarding your data.
Not in Europe - Why would you care?
You are not based in Europe, so why would you care about the GDPR? The GDPR is a European regulation. So, it does not affect you if you are not in Europe, does it? – Wrong. The GDPR has extraterritorial reach and applies to every company anywhere in the world processing personal data of EU citizens.
Of course, it is another question how this regulation could be enforced outside the EU. This is a much more difficult matter and it is hard to find any references explaining this in layman’s terms.
In any case, it is reasonable to assume that any company based in a country with close trade links to Europe will face legal repercussions for gross misconduct regarding the GDPR on a substantial scale.
In addition to this immediate effect of the GDPR outside Europe, there is also an indirect effect. Other jurisdictions implemented (or are planning to implement) data protection laws that are inspired by and have huge overlaps with the GDPR. – The California Consumer Privacy Act is a notable example of this.
Of course, the GDPR is not perfect. It also has weaknesses.
One example we experience every day is the omnipresence of the annoying cookie consent notices on most websites. Actually, these cookie notices are not new. They originally came into existence with the EU ePrivacy Directive 2009/136/EC (“EU Cookie Law”). – Unlike an EU Regulation, an EU Directive is not a law by itself, but rather a guideline to the member states on how they should implement a national law.
In Austrian and German law before the GDPR, the technical configuration of the browser was considered sufficient to cover cookie consent. – If your browser accepted a cookie, the site sending the cookie could assume consent. – This is a reasonable and easy approach. Unfortunately, as national legislation, it had only very limited effect on the internet as a whole.
With the GDPR requiring explicit consent to data processing, the above technical solution is generally not considered compliant anymore. – It is clearly a weakness of the GDPR not to provide for such technical solutions for everyday operations.
GDPR Whitepaper for Access and SQL Server developers
In general, the GDPR provides no practical implementation guidelines to data processing businesses and little advice on concrete technical measures. This makes it hard, particularly for small businesses, to change their processes to be GDPR compliant.
It’s even harder for software developers. There are plenty of resources available on data security but most of them target big corporations or sizeable software consulting businesses. If you work in a small software shop, developing solutions for small and mid-sized businesses, there is only very little information tailored to your particular requirements.
It gets worse if you need to look beyond data security and need to advise the whole business on a GDPR compliant implementation of its processes. – Hardly any resources are available.
To improve this situation, I joined Karl Donaubauer and Bernd Jungbluth, two certified data protection officers and experienced Microsoft Access and SQL Server developers respectively, to write a guide to GDPR implementation for database developers.
This whitepaper is intended for IT professionals and database developers. Unlike the plethora of books in legalese written by non-technical lawyers, this whitepaper explains the EU GDPR in understandable language and condensed form. We focus on the essential information every software developer working for small businesses needs to know.
We draw from our rich experience working for our clients on practical implementations of GDPR compliant business processes and database applications. While we focus on Microsoft Access and Microsoft SQL Server in the sections about technical implementation, the content of this mini eBook can be easily adapted to other DBMS and development platforms.
Download: GDPR for Database Developers – Whitepaper (version 1.0.2, current as of 2020-01-27)
© 1999 - 2019 by Philipp Stiefel