GDPR (General Data Protection Regulation) has been all the rage for the last few weeks, but I've been sitting back until the dust settles a bit. For those that don't know what GDPR is, it's legislation passed by the EU that will change how data-centric companies like Facebook can store, use, transmit, and present our personal information.
First, I want to start with a simple picture that I shamelessly borrowed (source below - it's a good read too):
This short flow diagram makes it simple to read, but is missing some nuances concerning data that starts in the US and may be processed in the EU. For that sort of data, I'm pretty sure that you'd want to follow the GDPR guidelines anyways.
Why does my US company care about GDPR?
Very simply, GDPR is going to change the way:
- We use apps
- Apps get built
- We think about privacy
Before we get too far off topic, I want to be clear that I don't expect legislative action from the US to be the same as the EU, nor do I expect it to be as comprehensive. However, I do expect that it will impact US businesses who value ethics and integrity, and that's why I'm writing here.
GDPR Effect: How we use Apps
This can go both ways! First, it's clear that it's already making companies be more transparent with their data processing. We've already seen that, especially with the Facebook trials. However, we've also seen some example of companies "technically" following the rules while simultaneously making people mad. Check this Reddit post about Tumblr's terrible design choices for securing your data:
In case it isn't clear, Tumblr now currently allows you to prevent your data from going to its data partners, but you have to shut off each one individually AND it sometimes doesn't save your several-hundred-clicks. That's why there's a whole subreddit devoted to terrible design choices.
GDPR: How apps get built
In line with the UI design "features" of the Tumblr app above, GDPR is going to fundamentally change how good developers design their data structures. A large component to GDPR is anonymization and psuedo-anonymization of data. To the end users, this simply means:
Some level of anonymization has been happening for a long time, but GDPR makes it a requirement wherever possible for EU companies. Anonymization is quite complex and I won't dive in further here, but there's another perk to this change - how we think about it all.
GDPR: How we think about privacy
"Privacy as a default." This is now part of a legislative act that affects a large portion of the OECD countries. Think about that for a moment. Privacy rules, laws, and activities have become so diluted that a law had to be written to get companies to think about it again. That is huge.
"Privacy as a default" is one issue that I take very seriously - so seriously that I quit Facebook back before they went public. I'm sure that this standard will be fighting an uphill battle in the US, but it's important to let business know that users are paying attention.
I'm a Developer in the US - why do I care about GDPR?
In short, GDPR should change the way you're doing work today. You want your apps to be forward-thinking and future-proof? Great, read the guidelines and implement what you can. It will only make you a better developer and make your product stronger.
If you're a developer and want further reading, check out the links below. They dive into the details better!