GDPR for Developers
I have watched Andrew Norcross's GDPR for Developers talks.
I downloaded his slides and these are my notes:
GDPR stands for General Data Protection Regulation
- Right to be informed.
- Right to data access.
- Right to be forgotten.
Are users worried about Privacy?
- 92% worry about their privacy online
- 31% understand how companies collect and share their personal information.
- 74% have limited their online activity in the last year due to privacy concerns.
This is all about data. In specific, personal user data.
In specific, data defined as any information relating to an identified or identifiable natural person.
Data is worth Money.
The data does not belong to you anymore.
Because really, if you can't carry it on your back at a dead run, it never belong you anyway.
We have never really considered the ownership of the data that came through the software we built.
Why does this matter?
James Liang. he’s the engineer for Volkswagen who was sentences to 40 months in prison for their emissions scandal.
An important note from the case: While he was not the ‘mastermind’ he played a large role.
What should I do about it?
What defines Personal Data?
Any information relating to an identified or identifiable natural person. which is different than personally identifiable information.
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
- Sex life or sexual orientation
- Past or spent criminal convictions
- Genetic data
- Biometric data
- Location data
- Pseudonymized data
- Online identifiers
- IP addresses
- Mobile device ids
- RFID tags
- MAC Addresses
- Cookies / telemetry data
- User ids and emails
Does it apply to me?
GDPR applies to everyone (who does business with the EU). GDPR applies to all businesses, organizations, sectors, situations, and scenarios, regardless of size, employees, or revenues.
How does it work?
Everything involving the entire data collection process basically falls under two baskets:
- Data Controllers - decides what data is collected, how it is used, and whom it is shared with.
- Data Processor - any entity other than the data controller who processes the data on their behalf.
Privacy by design
Its a seven-point development methodology which requires optimal data protection to be provided as standard, by default, across all uses and applications.
Need to know everything
- What / how you’re collecting
- Where / how you’re storing it
- Who can access it
Privacy impact assessment
This is a requirement for data-intensive projects and needs to be documented and made accessible for anyone involved with the project and can be requested by regulators in the event of a breach.
- Is this actually enforced? Yes. In January of 2019, France fines Google $57 million for GDPR violations.
- Will they really notice me? A German social media provider received an order to pay a €20,000 fine for a data breach that occurred in the summer of 2018. and they cooperated every step of the way.
- Ignorance is not an excuse.
- Privacy is paramount. User privacy (and security) is more important that anything marketing wants.