Understanding GDPR and Privacy

On May 25, 2018, the General Data Protection Regulation (GDPR) becomes enforceable across Europe. According to Wikipedia:

The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Because these changes include data collected outside the EU, its impact is global. For example, if you store user data in the U.S. for someone in the EU, you’re subject to these laws. I think this is a good thing for users, but what does that mean for us as web builders?

I recently came across this article written by Heather Burns for Smashing Magazine. It contains an excellent breakdown of GDPR requirements, what data is protected, and tips for how to go about adapting. Some of my favorite bits:

Europe’s data protection regime stands in stark contrast to that of the U.S., which has no single overarching, cross-sector, or cross-situational data protection law. […] This cultural difference often sees American developers struggling with the concept of privacy as a fundamental human right enshrined in law, a situation which has no U.S. equivalent.

GDPR requires the adoption of the Privacy by Design framework, a seven-point development methodology which requires optimal data protection to be provided as standard, by default, across all uses and applications.

You can read more about PbD here.

A Privacy Impact Assessment (PIA), which is required under GDPR for data-intensive projects, is a living document which must be made accessible to all involved with a project. It is the process by which you discuss, audit, inventory, and mitigate the privacy risks inherent in the data you collect and process.

These items seem less like extra work and more like work that should be done from the beginning as a default. Just as we formalize accessibility, performance, and browser/device support standards, we should be doing the same for privacy and data protection.

But what about third parties? If I have Google Analytics on my site (I don’t), who is responsible for that data?

As I understand it, according to GDPR, the site/app owner is the ‘data controller,’ and the third-party service (like Google Analytics) is the ‘data processor.’ It is up to Google to be sure the data they process is GDPR-compliant, but it would also be up to me as the data controller to be sure that my third-party vendors and services are in compliance. These roles further reinforce the need for organizations to regularly audit and itemize the third-party scripts and services they include with their web pages.