GDPR - May 26th Onward



May 27, 2018

The GDPR is in effect. The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law that is now in effect. This affects all organizations that service European citizens. In North America, most organizations only became aware of it recently.

The policies of the GDPR are quite broad and establish a bold Privacy by Design framework. Ann Cavoukian published the 7 Foundational Principles of privacy nearly a decade ago. At the time she was the Information and Privacy Commissioner of Ontario. Since this time the amount of personally identifiable information (PII) has skyrocketed. The impact of corporate access to PII by firms like Cambridge Analytica is only now being understood.

The principles of privacy should be fundamental to how developers build software. Unfortunately, like security, accessibility, and sustainability, it often takes a back seat. Customers have been more motivated by convenience and "bling". Consistent application of best practices is something that is difficult to measure or check.

This is not just a concern for companies that produce proprietary software. Open source software (OSS) is driven by the same economic incentives as the rest of the tech sector. There is a solid understanding of the need for security, but not much incentive to care about privacy. The GDPR has changed that.

Now to be GDPR compliant you need to do more than alter your technology. Giving people control over their data will force organizations to re-evaluate many processes. This is a legal issue, and organizations should seek advice to reduce their risk.

There are things that we can do to build privacy-by-default thinking into how we build our systems. In an ever more interconnected world, having privacy respected will become critical. Living in a free, open democracy requires that citizens are able to act autonomously.

The GDPR is global. The first targets of enforcement efforts will most likely be big corporations. The European Union is going to have to prioritize its efforts, so many small organizations outside of Europe will probably face limited risk.

A huge percentage of the internet is driven by OSS like Drupal & WordPress. At this point, there is very little software that is built with privacy by default. Mozilla has been working to build their browser with this principle. It takes a real conscious effort to do this. I looked at creating some good defaults for the GDPR early last year. Only in the last two months have there been real changes to popular modules used in the community. There are still no substantial changes to how PII is handled in Drupal Core.

I've been impressed by the efforts I've seen in the Typo3 & WordPress communities, but it is going to take a long time. Adjusting software development practices so that PII is separated from other data is a huge undertaking. It will take a real investment in open source libraries to see that privacy best practices are just normal.

This is a big challenge, though, and is really best addressed by a vibrant community. A best practice for privacy needs to be adopted and replicated so that it can be cost-effectively implemented. Several software communities now have a GDPR team to help with implementation. These people need more resources to see that adoption can scale consistently.

Much of the GDPR will come down to how it is enforced. It seems clear that this policy is evolving and that other governments around the world are looking at this model. Privacy concerns are here to stay. We can all do more to see that our rights are protected.

About The Author

Mike Gifford is the founder of OpenConcept Consulting Inc, which he started in 1999. Since then, he has been particularly active in developing and extending open source content management systems to allow people to get closer to their content. Before starting OpenConcept, Mike had worked for a number of national NGOs including Oxfam Canada and Friends of the Earth.