GDPR IS LIVE
GDPR, like any legislation, has unforeseen consequences and impacts. Not for nothing have we learned how little Congress and the EU Parliament comprehend Facebook or the underlying technologies of the Web, judging by the questions they put to Mark Zuckerberg.
Unless you are currently residing in a cave, your email inbox is probably swamped with mails from websites & apps you have signed up with in the past, asking you to opt in to their updated, GDPR-compliant new ToS.
Last night I shared this video on Facebook Live with my take on GDPR and what might be some issues that did not get proper consideration.
GDPR & Software Development
Over the last 10 to 15 years, the development culture and lifecycle have been strongly influenced by Web 2.0, both for web / mobile apps and for sites. Methodologies also evolved with the technology and platforms to ensure rapid product delivery. Agile & Lean replaced Waterfall methodologies, and the culture included these interconnected practices:
Ultimately MVP (Minimum Viable Product) and the ethos of "let the customer test it" were based on rapid delivery, or a "just ship it" mentality. Some of this was based on fear of not being first to market, some on the fallacy that software testing was a bottleneck.
Beta testing also allowed the release of an incomplete version of the software to a sample group of end users, to evaluate customer satisfaction with the product and its features.
These fly in the face of GDPR compliance. In practice, data protection is something that should be baked in from the start, and until this becomes habit, most will develop their apps and sites first and tack on data protection after the fact.
Where does MVP go from here?
The Warptest POV
GDPR and the "just ship it" mentality of MVP are in conflict. Apps and sites will comply because the alternatives are limited. There are companies already opting to block European users until they can be sure they are compliant. Just today, The Verge reported that Instapaper has done this temporarily. It is safe to assume that smaller developers and startups may opt to keep their apps out of the various European countries' App Stores, Play Stores or Windows Stores, as the scale of the fines is greater than the accrued benefit of onboarding European users prior to compliance.
This leads to some serious questions. What are the geographical boundaries of this law?
- What if an EU citizen uses a VPN or some other method to bypass geo-blocking to download an app? Is the app still liable for any violation?
- What if an EU citizen is on vacation outside the EU and downloads an app or surfs to a site? Where does the EU see their jurisdiction ending regarding data protection of their citizens?
- Microsoft announced that they want to make GDPR the standard for their worldwide operations. Will we see GDPR compliance integrated into their app store and those of Apple, Google, Amazon and others?
Big companies like Microsoft do offer GDPR guidance on how to make company IT compliant, but the most important question is: who in a company developing software, apps or websites should be the expert on GDPR compliance?
The simple answer is that every employee involved in delivery must receive GDPR training, but logically the gatekeeper should be someone versed in compliance issues and in how to verify and report on them. A smart company will ensure initial compliance by hiring an expert (possibly a consultant), but subsequently the best person for the job is one of your testing / QA team.
A catastrophic mistake would be to have an employee brush up on GDPR by Googling it. Whoever the designated gatekeeper is should be sent on the appropriate certification course.
Getting back to MVP, it's going to be up to founders, R&D heads and QA managers to ensure that their processes evolve so that data protection is built in from day 1. If this means an end to MVP and "let the customer test it", then it can only have a positive impact on customer satisfaction.
Personally, one of my bigger problems with GDPR is that the EU has repeatedly demonstrated a litigious attitude with anti-trust cases, often against companies like Apple, Google & Microsoft. Is GDPR just another EU Kickstarter campaign?
Are you ready for GDPR or have you found a way to opt-out?