Developer view on new EU privacy legislation (GDPR)
The EU adopted a new privacy regulation, the General Data Protection Regulation (GDPR), in spring 2016. It enters into full application in spring 2018 and adds a lot of new requirements for handling personal data. It also introduces very high fines, up to 20 million euros or 4% of global turnover, so it's to be taken seriously.
It's a complicated piece of legislation, put together after fierce lobbying and a lot of compromises. The end result leaves a lot of things open. One of the new things in the legislation is the set of direct requirements for the processors of the data. If you're a maintainer of your client's Drupal site, you previously had no direct requirements set by law; everything was the burden of the controller. This changes in 2018.
And leaving the EU doesn't help if you're still maintaining EU citizens' personal data.
In this session we'll go through the main items in the legislation from a Drupal developer's point of view. The speaker is not a lawyer, and the session will not contain any legal advice, but rather a view on what a Drupal developer might expect to land on her desk during the next couple of years. Please remember that there's a lot to interpret in the legislation, and the interpretations as well as the upcoming supplementary local legislation could vary a lot between EU countries.
The key items of the presentation are:
- A brief introduction to the GDPR
- What are the requirements for the processors (Drupal maintainers in this view)?
- What technical challenges might complying with the law bring to a Drupal developer?
- What are the open questions in the legislation from a technical point of view right now?
This is an updated version of the presentation given at DrupalCamp Baltics in October 2016.