Ethics as technical solution

Or how to avoid another GDPR meeting

I recently blogged about why regulations are bad, and how they help big corporate. But big corporate is being challenged too, and the usual response is to hire a team of lawyers and have them schedule endless meetings across the company.

Regulations are one thing. They demand the absolute minimum with an absolute maximum of bureaucracy. This is an opportunity to take an engineering approach. To find purpose. To do better than demanded. And to do it right from a technical standpoint.

So, what can an engineer do?

Start by asking the question. Ask it of the one person who is not at the meeting table: the customer. Your customer. What would she think if you discussed how to find a loophole in the regulation instead of taking care of her wish that her data be treated with the respect and privacy it deserves?

I’m glad we agree. Let’s dive into simple technical solutions. First, end-to-end encryption, both in transit and at rest. This might have been hard a few years ago (remember self-signed certificates on a local intranet?), but in today’s world of cloud computing there is no excuse for not using HTTPS with a free certificate, or for not enabling the encryption-at-rest option for storage, backups and databases.

Use an external authentication provider to authenticate access to your systems. Don’t reinvent the wheel. Auth0, Facebook Connect, Azure AD and many others have long solved OAuth and SAML authentication and can be connected to directory services for federated logins. Most third-party systems support that, and custom services should leverage those providers and only handle the straightforward step of validating the JWTs they issue.

Encryption and authentication alone don’t solve the privacy problem, especially if everyone working in your company has access to the data. Tokenizing data that contains personal information, however, takes this to the next level, especially for central log or analytics systems. Those systems often contain the full contact details of a customer. But why? Why would you expose your analytics system to a data breach that can be carried out with a simple “select email from customers” query? Why isn’t it enough to store just the postal code and the country, and perhaps a token that serves as a useful primary key for the customer address without carrying any personal information?
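As an added example (not code from the original post), the tokenization step described above in Python: the record handed to the analytics or log system keeps only postal code and country, plus a keyed-hash token that the customer system can map back to its own primary key. The field names, the sample record and the demo key are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed demo key. In practice the key stays with the customer system,
# never with the analytics or log system that receives the tokens.
DEMO_KEY = b"constructed-demo-key-replace-me"

# Assumed schema: fields that must not leave the customer system.
PII_FIELDS = ("name", "email", "street", "phone")
# Coarse fields that keep analytics useful without identifying one person.
EXPORT_FIELDS = ("postal_code", "country")


def customer_token(email: str, key: bytes) -> str:
    """Stable, non-reversible token for one customer (keyed hash of the email).

    HMAC rather than a plain hash: whoever dumps the analytics store cannot
    brute-force the tokens back to email addresses without the key.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


def tokenize(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Shape a customer record for the analytics/log system.

    Only EXPORT_FIELDS are copied; everything else is dropped by default, so a
    column added to the source table later does not leak by accident.
    """
    out = {"customer_token": customer_token(record["email"], key)}
    for field in EXPORT_FIELDS:
        if field in record:
            out[field] = record[field]
    return out


def contains_pii(record: dict) -> bool:
    """Guard to run before writing anything to a shared store."""
    return any(field in record for field in PII_FIELDS)


# Constructed sample row, as it might sit in the customer database.
SAMPLE_CUSTOMER = {
    "id": 4711,
    "name": "Jane Example",
    "email": "Jane.Example@example.com",
    "street": "1 Sample Street",
    "phone": "+1 555 0100",
    "postal_code": "8001",
    "country": "CH",
}
```

Running `tokenize(SAMPLE_CUSTOMER)` yields a record with only `customer_token`, `postal_code` and `country`, which is what the analytics system should ever see.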

And finally, there are still regulatory requirements you need to meet, such as having a data protection officer assigned. But hopefully that is just a small administrative overhead on top of everything you already do. All the things you do much better than the regulation demands.

Disclaimer: The above is a simplification meant to make a point. There’s more you can and should do from a security and privacy standpoint. And there are a few more things you must do to stay aligned with regulatory authorities.

Regulations are bad

Or how they help big corporate. And how to navigate them as a small company.

I don’t think it comes as a surprise to anyone. But regulations are a hot topic recently. They are created with all good intent. But in the end, they only help the largest corporations, and sometimes destroy the smallest companies.

So, let’s start with a popular example: GDPR. There is one very visible side effect of it, the cookie consent banner that pops up on most websites these days. Adding this banner is relatively straightforward from a software engineering perspective, but for small companies it is either mission impossible or an expensive exercise. Small companies (outside the tech world) don’t have much idea what a cookie is or what privacy implications it has, but they still run a website, often on WordPress or Shopify. It was easy to set those websites up self-service. But all of a sudden they have to choose between millions of plugins that claim to have the best cookie consent banner for their small website. And once they have activated the plugin, they won’t know whether it even complies. Or they contract a software engineer, and the whole margin of the past month is gone for a few cookies. With all the good intent, the small can only lose.

Let’s move to food. Labels are popular. From sustainable fishing to organic food to socially responsible sourcing. Labels have good intent. They help to identify a standard quickly. Take fair trade as an example. The fair trade price is meant to pay the world market price plus a premium. A premium that should reach the producer, or better, the worker at the farm. The deal is that the premium must first be used to improve working conditions, so that workers benefit in a way that can easily be audited. Sadly, the premium isn’t a lot, and often the certification process and keeping the authorities happy for renewals cost more than the premium alone. So for the smaller producers it could actually mean less money for the workers. And the very small can’t even afford the certification in the first place. The small can only lose.

Big corporate loves regulations, and their complexity. They have the lobby on their side, so regulations end up highly complicated; the lawyers to find the right loophole; and the money to actually operate within those regulations. And they have independent lawyers on their side who hunt for the small who don’t (or rather, can’t) comply, simply to make money from them. The small can only lose.

So, what’s your choice? Regulations cover the minimum only. Loopholes included. Then there’s ethics. It’s what should be done. It’s way above regulations. Write it down for yourself as your principles. Make decisions following these principles. Your customers will understand them if you are consistent. And they’ll stay loyal as long as you stay true to your principles.