TL;DR: The European Union's General Data Protection Regulation (GDPR) establishes data privacy and security measures for EU citizens. Compliance requires regular data breach threat assessments, staff security training, and updates to platform infrastructure to protect these newly established rights.
The most comprehensive international data privacy and protection standard is the European Union's General Data Protection Regulation, which outlines protection policies for EU citizens. Even companies outside the EU choose to become GDPR compliant for various reasons.
Chief among them, data breaches are costly. Recovering platform integrity, loss of proprietary software, and the costs of rapidly expanding data security measures are one side of these costs, but there are also fines, lawsuits, loss of certifications, and reputation damage to contend with as well.
Maintaining a higher data security standard further improves platform response in the event of a breach and allows businesses to operate for a global audience.
Here, we'll cover who must be compliant under GDPR, how it might alter your development pipeline, and why you might care about GDPR standards regardless of the type of information collected and processed by your platform.
Before you continue: This isn't legal advice. You should consult with legal counsel to ensure you're implementing GDPR properly for your circumstances.
The GDPR covers data collected from citizens of any European Union Member State. Each member state has its own governing institution that cooperates with the others to prosecute institutions found to violate the GDPR.
While the GDPR does not explicitly cover international organizations, companies may only provide data from EU citizens to these organizations if the situation or organization is deemed acceptable under GDPR standards. As such, a French firm may only provide data to a U.S. firm if that U.S. firm demonstrates compliance with the relevant sections of the GDPR.
The GDPR is known as the strongest international data protection act for a good reason - its broad definition of personally identifiable information covers a large spread of information. However, the coverage and protection differ between data types. Some notable inclusions:
Compliance includes regular threat assessment and training that must be built into the development pipeline. The GDPR also established citizens’ rights to their data. Developers must design or adjust their platforms with these rights in mind.
Even if your platform doesn't fall directly under GDPR regulation, building compliance strategies into your workflow can still be beneficial. The practices recommended or required by the GDPR promote a more intentional, secure development pipeline.
Protecting customer data is essential for building and maintaining trust. Your data is one of the most valuable parts of your organization. Did you know Doppler can help protect your data by ensuring secure access to your application secrets? Learn more about how we can help manage your API keys, tokens, and more.
Stay up to date with new platform releases and get to know the team of experts behind them.
Trusted by the world’s best DevOps and security teams. Doppler is the secrets manager developers love.