How to comply with GDPR in a serverless world

Two of the biggest buzzwords of 2018 are Serverless and GDPR. So, when I saw a talk titled “How to go serverless and not violate the GDPR”, I was hooked!

There are good reasons why everyone is talking about Serverless and GDPR. Serverless technology transforms app development. Getting rid of the backend servers and connecting directly to service APIs simplifies development significantly. Meanwhile, the adoption of GDPR on May 25th, 2018 saw a radical change in emphasis for data protection. Suddenly, developers and app providers became responsible not just for protecting user data, but also for providing mechanisms to allow users to access and delete their data and provide consent about how it is used. All this backed up by the threat of some of the toughest fines in the world.

For many people, GDPR threatens to kill off the serverless dream. In a serverless architecture, how on earth do you know where your data is being stored, how do you ensure it’s deleted and how do you control access to it? Surely, that makes it totally incompatible with the aims of GDPR?

In the talk, Sebastian Schmidt and Rachel Myers, both engineers on Google’s Firebase team, showed how Firebase can solve these issues using its security, logging and record deletion APIs. They gave some great advice on how to design a GDPR-compliant serverless app:

1. Reduce the amount of data your store. If your app needs to check users are over 18 and EU citizens, don’t store their DOB and country of origin, just use flags for is_adult and is_EU.
2. Analyse exactly what data you need to store. Move away from “store all the things”. Do a proper audit of your app and be prepared to repeat this as your design evolves.
3. Make it easy for the customer to delete their data if they no longer want it stored.
4. Don’t rely on customers deleting stuff – if data becomes obsolete, you should proactively delete it.
5. Ensure you get clear consent from your users and, importantly, make sure you log this in an append-only log.
6. You need a plan for how to deal with existing data if your customer withdraws or alters their consent. The right plan may depend on the type data and the app.
7. Use good access controls to make sure private data can’t be seen by anyone other than the user. Make sure any privacy settings are persisted properly.
8. Log everything! Audit logs are essential to show you are being compliant with GDPR.

 
During the talk at Codemotion Berlin 2018, we were shown how Rachel used Firebase to create the Friendly Pix application. Following the advice above to ensure GDPR compliance.

After the talk, I caught up with Rachel and asked how to apply this to an existing app. Her advice was “It’s possible, but it will be harder!” As with building an app from scratch, the first step is to understand exactly what data your app stores and then check if it is needed, or can be simplified/removed. You can then apply the guidelines above and hopefully make your app GDPR compliant without too much pain!

So, GDPR doesn’t mean the end of the serverless dream. You just have to make data protection one of your key design considerations.