Two of the biggest buzzwords of 2018 are Serverless and GDPR. So, when I saw a talk titled “How to go serverless and not violate the GDPR”, I was hooked!
There are good reasons why everyone is talking about Serverless and GDPR. Serverless technology transforms app development. Getting rid of the backend servers and connecting directly to service APIs simplifies development significantly. Meanwhile, the adoption of GDPR on May 25th, 2018, saw a radical change in emphasis for data protection. Suddenly, developers and app providers became responsible not just for protecting user data, but also for providing mechanisms that let users access and delete their data and give consent to how it is used. All of this is backed up by the threat of some of the toughest fines in the world.
For many people, GDPR threatens to kill off the serverless dream. In a serverless architecture, how on earth do you know where your data is being stored, how do you ensure it’s deleted and how do you control access to it? Surely, that makes it totally incompatible with the aims of GDPR?
In the talk, Sebastian Schmidt and Rachel Myers, both engineers on Google’s Firebase team, showed how Firebase can solve these issues using its security, logging and record deletion APIs. They gave some great advice on how to design a GDPR-compliant serverless app:
After the talk, I caught up with Rachel and asked how to apply this to an existing app. Her advice was “It’s possible, but it will be harder!” As with building an app from scratch, the first step is to understand exactly what data your app stores and then check if it is needed, or can be simplified/removed. You can then apply the guidelines above and hopefully make your app GDPR compliant without too much pain!
So, GDPR doesn’t mean the end of the serverless dream. You just have to make data protection one of your key design considerations.