The struggle between GDPR and Agile

Ever since the introduction of GDPR, it has held my interest. Nobody would deny that it is something very important for ICT. Yet almost no ICT person knows much about it. Courses are given about GDPR, yes. But those courses are given for employees in general, not for ICT teams. This, combined with some trends in Agile and ICT surrounding legislation and standards, worried me.

This blog applies to any legislation or standard, but GDPR has two benefits for me. Benefit one: it relates to a lot of companies and their software. Benefit two: this year I finished a course to get the basic knowledge of GDPR, because I wanted to have more knowledge about it as a tester.

So, how do we handle GDPR in an Agile project? Well, in my experience GDPR is most of the time not discussed within an Agile team. The Agile team doesn’t have the knowledge. GDPR is handled by experts, people who are trained for it. But they are not part of an Agile team. They sometimes don’t even know what Agile or a method like Scrum is, or how it works. But why is that a problem?

Have you ever tried to read the GDPR legislation? Did you understand it? I followed a course and I still struggle to apply it in the situations I find in my job. You need to be an expert. But on the other hand, you have the ICT part: working with a method where not everything is known at the beginning, change happens all the time, and knowledge is most of the time in heads, not on paper. Even if you are an expert, how can you make sure the end solution complies with GDPR?

Of course, you can say: from now on ICT is responsible for GDPR compliance. This brings the next problem: most Agile people cannot handle big documents. I was trained in waterfall, which meant I had to handle big documents with functional descriptions and technical descriptions. So, when I got a piece of legislation or a standard, it was just another big document to figure out. Now with Agile, big documents are not allowed. Information should be short and to the point. GDPR legislation certainly is not. Most people wouldn’t know how to translate that big document into small Agile changes. But neither do the GDPR experts.

When it comes to GDPR and Agile I am missing three things:

  1. Working together
  2. Translation from GDPR to Agile
  3. Knowledge sharing

Working together

In my opinion, GDPR in the software is not only the responsibility of the GDPR expert, nor only the responsibility of the Agile team. To make the right decision you need at least two heads: one head filled with how you should interpret the GDPR in a certain situation, and one head filled with how the software works now, can work, and might work in the future. Only if those two heads combine their knowledge very often will you be able to comply with GDPR in your Agile process.

Translating from GDPR to Agile

GDPR must be translated into a form that can be used in an Agile project. And I see two important steps for that. First: what part of GDPR is important for your software? All the information about the register of processing needed for GDPR is not important for software building, no matter how important it is for GDPR. But ‘Privacy by default’ and ‘Privacy by design’ certainly are. (Google it, if you don’t know what it is.) Second: can we make general rules for this that we can check? An example of a rule is: when we ask permission, we should log this permission. Such rules are already much easier to apply in Agile than a law mentioned somewhere on page 3.
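As an added illustration (not code from the original post), here is what such a checkable rule can look like once it is written down: every consent we ask for is logged, and any processing of personal data for a purpose must be backed by the subject's most recent logged consent for that purpose. The record layout, the in-memory log and the sample subjects and purposes are all assumptions made for this example; the data at the bottom is constructed.

```python
"""Consent log plus an automated check for the rule
"processing for a purpose requires a logged, still-valid consent".

Added example, not from the original post. The record layout
(subject_id, purpose, granted, recorded_at) and the in-memory
store are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One logged answer to a permission question."""
    subject_id: str
    purpose: str
    granted: bool          # False records a refusal or a withdrawal
    recorded_at: datetime


@dataclass
class ConsentLog:
    """Append-only log: we never edit history, we add a newer record."""
    records: List[ConsentRecord] = field(default_factory=list)

    def record(self, subject_id: str, purpose: str, granted: bool,
               at: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, granted,
                            at or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        """Most recent record for this subject and purpose, if any."""
        matches = [r for r in self.records
                   if r.subject_id == subject_id and r.purpose == purpose]
        return max(matches, key=lambda r: r.recorded_at) if matches else None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The rule: the newest logged answer must be a grant."""
        rec = self.latest(subject_id, purpose)
        return rec is not None and rec.granted


def check_processing(log: ConsentLog, actions: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the planned processing actions that break the rule."""
    return [a for a in actions if not log.has_consent(a["subject_id"], a["purpose"])]


# --- constructed sample data, for illustration only ---------------------
def build_sample_log() -> ConsentLog:
    log = ConsentLog()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log.record("alice", "newsletter", True, t0)
    # alice withdraws a month later; the newer record wins
    log.record("alice", "newsletter", False, t0 + timedelta(days=30))
    log.record("bob", "analytics", True, t0)
    return log


SAMPLE_ACTIONS = [
    {"subject_id": "alice", "purpose": "newsletter"},   # withdrawn -> violation
    {"subject_id": "bob", "purpose": "analytics"},      # granted   -> ok
    {"subject_id": "carol", "purpose": "analytics"},    # never asked -> violation
]


def violations_in_sample() -> List[Dict[str, str]]:
    return check_processing(build_sample_log(), SAMPLE_ACTIONS)


if __name__ == "__main__":
    for v in violations_in_sample():
        print(f"no valid consent: subject={v['subject_id']} purpose={v['purpose']}")
```

The point of writing the rule this way is that a tester or a pipeline step can run it against a release, instead of everyone having to re-read the legislation; a withdrawal is just a newer log entry, so "the latest answer counts" is the whole check.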

Knowledge sharing

I believe in having the right knowledge, but although I followed a course, I know not everyone can do the same. So I would encourage companies (both software building companies and ICT education companies) to start giving the course ‘ICT and GDPR’. And also the other way around: GDPR experts should want to know more about Agile, Scrum, and testing, so they know when you can check on GDPR and when not, and how you can check on it. What do Agile, Scrum, and software testing offer to verify compliance with GDPR?

Opening eyes

My biggest hope with this blog is that people start to see the problem, and start talking about it. I believe that in the end we can only solve this problem if we know what the other side can, but also cannot, do. That we don’t expect miracles from someone. That we show interest in the other side and start listening to each other. I do not have the perfect solution yet, but if we work together, I believe we will find a way to make GDPR a perfect fit with an Agile project.
