On one of my regular wanders down the rabbit hole of legislation, reports, and committee hearings, I found treasure. It was buried in the 2015 transcript of a Lords committee hearing on the Digital Single Market and online platforms. The subject was the UK’s implementation of GDPR. The witness was Giovanni Buttarelli, the European Data Protection Supervisor. He said:
As far as I know, a message has not been passed to designers and developers—those who are planning the future we will inhabit until 2025—that “privacy by design” and “privacy by default” are not simply recommendations but legal requirements.
The problem that this sentence describes has reshaped my life and drives everything I do.
That mission is not about GDPR or privacy or any specific issue per se; it’s about that gulf of knowledge and communication between those who make the rules and those who implement them.
Mr Buttarelli’s words, quickly spoken, are indicative of the root cause of all of our industry’s problems.
And we – both legislators and implementers – are equally at fault.
I was taught that when you have a problem in front of you, it’s not enough to fix it. You have to examine why the problem happened, determine what caused it, and do what you can to prevent it from happening again.
So let’s take this sentence down the rabbit hole.
As far as I know,
If the statement is “as far as I know,” the question is what determines what he knows about the implementation of digital legislation into code. Where does he get his information from? What is the picture he is looking at? Who informs him? Is the picture he sees complete? Is it accurate? What is the norm that, in his view, we are deviating from? What is his fundamental understanding of how our industry works?
a message has not been passed to designers and developers –
To him, the message is clear – and it would be, as it’s his job. To “those who are planning the future” – the front- and back-end implementers – it is unknown. So we need to ask him: what is that message, what does it look like, and who delivers it? What is his presumption about how designers and developers receive that message, if indeed they receive it at all? How does he believe information flows from top to bottom, and what does it look like? Is he making the common mistake of presuming that designers and developers – so many of whom are self-employed and freelance – have a central channel of information through an employer? Is he making the equally common mistake of assuming that workers in this industry have an industry body?
Because if, as far as he knows, a message has not been passed to designers and developers, there is fault on both sides – and that is the starting point for solving the problem.
those who are planning the future we will inhabit until 2025 –
He seems to grasp the importance of those who do the implementing, while oddly standing apart from them. He understands that the two sides, legislators and implementers, hold equal power, but views them as just that – sides – rather than allies who could work together. There is opportunity here, which both he and the Committee missed.
that “privacy by design” and “privacy by default” are not simply recommendations but legal requirements.
This sentiment continues the cognitive bias he indicated with “as far as I know.” The presumption is that designers, developers, and implementers are accustomed to working to clearly explained legal guidelines. They are not.
It also answers our earlier question of what, to him, “the message” looks like: this is the law and you must obey.
I have recently had the pleasure of running some brilliant GDPR and privacy training sessions with digital agencies, sessions which have included the developers and coders as well as the business owners and planners. My way of teaching is to portray GDPR as a damn good toolkit, a business opportunity, and a robust development framework. Because of that, it’s no exaggeration to say the sessions I’ve run have bordered on evangelical. Developers are beyond excited about this. They get it. They can’t wait to dig in and start using it.
But here’s the thing: the only time I devote to “this is the law” and “OMG fines” is in one brief slide of mythbusting. That’s perhaps one more slide than those things deserve.
If you go into a group of implementers, or by extension into an industry, waving any rules around code as “a legal requirement”, you have failed at the first hurdle.
If you go in to listen, comprehend, inform, and inspire, trust me: you have total buy-in.
And that’s how we are all going to climb out of this rabbit hole.
If “as far as you know” is all you know, it is your responsibility to fix that – whether you’re a suit in a Brussels office or a developer in a Glasgow coffee shop.
If “a message has not been passed to designers and developers,” it is your responsibility to find out what that message looks like, who is passing it, and why it is not reaching its destination.
If you look at a group as “those who are planning the future we will inhabit until 2025”, you need to make sure that group is adequately supported and resourced. Even if that group is you, working alone, googling your legal advice.
If you look at any legislative issue – which in this particular example takes the form of “‘privacy by design’ and ‘privacy by default’ are not simply recommendations but legal requirements”, but which could be anything really – as a matter of coercive compliance, you need to take responsibility for shifting your mindset.
And above all, if you are encountering resistance – or being the resister – because the legal requirements are being rejected by the designers and developers who are having trouble receiving that message, you need to ask yourself why the relationship between legislators and implementers is so fundamentally dysfunctional and what role you play in that.
What I wrote about the root of this problem two years ago has not changed:
Our craft is lateral: we educate each other through informal channels, communities, and social media. Governments, however, are vertical: they distribute information downward through authority organizations. This mismatch in communication means unnecessary hassle on both sides: for web professionals, it means learning about digital laws and compliance obligations by chance on social media. For implementing bureaucracies, it means being bombarded with complaints from individuals who, as far as they are concerned, had their chance to contribute to the process in a formal consultation held years ago. That passive-aggressive cycle is every bit as dysfunctional as the laws themselves…. Our lack of a voice in digital law is no one’s fault but our own. We refuse to look past our personal differences, we do not show up for the political process regulating our own work, we squander our energies firefighting unhelpful interventions, and we disparage the legislators who made them—and they disparage us right back. If it seems as though politicians don’t take the web profession seriously, it’s because we have given them absolutely no reason to believe otherwise.
Nothing has changed since then, but the stakes are so much higher now.
Everyone, from legislators to politicians to business owners to coders, needs to look at what role they are playing in widening that gulf.
I truly believe that once everyone is willing to examine their own behavior, take responsibility for it, and commit to a different way forward, the bridge will begin to build itself.