Four API trends in a GDPR world

Here is an exploration of how the GDPR regulations have impacted APIs and how things may pan out in the near future.

Abhinav Asthana Sep 14th 2018 A-A+

The EU Regulation 2016/679, popularly known as General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Replacing the UK's 1984 Data Protection Act and the EU's 1995 Data Protection Directive, GDPR aims at protecting the personal data and privacy of people within the European Union (EU) and the European Economic Area (EEA). Introducing a unified regulation across Europe, GDPR moves a step ahead from the traditional understanding of user data privacy. It seeks to empower individuals with greater control over their personal data while holding organizations responsible for ensuring user-data privacy.

Considering that organizations will be obligated to act upon user demands of control over personal data, application programming interface (API) has emerged as the key technology to facilitate this compliance. Let’s examine how APIs are undergoing a change in the GDPR world.

1. Scope of APIs has grown
GDPR enforces a set of contracts across a host of entities starting with the individual, who signs up for a service offered by an organization. In order to provide the said service, the organization may be sharing the individual’s data with other service providers at the backend. For example, an e-commerce portal may share the data with payment gateway service provider.

Under GDPR, an individual can make a request to an organization inquiring about what data it has collected about her/him. Moreover, they can also specify that they want the ability to revoke the organization’s right to use that data—at any time. APIs will facilitate all such exchanges.

Let’s consider an example wherein a customer signs up for an online service. A set of APIs get activated upon sign-up to transfer the customer’s personal data to third parties (to provide that service). If this customer demands that the organization must share with her/him and then delete all the data collected, the site will then have to invoke a series of internal APIs to discover what information was collected and shared with third parties, and then collate it, send it back to the user, and delete it. The role of APIs, thus, has grown phenomenally under the GDPR regime with APIs being called at (and after) every point of user interaction.

2. APIs will need to be redesigned

There is another dimension to this. In the pre-GDPR time, data privacy was somewhat independently thought of. There would be concerns about protecting a user’s data from the leakage perspective. But the aspects pertaining to managing that data and its traceability attracted less attention. However, in GDPR regime, API designers will need to be aware of how and where all their APIs will touch a user’s data, and design them in such a way that GDPR compliances are fully met.

As seen earlier, API design must incorporate the abilities to trace, retrieve, dispatch and delete user data on demand. At a deeper level, GDPR may also impact the software system design itself. Going forward, developers might try to incorporate a few design elements in their software to make GDPR-compliance simpler.

3. Traceability gains prominence

This is another aspect mandated by GDPR. An organization collecting user data must be able to identify all parties it shares that data with and trace it upon user request. Such capability was not required earlier. Besides traceability, which calls for maintaining error-free and updated records of how data has changed hands, the retention and protection of that data too have become equally mandatory for organizations today.

4. API automation will become essential

At the moment, many organizations are carrying out data tracking, retrieval and dispatch functions manually by investing time and resources to fulfill their GDPR compliance obligations. Manual processes are fine up to the point when user requests are still limited and the wider awareness about expanded user-rights under GDPR has not set in. However, as the requests reach a critical mass, organizations will be forced to automate this entire process with new APIs that help in automation.

The legal contract provisions with respect to GDPR-compliance elements that various entities engage into are also employed largely manually. Even these will need to be automated with APIs being specifically designed (or modified) to incorporate GDPR specific legal clauses in the contracts.

A few grey areas remain

Even as GDPR gradually settles in, a few grey areas remain. At a time of sign-up, a user agrees to certain terms and conditions, providing consent to the organization to use her/his data. In a pre-GDPR time, this consent was primarily implicit. There exists a lack of clarity today about whether the user consent needs to be obtained explicitly or it can be implicit.

There also are questions pertaining to the right method to obtain the location details of a user. Location (read: region) was not an important criteria prior to GDPR becoming effective. However, under GDPR, an organization needs to identify whether a user is from Europe or elsewhere. While IP address may not be a foolproof method to detect user’s location, asking the user to provide location information can result in the user not signing up. API developers will have to live with these challenges till the picture becomes clearer.

Abhinav Asthana is CEO and Co-founder of Postman.

Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).