25 May 2018 was one of those dates that concentrated the mind of anyone working in technology in Europe. The General Data Protection Regulation came into force, with fines of up to 4% of global annual turnover for serious violations. That is a number that makes board members pay attention.
I watched three different engineering teams prepare for GDPR that year. Their approaches were instructive.
The first team treated it as a compliance checkbox exercise. They updated their privacy policy, added cookie consent banners, and documented their data processing activities. They did the minimum required. In fairness, they were a small team with limited bandwidth, and their approach probably did get them past most regulatory scrutiny. But it missed an opportunity.
The second team panicked. They spent months in legal and engineering meetings, produced hundreds of pages of documentation, and ultimately delayed product launches because they could not get legal sign-off on features. The compliance tail wagged the product dog. This was also not a good outcome.
The third team did something more interesting. They treated GDPR as an engineering challenge and used it as an excuse to fix data practices that had been technical debt for years. They audited what data they actually collected (more than they had realised), stopped collecting data they could not justify, implemented proper data retention policies (they had data from five years ago they had never looked at), and built deletion capabilities that did not previously exist.
This third approach had practical benefits beyond compliance. Their data stores were smaller and therefore faster. Their data model was cleaner because they had removed fields that had accumulated without purpose. They had better documentation of what data existed and why. When they later had a data breach, the impact was smaller because they held less data.
The cookie consent situation became a collective failure of the industry. The regulation required consent for non-essential cookies. The implementation, with dark patterns designed to nudge users into accepting cookies, was widely criticised. Cookie banners became a running joke. This was not what the regulation intended, but it was what the incentives produced.
GDPR also changed the architecture conversations I was part of. Previously, logging everything forever was the default. After GDPR, you had to justify what you logged and for how long. Data residency became important for EU operations. Privacy by design became something architects actually had to address rather than defer.
The broader shift was that privacy stopped being a legal department problem and became an engineering problem. Whether that shift was sufficient is debatable. But the conversation happening at all was progress.