It was about 6 months ago that I was involved in my first GDPR meeting. Other people in our company had obviously been talking about it earlier. But this was the first one where I started to learn about it. And I learnt that it was a 4-letter acronym that I could no longer ignore.

Oh, here we go — this is going to be another ridiculous Cookie Law. We’re going to spend months making our product more annoying to use while still doing exactly the same stuff as before… SIGH. I spent a lot of that first meeting grimacing.

Since then I have had a lot more meetings. We engaged a dedicated GDPR consultant and we started examining our entire business from top to bottom.

We’ve had some pretty impressive-looking project spreadsheets on the go for months. Any place where we collected or processed personally identifiable data had to be examined. Then we had to decide if changes were required.

I would be lying if I said this wasn’t a pain. We have an infinite list of things we want to build or experiment with. Doing a full review of our products and implementing all the changes that we required was not exciting or fun. It is very easy to view this process as a huge distraction from what we are really trying to do. Which is to deliver safe surgical care for everyone. In case you didn’t know.

On the other hand, it also was not very hard for us. We are not a creepy company. We’ve gone out of our way to only collect information that we need to make our products work. Our business model isn’t built on invading your privacy. But that doesn’t mean that we’ve always thought carefully about this stuff. There have been cases where personally identifiable information (PII) has just been collected without any consideration.

The more I worked with GDPR the more I appreciated it. The effect of this legislation was never pushing us to do things that felt wrong. Quite the opposite. It was forcing us to think more about our interactions with people and to be careful about how we treated them.

I would be very wary of a company who claims this legislation is onerous. It is potentially life-threatening to companies who do very shady things without your consent. That much is true. That is the entire point.

This is not to say that preparing for GDPR didn’t take us 100s of hours. It did. But the upside of that is that we are now a better company.