How to handle localization and privacy (GDPR) when working on regional expansion?

As part of an initiative at work, I want to localize the app and website to a couple of regions. I want to plan out how to go about this but also thought of reaching out to the community for your ideas.

Copying from my notes, the things I wanted to check off are:

  1. Default language, prompt on app first open, notifications, other server-side strings
  2. Countries like India - can’t assume Tamil/Hindi. Same for the Middle East.
  3. Iconography in case language is not understood. Similar for accessibility (color blind, screen readers, etc.)
  4. GDPR, PDPA (SG/TH/ID/MY) etc.
  5. Font and “density” of language. The grammatical structure of language. RTL.
  6. How to deliver incrementally?

You have a good list. Good luck. It’s an endless pursuit of perfection which you’ll never realize fully. My best tip: be vigilant in including a local resource in your discovery and implementation (minimally testing).

If you/your business decide not to afford local resources, you will pay for it one way or the other. Do it right, or don’t do it at all. Reputation and improperly implemented regulatory are two high-risk stakes/fronts you don’t want to lose on.


We want to attempt these for five countries. For three of them, we have local resources that we can rely on. For the other two, we do not (and cannot, thanks to complications from the pandemic), but their nationalities are represented in our company, so we can get some bit of help but not much.

How did you go about doing what you did? Any aha moments? And any traps that I should watch out for?


One lens to use when going about a major change like localization is to think about what your end product looks like. When all the pieces come together, what will this look like, and then break it out with a MoSCoW method so you can figure out what an MVP for one region looks like. It’s very tempting for this to go overboard and try to think of too many things. Ideally, you’ll be working with stakeholders to understand what a “successful” localization looks like.

What needs are you meeting for each region? When you understand the needs, you can figure out what features are required here. There are a million details you can have to localize a product, but it will help to look at a few regions and find commonalities, so you don’t over/under design. It also looks like you’re solutioning already… step back and figure out what the needs are because those will help you figure out the right solution. Look to engineering and design to guide your ideas well… I’ve met many engineers who knew details of localization I had overlooked.

On the GDPR front, you should think about whether there is any content that will have to be localized that will be relevant to GDPR. Are you just translating non-private information? Or is it private? GDPR also has details that require that users be able to request that their content be deleted within X amount of time… do you have such mechanisms? There’s a bunch to think about. I’d find a PM you trust who has done something like this and have a solid 30-45 minute conversation.

Finally - culture, culture, culture - direct translation is a disaster waiting to happen - dig deep


For everything privacy-compliant related I only work together with a lawyer or our data privacy manager (which is mandatory to have for each company in the EU that falls under GDPR).

I have been involved in GDPR compliant setups, both product, marketing, and company-wide, since 2017 when we prepared for the 2018 GDPR launch with my company back then.

I’d say I gathered quite profound knowledge and know what to do, but I would still NEVER take responsibility for my actions. I either provide a process, user flow, data overview, and what I want to track and why, and then it is up to legal to define which is the appropriate way. Or I provide an approach that I think is in a compliant manner, but still, legal needs to sign it off.

Why? Privacy laws change, there are still many grey areas on how to be compliant, many lawyers have different interpretations. I am in no way classified as a legal expert and won’t be the one to be blamed if shit comes down.

What if there is no legal partner in the company? Been there, and in that case I make it clear to have written approval OR order from the CEO, or direct supervisor, that something is implemented in a way where I am sure that it’s legally correct, but that I don’t cover for it without a correct legal audit or feedback.

