With technological development in crisis management reaching a point at which there is wide-scale aggregation of data, including social media, there is a need to focus strongly upon the position of end users in order to uphold data protection principles. Recent wide-ranging European Union legal reforms, finalized in 2016, have enshrined the concept of data protection by design and paved the way for certification schemes to validate compliance. There is a need for those involved with the practical development of information systems for crisis management to understand these new developments and determine their practical implications. This paper presents a critical analysis of the reforms, focusing on the interplay between the law and technological design and predicting their impact on crisis management system development.