SlideShare a Scribd company logo

GDPR for developers

Download as PPTX, PDF
Bozhidar Bozhanov
Bozhidar Bozhanov

GDPR for developers is a document about the General Data Protection Regulation (GDPR) and what software developers need to do to comply. It discusses key GDPR concepts like the rights of data subjects, lawful processing of personal data, and security measures. It provides practical advice for implementing GDPR principles in software like obtaining consent, handling data subject requests, and responding to data breaches. The overall message is that GDPR compliance requires changes to protect personal data but many can be done incrementally without a full rewrite.

1 of 26
Downloaded 143 times
GDPR for developers Bozhidar Bozhanov
About me • Founder and CEO of LogSentinel • Former IT advisor to the deputy prime minister of Bulgaria • Software engineer • Privacy advocate • Top 50 stackoverflow contributor • https://techblog.bozho.net • @bozhobg
What is GDPR? Regulation Panic! Opportunity • a.k.a. direct common EU law • overrides / supercedes national data protection laws • extends the existing directive • Huge fines for non-compliance (4% of turnover or 20 million euro) • Insufficient understanding on what has to be done (consultants, regulators, companies) • To really protect your customers’ data • To get your systems secure
Pros and cons of GDPR • Cons: • Bureaucratic • Not always clear • Requires most systems to be upgraded (burden) • Doesn’t solve all data protection issues • Leaves issues at the discretion of local regulators • Pros: • Unifies data protection in Europe • Mandates best practices • Requires consciousness about personal data processing
Why do YOU care? • You may be: • implementing GDPR-related upgrades • be designated as a DPO (data protection officer) • implementing anything that handles data • conscious about personal data in your organization
Terminology Data subject Personal data Data processing • a.k.a. User (person whose personal data is processed) • Any data about an identifiable or identified person • Any operation (manual or automated) on personal data Controller • The entity (company) that requests and uses the data Processor • Any entity that processes data on behalf of a controller (e.g. cloud service providers)
GDPR principles Lawfulness Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality …magic
What about cookies? • ePrivacy directive -> ePrivacy regulation • Somehow different than GDPR • Answers some questions unanswered by GDPR: • Tracking cookies • Traffic data • Direct marketing • Opinion – should have been a unified regulation • With the upcoming ePrivacy regulation – no more useless cookie warnings • Also: directive for processing personal data by law enforcement
When to process personal data • User’s consent • Performance of a contract • If required by law • Legitimate interest of the controller (including direct marketing) • Combination of the above
GDPR functionalities • Functionalities are only part of it – processes/procedures/rules must also exist • “Forget me” (the right to erasure) • Mark profile as restricted (right to restriction of processing) • Export data (right to portability) • Allow profile editing (right to rectification) • “See all my data” (right to access) • Consent checkboxes • Age checks • Data destruction (data minimization principle)
“Forget me” • Delete all data relating to a user • void forgetUser(UUID userId); • Useful for integration tests • What about foreign keys? • Allow nullable foreign keys • Anonymize user (leave only ID) • Cascade delete • Option: mark for deletion (+user cleanup job)
“Forget me” • Event-sourcing? • Crypto-shredding • Blockchain? • Notify 3rd parties / call 3rd parties APIs: • CRMs, Payment gateways, etc. • Return 404 for indexable pages • Backups – store anonymized IDs separately • “My data model doesn’t allow for it” is no excuse
Restrict processing • Mark user as “restricted” • Boolean database column • Button on profile page “restrict processing of personal data” • Button on admin page • Don’t show in searches, don’t send emails, don’t include in automated processing • Mark as restricted in 3rd party systems (e.g. with a custom field) • Don’t show on public pages / 404 • Why? • Edge cases: user objects to erasure;
Export data • Right to data portability (no vendor lock-in; in theory) • Formats: JSON, XML, CSV or other standards • Schema: prefer schema.org • Could be a background process that sends email when done • Could be a manual process (easier to get compliant) • All personal data + all data, associated with the user (orders, messages, etc.) • Logs? No • Data from 3rd party systems? Yes • they should have that functionality as well
Editable user profile • Right to rectification • All personal data fields should be editable • Could be a manual support process: “please fix my name” • Data obtained from 3rd parties • If email/phone is included, user should be able to identify with that email/phone (“shadow accounts”) • If not – manual process
Ask for consent • No more “I accept the Terms and conditions and the privacy policy” • Unchecked checkbox for each processing purpose on registration • Data processing business processes to be listed in a register • User should be able to withdraw consent from the user profile page • If data is used for machine learning, get explicit consent for that • Store consent in a secure way • Boolean column may or may not be enough, depending on the regulator • Consents table? • Timestamping? • Re-request consent for existing users via email • Oral consent • Workarounds: consent vs contract with electronic signature?
“See my data” • Overlaps with “export data” • Allow non-registered users to check if you have data about them • Confirm email • Show the processing records from the register
Age check • On registration ask for age / date of birth / (checked) checkbox “I’m older than 16” • Ask parent for consent • How? • Nobody has a clue  • “The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.” • Proposal: ask for parent’s email, send a link and get the registration confirmed • Proposal: upload “parent selfie” • Proposal: eID
Limit data retention • Don’t store data for longer than “necessary” • Database column for “data retention deadline” • Scheduled job to delete/anonymize/pseudonymize data that past its deadline • Deadline vs confirmation event, e.g. “goods delivered” • Applicable to “purchase without registration” • Theoretically applicable to registered users • In practice: “I agree to having my address stored for the purpose of not entering it again on subsequent purchases”
Do’s (encryption) • Encrypt data in transit • between application and database • between application and 3rd parties • between application and database nodes (gossip) • between multiple applications / microservices • obviously: between user and application • between load balancer and application? • Encrypt data at rest • LUKS or database-specific encryption • Encryption key: ideally on HSM / AWS KMS / … • Encrypt backups
Do’s • Implement pseudonymization • replace personal data with bcrypt/PBKDF? • don’t use real production data for staging/test • pseudonymize for machine learning purposes • Protect data integrity • Simple solution: do nothing  Procedures should indicate integrity is guaranteed by the database via checksums • Other options: checksum column per record, enforced in the application layer, audit trail, 3rd party solutions like LogSentinel
Do’s • Have your GDPR register of processing activities in something other than Excel • Internal web app / microservice or a 3rd party service • Integrate with consent checkboxes and “right to access” • Correlate audit logs with processing activities • Audit log for the register itself • Backups, high availability • Log access to personal data • Implied from the accountability principles • Correlate with processing activity • Search results / lists? Log “User X did query Y” • Register all API consumers (no anonymous access)
Data breaches • Notify data protection regulator • Notify controllers (if you are a processor) • Notify users • Option: Configure your security incident system to report to the data protection regulator • Have proof of when the breach was discovered (timestamp emails/issues?) • Will it help? Questionable • (Dilbert)
Don’t’s • Don’t use data for purposes other than what he user has agreed with • Request consent via email for new purposes • Legitimate interests can be dynamically added • Don’t log personal data – just ID • Cleanup old log files • Don’t put unnecessary registration fields • Don’t assume 3rd parties are compliant • Don’t assume having ISO XXX makes you compliant • Don’t dump personal data on public servers/buckets  • …and other obvious stuff
Conclusion • GDPR would require changes, mostly • Best practices • Useful to customers • The majority of changes can be implemented within 2-3 sprints • GDPR forces better understanding of data flows • Compliance likely to be checklist-based • Beware of consultants claiming GDPR will require rewriting everything and asking for a lot of money • Regulators will need some teaching • The spirit of the regulation: be conscious about personal data
Thank you Bozhidar Bozhanov: bozhidar.bozhanov@logsentinel.com
Ad

Recommended

GDPR
GDPRGDPR
GDPR
Younes Boukamher
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
GDPR most actionable cheatsheet and checklist by cyberstratg
GDPR most actionable cheatsheet and checklist by cyberstratgGDPR most actionable cheatsheet and checklist by cyberstratg
GDPR most actionable cheatsheet and checklist by cyberstratg
Tabish Asifi
 
SOC 2: Build Trust and Confidence
SOC 2: Build Trust and ConfidenceSOC 2: Build Trust and Confidence
SOC 2: Build Trust and Confidence
Schellman & Company
 
Master Data Management (MDM) for Mid-Market
Master Data Management (MDM) for Mid-MarketMaster Data Management (MDM) for Mid-Market
Master Data Management (MDM) for Mid-Market
Vivek Mishra
 
Introduction to GDPR
Introduction to GDPRIntroduction to GDPR
Introduction to GDPR
Priyab Satoshi
 
Data privacy impact assessment
Data privacy impact assessmentData privacy impact assessment
Data privacy impact assessment
Stephen Owen
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
Sudarsan Reddy
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
Randy Bowman
 
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Nawanan Theera-Ampornpunt
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
SPIN Chennai
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
Jane Lambert
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands
Secure Islands - Data Security Policy
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
The Pathway Group
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
Data Privacy and consent management .. .
Data Privacy and consent management .. .Data Privacy and consent management .. .
Data Privacy and consent management .. .
ClinosolIndia
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
Cisco Canada
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Data Strategy for Telcos : Preparedness and Management
Data Strategy for Telcos : Preparedness and ManagementData Strategy for Telcos : Preparedness and Management
Data Strategy for Telcos : Preparedness and Management
SouravRout
 
DPIA
DPIADPIA
DPIA
Martyn Ripley
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
Craig Clark ITIL, CIS LI,EU GDPR P
 
Data protection ppt
Data protection pptData protection ppt
Data protection ppt
grahamwell
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
Naomi Holmes
 
Data protection regulations in Nigeria
Data protection regulations in NigeriaData protection regulations in Nigeria
Data protection regulations in Nigeria
Mercy Akinseinde
 
SOC Certification Runbook Template
SOC Certification Runbook TemplateSOC Certification Runbook Template
SOC Certification Runbook Template
Mark S. Mahre
 
Privacy and Data Protection
Privacy and Data ProtectionPrivacy and Data Protection
Privacy and Data Protection
Directorate of Information Security | Ditjen Aptika
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
Eryk Budi Pratama
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]
Kwanzoo Inc
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
TechSoup
 
Ad

More Related Content

What's hot (20)

General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
Randy Bowman
 
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Nawanan Theera-Ampornpunt
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
SPIN Chennai
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
Jane Lambert
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands
Secure Islands - Data Security Policy
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
The Pathway Group
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
Data Privacy and consent management .. .
Data Privacy and consent management .. .Data Privacy and consent management .. .
Data Privacy and consent management .. .
ClinosolIndia
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
Cisco Canada
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Data Strategy for Telcos : Preparedness and Management
Data Strategy for Telcos : Preparedness and ManagementData Strategy for Telcos : Preparedness and Management
Data Strategy for Telcos : Preparedness and Management
SouravRout
 
DPIA
DPIADPIA
DPIA
Martyn Ripley
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
Craig Clark ITIL, CIS LI,EU GDPR P
 
Data protection ppt
Data protection pptData protection ppt
Data protection ppt
grahamwell
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
Naomi Holmes
 
Data protection regulations in Nigeria
Data protection regulations in NigeriaData protection regulations in Nigeria
Data protection regulations in Nigeria
Mercy Akinseinde
 
SOC Certification Runbook Template
SOC Certification Runbook TemplateSOC Certification Runbook Template
SOC Certification Runbook Template
Mark S. Mahre
 
Privacy and Data Protection
Privacy and Data ProtectionPrivacy and Data Protection
Privacy and Data Protection
Directorate of Information Security | Ditjen Aptika
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
Eryk Budi Pratama
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
Information Security Awareness Training
Information Security Awareness TrainingInformation Security Awareness Training
Information Security Awareness Training
Randy Bowman
 
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Personal Data Protection Act (PDPA) and Enterprise Risk Management (February ...
Nawanan Theera-Ampornpunt
 
GDPR Demystified
GDPR DemystifiedGDPR Demystified
GDPR Demystified
SPIN Chennai
 
GDPR Introduction and overview
GDPR Introduction and overviewGDPR Introduction and overview
GDPR Introduction and overview
Jane Lambert
 
18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands18 Tips for Data Classification - Data Sheet by Secure Islands
18 Tips for Data Classification - Data Sheet by Secure Islands
Secure Islands - Data Security Policy
 
An Overview of GDPR
An Overview of GDPR An Overview of GDPR
An Overview of GDPR
The Pathway Group
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
Data Privacy and consent management .. .
Data Privacy and consent management .. .Data Privacy and consent management .. .
Data Privacy and consent management .. .
ClinosolIndia
 
Cisco umbrella overview
Cisco umbrella overviewCisco umbrella overview
Cisco umbrella overview
Cisco Canada
 
Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
Ersoy AKSOY
 
Data Strategy for Telcos : Preparedness and Management
Data Strategy for Telcos : Preparedness and ManagementData Strategy for Telcos : Preparedness and Management
Data Strategy for Telcos : Preparedness and Management
SouravRout
 
DPIA
DPIADPIA
DPIA
Martyn Ripley
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
Craig Clark ITIL, CIS LI,EU GDPR P
 
Data protection ppt
Data protection pptData protection ppt
Data protection ppt
grahamwell
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
Naomi Holmes
 
Data protection regulations in Nigeria
Data protection regulations in NigeriaData protection regulations in Nigeria
Data protection regulations in Nigeria
Mercy Akinseinde
 
SOC Certification Runbook Template
SOC Certification Runbook TemplateSOC Certification Runbook Template
SOC Certification Runbook Template
Mark S. Mahre
 
Privacy and Data Protection
Privacy and Data ProtectionPrivacy and Data Protection
Privacy and Data Protection
Directorate of Information Security | Ditjen Aptika
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
Eryk Budi Pratama
 

Similar to GDPR for developers (20)

ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]
Kwanzoo Inc
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
TechSoup
 
Ease out the GDPR adoption with ManageEngine
Ease out the GDPR adoption with ManageEngineEase out the GDPR adoption with ManageEngine
Ease out the GDPR adoption with ManageEngine
ManageEngine
 
A Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration SolutionsA Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration Solutions
Gabriella Davis
 
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QAQA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
QAFest
 
#HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance #HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance
Dovetail Software
 
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
One North
 
Web analytics: Practical steps to GDPR compliance
Web analytics: Practical steps to GDPR complianceWeb analytics: Practical steps to GDPR compliance
Web analytics: Practical steps to GDPR compliance
Panagiotis Tzamtzis
 
GDPR- The Buck Stops Here
GDPR- The Buck Stops HereGDPR- The Buck Stops Here
GDPR- The Buck Stops Here
Kellyn Pot'Vin-Gorman
 
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...
Jadu
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Precisely
 
Lecture 2 - Security Requirments.ppt
Lecture 2 - Security Requirments.pptLecture 2 - Security Requirments.ppt
Lecture 2 - Security Requirments.ppt
DrBasemMohamedElomda
 
Law Practice Management - Organization, Cloud, Social Media and Ethics
Law Practice Management - Organization, Cloud, Social Media and EthicsLaw Practice Management - Organization, Cloud, Social Media and Ethics
Law Practice Management - Organization, Cloud, Social Media and Ethics
Jennifer Ellis, JD, LLC
 
How to leverage Enterprise Architecture in a regulated environment
How to leverage Enterprise Architecture in a regulated environmentHow to leverage Enterprise Architecture in a regulated environment
How to leverage Enterprise Architecture in a regulated environment
LeanIX GmbH
 
Gdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulationGdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulation
James Mulhern
 
GDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptxGDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptx
TimBee1
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
GrittyCC
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
Rebecca Leitch
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
Security Innovation
 
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
nasirmehmood929552
 
ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]ABM Display Advertising Success in the World of GDPR [PPT]
ABM Display Advertising Success in the World of GDPR [PPT]
Kwanzoo Inc
 
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19Webinar - Compliance with the Microsoft Cloud- 2017-04-19
Webinar - Compliance with the Microsoft Cloud- 2017-04-19
TechSoup
 
Ease out the GDPR adoption with ManageEngine
Ease out the GDPR adoption with ManageEngineEase out the GDPR adoption with ManageEngine
Ease out the GDPR adoption with ManageEngine
ManageEngine
 
A Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration SolutionsA Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration Solutions
Gabriella Davis
 
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QAQA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
QA Fest 2017. Per Thorsheim.GDPR - An overview and its relevance for QA
QAFest
 
#HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance #HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance
Dovetail Software
 
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
#1NWebinar: GDPR and Privacy Best Practices for Digital Marketers
One North
 
Web analytics: Practical steps to GDPR compliance
Web analytics: Practical steps to GDPR complianceWeb analytics: Practical steps to GDPR compliance
Web analytics: Practical steps to GDPR compliance
Panagiotis Tzamtzis
 
GDPR- The Buck Stops Here
GDPR- The Buck Stops HereGDPR- The Buck Stops Here
GDPR- The Buck Stops Here
Kellyn Pot'Vin-Gorman
 
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...
Jadu GDPR guide: A easy to follow guide for Digital Service Managers and Webs...
Jadu
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Precisely
 
Lecture 2 - Security Requirments.ppt
Lecture 2 - Security Requirments.pptLecture 2 - Security Requirments.ppt
Lecture 2 - Security Requirments.ppt
DrBasemMohamedElomda
 
Law Practice Management - Organization, Cloud, Social Media and Ethics
Law Practice Management - Organization, Cloud, Social Media and EthicsLaw Practice Management - Organization, Cloud, Social Media and Ethics
Law Practice Management - Organization, Cloud, Social Media and Ethics
Jennifer Ellis, JD, LLC
 
How to leverage Enterprise Architecture in a regulated environment
How to leverage Enterprise Architecture in a regulated environmentHow to leverage Enterprise Architecture in a regulated environment
How to leverage Enterprise Architecture in a regulated environment
LeanIX GmbH
 
Gdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulationGdpr demystified - making sense of the regulation
Gdpr demystified - making sense of the regulation
James Mulhern
 
GDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptxGDPR and Cyber Security LW.pptx
GDPR and Cyber Security LW.pptx
TimBee1
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
GrittyCC
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
Rebecca Leitch
 
Privacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be TellingPrivacy Secrets Your Systems May Be Telling
Privacy Secrets Your Systems May Be Telling
Security Innovation
 
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
nasirmehmood929552
 
Ad

More from Bozhidar Bozhanov (20)

Откриване на фалшиви клетки за подслушване
Откриване на фалшиви клетки за подслушванеОткриване на фалшиви клетки за подслушване
Откриване на фалшиви клетки за подслушване
Bozhidar Bozhanov
 
Wiretap Detector - detecting cell-site simulators
Wiretap Detector - detecting cell-site simulatorsWiretap Detector - detecting cell-site simulators
Wiretap Detector - detecting cell-site simulators
Bozhidar Bozhanov
 
Антикорупционен софтуер
Антикорупционен софтуерАнтикорупционен софтуер
Антикорупционен софтуер
Bozhidar Bozhanov
 
Nothing is secure.pdf
Nothing is secure.pdfNothing is secure.pdf
Nothing is secure.pdf
Bozhidar Bozhanov
 
Elasticsearch - Scalability and Multitenancy
Elasticsearch - Scalability and MultitenancyElasticsearch - Scalability and Multitenancy
Elasticsearch - Scalability and Multitenancy
Bozhidar Bozhanov
 
Encryption in the enterprise
Encryption in the enterpriseEncryption in the enterprise
Encryption in the enterprise
Bozhidar Bozhanov
 
Blockchain overview - types, use-cases, security and usabilty
Blockchain overview - types, use-cases, security and usabiltyBlockchain overview - types, use-cases, security and usabilty
Blockchain overview - types, use-cases, security and usabilty
Bozhidar Bozhanov
 
Електронна държава
Електронна държаваЕлектронна държава
Електронна държава
Bozhidar Bozhanov
 
Blockchain - what is it good for?
Blockchain - what is it good for?Blockchain - what is it good for?
Blockchain - what is it good for?
Bozhidar Bozhanov
 
Algorithmic and technological transparency
Algorithmic and technological transparencyAlgorithmic and technological transparency
Algorithmic and technological transparency
Bozhidar Bozhanov
 
Scaling horizontally on AWS
Scaling horizontally on AWSScaling horizontally on AWS
Scaling horizontally on AWS
Bozhidar Bozhanov
 
Alternatives for copyright protection online
Alternatives for copyright protection onlineAlternatives for copyright protection online
Alternatives for copyright protection online
Bozhidar Bozhanov
 
Политики, основани на данни
Политики, основани на данниПолитики, основани на данни
Политики, основани на данни
Bozhidar Bozhanov
 
Отворено законодателство
Отворено законодателствоОтворено законодателство
Отворено законодателство
Bozhidar Bozhanov
 
Overview of Message Queues
Overview of Message QueuesOverview of Message Queues
Overview of Message Queues
Bozhidar Bozhanov
 
Electronic governance steps in the right direction?
Electronic governance steps in the right direction?Electronic governance steps in the right direction?
Electronic governance steps in the right direction?
Bozhidar Bozhanov
 
Сигурност на електронното управление
Сигурност на електронното управлениеСигурност на електронното управление
Сигурност на електронното управление
Bozhidar Bozhanov
 
Opensource government
Opensource governmentOpensource government
Opensource government
Bozhidar Bozhanov
 
Биометрична идентификация
Биометрична идентификацияБиометрична идентификация
Биометрична идентификация
Bozhidar Bozhanov
 
Biometric identification
Biometric identificationBiometric identification
Biometric identification
Bozhidar Bozhanov
 
Откриване на фалшиви клетки за подслушване
Откриване на фалшиви клетки за подслушванеОткриване на фалшиви клетки за подслушване
Откриване на фалшиви клетки за подслушване
Bozhidar Bozhanov
 
Wiretap Detector - detecting cell-site simulators
Wiretap Detector - detecting cell-site simulatorsWiretap Detector - detecting cell-site simulators
Wiretap Detector - detecting cell-site simulators
Bozhidar Bozhanov
 
Антикорупционен софтуер
Антикорупционен софтуерАнтикорупционен софтуер
Антикорупционен софтуер
Bozhidar Bozhanov
 
Nothing is secure.pdf
Nothing is secure.pdfNothing is secure.pdf
Nothing is secure.pdf
Bozhidar Bozhanov
 
Elasticsearch - Scalability and Multitenancy
Elasticsearch - Scalability and MultitenancyElasticsearch - Scalability and Multitenancy
Elasticsearch - Scalability and Multitenancy
Bozhidar Bozhanov
 
Encryption in the enterprise
Encryption in the enterpriseEncryption in the enterprise
Encryption in the enterprise
Bozhidar Bozhanov
 
Blockchain overview - types, use-cases, security and usabilty
Blockchain overview - types, use-cases, security and usabiltyBlockchain overview - types, use-cases, security and usabilty
Blockchain overview - types, use-cases, security and usabilty
Bozhidar Bozhanov
 
Електронна държава
Електронна държаваЕлектронна държава
Електронна държава
Bozhidar Bozhanov
 
Blockchain - what is it good for?
Blockchain - what is it good for?Blockchain - what is it good for?
Blockchain - what is it good for?
Bozhidar Bozhanov
 
Algorithmic and technological transparency
Algorithmic and technological transparencyAlgorithmic and technological transparency
Algorithmic and technological transparency
Bozhidar Bozhanov
 
Scaling horizontally on AWS
Scaling horizontally on AWSScaling horizontally on AWS
Scaling horizontally on AWS
Bozhidar Bozhanov
 
Alternatives for copyright protection online
Alternatives for copyright protection onlineAlternatives for copyright protection online
Alternatives for copyright protection online
Bozhidar Bozhanov
 
Политики, основани на данни
Политики, основани на данниПолитики, основани на данни
Политики, основани на данни
Bozhidar Bozhanov
 
Отворено законодателство
Отворено законодателствоОтворено законодателство
Отворено законодателство
Bozhidar Bozhanov
 
Overview of Message Queues
Overview of Message QueuesOverview of Message Queues
Overview of Message Queues
Bozhidar Bozhanov
 
Electronic governance steps in the right direction?
Electronic governance steps in the right direction?Electronic governance steps in the right direction?
Electronic governance steps in the right direction?
Bozhidar Bozhanov
 
Сигурност на електронното управление
Сигурност на електронното управлениеСигурност на електронното управление
Сигурност на електронното управление
Bozhidar Bozhanov
 
Opensource government
Opensource governmentOpensource government
Opensource government
Bozhidar Bozhanov
 
Биометрична идентификация
Биометрична идентификацияБиометрична идентификация
Биометрична идентификация
Bozhidar Bozhanov
 
Biometric identification
Biometric identificationBiometric identification
Biometric identification
Bozhidar Bozhanov
 
Ad

Recently uploaded (20)

F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New VersionF-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
University of Hawai‘i at Mānoa
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Douwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License codeDouwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License code
aneelaramzan63
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New VersionF-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
Exploring Code Comprehension in Scientific Programming: Preliminary Insight...
University of Hawai‘i at Mānoa
 
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...Explaining GitHub Actions Failures with Large Language Models Challenges, In...
Explaining GitHub Actions Failures with Large Language Models Challenges, In...
ssuserb14185
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
Kubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptxKubernetes_101_Zero_to_Platform_Engineer.pptx
Kubernetes_101_Zero_to_Platform_Engineer.pptx
CloudScouts
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
Douwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License codeDouwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License code
aneelaramzan63
 
Not So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java WebinarNot So Common Memory Leaks in Java Webinar
Not So Common Memory Leaks in Java Webinar
Tier1 app
 
Automation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath CertificateAutomation Techniques in RPA - UiPath Certificate
Automation Techniques in RPA - UiPath Certificate
VICTOR MAESTRE RAMIREZ
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 

GDPR for developers

  • 2. About me • Founder and CEO of LogSentinel • Former IT advisor to the deputy prime minister of Bulgaria • Software engineer • Privacy advocate • Top 50 stackoverflow contributor • https://techblog.bozho.net • @bozhobg
  • 3. What is GDPR? Regulation Panic! Opportunity • a.k.a. direct common EU law • overrides / supercedes national data protection laws • extends the existing directive • Huge fines for non-compliance (4% of turnover or 20 million euro) • Insufficient understanding on what has to be done (consultants, regulators, companies) • To really protect your customers’ data • To get your systems secure
  • 4. Pros and cons of GDPR • Cons: • Bureaucratic • Not always clear • Requires most systems to be upgraded (burden) • Doesn’t solve all data protection issues • Leaves issues at the discretion of local regulators • Pros: • Unifies data protection in Europe • Mandates best practices • Requires consciousness about personal data processing
  • 5. Why do YOU care? • You may be: • implementing GDPR-related upgrades • be designated as a DPO (data protection officer) • implementing anything that handles data • conscious about personal data in your organization
  • 6. Terminology Data subject Personal data Data processing • a.k.a. User (person whose personal data is processed) • Any data about an identifiable or identified person • Any operation (manual or automated) on personal data Controller • The entity (company) that requests and uses the data Processor • Any entity that processes data on behalf of a controller (e.g. cloud service providers)
  • 7. GDPR principles Lawfulness Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality …magic
  • 8. What about cookies? • ePrivacy directive -> ePrivacy regulation • Somehow different than GDPR • Answers some questions unanswered by GDPR: • Tracking cookies • Traffic data • Direct marketing • Opinion – should have been a unified regulation • With the upcoming ePrivacy regulation – no more useless cookie warnings • Also: directive for processing personal data by law enforcement
  • 9. When to process personal data • User’s consent • Performance of a contract • If required by law • Legitimate interest of the controller (including direct marketing) • Combination of the above
  • 10. GDPR functionalities • Functionalities are only part of it – processes/procedures/rules must also exist • “Forget me” (the right to erasure) • Mark profile as restricted (right to restriction of processing) • Export data (right to portability) • Allow profile editing (right to rectification) • “See all my data” (right to access) • Consent checkboxes • Age checks • Data destruction (data minimization principle)
  • 11. “Forget me” • Delete all data relating to a user • void forgetUser(UUID userId); • Useful for integration tests • What about foreign keys? • Allow nullable foreign keys • Anonymize user (leave only ID) • Cascade delete • Option: mark for deletion (+user cleanup job)
  • 12. “Forget me” • Event-sourcing? • Crypto-shredding • Blockchain? • Notify 3rd parties / call 3rd parties APIs: • CRMs, Payment gateways, etc. • Return 404 for indexable pages • Backups – store anonymized IDs separately • “My data model doesn’t allow for it” is no excuse
  • 13. Restrict processing • Mark user as “restricted” • Boolean database column • Button on profile page “restrict processing of personal data” • Button on admin page • Don’t show in searches, don’t send emails, don’t include in automated processing • Mark as restricted in 3rd party systems (e.g. with a custom field) • Don’t show on public pages / 404 • Why? • Edge cases: user objects to erasure;
  • 14. Export data • Right to data portability (no vendor lock-in; in theory) • Formats: JSON, XML, CSV or other standards • Schema: prefer schema.org • Could be a background process that sends email when done • Could be a manual process (easier to get compliant) • All personal data + all data, associated with the user (orders, messages, etc.) • Logs? No • Data from 3rd party systems? Yes • they should have that functionality as well
  • 15. Editable user profile • Right to rectification • All personal data fields should be editable • Could be a manual support process: “please fix my name” • Data obtained from 3rd parties • If email/phone is included, user should be able to identify with that email/phone (“shadow accounts”) • If not – manual process
  • 16. Ask for consent • No more “I accept the Terms and conditions and the privacy policy” • Unchecked checkbox for each processing purpose on registration • Data processing business processes to be listed in a register • User should be able to withdraw consent from the user profile page • If data is used for machine learning, get explicit consent for that • Store consent in a secure way • Boolean column may or may not be enough, depending on the regulator • Consents table? • Timestamping? • Re-request consent for existing users via email • Oral consent • Workarounds: consent vs contract with electronic signature?
  • 17. “See my data” • Overlaps with “export data” • Allow non-registered users to check if you have data about them • Confirm email • Show the processing records from the register
  • 18. Age check • On registration ask for age / date of birth / (checked) checkbox “I’m older than 16” • Ask parent for consent • How? • Nobody has a clue  • “The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.” • Proposal: ask for parent’s email, send a link and get the registration confirmed • Proposal: upload “parent selfie” • Proposal: eID
  • 19. Limit data retention • Don’t store data for longer than “necessary” • Database column for “data retention deadline” • Scheduled job to delete/anonymize/pseudonymize data that past its deadline • Deadline vs confirmation event, e.g. “goods delivered” • Applicable to “purchase without registration” • Theoretically applicable to registered users • In practice: “I agree to having my address stored for the purpose of not entering it again on subsequent purchases”
  • 20. Do’s (encryption) • Encrypt data in transit • between application and database • between application and 3rd parties • between application and database nodes (gossip) • between multiple applications / microservices • obviously: between user and application • between load balancer and application? • Encrypt data at rest • LUKS or database-specific encryption • Encryption key: ideally on HSM / AWS KMS / … • Encrypt backups
  • 21. Do’s • Implement pseudonymization • replace personal data with bcrypt/PBKDF? • don’t use real production data for staging/test • pseudonymize for machine learning purposes • Protect data integrity • Simple solution: do nothing  Procedures should indicate integrity is guaranteed by the database via checksums • Other options: checksum column per record, enforced in the application layer, audit trail, 3rd party solutions like LogSentinel
  • 22. Do’s • Have your GDPR register of processing activities in something other than Excel • Internal web app / microservice or a 3rd party service • Integrate with consent checkboxes and “right to access” • Correlate audit logs with processing activities • Audit log for the register itself • Backups, high availability • Log access to personal data • Implied from the accountability principles • Correlate with processing activity • Search results / lists? Log “User X did query Y” • Register all API consumers (no anonymous access)
  • 23. Data breaches • Notify data protection regulator • Notify controllers (if you are a processor) • Notify users • Option: Configure your security incident system to report to the data protection regulator • Have proof of when the breach was discovered (timestamp emails/issues?) • Will it help? Questionable • (Dilbert)
  • 24. Don’t’s • Don’t use data for purposes other than what he user has agreed with • Request consent via email for new purposes • Legitimate interests can be dynamically added • Don’t log personal data – just ID • Cleanup old log files • Don’t put unnecessary registration fields • Don’t assume 3rd parties are compliant • Don’t assume having ISO XXX makes you compliant • Don’t dump personal data on public servers/buckets  • …and other obvious stuff
  • 25. Conclusion • GDPR would require changes, mostly • Best practices • Useful to customers • The majority of changes can be implemented within 2-3 sprints • GDPR forces better understanding of data flows • Compliance likely to be checklist-based • Beware of consultants claiming GDPR will require rewriting everything and asking for a lot of money • Regulators will need some teaching • The spirit of the regulation: be conscious about personal data