software development
• Head of technology at Burda Home and Burda Life, covering roles such as team and tech lead, information security officer and data privacy manager
• Certified Information Security Officer according to ISO 27001 *1
• (Certified *2) Data Protection Officer (GDPR Art. 37 #5)
• Techie - not a lawyer! This presentation has not been reviewed by a lawyer. You should most def consult a lawyer.
• Q & A at the end
*1 took a formal test, got a certificate
*2 there's no test for this yet. But I got a nice certificate from a lawyer for attending a course
of individuals being in the European Union
• Maximum possible fines: 2-4% or 10-20 million EUR (based on the type of failure, whichever is higher)
• One month time to react to a consumer request
• 72 hours for a qualified notice to authorities upon a data breach
• These possible fines make this an important topic for almost every company
Art. 12-23)
• Art. 15 Right of access by the data subject
• Art. 16 Right to rectification
• Art. 17 Right to erasure ('right to be forgotten')
• Art. 18 Right to restriction of processing
• Art. 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
• Art. 20 Right to data portability
• Art. 21 Right to object
DPO (10+ employees, main operation of your business is processing of personal data) Art. 37
• Have someone or a team of capable people set up a project group - treat this as a project. Needed skills:
• Basic understanding of IT (really helps!)
• Project management skills
• Capability of reading and understanding (boring) law texts - this is a really dry topic. Don't give this job to someone who easily gets distracted.
data protection affairs
• Can be software driven but not mandatory
• This is really about how you set up structure in your organization to deal with data protection tasks
• Communication flows
• Who's the go-to person
• Regular reviews of tasks and events
• Risk assessments
• Review your stack under the aspect of state of the art
• Plan for the future – disaster plans, have contact lists and contracts with security specialists ready
• If you are familiar with ISO 27001 this could be similar to an Information Security Management System (ISMS)
30)
• Check each of them for their legal grounds
• Evaluate if you can search, export, edit, lock and delete within the attached data stores in order to fulfill all of the consumer rights.
• Check for their purpose - do you really need this? Can you avoid it?
• Example: you are selling leads for holiday trips to a company; all you need for billing is a statistic about how many leads you generated – you do not need the list of attendees including all their personal details!
| / department | title | description | contact person | data categories | amount of datasets | legal basis |
|---|---|---|---|---|---|---|
| example ltd | online riddles | provide platform for customers to participate in online riddles – they can win goods so we collect data on them | Steve, steve@example.tld, +123123123 | contact data, address data | 10k+ | contract fulfillment |

This is just an example – the actual list probably needs more details – contact a lawyer
of websites and apps and their use of personal data, including monitoring, analytics and tracking software
• Try to unify your web application landscape (get rid of the stuff you don't need)
• Those crappy WordPress blogs no one cares about anyway.
• That one online marketing gig back from 2012 that's still online.
your staff and give them information and updates; create roles and hubs rather than one-time go-to persons and documents: intranet, wiki, shared folder, fully fledged document management system
• Train your staff (all of them) and provide them with tools they can use right away
  • ways to safely transfer personal data
  • encryption options, safe devices or a guideline to make their device safe
  • data protection 101 / SOS card / contact details of a team or person to reach out to when in doubt
  • ways to safely delete/destroy unneeded personal data - shredding machines
  • password manager – seriously: get one for your team and make them use it.
worst! Assume a data breach will happen – it will.
• Set up communication strategies (who needs to talk to whom, and when?)
• Recovery plans, security specialists and contracts in place
• Remember – you've got 72 hours to provide authorities with a qualified notice!
users with their own accounts, make sure you grant access only if needed and revoke access once the need is gone.
=> Covered by Drupal core
• Have a process to manage your site updates in time (automated attacks within hours after release - this is the world we live in)
=> Be it a manual process, or use something like dropguard. Acquia has RA environments as well...
• Do you have forms on your page in which personal data should/can be entered? (Login form, newsletter, contact form, comment form, order form - just about any form)
=> Enable HTTPS encryption!
• Use Ghostery to check your page for external assets and trackers
• Google Fonts, social media buttons, embedded social media items, external JS files from libraries - get rid of them or gather consent first (the EU Cookie Compliance module has ways for this), or use 2+ click solutions such as Shariff to toggle them on
=> https://www.drupal.org/project/shariff
* Can be applied to other systems as well
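An added example (not from the talk) of the external-asset check described above, done with a script instead of a browser extension: it parses a page's HTML and lists every script, stylesheet, iframe or image that a visitor's browser would fetch from a host other than your own. The sample page, hosts and paths are constructed for the example.

```python
# Added example (not from the talk): list third-party assets a page pulls in.
# Every <script src>, <link href>, <iframe src> or <img src> pointing at another
# host is a request the visitor's browser makes before any consent is given.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute that carries the remote URL for each tag we care about.
ASSET_ATTRS = {"script": "src", "link": "href", "iframe": "src", "img": "src"}


class ExternalAssetScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.external = []  # (tag, url) pairs that point at other hosts

    def handle_starttag(self, tag, attrs):
        attr = ASSET_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        # Protocol-relative URLs ("//cdn.example.net/x.js") leave the site too;
        # give them a scheme so urlparse sees the host.
        parsed = urlparse("https:" + url if url.startswith("//") else url)
        if parsed.hostname and parsed.hostname.lower() != self.site_host:
            self.external.append((tag, url))


def find_external_assets(html, site_host):
    """Return the (tag, url) third-party references found in html, in page order."""
    scanner = ExternalAssetScanner(site_host)
    scanner.feed(html)
    return scanner.external


# Constructed sample page: local CSS and JS, a fonts stylesheet, an analytics
# script and an embedded social-media iframe (all hosts are examples).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/sites/default/files/css/main.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/core/misc/drupal.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
</head><body>
<iframe src="https://www.facebook.com/plugins/like.php?href=x"></iframe>
<img src="https://www.example.org/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_external_assets(SAMPLE_HTML, "www.example.org"):
        print(f"{tag:7}{url}")
```

Run it against a saved copy of each of your own pages; every line it prints is a third-party request to justify, replace with a local copy, or put behind a consent toggle.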
forms with already ticked checkboxes are a no-no
=> profile2, gdpr module
• Use double opt-in to verify email addresses and their consent for you to contact them
• Update your data protection statement
• Update any forms gathering personal data and provide information about the data subject rights
=> gpdr_form_compliance
• Have dev, stage and prod environments.
• Don't use live data with personal data on dev and stage - treat it as toxic information
=> modules: Gpdr, mask_user_data, scrambler
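An added example (not from the talk, and not the code of the modules it names) of the "treat live data as toxic" point: a user export is pseudonymised before it is loaded into dev or stage. Field names, the sample records and the key are constructed for the example.

```python
# Added example (not from the talk or the modules it names): pseudonymise a user
# export before it goes to dev/stage. PII fields get deterministic fake values
# derived from an HMAC, so joins between tables still work (same real user, same
# fake user) while no real name, e-mail or phone leaves production. The key stays
# in production; without it the mapping can neither be reversed nor rebuilt.
import hashlib
import hmac

# Fields to mask; everything else (ids, timestamps, status flags) passes through.
PII_FIELDS = ("name", "mail", "phone", "address")


def _token(key, value, length=10):
    """Stable, keyed, non-reversible replacement token for one field value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def pseudonymise_user(record, key):
    """Return a copy of one user record with its PII fields replaced."""
    out = dict(record)  # never mutate the production row itself
    for field in PII_FIELDS:
        if not out.get(field):
            continue  # missing or empty fields stay as they are
        tok = _token(key, out[field])
        if field == "mail":
            # Syntactically valid address on a reserved, undeliverable domain.
            out[field] = f"user-{tok}@example.invalid"
        elif field == "phone":
            out[field] = "+000" + str(int(tok, 16) % 10**7).zfill(7)
        else:
            out[field] = f"{field}-{tok}"
    return out


def pseudonymise_export(records, key):
    """Pseudonymise a whole export (a list of user dicts)."""
    return [pseudonymise_user(r, key) for r in records]


# Constructed sample export; these are not real people.
SAMPLE_USERS = [
    {"uid": 7, "name": "Steve Example", "mail": "steve@example.tld",
     "phone": "+123123123", "address": "1 Main St", "status": 1},
    {"uid": 8, "name": "Jane Doe", "mail": "jane@example.tld",
     "phone": "", "address": "2 Side Rd", "status": 0},
]

if __name__ == "__main__":
    key = b"PLACEHOLDER-production-only-secret"  # real key lives in prod secrets
    for user in pseudonymise_export(SAMPLE_USERS, key):
        print(user)
```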
have Facebook site owners be responsible together with Facebook for the processing of personal data on those pages (this ruling can and will be applied to other (social media) platforms as well)
• https://curia.europa.eu/jcms/jcms/p1_1094403
• "The administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of data of visitors to the page"
Berg https://www.youtube.com/watch?v=WCg_iQinzfA
• Fun and profit from GDPR by Mikko Hämäläinen (Druid) - DrupalCamp Nordics 2017 https://www.youtube.com/watch?v=uQ2d8qRg1WY&t=1s
• New EU privacy legislation (GDPR) and Drupal by Kalle Varisvirta (Exove) - DrupalCamp Nordics 2017 https://www.youtube.com/watch?v=bfOWTpY5_nw
• Rob Humphries - Get ready for GDPR https://www.youtube.com/watch?v=15aB8-wVg3I
• GDPR Compliance with Google Analytics – Do You Need Cookie Consent https://www.youtube.com/watch?v=G7KHJBsu2Yo