Upgrade to Pro — share decks privately, control downloads, hide ads and more …

General Data Protection Regulation, a developer's story

October 26, 2017

General Data Protection Regulation, a developer's story

On May 25, 2018 all companies collecting and processing data of people from within the European Union must comply to the General Data Protection Regulation or GDPR. In this talk we'll cover what the GDPR is and how it will impact businesses within the EU and abroad, what can be done to comply to this regulation and how to proceed further. This talk will not provide you legal answers, but will give you technology solutions that will make your applications compliant to these regulations. Even if you're not processing data from the EU, these solutions will offer you better protection to the data you currently keep and will ensure that in the case of a breach, the impact will be minimum.


October 26, 2017

More Decks by DragonBe

Other Decks in Business



    accounts hacked financial exposure (credit), credit card data & personal information Ashley Madison (2015) 37 Million accounts hacked extorsion, divorces, suicides OPM (2015) 21 Million US government personnel foreign assets, informant data, addictions & relationship issues
  2. DISCLAIMER This is not “legal advice” and all points made

    should be checked with your company’s legal department or consult a legal advisor for your specific situation!
  3. GENERAL DATA PROTECTION REGULATION (GDPR) ➤ More strict modification of

    already existing advisories (not rules) of best practices towards protecting privacy data in EU ➤ Become law in all 28 EU countries on May 25, 2018 ➤ Impact all businesses that collect and process privacy related data of EU data subjects (even outside of EU)
  4. WHAT GDPR WANTS TO PROTECT Religion & Beliefs Physical Appearance

    Cultural Background Sexual Orientation Social Status Financial Strength Mental State Medical Conditions Studies & Education Memberships Loyalty Programs Identity & Nationality
  5. WHAT IS CONSIDERED “PRIVATE DATA”? ➤ Name, email address, home

    address, phone number ➤ Social security number, national identity number, passport number ➤ Medical data, social status, religion, political views, sexual orientation, nationality, financial balance ➤ Concert tickets, travel arrangements, library cards, loyalty programs ➤ IP addresses with timestamps ➤ and much more…
  6. RULE OF THUMB Any piece of information that can point

    to a single individual within the EU
  7. PROTECT & SERVE ➤ Protect data of EU data subjects

    ➤ Secure the way you store data ➤ Audit access to data ➤ Know what data is kept in the company
  8. FINES & PENALTIES ➤ up to 10 million Euro or

    2% of annual global turnover ➤ up to 20 million Euro or 4% of annual global turnover for more severe infringements
  9. IMPROVE SECURITY GDPR is a risk based approach to protect

    privacy data. All measures to ensure this protection will improve your overal security.
  10. IN2IT CASE STUDY - 25 external services - 2 continents

    (EU & NA) - No agreements with providers - No consent for data transfer - Limited encryption of data ✓ Automated deployment processes ✓ Signed code and releases ✓ Strict Access Control ✓ 5 external services ✓ 2 continents with Module Clause for US and Canadian services ✓ Contracts with all providers ✓ Consent for data transfer ✓ All data encrypted (in-transit and at rest) ✓ Automated deployment processes ✓ Signed code, release and documents ✓ Strict Access Control
  11. PASSWORD MANAGEMENT ➤ Don’t store data access passwords in common

    repository ➤ Don’t keep passwords in environment variables* ➤ Make use of an Identity Management System to manage ➤ SSH keys ➤ API keys ➤ DSN’s ➤ Public keys (*) Why not use environment variables: diogomonica.com
  12. HASHICORP VAULT ➤ Tool for managing secrets ➤ vaultproject.io ➤

    Secures, stores and controls ➤ access tokens ➤ passwords ➤ certificates ➤ API keys ➤ … others ➤ Access Control ➤ Key Rolling ➤ Configurable lease time ➤ Audit logs ➤ Open Source

    data ➤ Automate anonymising of privacy data ➤ Automate encryption of privacy data

    Data Storage File Storage Log Storage Backup Storage Public - private key exchange| encrypted data storage
  15. Accept: text/html,application/xhtml+xml,application/xml;q=0.9 Accept-Encoding: gzip, deflate, br Accept-Language: en-GB,en;q=0.8,en-US;q=0.6,nl;q=0.4 Cache-Control: max-age=0

    Connection: keep-alive DNT: 1 Host: www.example.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (<script>alert(‘Filter Input, Escape Output’);</script>)

    1 !== (int) $_SERVER[‘HTTP_DNT’]): ?> <!-- show your Google Analytics Script Here --> <?php endif ?>
  17. REDUCE ACCESS TO DETAILS If a user has other ways

    to communicate with your clients, remove the visible display of common data elements like full names, email and shipment addresses and phone numbers.
  18. SAME FUNCTIONALITY, BUT KEEPS DATA HIDDEN ➤ Prevents accidentally exposing

    email and phone numbers (e.g. during a call) ➤ Hides details from end-user, but functionality is still provided ➤ Sending out an email uses build-in mail client ➤ Making calls uses a phone middleware used in the company ➤ Gives clear audit trail on who accessed what
  19. NOT 100% PROTECTION, BUT… ➤ We remove the personal one-on-one

    communication with customers ➤ We add better access management on customer communication ➤ Full audit trail now possible as communication stays in-application ➤ Less chance for data loss as contact details are kept away from users
  20. SOME RESOURCES ➤ European Commission: Protection of personal data ➤

    EU GDPR Infograph ➤ Charting the Course to GDPR: Setting Sail ➤ Deloitte GDPR Series ➤ InfoSecurity Group GDPR Checklist ➤ Securing MongoDB ➤ Table and tablespace encryption on MariaDB 10.1
  21. in it 2 PROFESSIONAL PHP SERVICES Michelangelo van Dam Zend

    Certified Engineer [email protected] - www.in2it.be - T in2itvof - F in2itvof Consulting Automation Training