
GDPR for Nerds

"GDPR for Nerds": Intro to the GDPR with a focus on IT professionals. I gave this presentation at Loadays 2018 in Antwerp, Belgium

Frank Louwers

April 22, 2018
Transcript

  1. GDPR FOR NERDS: A NOT SO BORING (?) INTRO TO THE GDPR
  2. WHOAMI: FRANK LOUWERS, @FRANK_BE
     ▸ Built, grew and sold a hosting company (15+ years)
     ▸ Freelance consultant
     ▸ Startup: gdpr-butler.eu
  3. TINASP ! IANAL

  4. GDPR FOR NERDS

  5. GDPR … (BORING, BUT NEEDED): GDPR = General Data Protection Regulation
  6. GDPR … GENERAL
     ▸ Applies to controllers and processors established in the EU: for all personal data they process, regardless of the data subject’s citizenship
     ▸ Applies to controllers and processors outside the EU: for all personal data they process about people in the EU (when offering them goods or services, or monitoring their behaviour)
  7. GDPR … PERSONAL DATA
     ▸ “any information relating to an identified or identifiable natural person (‘data subject’)”
     ▸ “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Art. 4(1))
  8. GDPR … PROTECTING INDIVIDUALS’ RIGHTS
     ‣ Processed lawfully, fairly, transparently
     ‣ Purpose limitation
     ‣ Data minimisation
     ‣ Accurate and up-to-date processing
     ‣ Limitation of storage
     ‣ Confidential and secure
     ‣ Accountability and liability
  9. GDPR … REGULATION
     ▸ EU “Regulation”: effective without needing to be transposed into local law
     ▸ All EU countries
     ▸ From May 25th 2018
  10. TWTBS! T4AQ

  11. SCOPE: DOES THE GDPR APPLY TO A US BANK TARGETING US EXPATS LIVING IN EUROPE?
  12. SCOPE: DOES THE GDPR APPLY TO A US BANK TARGETING US EXPATS LIVING IN EUROPE? YES!
  13. SCOPE: DOES THE GDPR APPLY TO FACEBOOK IRELAND, REGARDING JAPANESE CUSTOMERS?
  14. SCOPE: DOES THE GDPR APPLY TO FACEBOOK IRELAND, REGARDING JAPANESE CUSTOMERS? YES!
  15. “DATA” MEANS PII DATA?

  16. “DATA” MEANS PII DATA? NO!

  17. DATA … PERSONAL DATA: “The slightly-gray-haired gentleman with glasses, at the Speakers Dinner, wearing a shirt that resembles the Slack logo”
     ‣ Not PII
     ‣ But is Personal Data
     Sorry Toshaan!
  18. LAWFUL PROCESSING: YOU MUST HAVE CONSENT IF YOU WANT TO PROCESS PERSONAL DATA
  19. LAWFUL PROCESSING: YOU MUST HAVE CONSENT IF YOU WANT TO PROCESS PERSONAL DATA … NO!
  20. LAWFUL PROCESSING: CONSENT
     ▸ Consent must be: freely given, specific, informed, unambiguous, and given by a statement or by a clear affirmative action
  21. LAWFUL PROCESSING: THE LEGAL BASES
     ▸ Consent
     ▸ Contract
     ▸ Legal obligation
     ▸ Vital interests (forget this one …)
     ▸ Public task (forget this one …)
     ▸ Legitimate Interests (intra-group transfers, IT security, fraud prevention, marketing …)
  22. I HAVE AN ABSOLUTE RIGHT TO BE FORGOTTEN! RIGHTS…

  23. I HAVE AN ABSOLUTE RIGHT TO BE FORGOTTEN! RIGHTS… NO*!
  24. I HAVE AN ABSOLUTE RIGHT TO BE FORGOTTEN! RIGHTS… NO*! (*: it depends)
  25. RIGHT TO BE FORGOTTEN: SHOULD BE HONOURED … UNLESS YOU CAN’T
     ▸ Another obligation has priority:
     ▸ Contract
     ▸ Legal obligation
     ▸ Vital interests
     ▸ Public task
     ▸ Legitimate Interests (but be careful)
  26. RIGHTS … OTHER RIGHTS
     ▸ Right of access to data (“Subject Access Request” or SAR)
     ▸ Right to rectification
     ▸ Right to restrict processing
     ▸ Right to object
     ▸ Right to data portability
  27. MY ORGANISATION NEEDS A DPO DPO…

  28. MY ORGANISATION NEEDS A DPO DPO… NO*!

  29. MY ORGANISATION NEEDS A DPO DPO… NO*! (*: it depends)
  30. DPO: WHEN DO YOU NEED ONE?
     ▸ Public authority (even a tiny one)
     ▸ Core activities require regular and systematic monitoring of data subjects on a large scale
     ▸ Core activities involve processing “sensitive data” on a large scale
  31. DPO … SENSITIVE DATA? Data about a subject’s:
     ▸ Health
     ▸ Genetics
     ▸ Biometrics
     ▸ Sexual preferences, orientation or data about sex life
     ▸ Political, religious, philosophical beliefs
     ▸ Trade union membership
     ▸ Criminal records
  32. GDPR FOR NERDS

  33. HOW TO BECOME GDPR COMPLIANT?

  34. GET GDPR-CERTIFIED!

  35. GET GDPR-CERTIFIED! NO!

  36. ADHERE TO A CODE OF CONDUCT

  37. ADHERE TO A CODE OF CONDUCT: NO!

  38. BECOME ISO 27001 CERTIFIED

  39. BECOME ISO 27001 CERTIFIED: NO*!

  40. BECOME ISO 27001 CERTIFIED: NO*! (*: it might help)

  41. GDPR CERTIFICATION IN FIVE EASY STEPS … GDPR COMPLIANCE?
     1. Think about the data your organisation processes and map them
        ▸ Requirement: “Register” of processing activities (e.g. gdpr-butler.eu)
        ▸ Why / Whose / What / When / Where
     2. Think about the security and privacy of your systems:
        ‣ Adequate security (encryption, access control, …)
        ‣ “Privacy by design”: e.g. the dev DB contains no real data
        ‣ “Privacy by default”: the default settings are the privacy-friendly ones
        ‣ ISO 27001 can be a guide, but is not even mentioned in the GDPR
  42. GDPR CERTIFICATION IN FIVE EASY STEPS … GDPR COMPLIANCE?
     3. Be transparent and honest
        ‣ Privacy policy
        ‣ Mandatory: log data breaches (gdpr-butler.eu)
        ‣ Have an emergency plan in case of a breach
        ‣ Have a procedure to handle SARs (Subject Access Requests)
     4. Third parties that process your data? Contract needed (see next slide)
     5. Open a drawing app, design and print a nice “GDPR Certified” logo, frame it, hang it in your office and demand a pay raise!
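Step 2’s “dev DB contains no real data” is the one item in these five steps you can actually implement in code. The following is an added example, not code from the talk or from gdpr-butler.eu: it turns a production customer table into a development copy by dropping fields the dev team does not need (data minimisation), coarsening the rest, and replacing identifiers with keyed HMAC pseudonyms so rows stay joinable across tables. The column names, the sample rows and the key are constructed for illustration. Two caveats the slide does not spell out: a plain hash of an e-mail address is trivially reversed by hashing a list of candidate addresses, so the key is what makes the pseudonym unrecognisable; and whoever holds that key can re-identify people, so the output is still personal data for the key holder (GDPR Recital 26). Keep the key in production and never ship it with the dev copy.

```python
"""Build a development copy of a customer table that contains no real personal data.

Added example (not from the talk). Field names, sample rows and the key are
assumptions for illustration; adapt DROP_FIELDS / PSEUDONYMISE_FIELDS to your schema.
"""
import hashlib
import hmac
import secrets

# Constructed sample rows: fictional people, invented addresses.
CUSTOMERS = [
    {"id": 1001, "email": "ann.example@example.org", "name": "Ann Example",
     "birthdate": "1984-07-12", "postcode": "2000 Antwerpen", "notes": "Called about invoice 42"},
    {"id": 1002, "email": "bert@example.net", "name": "Bert Voorbeeld",
     "birthdate": "1991-02-03", "postcode": "1000 Brussel", "notes": "Prefers email"},
]

DROP_FIELDS = {"name", "notes"}         # dev does not need these: data minimisation
PSEUDONYMISE_FIELDS = {"id", "email"}   # keep joinable across tables, but unrecognisable


def pseudonym(value, key):
    """Keyed HMAC-SHA256 of the value, truncated to 16 hex characters.

    The secret key is what stops a dictionary attack (hash every address you can
    think of, compare). It must live only in production: the key holder can still
    re-identify, so for them this output is pseudonymous personal data, not anonymous.
    """
    mac = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def generalise_birthdate(birthdate):
    """Keep only the birth year: enough for age-based logic, far less identifying."""
    return birthdate[:4]


def generalise_postcode(postcode):
    """Keep the four-digit postcode, drop the municipality name (assumed 'NNNN Name' format)."""
    return postcode.split()[0]


def scrub_row(row, key):
    """Apply drop / pseudonymise / generalise rules to one record."""
    out = {}
    for field, value in row.items():
        if field in DROP_FIELDS:
            continue
        if field in PSEUDONYMISE_FIELDS:
            out[field] = pseudonym(value, key)
        elif field == "birthdate":
            out[field] = generalise_birthdate(value)
        elif field == "postcode":
            out[field] = generalise_postcode(value)
        else:
            out[field] = value
    return out


def scrub_table(rows, key):
    return [scrub_row(r, key) for r in rows]


def contains_original_identifiers(scrubbed, originals):
    """Sanity check before loading the dev DB: no original identifying value may survive."""
    identifying = {str(r[f]) for r in originals for f in ("id", "email", "name", "notes", "birthdate")}
    leaked = {str(v) for r in scrubbed for v in r.values()} & identifying
    return bool(leaked)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once, stored in production only
    dev_rows = scrub_table(CUSTOMERS, key)
    for r in dev_rows:
        print(r)
    if contains_original_identifiers(dev_rows, CUSTOMERS):
        raise SystemExit("refusing to export: original identifiers leaked into dev copy")
```

Because the same key gives the same pseudonym for the same input, a `customers` and an `orders` export scrubbed with that key still join on `id`; rotate the key and the dev copy becomes unjoinable with older exports, which is usually what you want when you refresh it.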
  43. CONTROLLERS, PROCESSORS, SUB-PROCESSORS AND ON AND ON AND ON … PROCESSORS
     ‣ Controller: the entity that decides why and how the data is processed (colloquially: “owns” the data)
     ‣ Processor: party who “processes” data on behalf of a controller
     ‣ Sub-processor: processor of a processor
  44. CONTROLLERS, PROCESSORS, SUB-PROCESSORS AND ON AND ON AND ON … LEGAL CONTRACTS
     ‣ There needs to be a contract between controller and processor
     ‣ Most of it can be added to general T&C
     ‣ Important: shared liability, cannot be shifted either way!
     ‣ Processor can use sub-processors, but must name them
     ‣ “It depends”: a general description is enough in some cases
     ‣ In theory, the controller can object to a new sub-processor …
  45. CONTROLLERS, PROCESSORS, SUB-PROCESSORS AND ON AND ON AND ON … WHAT IS PROCESSING?
     “operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Art. 4(2))
  46. CONTROLLERS, PROCESSORS, SUB-PROCESSORS AND ON AND ON AND ON … WHAT IS PROCESSING?
     ‣ Hosting? Yes
     ‣ Backup services? Yes (unless the client encrypts the data before handing it to you)
     ‣ Having read-only access to an analytics account and using that data to optimise the site? Yes
     ‣ Having a root shell on your customer’s storage server? Yes
     ‣ Having access to the customer’s VPN router? Yes
     ➡ My advice: if in doubt, consider it processing!
  47. WHERE ARE MY SERVERS? I CAN ONLY USE SERVERS IN THE EU
  48. WHERE ARE MY SERVERS? I CAN ONLY USE SERVERS IN THE EU … NO*!
  49. WHERE ARE MY SERVERS? I CAN ONLY USE SERVERS IN THE EU … NO*! (*: but it might make things easier)
  50. WHERE ARE THE SERVERS? WHERE THE FRAK ARE THE SERVERS?
     ‣ You can only use EEA (EU + Iceland + Norway + Liechtenstein) processors or sub-processors, unless:
     ‣ The country is on the EU list of countries offering “adequate” (equal) protection:
       ‣ USA, if the recipient is Privacy Shield certified (valid at the time of this talk; the Privacy Shield was struck down by the CJEU in July 2020)
       ‣ most of Canada
       ‣ Switzerland, Argentina, Israel, New Zealand
     ‣ “Standard Contractual Clauses”: model contract drafted by the EU Commission
     ‣ Binding Corporate Rules: for an international group of companies
  51. WHERE ARE MY SERVERS? AFTER MARCH 2019, I NEED EXTRA CONTRACTS FOR THE UK
  52. WHERE ARE MY SERVERS? AFTER MARCH 2019, I NEED EXTRA CONTRACTS FOR THE UK … NO!
  53. WHERE ARE MY SERVERS? AFTER MARCH 2019, I NEED EXTRA CONTRACTS FOR THE UK … NO! YES!
  54. EVERY DATA BREACH NEEDS TO BE REPORTED PAPA DON’T BREACH

  55. PAPA DON’T BREACH … EVERY DATA BREACH NEEDS TO BE REPORTED: NO*!
  56. PAPA DON’T BREACH … EVERY DATA BREACH NEEDS TO BE REPORTED: NO*! (*: it depends)
  57. PAPA DON’T BREACH … A DATA BREACH WILL RESULT IN A FINE
  58. PAPA DON’T BREACH … A DATA BREACH WILL RESULT IN A FINE: NO*!
  59. PAPA DON’T BREACH … A DATA BREACH WILL RESULT IN A FINE: NO*! (*: it depends)
  60. PAPA DON’T DATA-BREACH … DATA BREACHES
     ▸ All data breaches need to be noted in a register (even the ones you do not report)
     ▸ Breach likely to result in a risk to people’s rights and freedoms?
       ➡ report to the supervisory authority within 72 hours of becoming aware of the breach
       ➡ high risk to the people concerned? Also inform them, without undue delay
     ▸ Having a data breach does not in itself get you fined; hiding it, reporting it late, or having had no adequate security in the first place can
     ▸ “Tell it all, tell it fast, tell the truth”
  61. 5P2TA…

  62. 5P2TA … TAKE-AWAYS FROM THIS PRESENTATION
     ▸ The GDPR is real, your organisation is probably affected!
     ▸ All “GDPR Certification” programs are bullsh*t
     ▸ Be transparent, think about data and security
     ▸ Controller–processor agreements
     ▸ Work in/for a larger organisation? Prepare for a data breach and for SARs
  63. Q & A http://bit.ly/gdprfornerds (as of tomorrow) @FRANK_BE FRANK@LOUWERS.BE