
GDPR for Nerds


"GDPR for Nerds": Intro to the GDPR with a focus on IT professionals. I gave this presentation at Loadays 2018 in Antwerp, Belgium

Frank Louwers

April 22, 2018


Transcript

  1. WHOAMI
     ▸ Frank Louwers, @frank_be
     ▸ Built, grew and sold a hosting company (15+ years)
     ▸ Freelance consultant
     ▸ Startup: gdpr-butler.eu
  2. GDPR … GENERAL
     ▸ Applies to “processors” in Europe: for all personal data they process, regardless of citizenship
     ▸ Applies to processors outside Europe: for all personal data they process for all EU inhabitants
  3. GDPR … PERSONAL DATA
     ▸ Any information relating to an identified or identifiable natural person (‘data subject’).
     ▸ An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  4. GDPR … PROTECTING INDIVIDUALS’ RIGHTS
     ‣ Processed lawfully, fairly, transparently
     ‣ Purpose limitation
     ‣ Data minimisation
     ‣ Accurate and up-to-date processing
     ‣ Limitation of storage
     ‣ Confidential and secure
     ‣ Accountability and liability
  5. GDPR … REGULATION
     ▸ EU “Regulation”: effective without need to translate into local law
     ▸ All EU countries
     ▸ On May 25th 2018
  6. SCOPE: Does the GDPR apply to a US bank targeting US expats living in Europe?
  7. SCOPE: Does the GDPR apply to a US bank targeting US expats living in Europe? YES!
  8. PERSONAL DATA: “The slightly-gray-haired gentleman with glasses, at the Speakers Dinner, wearing a shirt that resembles the Slack logo”
     ‣ Not PII
     ‣ But is Personal Data
     Sorry Toshaan!
  9. LAWFUL PROCESSING: CONSENT
     ▸ Consent: freely given, specific, informed, unambiguous, by a statement or by a clear affirmative action
  10. LAWFUL PROCESSING
     ▸ Consent
     ▸ Contract
     ▸ Legal obligation
     ▸ Vital interests (forget this one …)
     ▸ Public task (forget this one …)
     ▸ Legitimate interests (intra-group transfers, IT security, fraud prevention, marketing …)
  11. RIGHT TO BE FORGOTTEN: The right to be forgotten should be honoured … unless you can’t
     ▸ Another obligation that has priority: Contract, Legal obligation, Vital interests, Public task, Legitimate interests (but be careful)
  12. RIGHTS: OTHER RIGHTS…
     ▸ Right of access to data (“Subject Access Request” or SAR)
     ▸ Right to rectification
     ▸ Right to restrict processing
     ▸ Right to object
     ▸ Right to data portability
  13. DPO: WHEN DO YOU NEED A DPO?
     ▸ Public authority (even a tiny one)
     ▸ Core activities require regular and systematic processing at large scale
     ▸ Core activities involve processing on a large scale of “sensitive data”
  14. DPO: SENSITIVE DATA? Data about a subject’s:
     ▸ Health
     ▸ Genetics
     ▸ Biometrics
     ▸ Sexual preferences, orientation or data about sex life
     ▸ Political, religious, philosophical beliefs
     ▸ Trade union membership
     ▸ Criminal records
  15. GDPR CERTIFICATION IN FIVE EASY STEPS: GDPR COMPLIANCY?
     Step 1: Think about the data your organisation processes and map them
       ▸ Requirement: “Register” of processing activities (e.g. gdpr-butler.eu)
       ▸ Why / Whose / What / When / Where
     Step 2: Think about security and privacy of your systems
       ‣ Adequate security (encryption, access control, …)
       ‣ “Privacy by design”: e.g. the dev DB contains no real data
       ‣ “Privacy by default”: default settings
       ‣ ISO 27001 could be a guidance but is not even mentioned in the GDPR
  16. GDPR CERTIFICATION IN FIVE EASY STEPS: GDPR COMPLIANCY?
     Step 3: Be transparent and honest
       ‣ Privacy policy
       ‣ Mandatory: log data breaches (gdpr-butler.eu)
       ‣ Have an emergency plan in case of a breach
       ‣ Have a procedure to handle SARs (Subject Access Requests)
     Step 4: Third parties that process your data? Contract needed (see next slide)
     Step 5: Open a drawing app, design and print a nice GDPR Certified logo, frame it, hang it in your office and demand a pay raise!
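As an added example (not from the deck), one way to apply step 2's "privacy by design: the dev DB contains no real data": a dump sanitiser that rewrites the columns which are personal data in the deck's sense (name, identification number, online identifier such as an e-mail address or IP) with a keyed hash, so foreign keys still join across tables while non-personal columns pass through. The schema, column names, key and sample rows are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Placeholder key (assumption): load it from a secrets store and keep it out of the dev environment.
PSEUDONYM_KEY = b"replace-with-a-real-secret"


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: the same real value always yields the same token, so foreign keys
    still join across tables, but the token is not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def truncate_ip(value: str) -> str:
    """Keep only the network part of an address (/24 for IPv4, /48 for IPv6)."""
    prefix = 24 if ipaddress.ip_address(value).version == 4 else 48
    return str(ipaddress.ip_interface(f"{value}/{prefix}").network.network_address)


# Replacement rule per column that is personal data in the deck's sense (name,
# identification number, online identifier, location data). Other columns pass through.
RULES = {
    "customer_id": lambda v: "C" + pseudonym(v),
    "name": lambda v: "Person " + pseudonym(v)[:8],
    "email": lambda v: f"user-{pseudonym(v)}@example.invalid",
    "ip": truncate_ip,
}


def sanitise_row(row: dict) -> dict:
    """Apply RULES to one row; None stays None so nullable columns keep their shape."""
    return {col: RULES[col](val) if col in RULES and val is not None else val
            for col, val in row.items()}


def sanitise_dump(tables: dict) -> dict:
    """Sanitise every table of a dump: {table_name: [row, ...]} in, same shape out."""
    return {name: [sanitise_row(r) for r in rows] for name, rows in tables.items()}


# Constructed sample dump (hypothetical schema, not real data).
PROD_DUMP = {
    "customers": [
        {"customer_id": "1001", "name": "Alice Example", "email": "alice@example.org",
         "ip": "203.0.113.42", "plan": "pro"},
        {"customer_id": "1002", "name": "Bob Example", "email": None,
         "ip": "2001:db8:abcd:1234::1", "plan": "free"},
    ],
    "orders": [{"order_id": 1, "customer_id": "1001", "amount": 42.0},
               {"order_id": 2, "customer_id": "1001", "amount": 7.5}],
}
```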
  17. CONTROLLERS, PROCESSORS, SUBPROCESSORS AND ON AND ON AND ON: PROCESSORS
     ‣ Controller: the entity who “controls” (owns) the data
     ‣ Processor: party who “processes” data for a controller
     ‣ Sub-processor: processor of a processor
  18. CONTROLLERS, PROCESSORS, SUBPROCESSORS AND ON AND ON AND ON: LEGAL CONTRACTS
     ‣ There needs to be a contract between controller and processor
     ‣ Most of it can be added to general T&C
     ‣ Important: shared liability, cannot be shifted either way!
     ‣ Processor can use sub-processors, but must name them
     ‣ “It depends”: a general description is enough in some cases
     ‣ In theory, the controller can object to a new sub-processor…
  19. CONTROLLERS, PROCESSORS, SUBPROCESSORS AND ON AND ON AND ON: WHAT IS PROCESSING?
     “operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
  20. CONTROLLERS, PROCESSORS, SUBPROCESSORS AND ON AND ON AND ON: WHAT IS PROCESSING?
     ‣ Hosting? Yes
     ‣ Backup services? Yes (unless the client encrypts it before they hand it to you)
     ‣ Having read-only access to an analytics account and using that data to optimise a site? Yes
     ‣ Having a root shell on the storage server of your customer? Yes
     ‣ Having access to the customer’s VPN router? Yes
     ➡ My advice: if in doubt, consider it processing!
  21. WHERE ARE MY SERVERS? “I can only use servers in the EU”: NO*! *: but it might make things easier
  22. WHERE ARE THE SERVERS? WHERE THE FRAK ARE THE SERVERS?
     ‣ You can only use EEA (EU + Iceland + Norway + Liechtenstein) processors or subprocessors, unless:
       ‣ List of countries offering “equal protection”: USA if Privacy Shield compliant; most of Canada; Switzerland, Argentina, Israel, New Zealand
       ‣ “Standard clauses”: model contract drafted by the EU
       ‣ Binding Corporate Rules: international group of companies
  23. WHERE ARE MY SERVERS? “After March 2019, I need extra contracts for the UK”: NO! YES!
  24. PAPA DON’T BREACH … “A data breach will result in a fine”: NO*! *: it depends
  25. PAPA DON’T DATA-BREACH … DATA BREACHES
     ▸ All data breaches need to be noted in a register
     ▸ Breach likely to result in a risk to people’s rights and freedoms? ➡ Report within 72 hours of becoming aware of the breach
     ▸ You won’t get fined if you have a data breach!
     ▸ “Tell it all, tell it fast, tell the truth”
  26. TAKE AWAY FROM THIS PRESENTATION…
     ▸ The GDPR is real, your organisation is probably affected!
     ▸ All “GDPR Certification” programs are bullsh*t
     ▸ Be transparent, think about data, security
     ▸ Controller - Processor agreements
     ▸ Work in/for a larger organisation? Prepare for data breach and SAR