GDPR introduction for Blogs & Small SaaS

Disclaimer: I am a developer, not a lawyer. This is put together from information I gathered for my own side project. So YMMV.

---

This is a talk I gave at the Frankfurt Ruby Meetup. It gives an introduction to the new things that came with GDPR and what I considered for my own blog.

Klaus Zanders

May 23, 2018

Transcript

  1. GDPR: Lift the fog. Explain what's new; what do you need for your blog?
  2. Disclaimer
     - I am not a lawyer, this is not legal advice
     - I have talked to some, listened to some
     - If you are a company and haven't updated your data protection policies, try to get a data protection lawyer or specialist right now! They're very scarce right now
     - What I'm gonna tell you is what I did for my side project, your mileage may vary
  3. GDPR? Why is everybody talking about it? Why should I care? Why do I get so many mails mentioning it? What happens on May 25th? Will I still be able to run a blog without getting in trouble??
  4. Personally Identifiable Information
     - Everything that can be used to identify a person
     - Regardless of whether you yourself can do it
     - Especially protected: information about ethnicity, religion, sexuality, health, …
     - Change with GDPR: IP explicitly stated (previously based on court orders)
  5. EXEMPTION: If you only process data privately, then GDPR does not bother you („household exemption“). You do something online? It's not private!
  6. When is it allowed to process PII? This is where we go into the law… Article 6, No. 1 a-f GDPR
  7. Article 6, No 1, b: Processing is necessary to fulfill a contract
     - Require address & payment data for an online shop
     - This includes forwarding this data to a delivery company or a bank
     - Contractual obligation could be marketing related (e.g. Payback)
  8. Article 6, No 1, c-e: Processing is necessary for legal obligations (c), for vital interests of the subject (d), or is carried out in the public interest (e)
     - Data retention („Vorratsdatenspeicherung“) by ISPs
     - Emergency care in a hospital
     - Taxes
  9. Article 6, No 1, f: Processing is necessary for the purposes of the legitimate interests of the controller
     - Weighing of your and the user's interests
     - Example: Using tracking like Google Analytics
     - Your interest: reach measurement, know your audience, improvement of user experience
     - User's interest: not getting profiled by Google
     - This will be finally decided by the courts.
  10. Article 6, No 1, a: Processing is allowed when the subject has given consent
     - Getting explicit consent is hard
     - You have to prove:
       - that the subject has given you consent (date, IP, …)
       - that the subject was able to give consent (minimum age: 16 in Germany, 14 in some other member states, down to 12 is possible)
  11. Article 6, No 1, a: Processing is allowed when the subject has given consent
     - Users can revoke their consent.
     - You have to stop processing their data immediately
     - Revocation is only valid for the future: you have to stop sending them your newsletter, but you don't have to delete everything from your history.
  12. Article 6, No 1, a: Processing is allowed when the subject has given consent
     - Consent is explicitly required for the following things:
       - Newsletters (if sign-up is part of another process like order checkout)
       - Processing of especially protected data: ethnicity, religion, sexuality, health, …
  13. Article 6, No 1, a: Processing is allowed when the subject has given consent
     - Informed consent is explicitly required for the following things:
       - In Germany, according to the „Datenschutzkonferenz“: for any global tracking cookie, before the first cookie is set.
     - Everybody (including GDD e.V.) expects that this will not hold, but courts might decide ¯\_(ツ)_/¯
  14. Article 6, No 1, a: Processing is allowed when the subject has given consent
     - Consent can not be coupled to an unrelated business process
     - Example: You can only place an order if you consent to sign up for a newsletter
     - Consent cannot be „hidden“ in General Terms & Conditions („AGB“)
  15. 3rd parties
     - You have to make sure they comply with the same regulations
     - Contract Agreement („Auftragsvereinbarung“)
     - You are responsible for data protection violations together with the 3rd party
  16. Where may data go?
     - All EU countries are ok
     - EEA countries are ok (list of country flags lost in extraction)
     - Some countries are whitelisted by the EU (list of country flags lost in extraction; the US appears with an asterisk)
     - Currently in talks with: (country flags lost in extraction)
  17. The right to access (Art. 15 & 20)
     - You have to provide all PII you collected from a user upon request.
     - You have to provide it immediately upon request (up to 1 month)
     - You have to make sure you are sending the data to the right person (download in an account is better than sending out emails)
     - If you think a user is abusing his rights, you may deny his request
  18. The right to be forgotten (Art. 17)
     - Delete PII when the user requests so
     - You can decline if there are legal obligations to keep data (tax reasons, etc)
     - If possible you can anonymize data (i.e. blog comments: remove name & email, but keep the content if you cannot link it back to the person)
     - Art. 18: User can restrict what you do with data (stop processing, but keep for legal reasons)
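Two engineering tasks the slides imply, an append-only consent record with the proof from slides 10 and 11 (date, IP, revocation only for the future) and the comment anonymization from slide 18, as an added Ruby example that is not part of the talk; the ledger, the purpose names and the Comment fields are assumptions for illustration, not any real library's API.

```ruby
# Added example, not from the talk. An append-only consent ledger that keeps the
# proof the slides ask for (date and IP) and a comment anonymizer for erasure
# requests. Model names and fields are assumptions, not any real library's API.

ConsentEvent = Struct.new(:user_id, :purpose, :granted, :at, :ip)

class ConsentLedger
  def initialize
    @events = []
  end

  # Record a grant together with the evidence needed to prove it later.
  def grant(user_id, purpose, ip:, at: Time.now.utc)
    @events << ConsentEvent.new(user_id, purpose, true, at, ip)
  end

  # Revocation is appended, not deleted: it only affects the future, so the
  # earlier grant stays in the history as proof of past lawful processing.
  def revoke(user_id, purpose, ip:, at: Time.now.utc)
    @events << ConsentEvent.new(user_id, purpose, false, at, ip)
  end

  # Processing for a purpose is allowed only while the newest event is a grant.
  def consented?(user_id, purpose)
    last = @events.select { |e| e.user_id == user_id && e.purpose == purpose }
                  .max_by(&:at)
    !last.nil? && last.granted
  end

  # Everything held about one user, e.g. for an Art. 15/20 access request.
  def export(user_id)
    @events.select { |e| e.user_id == user_id }.map(&:to_h)
  end
end

# A blog comment: name and email are PII, the text may stay once unlinkable.
Comment = Struct.new(:id, :user_id, :author_name, :author_email, :body)

# Art. 17 for comments: strip the identifying fields, keep the content.
# Returns how many comments were anonymized.
def anonymize_comments!(comments, user_id)
  comments.select { |c| c.user_id == user_id }.each do |c|
    c.user_id = nil
    c.author_name = 'Anonymous'
    c.author_email = nil
  end.size
end
```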
  19. Have a data protection policy
     - Generators are out there:
       - https://datenschutz-generator.de
       - https://www.e-recht24.de
       - https://www.iubenda.com
     - List all sorts of data you process, under which legal grounds, and why you give this data to a 3rd party and why you are allowed to do so (Privacy Shield, etc).
  20. Choose 3rd party services wisely
     - Do not throw in any tracker and plugin just because you can
     - Use browser plugins like Ghostery to check where your site is sending data (sometimes plugins bring trackers that you don't know about)
     - Look around if there are EU alternatives for US services (Privacy Shield might not hold)
     - MailChimp (US) → CleverReach (Germany)
     - Google Analytics → self-hosted Matomo (prev. Piwik)
  21. Choose 3rd party services wisely
     - When embedding YouTube videos, use the non-tracking variant
     - 2-click social share buttons: Shariff (https://github.com/heiseonline/shariff)
  22. Fines: up to 4% of global revenue* (*or up to 20 million € if you aren't a corporation)
  23. Here's the thing …
     - In data protection there is no right or wrong
     - You always work with risks
     - The people that can sue you are users, consumer protection centers and data protection authorities.
     - Users need to have real damages (identity theft, …)
     - And before they look at your blog, there are many many bigger fish to look at
     - Even if the authorities look into you, their punishment needs to be proportional ⚖
  24. Competitors?
     - Again: in data protection there is no right or wrong
     - You always work with risks
     - If a competitor sues you, guess where the authorities or your lawyers would look next.
     - Unlikely, if you ask me ¯\_(ツ)_/¯; if you do the basic things necessary you are already ahead of many many others
  25. Resources
     - Rechtsbelehrung Podcast (German; ep. 54 + 55): https://rechtsbelehrung.com/
     - Datenschutz-Guru Podcast (German): https://www.datenschutz-guru.de/category/podcast/
     - EU GDPR by the EU: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules