The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
▸ Enforcement date: 25 May 2018.
▸ Quite unclear and confusing.
▸ Huge fines for non-compliance: up to 20 million EUR or 4% of the total worldwide annual turnover.
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
▸ …which is basically anything related to a specific person.
Forces deep understanding of user data flows and a serious security approach (OWASP is your friend).
▸ New features are required to be available to users.
▸ Data minimisation (you should not collect more data than necessary). Required data retention and deletion schedules.
▸ Existing users must be transferred to the new policy; a data audit must be performed.
▸ Data exchange with 3rd-party services must be controlled.
CONTROL?
▸ What data is being collected?
▸ Where is the data being collected?
▸ What happens to the data (why is it being collected)?
▸ Who has access to the data?
▸ For how long will the data exist and be processed?
clear definition of what user data will be collected and how it will be used.
▸ Users will need to explicitly approve the policy for every data use case (including mechanisms like machine learning, profiling and automated decision making).
▸ Developers will have to implement a mechanism to obtain explicit consent and save it (giving the right to change the decision later). Consider having a separate DB table for consent history with timestamps, and handle missing consent.
access to ABSOLUTELY ALL the data that we have related to that person.
▸ Developers will provide a way to show the data. It can be a manual process; the request has to be addressed within 30 days.
▸ Data should be available in a human-readable format (GUI, PDF, etc.).
▸ Data from external services must be included.
can request his/her data to be erased.
▸ Developers will have to provide a way to delete a user profile.
▸ A service to handle this by user ID.
▸ A strategy for foreign key handling (nullify, anonymise, cascade erase).
▸ Marking users to be deleted asynchronously.
▸ Backups? Keep the forgetting history.
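Added example (not from the slides): one way to implement the timestamped consent history table from the consent slide together with the erasure flow from this slide, using Python's sqlite3. The schema (users, orders, consent_history, erasure_log) and all function names are assumptions constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical minimal schema (constructed for this example): a profile table, one table
# holding a foreign key to it, an append-only consent log, and a log of honoured erasures.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, erase_requested INTEGER DEFAULT 0);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id), total REAL);
CREATE TABLE consent_history (user_id INTEGER, purpose TEXT, granted INTEGER, recorded_at TEXT);
CREATE TABLE erasure_log (user_id INTEGER, erased_at TEXT);
"""

def now():
    return datetime.now(timezone.utc).isoformat()

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def record_consent(conn, user_id, purpose, granted):
    # Every decision is a new timestamped row; old rows are never updated, so the full
    # history (grant, withdraw, grant again) can be shown to the user or a regulator.
    conn.execute("INSERT INTO consent_history VALUES (?, ?, ?, ?)",
                 (user_id, purpose, int(granted), now()))

def has_consent(conn, user_id, purpose):
    # Latest decision wins. No row at all means consent was never given: treat as refused.
    row = conn.execute("SELECT granted FROM consent_history WHERE user_id = ? AND purpose = ? "
                       "ORDER BY rowid DESC LIMIT 1", (user_id, purpose)).fetchone()
    return bool(row and row[0])

def request_erasure(conn, user_id):
    # Called from the user or admin page: only mark the profile; the real work runs async.
    conn.execute("UPDATE users SET erase_requested = 1 WHERE id = ?", (user_id,))

def run_erasure_job(conn):
    # Background job. Foreign-key strategy: anonymise the profile row (its primary key stays,
    # so nothing dangles), nullify the link on orders that must survive for accounting, and
    # keep consent_history plus a new erasure_log row as the forgetting history.
    ids = [r[0] for r in conn.execute("SELECT id FROM users WHERE erase_requested = 1")]
    for uid in ids:
        conn.execute("UPDATE users SET email = NULL, name = '[erased]', erase_requested = 0 WHERE id = ?", (uid,))
        conn.execute("UPDATE orders SET user_id = NULL WHERE user_id = ?", (uid,))
        conn.execute("INSERT INTO erasure_log VALUES (?, ?)", (uid, now()))
    conn.commit()
    return ids
```

Backups are not covered here: a restored backup would bring the erased rows back, which is why the erasure_log must be replayed after any restore.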
can request his/her data to be “frozen” for processing.
▸ Developers will have to provide a way to mark a user profile as restricted for processing.
▸ Allow setting the flag from both admin and user pages.
▸ Similar to user profile erasing, but temporary.
require export of a copy of ABSOLUTELY ALL the data that we have related to that person.
▸ Developers will provide a way to export the data (however, it can also be a cumbersome manual process).
▸ The same data set as for the “Right to access”.
▸ Machine-readable format: CSV, JSON, XML.
▸ Large data set: use background processing.
▸ The idea behind this: allow migrating to other apps and limit vendor lock-in.
16 cannot give the ‘Explicit Consent’.
▸ Age checking is required for new users (checkbox).
▸ For younger users only a parent / legal guardian can be asked for consent.
▸ Totally unclear how to do that.
▸ Email? Matches regulation needs, but remains a fiction.
very expensive, protect it.
▸ Use data anonymisation/pseudonymisation whenever possible.
▸ Use approved tools and frameworks. Disable unsafe functions and modules.
▸ Static code analysis and code review.
▸ Test. Test a lot.
▸ Contact the GDPR regulator as soon as you find a data breach. Notify users and authorities. You only have 3 days for that!