GDPR for developers

Transcript

1. GENERAL DATA PROTECTION REGULATION
   FOR DEVELOPERS
   PAWEŁ CYŁO, RRUG 21.05.2018
   

   View Slide

2. GDPR FOR DEVELOPERS
   WHAT IS GDPR?
   ▸ The General Data Protection Regulation (GDPR) is a
   regulation in EU law on data protection and privacy for all
   individuals within the European Union. It also addresses the
   export of personal data outside the EU.

   ▸ Enforcement date: 25 May 2018.
   ▸ Quite unclear and confusing.
   ▸ Huge fines for non-compliance: up to 20 million EUR or 4%
   of the total worldwide annual turnover.
   https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
   

   View Slide

3. GDPR FOR DEVELOPERS
   WHAT DATA IS TO BE PROTECTED?
   ▸ ‘personal data’ means any information relating to an
   identified or identifiable natural person (‘data subject’); an
   identifiable natural person is one who can be identified,
   directly or indirectly, in particular by reference to an
   identifier such as a name, an identification number,
   location data, an online identifier or to one or more factors
   specific to the physical, physiological, genetic, mental,
   economic, cultural or social identity of that natural person;
   ▸ …which is basically anything related to specific person.
   

   View Slide

4. GDPR FOR DEVELOPERS
   WHAT DOES IT MEAN TO DEVELOPERS
   ▸ Forces deep understanding of user data flows and serious
   security approach (OWASP is your friend).
   ▸ New features required to be available for users.
   ▸ Data minimisation (you should not collect more data than
   necessary). Required data retention and deletion schedules.
   ▸ Existing users must be transferred to new policy, data audit
   must be performed.
   ▸ Data exchange with 3rd party services must be controlled.
   

   View Slide

5. GDPR FOR DEVELOPERS
   WHAT DO WE NEED TO UNDERSTAND AND CONTROL?
   ▸ What data is being collected?
   ▸ Where is data being collected?
   ▸ What happens to the data (why it’s being collected)?
   ▸ Who has access to the data?
   ▸ For how long will the data exist and be processed?
   

   View Slide

6. GDPR FOR DEVELOPERS
   DATA CONTROLLER VS. DATA PROCESSOR
   ▸ Data controller - a person/organisation/company that
   requests and uses the data
   ▸ Data processor - a person/organisation/company which
   processes personal data on behalf of the controller
   

   View Slide

7. GDPR FOR DEVELOPERS
   WHEN CAN WE PROCESS PERSONAL DATA?
   ▸ Explicit user consent
   ▸ Legitimate interest of data controller (marketing etc)
   ▸ Requirement of law
   ▸ Improvement of contract performance
   

   View Slide

8. GDPR FOR DEVELOPERS
   EXPLICIT CONSENT
   ▸ There must be a clear definition of what user data will
   be collected and how will it be used.
   ▸ Users will need to explicitly approve the policy for every
   data use case (including mechanisms like machine
   learning, profiling, automated decision making).
   ▸ Developers will have to implement a mechanism to obtain
   explicit consent and save it (giving right to change the
   decision later). Consider having separate DB table for
   consent history with timestamps, handle missing consent.
   

   View Slide

9. GDPR FOR DEVELOPERS
   NEW USER RIGHTS
   ▸ Right of access by the data subject
   ▸ Right to rectification
   ▸ Right to erasure (‘right to be forgotten’)
   ▸ Right to restriction of processing
   ▸ Right to data portability
   

   View Slide

10. GDPR FOR DEVELOPERS
    RIGHT TO ACCESS
    ▸ User can require access to ABSOLUTELY ALL the data that
    we have related to that person.
    ▸ Developers will provide a way to show the data. It can be a
    manual process, request has to be addressed within 30
    days.
    ▸ Data should be available in human readable format
    (GUI, PDF, etc).
    ▸ Data from external services must be included.
    

    View Slide

11. GDPR FOR DEVELOPERS
    RIGHT TO RECTIFICATION
    ▸ User can request his/her data to be updated.
    ▸ Developers will provide a way to edit user profile.
    Alternatively this can also be a manual process. Third party
    services should also be concerned.
    

    View Slide

12. GDPR FOR DEVELOPERS
    RIGHT TO BE FORGOTTEN 1/2
    ▸ User can request his/her data to be erased.
    ▸ Developers will have to provide a way to delete user
    profile.
    ▸ Service to handle this by user ID.
    ▸ Strategy for foreign keys handling (nullify, anonymize,
    cascade erase).
    ▸ Marking users to be deleted async.
    ▸ Backups? Keep the forgetting history.
    

    View Slide

13. GDPR FOR DEVELOPERS
    RIGHT TO BE FORGOTTEN 2/2
    ▸ Challenges: event sourcing, blockchain.
    ▸ Search engines for public profiles (return 404 to trigger
    removal).
    ▸ 3rd party services (data processors) must be notified to
    complete the process .
    

    View Slide

14. GDPR FOR DEVELOPERS
    RIGHT TO RESTRICTION OF PROCESSING
    ▸ User can request his/her data to be “frozen” for
    processing.
    ▸ Developers will have to provide a way to mark user profile
    as restricted for processing.
    ▸ Allow setting flag from both admin and user pages
    ▸ Similar to user profile erasing, but temporary
    

    View Slide

15. GDPR FOR DEVELOPERS
    RIGHT TO DATA PORTABILITY
    ▸ User can require export a copy of ABSOLUTELY ALL the data
    that we have related to that person.
    ▸ Developers will provide a way to export the data (however it
    can also be a cumbersome manual process).
    ▸ The same data set as for the “Right to access”
    ▸ Machine-readable format: CSV, JSON, XML
    ▸ Large data set - use background processing
    ▸ Idea behind this - allow migrating to other apps and limit
    vendor locking
    

    View Slide

16. GDPR FOR DEVELOPERS
    USER AGE CHECKING
    ▸ Users aged under 16 cannot give the ‘Explicit Consent’
    ▸ Age checking is required for new users (checkbox)
    ▸ For younger users only parent / legal guardian can be
    asked for consent
    ▸ Totally unclear how to do that
    ▸ Email? Matches regulation needs, but remains a fiction
    

    View Slide

17. GDPR FOR DEVELOPERS
    WHAT ABOUT COOKIES?
    ▸ The new regulation overrides the ePrivacy directive.
    ▸ User behaviour on the website is a personal data.
    ▸ Website owner is a data controller, 3rd party service
    (Google, Facebook, …) is a data processor.
    ▸ The standard bar with “We use cookies” is no longer
    enough, explicit consent must be gained (checkbox).
    ▸ In future the consent can be moved to browser settings.
    ▸ Is it worth it…?
    

    View Slide

18. GDPR FOR DEVELOPERS
    GENERAL TIPS
    ▸ Personal data is now very expensive, protect it.
    ▸ Use data anonymisation/pseudonymisation whenever possible.
    ▸ Use approved tools and frameworks. Disable unsafe functions
    and modules.
    ▸ Static code analysis and code review.
    ▸ Test. Test a lot.
    ▸ Contact GDPR regulator as soon as you find data breaches.
    Notify users and authorities. You only have 3 days for that!
    

    View Slide

19. GDPR FOR DEVELOPERS
    

    View Slide

20. GDPR FOR DEVELOPERS
    THANKS!
    @PawelCylo
    

    View Slide

21. GDPR FOR DEVELOPERS
    THANKS!
    @PawelCylo Did I just data-breached myself?
    

    View Slide