GDPR for developers

Paweł Cyło

May 21, 2018

Transcript

  1. GENERAL DATA PROTECTION REGULATION
    FOR DEVELOPERS
    PAWEŁ CYŁO, RRUG 21.05.2018

  2. GDPR FOR DEVELOPERS
    WHAT IS GDPR?
    ▸ The General Data Protection Regulation (GDPR) is a
    regulation in EU law on data protection and privacy for all
    individuals within the European Union. It also addresses the
    export of personal data outside the EU.

    ▸ Enforcement date: 25 May 2018.
    ▸ Quite unclear and confusing.
    ▸ Huge fines for non-compliance: up to 20 million EUR or 4%
    of the total worldwide annual turnover.
    https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

  3. GDPR FOR DEVELOPERS
    WHAT DATA IS TO BE PROTECTED?
    ▸ ‘personal data’ means any information relating to an
    identified or identifiable natural person (‘data subject’); an
    identifiable natural person is one who can be identified,
    directly or indirectly, in particular by reference to an
    identifier such as a name, an identification number,
    location data, an online identifier or to one or more factors
    specific to the physical, physiological, genetic, mental,
    economic, cultural or social identity of that natural person;
    ▸ …which is basically anything related to a specific person.

  4. GDPR FOR DEVELOPERS
    WHAT DOES IT MEAN TO DEVELOPERS
    ▸ Forces a deep understanding of user data flows and a serious
    security approach (OWASP is your friend).
    ▸ New features are required to be available to users.
    ▸ Data minimisation (you should not collect more data than
    necessary). Data retention and deletion schedules are required.
    ▸ Existing users must be migrated to the new policy; a data audit
    must be performed.
    ▸ Data exchange with 3rd party services must be controlled.

  5. GDPR FOR DEVELOPERS
    WHAT DO WE NEED TO UNDERSTAND AND CONTROL?
    ▸ What data is being collected?
    ▸ Where is data being collected?
    ▸ What happens to the data (why it’s being collected)?
    ▸ Who has access to the data?
    ▸ For how long will the data exist and be processed?

  6. GDPR FOR DEVELOPERS
    DATA CONTROLLER VS. DATA PROCESSOR
    ▸ Data controller - a person/organisation/company that
    requests and uses the data
    ▸ Data processor - a person/organisation/company which
    processes personal data on behalf of the controller

  7. GDPR FOR DEVELOPERS
    WHEN CAN WE PROCESS PERSONAL DATA?
    ▸ Explicit user consent
    ▸ Legitimate interest of the data controller (marketing, etc.)
    ▸ Requirement of law
    ▸ Improvement of contract performance

  8. GDPR FOR DEVELOPERS
    EXPLICIT CONSENT
    ▸ There must be a clear definition of what user data will
    be collected and how it will be used.
    ▸ Users will need to explicitly approve the policy for every
    data use case (including mechanisms like machine
    learning, profiling and automated decision making).
    ▸ Developers will have to implement a mechanism to obtain
    explicit consent and save it (giving the user the right to change
    the decision later). Consider having a separate DB table for
    consent history with timestamps, and handle missing consent.
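The consent store the slide asks for, as an added example in plain Ruby (not code from the deck or its author): an append-only consent history with timestamps, where the current decision for a purpose is the latest event and a purpose with no event at all counts as missing consent. The purpose names, the `source` field and the sample user are assumptions made for this example.

```ruby
require "time"

# Added example, not code from the deck. One row per decision; rows are never
# updated or deleted, so the table is the consent history the deck asks for.
ConsentEvent = Struct.new(:user_id, :purpose, :granted, :recorded_at, :source,
                          keyword_init: true)

class ConsentLedger
  # Purposes are hypothetical names for this example; each needs its own consent.
  PURPOSES = %i[newsletter profiling analytics].freeze

  def initialize
    @events = []   # append-only
  end

  # Record a decision. `source` says where it was taken (signup form, settings
  # page, support ticket), which is what you need when a user disputes it.
  def record(user_id:, purpose:, granted:, source:, at: Time.now.utc)
    raise ArgumentError, "unknown purpose #{purpose}" unless PURPOSES.include?(purpose)
    event = ConsentEvent.new(user_id: user_id, purpose: purpose, granted: granted,
                             recorded_at: at, source: source)
    @events << event
    event
  end

  # The latest decision wins; nil when the user never decided at all.
  def current(user_id, purpose)
    hits = @events.each_with_index.select { |e, _| e.user_id == user_id && e.purpose == purpose }
    latest = hits.max_by { |e, i| [e.recorded_at, i] }   # index breaks timestamp ties
    latest && latest.first
  end

  # The check every processing path makes before using the data for a purpose.
  # Missing consent is treated exactly like refused consent.
  def consented?(user_id, purpose)
    decision = current(user_id, purpose)
    !decision.nil? && decision.granted
  end

  # Consent given before the policy text changed is no longer informed consent;
  # treat it as missing until the user re-approves the new policy.
  def consented_since?(user_id, purpose, policy_updated_at)
    decision = current(user_id, purpose)
    !decision.nil? && decision.granted && decision.recorded_at >= policy_updated_at
  end

  # Oldest first: this is what a right-of-access export should show.
  def history(user_id)
    @events.select { |e| e.user_id == user_id }.sort_by(&:recorded_at)
  end
end

# Constructed sample history for one user: opted in at signup, later opted out
# of the newsletter and opted in to profiling from the settings page.
def demo_ledger
  ledger = ConsentLedger.new
  ledger.record(user_id: 42, purpose: :newsletter, granted: true, source: "signup form",
                at: Time.utc(2018, 5, 20, 10, 0, 0))
  ledger.record(user_id: 42, purpose: :newsletter, granted: false, source: "settings page",
                at: Time.utc(2018, 5, 26, 9, 30, 0))
  ledger.record(user_id: 42, purpose: :profiling, granted: true, source: "settings page",
                at: Time.utc(2018, 5, 26, 9, 31, 0))
  ledger
end
```

With `demo_ledger`, `consented?(42, :newsletter)` is false (the later opt-out wins), `consented?(42, :profiling)` is true, and `consented?(42, :analytics)` is false because nothing was ever recorded. The design choice is that a processing path never reads a boolean column on the user row; it asks the ledger, so the answer and the evidence for it live in the same place.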

  9. GDPR FOR DEVELOPERS
    NEW USER RIGHTS
    ▸ Right of access by the data subject
    ▸ Right to rectification
    ▸ Right to erasure (‘right to be forgotten’)
    ▸ Right to restriction of processing
    ▸ Right to data portability

  10. GDPR FOR DEVELOPERS
    RIGHT TO ACCESS
    ▸ A user can request access to ABSOLUTELY ALL the data that
    we hold related to that person.
    ▸ Developers will provide a way to show the data. It can be a
    manual process; the request has to be addressed within 30
    days.
    ▸ Data should be available in human readable format
    (GUI, PDF, etc).
    ▸ Data from external services must be included.

  11. GDPR FOR DEVELOPERS
    RIGHT TO RECTIFICATION
    ▸ A user can request that his/her data be updated.
    ▸ Developers will provide a way to edit the user profile.
    Alternatively this can also be a manual process. Third-party
    services should also be taken into account.

  12. GDPR FOR DEVELOPERS
    RIGHT TO BE FORGOTTEN 1/2
    ▸ A user can request that his/her data be erased.
    ▸ Developers will have to provide a way to delete the user
    profile.
    ▸ A service to handle this by user ID.
    ▸ A strategy for handling foreign keys (nullify, anonymise,
    cascade delete).
    ▸ Marking users to be deleted asynchronously.
    ▸ Backups? Keep a history of what was forgotten.

  13. GDPR FOR DEVELOPERS
    RIGHT TO BE FORGOTTEN 2/2
    ▸ Challenges: event sourcing, blockchain.
    ▸ Search engines for public profiles (return 404 to trigger
    removal).
    ▸ 3rd party services (data processors) must be notified to
    complete the process.

  14. GDPR FOR DEVELOPERS
    RIGHT TO RESTRICTION OF PROCESSING
    ▸ A user can request that his/her data be “frozen” for
    processing.
    ▸ Developers will have to provide a way to mark a user profile
    as restricted for processing.
    ▸ Allow setting the flag from both admin and user pages.
    ▸ Similar to erasing a user profile, but temporary.

  15. GDPR FOR DEVELOPERS
    RIGHT TO DATA PORTABILITY
    ▸ A user can request an export of a copy of ABSOLUTELY ALL the data
    that we hold related to that person.
    ▸ Developers will provide a way to export the data (although it
    can also be a cumbersome manual process).
    ▸ The same data set as for the “Right to access”.
    ▸ Machine-readable format: CSV, JSON, XML.
    ▸ Large data sets: use background processing.
    ▸ The idea behind this: allow migrating to other apps and limit
    vendor lock-in.
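The "Right to access", "Right to be forgotten", "Right to restriction of processing" and "Right to data portability" slides all revolve around the same question: which tables hold data about a user, and through which column. This added example in plain Ruby (not code from the deck or its author) keeps that knowledge in one map and drives export, erasure with the three foreign-key strategies, the forgetting history used to re-apply erasure to a restored backup, and the restriction flag from it. The in-memory "database", the table names, the `PERSONAL_DATA_MAP` constant and the `PersonalData` class are all assumptions made for this example.

```ruby
require "json"
require "time"

# Added example, not code from the deck. A minimal in-memory "database":
# each table is an array of row hashes. All rows are constructed sample data.
def seed_db
  {
    users:    [{ id: 1, email: "ola@example.com", name: "Ola" },
               { id: 2, email: "jan@example.com", name: "Jan" }],
    orders:   [{ id: 10, user_id: 1, total: 99.0 }, { id: 11, user_id: 2, total: 5.0 }],
    comments: [{ id: 100, author_id: 1, body: "great shoes" }],
    logins:   [{ id: 1000, user_id: 1, ip: "203.0.113.7", at: "2018-05-20T10:00:00Z" }],
  }
end

# The personal-data map (hypothetical name): every table that holds data about a
# user, the column that links it, and the erasure strategy for that table.
# Export and erasure both walk this one list, so nothing is exported that
# cannot be erased, and vice versa.
PERSONAL_DATA_MAP = {
  orders:   { key: :user_id,   on_erase: :nullify },   # keep the accounting row, drop the link
  comments: { key: :author_id, on_erase: :anonymize, fields: { body: "[deleted]" } },
  logins:   { key: :user_id,   on_erase: :cascade },   # pure tracking data: delete the rows
}.freeze

class PersonalData
  def initialize(db)
    @db = db
    @forgotten  = []   # the "forgetting history": who was erased and when, nothing else
    @restricted = {}   # user_id => true while processing is restricted
  end

  # Right of access and right to data portability use the same data set;
  # JSON is one of the machine-readable formats the deck lists.
  def export(user_id)
    data = { user: find_user!(user_id) }
    PERSONAL_DATA_MAP.each { |table, spec| data[table] = rows_of(table, spec, user_id) }
    JSON.pretty_generate(data)
  end

  # Right to erasure: apply each table's strategy, then remove the profile itself.
  def erase!(user_id, now: Time.now.utc)
    user = find_user!(user_id)
    PERSONAL_DATA_MAP.each do |table, spec|
      rows = rows_of(table, spec, user_id)
      case spec[:on_erase]
      when :nullify   then rows.each { |row| row[spec[:key]] = nil }
      when :anonymize then rows.each { |row| row[spec[:key]] = nil; row.merge!(spec[:fields]) }
      when :cascade   then @db[table].reject! { |row| row[spec[:key]] == user_id }
      else raise ArgumentError, "unknown strategy #{spec[:on_erase]} for #{table}"
      end
    end
    @db[:users].delete(user)
    @restricted.delete(user_id)
    record = { user_id: user_id, erased_at: now.iso8601 }
    @forgotten << record
    record
  end

  # A backup restored from before an erasure must have the erasure re-applied.
  def reapply_forgotten!(restored_db)
    other = PersonalData.new(restored_db)
    @forgotten.each do |f|
      next unless restored_db[:users].any? { |u| u[:id] == f[:user_id] }
      other.erase!(f[:user_id], now: Time.parse(f[:erased_at]))
    end
    restored_db
  end

  # Right to restriction of processing: like erasure, but a reversible flag.
  def restrict!(user_id, restricted = true)
    find_user!(user_id)
    restricted ? (@restricted[user_id] = true) : @restricted.delete(user_id)
    restricted
  end

  # Every background job or analytics query asks this before touching a user.
  def processable?(user_id)
    !@restricted[user_id] && @db[:users].any? { |u| u[:id] == user_id }
  end

  def forgotten?(user_id)
    @forgotten.any? { |f| f[:user_id] == user_id }
  end

  private

  def find_user!(user_id)
    @db[:users].find { |u| u[:id] == user_id } or raise KeyError, "no user #{user_id}"
  end

  def rows_of(table, spec, user_id)
    @db[table].select { |row| row[spec[:key]] == user_id }
  end
end
```

In a real application `erase!` is the body of the background job the deck mentions: the request handler only marks the profile as pending deletion and enqueues the user ID, and the public profile page answers 404 once `forgotten?` is true so search engines drop it. The forgetting history deliberately stores only the ID and the time, so re-applying it to a restored backup does not itself become a copy of the erased data.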

  16. GDPR FOR DEVELOPERS
    USER AGE CHECKING
    ▸ Users aged under 16 cannot give ‘Explicit Consent’.
    ▸ Age checking is required for new users (checkbox).
    ▸ For younger users only a parent / legal guardian can be
    asked for consent.
    ▸ Totally unclear how to do that.
    ▸ Email? Matches the regulation’s needs, but remains a fiction.

  17. GDPR FOR DEVELOPERS
    WHAT ABOUT COOKIES?
    ▸ The new regulation overrides the ePrivacy directive.
    ▸ User behaviour on the website is personal data.
    ▸ The website owner is a data controller; a 3rd party service
    (Google, Facebook, …) is a data processor.
    ▸ The standard bar with “We use cookies” is no longer
    enough; explicit consent must be obtained (checkbox).
    ▸ In future the consent may be moved to browser settings.
    ▸ Is it worth it…?

  18. GDPR FOR DEVELOPERS
    GENERAL TIPS
    ▸ Personal data is now very expensive; protect it.
    ▸ Use data anonymisation/pseudonymisation whenever possible.
    ▸ Use approved tools and frameworks. Disable unsafe functions
    and modules.
    ▸ Static code analysis and code review.
    ▸ Test. Test a lot.
    ▸ Contact the GDPR regulator as soon as you find a data breach.
    Notify users and authorities. You only have 3 days for that!

  19. GDPR FOR DEVELOPERS

  20. GDPR FOR DEVELOPERS
    THANKS!
    @PawelCylo

  21. GDPR FOR DEVELOPERS
    THANKS!
    @PawelCylo Did I just data-breach myself?
