Slide 4

Who likes GDPR? @xeraa

Slide 5

Who is afraid of GDPR?

Slide 6

“Can you recommend a GDPR expert? Yes! Great, can you give me their email address so I can contact them? No.”
https://twitter.com/wardrox/status/988363811479572483

Slide 7

Questions: https://sli.do/xeraa
Answers: https://twitter.com/xeraa

Slide 8

General Data Protection Regulation
Adopted 2016/04/14
Enforceable 2018/05/25

Slide 9

Datenschutz-Grundverordnung
Fines up to 4% of global revenues or €20m

Slide 10

Where & Who?
EU organizations
Services or goods for / monitoring of EU citizens

Slide 11

What? Personal Data
Any information relating to an identified or identifiable natural person

Slide 12

Rights?
to be informed
access
rectification

Slide 13

Rights?
erasure (to be forgotten)
restrict processing
data portability

Slide 14

Rights?
object
automatic decision making

Slide 15

PS: Personal data in a blockchain is an issue

Slide 16

Lawful use of data?
Informed consent
Contractual obligation
Legitimate interest

Slide 17

Lawful use of data?
Legal obligation
Vital interests
Public task

Slide 18

Proof Required
Right to collect and legally use

Slide 19

Disclosure
Within 72 hours to a member state’s "supervisory body"

Slide 20

Legacy Data
Stop, Check, Delete

Slide 22

What if no legal grounds?

Slide 23

“More GDPR bizarro world logic. Log nothing, but also make sure to have a complete understanding of all your security breaches, track them down, patch them up…. with no logs.”
https://twitter.com/ianlandsman/status/997561351009599488

Slide 24

1. Stop Your Service

Slide 31

2. Drown them in forms

Slide 32

https://twitter.com/rianjohnson/status/999730569641525248

Slide 33

3. Pseudonymization

Slide 34

Anonymous
No information that could potentially identify an individual
Not considered Personal Data by GDPR

Slide 35

Pseudonymous
Re-identification possible if combined with additional information
Without this information, re-identification practically impossible

Slide 36

When?
Ingestion time
Search time

Slide 37

Developer

Slide 42

Logstash pipeline snippet (pseudonymization at ingestion time):

```
# Keyed hash of the client IP: with a key set, the fingerprint filter
# computes HMAC-SHA256. The key is read from the environment, not hard-coded.
fingerprint {
  method => "SHA256"
  source => ["ip"]
  key => "${FINGERPRINT_KEY}"
}
# Keep the fingerprint -> original IP pair as a separate identities record,
# so re-identification stays possible for whoever is allowed to read it.
mutate {
  add_field => {
    '[identities][0][key]' => "%{fingerprint}"
    '[identities][0][value]' => "%{ip}"
  }
}
# Replace the raw IP in the event with its pseudonym.
mutate {
  replace => { "ip" => "%{fingerprint}" }
}
```

Slide 43

How Secure Are Hashes?
Without salting

Slide 44

“You might think it would take a long time to run through all of the possible SSNs, but computers are very fast — there are "only" one billion possible SSNs, so your laptop can hash all of them in less time than it takes you to get a cup of coffee.”
https://www.ftc.gov/news-events/blogs/techftc/2012/04/does-hashing-make-data-anonymous

Slide 45

“Datafinder – Reverse email hashes for $0.04 per email”
https://freedom-to-tinker.com/2018/04/09/four-cents-to-deanonymize-companies-reverse-hashed-email-addresses/
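As an added example (not code from the talk or from Logstash), the Ruby script below mirrors what the slide 42 pipeline does, a keyed HMAC-SHA256 fingerprint plus an identities record, and then checks the point of slides 43 to 45: an unkeyed SHA256 of an IP address is recovered by simply hashing every address in a small range, while the keyed fingerprint survives the same check as long as the key stays secret. FINGERPRINT_KEY, the sample event and the address range are constructed values.

```ruby
require 'openssl'
require 'digest'
require 'ipaddr'

# Constructed placeholder; in Logstash this is ${FINGERPRINT_KEY} from the
# environment or keystore. Never commit a real key.
FINGERPRINT_KEY = 'constructed-example-key-do-not-use'.freeze

# Keyed pseudonym: what fingerprint { method => "SHA256" key => ... } produces
# (HMAC-SHA256, lowercase hex).
def keyed_pseudonym(value, key = FINGERPRINT_KEY)
  OpenSSL::HMAC.hexdigest('sha256', key, value)
end

# Unkeyed, unsalted hash: the "without salting" case from slide 43.
def plain_pseudonym(value)
  Digest::SHA256.hexdigest(value)
end

# Pseudonymize one event like the pipeline: swap the raw IP for its
# fingerprint and keep the fingerprint -> original pair as an identities record.
def pseudonymize_event(event)
  fp = keyed_pseudonym(event['ip'])
  event.merge('ip' => fp, 'identities' => [{ 'key' => fp, 'value' => event['ip'] }])
end

# Re-identification for someone allowed to read the identities mapping.
def reidentify(pseudonym, identities)
  match = identities.find { |id| id['key'] == pseudonym }
  match && match['value']
end

# Dictionary check: hash every address in the range with the given hasher and
# see whether the pseudonym is found. IPv4 has only 2^32 values, so an unkeyed
# hash of an IP is always reversible this way; a keyed one needs the key.
def reverse_by_enumeration(pseudonym, cidr, hasher)
  IPAddr.new(cidr).to_range.each do |addr|
    ip = addr.to_s
    return ip if hasher.call(ip) == pseudonym
  end
  nil
end

# Constructed sample event.
SAMPLE_EVENT = { 'ip' => '203.0.113.42', 'path' => '/login' }.freeze
```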

Slide 47

Access Control & Encryption

Slide 49

Deletion

Slide 50

“Interesting #GDPR solution for the "right to erasure" : Encrypt all user's data and when you have to delete it you just get rid of the private key. Will this become the norm?”
https://twitter.com/Stephan007/status/985103374118014976

Slide 51

“[...] personal data of our users can only be persisted when it is encrypted. Each user has their own set of keys [...] it reduces the impact of leaking a dataset, since the dataset by itself is useless — attackers also need the decryption keys. [...] it allows us to control the lifecycle of data for individual users centrally.”
https://labs.spotify.com/2018/09/18/scalable-user-privacy/
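As an added example (not code from the talk, from Spotify or from the tweet above), this Ruby class shows the erasure-by-key-deletion pattern of slides 50 and 51: personal data is only persisted encrypted under a per-user AES-256-GCM key, and erasure means deleting that key, after which every copy of the ciphertext is unreadable even though the record store is untouched. The in-memory key store and record store are constructed stand-ins for separate, access-controlled systems.

```ruby
require 'openssl'
require 'securerandom'

class CryptoShredStore
  def initialize
    @keys = {}                                # user_id => 32-byte AES key (key store)
    @records = Hash.new { |h, k| h[k] = [] }  # user_id => [[iv, tag, ciphertext], ...]
  end

  # Lazily create one key per user; the key never leaves this store.
  def key_for(user_id)
    @keys[user_id] ||= SecureRandom.random_bytes(32)
  end

  # Persist personal data only in encrypted form under the user's own key.
  # Returns the record index.
  def store(user_id, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key_for(user_id)
    iv = cipher.random_iv
    cipher.auth_data = user_id   # bind the ciphertext to its owner
    ct = cipher.update(plaintext) + cipher.final
    @records[user_id] << [iv, cipher.auth_tag, ct]
    @records[user_id].size - 1
  end

  # Plaintext of a record, or nil once the user's key has been erased.
  def read(user_id, idx)
    key = @keys[user_id]
    return nil unless key
    iv, tag, ct = @records[user_id][idx]
    d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    d.key = key
    d.iv = iv
    d.auth_tag = tag
    d.auth_data = user_id
    d.update(ct) + d.final
  end

  # Right to erasure: drop the key only. Ciphertexts, backups and copies you
  # cannot reach all become unreadable without touching the record store.
  def erase_user(user_id)
    @keys.delete(user_id) ? true : false
  end

  def records_remaining(user_id)
    @records[user_id].size
  end
end
```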

Slide 52

Conclusion

Slide 53

Data Protection
The new standard and norm of approaching personal data

Slide 55

I am not a lawyer

Slide 56

❤ GDPR and carry on

Slide 58

Questions?
Philipp Krenn @xeraa