Slide 1

GENERAL DATA PROTECTION REGULATION FOR DEVELOPERS
PAWEŁ CYŁO, RRUG 21.05.2018

Slide 2

GDPR FOR DEVELOPERS

WHAT IS GDPR?
▸ The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
▸ Enforcement date: 25 May 2018.
▸ Quite unclear and confusing.
▸ Huge fines for non-compliance: up to 20 million EUR or 4% of the total worldwide annual turnover.
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Slide 3

WHAT DATA IS TO BE PROTECTED?
▸ ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
▸ …which is basically anything related to a specific person.

Slide 4

WHAT DOES IT MEAN FOR DEVELOPERS?
▸ Forces a deep understanding of user data flows and a serious approach to security (OWASP is your friend).
▸ New features are required to be available to users.
▸ Data minimisation (you should not collect more data than necessary). Data retention and deletion schedules are required.
▸ Existing users must be transferred to the new policy; a data audit must be performed.
▸ Data exchange with 3rd-party services must be controlled.

Slide 5

WHAT DO WE NEED TO UNDERSTAND AND CONTROL?
▸ What data is being collected?
▸ Where is data being collected?
▸ What happens to the data (why is it being collected)?
▸ Who has access to the data?
▸ For how long will the data exist and be processed?

Slide 6

DATA CONTROLLER VS. DATA PROCESSOR
▸ Data controller - a person/organisation/company that requests and uses the data.
▸ Data processor - a person/organisation/company that processes personal data on behalf of the controller.

Slide 7

WHEN CAN WE PROCESS PERSONAL DATA?
▸ Explicit user consent
▸ Legitimate interest of the data controller (marketing etc.)
▸ Requirement of law
▸ Performance of a contract

Slide 8

EXPLICIT CONSENT
▸ There must be a clear definition of what user data will be collected and how it will be used.
▸ Users will need to explicitly approve the policy for every data use case (including mechanisms like machine learning, profiling and automated decision making).
▸ Developers will have to implement a mechanism to obtain explicit consent and save it (giving the user the right to change the decision later). Consider having a separate DB table for consent history with timestamps, and handle missing consent.
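One way to store consent as a history rather than a single flag, as an added example in plain Ruby (not code from the talk): every decision is an appended, timestamped row, the latest row decides, and a missing row counts as no consent. The `ConsentLog` class and the purposes used below are constructed stand-ins for a real DB table.

```ruby
# Added example, not the talk's code: an append-only consent log in plain
# Ruby standing in for a dedicated DB table (user_id, purpose, granted, at).
class ConsentLog
  Record = Struct.new(:user_id, :purpose, :granted, :recorded_at)

  def initialize
    @records = []
  end

  # A change of mind is a new row with its own timestamp, never an UPDATE,
  # so the full history stays available for an audit.
  def record(user_id, purpose, granted, at: Time.now.utc)
    @records << Record.new(user_id, purpose, granted, at)
    self
  end

  # The most recent decision for this purpose wins; no row at all means no consent.
  def granted?(user_id, purpose)
    latest = @records.select { |r| r.user_id == user_id && r.purpose == purpose }
                     .max_by(&:recorded_at)
    latest ? latest.granted : false
  end

  # Everything the user ever decided, oldest first (also part of a "right of access" answer).
  def history(user_id)
    @records.select { |r| r.user_id == user_id }.sort_by(&:recorded_at)
  end
end

# Every processing path (mailing, profiling, ML training, ...) goes through this
# guard, so a missing or withdrawn consent short-circuits instead of raising.
def with_consent(log, user_id, purpose)
  return :consent_missing unless log.granted?(user_id, purpose)
  yield
end

if __FILE__ == $PROGRAM_NAME
  log = ConsentLog.new
  log.record(42, :profiling, true,  at: Time.utc(2018, 5, 25, 9, 0))
     .record(42, :profiling, false, at: Time.utc(2018, 5, 26, 9, 0))
  p with_consent(log, 42, :profiling) { :profiled }   # :consent_missing (withdrawn)
  p with_consent(log, 42, :newsletter) { :mailed }    # :consent_missing (never asked)
end
```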

Slide 9

NEW USER RIGHTS
▸ Right of access by the data subject
▸ Right to rectification
▸ Right to erasure (‘right to be forgotten’)
▸ Right to restriction of processing
▸ Right to data portability

Slide 10

RIGHT TO ACCESS
▸ User can request access to ABSOLUTELY ALL the data that we have related to that person.
▸ Developers will provide a way to show the data. It can be a manual process; the request has to be addressed within 30 days.
▸ Data should be available in a human-readable format (GUI, PDF, etc.).
▸ Data from external services must be included.

Slide 11

RIGHT TO RECTIFICATION
▸ User can request his/her data to be updated.
▸ Developers will provide a way to edit the user profile. Alternatively this can also be a manual process. Third-party services must also be taken into account.

Slide 12

RIGHT TO BE FORGOTTEN 1/2
▸ User can request his/her data to be erased.
▸ Developers will have to provide a way to delete the user profile.
▸ A service to handle this by user ID.
▸ A strategy for handling foreign keys (nullify, anonymise, cascade erase).
▸ Mark users to be deleted and erase them asynchronously.
▸ Backups? Keep the forgetting history.

Slide 13

RIGHT TO BE FORGOTTEN 2/2
▸ Challenges: event sourcing, blockchain.
▸ Search engines for public profiles (return 404 to trigger removal from the index).
▸ 3rd-party services (data processors) must be notified to complete the process.
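The erasure strategy from these two slides as an added Ruby example (not the talk's code): per-table nullify/anonymise/cascade handling keyed by user ID, notification of the data processors, and a keyed-hash "forgetting history" that can be replayed after a backup restore. The tables, the `pepper` secret and the processor callbacks are constructed stand-ins.

```ruby
require 'openssl'
# Added example, not the talk's code. Constructed in-memory rows stand in for
# DB tables; a real app would run the same per-table strategy in one transaction.
User    = Struct.new(:id, :email, :name)
Order   = Struct.new(:id, :user_id, :total)    # accounting must keep it: nullify the link
Comment = Struct.new(:id, :user_id, :author)   # keep the text: anonymise the author
Session = Struct.new(:id, :user_id, :token)    # purely personal data: cascade erase

class ErasureService
  STRATEGY  = { Order => :nullify, Comment => :anonymize, Session => :cascade }.freeze
  Tombstone = Struct.new(:user_key, :erased_at, :processors_notified)
  attr_reader :tombstones

  # pepper: a secret kept outside the DB, so the forgetting history alone
  # does not reveal which user IDs were erased.
  def initialize(users:, related:, pepper:, processors: [])
    @users, @related, @pepper, @processors = users, related, pepper, processors
    @tombstones = []  # the "forgetting history", replayed after a backup restore
  end

  # Entry point keyed by user ID, as the slide suggests.
  def forget(user_id)
    user = @users.find { |u| u.id == user_id } or return :not_found
    @related.each do |rows|
      rows.delete_if { |r| r.user_id == user_id && apply_strategy(r) == :cascade }
    end
    @users.delete(user)
    # 3rd-party data processors (callables returning true on success) must be told too
    notified = @processors.map { |notify| notify.call(user_id) }.all?
    @tombstones << Tombstone.new(key_for(user_id), Time.now.utc, notified)
    :forgotten
  end

  # A restored backup resurrects forgotten users: erase again everyone with a tombstone.
  def replay
    keys = @tombstones.map(&:user_key)
    @users.select { |u| keys.include?(key_for(u.id)) }.count { |u| forget(u.id) == :forgotten }
  end

  private
  def apply_strategy(row)
    case STRATEGY.fetch(row.class)
    when :nullify   then row.user_id = nil; :kept
    when :anonymize then row.user_id = nil; row.author = 'deleted user'; :kept
    when :cascade   then :cascade
    end
  end

  def key_for(id)
    OpenSSL::HMAC.hexdigest('SHA256', @pepper, id.to_s)
  end
end
```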

Slide 14

RIGHT TO RESTRICTION OF PROCESSING
▸ User can request his/her data to be “frozen” for processing.
▸ Developers will have to provide a way to mark a user profile as restricted for processing.
▸ Allow setting the flag from both admin and user pages.
▸ Similar to erasing the user profile, but temporary.

Slide 15

RIGHT TO DATA PORTABILITY
▸ User can request an export of a copy of ABSOLUTELY ALL the data that we have related to that person.
▸ Developers will provide a way to export the data (however, it can also be a cumbersome manual process).
▸ The same data set as for the “Right to access”.
▸ Machine-readable format: CSV, JSON, XML.
▸ Large data set - use background processing.
▸ The idea behind this: allow migrating to other apps and limit vendor lock-in.
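An added Ruby example (not the talk's code) covering both the right to access (slide 10) and data portability: one registry of data sources, external processors included, feeds a human-readable rendering and a JSON export, so the two answers cannot drift apart. The `SubjectDataBundle` class and the sources registered in it are constructed stand-ins.

```ruby
require 'json'
require 'time'

# Added example, not the talk's code. Each source is a callable returning every
# record it holds about one user; external data processors register a fetcher
# here as well, so the access answer and the portability export share one data set.
class SubjectDataBundle
  def initialize
    @sources = {}
  end

  # name => block(user_id) returning an array of hashes (one per record)
  def register(name, &fetcher)
    @sources[name] = fetcher
    self
  end

  # One pass over all sources; the hash keys double as section names.
  def collect(user_id)
    @sources.to_h { |name, fetch| [name, fetch.call(user_id)] }
  end

  # Right to data portability: machine-readable JSON for import into another app.
  def to_json(user_id)
    JSON.pretty_generate({ subject_id: user_id,
                           exported_at: Time.now.utc.iso8601,
                           data: collect(user_id) })
  end

  # Right of access: the same data set rendered for a human reader.
  def to_text(user_id)
    collect(user_id).map do |name, rows|
      header = "#{name} (#{rows.size})"
      lines = rows.map { |row| '  - ' + row.map { |k, v| "#{k}: #{v}" }.join(', ') }
      ([header] + lines).join("\n")
    end.join("\n")
  end
end
```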

Slide 16

USER AGE CHECKING
▸ Users aged under 16 cannot give ‘Explicit Consent’.
▸ Age checking is required for new users (checkbox).
▸ For younger users only a parent / legal guardian can be asked for consent.
▸ Totally unclear how to do that.
▸ Email? Matches the regulation's needs, but remains a fiction.

Slide 17

WHAT ABOUT COOKIES?
▸ The new regulation overrides the ePrivacy directive.
▸ User behaviour on the website is personal data.
▸ The website owner is a data controller; a 3rd-party service (Google, Facebook, …) is a data processor.
▸ The standard bar with “We use cookies” is no longer enough; explicit consent must be gained (checkbox).
▸ In future the consent can be moved to browser settings.
▸ Is it worth it…?

Slide 18

GENERAL TIPS
▸ Personal data is now very expensive; protect it.
▸ Use data anonymisation/pseudonymisation whenever possible.
▸ Use approved tools and frameworks. Disable unsafe functions and modules.
▸ Static code analysis and code review.
▸ Test. Test a lot.
▸ Contact the GDPR regulator as soon as you find a data breach. Notify users and authorities. You only have 3 days for that!

Slide 20

THANKS!
@PawelCylo

Slide 21

THANKS!
@PawelCylo
Did I just data-breach myself?