Practical Privacy - GDPR Explained

In recent years we've seen a growing awareness of privacy issues, particularly in the wake of Edward Snowden's revelations. The 2015 collapse of the Safe Harbour agreement (making it illegal to store data on EU citizens in the US) was patched up with Privacy Shield in 2016, but that's on shaky ground too. The EU's tough new General Data Protection Regulation (GDPR) comes into force in May 2018, raising privacy and data protection standards enormously and massively increasing exposure for companies on both sides of the Atlantic.

All too often legal departments have no contact with developers, and the only time the right conversations happen is when something has gone horribly wrong and it's too late. We need to fix this: developers need to be aware of their legal responsibilities, because it's the implementation details that matter, and that's what this talk is all about.

We will cover what makes the GDPR different, how it changes what happens at the developer and sysadmin level, and what steps you will need to take to conform to the standards.

This talk was given at the Dutch PHP conference 2017.

Marcus Bointon

June 30, 2017

Transcript

  1. Practical Privacy – GDPR Explained. By Marcus Bointon, Technical director, Synchromedia Limited & Smartmessages.net; maintainer of PHPMailer.

  2. Data protection history
     - EU Directive 95/46/EC (1995), implemented by each EU member
     - UK Data Protection Act 1998
     - French CNIL Data Processing Act 78-18, amended by 2004-801
     - Safe Harbour: 2000 - October 2015 (RIP)
     - Privacy Shield: July 2016

  3. General Data Protection Regulation – GDPR
     - New EU Regulation 2016/679; replaces the old Directive
     - Adopted April 2016, enforced from 25th May 2018
     - UK government has said they will support it, Brexit or not
     - Largely about protecting individual rights
     - Massively increased fines: up to 4% of global turnover
     - Under GDPR, Tesco Bank's fine would be around £1.9Bn!

  4. Quote from Tim Walters, Ph.D. (via LinkedIn): "Why is the GDPR so disruptive? Because it requires firms to follow principles that are in many cases the exact opposite of prevailing practices around data collection and processing." "The heart and soul of data-driven marketing – mass data aggregation, algorithmic processing, profile building – is fundamentally challenged – and, to be frank, largely banned – by the GDPR."

  5. (Image slide) Photo by i — happy!! from NY, NY (Flickr), CC BY 2.0.

  6. Data protection principles
     - Processing must be lawful, fair, and transparent
     - Data collected & processed for specific, explicit, and legitimate purposes
     - Adequate, relevant, and limited to the stated purposes
     - Stores identifiable subjects no longer than necessary
     - Data processed in a way that protects accuracy, integrity, and access

  7. (Diagram) IT concerns versus privacy concerns; terms shown: Access, Confidentiality, Notice, Choice, Use, Availability, Integrity.

  8. GDPR transition
     - Rights are largely the same, but better defined
     - Biggest change: accountability - must be able to demonstrate compliance
     - Tries to address information asymmetry
     - Requires ISO-style defined procedures, e.g. a data breach plan

  9. Privacy by design
     - Put yourself in the user's position
     - Retain records of changes in personal data processing - facilitates accountability
     - Privacy Impact Assessments ("PIA")
     - Data Protection Impact Assessments ("DPIA")
     - Possible need for a Data Protection Officer ("DPO")

  10. Data flavours
     - Pseudonymous: hashed email, truncated IP, "anonymised" data
     - Personal: name, address, phone number, email address; any unique identifiers - includes IP address, location, cookie values, mobile IMEI, browser fingerprinting
     - Sensitive: ethnicity, political affiliation, religion, sexual orientation, credit cards, criminal record, trade union membership, biometric, genetic
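As an added illustration of the "pseudonymous" column above (example code written for this page, not from the talk): it shows that a plain hashed email can be matched back to any list of known addresses, which is why it stays personal data, and contrasts that with a keyed hash plus IP truncation. The /24 and /48 cut-offs, the pepper handling and the sample records are this example's own assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Iterable, Optional

# Constructed sample addresses for the demonstration (not real people).
SAMPLE_EMAILS = ["Alice@Example.com", "bob@example.org"]


def _normalise(email: str) -> bytes:
    return email.strip().lower().encode()


def truncate_ip(ip: str) -> str:
    """Drop the host part of an address: keep /24 for IPv4, /48 for IPv6
    (assumed policy for this example)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def unkeyed_hash(email: str) -> str:
    """Plain SHA-256 of a normalised email: what 'hashed email' usually means."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonym(email: str, pepper: bytes) -> str:
    """HMAC-SHA256 under a secret pepper that is stored apart from the data."""
    return hmac.new(pepper, _normalise(email), hashlib.sha256).hexdigest()


def reidentify(hashed: str, known_emails: Iterable[str]) -> Optional[str]:
    """Dictionary lookup: whoever holds a list of addresses reverses an unkeyed
    hash by hashing the list and comparing, so the hash is only pseudonymous."""
    table = {unkeyed_hash(e): _normalise(e).decode() for e in known_emails}
    return table.get(hashed)


def pseudonymise(record: dict, pepper: bytes) -> dict:
    """Replace direct identifiers in a log or CRM record. The result is still
    personal data under GDPR: the pepper holder can link it back."""
    rest = {k: v for k, v in record.items() if k not in ("email", "ip")}
    return {"email_id": keyed_pseudonym(record["email"], pepper),
            "net": truncate_ip(record["ip"]), **rest}
```

Without the pepper the keyed pseudonym cannot be rebuilt from an address list, so the lookup that defeats the plain hash fails against it.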
  11. e-Privacy Regulation
     - Not just GDPR…
     - The end of the cookie law!
     - Third party cookies blocked by default (as Safari has always done)
     - "Do Not Track" becomes enforceable

  12. Personal privacy rights
     - Consent not always required
     - Subject access
     - Correct inaccuracies
     - Erase data
     - Object to marketing use
     - To restrict processing – how, where, for what purpose
     - To be able to move data (portability)

  13. Reporting data breaches
     - Report to your country's data protection commissioner within 72 hours
     - Unless data was encrypted
     - Breaches of sensitive data must also notify the subjects
     - Fines for breaches - also for not reporting!

  14. Examples with implications
     - Create an account, also post to a CRM
     - Facebook "Like" buttons
     - Google Analytics
     - OAuth / social logins
     - Buying a mailing list (don't!)

  15. Ironic counter example
     - Requiring unnecessary data
     - Requiring personal data
     - Handling data inappropriately
     - Requiring pointless data!
     - From a law firm specialising in privacy?

  16. GDPR resources
     - Full GDPR text for reference: https://gdpr-info.eu
     - UK Information Commissioner: https://ico.org.uk
     - http://www.eudataprotectionlaw.com/
     - http://privacylawblog.fieldfisher.com/
     - http://www.out-law.com/
     - https://www.privacyshield.gov/list
     - Twitter: @1DavidClarke, @CILCONSULTING, @PrivacyMatters, @WebDevLaw, @MissIG_Geek

  17. Thank you! Marcus Bointon, marcus@synchromedia.co.uk, @SynchroM, Synchro on GitHub & StackExchange. Feedback please! joind.in/talk/8cf69