Practical Privacy - GDPR Explained

In recent years we've seen a growing awareness of privacy issues, particularly in the wake of Edward Snowden's revelations. The 2015 collapse of the Safe Harbour agreement (making it illegal to store data on EU citizens in the US) was patched up with Privacy Shield in 2016, but that's on shaky ground too. The EU's tough new General Data Protection Regulation (GDPR) comes into force in May 2018, raising privacy and data protection standards enormously and massively increasing exposure for companies on both sides of the Atlantic.

All too often legal departments have no contact with developers, and the only time the right conversations happen is when something has gone horribly wrong and it's too late. We need to fix this: developers need to be aware of their legal responsibilities, because it's the implementation details that matter, and that's what this talk is all about.

We will cover what makes the GDPR different, how it changes what happens at the developer and sysadmin level, and what steps you will need to take to conform to the standards.

This talk was given at the Dutch PHP conference 2017.

Marcus Bointon

June 30, 2017
Transcript

  1. Practical Privacy – GDPR Explained
    By Marcus Bointon
    Technical director,
    Synchromedia Limited & Smartmessages.net
    Maintainer of PHPMailer

  2. Data protection history
    EU Directive 95/46/EC 1995
    Implemented by each EU member
    UK Data Protection Act 1998
    French CNIL Data Processing Act 78-18, amended by 2004-801
    Safe Harbour: 2000 - October 2015 RIP
    Privacy Shield: July 2016

  3. General Data Protection Regulation – GDPR
    New EU Regulation 2016/679; replaces old Directive
    Adopted April 2016, enforced from 25th May 2018
    UK government has said they will support it, Brexit or not
    Largely about protecting individual rights
    Massively increased fines up to 4% of global turnover
    Under GDPR, Tesco bank’s fine would be around £1.9Bn!

  4. – Tim Walters, Ph.D. (via LinkedIn)
    “Why is the GDPR so disruptive? Because it requires firms to follow principles that are in many cases the exact opposite of prevailing practices around data collection and processing”
    “The heart and soul of data-driven marketing – mass data aggregation, algorithmic processing, profile building – is fundamentally challenged – and, to be frank, largely banned – by the GDPR.”

  5. By i — happy!! from NY, NY (Flickr) CC BY 2.0

  6. Data protection principles
    Processing must be lawful, fair, and transparent
    Data collected & processed for specific, explicit, and legitimate purposes
    Adequate, relevant, and limited to the stated purposes
    Stores identifiable subjects no longer than necessary
    Data processed in a way that protects accuracy, integrity, and access

  7. Access
    Confidentiality
    Notice
    Choice
    Use
    Availability
    Integrity
    IT concerns
    Privacy concerns

  8. GDPR transition
    Rights are largely the same, but better defined
    Biggest change: accountability - must be able to demonstrate compliance
    Tries to address information asymmetry
    Requires ISO-style defined procedures - e.g. data breach plan

  9. Privacy by design
    Put yourself in the user’s position
    Retain records of changes in personal data processing - facilitates accountability
    Privacy Impact Assessments “PIA”
    Data Protection Impact Assessments “DPIA”
    Possible need for a Data Protection Officer “DPO”

  10. Data flavours
    Pseudonymous: hashed email; truncated IP; “anonymised” data
    Personal: name, address, phone number, email address; any unique identifiers - includes IP address, location, cookie values, mobile IMEI, browser fingerprinting
    Sensitive: ethnicity, political affiliation, religion, sexual orientation, credit cards, criminal record, trade union membership, biometric, genetic
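An added example (not code from the talk) showing in Python how the two pseudonymous items on the slide, a hashed email and a truncated IP, are produced, and why the slide puts “anonymised” in quotes: an unkeyed hash of an email address can be regenerated by anyone who knows the address, whereas a keyed HMAC cannot. The key, addresses and IPs are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholder key; in a real system it comes from a secrets
# store, is never written to logs, and is rotated per purpose.
PSEUDONYMISATION_KEY = b"constructed-example-key-do-not-use"


def normalise_email(email: str) -> bytes:
    """Trim and lower-case so the same address always yields one token."""
    return email.strip().lower().encode()


def naive_hash_email(email: str) -> str:
    """Unkeyed SHA-256. Deterministic and secret-free, so the token is
    still linkable to the person by anyone who can guess the address."""
    return hashlib.sha256(normalise_email(email)).hexdigest()


def pseudonymise_email(email: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """HMAC-SHA-256 under a controller-held key. Records can still be
    matched by the key holder; without the key the token is not
    reproducible from the address."""
    return hmac.new(key, normalise_email(email), hashlib.sha256).hexdigest()


def truncate_ip(addr: str) -> str:
    """Drop host bits before storage: IPv4 keeps a /24, IPv6 keeps a /48.
    Raises ValueError on input that is not an IP address."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def reproducible_without_key(token: str, candidates: list[str]) -> bool:
    """Review check for an export that claims to be pseudonymised: if any
    candidate address regenerates the token with no secret, the column is
    merely hashed, not pseudonymised."""
    return any(naive_hash_email(c) == token for c in candidates)
```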

  11. e-Privacy Regulation
    Not just GDPR…
    The end of the cookie law!
    Third party cookies blocked by default (as Safari has always done)
    “Do Not Track” becomes enforceable

  12. Personal Privacy Rights
    Consent not always required
    Subject access
    Correct inaccuracies
    Erase data
    Object to marketing use
    To restrict processing – how, where, for what purpose
    To be able to move data (portability)

  13. Reporting Data Breaches
    Report to your country’s data protection commissioner
    Within 72 hours
    Unless data was encrypted
    Breaches of sensitive data must also notify the subjects
    Fines for breaches - also for not reporting!

  14. Examples with implications
    Create an account, also post to a CRM
    Facebook “Like” buttons
    Google analytics
    OAuth / social logins
    Buying a mailing list (don’t!)

  15. Ironic counter example
    Requiring unnecessary data
    Requiring personal data
    Handling data inappropriately
    Requiring pointless data!
    From a law firm specialising in privacy?

  16. GDPR Resources
    Full GDPR text for reference https://gdpr-info.eu
    UK Information Commissioner: https://ico.org.uk
    http://www.eudataprotectionlaw.com/
    http://privacylawblog.fieldfisher.com/
    http://www.out-law.com/
    https://www.privacyshield.gov/list
    Twitter: @1DavidClarke, @CILCONSULTING,
    @PrivacyMatters, @WebDevLaw, @MissIG_Geek

  17. Thank you!
    Marcus Bointon
    [email protected]
    @SynchroM
    Synchro on GitHub & StackExchange
    Feedback please! joind.in/talk/8cf69