Upgrade to Pro — share decks privately, control downloads, hide ads and more …

GDPR Compliance for Your Datastore

Philipp Krenn
November 19, 2018
Programming
5
140

GDPR Compliance for Your Datastore

* What is the GDPR and what does it actually mean for your business?
* What are your options for storing data — including not storing information and securing it?
* What are some of the hands-on steps to take for example with logs that your applications are collecting?

The General Data Protection Regulation (GDPR) is changing how you can handle data in Europe. But what does this actually mean? The first part of this talk gives an overview of the implications of GDPR, which affects every software project with a European relation. That includes users' right to see, edit, and export their data, the right to be forgotten,... The second part takes a look at what this means for actual software projects with the specific use-case of logging. The main focus here is how to stay GDPR compliant while still being able to use the data for security and operation aspects.

Disclaimer: This talk does not replace legal advice or a deeper examination of the topic. It is just a general overview.

Philipp Krenn

November 19, 2018
Tweet

More Decks by Philipp Krenn

See All by Philipp Krenn
Full-Text Search Explained
xeraa
11
2k
360° Monitoring of Your Microservices
xeraa
7
3.3k
Scale Your Metrics with Elasticsearch
xeraa
4
130
YAML Considered Harmful
xeraa
0
2k
Scale Your Elasticsearch Cluster
xeraa
1
280
Hands-On ModSecurity and Logging
xeraa
2
140
Centralized Logging Patterns
xeraa
1
970
Dashboards for Your Management with Kibana Canvas
xeraa
1
450
Make Your Data FABulous
xeraa
3
810

Other Decks in Programming

See All in Programming
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
880
Quine, Polyglot, 良いコード
qnighy
4
640
C++でシェーダを書く
fadis
6
4.1k
.NET のための通信フレームワーク MagicOnion 入門 / Introduction to MagicOnion
mayuki
1
1.4k
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
120
CSC509 Lecture 09
javiergs
PRO
0
140
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
100
Amazon Bedrock Agentsを用いてアプリ開発してみた!
har1101
0
330
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
250
Jakarta EE meets AI
ivargrimstad
0
590
イベント駆動で成長して委員会
happymana
1
320

Featured

See All Featured
Producing Creativity
orderedlist
PRO
341
39k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Writing Fast Ruby
sferik
627
61k
Music & Morning Musume
bryan
46
6.2k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Bash Introduction
62gerente
608
210k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Unsuck your backbone
ammeep
668
57k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Building Adaptive Systems
keathley
38
2.3k
Ruby is Unlike a Banana
tanoku
97
11k

Transcript

  1. None
  2. None
  3. None

  4. Who likes GDPR? @xeraa

  5. Who is afraid of GDPR? @xeraa

  6. “Can you recommend a GDPR expert? Yes! Great, can you

    give me their email address so I can contact them? No.” https://twitter.com/wardrox/status/988363811479572483 @xeraa

  7. Questions: https://sli.do/xeraa Answers: https://twitter.com/xeraa @xeraa

  8. General Data Protection Regulation Adopted 2016/04/14 Enforceable 2018/05/25 @xeraa

  9. Datenschutz- Grundverordnung Fines up to 4% of global revenues or

    €20m @xeraa

  10. Where & Who? EU organizations Services or goods for /

    monitoring of EU citizens @xeraa

  11. What? Personal Data Any information relating to an identified or

    identifiable natural person @xeraa

  12. Rights? to be informed access rectification @xeraa

  13. Rights? erasure (to be forgotten) restrict processing data portability @xeraa

  14. Rights? object automatic decision making @xeraa

  15. PS: Personal data in a blockchain is an issue @xeraa

  16. Lawful use of data? Informed consent Contractual obligation Legitimate interest

    @xeraa

  17. Lawful use of data? Legal obligation Vital interests Public task

    @xeraa

  18. Proof Required Right to collect and legally use @xeraa

  19. Disclosure Within 72 hours to a member state’s "supervisory body"

    @xeraa

  20. Legacy Data Stop, Check, Delete @xeraa

  21. None

  22. What if no legal grounds? @xeraa

  23. “More GDPR bizarro world logic. Log nothing, but also make

    sure to have a complete understanding of all your security breaches, track them down, patch them up…. with no logs.” https://twitter.com/ianlandsman/status/997561351009599488 @xeraa

  24. 1. Stop Your Service @xeraa

  25. None
  26. None

  27. @xeraa

  28. @xeraa

  29. @xeraa

  30. @xeraa

  31. 2. Drown them in forms @xeraa

  32. https://twitter.com/rianjohnson/status/999730569641525248

  33. 3. Pseudonymization @xeraa

  34. Anonymous No information that could potentially identify an individual Not

    considered Personal Data by GDPR @xeraa

  35. Pseudonymous Re-identification possible if combined with additional information Without this

    information, re- identification practically impossible @xeraa

  36. When? Ingestion time Search time @xeraa

  37. Developer @xeraa

  38. None

  39. @xeraa

  40. @xeraa

  41. None

  42. fingerprint { method => "SHA256" source => ["ip"] key =>

    "${FINGERPRINT_KEY}" } mutate { add_field => { '[identities][0][key]' => "%{fingerprint}" '[identities][0][value]' => "%{ip}" } } mutate { replace => { "ip" => "%{fingerprint}" } } @xeraa

  43. How Secure Are Hashes? Without salting @xeraa

  44. “You might think it would take a long time to

    run through all of the possible SSNs, but computers are very fast — there are "only" one billion possible SSNs, so your laptop can hash all of them in less time than it takes you to get a cup of coffee.” https://www.ftc.gov/news-events/blogs/techftc/2012/04/does-hashing-make-data- anonymous @xeraa

  45. “Datafinder – Reverse email hashes for $0.04 per email” https://freedom-to-tinker.com/2018/04/09/four-

    cents-to-deanonymize-companies-reverse-hashed- email-addresses/ @xeraa
  46. None

  47. Access Control & Encryption @xeraa

  48. None

  49. Deletion @xeraa

  50. “Interesting #GDPR solution for the "right to erasure" : Encrypt

    all user's data and when you have to delete it you just get rid of the private key. Will this become the norm?” https://twitter.com/Stephan007/status/985103374118014976 @xeraa

  51. “[...] personal data of our users can only be persisted

    when it is encrypted. Each user has their own set of keys [...] it reduces the impact of leaking a dataset, since the dataset by itself is useless — attackers also need the decryption keys. [...] it allows us to control the lifecycle of data for individual users centrally.” https://labs.spotify.com/2018/09/18/scalable-user-privacy/ @xeraa

  52. Conclusion @xeraa

  53. Data Protection The new standard and norm of approaching personal

    data @xeraa
  54. None

  55. I am not a lawyer @xeraa

  56. ❤ GDPR and carry on @xeraa

  57. @xeraa

  58. Questions? Philipp Krenn̴̴̴̴̴̴@xeraa @xeraa