GDPR for developers
Bozhidar Bozhanov
About me
• Founder and CEO of LogSentinel
• Former IT advisor to the deputy prime minister of Bulgaria
• Software engineer
• Privacy advocate
• Top 50 stackoverflow contributor
• https://techblog.bozho.net
• @bozhobg
What is GDPR?
• Regulation
  • a.k.a. direct common EU law
  • overrides / supersedes national data protection laws
  • extends the existing directive
• Panic!
  • Huge fines for non-compliance (4% of turnover or 20 million euro)
  • Insufficient understanding of what has to be done (consultants, regulators, companies)
• Opportunity
  • To really protect your customers’ data
  • To get your systems secure
Pros and cons of GDPR
• Cons:
• Bureaucratic
• Not always clear
• Requires most systems to be upgraded (burden)
• Doesn’t solve all data protection issues
• Leaves issues at the discretion of local regulators
• Pros:
• Unifies data protection in Europe
• Mandates best practices
• Requires consciousness about personal data processing
Why do YOU care?
• You may be:
  • implementing GDPR-related upgrades
  • designated as a DPO (data protection officer)
  • implementing anything that handles data
  • conscious about personal data in your organization
Terminology
• Data subject: a.k.a. user (the person whose personal data is processed)
• Personal data: any data about an identifiable or identified person
• Data processing: any operation (manual or automated) on personal data
• Controller: the entity (company) that requests and uses the data
• Processor: any entity that processes data on behalf of a controller (e.g. cloud service providers)
GDPR principles
Lawfulness
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
…magic
What about cookies?
• ePrivacy directive -> ePrivacy regulation
• Somewhat different from GDPR
• Answers some questions unanswered by GDPR:
• Tracking cookies
• Traffic data
• Direct marketing
• Opinion – should have been a unified regulation
• With the upcoming ePrivacy regulation – no more useless cookie warnings
• Also: directive for processing personal data by law enforcement
When to process personal data
• User’s consent
• Performance of a contract
• If required by law
• Legitimate interest of the controller (including direct marketing)
• Combination of the above
GDPR functionalities
• Functionalities are only part of it – processes/procedures/rules must also exist
• “Forget me” (the right to erasure)
• Mark profile as restricted (right to restriction of processing)
• Export data (right to portability)
• Allow profile editing (right to rectification)
• “See all my data” (right to access)
• Consent checkboxes
• Age checks
• Data destruction (data minimization principle)
“Forget me”
• Delete all data relating to a user
• void forgetUser(UUID userId);
• Useful for integration tests
• What about foreign keys?
• Allow nullable foreign keys
• Anonymize user (leave only ID)
• Cascade delete
• Option: mark for deletion (+user cleanup job)
“Forget me”
• Event-sourcing?
• Crypto-shredding
• Blockchain?
• Notify 3rd parties / call 3rd parties APIs:
• CRMs, Payment gateways, etc.
• Return 404 for indexable pages
• Backups – store anonymized IDs separately
• “My data model doesn’t allow for it” is no excuse
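The erasure strategies on the two “Forget me” slides (cascade delete, nullable foreign keys, anonymize leaving only the ID, mark-for-deletion with a cleanup job, and a check that is useful in integration tests) as an added, self-contained Python example using the standard-library sqlite3 module. This is example code, not the talk's own; the schema, table names and the `forget_user`/`cleanup_job`/`is_forgotten` functions are constructed for the illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema for this example (not the talk's own code): one table per
# erasure strategy mentioned in the slides.
SCHEMA = """
CREATE TABLE users (
    id TEXT PRIMARY KEY,
    email TEXT, full_name TEXT, address TEXT,
    deletion_requested_at TEXT       -- set by the "mark for deletion" option
);
CREATE TABLE invoices (              -- accounting record: must survive, keeps only the user ID
    id INTEGER PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), amount REAL NOT NULL
);
CREATE TABLE comments (              -- content stays, authorship goes: nullable foreign key
    id INTEGER PRIMARY KEY, author_id TEXT REFERENCES users(id), body TEXT NOT NULL
);
CREATE TABLE sessions (              -- nothing but personal data: cascade delete
    id INTEGER PRIMARY KEY, user_id TEXT NOT NULL REFERENCES users(id), ip TEXT NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def forget_user(conn: sqlite3.Connection, user_id: str) -> None:
    """The talk's forgetUser(UUID userId), done in one transaction.

    The users row itself is kept because invoices reference it; only its
    personal columns are cleared ("anonymize user, leave only ID").
    """
    with conn:
        # cascade: rows that are nothing but personal data are deleted outright
        conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
        # nullable FK: keep the content, drop the link to the person
        conn.execute("UPDATE comments SET author_id = NULL WHERE author_id = ?",
                     (user_id,))
        # anonymize: leave only the ID so the invoice foreign keys still resolve
        conn.execute(
            "UPDATE users SET email = NULL, full_name = NULL, address = NULL, "
            "deletion_requested_at = NULL WHERE id = ?", (user_id,))


def request_deletion(conn: sqlite3.Connection, user_id: str) -> None:
    """Option from the slides: mark now, let the cleanup job erase later."""
    with conn:
        conn.execute("UPDATE users SET deletion_requested_at = ? WHERE id = ?",
                     (datetime.now(timezone.utc).isoformat(), user_id))


def cleanup_job(conn: sqlite3.Connection) -> int:
    """Scheduled job: erase every marked user; returns how many were processed."""
    ids = [r[0] for r in conn.execute(
        "SELECT id FROM users WHERE deletion_requested_at IS NOT NULL")]
    for uid in ids:
        forget_user(conn, uid)
    return len(ids)


def is_forgotten(conn: sqlite3.Connection, user_id: str) -> bool:
    """Integration-test check: no personal data about user_id remains anywhere."""
    row = conn.execute("SELECT email, full_name, address FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    user_clean = row is None or all(v is None for v in row)
    sessions = conn.execute("SELECT COUNT(*) FROM sessions WHERE user_id = ?",
                            (user_id,)).fetchone()[0]
    comments = conn.execute("SELECT COUNT(*) FROM comments WHERE author_id = ?",
                            (user_id,)).fetchone()[0]
    return user_clean and sessions == 0 and comments == 0


def demo() -> tuple:
    """Constructed data: one user with an invoice, a comment and a session."""
    conn = open_db()
    with conn:
        conn.execute("INSERT INTO users VALUES ('u1', 'ann@example.com', 'Ann Example', "
                     "'Sofia', NULL)")
        conn.execute("INSERT INTO invoices (user_id, amount) VALUES ('u1', 42.0)")
        conn.execute("INSERT INTO comments (author_id, body) VALUES ('u1', 'nice product')")
        conn.execute("INSERT INTO sessions (user_id, ip) VALUES ('u1', '203.0.113.7')")
    before = is_forgotten(conn, "u1")
    request_deletion(conn, "u1")
    erased = cleanup_job(conn)
    invoices_kept = conn.execute(
        "SELECT COUNT(*) FROM invoices WHERE user_id = 'u1'").fetchone()[0]
    comments_kept = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return before, erased, is_forgotten(conn, "u1"), invoices_kept, comments_kept


if __name__ == "__main__":
    print(demo())  # (False, 1, True, 1, 1)
```

Which strategy a table gets is a data-model decision: accounting records keep the bare ID, user-generated content keeps the text but loses attribution, and rows that exist only because of the person are removed. The `is_forgotten` check is what an integration test asserts after calling the erasure endpoint, and it is also the first thing to extend when a new table with personal data is added.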
Restrict processing
• Mark user as “restricted”
• Boolean database column
• Button on profile page “restrict processing of personal data”
• Button on admin page
• Don’t show in searches, don’t send emails, don’t include in automated processing
• Mark as restricted in 3rd party systems (e.g. with a custom field)
• Don’t show on public pages / 404
• Why? For edge cases, e.g. when the user objects to erasure
Export data
• Right to data portability (no vendor lock-in; in theory)
• Formats: JSON, XML, CSV or other standards
• Schema: prefer schema.org
• Could be a background process that sends email when done
• Could be a manual process (easier to get compliant)
• All personal data + all data associated with the user (orders, messages, etc.)
• Logs? No
• Data from 3rd party systems? Yes
• they should have that functionality as well
Editable user profile
• Right to rectification
• All personal data fields should be editable
• Could be a manual support process: “please fix my name”
• Data obtained from 3rd parties
  • If email/phone is included, the user should be able to identify with that email/phone (“shadow accounts”)
  • If not – manual process
Ask for consent
• No more “I accept the Terms and conditions and the privacy policy”
• Unchecked checkbox for each processing purpose on registration
• Data processing business processes to be listed in a register
• User should be able to withdraw consent from the user profile page
• If data is used for machine learning, get explicit consent for that
• Store consent in a secure way
• Boolean column may or may not be enough, depending on the regulator
• Consents table?
• Timestamping?
• Re-request consent for existing users via email
• Oral consent
• Workarounds: consent vs contract with electronic signature?
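The “Consents table? Timestamping?” questions on this slide, worked through as an added Python/sqlite3 example (not code from the talk): one append-only row per consent event, a per-purpose check that takes the latest event, withdrawal from the profile page as just another event, and a query for existing users who were never asked and should get the re-consent email. The schema, the purpose names (`newsletter`, `ml-training`) and the `source` values are constructed for the illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema (example code, not from the talk). Consent events are
# appended, never updated, so the history survives audits and withdrawals.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT);
CREATE TABLE consents (
    id INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL REFERENCES users(id),
    purpose TEXT NOT NULL,        -- key into the register of processing activities
    granted INTEGER NOT NULL,     -- 1 = given, 0 = withdrawn
    recorded_at TEXT NOT NULL,    -- UTC timestamp of the event
    source TEXT NOT NULL          -- where it happened: registration form, profile page, email link
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def record_consent(conn: sqlite3.Connection, user_id: str, purpose: str,
                   granted: bool, source: str) -> None:
    """Append one event; an unchecked checkbox simply produces no row."""
    with conn:
        conn.execute(
            "INSERT INTO consents (user_id, purpose, granted, recorded_at, source) "
            "VALUES (?, ?, ?, ?, ?)",
            (user_id, purpose, 1 if granted else 0,
             datetime.now(timezone.utc).isoformat(), source))


def withdraw_consent(conn: sqlite3.Connection, user_id: str, purpose: str,
                     source: str = "profile-page") -> None:
    """Withdrawal is recorded, not deleted: the original grant stays in the history."""
    record_consent(conn, user_id, purpose, False, source)


def has_consent(conn: sqlite3.Connection, user_id: str, purpose: str) -> bool:
    """The latest event for (user, purpose) decides; no event at all means no consent."""
    row = conn.execute(
        "SELECT granted FROM consents WHERE user_id = ? AND purpose = ? "
        "ORDER BY recorded_at DESC, id DESC LIMIT 1", (user_id, purpose)).fetchone()
    return bool(row and row[0])


def users_to_re_request(conn: sqlite3.Connection, purpose: str) -> list:
    """Existing users with no event for this purpose: the re-consent email goes to them."""
    return [r[0] for r in conn.execute(
        "SELECT u.id FROM users u WHERE NOT EXISTS "
        "(SELECT 1 FROM consents c WHERE c.user_id = u.id AND c.purpose = ?) "
        "ORDER BY u.id", (purpose,))]


def consent_history(conn: sqlite3.Connection, user_id: str) -> list:
    """Everything the user ever did about consent, for the 'see my data' page or a regulator."""
    return conn.execute(
        "SELECT purpose, granted, recorded_at, source FROM consents "
        "WHERE user_id = ? ORDER BY id", (user_id,)).fetchall()


def demo() -> dict:
    """Constructed data: u1 registered with two checkboxes, u2 predates the checkboxes."""
    conn = open_db()
    with conn:
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [("u1", "a@example.com"), ("u2", "b@example.com")])
    record_consent(conn, "u1", "newsletter", True, "registration-form")
    record_consent(conn, "u1", "ml-training", True, "registration-form")
    withdraw_consent(conn, "u1", "ml-training")
    return {
        "u1_newsletter": has_consent(conn, "u1", "newsletter"),      # True
        "u1_ml": has_consent(conn, "u1", "ml-training"),             # False after withdrawal
        "u2_newsletter": has_consent(conn, "u2", "newsletter"),      # False: never asked
        "re_request": users_to_re_request(conn, "newsletter"),       # ['u2']
        "u1_events": len(consent_history(conn, "u1")),               # 3
    }


if __name__ == "__main__":
    print(demo())
```

A boolean column can answer “does the user consent right now?” but not “when did they consent, to what wording, and through which screen?”, which is what an auditor asks; the event table answers both, and `has_consent` is the single place the rest of the application should call before sending a newsletter or feeding a record into a training set.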
“See my data”
• Overlaps with “export data”
• Allow non-registered users to check if you have data about them
• Confirm email
• Show the processing records from the register
Age check
• On registration ask for age / date of birth / (checked) checkbox “I’m older than 16”
• Ask parent for consent
• How?
• Nobody has a clue
• “The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”
• Proposal: ask for parent’s email, send a link and get the registration confirmed
• Proposal: upload “parent selfie”
• Proposal: eID
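The first proposal on this slide (ask for the parent's email, send a link, get the registration confirmed) as an added Python example; it is not code from the talk, and the 48-hour validity, the `ParentalConsentFlow` class and the age helpers are assumptions made for the illustration. The security points it shows are the ones a practitioner would want in any emailed confirmation link: the token comes from `secrets`, only its SHA-256 digest is stored, it is single-use, and it expires.

```python
import hashlib
import secrets
from datetime import date, datetime, timedelta, timezone

MIN_AGE = 16  # the threshold in the slide's "I'm older than 16" checkbox


def age_on(dob: date, today: date) -> int:
    """Whole years completed on `today`; the birthday itself counts."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def needs_parental_consent(dob: date, today: date) -> bool:
    return age_on(dob, today) < MIN_AGE


class ParentalConsentFlow:
    """Pending registrations keyed by the digest of the single-use token emailed to the parent.

    Constructed in-memory store; a real deployment would persist the same
    (digest, child, parent, expiry) tuple in the database.
    """

    def __init__(self, ttl: timedelta = timedelta(hours=48), clock=None):
        self._pending = {}  # sha256(token) -> (child_user_id, parent_email, expires_at)
        self._ttl = ttl
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def start(self, child_user_id: str, parent_email: str) -> str:
        """Returns the token to embed in the confirmation link; only its digest is kept."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (
            child_user_id, parent_email, self._clock() + self._ttl)
        return token

    def confirm(self, token: str) -> tuple:
        """Called when the parent follows the link. Pops the entry so the token is single-use."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return ("invalid", None)
        child_user_id, _parent_email, expires_at = entry
        if self._clock() > expires_at:
            return ("expired", None)
        return ("confirmed", child_user_id)

    @staticmethod
    def _digest(token: str) -> str:
        # A leaked table of pending confirmations must not let anyone confirm.
        return hashlib.sha256(token.encode()).hexdigest()


def demo() -> tuple:
    """Constructed walk-through with a controllable clock."""
    now = [datetime(2024, 3, 1, tzinfo=timezone.utc)]
    flow = ParentalConsentFlow(clock=lambda: now[0])
    minor = needs_parental_consent(date(2010, 6, 15), now[0].date())   # 13 years old
    adult = needs_parental_consent(date(2000, 6, 15), now[0].date())   # 23 years old
    token = flow.start("child-1", "parent@example.com")
    wrong = flow.confirm("not-the-token")
    first = flow.confirm(token)
    replay = flow.confirm(token)
    late_token = flow.start("child-2", "parent2@example.com")
    now[0] += timedelta(hours=49)
    late = flow.confirm(late_token)
    return minor, adult, wrong, first, replay, late


if __name__ == "__main__":
    print(demo())
```

The link proves only that whoever controls the given mailbox clicked it, which is exactly the “reasonable efforts … taking into consideration available technology” standard the slide quotes and no more; the same token handling carries over unchanged to the eID or selfie variants, where only the `confirm` step's evidence differs.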
Limit data retention
• Don’t store data for longer than “necessary”
• Database column for “data retention deadline”
• Scheduled job to delete/anonymize/pseudonymize data that is past its deadline
• Deadline vs confirmation event, e.g. “goods delivered”
• Applicable to “purchase without registration”
• Theoretically applicable to registered users
• In practice: “I agree to having my address stored for the purpose of not entering it again on subsequent purchases”
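The retention-deadline column and scheduled job from this slide, applied to the “purchase without registration” case, as an added Python/sqlite3 example (not the talk's code). The confirmation event (“goods delivered”) sets the deadline; the job wipes only the personal columns and leaves the business record. The 30-day retention period, the table and the function names are constructed for the illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_AFTER_DELIVERY = timedelta(days=30)  # constructed policy value

# Constructed schema (example code, not from the talk).
SCHEMA = """
CREATE TABLE guest_purchases (
    id INTEGER PRIMARY KEY,
    email TEXT, shipping_address TEXT,   -- personal data, needed only around delivery
    amount REAL NOT NULL,                -- business record, kept
    delivered_at TEXT,                   -- the confirmation event
    retention_deadline TEXT              -- derived from the event; NULL until delivered
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def place_order(conn: sqlite3.Connection, email: str, address: str, amount: float) -> int:
    cur = conn.execute(
        "INSERT INTO guest_purchases (email, shipping_address, amount) VALUES (?, ?, ?)",
        (email, address, amount))
    conn.commit()
    return cur.lastrowid


def mark_delivered(conn: sqlite3.Connection, order_id: int, when: datetime) -> None:
    """The confirmation event starts the retention clock (deadline = event + policy)."""
    deadline = when + RETENTION_AFTER_DELIVERY
    with conn:
        conn.execute(
            "UPDATE guest_purchases SET delivered_at = ?, retention_deadline = ? WHERE id = ?",
            (when.isoformat(), deadline.isoformat(), order_id))


def retention_job(conn: sqlite3.Connection, now: datetime) -> int:
    """Scheduled job: clear personal fields of rows past their deadline; returns rows changed.

    Rows with no deadline (not yet delivered) are untouched, and rows already
    cleared are skipped so the job is idempotent.
    """
    with conn:
        cur = conn.execute(
            "UPDATE guest_purchases SET email = NULL, shipping_address = NULL "
            "WHERE retention_deadline IS NOT NULL AND retention_deadline <= ? "
            "AND (email IS NOT NULL OR shipping_address IS NOT NULL)",
            (now.isoformat(),))
        return cur.rowcount


def demo() -> tuple:
    """Constructed orders: one long delivered, one recently delivered, one still pending."""
    conn = open_db()
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    old = place_order(conn, "a@example.com", "1 Old St", 10.0)
    recent = place_order(conn, "b@example.com", "2 New St", 20.0)
    place_order(conn, "c@example.com", "3 Wait St", 30.0)
    mark_delivered(conn, old, now - timedelta(days=60))
    mark_delivered(conn, recent, now - timedelta(days=5))
    wiped = retention_job(conn, now)
    wiped_again = retention_job(conn, now)
    rows = conn.execute(
        "SELECT id, email, shipping_address, amount FROM guest_purchases ORDER BY id"
    ).fetchall()
    return wiped, wiped_again, rows


if __name__ == "__main__":
    print(demo())
```

All timestamps are stored as UTC ISO-8601 strings, so the `<=` comparison in SQLite is a plain string comparison that orders correctly; mixing naive and offset-aware timestamps in that column would silently break the job. For a registered user who has agreed to keep the address for future purchases, the same job simply never sets a deadline for that row.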
Do’s (encryption)
• Encrypt data in transit
• between application and database
• between application and 3rd parties
• between application and database nodes (gossip)
• between multiple applications / microservices
• obviously: between user and application
• between load balancer and application?
• Encrypt data at rest
• LUKS or database-specific encryption
• Encryption key: ideally on HSM / AWS KMS / …
• Encrypt backups
Do’s
• Implement pseudonymization
• replace personal data with bcrypt/PBKDF?
• don’t use real production data for staging/test
• pseudonymize for machine learning purposes
• Protect data integrity
• Simple solution: do nothing; procedures should indicate that integrity is guaranteed by the database via checksums
• Other options: checksum column per record, enforced in the application layer, audit trail, 3rd party solutions like LogSentinel
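Two items from this slide in one added Python example (not the talk's code): pseudonymization for staging data and machine learning, and the “checksum column per record, enforced in the application layer” option for integrity. Where the slide suggests bcrypt/PBKDF for pseudonyms, this example swaps in a keyed HMAC-SHA256; that is a deliberate choice, not the talk's: it is deterministic, so the same person maps to the same token across tables and a join or a training set still works, while without the key the token cannot be reversed or checked against a list of known email addresses. The key, the field list and the record layout are constructed.

```python
import hashlib
import hmac
import json

PERSONAL_FIELDS = {"email", "full_name", "phone"}  # constructed list for the example


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token for one personal value.

    The field name is mixed in so the same string used as an email in one
    column and as a phone in another does not produce the same token.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Copy of `record` with every personal field replaced by its token."""
    return {
        name: pseudonymize(val, key, name) if name in PERSONAL_FIELDS and val is not None else val
        for name, val in record.items()
    }


def record_checksum(record: dict, key: bytes) -> str:
    """HMAC over a canonical JSON serialisation; stored in a 'checksum' column."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_record(stored: dict, key: bytes) -> bool:
    """True if the row's data still matches its checksum column."""
    data = dict(stored)
    expected = data.pop("checksum", None)
    if expected is None:
        return False
    return hmac.compare_digest(record_checksum(data, key), expected)


def demo() -> tuple:
    # Constructed key for the demo; in production it lives in an HSM/KMS, not in source.
    key = b"constructed-demo-key-do-not-use"
    a = {"id": 1, "email": "ann@example.com", "full_name": "Ann Example", "amount": 42.0}
    b = {"id": 2, "email": "ann@example.com", "full_name": "Ann Example", "amount": 7.5}
    pa, pb = pseudonymize_record(a, key), pseudonymize_record(b, key)
    same_person = pa["email"] == pb["email"]            # joins on the token still work
    no_raw_value = "ann@example.com" not in json.dumps(pa)
    other_key = pseudonymize_record(a, b"another-key")["email"] != pa["email"]
    stored = dict(a, checksum=record_checksum(a, key))  # what the application writes
    ok_before = verify_record(stored, key)
    stored["amount"] = 4200.0                            # direct edit in the database
    ok_after = verify_record(stored, key)
    return same_person, no_raw_value, other_key, ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, True, True, True, False)
```

Because the checksum is keyed, someone with write access to the database but not to the application's key cannot recompute it after an edit; a plain SHA-256 column would only catch accidental corruption. Note that a pseudonymized dataset is still personal data as long as the key exists, which is why the slide's “don't use real production data for staging/test” applies even to the tokenized copy.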
Do’s
• Have your GDPR register of processing activities in something other than Excel
• Internal web app / microservice or a 3rd party service
• Integrate with consent checkboxes and “right to access”
• Correlate audit logs with processing activities
• Audit log for the register itself
• Backups, high availability
• Log access to personal data
• Implied from the accountability principles
• Correlate with processing activity
• Search results / lists? Log “User X did query Y”
• Register all API consumers (no anonymous access)
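The access-log items on this slide (“User X did query Y”, correlation with a processing activity from the register, and an audit log that itself cannot be silently edited) as an added Python example; it is not the talk's code and not LogSentinel's. The register is a constructed dictionary standing in for the internal service the slide recommends, the hash chain is one way to make the log tamper-evident, and the `@` guard is a deliberately crude stand-in for a real personal-data scrubber.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed register of processing activities; audit entries reference its keys.
PROCESSING_REGISTER = {
    "PA-01": "Order fulfilment",
    "PA-02": "Customer support lookup",
    "PA-03": "Newsletter sending",
}


class AuditLog:
    """Append-only, hash-chained access log that stores subject IDs, never personal data."""

    def __init__(self, clock=None):
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def log_access(self, actor_id: str, activity_id: str, subject_ids: list, query: str) -> str:
        if activity_id not in PROCESSING_REGISTER:
            raise ValueError(f"unknown processing activity {activity_id!r}")
        for value in (actor_id, query, *subject_ids):
            if "@" in value:  # crude guard: an email address is not an ID
                raise ValueError("personal data in audit entry; log IDs only")
        entry = {
            "ts": self._clock(),
            "actor": actor_id,
            "activity": activity_id,
            "subjects": sorted(subject_ids),
            "query": query,  # the "User X did query Y" record for lists and searches
            "prev": self._entries[-1]["hash"] if self._entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_chain(self) -> bool:
        """False if any stored entry was altered, removed or reordered."""
        prev = "0" * 64
        for entry in self._entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def accesses_for_subject(self, subject_id: str) -> list:
        """Who looked at this person, under which activity: for 'see my data' and breach triage."""
        return [(e["ts"], e["actor"], e["activity"], e["query"])
                for e in self._entries if subject_id in e["subjects"]]

    def count_by_activity(self) -> dict:
        counts = {}
        for e in self._entries:
            counts[e["activity"]] = counts.get(e["activity"], 0) + 1
        return counts


def demo() -> tuple:
    """Constructed entries with a fixed clock so the run is reproducible."""
    log = AuditLog(clock=lambda: "2024-03-01T10:00:00+00:00")
    log.log_access("support-17", "PA-02", ["u1"], "lookup by order number 1001")
    log.log_access("batch-newsletter", "PA-03", ["u1", "u2", "u3"],
                   "SELECT recipients WHERE newsletter_consent = 1")
    log.log_access("support-17", "PA-01", ["u2"], "shipping address for order 1002")
    intact = log.verify_chain()
    u1_accesses = len(log.accesses_for_subject("u1"))
    by_activity = log.count_by_activity()
    try:
        log.log_access("support-17", "PA-02", ["ann@example.com"], "lookup")
        guard_fired = False
    except ValueError:
        guard_fired = True
    log._entries[1]["subjects"] = ["u1"]  # simulate editing a stored entry
    return intact, u1_accesses, by_activity, guard_fired, log.verify_chain()


if __name__ == "__main__":
    print(demo())
```

Refusing entries whose activity is not in the register is what makes “correlate audit logs with processing activities” enforceable rather than aspirational, and logging subject IDs instead of names or emails keeps the audit log from becoming one more store that a “forget me” request has to reach. An in-process hash chain only detects tampering after the fact; anchoring the latest hash somewhere the application cannot overwrite is the next step the slide's “3rd party solutions” bullet points at.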
Data breaches
• Notify data protection regulator
• Notify controllers (if you are a processor)
• Notify users
• Option: Configure your security incident system to report to the data protection regulator
• Have proof of when the breach was discovered (timestamp emails/issues?)
• Will it help? Questionable
• (Dilbert)
Don’ts
• Don’t use data for purposes other than what the user has agreed to
• Request consent via email for new purposes
• Legitimate interests can be dynamically added
• Don’t log personal data – just ID
• Cleanup old log files
• Don’t put unnecessary registration fields
• Don’t assume 3rd parties are compliant
• Don’t assume having ISO XXX makes you compliant
• Don’t dump personal data on public servers/buckets
• …and other obvious stuff
Conclusion
• GDPR would require changes, mostly
• Best practices
• Useful to customers
• The majority of changes can be implemented within 2-3 sprints
• GDPR forces better understanding of data flows
• Compliance likely to be checklist-based
• Beware of consultants claiming GDPR will require rewriting everything and asking for a lot of money
• Regulators will need some teaching
• The spirit of the regulation: be conscious about personal data
Thank you
Bozhidar Bozhanov: bozhidar.bozhanov@logsentinel.com
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 

GDPR for developers

2. About me
• Founder and CEO of LogSentinel
• Former IT advisor to the deputy prime minister of Bulgaria
• Software engineer
• Privacy advocate
• Top 50 stackoverflow contributor
• https://techblog.bozho.net
• @bozhobg
3. What is GDPR?
Regulation
• a.k.a. direct common EU law
• overrides / supersedes national data protection laws
• extends the existing directive
Panic!
• Huge fines for non-compliance (4% of turnover or 20 million euro)
• Insufficient understanding of what has to be done (consultants, regulators, companies)
Opportunity
• To really protect your customers’ data
• To get your systems secure
4. Pros and cons of GDPR
• Cons:
  • Bureaucratic
  • Not always clear
  • Requires most systems to be upgraded (burden)
  • Doesn’t solve all data protection issues
  • Leaves issues at the discretion of local regulators
• Pros:
  • Unifies data protection in Europe
  • Mandates best practices
  • Requires consciousness about personal data processing
5. Why do YOU care?
• You may be:
  • implementing GDPR-related upgrades
  • designated as a DPO (data protection officer)
  • implementing anything that handles data
  • conscious about personal data in your organization
6. Terminology
• Data subject: a.k.a. user (the person whose personal data is processed)
• Personal data: any data about an identified or identifiable person
• Data processing: any operation (manual or automated) on personal data
• Controller: the entity (company) that requests and uses the data
• Processor: any entity that processes data on behalf of a controller (e.g. cloud service providers)
7. GDPR principles
• Lawfulness
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• …magic
8. What about cookies?
• ePrivacy directive -> ePrivacy regulation
• Somewhat different from GDPR
• Answers some questions unanswered by GDPR:
  • Tracking cookies
  • Traffic data
  • Direct marketing
• Opinion – should have been a unified regulation
• With the upcoming ePrivacy regulation – no more useless cookie warnings
• Also: directive for processing personal data by law enforcement
9. When to process personal data
• User’s consent
• Performance of a contract
• If required by law
• Legitimate interest of the controller (including direct marketing)
• Combination of the above
10. GDPR functionalities
• Functionalities are only part of it – processes/procedures/rules must also exist
• “Forget me” (the right to erasure)
• Mark profile as restricted (right to restriction of processing)
• Export data (right to portability)
• Allow profile editing (right to rectification)
• “See all my data” (right to access)
• Consent checkboxes
• Age checks
• Data destruction (data minimization principle)
11. “Forget me”
• Delete all data relating to a user
• void forgetUser(UUID userId);
• Useful for integration tests
• What about foreign keys?
  • Allow nullable foreign keys
  • Anonymize user (leave only ID)
  • Cascade delete
  • Option: mark for deletion (+ user cleanup job)
12. “Forget me”
• Event-sourcing?
• Crypto-shredding
• Blockchain?
• Notify 3rd parties / call 3rd parties’ APIs:
  • CRMs, payment gateways, etc.
• Return 404 for indexable pages
• Backups – store anonymized IDs separately
• “My data model doesn’t allow for it” is no excuse
13. Restrict processing
• Mark user as “restricted”
  • Boolean database column
  • Button on profile page: “restrict processing of personal data”
  • Button on admin page
• Don’t show in searches, don’t send emails, don’t include in automated processing
• Mark as restricted in 3rd party systems (e.g. with a custom field)
• Don’t show on public pages / 404
• Why? Edge cases: user objects to erasure
14. Export data
• Right to data portability (no vendor lock-in; in theory)
• Formats: JSON, XML, CSV or other standards
• Schema: prefer schema.org
• Could be a background process that sends an email when done
• Could be a manual process (easier to get compliant)
• All personal data + all data associated with the user (orders, messages, etc.)
• Logs? No
• Data from 3rd party systems? Yes
  • they should have that functionality as well
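Slides 11 to 14 in working code, as an added example that is not part of the original deck: one SQLite schema with a `users` table that keeps only the ID after erasure, an `orders` table whose foreign key keeps pointing at the anonymized row, a `messages` table with a nullable foreign key, a separate `forgotten_users` ledger that can be replayed after a backup restore, a `restricted` flag honoured by the search/mailing query, and a schema.org-style export. All table, column and function names are assumptions made for the demo; the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Added example, not code from the slides: one SQLite schema exercised by
# "forget me" (slides 11-12), "restrict processing" (13) and "export data" (14).
# Table and column names are assumptions made for this demo.
SCHEMA = """
CREATE TABLE users (
    id         TEXT PRIMARY KEY,
    email      TEXT,
    name       TEXT,
    restricted INTEGER NOT NULL DEFAULT 0,  -- right to restriction of processing
    anonymized INTEGER NOT NULL DEFAULT 0   -- forgotten: only the ID survives
);
CREATE TABLE orders (                       -- kept for accounting; FK points at the anonymized row
    id      INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL REFERENCES users(id),
    total   REAL NOT NULL
);
CREATE TABLE messages (                     -- nullable FK: authorship is dropped on erasure
    id        INTEGER PRIMARY KEY,
    author_id TEXT REFERENCES users(id),
    body      TEXT NOT NULL
);
CREATE TABLE forgotten_users (              -- kept apart from the main backups (slide 12)
    user_id      TEXT PRIMARY KEY,
    forgotten_at TEXT NOT NULL
);
"""


def open_demo_db():
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users (id, email, name) VALUES (?, ?, ?)",
                     [("u1", "alice@example.com", "Alice Example"),
                      ("u2", "bob@example.com", "Bob Example")])
    conn.executemany("INSERT INTO orders (user_id, total) VALUES (?, ?)",
                     [("u1", 19.99), ("u1", 5.0), ("u2", 42.0)])
    conn.executemany("INSERT INTO messages (author_id, body) VALUES (?, ?)",
                     [("u1", "hello"), ("u2", "hi")])
    conn.commit()
    return conn


def forget_user(conn, user_id):
    """Right to erasure: wipe the personal fields but keep the ID so foreign keys stay valid."""
    with conn:
        conn.execute("UPDATE users SET email = NULL, name = NULL, anonymized = 1 WHERE id = ?",
                     (user_id,))
        conn.execute("UPDATE messages SET author_id = NULL WHERE author_id = ?", (user_id,))
        # Idempotent ledger entry; replayed after a backup restore by reapply_erasures().
        conn.execute("INSERT OR IGNORE INTO forgotten_users VALUES (?, ?)",
                     (user_id, datetime.now(timezone.utc).isoformat()))


def reapply_erasures(conn):
    """Run after restoring a backup: every ID in the ledger is forgotten again."""
    ids = [row[0] for row in conn.execute("SELECT user_id FROM forgotten_users")]
    for user_id in ids:
        forget_user(conn, user_id)
    return len(ids)


def restrict_processing(conn, user_id, restricted=True):
    """Right to restriction: a flag that every query over users must honour."""
    with conn:
        conn.execute("UPDATE users SET restricted = ? WHERE id = ?", (int(restricted), user_id))


def searchable_users(conn):
    """Source for search results and mailing lists: skips restricted and forgotten profiles."""
    rows = conn.execute("SELECT id FROM users WHERE restricted = 0 AND anonymized = 0 ORDER BY id")
    return [r[0] for r in rows]


def export_user_data(conn, user_id):
    """Right to portability: personal data plus associated records as a schema.org-style document."""
    row = conn.execute("SELECT email, name FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise KeyError(user_id)
    orders = [{"@type": "Order", "orderNumber": oid, "totalPrice": total}
              for oid, total in conn.execute("SELECT id, total FROM orders WHERE user_id = ?",
                                             (user_id,))]
    messages = [{"@type": "Message", "text": body}
                for (body,) in conn.execute("SELECT body FROM messages WHERE author_id = ?",
                                            (user_id,))]
    # Application logs are deliberately not part of the export (slide 14).
    return {"@context": "https://schema.org", "@type": "Person", "identifier": user_id,
            "email": row[0], "name": row[1], "orders": orders, "messages": messages}


if __name__ == "__main__":
    import json
    db = open_demo_db()
    print(json.dumps(export_user_data(db, "u1"), indent=2))
    forget_user(db, "u1")
    print("searchable after erasure:", searchable_users(db))
```

The ledger is the piece most teams forget: a restored backup silently resurrects the erased rows unless the IDs of forgotten users are kept somewhere the restore does not overwrite and replayed afterwards.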
15. Editable user profile
• Right to rectification
• All personal data fields should be editable
• Could be a manual support process: “please fix my name”
• Data obtained from 3rd parties
  • If email/phone is included, the user should be able to identify with that email/phone (“shadow accounts”)
  • If not – manual process
16. Ask for consent
• No more “I accept the Terms and conditions and the privacy policy”
• Unchecked checkbox for each processing purpose on registration
• Data processing business processes to be listed in a register
• User should be able to withdraw consent from the user profile page
• If data is used for machine learning, get explicit consent for that
• Store consent in a secure way
  • Boolean column may or may not be enough, depending on the regulator
  • Consents table?
  • Timestamping?
• Re-request consent from existing users via email
• Oral consent
• Workarounds: consent vs contract with electronic signature?
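The “consents table? timestamping?” question above, answered in code as an added example (not from the deck): an append-only ledger in which every grant and withdrawal is a timestamped event that also records which policy text the user saw, so a later change of the text yields the list of users who need the re-consent email the slide mentions. The purpose names, the policy texts and the rule that consent under an older text does not carry over are assumptions made for the demo.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not code from the slides: an append-only consent ledger in place of a
# single boolean column. Purposes and policy texts are constructed.
PURPOSES = {"newsletter", "analytics", "ml_training"}   # one unchecked checkbox each


def policy_hash(policy_text):
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool          # True = consent given, False = consent withdrawn
    recorded_at: datetime
    policy_hash: str       # hash of the text shown when consent was given/withdrawn
    channel: str           # "web_form", "email_link", "phone" (oral consent noted by staff), ...


class ConsentLedger:
    def __init__(self):
        self._events = []   # append-only; rows are never updated or deleted

    def record(self, user_id, purpose, granted, policy_text, channel="web_form"):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown processing purpose: {purpose!r}")
        event = ConsentEvent(user_id, purpose, granted, datetime.now(timezone.utc),
                             policy_hash(policy_text), channel)
        self._events.append(event)
        return event

    def latest(self, user_id, purpose):
        """Most recent event for (user, purpose), or None if the user never answered."""
        for event in reversed(self._events):
            if event.user_id == user_id and event.purpose == purpose:
                return event
        return None

    def has_consent(self, user_id, purpose, current_policy_text):
        """Check before processing: consent exists, was not withdrawn, and matches the current text."""
        event = self.latest(user_id, purpose)
        if event is None or not event.granted:
            return False
        # Design choice for this demo: consent given under an older policy text does not carry
        # over to a changed one; such users show up in needs_rerequest() instead.
        return event.policy_hash == policy_hash(current_policy_text)

    def needs_rerequest(self, current_policy_text):
        """(user, purpose) pairs to email for renewed consent after the policy text changed."""
        current = policy_hash(current_policy_text)
        latest_by_key = {}
        for event in self._events:
            latest_by_key[(event.user_id, event.purpose)] = event
        return {key for key, event in latest_by_key.items()
                if event.granted and event.policy_hash != current}

    def history(self, user_id):
        """Evidence for the regulator or the user: the full trail, oldest first."""
        return [e for e in self._events if e.user_id == user_id]
```

Because rows are only appended, the ledger doubles as the evidence a regulator may ask for: when consent was given, through which channel, for which text, and when it was withdrawn.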
17. “See my data”
• Overlaps with “export data”
• Allow non-registered users to check if you have data about them
  • Confirm email
• Show the processing records from the register
18. Age check
• On registration ask for age / date of birth / (checked) checkbox “I’m older than 16”
• Ask parent for consent
  • How?
  • Nobody has a clue :)
  • “The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.”
  • Proposal: ask for parent’s email, send a link and get the registration confirmed
  • Proposal: upload “parent selfie”
  • Proposal: eID
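The first proposal above (email the parent a confirmation link), as an added example that is not part of the deck: the link carries a signed, expiring, single-purpose token that names the registration and a hash of the parent’s address but not the address itself, and the server accepts each token once. The signing key, the 72-hour lifetime, the age threshold taken from the slide’s checkbox and all sample values are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example, not code from the slides: a signed, expiring link token for parental
# confirmation. Key, TTL and sample values are constructed.
AGE_THRESHOLD = 16                               # the slide's checkbox; the exact age is a local matter
LINK_KEY = b"demo-parental-consent-link-key"     # placeholder; a real key lives in an HSM/KMS
LINK_TTL_SECONDS = 72 * 3600


def needs_parental_consent(age):
    return age < AGE_THRESHOLD


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_parent_link_token(registration_id, parent_email, now=None, key=LINK_KEY):
    """Token embedded in the link emailed to the parent. The address itself is not in the link."""
    issued = int(time.time() if now is None else now)
    payload = {
        "reg": registration_id,
        "parent": hashlib.sha256(parent_email.strip().lower().encode()).hexdigest(),
        "exp": issued + LINK_TTL_SECONDS,
        "nonce": secrets.token_hex(8),           # makes every issued link unique
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    signature = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{signature}"


def verify_parent_link_token(token, now=None, key=LINK_KEY):
    """Return the registration id if the token is genuine and unexpired, otherwise None."""
    if token.count(".") != 1:
        return None
    body, signature = token.split(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, signature):   # check the MAC before trusting the body
        return None
    try:
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    if payload.get("exp", 0) < int(time.time() if now is None else now):
        return None
    return payload.get("reg")


class ParentalConfirmations:
    """Server-side state: each link works once, and the registration records who confirmed it."""

    def __init__(self):
        self.confirmed = {}      # registration id -> hash of the confirming parent's address
        self._used = set()

    def confirm(self, token, now=None):
        reg = verify_parent_link_token(token, now)
        if reg is None or token in self._used:
            return False
        self._used.add(token)
        payload = json.loads(_unb64(token.split(".")[0]))
        self.confirmed[reg] = payload["parent"]
        return True
```

The token proves only that whoever controls the given mailbox clicked the link within the window, which is exactly the “reasonable efforts … taking into consideration available technology” bar quoted on the slide, not proof of parenthood.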
19. Limit data retention
• Don’t store data for longer than “necessary”
• Database column for “data retention deadline”
• Scheduled job to delete/anonymize/pseudonymize data that is past its deadline
• Deadline vs confirmation event, e.g. “goods delivered”
• Applicable to “purchase without registration”
• Theoretically applicable to registered users
  • In practice: “I agree to having my address stored for the purpose of not entering it again on subsequent purchases”
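The “deadline vs confirmation event” point, as an added example that is not part of the deck: a guest-checkout order starts with a conservative deadline, the “goods delivered” event replaces it with a short post-delivery window, a registered user who agreed to keep the address has no deadline at all, and a scheduled sweep blanks the personal fields of whatever is overdue. The retention periods, the order structure and the sample orders are assumptions made for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example, not code from the slides: a retention deadline column driven by the
# delivery confirmation, with a fallback cap for orders that are never confirmed.
RETENTION_AFTER_DELIVERY = timedelta(days=30)   # assumed business rule (returns window)
MAX_WITHOUT_CONFIRMATION = timedelta(days=180)  # assumed cap if delivery is never confirmed


@dataclass
class GuestOrder:
    order_id: int
    placed_on: date
    shipping_address: Optional[str]
    email: Optional[str]
    retention_deadline: Optional[date]   # None = kept by consent (registered user agreed to storage)
    delivered_on: Optional[date] = None


def new_guest_order(order_id, placed_on, address, email):
    """Purchase without registration: the deadline starts as a conservative cap."""
    return GuestOrder(order_id, placed_on, address, email, placed_on + MAX_WITHOUT_CONFIRMATION)


def mark_delivered(order, delivered_on):
    """Confirmation event: the real deadline is relative to delivery, not to the order date."""
    order.delivered_on = delivered_on
    order.retention_deadline = delivered_on + RETENTION_AFTER_DELIVERY
    return order


def registered_user_order(order_id, placed_on, address, email):
    """Registered user who agreed to keep the address for future purchases: no deadline."""
    return GuestOrder(order_id, placed_on, address, email, None)


def retention_sweep(orders, today):
    """Scheduled job: blank personal fields on orders whose deadline has passed; return their ids."""
    purged = []
    for order in orders:
        if order.retention_deadline is None or order.retention_deadline > today:
            continue
        if order.shipping_address is None and order.email is None:
            continue   # already processed on an earlier run
        order.shipping_address = None
        order.email = None
        purged.append(order.order_id)
    return purged
```

Keeping the deadline as a column, rather than deriving it at sweep time, means the job stays a single indexed query (`WHERE retention_deadline <= today`) however many events feed into the deadline.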
20. Do’s (encryption)
• Encrypt data in transit
  • between application and database
  • between application and 3rd parties
  • between application and database nodes (gossip)
  • between multiple applications / microservices
  • obviously: between user and application
  • between load balancer and application?
• Encrypt data at rest
  • LUKS or database-specific encryption
  • Encryption key: ideally on HSM / AWS KMS / …
• Encrypt backups
21. Do’s
• Implement pseudonymization
  • replace personal data with bcrypt/PBKDF?
  • don’t use real production data for staging/test
  • pseudonymize for machine learning purposes
• Protect data integrity
  • Simple solution: do nothing :) (procedures should state that integrity is guaranteed by the database via checksums)
  • Other options: checksum column per record, enforced in the application layer; audit trail; 3rd party solutions like LogSentinel
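Both halves of this slide as an added example (not code from the deck or from LogSentinel): pseudonymization with a keyed hash, and a per-record checksum column verified in the application layer. A keyed HMAC is used instead of the slide’s “bcrypt/PBKDF?” because bcrypt salts randomly, so the same email would get a different pseudonym each time and joins in a staging or training dataset would break, while an unkeyed hash lets anyone confirm a guessed address by hashing it; with the key held in the HSM/KMS from slide 20, neither problem applies. The keys, field names and sample record are constructed.

```python
import hashlib
import hmac
import json

# Added example, not code from the slides. Pseudonymization via HMAC and a per-record
# integrity MAC checked by the application. Keys, field names and records are constructed.
PSEUDONYM_KEY = b"demo-pseudonymization-key"   # placeholder; keep the real one in an HSM/KMS
INTEGRITY_KEY = b"demo-record-integrity-key"    # placeholder; separate key for a separate purpose
PERSONAL_FIELDS = {"email", "name", "phone", "address"}


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Deterministic pseudonym for one value; normalisation keeps 'A@x.com' and 'a@x.com' together."""
    normalised = str(value).strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(record, fields=PERSONAL_FIELDS):
    """Copy of a production row fit for staging/test or model training."""
    return {k: (pseudonymize(v) if k in fields and v is not None else v)
            for k, v in record.items()}


def _canonical(body):
    # Stable serialisation: same columns and values always give the same bytes to MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, key=INTEGRITY_KEY):
    """Add a `checksum` column computed over every other column of the row."""
    body = {k: v for k, v in record.items() if k != "checksum"}
    return {**body, "checksum": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_record(record, key=INTEGRITY_KEY):
    """True only if the stored checksum still matches the current column values."""
    body = {k: v for k, v in record.items() if k != "checksum"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(record.get("checksum", "")))
```

A plain (unkeyed) checksum column only detects accidental corruption; the keyed variant also detects a direct edit in the database by someone who does not hold the integrity key, which is the failure mode an audit trail is meant to expose.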
22. Do’s
• Have your GDPR register of processing activities in something other than Excel
  • Internal web app / microservice or a 3rd party service
  • Integrate with consent checkboxes and “right to access”
  • Correlate audit logs with processing activities
  • Audit log for the register itself
  • Backups, high availability
• Log access to personal data
  • Implied by the accountability principle
  • Correlate with processing activity
  • Search results / lists? Log “User X did query Y”
  • Register all API consumers (no anonymous access)
23. Data breaches
• Notify the data protection regulator
• Notify controllers (if you are a processor)
• Notify users
• Option: configure your security incident system to report to the data protection regulator
• Have proof of when the breach was discovered (timestamped emails/issues?)
• Will it help? Questionable (Dilbert comic)
24. Don’ts
• Don’t use data for purposes other than what the user has agreed to
  • Request consent via email for new purposes
  • Legitimate interests can be dynamically added
• Don’t log personal data – just the ID
  • Clean up old log files
• Don’t put in unnecessary registration fields
• Don’t assume 3rd parties are compliant
• Don’t assume having ISO XXX makes you compliant
• Don’t dump personal data on public servers/buckets :)
• …and other obvious stuff
25. Conclusion
• GDPR will require changes, but mostly ones that are:
  • Best practices
  • Useful to customers
• The majority of changes can be implemented within 2-3 sprints
• GDPR forces a better understanding of data flows
• Compliance is likely to be checklist-based
• Beware of consultants claiming GDPR will require rewriting everything and asking for a lot of money
• Regulators will need some teaching
• The spirit of the regulation: be conscious about personal data
26. Thank you
Bozhidar Bozhanov: bozhidar.bozhanov@logsentinel.com