
„GDPR and kittens“ by Kirill Linnik from MOVE Guides/DevClub Estonia at Security focused 64th
Although the new law affects everyone, it has the most influence on us, the IT crowd. Interestingly, if you look at presentations about GDPR, they are mainly produced by lawyers and other people who will not tell you what it means in practice. The reason is simple: GDPR is an 88-page document written in language that not all IT people can understand. Therefore, DevClub does it for you. This is our translation of what GDPR means for IT, how it affects our development and business in general, and how kittens are connected to all of that.

Kirill is the father of DevClub and Senior Software Architect at MOVE Guides, a global mobility management company. He acts as technical visionary, designing the future of the people-relocation solution using various technologies and stacks: AWS, GC, Kubernetes, Docker, Java, Go, .NET,…


  1. MOVEGUIDES.COM. GDPR & kittens. Kirill Linnik 4 DevClub
  2. Don’t think they are connected?
  3. What is GDPR? • Stands for Global Data Protection Regulation • Made for the EU • Affects the whole world • Replaces the old, 30-year-old regulation • Took 4 years to compile • Effective from 25.05.2018 • Game changer for the IT industry • While it can still be interpreted in so many ways…
  4. Are you ready? • Gartner says 50% won’t be GDPR compliant by the end of 2018 • According to TrustArc: • 61% have not started the process of GDPR implementation • 23% have begun implementation • 11% say implementation is “well underway” • 4% claim to be fully compliant with the GDPR
  5. GDPR in short (for users): my data? show it! fix it! transfer it! forget it!
  6. The main thing: data about you is your data and belongs to you!
  7. Consent • Your permission for data collection and processing • Should be clear and visible, with no pre-defined acceptance • One processing = one consent • Withdrawal is as easy as acceptance
  8. Why?
  9. Not all data is equal • Racial or ethnic origins • Political opinions • Religious or philosophical beliefs • Trade union membership • Uniquely identifiable genetic or biometric data • Data concerning health • Data concerning sex life or sexual orientation …is prohibited for collection and processing (unless you manifestly make it public or the State allows collecting it!)
  10. This means two things & …doesn’t seem to be legal
  11. Check the data they use! • Helps to prevent discrimination • Helps to reverse engineer the processing algorithm!
  12. Two types of data: manually inserted, which should be easily accessible for review through the user interface, and automatically collected, which should be provided on demand in a machine-readable format, free of charge! *
  13. * means “Business Idea”!
  14. OK, why do we need data fix? • It is your right to influence the result of data processing! (be sure you still provide correct data) • And don’t forget, you have the right not to be subject to a decision based solely on automated processing which produces significant legal effects, like: • Loans • E-Recruiting • Anything related to your performance at work, health, economic situation, personal preferences or interests and so on and so forth (if the State or your contract didn’t allow that in advance)
  15. Hate tracking? It should be possible to opt out!
  16. Hate this company? • Ask them to transfer your data to competitors! • Well, they can still refuse!
  17. One more try… • Ask them to forget your data!
  18. IT reality • Right to be forgotten means your data should be detached from processing (including searching and displaying) and stays immutable • It is OK to have “soft delete”/pseudonymization and restrict the data from further modification • Don’t forget to notify other third parties • Do it, if it doesn’t (significantly) affect your business!
  19. What shall I do with all of that?
  20. But should you comply at all? • “The right of protection of personal data is not an absolute right…” • “The Regulation does not apply to issues of protection of fundamental rights and freedom…” • “…such as activities concerning national security” • In other words, if the State wants data from you, forget about GDPR (at least for this dataset); you have other rules to comply with
  21. Wait a minute, you said I can ignore that… • Even if you have to comply, for an existing solution, if you can prove that making it GDPR compliant has a (significant) impact on your business, adjustments „can be postponed“ with only one exception: consent • For new solutions, GDPR compliance is „by design and by default“
  22. GDPR in short (for IT): explain; help to show data; help to fix it; export and import; forget it!
  23. A good start • Data inventory • Data processing principles
  24. Wait, they say I need an officer! • DPO = Data Protection Officer, a security and GDPR expert, reporting to the board, escalating (possible) breaches and helping to prevent them • But still not accountable (e.g. not financially responsible) for failures • You need one: • If you are a public authority (except courts) • If large-scale (or sensitive) data processing is your core business • Can be outsourced
  25. Large-scale is… …processing “a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk” …feels so precise, right?
  26. Who will be checking all of that? • The European Data Protection Board is already established • Every State should have at least one supervisory authority • No certification process is available (yet), but it „shall be voluntary and available via a process that is transparent“ • Nevertheless, fines are in place: up to 4% of annual turnover or 20m€ (whichever is bigger) *
  27. Welcome to Estonia! „…in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure <…> Therefore the competent national courts should take into account the recommendation by the supervisory authority initiating the fine.“
  28. I don’t care, my site is in Russia! • GDPR applies to any site/service able to serve EU residents • The Board/supervisory authority has the right to block/ban service providers, regions or whole countries if they won’t comply
  29. Solidarity principle: whether you are compliant or not depends on the compliance of the third parties you use (and the third parties they use (and the third parties they use (and…)))
  30. Should kittens comply? No. GDPR is only for „natural persons“ (i.e. people). It is (still) safe to use their pictures, as they have no right to be forgotten.
  31. Not all animals are equal
  32. Be like MOVE Guides: hire engineers, not kittens! As you still have to comply
  33. Thank you! It’s time for Q&A!
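The "GDPR in short (for IT)" and "IT reality" slides above describe per-purpose consent, reviewable data, machine-readable export, and a right to be forgotten implemented as pseudonymization plus a freeze on further processing and modification. The following is an added illustration of that model and is not code from the talk or from MOVE Guides; the `Subject`/`SubjectStore` classes, the split into `profile` (manually entered) and `collected` (automatically gathered) data, and the notification list of third parties are all assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
@dataclass
class Subject:
    subject_id: str
    profile: dict      # manually entered, reviewable and editable via the UI
    collected: dict    # automatically collected, exported on demand
    consents: dict = field(default_factory=dict)  # purpose -> granted?
    restricted: bool = False  # True after erasure: detached and immutable

class SubjectStore:
    # third_parties: downstream processors to notify on erasure (constructed)
    def __init__(self, third_parties):
        self.subjects = {}
        self.third_parties = list(third_parties)
        self.notifications = []  # (third_party, subject_id) pairs sent

    def set_consent(self, sid, purpose, granted):
        # one processing purpose = one consent; withdrawal is the same call
        self.subjects[sid].consents[purpose] = bool(granted)

    def may_process(self, sid, purpose):
        s = self.subjects[sid]
        return not s.restricted and s.consents.get(purpose, False)

    def search(self, key, value):
        # forgotten records are detached from search and display
        return [s.subject_id for s in self.subjects.values()
                if not s.restricted and s.profile.get(key) == value]

    def export(self, sid):
        # portability: everything held on the subject, machine-readable
        s = self.subjects[sid]
        return json.dumps({"profile": s.profile, "collected": s.collected})

    def fix(self, sid, key, value):
        s = self.subjects[sid]
        if s.restricted:
            raise PermissionError("record is frozen after erasure")
        s.profile[key] = value

    def forget(self, sid):
        # soft delete: pseudonymise, drop consents, freeze, notify processors
        s = self.subjects[sid]
        s.profile = {k: hashlib.sha256(f"{sid}:{v}".encode()).hexdigest()[:16]
                     for k, v in s.profile.items()}
        s.consents.clear()
        s.restricted = True
        self.notifications += [(tp, sid) for tp in self.third_parties]
```

After `forget`, the record still exists for audit and referential integrity, but it no longer appears in search, cannot be edited, carries no consents, and the original identifying values are gone from any export.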