The document outlines the General Data Protection Regulation (GDPR), which enforces strict rules on how businesses must handle personal data of EU data subjects, effective from May 25, 2018. It emphasizes the need for compliance to avoid substantial fines and highlights a risk-based approach to data protection that involves assessing, designing, transforming, operating, and conforming to GDPR standards. Additionally, it provides practical tips for implementing security measures and protecting privacy data.

1. GENERAL DATA PROTECTION REGULATION
A developer’s story

3. DISCLAIMER
This is not “legal advice” and all points made should be checked
with your company’s legal department or consult a legal advisor
for your specific situation!

4. GDPR
What is it?

5. GENERAL DATA PROTECTION REGULATION (GDPR)
➤ More strict modification of already existing advisories (not rules) of best practices
towards protecting privacy data in EU
➤ Become law in all 28 EU countries on May 25, 2018
➤ Impact all businesses that collect and process privacy related data of EU data
subjects (even outside of EU)

6. “GDPR is a risk based approach
-Cindy E. Compert - IBM Security

8. WHAT GDPR WANTS TO PROTECT
Religion & Beliefs
Physical Appearance
Cultural Background
Sexual Orientation
Social Status
Financial Strength Mental State
Medical Conditions
Studies & Education
Memberships
Loyalty Programs
Identity & Nationality

9. WHAT IS CONSIDERED “PRIVATE DATA”?
➤ Name, email address, home address, phone number
➤ Social security number, national identity number, passport number
➤ Medical data, social status, religion, political views, sexual orientation, nationality,
financial balance
➤ Concert tickets, travel arrangements, library cards, loyalty programs
➤ IP addresses with timestamps
➤ and much more…

10. PII
Personal Identifiable Information
Information that can identify a single individual

11. RULE OF THUMB
Any piece of information that can point to a single individual
within the EU

12. WHY CARE ABOUT
GDPR?
Why do I need to invest so much in
being ready?

13. PROTECT & SERVE
➤ Protect data of EU data subjects
➤ Secure the way you store data
➤ Audit access to data
➤ Know what data is kept in the company

14. FINES & PENALTIES
➤ up to 10 million Euro or 2% of annual
global turnover
➤ up to 20 million Euro or 4% of annual
global turnover for more severe
infringements

15. IMPROVING KNOWLEDGE
on the private data collected and processed by your company and
who had access to it.

16. SERVICE BINGO

18. IMPROVE SECURITY
GDPR is a risk based approach to protect privacy data. All
measures to ensure this protection will improve your overal
security.

19. GDPR
COMPLIANCE
The nitty-gritty

20. ASSESS

21. ASSESS AND PREPARE
➤ Assess all data across
➤ Clients
➤ Employees
➤ Suppliers
➤ Contacts
➤ Develop a GDPR readiness roadmap
➤ Identify personal data

22. LOOK OUT FOR KEY IDENTIFIERS
➤ When privacy data contains keys
➤ email address
➤ social security number
➤ national identity number
➤ …

23. DESIGN

24. DESIGN
➤ Governance (how are you going to protect the data?)
➤ Training (how are employees handling the data?)
➤ Communication (how is data communicated?)
➤ Processes (how is data processed?)

25. STANDARDS AND PROCEDURES
➤ Create a company wide standards to handle data
➤ Create procedures for
➤ Collecting data
➤ Processing data
➤ Exchanging data

26. TRANSFORM

27. AUTOMATION IS KEY
➤ Develop and implement
➤ Procedures
➤ Processes
➤ Tools
➤ Deliver GDPR training
➤ Adhere to
➤ Privacy by design
➤ Security by design

28. DATA MANAGEMENT POLICIES
➤ Data must be protected
➤ Collect the minimum amount of data
➤ Store the data safely (with encryption) and securely
➤ Anonymise the data before processing
➤ Ensure these policies are enforced

29. OPERATE

30. IN OPERATION
➤ Execute automated business processes
➤ Monitor security and privacy
➤ Manage data access and consent rights

31. RIGHT FOR DATA INSIGHT AND “BE FORGOTTEN”
➤ Data subjects
➤ Can request insight in data collected
➤ Can request to be forgotten

32. CONFORM

33. MAKE SURE YOU CONFORM TO YOUR POLICIES
➤ Assess that your procedures are implemented
➤ Monitor data access
➤ Report on data activity
➤ Audit on a regular basis the security of your data
➤ Evaluate continuously adherence to GDPR standards

34. PATH TO GDPR COMPLIANCY
ASSESS TRANSFORMDESIGN OPERATE CONFORM

35. PATH TO GDPR COMPLIANCY
ASSESS TRANSFORMDESIGN OPERATE CONFORM

36. PATH TO GDPR COMPLIANCY
ASSESS TRANSFORMDESIGN OPERATE CONFORM

37. PATH TO GDPR COMPLIANCY
ASSESS TRANSFORMDESIGN OPERATE CONFORM

38. PATH TO GDPR COMPLIANCY
ASSESS TRANSFORMDESIGN OPERATE CONFORM

39. PATH TO GDPR COMPLIANCY
ASSESS TRANSFORMDESIGN OPERATE CONFORM

40. SOME EXAMPLES
Some technical tips

41. PASSWORD MANAGEMENT
➤ Don’t store data access passwords in common repository
➤ Don’t keep passwords in environment variables*
➤ Make use of an Identity Management System to manage
➤ SSH keys
➤ API keys
➤ DSN’s
➤ Public keys
(*) Why not use environment variables: diogomonica.com

42. USE A TEAM PASSWORD
MANAGER

43. ENFORCE 2FA FOR EVERYONE!

44. AUDIT TRAILS WITH MIDDLEWARE
➤ Log access to data
➤ Automate anonymising of privacy data
➤ Automate encryption of privacy data

45. What’s wrong with this picture?

46. Why display full name details?

47. Why display email addresses?

48. Why display phone numbers?

49. REDUCE ACCESS TO DETAILS
If a user has other ways to communicate with your clients,
remove the visible display of common data elements like full
names, email and shipment addresses and phone numbers.

50. Do you see the difference?

51. Not full name display

52. Integrated communication functionality

54. SAME FUNCTIONALITY, BUT KEEPS DATA HIDDEN
➤ Prevents accidentally exposing email and phone numbers (e.g. during a call)
➤ Hides details from end-user, but functionality is still provided
➤ Sending out an email uses build-in mail client
➤ Making calls uses a phone middleware used in the company
➤ Gives clear audit trail on who accessed what

56. NOT 100% PROTECTION, BUT…
➤ We remove the personal one-on-one communication with customers
➤ We add better access management on customer communication
➤ Full audit trail now possible as communication stays in-application
➤ Less chance for data loss as contact details are kept away from users

57. …AND DON’T FORGET TO ENCRYPT YOUR STORAGE & COMMUNICATIONS!
App
Data Storage
File Storage
Log Storage
Backup Storage
Public - private key exchange| encrypted data storage

58. EMAIL MARKETING

59. CONTACT DATA
Opt-in , always

60. NOT OPT-IN
/dev/null is the place to be

61. LIMIT EXPIRATION
Don’t keep longer than needed

62. AUTOMATE IT!

63. NEXT STEPS
Get started now to be ready

64. GET STARTED NOW

65. DON’T START BLINDLY
KNOW WHAT TO PROTECT!

66. EVALUATE REGULARLY

67. GOAL: PROTECT PRIVACY

68. SOME RESOURCES
➤ European Commission: Protection of personal data
➤ EU GDPR Infograph
➤ Charting the Course to GDPR: Setting Sail
➤ Deloitte GDPR Series
➤ InfoSecurity Group GDPR Checklist
➤ Securing MongoDB
➤ Table and tablespace encryption on MariaDB 10.1

69. THE CLOCK IS TICKING…

71. Please leave feedback on joind.in to improve this talk
and grab the slides on your way out.

72. in it2PROFESSIONAL PHP SERVICES
Michelangelo van Dam
Zend Certified Engineer
contact@in2it.be - www.in2it.be - T in2itvof - F in2itvof
Microsoft Azure
Zend Framework
Consulting
Quality Assurance &
Disaster Recovery

73. JOIN THE DISCUSSION
https://in2.se/gdpr-updates