
General Data Protection Regulation, a developer's story


On May 25, 2018 all companies collecting and processing data of people from within the European Union must comply with the General Data Protection Regulation (GDPR). In this talk we'll cover what the GDPR is and how it will impact businesses within the EU and abroad, what can be done to comply with this regulation, and how to proceed from there.

This talk will not give you legal answers, but it will give you technology solutions that will make your applications compliant with these regulations. Even if you're not processing data from the EU, these solutions will offer better protection for the data you currently keep and will ensure that, in the case of a breach, the impact is minimal.

Published in: Engineering


  1. GENERAL DATA PROTECTION REGULATION: A developer’s story
  2. DISCLAIMER: This is not “legal advice”; all points made should be checked with your company’s legal department, or consult a legal advisor for your specific situation!
  3. GDPR: What is it?
  4. GENERAL DATA PROTECTION REGULATION (GDPR) ➤ A stricter modification of already existing advisories (not rules) of best practices towards protecting privacy data in the EU ➤ Becomes law in all 28 EU countries on May 25, 2018 ➤ Impacts all businesses that collect and process privacy-related data of EU data subjects (even outside of the EU)
  5. “GDPR is a risk based approach” - Cindy E. Compert, IBM Security
  6. WHAT GDPR WANTS TO PROTECT: Religion & Beliefs, Physical Appearance, Cultural Background, Sexual Orientation, Social Status, Financial Strength, Mental State, Medical Conditions, Studies & Education, Memberships, Loyalty Programs, Identity & Nationality
  7. WHAT IS CONSIDERED “PRIVATE DATA”? ➤ Name, email address, home address, phone number ➤ Social security number, national identity number, passport number ➤ Medical data, social status, religion, political views, sexual orientation, nationality, financial balance ➤ Concert tickets, travel arrangements, library cards, loyalty programs ➤ IP addresses with timestamps ➤ and much more…
  8. PII: Personally Identifiable Information, i.e. information that can identify a single individual
  9. RULE OF THUMB: Any piece of information that can point to a single individual within the EU
  10. WHY CARE ABOUT GDPR? Why do I need to invest so much in being ready?
  11. PROTECT & SERVE ➤ Protect data of EU data subjects ➤ Secure the way you store data ➤ Audit access to data ➤ Know what data is kept in the company
  12. FINES & PENALTIES ➤ up to 10 million Euro or 2% of annual global turnover ➤ up to 20 million Euro or 4% of annual global turnover for more severe infringements
  13. IMPROVING KNOWLEDGE of the private data collected and processed by your company and who had access to it.
  14. SERVICE BINGO
  15. IMPROVE SECURITY: GDPR is a risk-based approach to protecting privacy data. All measures taken to ensure this protection will improve your overall security.
  16. GDPR COMPLIANCE: The nitty-gritty
  17. ASSESS
  18. ASSESS AND PREPARE ➤ Assess all data across ➤ Clients ➤ Employees ➤ Suppliers ➤ Contacts ➤ Develop a GDPR readiness roadmap ➤ Identify personal data
  19. LOOK OUT FOR KEY IDENTIFIERS ➤ When privacy data contains keys ➤ email address ➤ social security number ➤ national identity number ➤ …
  20. DESIGN
  21. DESIGN ➤ Governance (how are you going to protect the data?) ➤ Training (how are employees handling the data?) ➤ Communication (how is data communicated?) ➤ Processes (how is data processed?)
  22. STANDARDS AND PROCEDURES ➤ Create company-wide standards to handle data ➤ Create procedures for ➤ Collecting data ➤ Processing data ➤ Exchanging data
  23. TRANSFORM
  24. AUTOMATION IS KEY ➤ Develop and implement ➤ Procedures ➤ Processes ➤ Tools ➤ Deliver GDPR training ➤ Adhere to ➤ Privacy by design ➤ Security by design
  25. DATA MANAGEMENT POLICIES ➤ Data must be protected ➤ Collect the minimum amount of data ➤ Store the data safely (with encryption) and securely ➤ Anonymise the data before processing ➤ Ensure these policies are enforced
  26. OPERATE
  27. IN OPERATION ➤ Execute automated business processes ➤ Monitor security and privacy ➤ Manage data access and consent rights
  28. RIGHT TO DATA INSIGHT AND TO “BE FORGOTTEN” ➤ Data subjects ➤ Can request insight into the data collected ➤ Can request to be forgotten
  29. CONFORM
  30. MAKE SURE YOU CONFORM TO YOUR POLICIES ➤ Assess that your procedures are implemented ➤ Monitor data access ➤ Report on data activity ➤ Audit the security of your data on a regular basis ➤ Continuously evaluate adherence to GDPR standards
  31–36. PATH TO GDPR COMPLIANCY: ASSESS, DESIGN, TRANSFORM, OPERATE, CONFORM
  37. SOME EXAMPLES: Some technical tips
  38. PASSWORD MANAGEMENT ➤ Don’t store data access passwords in a common repository ➤ Don’t keep passwords in environment variables* ➤ Make use of an Identity Management System to manage ➤ SSH keys ➤ API keys ➤ DSNs ➤ Public keys (*) Why not use environment variables: diogomonica.com
  39. USE A TEAM PASSWORD MANAGER
  40. ENFORCE 2FA FOR EVERYONE!
  41. AUDIT TRAILS WITH MIDDLEWARE ➤ Log access to data ➤ Automate anonymising of privacy data ➤ Automate encryption of privacy data
  42. What’s wrong with this picture?
  43. Why display full name details?
  44. Why display email addresses?
  45. Why display phone numbers?
  46. REDUCE ACCESS TO DETAILS: If a user has other ways to communicate with your clients, remove the visible display of common data elements like full names, email and shipment addresses, and phone numbers.
  47. Do you see the difference?
  48. No full name display
  49. Integrated communication functionality
  50. SAME FUNCTIONALITY, BUT KEEPS DATA HIDDEN ➤ Prevents accidentally exposing email addresses and phone numbers (e.g. during a call) ➤ Hides details from the end user, but functionality is still provided ➤ Sending out an email uses the built-in mail client ➤ Making calls uses the phone middleware used in the company ➤ Gives a clear audit trail on who accessed what
  51. NOT 100% PROTECTION, BUT… ➤ We remove the personal one-on-one communication with customers ➤ We add better access management on customer communication ➤ A full audit trail is now possible as communication stays in-application ➤ Less chance of data loss as contact details are kept away from users
  52. …AND DON’T FORGET TO ENCRYPT YOUR STORAGE & COMMUNICATIONS! App Data Storage, File Storage, Log Storage, Backup Storage: public-private key exchange, encrypted data storage
  53. EMAIL MARKETING
  54. CONTACT DATA: Opt-in, always
  55. NOT OPT-IN: /dev/null is the place to be
  56. LIMIT EXPIRATION: Don’t keep longer than needed
  57. AUTOMATE IT!
  58. NEXT STEPS: Get started now to be ready
  59. GET STARTED NOW
  60. DON’T START BLINDLY: KNOW WHAT TO PROTECT!
  61. EVALUATE REGULARLY
  62. GOAL: PROTECT PRIVACY
  63. SOME RESOURCES ➤ European Commission: Protection of personal data ➤ EU GDPR Infograph ➤ Charting the Course to GDPR: Setting Sail ➤ Deloitte GDPR Series ➤ InfoSecurity Group GDPR Checklist ➤ Securing MongoDB ➤ Table and tablespace encryption on MariaDB 10.1
  64. THE CLOCK IS TICKING…
  65. Please leave feedback on joind.in to improve this talk and grab the slides on your way out.
  66. in2it PROFESSIONAL PHP SERVICES: Michelangelo van Dam, Zend Certified Engineer, contact@in2it.be - www.in2it.be - T in2itvof - F in2itvof. Microsoft Azure, Zend Framework, Consulting, Quality Assurance & Disaster Recovery
  67. JOIN THE DISCUSSION https://in2.se/gdpr-updates
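Slides 41, 46 and 50 describe the pattern: mask direct identifiers in the UI, keep email and calls in-application, and log who accessed what. The following Python is an added example of that pattern, not code from the talk or from in2it; the customer record, the field names, the masking rules and the in-memory audit list are all constructed for the demo, and the hand-off to a real mailer is only indicated by a comment.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample record for the demo; not real data.
CUSTOMER = {"id": 42, "full_name": "Jane Example",
            "email": "jane.example@example.org", "phone": "+32470000000", "city": "Ghent"}

AUDIT_TRAIL = []  # in production: an append-only, access-controlled log store

def mask_name(full_name):
    """'Jane Example' -> 'Jane E.': usable in a support UI, no longer a full identifier."""
    parts = full_name.split()
    return parts[0] if len(parts) == 1 else f"{parts[0]} {parts[-1][0]}."

def mask_email(email):
    """'jane.example@example.org' -> 'j***@example.org'."""
    local, _, domain = email.partition("@")
    return f"{local[0]}***@{domain}"

def mask_phone(phone):
    """Keep only the last two digits; every other character becomes '*'."""
    return "*" * (len(phone) - 2) + phone[-2:]

def record_access(actor, customer_id, fields, purpose):
    """Audit entry: who touched which fields of which record, and why."""
    entry = {"at": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "customer_id": customer_id, "fields": sorted(fields), "purpose": purpose}
    AUDIT_TRAIL.append(entry)
    return entry

def customer_view(record, actor, purpose="support-ui"):
    """Display-safe copy: direct identifiers masked, and the read itself is audited."""
    view = dict(record)
    view["full_name"] = mask_name(record["full_name"])
    view["email"] = mask_email(record["email"])
    view["phone"] = mask_phone(record["phone"])
    record_access(actor, record["id"], ("full_name", "email", "phone"), purpose)
    return view

def send_email(record, actor, subject):
    """Integrated mail: the real address would be handed to the company mailer here
    and is logged only as a hash, so the agent never sees it but the action stays
    attributable to them."""
    record_access(actor, record["id"], ("email",), f"mail:{subject}")
    recipient_ref = hashlib.sha256(record["email"].lower().encode()).hexdigest()[:16]
    return {"to_ref": recipient_ref, "subject": subject, "sent_by": actor}
```

The same masking and audit hooks belong in the layer every UI and export goes through (the "middleware" of slide 41), so that no code path can read a raw identifier without leaving an audit entry.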
