QA Fest 2017. Per Thorsheim. GDPR - An overview and its relevance for QA

This talk gives a quick overview of the General Data Protection Regulation (GDPR), which comes into force across Europe on May 25, 2018. It focuses primarily on the parts that matter most to people working in testing and quality assurance. Organisations outside the EU will also be heavily affected, because European organisations will require "GDPR compliance" from their service providers regardless of location.
  1. GDPR: An overview and its relevance for QA. Per Thorsheim, Twitter: @thorsheim, +47 90 99 92 59 (Signal|Wire|Whatsapp)
  2. General Data Protection Regulation (GDPR)
     • Becomes law in all of the EU on May 25, 2018
     • Replaces many individual laws in every EU country
     • Individual countries may add specific additions or exceptions
     • GDPR IS APPLICABLE TO ANY BUSINESS WORLDWIDE WORKING WITH PERSONAL DATA FOR ANY EU CITIZEN IN ANY EU COUNTRY
  3. Data subject's rights
     • The need for the individual's clear consent to the processing of personal data
     • Easier access by the subject to his or her personal data
     • The rights to rectification, to erasure and 'to be forgotten'
     • The right to object, including to the use of personal data for the purposes of 'profiling'
     • The right to data portability from one service provider to another
  4. GDPR maximum penalty: 20M € or 4% of global annual turnover
  5. Privacy by Design
     • Your right to privacy
     • Built-in privacy
     • Privacy by default
     • Transparency
     • Executive management support
  6. Training
     • The need for privacy
     • Internal & external requirements
     • Organisation & responsibilities
     • Governance, regulatory requirements, standards, procedures
     • Methodology for development etc.
     • Tools, standards, best practices
     • OWASP
     • Microsoft SDL
  7. Requirements
     • Privacy & security
     • User & ownership of information
     • Processor of information, recipients of information
     • Collection & processing of information must be necessary
     • Collection, storing, processing, display, communicating & deletion
     • Encryption & access control
     • Risk analysis
     • Consequences for privacy
  8. Design
     • Data-oriented design:
       • Limit the amount of information collected
       • Hide connections between data (pseudonymisation, encryption)
       • Data separation
       • Aggregate data: remove details about data subjects
       • Privacy by default
     • Process-oriented design:
       • Information to the user
       • User has access to control personal information
       • Enforcement of privacy; responsibilities and processes
       • Vulnerability minimization & threat modeling
  9. Coding
     • Generally accepted tools & frameworks
     • Control of APIs, third-party libraries etc.
     • Static code analysis (secure coding principles)
     • Source code review
  10. Testing
     • Checklist from the design phase should be verified
     • Security testing (vulnerability scans)
     • Dynamic testing (user access, security errors)
     • Fuzzing
     • Penetration testing / vulnerability analysis
     • Threat model analysis / attack surface review
  11. Release to production
     • Incident handling procedures
       • Internal
       • External
     • Governance reporting
     • Customer reporting
     • Document review of previous steps for consistency & completeness
     • Head of security/privacy gives final approval before push to production
  12. Maintenance
     • Incident management & error handling
     • Operations, maintenance & development of software
  13. I am not going to waste any more of your time, but the potential of additional user damages due to «Impact Team» being provoked by the slow legal process etc. may keep the story in the media. Tell the audience and others and warn them about the psychological hell a little bit of rashness online can lead to. I am almost a completely broken man, and I don't know if I will ever be able to stand up again. And I had a life full of great qualities. Not as whining, but as a «matter of fact» and a strong warning.
  14. per@thorsheim.net +47 90 99 92 59 (Signal|Wire|Whatsapp) @thorsheim
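The "Design" slide lists three data-oriented techniques that QA teams meet when they prepare test data from production-like records: minimisation (collect and keep only the fields the purpose needs), hiding the link between a record and the person (pseudonymisation), and aggregation (reporting counts rather than individuals). The following Python example is added here to illustrate those three steps together; it is not code from the talk or from the speaker. The records, the key and the field names are constructed for the example, and the `k_threshold` suppression of small groups is an added generalisation beyond the slide's wording.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: no real people, just the shape a QA export might have.
RECORDS = [
    {"email": "alice@example.com", "country": "NO", "plan": "pro", "age": 34},
    {"email": "bob@example.com", "country": "DE", "plan": "free", "age": 29},
    {"email": "Alice@Example.com", "country": "NO", "plan": "pro", "age": 34},
    {"email": "carol@example.com", "country": "DE", "plan": "pro", "age": 41},
]

# Hypothetical pseudonymisation key. In a real deployment it lives apart from the
# data set (e.g. in a KMS) so that the data alone cannot be linked back to a person.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash of an identifier: same input gives the same token (so tests can
    still follow one subject across records), but without the key there is no
    practical way back to the e-mail address, unlike a plain unkeyed hash."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def minimize(record: dict, keep: tuple) -> dict:
    """Data minimisation: keep only the fields the purpose actually requires."""
    return {k: record[k] for k in keep if k in record}


def pseudonymize_records(records, key, keep=("country", "plan")):
    """Replace the direct identifier with a pseudonym and drop everything else
    that is not in `keep` (here the age is dropped as well)."""
    out = []
    for r in records:
        row = minimize(r, keep)
        row["subject"] = pseudonymize(r["email"], key)
        out.append(row)
    return out


def age_band(age: int) -> str:
    """Coarsen an exact age into a ten-year band, e.g. 34 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def aggregate(records, k_threshold=2):
    """Aggregation: counts per (country, age band), with groups smaller than
    `k_threshold` suppressed so that a count of 1 cannot single out a person."""
    counts = Counter((r["country"], age_band(r["age"])) for r in records)
    return {f"{country}/{band}": n
            for (country, band), n in counts.items() if n >= k_threshold}


if __name__ == "__main__":
    for row in pseudonymize_records(RECORDS, PSEUDONYM_KEY):
        print(row)
    print(aggregate(RECORDS))
```

Note that the same person appears twice with differently cased e-mail addresses and still receives one pseudonym, which is what makes the pseudonymised set usable for functional testing; the aggregate output keeps only the group that contains at least two subjects.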