
QA Fest 2017. Per Thorsheim. GDPR - An overview and its relevance for QA


This talk gives a quick overview of the General Data Protection Regulation (GDPR), which becomes law in Europe on May 25, 2018. It focuses primarily on the parts that matter most for people working in testing and quality assurance. Organisations outside the EU will also be heavily affected, because European organisations will require "GDPR compliance" from their service providers regardless of where those providers are located.



  1. GDPR - An overview and its relevance for QA
     Per Thorsheim
     Twitter: @thorsheim
     +47 90 99 92 59 (Signal|Wire|Whatsapp)
  2. General Data Protection Regulation (GDPR)
     • Becomes law in all of EU on May 25, 2018
     • Replaces lots of individual laws in every EU country
     • Individual countries may add specific additions or exceptions
     • GDPR IS APPLICABLE TO ANY BUSINESS WORLDWIDE WORKING WITH PERSONAL DATA FOR ANY EU CITIZEN IN ANY EU COUNTRY
  3. Data subject's rights
     • the need for the individual's clear consent to the processing of personal data
     • easier access by the subject to his or her personal data
     • the rights to rectification, to erasure and 'to be forgotten'
     • the right to object, including to the use of personal data for the purposes of 'profiling'
     • the right to data portability from one service provider to another
  4. GDPR maximum penalty: 20M € or 4% of global annual turnover
  5. Privacy by Design
     • Your right to privacy
     • Built-in privacy
     • Privacy by default
     • Transparency
     • Executive management support
  6. Training
     • The need for privacy
     • Internal & external requirements
     • Organisation & responsibilities
     • Governance, regulatory requirements, standards, procedures
     • Methodology for development etc.
     • Tools, standards, best practices
     • OWASP
     • Microsoft SDL
  7. Requirements
     • Privacy & security
     • User & ownership of information
     • Processor of information, recipients of information
     • Collection & processing of information must be necessary
     • Collection, storing, processing, display, communicating & deletion
     • Encryption & access control
     • Risk analysis
     • Consequences for privacy
  8. Design
     • Data oriented design:
       • Limit amount of information collected
       • Hide connections between data (pseudo-anonymization, encryption)
       • Data separation
       • Aggregate data – remove details about data subjects
       • Privacy by default
     • Process oriented design:
       • Information to the user
       • User has access to control personal information
       • Enforcement of privacy; responsibilities and processes
       • Vulnerability minimization & threat modeling
  9. Coding
     • Generally accepted tools & frameworks
     • Control of APIs, third-party libraries etc.
     • Static code analysis (secure coding principles)
     • Source code review
  10. Testing
     • Checklist from design phase should be verified
     • Security testing (vulnerability scans)
     • Dynamic testing (user access, security errors)
     • Fuzzing
     • Penetration testing / vulnerability analysis
     • Threat model analysis / attack surface review
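As an added example, not taken from the talk, the following Python shows the data-oriented design items from the Design slide (pseudonymization with a separately held key, data minimisation, aggregation) together with the Testing slide's point that the design-phase checklist is something QA can verify: a check that no direct identifier survives in the pseudonymised dataset. The records and the key are constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample records (fictional people), standing in for a customer table.
RAW_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.com", "country": "NO", "age": 34, "orders": 3},
    {"name": "Bo Sample", "email": "bo@example.org", "country": "NO", "age": 51, "orders": 1},
    {"name": "Cleo Test", "email": "cleo@example.net", "country": "DE", "age": 28, "orders": 7},
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonymize(records, key, keep_fields):
    """Replace the direct identifier with a keyed pseudonym and drop every other field.

    HMAC-SHA256 over the normalised e-mail gives a stable pseudonym, so one person's
    records can still be joined inside the dataset, but re-identification needs the key,
    which is held separately from the data (data separation). keep_fields is the
    minimisation step: only what the processing needs survives.
    """
    out = []
    for r in records:
        ident = r["email"].strip().lower().encode()
        pid = hmac.new(key, ident, hashlib.sha256).hexdigest()
        out.append({"pseudonym": pid, **{f: r[f] for f in keep_fields}})
    return out


def aggregate_by_country(records):
    """Aggregation: per-country counts carry no detail about individual data subjects."""
    return dict(Counter(r["country"] for r in records))


def direct_identifiers_present(records, raw_records):
    """QA check for the design-phase checklist: does any e-mail address, or a name
    from the source data, survive in the pseudonymised output?"""
    names = {r["name"] for r in raw_records}
    for r in records:
        for value in r.values():
            if isinstance(value, str) and (EMAIL_RE.search(value) or value in names):
                return True
    return False


# Constructed key; in practice it lives in a secret store the test environment cannot read.
DEMO_KEY = b"demo-key-kept-outside-the-dataset"
PSEUDO_RECORDS = pseudonymize(RAW_RECORDS, DEMO_KEY, ["country", "age"])
```

Running the same check against the raw table makes it fail, which is how the test proves it actually detects leakage rather than passing vacuously.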
  11. Release to production
     • Incident handling procedures
       • Internal
       • External
     • Governance reporting
     • Customer reporting
     • Doc review of previous steps for consistency & completeness
     • Head of security/privacy final approval before push to production
  12. Maintenance
     • Incident management & error handling
     • Operations, maintenance & development of software
  13. I am not going to waste any more of your time, but the potential of additional user damages due to «Impact Team» being provoked by the slow legal process etc. may keep the story in the media. Tell the audience and others and warn them about the psychological hell a little bit of rashness online can lead to. I am almost a completely broken man, and I don't know if I will ever be able to stand up again. And I had a life full of great qualities. Not as whining, but as a «matter of fact» and a strong warning.
  14. per@thorsheim.net
     +47 90 99 92 59 (Signal|Wire|Whatsapp)
     @thorsheim
