The GDPR document outlines new data protection laws that will take effect in the European Union on May 25th, 2018. The key points are: 1) The GDPR aims to give citizens control over their personal data and simplify rules for businesses. 2) It establishes clear principles for data handling including lawfulness, transparency, storage limitation, and accountability. 3) Individuals are given new rights regarding their data, such as access, rectification, erasure, and objection to processing. 4) Businesses must comply with the single set of rules to reduce costs and protect EU citizen data.

1. General Data Protection Regulation
(GDPR)
Version: 1.0
27th March, 2018
A. R. W. M. M. D. Rohana Kumara
MBA (Aus), B.Sc CIS (SUSL), MBCS (UK), PMP (Reading)

2. GDPR – General Data Protection Regulation
Effective Date – 25th May 2018
Effective Countries – European Union and IT service provides to EU companies
Reason – Protect user data from Hackers and third party individuals and organizations.
EU Data Protection Reform in 2012 to make
Europe fit for the digital age (IP/12/46)
The Reform consists of two instruments:
● The General Data Protection Regulation will enable people to better control their personal data.
At the same time modernised and unified rules will allow businesses to make the most of the
opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced
consumer trust.
● The Data Protection Directive for the police and criminal justice sector will ensure that the data of
victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal
investigation or a law enforcement action. At the same time more harmonised laws will also
facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more
effectively across Europe.
A fundamental right for citizens
The reform will allow people to regain control of their personal data. Two-thirds of Europeans
(67%), according to a recent Eurobarometer survey, stated they are concerned about not having
complete control over the information they provide online.
The new rules address these concerns by strengthening the existing rights and empowering
individuals with more control over their personal data. Most notably, these include:
● Easier access to your own data: individuals will have more information on how their data is
processed and this information should be available in a clear and understandable way;
● A right to data portability: it will be easier to transfer your personal data between service
providers;

3. ● A clarified "right to be forgotten": when you no longer want your data to be processed, and
provided that there are no legitimate grounds for retaining it, the data will be deleted;
● the right to know when your data has been hacked: For example, companies and organisations
must notify the national supervisory authority of serious data breaches as soon as possible so that
users can take appropriate measures.
Clear modern rules for businesses
In today's digital economy, personal data has acquired enormous economic significance, in particular
in the area of big data. By unifying Europe's rules on data protection, lawmakers are creating a
business opportunity and encouraging innovation.
● One continent, one law: The regulation will establish one single set of rules which will make it
simpler and cheaper for companies to do business in the EU.
● One-stop-shop: businesses will only have to deal with one single supervisory authority. This is
estimated to save €2.3 billion per year.
● European rules on European soil– companies based outside of Europe will have to apply the
same rules when offering services in the EU.
● Risk-based approach: the rules will avoid a burdensome one-size-fits-all obligation and rather
tailor them to the respective risks.
● Rules fit for innovation: the regulation will guarantee that data protection safeguards are built into
products and services from the earliest stage of development (Data protection by design). Privacy-
friendly techniques such as pseudonymisation will be encouraged, to reap the benefits of big data
innovation while protecting privacy.
GDPR Principles
The GDPR establishes a number of principles that underpin the legislation and are outlined using
the following terms
1. Lawfulness, fairness and transparency – keep it legal and fair; say what you’re going to do with
the data in clear terms
2. Purpose limitation – don’t do more with the data than you said you would
3. Data minimisation – don’t collect more data than you need
4. Accuracy – keep it up to date and deal with inaccuracies as soon as possible
5. Storage limitation – don’t keep the data for longer than necessary
6. Integrity and confidentiality – keep the data safe while you have them
7. Accountability – be able to show that you’re complying with the principles above

4. Rights of the data subject
The GDPR establishes a set of rights that the data subject can exercise and which the controller
holding their personal data must react and respond to, generally within a month.
1. The right to be informed being told what data will be collected, why, by whom, for what purpose
and where the data will go
2. The right of access being able to see personal data that are being held about the data subject
3. The right to rectification getting the data corrected if they are wrong or inaccurate 4. The right to
erasure having personal data removed when they are no longer necessary
5. The right to restrict processing pausing the processing of the data if there are grounds to do so
6. The right to data portability obtaining the data in a transportable form and moving it to an
alternative processor
7. The right to object stopping the data from being processed
8. Automated decision making and profiling having a human involved in important decisions
18 steps to developing GDPR - compliant
apps
1. Determine whether the app really needs all the requested personal data
- Consent document to capture document (referring to point 11) from the client
- Consent from the end user for gathering their personal info
2. Encrypt all personal data and inform users about it
- Vendor has to encrypt all the data, but it is based on the business requirement and if
some search function (through SSN or name) is there then we won’t be able to implement
3. Think OAUTH for data portability
- Vendor could possible to do but depending on the single sign in requirements of the other
systems.
4. Enforce secure communications through HTTPS
- Vendor network communication should happens through HTTPS
5. Inform users about and encrypt personal data from ‘contact us' forms
- Vendor has to practice, but differ based on the client requirement.
6. Make sure sessions and cookies expire and are destroyed after logout
- Vendor has to practice, but differ based on the client requirement.
7. Do not track user activity for business intelligence

5. - Vendor should not track any user activity unless client requested to do so with the client
consent.
8. Tell users about logs that save location or IP addresses
- Vendor supposed to save IP and location, vendor has to inform the client and get the
client consent.
9. Store logs in a safe place, preferably encrypted
- In development vendor should ensure PII will not include in the logs.
10. Security questions should not turn on users' personal data
- Only through email address to recover the user account no PII needed for this
11. Create clear terms and conditions and make sure users read them
- Vendor should Implement
12. Inform users about any data sharing with third parties
- Client has to request (in written) from the development team to share PII with third parties
13. Create clear policies for data breaches
- Vendor has to encrypting data on transit and data at rest (stored data).
14. Delete data of users who cancel their service
- This could possible for the vendor, but with certain limitations (data backups won’t be able
to delete) this has to request by client from the vendor to proceed with.
15. Patch web vulnerabilities
Vendor has to practice
16. Implementation of firewalls
- Vendor has to use GDPR certified software and hardware tools
17. Log monitoring
- Vendor has to use GDPR certified software and hardware tools
18. IP monitoring
- Vendor should not be gathering IP data related with end user personal information