1. Prep Your App For GDPR Compliance
Asanka Nissanka
VP Technology at ShoutOUT Labs
AWS Certified Solutions Architect
2. Disclaimer
● The suggestions/approaches/implementations in this presentation are
subject to change as the court hearings on related cases continue.
● The information in this presentation is totally my interpretation of the
GDPR and contains no legal advice whatsoever
3. Agenda
1. Who is affected
2. Terminology
3. Key Principles
4. Natural Person
5. Organization
6. Case Study
4. Who is affected?
Applies to people and organisations handling EU citizens' personal data
Does not apply to certain activities including processing covered by the Law
Enforcement Directive, processing for national security purposes and processing
carried out by individuals purely for personal/household activities
5. Terminology
Supervisory Authority
An agency in each member state that could bring cases before the courts, or specify enforcement or remedial action in the
event an organisation acts outside of GDPR
Data Controller
The person who is responsible for how data is processed by an organisation
Data Processor
A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the
controller
ICO
Information Commissioner’s Office
6. Key Principles
Should lie at the heart of your approach to processing personal data
IMPORTANT: Failure to comply with the principles may leave you open to a fine of up to €20 million, or 4% of your total
worldwide annual turnover, whichever is higher
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability
7. Lawfulness, fairness and transparency
● Identify valid grounds for collecting and using personal data
● Ensure you do nothing with the data that breaches any other laws
● Use personal data in a reasonable way
● Be clear, open and honest on how you will use the personal data
8. Purpose limitation
● Be clear about the purposes for processing data
● Record the purposes of processing as a part of the documentation
● Data can only be used for a new purpose if it is compatible with the original purpose
9. Data minimisation
● Adequate - sufficient to properly fulfill the stated purpose
○ Share pseudonymised data with third parties where necessary
● Relevant - has a rational link to the purpose
● Limited to what is necessary - don’t hold on to more than you need
11. Storage limitation
● Must not keep personal data for longer than you need it
● Justify how long you keep personal data
● State the retention period in your policies
● Periodically review to erase or anonymise data no longer needed
12. Integrity and confidentiality
● Provide appropriate measures and records to demonstrate compliance
● Take responsibility for what you do with personal data
13. Natural Person
Legal bases for processing data
● Performance of a contract
● Legal obligation
● Performance of a task in the public interest
● Consent
● Legitimate interest
● Protect the vital interests of an individual
15. Consent
Collection
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed
and unambiguous indication of the data subject’s agreement to the processing of personal data
relating to him or her.”
Withdrawal
A data subject must be able to withdraw consent as easily as they gave it
16. Consent - Implementation
1. Banner on the web site to collect cookie consent
2. Using checkboxes (unchecked by default) during signup
3. Attach consent as a requirement to the main action
4. Using checkboxes in the user account (profile) page to update the notification/news
preferences
5. Include a link to unsubscribe in the emails
6. Double opt-in using a confirmation link sent via email
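A minimal way to implement steps 2 and 6 above (an unchecked checkbox followed by a confirmation link) together with the withdrawal requirement, as an added example that is not part of the original deck or ShoutOUT's code. The ledger, record fields and function names are assumptions; a real service would persist the records and send the confirmation email.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
# Constructed in-memory consent ledger: one record per (subject, purpose) that
# shows what was agreed, when it was confirmed and when it was withdrawn.
@dataclass
class ConsentRecord:
    purpose: str                 # e.g. "news_updates"; one record per purpose
    source: str                  # where the opt-in happened (signup form, profile page)
    requested_at: datetime
    confirmed_at: Optional[datetime] = None   # set only when the emailed link is used
    withdrawn_at: Optional[datetime] = None
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

class ConsentLedger:
    def __init__(self):
        self._records = {}    # (email, purpose) -> ConsentRecord
        self._by_token = {}   # pending confirmation token -> (email, purpose)

    def request(self, email, purpose, source):
        """Step 1 of double opt-in: the unchecked box was ticked; store a pending record."""
        old = self._records.get((email, purpose))
        if old is not None:                       # a re-request invalidates the old link
            self._by_token.pop(old.token, None)
        rec = ConsentRecord(purpose, source, datetime.now(timezone.utc))
        self._records[(email, purpose)] = rec
        self._by_token[rec.token] = (email, purpose)
        return rec.token                          # goes into the confirmation email

    def confirm(self, token):
        """Step 2: the subject followed the link. Tokens are single use."""
        key = self._by_token.pop(token, None)
        if key is None:
            return False
        self._records[key].confirmed_at = datetime.now(timezone.utc)
        return True

    def withdraw(self, email, purpose):
        """Withdrawal must be as easy as giving consent: one call, no token."""
        rec = self._records.get((email, purpose))
        if rec is None or rec.confirmed_at is None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def is_active(self, email, purpose):
        # Only confirmed, not-withdrawn consent permits processing for that purpose.
        rec = self._records.get((email, purpose))
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
```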
17. Rights of Natural Person
1. The right of access
2. The right to rectification
3. The right to erasure
4. The right to restrict processing
5. Rights concerning automated processing and profiling
6. The right to data portability
7. The right to object
8. The right to be informed
18. Right to 1. Access, 2. Rectification, 3. Erasure and 6. Data portability
Making the request
● Sending an email to the DPO
● Application features to view, update and export user data
○ User profile with edit, export and account delete options
Processing the requests
● Update related records in the databases and/or storage
● Delete related records from the databases and all storage (including backups)
● Export the user's personal data to a readable format (download as CSV files)
● Anonymise related data (pseudonymisation doesn't count) (Ex:- replace personal data with random data)
● Manually, by recording the request in a task management tool (Ex:- Trello, Asana, JIRA etc.) and involving a human to perform the
action
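An added example (not the deck's or ShoutOUT's code) of the export and anonymise steps above on a constructed user record: the personal-data fields are overwritten with random values rather than pseudonymised, and a final check confirms that none of the original values survive before the request is closed. The field names and record layout are assumptions.

```python
import csv
import io
import secrets
import string

# Fields in the constructed user record that identify a living person. Everything
# else (internal id, plan) is kept so related rows and reports stay consistent.
PII_FIELDS = ("name", "email", "phone")

def export_csv(user):
    """Right of access / portability: return the subject's record as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(user.keys()))
    writer.writeheader()
    writer.writerow(user)
    return buf.getvalue()

def _random_string(n):
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))

def anonymise(user):
    """Right to erasure where the row itself must survive (billing history,
    audit trail): overwrite every PII field with random data. No mapping back is
    kept anywhere, which is what makes this anonymisation, not pseudonymisation."""
    out = dict(user)
    for f in PII_FIELDS:
        if f not in out:
            continue
        if f == "email":
            # .invalid is reserved (RFC 2606), so the value can never reach a real mailbox
            out[f] = _random_string(12) + "@anonymised.invalid"
        else:
            out[f] = _random_string(12)
    out["anonymised"] = True
    return out

def pii_leaked(original, anonymised):
    """Verification step before closing the request: names any PII field whose
    original value still appears anywhere in the anonymised record."""
    leaked = []
    for f in PII_FIELDS:
        value = str(original.get(f, "")).strip().lower()
        if value and any(value in str(v).lower() for v in anonymised.values()):
            leaked.append(f)
    return leaked
```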
19. Right to 4. Restrict processing, 5. Concerning automated profiling, 7. Object
Making the request
● Sending an email to the DPO
● Application feature to update the user preferences for processing
○ Using checkboxes in a profile page to update the preferences
Processing the request
● Keep a record to skip/avoid processing of data (If the type of your processing permits)
● Involve a human instead of automated processes to profile
20. 8. Right to be informed
On a data breach
● Report to the Supervisory Authority and the Data Subject
● Report within 72 hours after the discovery of the incident
Notification must include
● Description of the personal data breach (kind of data, number of data subjects and records affected)
● Name and contact details of the Data Protection Officer
● Potential and likely consequences of the breach
● Measures to address the breach and measures to mitigate future incidents
Implementation
● Using a CRM tool to send an announcement to the users via email (Ex:- ShoutOUT, Intercom, HubSpot)
● Using a Pub/Sub service (Ex:- AWS SNS, PubNub, OneSignal, Firebase Cloud Messaging)
21. Organization
● Is responsible for upholding, and being able to demonstrate compliance with, the
principles
● Raise awareness within the organization
● Have a clear understanding on where the data is collected and where it flows (Data Lifecycle)
● GDPR does not make specific law around cyber security, but it does require that data be
handled securely and gives some broad requirements on what that means
22. Accountability and Governance
● Contracts with data processors
○ Inform controller when adding new sub processors
● Documentation about processing activities
○ Privacy policy, Terms of Use
○ Internal technical documentation - provide it when supervisory authorities request it
■ Wiki pages
● Data protection by design and default
○ Store passwords with strong encryption
● Data protection impact assessments (DPIA)
○ Use risk assessment tools
● Data protection officers (DPO)
○ Should be easily reachable
● Codes of conduct and certification
23. Data Protection by Design and Default
● Legal requirement
● Apply appropriate technical and organisational measures to implement the data protection
principles and safeguard individual rights
How to Practice
● Isolate infrastructure (Virtual Private Cloud)
● Encrypt data in transit (Use SSL/TLS)
● Encrypt data at rest
○ AWS S3 server side encryption
○ MongoDB encrypted storage engine
24. Data Protection by Design and Default Ctd.
● Automatically delete temporary data on intermediate storages
○ Expiration rules (AWS S3 object lifecycle rules)
● Use firewalls
○ Web application firewall (AWS WAF)
○ DDoS attack protection (AWS Shield)
● Connect distant resources using secure connections
○ Private links (VPN, VPC peering connections)
○ IP based access control
● Keep secrets away from code
○ Use key management service (AWS KMS)
25. Data Protection by Design and Default Ctd.
● Use two factor authentication
○ Secure your application users
○ Secure cloud service provider accounts with 2FA
● Monitoring and logging
○ Avoid logging privacy data (Use user reference ids instead)
○ Centralize and archive logs (AWS CloudWatch)
○ Asset management and configuration (AWS Config)
○ Track API activity (AWS CloudTrail)
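An added example (not the deck's code) of the "avoid logging privacy data" point above: a Python logging filter that redacts email addresses, phone numbers and IPv4 addresses from every record, so what reaches the central archive carries only the user reference id. The patterns, logger name and helper names are assumptions.

```python
import logging
import re

# Patterns for the personal data most likely to leak into application logs.
# They are deliberately loose: over-redacting a log line is the safer failure.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")      # 9+ chars of digits, spaces, dashes
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def redact(text):
    """Replace email addresses, phone numbers and IPv4 addresses with tags."""
    text = EMAIL_RE.sub("[email]", text)
    text = PHONE_RE.sub("[phone]", text)
    return IPV4_RE.sub("[ip]", text)

class PrivacyFilter(logging.Filter):
    """Rewrites each record's formatted message before any handler sees it,
    so the redaction also covers values passed as %-style arguments."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()     # already interpolated; prevents a second formatting pass
        return True

def make_logger(name="app"):
    """Logger whose records carry a user reference id rather than identity data."""
    logger = logging.getLogger(name)
    if not any(isinstance(f, PrivacyFilter) for f in logger.filters):
        logger.addFilter(PrivacyFilter())
    return logger

def redacted_message(msg, *args):
    """Helper: run one record through the filter and return what a handler would see."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, msg, args, None)
    PrivacyFilter().filter(record)
    return record.getMessage()

def log_login(logger, user_ref, email, ip):
    # Even though the call passes the raw email, the filter strips it; what
    # survives in the archive is the opaque user reference.
    logger.info("login ok user_ref=%s email=%s ip=%s", user_ref, email, ip)
```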
26. Data Protection Impact Assessments (DPIAs)
● Mandated under GDPR
● A process for identifying and minimising the data protection risks of a project
● Consult ICO if you find a high risk
● Integrate measures that are identified into the project plan
How to Practice
● Carry out in major projects that involve use of personal data
● Use dedicated risk assessment tools or even Excel
27. Data Protection Officer
● Assists in monitoring internal compliance
● Acts as a contact point for data subjects and the supervisory authority
● Advises on DPIAs
● Can be an existing employee or externally appointed
● Must be independent, an expert in data protection, adequately resourced, and report to the
highest management level
Implementation
Publish the contact details of the DPO on the website (publicly accessible)
Ex:- dpo@mycompany.com
28. Codes of Conduct & Certification
Codes of Conduct
● Focus on the exercise of the data subjects' rights
● Details of information provided to the public and the data subjects
● Compliance with security requirements
● Notification of breaches
Certifications
● ISO 27001 - for technical measures
● ISO 27017 - for cloud security
● ISO 27018 - for cloud privacy
● SOC 1, SOC 2 and SOC 3
● EU-US Privacy Shield
● PCI DSS
29. International Data Transfers
● The third country must have an adequate level of protection for EU citizens' data when it leaves the
EU or EEA
● There must also be an independent supervisory authority operating in the third country to
protect data
● A controller or processor can still transfer data to a third country or international organisation
when the commission has not determined adequacy. This is only the case if the recipient
has provided appropriate safeguards.
● If you are using the cloud, the best option is to use a cloud provider who is GDPR compliant
31. Role of ShoutOUT
Data Controller
Collect personal data directly from the end users
who sign up with the application
Data Processor
Process personal data which are collected by the
organizations
32. Application User Lifecycle - Before
[Diagram: Web Site, Application, Analytics, CRM & Support, and the Backend (Application Servers, Database Servers)]
33. Application User Lifecycle - After
[Diagram: the same components as before (Web Site, Application, Analytics, CRM & Support, Backend with Application Servers and Database Servers) plus the GDPR additions: Privacy policy, Agree with terms, Receive news/updates, Cookie Consent, Firewall, DPA, DPO, Risk Assessment Tools, Documents (Agreements, Contracts)]
34. Important
● Privacy and Data Protection should be at the top of your list
● Design the systems from the beginning to support data protection
● Respect the data which matters to a living being
● Make it a collaborative effort of all within the organization