
GDPR and technology - details matter

GDPR and technology - details matter, Kalle Varisvirta, Exove

Exove and Bird & Bird seminar on Nov 23rd 2016: "GDPR - Practical Effects on Digital Business - juridical, technical, and customer point of view"

  1. GDPR and technology - details matter. Kalle Varisvirta, @kvirta
  2. Me: Kalle Varisvirta, Technology Director. Not a lawyer.
  3. Documentation vs. reality
  4. Documentation vs. reality
     • Privacy policies (as well as PIAs) are usually written by interviewing Developers and Systems Engineers, but unfortunately by non-technical people
     • Technical people simplify things when asked about details by non-technical people - that’s what we’re told to do
  5. Cloud & SaaS services
  6. Residual data & removing data
  7. Residual data & removing data
     • Data leaves a trace when going through a system
     • Mapping your data exactly is very difficult, as is removing it
  8. Varnish or CDN in the front; Web server logs; Local caches; Uploaded binary files; Backups of the servers
  9. MySQL logs; Binary logs on all servers; Backups of binary logs; Database dumps made by developers; Production dumps to staging environment
  10. Integration platform logs and local caches; Integration platform document DB oplogs; SaaS messaging platform logs and internal database
  11. All the SaaS services
  12. Finally the actual data master, its logs, backups and development environment
  13. Residual data
     • Data flows are complicated
     • Residual data is easily overlooked and forgotten
     • Removal of data becomes very problematic in the real world
     • Removing from backups
  14. Electronic format & data aggregation
  15. Electronic format
     • There are a lot of requirements for providing data in an electronic format
     • Most systems have the data spread out optimized for the system, not aggregation
     • Gathering data to a “single” electronic format would be a complicated and slow manual task for most environments
  16. What to do?
  17. What to do?
     • Take the regulation seriously
     • Map out your systems, in full detail
     • Consider data flow through the system
     • Consider the cloud / SaaS services you might be using
     • Consider residual data
  18. What to do?
     • For compliance, make sure technical personnel (either internal or from your vendors) are involved
     • To understand the regulation, not just to provide answers
  19. Thanks. Questions?
