Kalle Varisvirta's slides about developer view on the EU privacy legislation (GDPR) from DrupalCamp Baltics 2016 in Riga. The key items of the presentation are: What are the requirements for the processors (Drupal maintainers in this view)? What technical challenges complying with the law might bring to a Drupal developer? What are the open questions in the legislation from a technical point of view right now?

1. Developer view on new the
EU privacy legislation
(GDPR)
Kalle Varisvirta
@kvirta

2. Me
Kalle Varisvirta
Technology Director
Exove
Not a lawyer!

3. Point-of-view:
Developers
&
vendors
(processors of data)

4. In this presentation
Overview of the GDPR
Going technical with GDPR

5. General
Data
Protection
Regulation
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

6. What was before
GDPR?
We’ve had a directive since 1995 (Directive 95/46/EC)
Outdated and implemented in different member states
in different times and ways
There was a need to unify and modernize the legislation

7. GDPR is a regulation
GDPR is a regulation, not a directive, so
It’s taken automatically into use in all member states,
without local legislation
However, it needs local legislation to be whole and
compatible and allows a lot of locally adjusted details

8. When?
The regulation was adopted on 2016-04-27
Currently in a two-year transition period, it enters into
application 2018-05-25
Details of the regulation are scheduled to be released
by the end of 2017
Some local legislation may appear as late as May 2018

9. So, what’s new?
Responsibilities for the processors of data
Administrative fines directly to the processors of data
A bunch of technically tricky items

10. Why do we need to pay
attention?
Infringements of the
following provisions shall,
…, be subject to
administrative fines up to
20 000 000 EUR, or …, up to
4 % of the total worldwide
annual turnover

11. Broader definition for
personal data
Any information concerning an identified or identifiable
natural person
Pseudonymized data that can be reversed to
identifiable with additional data

12. Tighter conditions for
consent
Clear affirmative act
Specific and unambiguous and covering all purposes
No pre-ticked boxes, can’t happen from inaction
Can be reversed and this need to explained
A record of active consent
Consent can’t be required for a service that would work
without processing user data

13. Privacy policy
Privacy policy document is now significantly more
controlled
Data has to have a storage time, among a lot of other
things (or a criteria how this is set)
Also, any automatic decision-making needs to be
described, when it can have significant influence to the
data subject
Also needed for third party data

14. Access to the data
Access to the data has to be given, as before
If the request comes “by electronic means”, the
information needs to be provided in a “commonly used
electronic form”
Time limit is one month, but with some exceptions
when it can be extended
First copy needs to be free of charge

15. Restricting processing
A data subject has a right to restrict processing of their
data
Essentially this means temporarily removing the data
from the system, as it needs to be “clearly indicated”
and the data “cannot be changed”
The regulation specifically allows temporary removal of
data

16. Portability
Data subjects have the right to have their data ported
to them or a new service provider in “commonly used
and machine-readable format”
This only applies to data that “which he or she has
provided to a controller”
And with some limitations

17. Objecting
If personal data is processed for profiling, especially for
direct marketing purposes, there’s a right to object,
which stops the processing
Online services need to provide a method of objecting
by electronic means
Data subject has a right to contest automatic decision-
making is it has legal or significant consequences to
the data subject

18. Erasure
Data subject has a right to get his/her data removed
permanently from the system
Again, if an online service, requesting erasure should be
possible via electronic means
Controller should take “reasonable steps” to get the
data, links to it, copies or replications removed, too
Removal should be done “without undue delay”

19. Data breach
Processors need to inform the controller “without
undue delay after becoming aware of it”, without
exceptions
Controllers need to inform the authorities within 72
hours after becoming aware of the breach
In some cases, the controller will need to inform the
data subjects about the breach

20. Governance
Privacy Impact Assessments (PIA)
Data Privacy Officer
Records of processing activities
Processor using subcontractors needs a written
permission from the controller

21. Governance
Privacy by design, or “data protection by design and
data protection by default"

22. Transfers
Transfers outside EEA (European Economic Area) are
still restricted
Safe Harbor is now replaced with Privacy Shield, a
brand new deal to self-certify US companies to allow
hosting data regulated by the GDPR

23. Administrative fines
Unknown to many EU member states, GDPR defines
administrative fines of two categories
Up to 10 million euros, or 2% of the worldwide
turnover, or
Up to 20 million euros, or 4% of the worldwide
turnover

24. From regulation
to action
A lot of lobbying to leave things open
Quite a lot of leeway for derogations
Member states can define a lot of things locally
More information from the EU about interpreting GDPR
coming late 2017
Local legislation changes will be published in their own
schedules, varying per member state

25. What’s bothering
me about all this?

26. 90 / 10 %

27. Documentation
vs.
reality

30. Documentation
vs. reality
Privacy policies (as well as PIAs) are usually written by
interviewing Developers and Systems Engineers, but
unfortunately by non-technical people
We automatically simplify complex concepts when
talking with non-technical people
We try to help them understand the high-level and
we’ve been told not to go into technical details with
these people

31. SaaS services you
don’t think about

36. Residual data

37. Residual data
Data leaves a trace when going through a system

39. Varnish in the front
Web servers, Nginx, PHP-FPM
Memcache, Redis or disk
caches
User images
Backups of the servers

40. MySQL logs
Binary logs on all
servers
Backups of binary
logs
Random dumps
made by
developers
Production dumps
to staging
environment

41. Integration platform logs and local caches
Integration platform MongoDB oplogs
SaaS messaging platform logs and internal
database

42. All those lovely SaaS cloud services to ease
your life

43. Finally all the data
backups of your master
data system

44. Residual data
Data flows are complicated
Residual data is easily overlooked and forgotten
Removal of data becomes very problematic in the real
world
Removing from backups

45. What’s electronic
format?

46. Electronic format
There are a lot of requirements for providing data in an
electronic format
Most systems have the data spread out optimized for
the system, not aggregation
Automatic privacy panels with aggregated data need to
be built

47. What to do?

48. What to do?
Take the regulation seriously
Map out your systems, in full detail
Consider residual data
Consider the SaaS services you might be using

49. What to do?
For compliance, make sure technical personnel are
involved
To understand the regulation, not just answer
questions
This is a task not just for lawyers

50. What to do?
Make sure you protect yourself by contracts with your
clients

51. Recap

52. GDPR is coming
GDPR is coming in May 2018
It’s a law automatically in all member states
It regulates not only controllers of data, but processors,
too (you and me)
Fines are super-high, so you’ll want to comply

53. More rights for data subjects
Right to get data faster and in electronic format
Right to restrict processing (temporarily remove data)
Right to object profiling for direct advertising among
other things
Right to move their data to another vendor with certain
restrictions
Data needs to be easily collected in a widely used
electronic format

54. Consent and governance
Consent forms need to change, more regulated
content, needs to be separate and consent can be
withdrawn
Governance dictates PIAs and records of processing
Data breaches have to be informed in 72 hours of
notice to the authorities (or in some cases to the data
subjects), and without undue delay from processors to
controllers

55. Technical challenges
Documentation doesn’t reflect the details of the reality
Cloud and SaaS-heavy architectures are the norm
Residual data will become a problem for erasure
Data aggregation with self-service UIs for controlling it
will be the only solution for many systems

56. Thanks. Questions?