GENERAL DATA PROTECTION REGULATION A developer’s story


DISCLAIMER

This is not “legal advice”; all points made should be checked with your company’s legal department or a legal advisor for your specific situation!

GDPR

What is it?

GENERAL DATA PROTECTION REGULATION (GDPR)

➤ A stricter, binding version of the already existing EU best-practice advisories (which were guidance, not rules) on protecting privacy data

➤ Becomes law in all 28 EU countries on May 25, 2018

➤ Impacts every business that collects and processes privacy-related data of EU data subjects (even businesses outside the EU)

“GDPR is a risk based approach”

- Cindy E. Compert, IBM Security

WHAT GDPR WANTS TO PROTECT

Religion & Beliefs

Physical Appearance

Cultural Background

Sexual Orientation

Social Status

Financial Strength

Mental State

Medical Conditions

Studies & Education

Memberships

Loyalty Programs

Identity & Nationality

WHAT IS CONSIDERED “PRIVATE DATA”?

➤ Name, email address, home address, phone number

➤ Social security number, national identity number, passport number

➤ Medical data, social status, religion, political views, sexual orientation, nationality, financial balance

➤ Concert tickets, travel arrangements, library cards, loyalty programs

➤ IP addresses with timestamps

➤ and much more…

PII: Personally Identifiable Information

Information that can identify a single individual

RULE OF THUMB

Any piece of information that can point to a single individual within the EU

WHY CARE ABOUT GDPR?

Why do I need to invest so much in being ready?

PROTECT & SERVE

➤ Protect data of EU data subjects

➤ Secure the way you store data

➤ Audit access to data

➤ Know what data is kept in the company

FINES & PENALTIES

➤ up to 10 million Euro or 2% of annual global turnover

➤ up to 20 million Euro or 4% of annual global turnover for more severe infringements

IMPROVING KNOWLEDGE

on the private data collected and processed by your company and who had access to it.

SERVICE BINGO

IMPROVE SECURITY

GDPR is a risk-based approach to protecting privacy data. Every measure you take to ensure this protection also improves your overall security.

GDPR COMPLIANCE

The nitty-gritty

ASSESS

ASSESS AND PREPARE

➤ Assess all data across

➤ Clients

➤ Employees

➤ Suppliers

➤ Contacts

➤ Develop a GDPR readiness roadmap

➤ Identify personal data

LOOK OUT FOR KEY IDENTIFIERS

➤ When privacy data contains keys

➤ email address

➤ social security number

➤ national identity number

➤ …
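The assessment step comes down to finding the records that carry a key identifier. As an added example (not code from the talk), the scanner below checks every field of a record against value patterns for the identifiers named on the slides plus column-name hints, and aggregates the findings per column over a dataset. The national-number formats, the hint list and the sample rows are assumptions constructed for the example.

```python
"""Spot key identifiers in a dataset so personal data can be inventoried.

Added example, not part of the talk: a hypothetical scanner that checks each
field of a record against identifier patterns and column-name hints, then
aggregates the findings per column over a whole dataset.
"""
import re
from typing import Dict, Iterable, List

# Value patterns for identifiers the slides list. The national-number formats
# are assumptions (US SSN, Belgian national register number) and must be
# replaced by the formats of the countries whose data you actually hold.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn_us": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "national_id_be": re.compile(r"^\d{2}\.\d{2}\.\d{2}-\d{3}\.\d{2}$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    # Loose phone pattern: 7+ digits with optional spaces or hyphens; it also
    # matches SSN-shaped strings, so overlapping types are reported together.
    "phone": re.compile(r"^\+?(?:\d[\s-]?){7,}$"),
}

# Column-name tokens that usually hold an identifier regardless of value format.
COLUMN_HINTS = {"email", "mail", "ssn", "passport", "phone", "tel", "ip", "name"}


def classify_value(value: str) -> List[str]:
    """Return the identifier types whose pattern the value matches."""
    text = value.strip()
    return [name for name, rx in IDENTIFIER_PATTERNS.items() if rx.match(text)]


def scan_record(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each field of one record to the identifier types found in it."""
    findings: Dict[str, List[str]] = {}
    for column, value in record.items():
        hits = classify_value(str(value))
        if COLUMN_HINTS & set(column.lower().split("_")):
            hits.append("column_name_hint")
        if hits:
            findings[column] = hits
    return findings


def scan_dataset(rows: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Aggregate per-column identifier types over all rows."""
    summary: Dict[str, set] = {}
    for row in rows:
        for column, hits in scan_record(row).items():
            summary.setdefault(column, set()).update(hits)
    return {column: sorted(hits) for column, hits in summary.items()}


# Constructed sample rows (not real people); an IP plus a timestamp is
# personal data too, which is why client_ip is flagged by its name as well.
SAMPLE_ROWS = [
    {"id": "1", "contact": "jane@example.org", "client_ip": "203.0.113.7",
     "seen_at": "2018-05-25T09:00:00Z", "order_total": "42.10"},
    {"id": "2", "contact": "+32 2 555 01 23", "client_ip": "198.51.100.2",
     "seen_at": "2018-05-25T09:05:00Z", "order_total": "13.37"},
]

if __name__ == "__main__":
    for column, types in scan_dataset(SAMPLE_ROWS).items():
        print(f"{column}: {', '.join(types)}")
```

Run it over a sample of each table before the readiness roadmap is written; a column that is flagged in only some rows (here `contact`, which mixes emails and phone numbers) is a sign that the schema itself needs tightening before access rules can be put on it.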

DESIGN

DESIGN

➤ Governance (how are you going to protect the data?)

➤ Training (how are employees handling the data?)

➤ Communication (how is data communicated?)

➤ Processes (how is data processed?)

STANDARDS AND PROCEDURES

➤ Create company-wide standards for handling data

➤ Create procedures for

➤ Collecting data

➤ Processing data

➤ Exchanging data

TRANSFORM

AUTOMATION IS KEY

➤ Develop and implement

➤ Procedures

➤ Processes

➤ Tools

➤ Deliver GDPR training

➤ Adhere to

➤ Privacy by design

➤ Security by design

DATA MANAGEMENT POLICIES

➤ Data must be protected

➤ Collect the minimum amount of data

➤ Store the data safely (with encryption) and securely

➤ Anonymise the data before processing

➤ Ensure these policies are enforced
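"Collect the minimum" and "anonymise before processing" can be enforced in code at the hand-over point to each processing step. The block below is an added example, not code from the talk: a hypothetical analytics job that counts repeat customers only ever sees an allow-listed subset of each order plus a keyed pseudonym (HMAC-SHA256 over the email address) instead of the address itself. The field names, the demo key and the sample orders are constructed for the example; in practice the key lives in a secret store outside the processing environment.

```python
"""Minimise and pseudonymise customer records before they reach a processing step.

Added example, not part of the talk. The hypothetical analytics job below only
needs country and order value plus a stable token per customer to count repeat
buyers. Names, emails and phone numbers are dropped (minimisation) and the
email is replaced by an HMAC under a key kept outside the processing
environment, so the job cannot reverse the token but the same customer always
gets the same one.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List

# Allow-list for this processing purpose; every other field is dropped.
ALLOWED_FIELDS = ("country", "order_total")
IDENTIFIER_FIELD = "email"

# Constructed demo key. In production this comes from a secret store and is
# never available to the system that runs the analytics.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed one-way token: HMAC-SHA256 over the normalised identifier, truncated to 16 hex chars."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def minimise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Copy of the record with only the allowed fields and a pseudonymous subject id."""
    out = {f: record[f] for f in ALLOWED_FIELDS if f in record}
    out["subject"] = pseudonym(record[IDENTIFIER_FIELD], key)
    return out


def repeat_customers(records: Iterable[Dict[str, str]], key: bytes) -> List[str]:
    """Processing step: subjects with more than one order, seen only through minimised records."""
    counts: Dict[str, int] = {}
    for rec in (minimise(r, key) for r in records):
        counts[rec["subject"]] = counts.get(rec["subject"], 0) + 1
    return sorted(subject for subject, n in counts.items() if n > 1)


# Constructed sample input, not real people.
SAMPLE_ORDERS = [
    {"full_name": "Jane Doe", "email": "Jane@example.org", "phone": "+32 2 555 01 23",
     "country": "BE", "order_total": "42.10"},
    {"full_name": "Bob Roe", "email": "bob@example.org", "phone": "+31 20 555 0199",
     "country": "NL", "order_total": "13.37"},
    {"full_name": "Jane Doe", "email": "jane@example.org", "phone": "+32 2 555 01 23",
     "country": "BE", "order_total": "9.99"},
]

if __name__ == "__main__":
    print("repeat customers:", repeat_customers(SAMPLE_ORDERS, PSEUDONYM_KEY))
```

A keyed HMAC rather than a plain hash matters here: an unkeyed SHA-256 of an email address can be reversed by hashing a list of candidate addresses, so it would not count as anonymised data for the processing step. Rotating the key breaks the link between old and new tokens, which is the behaviour you want when a retention period ends.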

OPERATE

IN OPERATION

➤ Execute automated business processes

➤ Monitor security and privacy

➤ Manage data access and consent rights

RIGHT FOR DATA INSIGHT AND “BE FORGOTTEN”

➤ Data subjects

➤ Can request insight in data collected

➤ Can request to be forgotten

CONFORM

MAKE SURE YOU CONFORM TO YOUR POLICIES

➤ Assess that your procedures are implemented

➤ Monitor data access

➤ Report on data activity

➤ Audit on a regular basis the security of your data

➤ Evaluate continuously adherence to GDPR standards

PATH TO GDPR COMPLIANCE

ASSESS, DESIGN, TRANSFORM, OPERATE, CONFORM


SOME EXAMPLES

Some technical tips

PASSWORD MANAGEMENT

➤ Don’t store data access passwords in common repository

➤ Don’t keep passwords in environment variables*

➤ Make use of an Identity Management System to manage

➤ SSH keys

➤ API keys

➤ DSNs

➤ Public keys

(*) Why not use environment variables: diogomonica.com
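The first tip, keeping data-access passwords out of the common repository, is easy to check mechanically: a DSN of the form `scheme://user:password@host/db` committed to a config file is exactly what to catch before it lands. The block below is an added example (not code from the talk) of such a check: it finds DSN-like strings in text lines, reports the ones carrying a password, and returns a redacted copy so the finding can be logged without copying the secret into the log. The regex, the function names and the sample config lines are assumptions constructed for the example.

```python
"""Flag connection strings that carry a password before they reach a shared repository.

Added example, not from the talk: a hypothetical pre-commit style check that
parses DSN-like values (scheme://user:password@host/db) found in config lines
and reports any with an embedded password, returning a redacted copy so the
finding can be logged without leaking the secret itself.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# A scheme followed by "://" and a run of non-space, non-quote characters.
DSN_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s'\"]+", re.IGNORECASE)


def redact(dsn: str) -> str:
    """Return the DSN with the password replaced by '***' (unchanged if it has none)."""
    parts = urlsplit(dsn)
    if parts.password is None:
        return dsn
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, redacted DSN) for every DSN that embeds a password."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in DSN_RE.finditer(line):
            dsn = match.group(0)
            if urlsplit(dsn).password is not None:
                findings.append((number, redact(dsn)))
    return findings


# Constructed config lines, not from any real project.
SAMPLE_CONFIG = [
    "# constructed config, not a real project file",
    "DB_URL=mysql://app:s3cret@db.internal:3306/shop",
    "CACHE_URL=redis://cache.internal:6379/0",
    "'dsn' => 'pgsql://app:hunter2@localhost/shop',",
    "API_BASE=https://api.example.com/v1",
]

if __name__ == "__main__":
    for number, redacted in scan_lines(SAMPLE_CONFIG):
        print(f"line {number}: password embedded in {redacted}")
```

Wire `scan_lines` into a pre-commit hook or CI step over the files being added; a DSN without userinfo (`redis://cache.internal:6379/0`) or with only a username passes, because the point is the credential, not the hostname. The redacted form is what goes into the finding, so the scanner itself never writes the password to a build log.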

USE A TEAM PASSWORD MANAGER

ENFORCE 2FA FOR EVERYONE!

AUDIT TRAILS WITH MIDDLEWARE

➤ Log access to data

➤ Automate anonymising of privacy data

➤ Automate encryption of privacy data

What’s wrong with this picture?

Why display full name details?

Why display email addresses?

Why display phone numbers?

REDUCE ACCESS TO DETAILS

If a user has other ways to communicate with your clients, remove the visible display of common data elements like full names, email and shipment addresses and phone numbers.

Do you see the difference?

No full name displayed

Integrated communication functionality

SAME FUNCTIONALITY, BUT KEEPS DATA HIDDEN

➤ Prevents accidentally exposing email and phone numbers (e.g. during a call)

➤ Hides details from end-user, but functionality is still provided

➤ Sending out an email uses the built-in mail client

➤ Making calls goes through the phone middleware used in the company

➤ Gives clear audit trail on who accessed what

NOT 100% PROTECTION, BUT…

➤ We remove the personal one-on-one communication with customers

➤ We add better access management on customer communication

➤ Full audit trail now possible as communication stays in-application

➤ Less chance for data loss as contact details are kept away from users
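The audit-trail middleware and the "same functionality, data hidden" screen are two halves of one design: the view never returns the contact details, and the only way to reach the customer is a server-side call that resolves an opaque handle and logs who did it. The block below is an added example (not code from the talk) of that service layer. The class and field names, the one-time handle scheme and the in-memory "outbox" standing in for the mail client and phone middleware are assumptions constructed for the example; the customer data is made up.

```python
"""Keep contact details out of the UI while still letting staff reach the customer.

Added example, not from the talk: a hypothetical service layer in which the
customer view returns a masked record (no full name, email or phone) plus an
opaque contact handle, and every message goes through contact_customer(),
which resolves the handle server-side and writes an audit entry. The mail
client and phone middleware are replaced by an in-memory outbox.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Customer:
    customer_id: str
    full_name: str
    email: str
    phone: str
    city: str


@dataclass
class AuditEntry:
    when: str
    actor: str
    action: str
    customer_id: str
    detail: str = ""


class CustomerService:
    def __init__(self, customers: List[Customer]):
        self._customers = {c.customer_id: c for c in customers}
        self._handles: Dict[str, str] = {}        # opaque handle -> customer_id
        self.audit: List[AuditEntry] = []         # the audit trail
        self.outbox: List[Dict[str, str]] = []    # stands in for mail/phone middleware

    def _log(self, actor: str, action: str, customer_id: str, detail: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, actor, action, customer_id, detail))

    def view(self, actor: str, customer_id: str) -> Optional[Dict[str, str]]:
        """Masked view: initials and city only, plus a one-time contact handle."""
        c = self._customers.get(customer_id)
        if c is None:
            return None
        handle = secrets.token_urlsafe(12)
        self._handles[handle] = customer_id
        self._log(actor, "view", customer_id)
        initials = " ".join(part[0] + "." for part in c.full_name.split())
        return {"customer_id": c.customer_id, "display": initials,
                "city": c.city, "contact": handle}

    def contact_customer(self, actor: str, handle: str, channel: str, body: str) -> bool:
        """Send via the in-house channel without revealing the address to the actor."""
        customer_id = self._handles.pop(handle, None)   # handles are single-use
        if customer_id is None:
            self._log(actor, "contact-denied", "?", "unknown or reused handle")
            return False
        c = self._customers[customer_id]
        address = c.email if channel == "email" else c.phone
        self.outbox.append({"channel": channel, "to": address, "body": body})
        self._log(actor, f"contact-{channel}", customer_id)
        return True


# Constructed sample customer, not a real person.
SAMPLE_CUSTOMERS = [
    Customer("c-100", "Jane Doe", "jane@example.org", "+32 2 555 01 23", "Ghent"),
]

if __name__ == "__main__":
    svc = CustomerService(SAMPLE_CUSTOMERS)
    masked = svc.view("agent-7", "c-100")
    print("what the agent sees:", masked)
    svc.contact_customer("agent-7", masked["contact"], "email", "Your order has shipped.")
    for entry in svc.audit:
        print(entry.when, entry.actor, entry.action, entry.customer_id, entry.detail)
```

Two details carry the security value. The handle is bound to one view and consumed on first use, so a handle copied out of a screenshot cannot be replayed later, and the denied attempt is itself logged. And the outbox record is the only place the real address appears, which is where the in-house mail client or phone middleware would take over.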

…AND DON’T FORGET TO ENCRYPT YOUR STORAGE & COMMUNICATIONS!

App

Data Storage

File Storage

Log Storage

Backup Storage

Public/private key exchange | encrypted data storage

EMAIL MARKETING

CONTACT DATA

Opt-in, always

NOT OPT-IN

/dev/null is the place to be

LIMIT EXPIRATION

Don’t keep longer than needed

AUTOMATE IT!
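"Opt-in always, non-opt-in to /dev/null, limit expiration, automate it" reduces to a small consent registry with a scheduled purge. The block below is an added example (not code from the talk) of such a registry: a contact is mailable only with an explicit, unexpired opt-in record, and `purge()` removes everything else and returns what it removed so the deletion can be logged. The class names, the one-year retention period and the sample contacts are assumptions constructed for the example; the retention period in particular depends on your legal basis.

```python
"""Consent-driven marketing list: opt-in only, time-limited, purged automatically.

Added example, not from the talk: a hypothetical registry where a contact is
only mailable if it carries an explicit opt-in record that has not expired;
purge() drops everything else (the slide's "/dev/null") and returns what was
removed so the deletion itself can be audited.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RETENTION = timedelta(days=365)   # assumed retention period; set it per your legal basis


@dataclass
class Contact:
    email: str
    opted_in_at: Optional[datetime]   # None = no consent evidence at all
    source: str = ""                  # where the consent was captured


class MarketingList:
    def __init__(self) -> None:
        self._contacts: Dict[str, Contact] = {}

    def record_opt_in(self, email: str, source: str, when: datetime) -> None:
        """Store consent with its timestamp and origin (the evidence you may need later)."""
        key = email.lower()
        self._contacts[key] = Contact(key, when, source)

    def add_without_consent(self, email: str) -> None:
        """An imported address with no consent evidence; it survives only until the next purge."""
        key = email.lower()
        self._contacts.setdefault(key, Contact(key, None))

    def is_mailable(self, email: str, now: datetime) -> bool:
        """Explicit opt-in, and not older than the retention period."""
        c = self._contacts.get(email.lower())
        return c is not None and c.opted_in_at is not None and now - c.opted_in_at <= RETENTION

    def purge(self, now: datetime) -> List[str]:
        """Remove contacts without consent or with expired consent; return their addresses."""
        removed = [e for e in self._contacts if not self.is_mailable(e, now)]
        for e in removed:
            del self._contacts[e]
        return sorted(removed)

    def recipients(self, now: datetime) -> List[str]:
        """The only addresses a campaign may be sent to."""
        return sorted(e for e in self._contacts if self.is_mailable(e, now))


if __name__ == "__main__":
    # Constructed sample data, not real people.
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ml = MarketingList()
    ml.record_opt_in("Jane@example.org", "webshop-checkbox", now - timedelta(days=30))
    ml.record_opt_in("old@example.org", "event-2016", now - timedelta(days=400))
    ml.add_without_consent("imported@example.org")
    print("purged:", ml.purge(now))
    print("recipients:", ml.recipients(now))
```

Run `purge()` from a scheduled job rather than by hand, and have the campaign tool call `recipients()` instead of reading the table directly; then an address that was never opted in, or whose consent has aged out, cannot reach a mailing even if someone forgets the purge.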

NEXT STEPS

Get started now to be ready

GET STARTED NOW

DON’T START BLINDLY

KNOW WHAT TO PROTECT!

EVALUATE REGULARLY

GOAL: PROTECT PRIVACY

THE CLOCK IS TICKING…

Please leave feedback on joind.in to improve this talk

and grab the slides on your way out.

in2it PROFESSIONAL PHP SERVICES

Michelangelo van Dam, Zend Certified Engineer

[email protected] - www.in2it.be - T in2itvof - F in2itvof

Microsoft Azure Zend Framework Consulting

Quality Assurance & Disaster Recovery

JOIN THE DISCUSSION

https://in2.se/gdpr-updates