I gave this talk at the Isle of Ruby conference in Exeter, England on April 14th 2018.
My goal was to explain some fundamental ideas of GDPR but also to show what developers face when trying to comply with this regulation.
10. The history
☞ Approved and adopted by the EU Parliament in April 2016.
☞ Will take effect and be in force from May 25th 2018.
☞ OECD guidelines from the 1980s and a Data Protection Directive from 1995
Holger Frohloff 10
12. Who does it apply to
☞ Organizations located within the EU
☞ Organizations outside of the EU (if they offer goods or services to, or monitor the behavior of, EU data subjects)
☞ Processing & holding the personal data of data subjects residing in the European Union
16. Personal data
☞ Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person.
☞ Examples: a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
17. Key points
Consent
Right to Access
Data Portability
Right to be Forgotten
Privacy by design
Privacy by default
19. Consent
Article 7
❝Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.❞
20. Right of Access
Article 15
☞ Confirmation whether or not personal data concerning them is being processed, where and for what purpose.
☞ Receive their data, free of charge, in a machine-readable format
☞ At any time
21. Data Portability
Article 20
☞ Data controller transmits their data to another controller
☞ Without hindrance
☞ Free of charge
22. Right to be forgotten
Article 17
☞ Erasure of personal data
☞ Without undue delay
☞ Halt processing with third parties
☞ A little respect
Photo by Andwhatsnext on Wikipedia (CC-BY-SA-3.0)
23. Privacy by design & Privacy by default
Article 25
☞ Optimal data protection to be provided as standard
☞ Security of data and the proper steps to ensure privacy should be the default
25. Data Protection Impact Assessments (DPIA)
☞ Required for data-intensive projects; makes sense for almost every (bigger) project
☞ Results accessible for all parties involved
☞ Describe processes related to data and privacy risks
26. Data Collection and Retention
☞ Data collection & processing? Retention, storage location (cloud?)
☞ How long? When deleted?
☞ Consent? Verifiable? Explicit? Legal basis?
☞ Controls about retention for users?
27. Technical and Security Measures
☞ Do you use encryption, anonymization, pseudonymization?
☞ Backups? How? When?
☞ What TSMs (technical and security measures) exist at the host (AWS etc.)?
28. Personnel
☞ Who has access?
☞ Data protection training?
☞ Security measures people work with?
☞ Process for handling data breach notifications?
☞ Process for government requests?
29. Data subject (access) rights
☞ How can they exercise their rights (erasure, portability, access, being forgotten)?
☞ How can they restrict processing of their data? How can they object?
☞ How can they withdraw consent?
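The consent and data-subject-rights questions from this slide, plus the pseudonymization measure from slide 27, as a working Ruby sketch (an added example, not code from the talk; the in-memory store, its field names and the HMAC-based pseudonym scheme are assumptions made for illustration):

```ruby
require "json"
require "openssl"
require "time"

# Minimal in-memory data-subject store (constructed example, not the talk's code).
# It covers verifiable consent and its withdrawal, access/portability as machine-readable
# JSON, pseudonymization, and erasure that also reports which third parties must stop processing.
class DataSubjectStore
  def initialize(pseudonym_key)
    @key = pseudonym_key # secret for pseudonyms; assumed to live outside the dataset
    @subjects = {}       # id => { data:, consents:, shared_with: }
  end
  def register(id, name:, email:, ip:)
    @subjects[id] = { data: { name: name, email: email, ip: ip }, consents: [], shared_with: [] }
  end
  # Explicit, verifiable consent: keep the purpose, the wording shown, and the time.
  def record_consent(id, purpose:, text:, at: Time.now.utc)
    @subjects.fetch(id)[:consents] << { purpose: purpose, text: text, given_at: at.iso8601, withdrawn_at: nil }
  end
  # Withdrawal keeps the record (proof of what was consented to) but marks it withdrawn.
  def withdraw_consent(id, purpose:, at: Time.now.utc)
    consent = active_consents(id).find { |c| c[:purpose] == purpose }
    return false unless consent
    consent[:withdrawn_at] = at.iso8601
    true
  end
  def consented?(id, purpose)
    active_consents(id).any? { |c| c[:purpose] == purpose }
  end
  # Every processor that received the data must be known so erasure can reach them.
  def share(id, processor)
    @subjects.fetch(id)[:shared_with] << processor
  end
  # Right of access / portability: everything held about the subject, as JSON.
  def export(id)
    JSON.pretty_generate(@subjects.fetch(id))
  end
  # Pseudonymization: a keyed hash lets internal records be joined without raw identifiers.
  def pseudonym(id)
    OpenSSL::HMAC.hexdigest("SHA256", @key, id.to_s)
  end
  # Right to be forgotten: delete the record; return processors to notify, nil if unknown.
  def erase(id)
    record = @subjects.delete(id)
    record && record[:shared_with]
  end
  private def active_consents(id)
    @subjects.fetch(id)[:consents].reject { |c| c[:withdrawn_at] }
  end
end
```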
30. Legal
☞ Contracts for all data processors, including subcontractors?
☞ Is data transferred outside of the EU?
☞ If yes, what safeguards and protective measures exist?
31. Risks
☞ Which risks exist for the data subject (in case of misuse, breach, unauthorized access, loss)?
☞ Risks in case of modification?
☞ Main sources of risk?
☞ Steps for mitigation? Which are possible? Which are taken?
33. Document it all
☞ Libraries
☞ Tools
☞ Frameworks
☞ Workflows
☞ Document how you write, test, review, document & deploy it
34. External libraries
☞ Are they safe? (Look for DPIAs / documentation about GDPR compliance)
☞ Handling of security vulnerabilities
☞ Data collection & retention?
☞ => Opportunity for OSS authors to increase adoption by EU devs
35. Code Reviews
☞ Code quality doesn’t cut it anymore
☞ Look for handling of data, adherence to PbD, possibilities of encryption/sandboxing etc.
38. Thank you
☞ https://idiomaticrails.com/gdpr: My newsletter about privacy and technology (With double opt-in & 100% less tracking 😉)
☞ Twitter: 5minpause (rarely used)
☞ https://gdpr-info.eu/ A comprehensive website about the regulation
39. Sources #1:
☞ Bundestag - Thomas Quine - https://flic.kr/p/d9bCDd
☞ Panama City - Falco Emert - https://flic.kr/p/FgbicY
☞ Estimated Cash Value: $496,000,000 - Wil C. Fry - https://flic.kr/p/C1wPYR
☞ Bend man - Marten Newhall on Unsplash - https://unsplash.com/photos/uAFjFsMS3YY
☞ TVintage - Ajeet Mestry on Unsplash - https://unsplash.com/photos/UBhpOIHnazM