apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
The GDPR Developer Guide: Developing a Data Protection Culture for Developers
Jerome Gorin, Technologist at CNIL (French National Commission for Informatics and Freedoms)
2. The CNIL’s Digital Innovation Lab
- Explore: it explores the future of the digital society, to better anticipate the impact of the use of technological innovations on privacy and freedoms.
- Experiment: it is piloting experimental projects in order to better comprehend emerging digital uses.
- Exchange: it creates links between the actors of the digital society (companies, institutions, associations, civil society…), to raise awareness of new issues related to ethics, freedoms and privacy.
3. Explorations
IP 1: Privacy towards 2020
IP 2: The body, a new connected object
IP 3: Data, muses of creation
IP 4: Share!
IP 5: A city's platform
IP 6: Shaping choices
IP 7: Civic tech
IP 8: Digital life scenes
4. Experiments
CookieViz: measure the impact of cookies and other trackers on website navigation.
Mobilitics: understand the smartphone ecosystem and lift the veil on these "black boxes" that are our smartphones.
Advertising and SSP: view the links between advertising companies and publishers.
https://github.com/LINCnil
6. Writing good code is hard
Sources: xkcd.com; https://stackoverflow.blog
CWE-754 Improper Check for Unusual or Exceptional Conditions
CWE-20 Improper input validation
CWE-252 Unchecked return value
CWE-477 Use of obsolete function
CWE-789 Uncontrolled memory allocation
CWE-158 Improper neutralization of null byte or null character
CWE-134 Use of externally controlled format string
CWE-476 Null pointer dereference
(…)
8. GDPR Developer Guide
1. Develop in compliance with the GDPR
2. Identify personal data
3. Prepare your development
4. Secure your development environment
5. Manage your source code
6. Make an informed choice of architecture
7. Secure your websites, applications and servers
8. Minimize the data collection
9. Manage user profiles
10. Control your libraries and SDKs
11. Ensure quality of the code and its documentation
12. Test your applications
13. Inform users
14. Prepare for the exercise of people's rights
15. Define a data retention period
16. Take into account the legal basis in the technical implementation
17. Use analytics on your websites and applications
9. Develop in compliance with the GDPR
- Be aware of the GDPR core principles
- Map and categorize the data and processing in your system
- Prioritize the required actions
- Manage the risks
- Put in place internal processes
- Document the compliance of developments
10. The version 2.0 of this guide is out today!
Recommendations are now associated with sample code
New sections for collecting consents and measuring audience
New cloud recommendations
Sections on the most common vulnerabilities based on data breaches
General fixes from external contributions
…