This talk will give you a quick overview of the General Data Protection Regulation (GDPR), that goes into law in Europe starting May 25, 2018. Additionally the talk will primarily focus on the parts that are especially important for people working with testing & quality assurance. Organisations outside EU will also be heavily affected by this, as european organisations will require "GDPR compliance" from service providers, no matter their location.

1. GDPR
An overview and its
relevance for QA
Per Thorsheim
Twitter: @thorsheim
+47 90 99 92 59 (Signal|Wire|Whatsapp)

4. General Data Protection Regulation (GDPR)
• Becomes law in all of EU on May 25, 2018
• Replaces lots of individual laws in every EU country
• Individual countries may add specific additions or exceptions
• GDPR IS APPLICABLE TO ANY BUSINESS WORLDWIDE WORKING
WITH PERSONAL DATA FOR ANY EU CITIZEN IN ANY EU COUNTRY

5. Data subject’s rights
• the need for the individual's clear consent to the processing of
personal data
• easier access by the subject to his or her personal data
• the rights to rectification, to erasure and 'to be forgotten'
• the right to object, including to the use of personal data for the
purposes of 'profiling'
• the right to data portability from one service provider to another

6. 20M €
Or:
4% of global
annual turnover
GDPR maximum penalty:

7. Privacy By Design
• Your right to privacy
• Built-in privacy
• Privacy by default
• Transparency
• Executive management support

8. Training
• The need for privacy
• Internal & external requirements
• Organisation & responsibilities
• Governance, regulatory requirements, standards, procedures
• Methodology for development etc
• Tools, standards, best practices
• OWASP
• Microsoft SDL

9. Requirements
• Privacy & Security
• User & ownership of information
• Processer of information, recipients of information
• Collection & processing of information must be necessary
• Collection, storing, processing, display, communicating & deletion.
• Encryption & access control
• Risk analysis
• Consequences for privacy

10. Design
• Data oriented design:
• Limit amount of information collected
• Hide connections between data (pseudo-anonymization, encryption)
• Data separation
• Aggregate data – remove details about data subjects
• Privacy by default
• Process oriented design
• Information to the user
• User has access to control personal information
• Enforcement of privacy; responsibilities and processes
• Vulnerability minimization & threat modeling

11. Coding
• Generally accepted tools & frameworks
• Control of API’s, third-party libraries etc
• Static code analysis (secure coding principles)
• Source code review

12. Testing
• Checklist from design phase should be verified
• Security testing (vulnerability scans)
• Dynamic testing (user access, security errors)
• Fuzzing
• Penetration testing / vulnerability analysis
• Threat model analysis / attack surface review

13. Release to production
• Incident handling procedures
• Internal
• External
• Governance reporting
• Customer reporting
• Doc review of previous steps for consistency & completeness
• Head of security/privacy final approval before push to production

14. Maintenance
• Incident management & error handling
• Operations, maintenance & development of software

16. I am not going to waste any more of your time,
but the potential of additional user damages due
to «Impact Team» being provoked by the slow
legal process etc may keep the story in the
media. Tell the audience and others and warn
them about the psychological hell a little bit of
rashness online can lead to. I am almost a
completely broken man, and I don’t know if I will
ever be able to stand up again. And I had a life
full of great qualities. Not as whining, but as a
«matter of fact» and a strong warning.

17. per@thorsheim.net
+47 90 99 92 59
(Signal|Wire|Whatsapp)
@thorsheim