GDPR and technology - details matter, Kalle Varisvirta, Exove
Exove and Bird & Bird seminar on Nov 23rd 2016: "GDPR - Practical Effects on Digital Business - juridical, technical, and customer point of view"
6. Documentation vs. reality
Privacy policies (as well as PIAs) are usually written by interviewing developers and systems engineers, but unfortunately they are written by non-technical people
Technical people simplify things when asked about details by non-technical people - that’s what we’re told to do
18. Finally the actual data master, its logs, backups and development environment
19. Residual data
Data flows are complicated
Residual data is easily overlooked and forgotten
Removal of data becomes very problematic in the real world
Removing from backups
21. Electronic format
There are a lot of requirements for providing data in an electronic format
Most systems have the data spread out in a way that is optimized for the system, not for aggregation
Gathering data to a “single” electronic format would be a complicated and slow manual task for most environments
24. What to do?
Take the regulation seriously
Map out your systems, in full detail
Consider data flow through the system
Consider the cloud / SaaS services you might be using
Consider residual data
25. What to do?
For compliance, make sure technical personnel (either internal or from your vendors) are involved
To understand the regulation, not just to provide answers