GDPR

General Data Protection Regulation

What is GDPR?

The General Data Protection Regulation (GDPR) standardizes data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. GDPR replaces the 1995 EU Data Protection Directive, and goes into force on May 25, 2018. It also supersedes the 1998 UK Data Protection Act.

Tech requirements GDPR

LET'S BUILD TOGETHER

- “Forget me” (the right to erasure)

- Data destruction (data minimization principle)

- Mark profile as restricted (right to restriction of processing)

- Export data (right to portability)

- Allow profile editing (right to rectification)

- Consent checkboxes • Age checks

- “See all my data” (right to access)

Forget me

LET'S BUILD TOGETHER

Delete all data relating to a user

- Void forgetUser(UUID userId)
- Useful for integration tests

What about foreign keys?

- Allow nullable foreign keys 
- Anonymize user (leave only ID) 
- Cascade delete

Forget me

LET'S BUILD TOGETHER

Notify 3rd parties / call 3rd parties APIs:

- CRMs, Payment gateways, etc. 
- Return 404 for indexable pages

Backups – store anonymized IDs separately

Restrict processing

LET'S BUILD TOGETHER

Mark user as “restricted”
- Boolean database column
- Button on profile page “restrict processing of personal data”
- Button on admin page
Don’t show in searches, don’t send emails, don’t include in automated processing
• Mark as restricted in 3rd party systems (e.g. with a custom field)
• Don’t show on public pages / 404
• Why?
• Edge cases: user objects to erasure;

Export data

LET'S BUILD TOGETHER

- Right to data portability (no vendor lock-in; in theory)
- Formats: JSON, XML, CSV or other standards
- Schema: prefer schema.org
- Could be a background process that sends email when done
- Could be a manual process (easier to get compliant)
- All personal data + all data, associated with the user (orders, messages, etc.)
- Logs? No
- Data from 3rd party systems? Yes
          - they should have that functionality as well

Editable user profile

- Right to rectification
- All personal data fields should be editable
- Could be a manual support process: “please fix my name or my email”
- Data obtained from 3rd parties
- If email/phone is included, user should be    able to modify email/phone
- If not – manual process

LET'S BUILD TOGETHER

Ask for consent

- No more “I accept the Terms and conditions and the privacy policy”
- Unchecked checkbox for each processing purpose on registration
- Data processing business processes to be listed in a register
- User should be able to withdraw consent from the user profile page
- If data is used for machine learning, get explicit consent for that
- Store consent in a secure way
- Consents table with boolean field and timestamping
- Re-request consent for existing users via email
- Oral consent (Accept by phone call)

LET'S BUILD TOGETHER

See all my data

Data should be displayed in the regular UI of the application 

Allow non-registered users to check if you have data about them
- Confirm email
- Show the processing records from the register

LET'S BUILD TOGETHER

Age check

On registration ask for age / date of birth / (checked) checkbox “I’m older than 16”

• Ask parent for consent

LET'S BUILD TOGETHER

Limit data retention

- Don’t store data for longer than “necessary”
- Database column for “data retention deadline”
- Scheduled job to delete/anonymize/pseudonymize data that past its deadline
- Deadline vs confirmation event, e.g. “goods delivered”
- Applicable to “purchase without registration”
- Theoretically applicable to registered users
- In practice: “I agree to having my address stored for the purpose of not entering it again on subsequent purchases”.

LET'S BUILD TOGETHER

Do's

LET'S BUILD TOGETHER

Best practices for protect data sensitive

Restrict access to production data servers…

```
Encrypt the data in transit
```
```
Encrypt the data at rest
```
```
Encrypt your backups
```
```
Implement pseudonymisation
```
```
Protect data integrity
```
```
Log access to personal data
```
```
Register all API consumers
```

Don’t’s

LET'S BUILD TOGETHER

Bad practices for protect data sensitive

- Don’t put fields on the registration/profile form that you don’t need

- Don’t use data for purposes that the user hasn’t agreed with

- Don’t assume 3rd parties are compliant (Verify that the service complies with data protection)

- Don’t log personal data (Save data in sql and send to others, or save data in csv or xls to send)
- Don’t dump personal data on public servers/buckets

Business requirements for GDPR

LET'S BUILD TOGETHER

Audit data across Company products
Identify and eliminate the big risks
Revise privacy policies of Company and its products
Data processing procedures
Training for Comany staff
Delegate CDO

LET'S BUILD TOGETHER

rocka.co

juan@rocka.co

http://rocka.co

LET'S BUILD TOGETHER