Developer view on new EU privacy legislation (GDPR)
Transcript of Developer view on new EU privacy legislation (GDPR)
General Data Protection Regulation
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
What was before GDPR?
We’ve had a directive since 1995 (Directive 95/46/EC)
Outdated and implemented in different member states in different times and ways
There was a need to unify and modernize the legislation
GDPR is a regulation
GDPR is a regulation, not a directive, so
It’s taken automatically into use in all member states, without local legislation
However, it needs local legislation to be whole and compatible and allows a lot of locally adjusted details
When?
The regulation was adopted on 2016-04-27
Currently in a two-year transition period, it enters into application 2018-05-25
Details of the regulation are scheduled to be released by the end of 2017
Some local legislation may appear as late as May 2018
So, what’s new?
Responsibilities for the processors of data
Administrative fines directly to the processors of data
A bunch of technically tricky items
Why do we need to pay attention?
“Infringements of the following provisions shall, …, be subject to administrative fines up to 20 000 000 EUR, or …, up to 4 % of the total worldwide annual turnover”
Broader definition for personal data
Any information concerning an identified or identifiable natural person
Pseudonymized data that can be reversed to identifiable with additional data
Tighter conditions for consent
Clear affirmative act
Specific and unambiguous and covering all purposes
No pre-ticked boxes, can’t happen from inaction
Consent can be withdrawn, and this needs to be explained to the data subject
A record of active consent
Consent can’t be required for a service that would work without processing user data
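The consent conditions listed above translate fairly directly into a data structure: an append-only record of per-purpose grants and withdrawals, which refuses anything that was not an affirmative act and can show the consent state at any point in time. The following is an added example written for this page, not code from the slides or from Exove; the class, method names and event layout are assumptions, and the sample events are constructed.

```python
from datetime import datetime


class ConsentRegistry:
    """Append-only record of consent events, one entry per subject and purpose.
    Constructed example; the method names and the event layout are assumptions."""

    def __init__(self):
        # (subject_id, purpose, action, timestamp, evidence) tuples, never edited in place
        self._events = []

    def record_consent(self, subject_id, purpose, when, evidence, *,
                       affirmative_act, condition_of_service=False):
        """Store a grant only when it came from a clear affirmative act for one
        named purpose and was not a condition of a service that works without the data."""
        if not affirmative_act:
            raise ValueError("consent cannot be inferred from inaction or a pre-ticked box")
        if condition_of_service:
            raise ValueError("consent cannot be required for a service that works without the data")
        if not purpose or not purpose.strip():
            raise ValueError("consent must name a specific purpose")
        self._events.append((subject_id, purpose, "granted", when, evidence))

    def withdraw(self, subject_id, purpose, when, evidence):
        """Withdrawal is recorded as a new event so the original grant stays auditable."""
        self._events.append((subject_id, purpose, "withdrawn", when, evidence))

    def is_permitted(self, subject_id, purpose, at):
        """Consent state for one purpose as of time `at`: the latest event before `at` wins."""
        relevant = sorted(
            (e for e in self._events
             if e[0] == subject_id and e[1] == purpose and e[3] <= at),
            key=lambda e: e[3])
        return bool(relevant) and relevant[-1][2] == "granted"

    def evidence(self, subject_id, purpose):
        """The record of active consent a controller must be able to produce on request."""
        return [e for e in self._events if e[0] == subject_id and e[1] == purpose]


if __name__ == "__main__":
    reg = ConsentRegistry()
    reg.record_consent("u1", "newsletter", datetime(2018, 5, 25, 10, 0),
                       "signup form v3, checkbox ticked by user", affirmative_act=True)
    reg.withdraw("u1", "newsletter", datetime(2018, 6, 1, 9, 0), "unsubscribe link")
    for event in reg.evidence("u1", "newsletter"):
        print(event)
```

Because events are only appended, the registry can answer "was processing for this purpose permitted on that date?" after a withdrawal, which is what an audit of past processing needs; a single boolean column overwritten on withdrawal cannot.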
Privacy policy
The privacy policy document is now significantly more controlled
Data has to have a storage time, among a lot of other things (or the criteria for how it is set)
Also, any automated decision-making needs to be described when it can have a significant effect on the data subject
Also needed for third party data
Access to the data
Access to the data has to be given, as before
If the request comes “by electronic means”, the information needs to be provided in a “commonly used electronic form”
Time limit is one month, but with some exceptions when it can be extended
First copy needs to be free of charge
Restricting processing
A data subject has a right to restrict processing of their data
Essentially this means temporarily removing the data from the system, as it needs to be “clearly indicated” and the data “cannot be changed”
The regulation specifically allows temporary removal of data
Portability
Data subjects have the right to have their data ported to them or a new service provider in “commonly used and machine-readable format”
This only applies to data “which he or she has provided to a controller”
And with some limitations
Objecting
If personal data is processed for profiling, especially for direct marketing purposes, there’s a right to object, which stops the processing
Online services need to provide a method of objecting by electronic means
Data subject has a right to contest automated decision-making if it has legal or significant consequences for the data subject
Erasure
Data subject has a right to get his/her data removed permanently from the system
Again, if an online service, requesting erasure should be possible via electronic means
Controller should take “reasonable steps” to get the data, links to it, copies or replications removed, too
Removal should be done “without undue delay”
Data breach
Processors need to inform the controller “without undue delay after becoming aware of it”, without exceptions
Controllers need to inform the authorities within 72 hours after becoming aware of the breach
In some cases, the controller will need to inform the data subjects about the breach
Governance
Privacy Impact Assessments (PIA)
Data Privacy Officer
Records of processing activities
Processor using subcontractors needs a written permission from the controller
Transfers
Transfers outside EEA (European Economic Area) are still restricted
Safe Harbor is now replaced with Privacy Shield, a brand new deal to self-certify US companies to allow hosting data regulated by the GDPR
Administrative fines
Unknown to many EU member states, GDPR defines administrative fines of two categories
Up to 10 million euros, or 2% of the worldwide turnover, or
Up to 20 million euros, or 4% of the worldwide turnover
From regulation to action
A lot of lobbying to leave things open
Quite a lot of leeway for derogations
Member states can define a lot of things locally
More information from the EU about interpreting GDPR coming late 2017
Local legislation changes will be published in their own schedules, varying per member state
Documentation vs. reality
Privacy policies (as well as PIAs) are usually written by non-technical people, based on interviews with developers and systems engineers
We automatically simplify complex concepts when talking with non-technical people
We try to help them understand the high level, and we’ve been told not to go into technical details with these people
Varnish in the front
Web servers, Nginx, PHP-FPM
Memcache, Redis or disk caches
User images
Backups of the servers
MySQL logs
Binary logs on all servers
Backups of binary logs
Random dumps made by developers
Production dumps to staging environment
Integration platform logs and local caches
Integration platform MongoDB oplogs
SaaS messaging platform logs and internal database
Residual data
Data flows are complicated
Residual data is easily overlooked and forgotten
Removal of data becomes very problematic in the real world
Removing from backups
Electronic format
There are a lot of requirements for providing data in an electronic format
Most systems have the data spread out optimized for the system, not aggregation
Automatic privacy panels with aggregated data need to be built
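The component list, the residual-data slide and the electronic-format slide above all come down to the same engineering problem: knowing every store a subject's data can end up in, then being able to aggregate it into one machine-readable document and to plan its removal, including the stores where in-place deletion is impossible. The following is an added example for this page, not code from the slides or from Exove; the store attributes, the component names and the sample records are all constructed, and a real inventory would be generated from configuration rather than typed in.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import json


@dataclass
class Store:
    """One place personal data can end up. The attribute set is an assumption for this example."""
    name: str
    kind: str                 # "primary", "cache", "log", "backup" or "saas"
    deletable: bool           # can one subject's records be removed in place?
    retention_days: int       # 0 = kept until explicitly removed
    subject_provided: bool    # data the subject handed over (portability scope)
    records: dict = field(default_factory=dict)   # subject_id -> list of items


# Constructed inventory mirroring the component list on this page (all values made up).
INVENTORY = [
    Store("mysql_users", "primary", True, 0, True,
          {"u42": [{"email": "alice@example.test", "name": "Alice"}]}),
    Store("redis_session_cache", "cache", True, 1, False,
          {"u42": [{"session": "sess-123", "last_seen": "2017-11-01"}]}),
    Store("nginx_access_log", "log", False, 30, False,
          {"u42": [{"ip": "203.0.113.7", "path": "/profile"}]}),
    Store("mysql_binlog_backup", "backup", False, 90, False,
          {"u42": [{"snapshot": "2017-10-28"}]}),
    Store("saas_messaging", "saas", False, 0, True,
          {"u42": [{"message": "support ticket #1"}]}),
    Store("staging_dump", "backup", True, 0, False,
          {"u42": [{"copy_of": "mysql_users"}]}),
]


def locate(subject_id, inventory=INVENTORY):
    """Every store that still holds something about the subject, residual copies included."""
    return [s.name for s in inventory if subject_id in s.records]


def export_subject_data(subject_id, portability_only=False, inventory=INVENTORY):
    """Aggregate a subject's data from all stores into one JSON document.
    portability_only narrows the export to data the subject provided."""
    payload = {}
    for s in inventory:
        if subject_id not in s.records:
            continue
        if portability_only and not s.subject_provided:
            continue
        payload[s.name] = s.records[subject_id]
    return json.dumps({"subject": subject_id, "data": payload}, sort_keys=True)


def erasure_plan(subject_id, today, inventory=INVENTORY):
    """Split an erasure request into in-place deletions, copies that can only age
    out through retention, vendor requests, and stores with no removal path at all."""
    plan = {"delete_now": [], "expires_on": {}, "vendor_request": [], "unresolved": []}
    for s in inventory:
        if subject_id not in s.records:
            continue
        if s.kind == "saas":
            plan["vendor_request"].append(s.name)
        elif s.deletable:
            plan["delete_now"].append(s.name)
        elif s.retention_days > 0:
            plan["expires_on"][s.name] = (today + timedelta(days=s.retention_days)).isoformat()
        else:
            # No deletion path and no expiry: the store itself has to be fixed.
            plan["unresolved"].append(s.name)
    return plan


if __name__ == "__main__":
    print(locate("u42"))
    print(export_subject_data("u42", portability_only=True))
    print(erasure_plan("u42", date(2018, 5, 25)))
```

The "unresolved" bucket is the interesting output: any store that lands there is a copy of personal data that can be neither deleted nor aged out, which is exactly the residual data the slides warn will be overlooked.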
What to do?
Take the regulation seriously
Map out your systems, in full detail
Consider residual data
Consider the SaaS services you might be using
What to do?
For compliance, make sure technical personnel are involved
To understand the regulation, not just answer questions
This is a task not just for lawyers
GDPR is coming
GDPR is coming in May 2018
It’s a law automatically in all member states
It regulates not only controllers of data, but processors, too (you and me)
Fines are super-high, so you’ll want to comply
More rights for data subjects
Right to get data faster and in electronic format
Right to restrict processing (temporarily remove data)
Right to object to profiling for direct advertising, among other things
Right to move their data to another vendor with certain restrictions
Data needs to be easily collected in a widely used electronic format
Consent and governance
Consent forms need to change, more regulated content, needs to be separate and consent can be withdrawn
Governance dictates PIAs and records of processing
Data breaches have to be reported to the authorities within 72 hours (and in some cases to the data subjects), and without undue delay from processors to controllers
Technical challenges
Documentation doesn’t reflect the details of the reality
Cloud and SaaS-heavy architectures are the norm
Residual data will become a problem for erasure
Data aggregation with self-service UIs for controlling it will be the only solution for many systems