Developer view on the new EU privacy legislation (GDPR)

Kalle Varisvirta @kvirta

Uploaded by: Exove

Post on 07-Jan-2017


TRANSCRIPT

Me

Kalle Varisvirta

Technology Director

Exove

Not a lawyer!

Point of view: developers & vendors (processors of data)

In this presentation

Overview of the GDPR

Going technical with GDPR

General Data Protection Regulation

http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

What was before GDPR?

We’ve had a directive since 1995 (Directive 95/46/EC)

Outdated and implemented in different member states in different times and ways

There was a need to unify and modernize the legislation

GDPR is a regulation

GDPR is a regulation, not a directive, so

It applies directly in all member states, with no local implementing legislation needed

However, local legislation is still needed to make it complete and compatible, and the regulation leaves a lot of details to national adjustment

When?

The regulation was adopted on 2016-04-27

Currently in a two-year transition period; it enters into application on 2018-05-25

Further guidance on the details of the regulation is scheduled for release by the end of 2017

Some local legislation may appear as late as May 2018

So, what’s new?

Responsibilities for the processors of data

Administrative fines directly to the processors of data

A bunch of technically tricky items

Why do we need to pay attention?

“Infringements of the following provisions shall, …, be subject to administrative fines up to 20 000 000 EUR, or …, up to 4 % of the total worldwide annual turnover” (Article 83(5))

Broader definition for personal data

Any information concerning an identified or identifiable natural person

Pseudonymised data is still personal data if it can be re-identified with additional data

Tighter conditions for consent

Clear affirmative act

Specific and unambiguous and covering all purposes

No pre-ticked boxes, can’t happen from inaction

Consent can be withdrawn, and this must be explained to the data subject

A record of active consent

Consent can’t be required for a service that would work without processing user data

Privacy policy

The privacy policy document is now significantly more controlled

Among many other things, it must state how long data is stored (or the criteria used to set the storage period)

Any automated decision-making that can significantly affect the data subject also has to be described

The same information is also required for data obtained from third parties

Access to the data

Access to the data has to be given, as before

If the request comes “by electronic means”, the information needs to be provided in a “commonly used electronic form”

Time limit is one month, but with some exceptions when it can be extended

First copy needs to be free of charge

Restricting processing

A data subject has a right to restrict processing of their data

Essentially this means temporarily removing the data from the system, as it needs to be “clearly indicated” and the data “cannot be changed”

The regulation specifically allows temporary removal of data

Portability

Data subjects have the right to have their data ported to them or a new service provider in “commonly used and machine-readable format”

This applies only to data “which he or she has provided to a controller”

And with some limitations

Objecting

If personal data is processed for profiling, especially for direct marketing purposes, there’s a right to object, which stops the processing

Online services need to provide a method of objecting by electronic means

The data subject has a right to contest automated decision-making if it has legal or similarly significant consequences for them

Erasure

Data subject has a right to get his/her data removed permanently from the system

Again, if an online service, requesting erasure should be possible via electronic means

Controller should take “reasonable steps” to get the data, links to it, copies or replications removed, too

Removal should be done “without undue delay”

Data breach

Processors need to inform the controller “without undue delay after becoming aware of it”, without exceptions

Controllers need to inform the authorities within 72 hours after becoming aware of the breach

In some cases, the controller will need to inform the data subjects about the breach

Governance

Privacy Impact Assessments (PIA; in the regulation’s own terms, data protection impact assessments)

Data Protection Officer (DPO)

Records of processing activities

A processor using sub-processors needs prior written authorisation from the controller

Governance

Privacy by design, or “data protection by design and data protection by default”

Transfers

Transfers outside EEA (European Economic Area) are still restricted

Safe Harbor has been replaced with Privacy Shield, a brand-new framework under which US companies self-certify in order to host data regulated by the GDPR

Administrative fines

New to many EU member states, the GDPR defines administrative fines in two tiers

Up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, or

Up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher

From regulation to action

A lot of lobbying to leave things open

Quite a lot of leeway for derogations

Member states can define a lot of things locally

More information from the EU about interpreting GDPR coming late 2017

Local legislation changes will be published in their own schedules, varying per member state

What’s bothering me about all this?

90 / 10 %

Documentation vs. reality

Documentation vs. reality

Privacy policies (as well as PIAs) are usually written by non-technical people who interview developers and systems engineers

We automatically simplify complex concepts when talking with non-technical people

We try to help them understand the high level, and we’ve been told not to go into technical details with these people

SaaS services you don’t think about

Residual data

Data leaves a trace when going through a system

Varnish cache in front

Web servers, Nginx, PHP-FPM

Memcache, Redis or disk caches

User images

Backups of the servers

MySQL logs

Binary logs on all servers

Backups of binary logs

Ad-hoc database dumps made by developers

Production dumps copied to the staging environment

Integration platform logs and local caches

Integration platform MongoDB oplogs

SaaS messaging platform logs and internal database

All those lovely SaaS cloud services to ease your life

Finally, all the backups of your master data system

Residual data

Data flows are complicated

Residual data is easily overlooked and forgotten

Removal of data becomes very problematic in the real world

Removing from backups

What’s electronic format?

Electronic format

There are a lot of requirements for providing data in an electronic format

Most systems keep data spread across stores in a layout optimised for the application, not for aggregation

Automated privacy panels that aggregate a subject’s data need to be built
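As an added example (not code from the slides or from Exove), here is one way to make the residual-data and electronic-format points concrete in Python: a registry of the stores where one subject’s data lives, a JSON-ready export that aggregates across them, an erasure pass that deletes, redacts or documents retention per store, and a residual scan run afterwards. The store names, records and log lines are constructed stand-ins, and the delete/redact/immutable modes are an assumption of the example, not something the regulation or the deck prescribes.

```python
"""
Added example, not from the slides: a registry of the places one person's data
lives (primary DB, session cache, web server log, an off-site backup), with a
subject export, an erasure pass and a residual-data scan. Every store name,
record and log line below is a constructed stand-in.
"""
import json
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Store:
    """One place personal data lives and what erasure can do there (assumed modes)."""
    name: str
    records: list   # dict rows (DB/cache) or raw strings (log lines)
    mode: str       # "delete": drop matching rows; "redact": mask identifiers in place;
                    # "immutable": cannot be changed (backups, write-once logs)
    note: str = ""  # why data is retained and when it will expire


# Constructed sample data, standing in for the stores the slides list.
USERS = [{"id": 42, "email": "anna@example.com", "name": "Anna Example"},
         {"id": 7, "email": "bob@example.com", "name": "Bob Example"}]
SESSION_CACHE = [{"key": "sess:abc", "user_id": 42, "email": "anna@example.com"},
                 {"key": "sess:def", "user_id": 7, "email": "bob@example.com"}]
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2017:10:00:00 +0000] "GET /profile?email=anna@example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2017:10:01:00 +0000] "GET / HTTP/1.1" 200 128',
]
BACKUP_LOG = list(ACCESS_LOG)  # snapshot taken before erasure; cannot be edited in place

STORES: List[Store] = [
    Store("mysql.users", USERS, "delete"),
    Store("redis.sessions", SESSION_CACHE, "delete"),
    Store("nginx.access_log", ACCESS_LOG, "redact"),
    Store("backup.access_log.2017-01", BACKUP_LOG, "immutable",
          "Off-site snapshot; purged with the 90-day backup rotation"),
]


def subject_pattern(uid: int, email: str) -> "re.Pattern":
    """Identifiers that mark a record as the subject's.

    Records are matched on their JSON form, so the numeric id only matches as a
    whole JSON value under an id-like key, never as a substring of another number.
    """
    return re.compile("|".join([re.escape(email), rf'"(user_)?id": {uid}\b']))


def _matches(record, pattern: "re.Pattern") -> bool:
    return pattern.search(json.dumps(record, sort_keys=True)) is not None


def export_subject(uid: int, email: str) -> dict:
    """Aggregate every record about the subject, per store, into one machine-readable structure."""
    pattern = subject_pattern(uid, email)
    return {"subject": {"id": uid, "email": email},
            "stores": {s.name: [r for r in s.records if _matches(r, pattern)] for s in STORES}}


def erase_subject(uid: int, email: str) -> dict:
    """Erase what can be erased and report what cannot, so retained copies are documented."""
    pattern = subject_pattern(uid, email)
    result = {"erased": {}, "retained": {}}
    for s in STORES:
        if s.mode == "delete":
            before = len(s.records)
            s.records[:] = [r for r in s.records if not _matches(r, pattern)]
            result["erased"][s.name] = before - len(s.records)
        elif s.mode == "redact":
            # Logs are append-only in practice: mask the identifier instead of rewriting history.
            count = 0
            for i, line in enumerate(s.records):
                if _matches(line, pattern):
                    s.records[i] = pattern.sub("[redacted]", line)
                    count += 1
            result["erased"][s.name] = count
        else:
            result["retained"][s.name] = s.note
    return result


def residual_scan(uid: int, email: str) -> dict:
    """Count records that still reference the subject anywhere, immutable stores included."""
    pattern = subject_pattern(uid, email)
    return {s.name: sum(1 for r in s.records if _matches(r, pattern)) for s in STORES}


if __name__ == "__main__":
    print(json.dumps(export_subject(42, "anna@example.com"), indent=2))
    print(erase_subject(42, "anna@example.com"))
    print(residual_scan(42, "anna@example.com"))
```

Running the module exports Anna’s records from all four stores, erases them from the database and the cache, redacts her address in the live access log, and the residual scan afterwards still reports one copy in the backup snapshot: the case the deck warns about, where erasure “without undue delay” has to be reconciled with backups that can only expire. The scan deliberately runs over the raw store contents rather than trusting the erasure report, which is what catches copies in stores nobody listed.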

What to do?

Take the regulation seriously

Map out your systems, in full detail

Consider residual data

Consider the SaaS services you might be using

What to do?

For compliance, make sure technical personnel are involved

To understand the regulation, not just answer questions

This is a task not just for lawyers

What to do?

Make sure you protect yourself by contracts with your clients

Recap

GDPR is coming

GDPR is coming in May 2018

It’s a law automatically in all member states

It regulates not only controllers of data, but processors, too (you and me)

Fines are super-high, so you’ll want to comply

More rights for data subjects

Right to get data faster and in electronic format

Right to restrict processing (temporarily remove data)

Right to object to profiling for direct marketing, among other things

Right to move their data to another vendor with certain restrictions

Data needs to be easily collected in a widely used electronic format

Consent and governance

Consent forms need to change: more regulated content, consent must be requested separately, and it can be withdrawn

Governance dictates PIAs and records of processing

Data breaches must be notified to the authorities within 72 hours (and in some cases to the data subjects), and by processors to controllers without undue delay

Technical challenges

Documentation doesn’t reflect the details of the reality

Cloud and SaaS-heavy architectures are the norm

Residual data will become a problem for erasure

Data aggregation with self-service UIs for controlling it will be the only solution for many systems

Thanks. Questions?