GDPR. Practical advice

Everyone has heard of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which becomes applicable on 25 May 2018. The fines are large, and compliance will have to match. Like any official document, it is written in dry language and can be interpreted in different ways. Over the past six months I have analyzed a dozen different web systems for GDPR compliance, and the same problems came up everywhere. The purpose of this article is therefore not to explain what the GDPR is (plenty has already been written about that), but to give technical people practical advice on what needs to be done in a system for it to comply with the GDPR.
A few noteworthy points about the regulation:
If you have even one customer in the EU whose personal data you store, you automatically fall under the GDPR (Art. 3 GDPR).
The regulation rests on three basic ideas: the protection of personal data, the protection of the rights and freedoms of natural persons with regard to their data, and the free movement of personal data within the European Union, which must not be restricted for data-protection reasons (Art. 1 GDPR).
The UK is still in the EU, so it falls under the GDPR; after Brexit the GDPR will be replaced by the Data Protection Bill, which is essentially very similar to the GDPR.
A serious limitation is the transfer of data to third countries. The European Commission decides which third countries, or which sectors or organizations within them, provide adequate protection so that personal data may be transferred to them (Art. 45 GDPR); the Commission publishes the list of these adequacy decisions.
It is clear that nobody from the supervisory authority will log in to your system, so what gets checked is how well the security of the system and its processes is demonstrated "on paper". If the security of processes, systems and personal data is not documented, the company does not comply with the GDPR: "The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation." (Art. 24 GDPR)

Implementation of GDPR in practice

Public pages on the site
Privacy Policy: the main document the GDPR requires. It should clearly state:
which personal and non-personal information the system collects
for what purposes the information is collected
what rights the user has (Art. 15-18 GDPR)
the Data Retention Policy: data may not be stored longer than necessary for the purposes for which it was collected (Art. 5 GDPR)
international transfers of personal data to other countries (Art. 45 GDPR)
how the data will be protected
contact information, including the legal address, and the contact details of the Data Protection Officer, if there is one
Terms of Use: if the system is not intended for children or children's content, add a clearly visible (bold) statement to that effect; otherwise you need to add age checks to the system (a checkbox on the registration page) and obtain parental consent if the user is under 16 (Art. 8 GDPR)
Compliance & Security page: optional, but users are already asking what you have done about the GDPR, so it is better to have a page where you describe in detail how you organize data protection
Payment Policy, Cookie Policy: describe how payments are made and which cookies the system uses
Registration page
The number of fields should be minimal and justified ('data minimisation', Art. 5 GDPR)
Granular consent (Art. 7 GDPR):
a mandatory checkbox agreeing to the Terms of Use and Privacy Policy
a separate, unticked checkbox if you want to subscribe the user to the mailing list (a pre-ticked box is not valid consent)
User profile page
The user should be able to change any field about himself (Art. 16 GDPR)
Delete Account button (Art. 17 GDPR): the user must be able to remove himself and all of his information from the system
Restrict Processing button (Art. 18 GDPR): if the user has turned this mode on, his personal information must no longer be available publicly, to other users, or even to system administrators; the data is kept in storage but not otherwise processed. The GDPR positions this as an alternative to complete removal from the system
Export Personal Data button (Art. 20 GDPR): the data must be provided in a structured, commonly used, machine-readable format, for example XML, JSON or CSV
Again, granular consent (Art. 7 GDPR): the ability to give and withdraw consent to specific processing of personal data (for example, subscription to news or marketing material); withdrawing consent must be as easy as giving it
Additional functionality
Automatic deletion or anonymization of personal data that is no longer needed (Art. 5 GDPR), for example the personal details in orders that have already been processed
Automatic deletion of personal data in other services with which the system is integrated, so that every recipient of the data is informed of the erasure (Art. 19 GDPR)
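As an added example (not part of the original article), here is how the profile-page functions above and the retention job can be implemented in Python. The schema (users, orders, a consent log), the 30-day retention window for completed orders, the field names and the sample records are all assumptions made for this example; a real system would back this with its database and audit log. Beyond the list itself it shows three things a practitioner has to get right: consent is recorded append-only with the policy version and timestamp so that it can be demonstrated (Art. 7(1)), erasure anonymises completed orders rather than deleting the accounting record, and restriction hides the profile from every reader, not only from the public.

```python
"""Data-subject-rights helpers for a web app: an added, constructed example covering
Art. 7 (demonstrable consent), Art. 17 (erasure), Art. 18 (restriction), Art. 20
(portability) and Art. 5(1)(e) (retention). Schema, window and records are assumed."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone

ORDER_RETENTION = timedelta(days=30)   # assumed: PII in completed orders lives 30 days
ERASED = "[erased]"

@dataclass
class Consent:
    purpose: str          # e.g. "newsletter"
    granted: bool         # True = given, False = withdrawn
    policy_version: str   # the text the user actually saw; needed to prove consent
    at: str               # ISO-8601 UTC timestamp of the click

@dataclass
class Order:
    order_id: str
    completed_at: str | None   # None while the order is still being processed
    shipping_name: str
    shipping_address: str
    total_cents: int           # accounting data, kept after anonymisation

@dataclass
class User:
    user_id: str
    name: str
    email: str
    restricted: bool = False   # Art. 18 flag
    consents: list[Consent] = field(default_factory=list)
    orders: list[Order] = field(default_factory=list)

def anonymise_order(o: Order) -> None:   # drop the person, keep the financial record
    o.shipping_name = ERASED
    o.shipping_address = ERASED

class PersonalDataStore:
    def __init__(self, now: datetime) -> None:
        self.now = now                  # injected clock so the retention job is testable
        self.users: dict[str, User] = {}
        self.archived_orders: list[Order] = []   # anonymised orders of erased users

    # Art. 7: the consent log is append-only so every grant/withdrawal can be shown
    def record_consent(self, uid: str, purpose: str, granted: bool, version: str) -> None:
        self.users[uid].consents.append(
            Consent(purpose, granted, version, self.now.isoformat()))

    def has_consent(self, uid: str, purpose: str) -> bool:
        for c in reversed(self.users[uid].consents):   # latest decision wins
            if c.purpose == purpose:
                return c.granted
        return False                                    # no record means no consent

    # Art. 18: data stays stored, but every reader, admins included, gets None
    def restrict(self, uid: str, restricted: bool = True) -> None:
        self.users[uid].restricted = restricted

    def profile_view(self, uid: str) -> dict | None:
        u = self.users[uid]
        return None if u.restricted else {"user_id": u.user_id, "name": u.name}

    # Art. 20: the user's own data in a structured, machine-readable format
    def export_json(self, uid: str) -> str:
        return json.dumps(asdict(self.users[uid]), indent=2, sort_keys=True)

    # Art. 17: delete the account; its orders survive only in anonymised form
    def erase(self, uid: str) -> None:
        u = self.users.pop(uid)
        for o in u.orders:
            anonymise_order(o)
        self.archived_orders.extend(u.orders)

    # Art. 5(1)(e): scheduled job stripping PII from orders past the retention window
    def apply_retention(self) -> int:
        count = 0
        for o in (o for u in self.users.values() for o in u.orders):
            if o.completed_at is None or o.shipping_name == ERASED:
                continue   # still in progress, or already anonymised
            if datetime.fromisoformat(o.completed_at) + ORDER_RETENTION < self.now:
                anonymise_order(o)
                count += 1
        return count

def build_demo_store() -> PersonalDataStore:
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)   # constructed sample data below
    store = PersonalDataStore(now)
    u = User("u1", "Anna Example", "anna@example.org")
    u.orders = [
        Order("o1", (now - timedelta(days=40)).isoformat(), u.name, "1 Example St", 1999),
        Order("o2", (now - timedelta(days=5)).isoformat(), u.name, "1 Example St", 500),
        Order("o3", None, u.name, "1 Example St", 100),
    ]
    store.users[u.user_id] = u
    return store
```

With the sample data, `build_demo_store().apply_retention()` anonymises only the order completed 40 days ago and leaves the recent and unfinished ones alone; `erase()` then drops the account but keeps the three anonymised orders with their amounts, which is what a bookkeeping obligation usually demands. The clock is injected rather than read from `datetime.now()` so the retention rule can be tested deterministically.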

Organizational measures for data protection

Development of the following policies and documents:
Personal Data Protection Policy (Art. 24(2) GDPR)
Inventory of Processing Activities (Art. 30 GDPR)
Security incident response policy: a personal data breach must be reported to your supervisory authority within 72 hours of becoming aware of it (Art. 33 GDPR), and the affected data subjects must be notified when the breach is likely to result in a high risk to them (Art. 34 GDPR also lists the conditions under which this notification is not required)
Data Breach Notification Form for the Supervisory Authority (Art. 33 GDPR)
Data Breach Notification Form for the Data Subjects (Art. 34 GDPR)
Data Retention Policy (Art. 5(1)(e), 13(2)(a), 14(2)(a) and 30 GDPR)
"Nice to have" policies
Data Disposal Policy
Backup policy
System access control Policy
SLA and escalation procedures
Cryptographic control policy
Disaster Recovery and business continuity
Coding standards and rollout procedure
Employment policy and processes
In order not to produce a bunch of documents, you can combine them into one IG Policy (Information Governance Policy)

Technical measures for data protection

The GDPR gives no specific list of security controls to use, but the architecture must follow the principle of data protection by design and by default (Art. 25 GDPR). Typical measures:
Firewalls, VPN access
Encryption of data at rest (full-disk encryption, database encryption)
Encryption of data in transit (HTTPS/TLS, IPsec, SSH; not PPTP, whose MS-CHAPv2 authentication has been broken for years)
Access control (physical and technical)
Intrusion Detection /Prevention, Health Monitoring
Backups encryption
2-factor authentication, Strict authorization
And others, depending on the system
A few specific points for which it may be necessary to involve lawyers:
Processing of 'special categories' of personal data is prohibited by default: collecting data on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data (defined in Art. 4 GDPR), health, sex life and sexual orientation is forbidden (Art. 9(1) GDPR), except in the cases listed in Art. 9(2) GDPR.
If the controller or processor is not established in the EU, an official, documented representative in the EU must be appointed (Art. 27 GDPR).
All subcontractors (processors) the data controller works with, wherever they are located, must also comply with the GDPR, and the corresponding changes must be made to the contracts (Art. 28 GDPR).
A subcontractor may not engage another subcontractor without the prior written authorization of the data controller (Art. 28 GDPR).
There are serious restrictions on data transfers, so read all the transfer conditions if data is sent to or stored outside the EU (Chapter 5 GDPR).
Data Protection Officer: this role is mandatory if processing is carried out by a public authority, if the core activities involve regular and systematic large-scale monitoring of data subjects, or if special categories of data are processed on a large scale (Art. 37 GDPR).
United Kingdom: Information Commissioner's Office (ICO) registration
Ordinary users can also send questions and complaints about how a given company protects their data to the ICO, after which an investigation begins.
Breaches and leaks of personal data also have to be reported to the ICO.
Not all organizations are required to register with the ICO and pay the annual fee, only those that meet certain conditions.


Checklist for compliance with GDPR
Guide for contractual changes
A real example of a fine when companies made a newsletter without the consent of users
Denis Koloshko, CISSP