GDPR. Practical advice

Everyone has heard of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which applies from 25 May 2018. The fines are large, so you will have to comply. Like any official document, it is written in dry language and can be interpreted in different ways. Over the past six months I analysed a dozen different web systems for GDPR compliance, and the same problems came up everywhere. The purpose of this article is therefore not to explain what the GDPR is (that has already been written about), but to give technical people practical advice on what needs to be done in their systems so that they comply with the GDPR.
 
 
A few interesting points about the regulation:
 
 
 
If there is at least one customer from Europe whose personal data you store, you automatically fall under the GDPR.

The regulation is based on three basic ideas: the protection of personal data, the protection of the rights and freedoms of natural persons with regard to their data, and restricting the movement of personal data within the European Union (Art. 1 GDPR).

The UK is still in the EU, so it falls under the GDPR; after Brexit the GDPR will be replaced by the Data Protection Bill, which is essentially very similar to the GDPR (https://ico.org.uk/for-organisations/data-protection-bill).

A serious limitation is the transfer of data to third countries. The European Commission determines which "third" countries, or which sectors or organisations within those countries, personal data may be transferred to (Art. 45 GDPR). Here is the list of permitted countries.

Clearly no supervisory authority is going to log into your system, which means that how strong the security of the system and its processes is can only be demonstrated "on paper". If the security of processes, systems and personal data is not documented, then the company does not comply with the GDPR. "The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation." (Art. 24 GDPR)
 
 

Implementation of GDPR in practice


 
Public pages on the site
 
 
 
The Privacy Policy is the main document required for GDPR compliance. It should cover:

Which personal and non-personal information the system collects, stated clearly

For what purposes the information is collected

What rights the user has (Art. 15 - 18 GDPR)

The data storage policy (Data Retention Policy)

Data cannot be stored longer than necessary for the purposes for which the personal data was collected (Art. 5 GDPR)

Transfers of data to other countries (international transfers of your personal data) (Art. 45 GDPR)

How the data will be protected

Contact information, including the legal address, and the contact details of the Data Protection Officer, if there is one

Terms of Use: add, in bold, a statement that the system does not purposefully work with children or children's content. Otherwise you need to add age-check functionality to the system (a checkbox on the registration page) and obtain parental consent if the user is under 16 (Art. 8 GDPR).

A Compliance & Security page is optional, but users are already asking what you are doing about the GDPR, so it is better to have a page where you describe in detail how you organise data protection

Payment Policy, Cookie Policy: describe how payments are made and which cookies the system uses
 
 
Registration page



The number of fields should be minimal and reasonable ("data minimisation", Art. 5 GDPR)

Granular consent (Art. 7 GDPR):

A mandatory checkbox for agreeing to the Terms of Use and Privacy Policy

A separate checkbox if you want to subscribe the user to the mailing list
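The server-side half of the registration page above, as an added example that is not part of the original article: it rejects fields the form should not carry (data minimisation), treats the Terms of Use / Privacy Policy checkbox as mandatory, keeps the mailing-list checkbox as a separate consent that is never granted by default, and records each decision with a policy version and timestamp so consent can later be demonstrated. The field names, policy version strings and the sample submission are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed policy version identifiers; a real system loads these from its
# configuration so that each consent record says which text the user agreed to.
TERMS_VERSION = "terms-2018-05"
PRIVACY_VERSION = "privacy-2018-05"

# Data minimisation: the form may carry only these fields and nothing else.
ALLOWED_FIELDS = {"email", "password", "display_name"}
REQUIRED_FIELDS = {"email", "password"}
CONSENT_FIELDS = {"accept_terms", "marketing_opt_in"}


@dataclass
class ConsentRecord:
    purpose: str           # "terms_and_privacy" or "marketing_email"
    granted: bool
    policy_version: str
    recorded_at: str       # ISO-8601 UTC timestamp, kept as evidence (Art. 7)


@dataclass
class RegistrationResult:
    ok: bool
    errors: List[str] = field(default_factory=list)
    consents: List[ConsentRecord] = field(default_factory=list)


def checkbox_ticked(value) -> bool:
    """HTML checkboxes arrive as "on"/"true"/"1" when ticked and are absent when not."""
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    return str(value).strip().lower() in {"on", "true", "1", "yes"}


def validate_registration(form: dict, now: Optional[datetime] = None) -> RegistrationResult:
    """Server-side check of a registration submission.

    - unknown fields are rejected (data minimisation, Art. 5)
    - the Terms of Use / Privacy Policy checkbox is mandatory
    - the mailing-list checkbox is a separate consent that defaults to *not*
      granted: an absent value is never treated as consent (Art. 7)
    Every consent decision is recorded with the policy version and a timestamp.
    """
    now = now or datetime.now(timezone.utc)
    result = RegistrationResult(ok=True)

    extra = set(form) - ALLOWED_FIELDS - CONSENT_FIELDS
    if extra:
        result.errors.append(f"unexpected fields: {sorted(extra)}")
    missing = REQUIRED_FIELDS - set(form)
    if missing:
        result.errors.append(f"missing required fields: {sorted(missing)}")

    accept_terms = checkbox_ticked(form.get("accept_terms"))
    marketing = checkbox_ticked(form.get("marketing_opt_in"))
    if not accept_terms:
        result.errors.append("Terms of Use and Privacy Policy must be accepted")

    stamp = now.isoformat()
    result.consents.append(ConsentRecord("terms_and_privacy", accept_terms,
                                         f"{TERMS_VERSION}+{PRIVACY_VERSION}", stamp))
    result.consents.append(ConsentRecord("marketing_email", marketing, PRIVACY_VERSION, stamp))

    result.ok = not result.errors
    return result


if __name__ == "__main__":
    # Constructed submission: terms accepted, marketing checkbox left unticked.
    r = validate_registration({"email": "alice@example.com", "password": "s3cret",
                               "accept_terms": "on"})
    print(r.ok, [(c.purpose, c.granted) for c in r.consents])
```

The point of storing a `ConsentRecord` for the marketing purpose even when it is not granted is that the system can later show what the user was asked and what they answered, which is what a supervisory authority will want to see on paper.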
 
 
User Profile Page
 
 
 
The user should be able to change any field about themselves (Art. 16 GDPR)

Delete Account button (Art. 17 GDPR). The user must be able to remove themselves and all of their information from the system.

Restrict Processing button (Art. 18 GDPR). If the user has turned this mode on, their personal information must no longer be accessible publicly, to other users, or even to system administrators. As the GDPR positions it, for the user this is an alternative to complete removal from the system.

Export Personal Data button (Art. 20 GDPR). The export can be in any format: XML, JSON, CSV

Again, granular consent (Art. 7 GDPR):

The ability to give or withdraw consent to the system's processing of personal data for particular actions (for example, subscription to news or marketing material)
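The profile-page buttons listed above, implemented against an in-memory user store as an added example (not code from the original article): rectification of any field (Art. 16), deletion (Art. 17), a restrict-processing mode that withholds personal fields from every viewer except the user, administrators included (Art. 18), a JSON export (Art. 20), and per-purpose consent toggles (Art. 7). The field schema, the viewer roles and the sample user are constructed for the example.

```python
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, Optional

# Constructed schema: which of the user's fields count as personal data.
PERSONAL_FIELDS = {"email", "full_name", "phone", "address"}
EDITABLE_FIELDS = PERSONAL_FIELDS  # Art. 16: the user may correct any of them


@dataclass
class User:
    user_id: int
    email: str
    full_name: str
    phone: str = ""
    address: str = ""
    processing_restricted: bool = False                      # Art. 18 mode, off by default
    consents: Dict[str, bool] = field(default_factory=dict)  # Art. 7, one flag per purpose


class UserStore:
    """In-memory stand-in for the user table; each method maps onto a profile-page button."""

    def __init__(self) -> None:
        self._users: Dict[int, User] = {}

    def add(self, user: User) -> None:
        self._users[user.user_id] = user

    def update_field(self, user_id: int, name: str, value: str) -> None:
        """Art. 16 (rectification): the user edits one of their own fields."""
        if name not in EDITABLE_FIELDS:
            raise ValueError(f"{name} is not a user-editable field")
        setattr(self._users[user_id], name, value)

    def set_consent(self, user_id: int, purpose: str, granted: bool) -> None:
        """Art. 7: give or withdraw consent for one purpose (e.g. "marketing_email")."""
        self._users[user_id].consents[purpose] = granted

    def set_restricted(self, user_id: int, restricted: bool) -> None:
        """Art. 18: switch restriction of processing on or off."""
        self._users[user_id].processing_restricted = restricted

    def view(self, user_id: int, viewer: str) -> Optional[dict]:
        """Return the profile as seen by `viewer` ("self", "user", "public" or "admin").

        When processing is restricted, personal fields are withheld from everyone
        except the user themselves; administrators get the same reduced view.
        """
        user = self._users.get(user_id)
        if user is None:
            return None
        data = asdict(user)
        if user.processing_restricted and viewer != "self":
            return {k: v for k, v in data.items() if k not in PERSONAL_FIELDS}
        return data

    def export(self, user_id: int) -> str:
        """Art. 20 (portability): the user's data as JSON, a machine-readable format."""
        return json.dumps(asdict(self._users[user_id]), indent=2, sort_keys=True)

    def delete(self, user_id: int) -> bool:
        """Art. 17 (erasure): remove the user and everything stored about them."""
        return self._users.pop(user_id, None) is not None


if __name__ == "__main__":
    store = UserStore()
    store.add(User(1, "alice@example.com", "Alice Example", phone="+00 000"))  # constructed record
    store.set_restricted(1, True)
    print(store.view(1, "admin"))   # personal fields withheld
    print(store.export(1))
    print(store.delete(1))
```

In a real system the erasure in `delete` would also have to reach backups, logs and integrated services; the restrict mode is implemented as a filter at read time so that nothing has to be copied or moved when the user toggles it.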
 
 
Additional functionality
 
 
 
Automatic deletion or anonymisation of personal data that is no longer needed (Art. 5 GDPR), for example the personal information in orders that have already been processed.

Automatic deletion of personal data in the other services the system is integrated with (Art. 19 GDPR)
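Both points above, as an added example that is not code from the original article: a retention job that overwrites the personal fields of orders completed longer ago than the retention period while keeping the non-personal amount and status, and an erasure-propagation step that calls every integrated service and records which calls failed so they can be retried. The retention period, the order schema, the sample orders and the two stand-in integrations are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

RETENTION_DAYS = 90              # constructed retention period for completed orders
ANONYMISED = "[anonymised]"      # marker written into personal fields


@dataclass
class Order:
    order_id: int
    customer_email: str
    shipping_address: str
    total_cents: int                  # non-personal; kept for accounting
    status: str                       # "pending", "completed", ...
    completed_at: Optional[datetime]


def anonymise_expired_orders(orders: List[Order], now: datetime,
                             retention_days: int = RETENTION_DAYS) -> List[int]:
    """Art. 5 retention job: strip personal fields from orders completed longer ago
    than the retention period. The order row, with its amount and status, is kept;
    only the fields identifying the customer are overwritten. Returns the ids of
    the orders changed so the run can be logged as evidence."""
    cutoff = now - timedelta(days=retention_days)
    changed: List[int] = []
    for order in orders:
        if order.status != "completed" or order.completed_at is None:
            continue                      # still needed for the original purpose
        if order.completed_at >= cutoff:
            continue                      # within the retention period
        if order.customer_email == ANONYMISED:
            continue                      # already handled on an earlier run
        order.customer_email = ANONYMISED
        order.shipping_address = ANONYMISED
        changed.append(order.order_id)
    return changed


def propagate_erasure(subject_id: str,
                      integrations: Dict[str, Callable[[str], bool]]) -> Dict[str, bool]:
    """Art. 19: after a deletion, tell every integrated service to erase the subject too.

    Each integration is a callable that erases the subject and returns True on
    success. A False result or an exception is recorded rather than silently
    dropped, so the job can retry it and the controller can show what was done."""
    results: Dict[str, bool] = {}
    for name, erase in integrations.items():
        try:
            results[name] = bool(erase(subject_id))
        except Exception:                 # e.g. the service is unreachable
            results[name] = False
    return results


def sample_orders(now: datetime) -> List[Order]:
    """Constructed data: one old completed order, one recent one, one old but pending."""
    return [
        Order(1, "alice@example.com", "1 Main St", 1999, "completed", now - timedelta(days=200)),
        Order(2, "bob@example.com", "2 High St", 500, "completed", now - timedelta(days=10)),
        Order(3, "carol@example.com", "3 Low St", 750, "pending", None),
    ]


def crm_erase_unreachable(subject: str) -> bool:
    """Stand-in for an integration whose API is down."""
    raise ConnectionError("crm unreachable")


def retention_demo() -> dict:
    """Run both jobs over the constructed data and return everything worth checking."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    orders = sample_orders(now)
    first_run = anonymise_expired_orders(orders, now)
    second_run = anonymise_expired_orders(orders, now)   # a repeat run changes nothing
    propagation = propagate_erasure("alice@example.com", {
        "mailing_list": lambda subject: True,              # stand-in for a working API
        "crm": crm_erase_unreachable,
    })
    return {"first_run": first_run, "second_run": second_run,
            "orders": orders, "propagation": propagation}


if __name__ == "__main__":
    print(retention_demo())
```

The job is written to be idempotent so it can run on a schedule; the returned ids and the per-integration results are what you would write to an audit log to document that the retention and erasure obligations were actually carried out.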
 
 

Organizational measures for data protection


 
Develop the following policies and documents:
 
 
 
Personal Data Protection Policy (Art. 24(2) GDPR)

Inventory of Processing Activities (Art. 30 GDPR)

Security incident response policy. Within 72 hours you must notify your supervisory authority of the breach (Art. 33 GDPR), and you must notify the data subjects that their data has been breached (although under certain conditions this is not required) (Art. 34 GDPR)

Data Breach Notification Form to the Supervisory Authority (Art. 33 GDPR)

Data Breach Notification Form to the Data Subjects (Art. 34 GDPR)
 
Data Retention Policy Articles 5 (1) (e), 13 (1), 1? 30
 
 
"Nice to have" policies
 
 
 
Data Disposal Policy
 
Backup policy
 
System access control Policy
 
SLA and escalation procedures
 
Cryptographic control policy
 
Disaster Recovery and business continuity
 
Coding standards and rollout procedure
 
Employment policy and processes
 
To avoid producing a pile of documents, you can combine them into a single IG Policy (Information Governance Policy)
 
 

Technical measures for data protection


 
The GDPR gives no clear guideline on which security controls to use, but the architecture should be built on the principle of data protection by design and by default (Art. 25 GDPR). Typical measures:
 
 
 
Firewalls, VPN access

Encryption of data at rest (whole disk, database encryption)

Encryption of data in transit (HTTPS, IPsec, TLS, PPTP, SSH)

Access control (physical and technical)

Intrusion Detection/Prevention, health monitoring

Backup encryption

Two-factor authentication, strict authorisation

Antivirus

And others, depending on the system
 
 
A few specific points where it may be necessary to involve lawyers:



Processing of "special" data (Art. 4 GDPR) is prohibited by default. Collecting personal information about health, sex life and sexual orientation, biometric and genetic data, and philosophical and religious beliefs is prohibited (Art. 9 GDPR), except in the cases described in Art. 9 GDPR itself

If the controller or processor is not registered in the EU, an official and documented representative in the EU must be appointed (Art. 27 GDPR)

All subcontractors the data controller works with, wherever they are, must also comply with the GDPR, and the corresponding changes must be made to the contracts (Art. 28 GDPR)

A subcontractor may not use the services of another subcontractor without the written consent of the data controller (Art. 28 GDPR)

There are serious restrictions on data transfers, so read all the transfer conditions if data is sent or stored outside the EU (Chapter 5 GDPR)

Data Protection Officer. This role is mandatory if special categories of data are processed or the processing is performed by a public authority (Art. 37 GDPR)

United Kingdom: Information Commissioner's Office (ICO) registration

Ordinary users can also send their questions and complaints about how a particular company protects their data, after which proceedings begin (https://ico.org.uk/for-the-public/raising-concerns/)

Companies also need to report personal data breaches and leaks there

Not all organisations are required to register and pay annual fees to the ICO, only those that meet certain conditions (https://ico.org.uk/for-organisations/register/self-assessment/)
 
 

References


 
Regulation
 
Checklist for compliance with GDPR
 
Guide for contractual changes
 
A real example of a fine for companies that sent a newsletter without users' consent
 
 
Denis Koloshko, CISSP