GDPR. Practical advice

Everyone has heard of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which takes effect on 25 May 2018. The fines are large, and you will have to comply. Like any official document, it is written in dry language and can be interpreted in different ways. Over the past six months I analyzed a dozen different web systems for GDPR compliance, and the same problems came up everywhere. So the purpose of this article is not to explain what the GDPR is (plenty has already been written about that), but to give technical people practical advice on what needs to be done in your system so that it complies with the GDPR.

A couple of interesting points about the regulation:

If you store the personal data of even one customer from Europe, you automatically fall under the GDPR.

The regulation rests on three basic ideas: the protection of personal data, the protection of people's rights and freedoms with regard to their data, and limits on the movement of personal data within the European Union (Art. 1 GDPR).

The UK is still in the EU, so it falls under the GDPR; after Brexit the GDPR will be replaced by the Data Protection Bill, which is essentially very similar to the GDPR (https://ico.org.uk/for-organisations/data-protection-bill).

A serious limitation is the transfer of data to third countries. The European Commission determines which "third" countries, or which sectors or organizations within them, personal data may be transferred to (Art. 45 GDPR). Here is the list of permitted countries.

Obviously, nobody from the supervisory authority will log into your system, which means the only way to demonstrate how strong the security of the system and its processes is, is "on paper". If the security of processes, systems and personal data is not documented, the company does not comply with the GDPR: "The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation." (Art. 24 GDPR)
 
 

Implementation of GDPR in practice


 
Public pages on the site
 
 
 
Privacy Policy is the main document the GDPR requires. It should clearly state:

Which personal and non-personal information the system collects

For what purposes the information is collected

What rights the user has (Art. 15 - 18 GDPR)

The data storage policy (Data Retention Policy): data cannot be stored longer than necessary for the purposes for which the personal data was collected (Art. 5 GDPR)

Transfers of data to other countries (International transfers of your personal data), Art. 45 GDPR

How the data will be protected

Contact information, including the legal address, and the contact details of the Data Protection Officer, if there is one

Terms of Use: if the system does not deliberately work with children or children's content, add a statement to that effect in bold text; otherwise you need to add age-check functionality to the system: a checkbox on the registration page and obtaining parental consent if the user is under 16 (Art. 8 GDPR)

A Compliance & Security page is optional, but users are already asking how you stand with the GDPR, so it is better to have a page describing in detail how you organize data protection

Payment Policy, Cookie Policy: describe how payments are made and which cookies the system uses
 
 
Registration page

The number of fields should be minimal and reasonable ('data minimization'), Art. 5 GDPR

Granular consent, Art. 7 GDPR:

A mandatory checkbox confirming agreement with the Terms of Use and Privacy Policy

A separate checkbox if you want to subscribe the user to the mailing list
 
 
User Profile Page
 
 
 
The user should be able to change any field about themselves, Art. 16 GDPR

Delete Account button (Art. 17 GDPR). The user must be able to remove themselves and all of their information from the system.

Restrict Processing Mode button (Art. 18 GDPR). If the user has turned on this mode, their personal information must no longer be accessible publicly, to other users, or even to system administrators. The GDPR positions this as an alternative for the user to complete removal from the system.

Export Personal Data button, Art. 20 GDPR. The export can be in any machine-readable format: XML, JSON, CSV

Again, granular consent, Art. 7 GDPR: the ability to give or withdraw consent to each of the system's actions involving personal data (for example, subscription to news or marketing material)
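To make the profile-page requirements concrete, here is an added example (not code from the article) of an in-memory profile store that implements the rights listed above and the granular consent checkboxes from the registration page: timestamped, revocable per-purpose consent (Art. 7), rectification of any profile field (Art. 16), erasure (Art. 17), restricted processing that hides the record from every other viewer including administrators (Art. 18), and export as JSON or CSV (Art. 20). The store, the field names, the `ProfileStore` API and the sample users are assumptions; a real system would back this with its database and authentication layer.

```python
"""Data-subject rights on a user profile, backed by an in-memory store.

Added example (not from the article): the store, the field names and the
sample users are assumptions; a real system would back this with its
database and authentication layer.
"""
import csv
import io
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

EDITABLE_FIELDS = ("email", "name", "phone")  # assumed profile fields


@dataclass
class User:
    user_id: int
    email: str
    name: str
    phone: str = ""
    # purpose -> ISO timestamp of consent, or None once withdrawn (Art. 7)
    consents: dict = field(default_factory=dict)
    restricted: bool = False  # Art. 18 "restrict processing" flag


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ProfileStore:
    def __init__(self):
        self._users = {}
        self.audit = []  # (when, user_id, action): evidence for Art. 24

    def _log(self, user_id, action):
        # Every rights request is recorded so compliance can be demonstrated
        self.audit.append((_now(), user_id, action))

    def add(self, user):
        self._users[user.user_id] = user

    def exists(self, user_id):
        return user_id in self._users

    # Art. 7: one consent per purpose, timestamped, revocable at any time
    def set_consent(self, user_id, purpose, given):
        self._users[user_id].consents[purpose] = _now() if given else None
        self._log(user_id, f"consent:{purpose}:{'given' if given else 'withdrawn'}")

    def has_consent(self, user_id, purpose):
        return self._users[user_id].consents.get(purpose) is not None

    # Art. 16: the subject may rectify any field about themselves
    def update_field(self, user_id, name, value):
        if name not in EDITABLE_FIELDS:
            raise ValueError(f"not a user-editable field: {name}")
        setattr(self._users[user_id], name, value)
        self._log(user_id, f"rectify:{name}")

    # Art. 18: once restricted, nobody but the subject sees the data;
    # administrators get no exception, so the admin flag changes nothing here
    def set_restricted(self, user_id, restricted):
        self._users[user_id].restricted = restricted
        self._log(user_id, f"restrict:{restricted}")

    def view(self, user_id, viewer_id, viewer_is_admin=False):
        u = self._users[user_id]
        if u.restricted and viewer_id != user_id:
            return {"user_id": user_id, "status": "processing restricted"}
        return {"user_id": u.user_id, "email": u.email, "name": u.name, "phone": u.phone}

    # Art. 20: export everything held about the subject in a machine-readable format
    def export(self, user_id, fmt="json"):
        data = asdict(self._users[user_id])
        self._log(user_id, f"export:{fmt}")
        if fmt == "json":
            return json.dumps(data, indent=2)
        if fmt == "csv":
            buf = io.StringIO()
            writer = csv.writer(buf)
            writer.writerow(data.keys())
            # nested values (the consent map) are serialized as JSON inside the cell
            writer.writerow(json.dumps(v) if isinstance(v, dict) else v for v in data.values())
            return buf.getvalue()
        raise ValueError(f"unsupported format: {fmt}")

    # Art. 17: erasure of the account and everything held about it
    def delete(self, user_id):
        del self._users[user_id]
        self._log(user_id, "erase")


if __name__ == "__main__":
    store = ProfileStore()
    store.add(User(1, "alice@example.com", "Alice"))  # constructed sample user
    store.set_consent(1, "newsletter", True)
    store.set_restricted(1, True)
    print(store.view(1, viewer_id=2, viewer_is_admin=True))  # redacted, even for an admin
    print(store.export(1, "csv"))
```

The audit list is the part that matters for Art. 24: a consent flag alone proves nothing, but a timestamped record of when consent was given, withdrawn, exported or erased is what you can show "on paper".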
 
 
Additional functionality
 
 
 
Automatic deletion or anonymization of personal data that is no longer needed, Art. 5 GDPR. For example, the customer information in orders that have already been processed.

Automatic deletion of personal data in other services with which the system is integrated, Art. 19 GDPR
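As an added example (not code from the article), the following Python shows both of these jobs together: a scheduled retention pass that anonymizes the personal fields of processed orders older than a retention period while keeping the financial totals, an immediate anonymization of a subject's orders on account deletion, and an Art. 19 broadcaster that notifies each integrated service of the erasure and keeps a ledger so a failed notification is retried rather than lost. The order fields, the 180-day retention period and the recipient callbacks are assumptions.

```python
"""Retention-based anonymization of processed orders and propagation of
erasure to integrated services.

Added example (not from the article). The order fields, the 180-day
retention period and the recipient callbacks are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

ANON = "[anonymized]"
RETENTION_DAYS = 180  # assumed: how long a processed order keeps personal fields


@dataclass
class Order:
    order_id: int
    customer_email: str
    customer_name: str
    shipping_address: str
    total_cents: int
    status: str  # "open" or "processed"
    processed_on: Optional[date] = None


def is_expired(order: Order, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """True once a processed order has outlived the retention period (Art. 5)."""
    return (
        order.status == "processed"
        and order.processed_on is not None
        and (today - order.processed_on).days > retention_days
    )


def anonymize(order: Order) -> Order:
    """Strip the personal fields; the total stays so accounting records still add up."""
    order.customer_email = ANON
    order.customer_name = ANON
    order.shipping_address = ANON
    return order


def apply_retention(orders: List[Order], today: date, retention_days: int = RETENTION_DAYS) -> List[int]:
    """Scheduled job: anonymize every expired order exactly once. Returns the ids touched."""
    touched = []
    for order in orders:
        if order.customer_email != ANON and is_expired(order, today, retention_days):
            anonymize(order)
            touched.append(order.order_id)
    return touched


def erase_user_orders(orders: List[Order], email: str) -> List[int]:
    """On account deletion (Art. 17): anonymize the subject's orders immediately, whatever their age."""
    touched = []
    for order in orders:
        if order.customer_email == email:
            anonymize(order)
            touched.append(order.order_id)
    return touched


class ErasureBroadcaster:
    """Art. 19: notify every integrated service (recipient) of an erasure and
    keep a ledger so that failed notifications are retried, not forgotten."""

    def __init__(self) -> None:
        self._recipients: Dict[str, Callable[[str], bool]] = {}
        self.ledger: List[Tuple[str, str, bool]] = []  # (subject, recipient, ok)

    def register(self, name: str, handler: Callable[[str], bool]) -> None:
        self._recipients[name] = handler

    def _notify(self, subject_id: str, name: str) -> bool:
        try:
            ok = bool(self._recipients[name](subject_id))
        except Exception:  # a downstream outage must not abort the other notifications
            ok = False
        self.ledger.append((subject_id, name, ok))
        return ok

    def broadcast(self, subject_id: str) -> Dict[str, bool]:
        return {name: self._notify(subject_id, name) for name in self._recipients}

    def pending(self) -> List[Tuple[str, str]]:
        """(subject, recipient) pairs whose latest attempt failed."""
        latest = {}
        for subject_id, name, ok in self.ledger:
            latest[(subject_id, name)] = ok
        return [key for key, ok in latest.items() if not ok]

    def retry_pending(self) -> Dict[Tuple[str, str], bool]:
        return {(s, n): self._notify(s, n) for s, n in self.pending()}
```

Run `apply_retention` from a nightly job with `date.today()`; the `customer_email != ANON` guard makes repeated runs idempotent, and the ledger in `ErasureBroadcaster` is the record you would show a supervisory authority that recipients were informed.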
 
 

Organizational measures for data protection


 
Development of the following policies and documents
 
 
 
Personal Data Protection Policy Art. 24 (2) GDPR
 
Inventory of Processing Activities Art. 30 GDPR
 
Security incident response policy: within 72 hours you must notify your supervisory authority about the breach (Art. 33 GDPR), and you must notify the data subjects that their data has leaked, although under certain conditions this is not required (Art. 34 GDPR)
 
Data Breach Notification Form to the Supervisory Authority Art. 33 GDPR
 
Data Breach Notification Form to the Data Subjects Art. 34 GDPR
 
Data Retention Policy Articles 5 (1) (e), 13 (1), 1? 30
 
 
"Nice to have" policies
 
 
 
Data Disposal Policy
 
Backup policy
 
System access control Policy
 
SLA and escalation procedures
 
Cryptographic control policy
 
Disaster Recovery and business continuity
 
Coding standards and rollout procedure
 
Employment policy and processes
 
To avoid producing a pile of documents, you can combine them into a single Information Governance (IG) Policy
 
 

Technical measures for data protection


 
The GDPR gives no clear guideline on which security controls to use, but the architecture should be built on the principle of data protection by design and by default (Art. 25 GDPR)
 
 
 
Firewalls, VPN Access
 
Encryption for data at rest (whole disk, database encryption)
 
Encryption for data in transit (HTTPS, IPSec, TLS, PPTP, SSH)
 
Access control (physical and technical)
 
Intrusion Detection /Prevention, Health Monitoring
 
Backups encryption
 
Two-factor authentication, strict authorization
 
Antivirus
 
And others, depending on the system
 
 
A few specific points where it may be necessary to involve lawyers:

Processing of 'special categories of data' (Art. 4 GDPR) is prohibited by default. Collecting personal information about health, sex life and sexual orientation, biometric and genetic data, and philosophical and religious beliefs is prohibited (Art. 9 GDPR), except in the cases listed in Art. 9 GDPR

If the controller or processor is not established in the EU, an official, documented representative in the EU must be appointed (Art. 27 GDPR)

All subcontractors the data controller works with, wherever they are, must also comply with the GDPR, and the corresponding changes must be made to contracts (Art. 28 GDPR)

A subcontractor is not entitled to engage another subcontractor without the written consent of the data controller (Art. 28 GDPR)

There are serious restrictions on data transfers, so read all of the transfer conditions if data is sent or stored outside the EU (Chapter 5 GDPR)

Data Protection Officer. This role is mandatory if 'special categories of data' are processed or the processing is carried out by a public authority (Art. 37 GDPR)

United Kingdom: Information Commissioner's Office (ICO) registration

Ordinary users can also submit questions and complaints about the protection of their data by a given company, after which proceedings begin (https://ico.org.uk/for-the-public/raising-concerns/)

Companies also report break-ins and leaks of personal data here

Not all organizations are required to register with the ICO and pay the annual fee, only those that meet certain conditions (https://ico.org.uk/for-organisations/register/self-assessment/)
 
 

 
 
Denis Koloshko, CISSP