GDPR. Practical advice

Everyone has heard of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which comes into force on 25 May 2018. The fines are large, so you will have to comply. Like any official document it is written in dry language and can be interpreted in different ways. Over the past six months I have analyzed a dozen different web systems for GDPR compliance, and the same problems came up everywhere. The purpose of this article is therefore not to explain what the GDPR is (plenty has already been written about that), but to give technical people practical advice on what needs to be done in a system so that it complies with the GDPR.
 
 
A few interesting points about the regulation:

If you have at least one customer from Europe whose personal data you store, you automatically fall under the GDPR.

The regulation is based on three basic ideas: the protection of personal data, the protection of the rights and freedoms of natural persons with regard to their data, and restrictions on the movement of personal data within the European Union (Art. 1 GDPR).

The UK is still in the EU, so it falls under the GDPR; after Brexit the GDPR will be replaced by the Data Protection Bill, which is essentially very similar to the GDPR (https://ico.org.uk/for-organisations/data-protection-bill).

A serious limitation is the transfer of data to third countries. The European Commission determines which "third" countries, or which sectors or organizations within them, personal data may be transferred to (Art. 45 GDPR). Here is the list of allowed countries.

Obviously, nobody is going to let the supervisory authority inside the system, which means that how good the security of the system and its processes is can only be demonstrated "on paper". If the security of processes, systems and personal data is not documented, the company does not comply with the GDPR: "The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing is carried out in accordance with this Regulation." (Art. 24 GDPR)
 
 

Implementation of GDPR in practice


 
Public pages on the site
 
 
 
Privacy Policy is the main document required for GDPR compliance. It should clearly state:

which personal and non-personal information the system collects;

for what purposes the information is collected;

what rights the user has (Art. 15 - 18 GDPR);

the data retention policy (Data Retention Policy): data may not be stored longer than necessary for the purposes for which the personal data was collected (Art. 5 GDPR);

transfers of data to other countries (International transfers of your personal data), Art. 45 GDPR;

how the data will be protected;

contact information, including the legal address, and the contact details of the Data Protection Officer, if there is one.

Terms of Use: if the system is not deliberately aimed at children or children's content, add a bold statement saying so; otherwise you need to add an age-check feature to the system (a checkbox on the registration page) and obtain parental consent if the user is under 16 (Art. 8 GDPR).

A Compliance & Security page is optional, but users are already asking what you are doing about the GDPR, so it is better to have a page describing in detail how you organize data protection.

Payment Policy, Cookie Policy: describe how payments are made and which cookies the system uses.
 
 
Registration page

The number of fields should be minimal and reasonable ('data minimization', Art. 5 GDPR).

Granular consent (Art. 7 GDPR):

A mandatory checkbox for agreement with the Terms of Use and Privacy Policy.

A separate checkbox if you want to subscribe the user to the mailing list.
 
 
User profile page

The user should be able to change any field about themselves (Art. 16 GDPR).

Delete Account button (Art. 17 GDPR). The user must be able to remove themselves and all of their information from the system.

Restrict Processing button (Art. 18 GDPR). If the user has switched this mode on, their personal information must no longer be accessible publicly, to other users, or even to system administrators. As the GDPR positions it, for the user this is an alternative to complete removal from the system.

Export Personal Data button (Art. 20 GDPR). You can export in any format: XML, JSON, CSV.

Again, granular consent (Art. 7 GDPR): the ability to give or withdraw consent to particular processing of personal data by the system (for example, subscription to news or marketing material).
 
 
Additional functionality

Automatic deletion or anonymization of personal data that is no longer needed (Art. 5 GDPR), for example the information in orders that have already been processed.

Automatic deletion of personal data in other services with which the system is integrated (Art. 19 GDPR).
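As an added illustration, not code from the article: a small Python model of the Delete Account and Restrict Processing actions from the profile page and of the automatic anonymization of processed orders. The store, the records, the 90-day retention period and the sample "today" are all constructed for the example.

```python
# Added example, not from the article: the profile-page rights above (Art. 17, 18) and
# retention-based anonymization of processed orders (Art. 5); all data is constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION_DAYS = 90                 # assumed retention period for processed orders
SAMPLE_TODAY = date(2018, 5, 25)    # constructed "today" for the sample data

@dataclass
class User:
    user_id: int
    email: str
    restricted: bool = False  # Art. 18 mode switched on by the user

@dataclass
class Order:
    user_id: Optional[int]
    shipping_address: str
    processed_on: Optional[date]  # None = still open, its data must be kept

def anonymize(orders):
    # strip personal data from the orders but keep the business record itself
    done = list(orders)
    for o in done:
        o.user_id, o.shipping_address = None, "[anonymized]"
    return len(done)

class PersonalDataStore:
    def __init__(self, users, orders):
        self.users = {u.user_id: u for u in users}
        self.orders = list(orders)
    def visible_users(self):
        # Art. 18: a restricted user is hidden from every lookup, admin ones included
        return [u.email for u in self.users.values() if not u.restricted]
    def delete_user(self, user_id):
        # Art. 17: drop the account and strip the subject's data from their orders
        del self.users[user_id]
        return anonymize(o for o in self.orders if o.user_id == user_id)
    def anonymize_stale_orders(self, today):
        # Art. 5(1)(e): processed orders older than the retention period lose personal data
        cutoff = today - timedelta(days=RETENTION_DAYS)
        return anonymize(o for o in self.orders if o.user_id is not None
                         and o.processed_on is not None and o.processed_on <= cutoff)

def build_sample_store():
    # constructed sample data: one restricted user, one processed and one open order
    return PersonalDataStore(
        [User(1, "alice@example.com", restricted=True), User(2, "bob@example.com")],
        [Order(1, "1 Main St", date(2018, 1, 5)), Order(2, "2 High Rd", None)])
```

Note that the open order keeps its data on the retention sweep and only loses it when its owner deletes the account, which is the distinction the two articles draw.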
 
 

Organizational measures for data protection

Development of the following policies and documents:

Personal Data Protection Policy (Art. 24(2) GDPR)

Inventory of Processing Activities (Art. 30 GDPR)

Security incident response policy: within 72 hours you need to notify your supervisory authority about the leak (Art. 33 GDPR), and you need to notify the data subjects that their data has leaked, although under certain conditions this is not required (Art. 34 GDPR)

Data Breach Notification Form for the Supervisory Authority (Art. 33 GDPR)

Data Breach Notification Form for the Data Subjects (Art. 34 GDPR)

Data Retention Policy (Art. 5(1)(e), 13(1), 1?, 30 GDPR)

"Nice to have" policies:

Data Disposal Policy

Backup Policy

System Access Control Policy

SLA and escalation procedures

Cryptographic Controls Policy

Disaster Recovery and Business Continuity

Coding standards and rollout procedure

Employment policy and processes

In order not to produce a pile of documents, you can combine them into a single IG Policy (Information Governance Policy).
 
 

Technical measures for data protection

The GDPR gives no clear guideline on which security controls to use, but the architecture should be built on the principle of data protection by design and by default (Art. 25 GDPR):

Firewalls, VPN access

Encryption of data at rest (whole-disk, database encryption)

Encryption of data in transit (HTTPS, IPSec, TLS, PPTP, SSH)

Access control (physical and technical)

Intrusion Detection/Prevention, health monitoring

Backup encryption

Two-factor authentication, strict authorization

Antivirus

And others, depending on the system
 
 
A few specific points on which it may be necessary to involve lawyers:

Processing of 'special data' (Art. 4 GDPR) is prohibited by default. Collecting personal information about health, sex life and sexual orientation, biometric and genetic data, and philosophical and religious beliefs is prohibited (Art. 9 GDPR), except in the cases described there (Art. 9 GDPR).

If the controller or processor is not registered in the EU, an official, documented representative in the EU must be appointed (Art. 27 GDPR).

All subcontractors the data controller works with, wherever they are, must also comply with the GDPR, and the corresponding changes must be made to contracts (Art. 28 GDPR).

A subcontractor is not entitled to use the services of another subcontractor without the written consent of the data controller (Art. 28 GDPR).

There are serious restrictions on data transfers, so it is better to read all the transfer conditions if data is sent or stored outside the EU (Chapter 5 GDPR).

Data Protection Officer. This role is mandatory if 'special categories of data' are processed or the processing is performed by a state authority (Art. 37 GDPR).

United Kingdom: Information Commissioner's Office (ICO) registration.

Ordinary users can also send the ICO their questions and complaints about how a particular company protects their data, after which proceedings begin (https://ico.org.uk/for-the-public/raising-concerns/).

Companies also report breaches and leaks of personal data here.

Not all organizations are required to register with the ICO and pay annual fees, only those that meet certain conditions (https://ico.org.uk/for-organisations/register/self-assessment/).
 
 

 
 
Denis Koloshko, CISSP