GDPR. Practical tips
Everyone has heard of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will enter into force on May 25, 2018. The fines are large, so compliance is necessary. Like any official document, it is written dryly and can be interpreted in different ways. Over the past six months, I have analyzed dozens of different web systems for GDPR compliance, and the same problems have come up everywhere. The purpose of this article is therefore not to explain what the GDPR is (much has already been written about that), but to give technical people practical advice on what needs to be done in your system so that it complies with the GDPR.
A couple of interesting points on the rules:
- If there is at least one client from Europe whose personal data you store, you automatically fall under the GDPR
- The regulation is based on three main ideas: protecting personal data, protecting the rights and freedoms of natural persons with regard to their data, and restricting the movement of personal data within the European Union (Art. 1 GDPR)
- The UK is still in the EU and is therefore subject to the GDPR; after Brexit the GDPR will be replaced by the Data Protection Bill, which in its essence is very similar to the GDPR (https://ico.org.uk/for-organisations/data-protection-bill/)
- Data transfer to third countries is seriously limited. The European Commission determines to which “third” countries, or to which sectors or organizations in those countries, the transfer of personal data is permitted (Art. 45 GDPR). Here is a list of allowed countries.
- Obviously no one will let the supervisory body inside the system without a reason, which means that how good the security of the system and its processes is can only be demonstrated “on paper”. If the security of the processes, the system and the personal data is not documented, the company does not comply with the GDPR. “The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Art. 24 GDPR)
Putting GDPR into practice
Public pages on the site
- Privacy Policy - the main document required for GDPR compliance. It should clearly state:
  - Which personal and non-personal information the system collects
  - For what purposes the information is collected
  - What rights the user has (Art. 15 - 18 GDPR)
  - Data Retention Policy: data cannot be stored for longer than necessary for the purposes for which the personal data was collected (Art. 5 GDPR)
  - Transfer of data to other countries (international transfers of your personal data) (Art. 45 GDPR)
  - How the data will be protected
  - Contact information, including the legal address, and the Data Protection Officer's contacts, if any
- Terms of Use - if the system does not deliberately work with children or children's content, you must add the bold text “The Website is available only to individuals who are at least 16 years old.”; otherwise you need to add age-check functionality to the system in the form of a checkbox on the registration page and obtain parental consent if the user is under 16 (Art. 8 GDPR)
- Compliance & Security - optional, but users are already asking how you stand with the GDPR, so it's better to have a page that describes in detail how you organize data protection
- Payment Policy, Cookie Policy - describe how payments are processed and which cookies the system uses
Registration Page
- The number of fields should be minimal and reasonable ('data minimization') (Art. 5 GDPR)
- Granular consent (Art. 7 GDPR):
  - A mandatory checkbox agreeing to the Terms of Use and Privacy Policy
  - A separate checkbox if you want to subscribe the user to the mailing list
User Profile Page
- The user should be able to change any field about himself (Art. 16 GDPR)
- Delete Account button (Art. 17 GDPR). The user should be able to delete himself and all his information from the system.
- Restrict Processing Mode button (Art. 18 GDPR). If the user has enabled this mode, the personal information should no longer be publicly accessible, nor available to other users, nor even to system administrators. The GDPR positions this as an alternative to complete removal from the system.
- Export Personal Data button (Art. 20 GDPR). The data can be exported in any format: XML, JSON, CSV
- Granular consent (Art. 7 GDPR):
  - The ability to give or withdraw consent to the system's actions involving personal data (for example, subscribing to news or marketing material)
Additional functionality
- Automatic deletion or anonymization of personal data that is no longer needed (Art. 5 GDPR). For example, the personal information in orders that have already been processed.
- Automatic deletion of personal data in other, integrated services (Art. 19 GDPR)
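As an added illustration of the User Profile Page and Additional functionality items above (example code, not from the original article): a minimal data model with per-purpose consent (Art. 7), a restrict-processing mode that hides personal fields from every role including administrators (Art. 18), a JSON export (Art. 20), and a retention job that anonymises completed orders older than a retention period (Art. 5). The 180-day retention period, the field names and the sample orders are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta
RETENTION = timedelta(days=180)  # assumed value; your Data Retention Policy sets the real one
ANON = "<anonymised>"

@dataclass
class User:
    user_id: int
    email: str
    name: str
    consents: dict = field(default_factory=lambda: {"terms": False, "newsletter": False})  # Art. 7
    restricted: bool = False  # Art. 18 "restrict processing" mode

@dataclass
class Order:
    order_id: int
    user_id: int
    shipping_address: str
    completed_at: datetime = None  # None while the order is still open

def set_consent(user, purpose, granted):
    """Art. 7: consent is given or withdrawn per purpose; unknown purposes are rejected."""
    if purpose not in user.consents:
        raise KeyError(f"unknown consent purpose: {purpose}")
    user.consents[purpose] = granted

def view_profile(user, viewer_role):
    """Art. 18: once restricted, personal fields are hidden whatever the viewer_role, admins included."""
    if user.restricted:
        return {"user_id": user.user_id, "status": "processing restricted"}
    return {"user_id": user.user_id, "email": user.email, "name": user.name}

def export_personal_data(user, orders):
    """Art. 20: machine-readable (JSON) export of everything the system holds on the user."""
    mine = [asdict(o) for o in orders if o.user_id == user.user_id]
    return json.dumps({"profile": asdict(user), "orders": mine}, default=str, sort_keys=True)

def anonymise_stale_orders(orders, now):
    """Art. 5(1)(e): strip personal data from completed orders older than RETENTION; returns count."""
    stale = [o for o in orders if o.completed_at and now - o.completed_at > RETENTION and o.shipping_address != ANON]
    for o in stale:
        o.shipping_address = ANON
    return len(stale)

# Constructed sample data (not real people): two orders for user 1, one for user 2, evaluated as of NOW.
NOW = datetime(2018, 5, 25)
def sample_orders():
    return [Order(10, 1, "1 Main St", datetime(2017, 6, 1)), Order(11, 1, "1 Main St", datetime(2018, 5, 1)),
            Order(12, 2, "9 Other Rd", datetime(2017, 1, 1))]
```

Run `anonymise_stale_orders(sample_orders(), NOW)` from a scheduled job; in a real system the same rule would be applied to every table that carries personal data, not only orders.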
Organizational Data Protection Measures
Development of the following policies and documents
- Personal Data Protection Policy Art. 24 (2) GDPR
- Inventory of Processing Activities Art. 30 GDPR
- Security incident response policy: within 72 hours you must notify the supervisory authority of the breach (Art. 33 GDPR), and you need to notify the data subjects that their data has leaked (although under certain conditions this is not required) (Art. 34 GDPR)
- Data Breach Notification Form to the Supervisory Authority (Art. 33 GDPR)
- Data Breach Notification Form to the Data Subjects (Art. 34 GDPR)
- Data Retention Policy (Art. 5(1)(e), 13(1), 17, 30 GDPR)
“Nice to have“ policies
- Data Disposal Policy
- Backup policy
- System access control policy
- SLA and escalation procedures
- Cryptographic control policy
- Disaster Recovery and business continuity
- Coding standards and rollout procedure
- Employment policy and processes
- In order not to produce a bunch of documents, you can combine them into one IG Policy (Information Governance Policy)
Technical measures for data protection
There are no clear requirements in the GDPR which security controls to apply, but the architecture must be built on the principle of Data protection by design and by default (Art. 25 GDPR)
- Firewalls, VPN Access
- Encryption for data at rest (whole disk, database encryption)
- Encryption for data in transit (HTTPS, IPSec, TLS, PPTP, SSH)
- Access control (physical and technical)
- Intrusion Detection / Prevention, Health Monitoring
- Backups encryption
- 2-factor authentication, strict authorization
- Antivirus
- And others, depending on the system
A few specific points at which lawyers may be required are:
- Processing of 'special data' (Art. 4 GDPR) is prohibited by default. The collection of personal information regarding health, sexual life and orientation, biometric and genetic data, and philosophical and religious beliefs is prohibited (Art. 9 GDPR), except in the cases described in Art. 9 GDPR
- If the controller or processor is not registered in the EU zone, an official, documented representative in the EU is required (Art. 27 GDPR)
- All subcontractors that the data controller works with, no matter where they are located, must also comply with the GDPR, and the relevant changes must be made to the contracts (Art. 28 GDPR)
- The subcontractor is not entitled to use the services of another subcontractor without the written consent of the data controller (Art. 28 GDPR)
- There are serious restrictions on data transfer, so it is best to familiarize yourself with all transfer conditions if the data is sent or stored outside the EU (Chapter 5 GDPR)
- Data Protection Officer. This role is mandatory if a 'special category of data' is processed or the data is processed by a government agency (Art. 37 GDPR)
- United Kingdom. Information Commissioner's Office (ICO) registration
  - Ordinary users can also send their questions and complaints regarding the protection of their data by a particular company here, after which proceedings will begin (https://ico.org.uk/for-the-public/raising-concerns/)
  - Companies should also report hacks and leaks of personal data here
  - Not all organizations are required to register with the ICO and pay an annual fee, only those that meet certain conditions (https://ico.org.uk/for-organisations/register/self-assessment/)
References
- Regulation
- GDPR Guideline Compliance
- Guidelines for Contract Changes
- A real example of a fine when companies send newsletters without user consent
Denis Koloshko, CISSP