Everyone has heard of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which takes effect on May 25, 2018. The fines are large, so you have to comply. Like any official document, it is written dryly and can be interpreted in different ways. Over the past six months I have analyzed a dozen different web systems for GDPR compliance, and the same problems came up everywhere. So the goal of this article is not to explain what the GDPR is (much has already been written about that), but to give technical people practical advice on what needs to be done in your system so that it complies with the GDPR.
A couple of interesting points on the rules:
If you store the personal data of at least one customer from Europe, you automatically fall under the GDPR.
The regulation is based on three main ideas: protection of personal data, protection of the rights and freedoms of people with respect to their data, and restricting the movement of personal data within the European Union (Art. 1 GDPR).
The UK is still in the EU, so it falls under the GDPR; after Brexit the GDPR will be replaced by the Data Protection Bill, which is essentially very similar to the GDPR (https://ico.org.uk/for-organisations/data-protection-bill/).
Data transfer to third countries is seriously restricted. The European Commission determines which “third” countries, or which sectors or organizations in those countries, personal data may be transferred to (Art. 45 GDPR). Here is a list of allowed countries.
Clearly no one is going to let the supervisory authority inside the system, which means it is only “on paper” that you can demonstrate how strong the security of the system and its processes is. If the security of the processes, systems and personal data is not documented, the company is not GDPR-compliant. “It’s not a rule.” (Art. 24 GDPR)
Putting GDPR into practice
Public pages on the site
Privacy Policy - the main document required for GDPR compliance. It should clearly state:
What kind of personal and non-personal information the system collects
For what purposes the information is collected
What rights the user has (Art. 15 - 18 GDPR)
Data Retention Policy
Data cannot be stored longer than necessary for the purposes for which the personal data were collected (Art. 5 GDPR)
Data transfer to other countries (international transfers of your personal data) (Art. 45 GDPR)
How the data will be protected
Contact information, including the legal address; Data Protection Officer contacts, if any
Terms of Use - if you do not work with children or children’s content, you need to add a bold statement saying so; otherwise you need to add an Age Check to the system (a checkbox on the registration page) and obtain parental consent if the user is under 16 (Art. 8 GDPR)
Compliance & Security - optional, but users are already asking how you stand with the GDPR, so it is better to have a page that describes in detail how you organize data protection
Payment Policy, Cookie Policy - describe how payments are made and which cookies the system uses
Registration page
The number of fields must be minimal and reasonable (“data minimisation”) (Art. 5 GDPR)
Granular consent (Art. 7 GDPR):
A required checkbox confirming agreement with the Terms of Use and Privacy Policy
A separate checkbox if you want to subscribe the user to the mailing list
User profile page
The user should be able to change any field about himself (Art. 16 GDPR)
Delete Account button (Art. 17 GDPR). The user should be able to remove himself and all of his information from the system.
Restrict Processing Mode button (Art. 18 GDPR). If the user has turned on this mode, his personal information must no longer be accessible publicly, to other users, or even to system administrators. As the GDPR positions it, for the user this is an alternative to complete removal from the system.
Export Personal Data (Art. 20 GDPR). The data can be exported in any format: XML, JSON, CSV
Granular consent again (Art. 7 GDPR):
The ability to give / withdraw consent to the system’s processing of personal data for particular purposes (for example, subscribing to news or marketing material)
Additional functionality
Automatic deletion or anonymization of personal data that is no longer needed (Art. 5 GDPR). For example, the information in orders that have already been processed.
Automatic deletion of personal data in other services with which the system is integrated (Art. 19 GDPR)
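The profile-page features above (per-purpose consent under Art. 7, the Art. 18 restriction mode, the Art. 20 export) and the Art. 5 retention cleanup, sketched as an added Python example that is not part of the original article; the User model, its field names and the retention rule are assumptions.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class User:
    # Assumed simplified model (not the article's code): consents, Art. 18 flag, orders.
    user_id: int
    email: str
    name: str
    consents: dict = field(default_factory=dict)  # purpose -> (granted, timestamp)
    restricted: bool = False
    orders: list = field(default_factory=list)

    def set_consent(self, purpose: str, granted: bool) -> None:
        # Art. 7: consent per purpose, with the time it was given or withdrawn.
        self.consents[purpose] = (granted, datetime.now(timezone.utc).isoformat())

    def view(self, requester_role: str) -> dict:
        # Art. 18: while restricted, personal fields are masked for everyone but
        # the user, administrators included.
        if self.restricted and requester_role != "self":
            return {"user_id": self.user_id, "email": "[restricted]", "name": "[restricted]"}
        return {"user_id": self.user_id, "email": self.email, "name": self.name}

    def export_json(self) -> str:
        # Art. 20: machine-readable copy of everything held on the user.
        return json.dumps({"user_id": self.user_id, "email": self.email, "name": self.name,
                           "consents": self.consents, "orders": self.orders}, indent=2)

def anonymize_expired_orders(user: User, retention_days: int, now_iso: str) -> int:
    # Art. 5: orders completed before the retention window keep business data but
    # lose the fields identifying the customer. Returns the number anonymized.
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    changed = 0
    for order in user.orders:
        if "address" in order and datetime.fromisoformat(order["completed_at"]) < cutoff:
            order["name"] = "[anonymized]"
            del order["address"]
            changed += 1
    return changed

def demo() -> User:  # constructed sample data: one user, two completed orders
    u = User(1, "alice@example.test", "Alice", orders=[
        {"id": 10, "name": "Alice", "address": "1 Main St", "completed_at": "2017-01-01T00:00:00+00:00"},
        {"id": 11, "name": "Alice", "address": "1 Main St", "completed_at": "2018-05-01T00:00:00+00:00"}])
    u.set_consent("newsletter", True)
    u.set_consent("newsletter", False)  # withdrawn later: the latest state applies
    u.restricted = True
    return u
```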
Organizational data protection measures
Development of the following policies and documents:
Personal Data Protection Policy Art. 24 (2) GDPR
Inventory of Processing Activities Art. 30 GDPR
Security incident response policy: within 72 hours you must notify your supervisory authority of the leak (Art. 33 GDPR); you must also notify the data subject that their data has leaked (although under certain conditions you do not have to) (Art. 34 GDPR)
Data Breach Form to the Supervisory Authority Art. 33 GDPR
Data Breach Notification Form to the Data Subjects Art. 34 GDPR
So as not to produce a pile of documents, you can combine them into one IG Policy (Information Governance Policy)
Technical data protection measures
The GDPR gives no clear instructions on which security controls to apply, but the architecture should be built on the principle of data protection by design and by default (Art. 25 GDPR):
Firewalls, VPN Access
Encryption for data at rest (whole disk, database encryption)
Encryption for data in transit (HTTPS, IPSec, TLS, PPTP, SSH)
Access control (physical and technical)
Intrusion Detection / Prevention, Health Monitoring
Backups encryption
2-factor authentication, strict authorization
Antivirus
And others, depending on the system
Some specific points that will probably require involving lawyers:
Processing of “special data” (Art. 4 GDPR) is prohibited by default. Collecting personal information about health, sex life and sexual orientation, biometric and genetic data, and philosophical and religious beliefs is prohibited (Art. 9 GDPR), except in the cases described there (Art. 9 GDPR)
If the controller or processor is not registered in the EU, an official and documented representative in the EU must be appointed (Art. 27 GDPR)
All subcontractors with whom the data controller works, no matter where they are, must also comply with the GDPR, and the contracts must be amended accordingly (Art. 28 GDPR)
A subcontractor is not entitled to use the services of another subcontractor without the written consent of the data controller (Art. 28 GDPR)
There are serious restrictions on data transfer, so it is better to familiarize yourself with all the transfer conditions if data is sent or stored outside the EU (Chapter 5 GDPR)
Data Protection Officer. This role is required if “special categories of data” are processed or if the data is processed by a government agency (Art. 37 GDPR)
United Kingdom. Information Commissioner’s Office (ICO) registration
Ordinary users can also send their questions and complaints about how a company protects their data, after which proceedings will begin (https://ico.org.uk/for-the-public/raising-concerns/)
Companies are also required to report hacks and leaks of personal data.
Not all organizations must register and pay an annual fee to the ICO, only those who meet certain conditions (https://ico.org.uk/for-organisations/register/self-assessment/)