Although the new law affects everyone, it has the most influence on us, the IT crowd. Interestingly, if you look at presentations about GDPR, they are mostly produced by lawyers and other people who will not tell you what it means in practice. The reason is simple: GDPR is an 88-page document written in a language not all IT people can understand. Therefore, DevClub does it for you. This is our translation of what GDPR means for IT, how it affects our development and business in general, and how kittens are connected to all of that.
Kirill is the father of DevClub and Senior Software Architect at MOVE Guides, a global mobility management company. He acts as technical visionary, designing the future of the people relocation solution using various technologies and stacks: AWS, GC, Kubernetes, Docker, Java, Go, .NET,…
3. 3 MOVEGUIDES.COM
What is GDPR?
• Stands for General Data Protection Regulation (Regulation (EU) 2016/679)
• Made for the EU
• Affects the whole world
• Replaces the 1995 Data Protection Directive (95/46/EC), by then 23 years old
• Took 4 years to draft
• Effective from 25.05.2018
• A game changer for the IT industry
• While it still can be interpreted in so many ways…
Are you ready?
• Gartner says 50% won’t be GDPR compliant by the end of 2018
• According to TrustArc:
• 61% have not started GDPR implementation
• 23% have begun implementation
• 11% say implementation is “well underway”
• 4% claim to be fully compliant with the GDPR
Consent
• Your permission for data collection and processing
• Must be clear and visible, with no pre-ticked boxes or other pre-defined acceptance
• One purpose of processing = one consent
• Withdrawing consent must be as easy as giving it
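How the consent rules above look in code, as an added example that is not part of the DevClub slides: an append-only consent ledger. Nothing is consented by default (no pre-ticked boxes), each purpose is consented separately, grant and withdraw have the same shape so the UI in front of them can be just as easy in both directions, and because events are never edited or deleted the ledger doubles as the evidence that consent was given. The purpose names, the event layout and `send_newsletter` are assumptions made for the example.

```python
"""Added example (not code from the DevClub slides): an append-only consent
ledger for the rules on the "Consent" slide. Purpose names, the event layout
and the send_newsletter() processing step are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # one purpose of processing = one consent
    action: str         # "grant" or "withdraw"
    text_version: str   # version of the consent wording the user actually saw
    at: datetime


class ConsentRequired(Exception):
    """Raised when processing is attempted without a valid consent."""


class ConsentLedger:
    """Events are only ever appended, never edited or deleted, so the ledger
    is also the record that shows consent was given and when it was withdrawn."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, action: str,
                text_version: str, at: Optional[datetime]) -> None:
        self._events.append(ConsentEvent(subject_id, purpose, action, text_version,
                                         at or datetime.now(timezone.utc)))

    # grant() and withdraw() deliberately mirror each other: withdrawing must be
    # as easy as giving consent, so the API gives the UI no reason to differ.
    def grant(self, subject_id: str, purpose: str, text_version: str,
              at: Optional[datetime] = None) -> None:
        self._append(subject_id, purpose, "grant", text_version, at)

    def withdraw(self, subject_id: str, purpose: str,
                 at: Optional[datetime] = None) -> None:
        prev = self.latest(subject_id, purpose)
        version = prev.text_version if prev else ""
        self._append(subject_id, purpose, "withdraw", version, at)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        # Current state is derived from the log: the last event for this
        # subject and this purpose wins.
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def is_consented(self, subject_id: str, purpose: str) -> bool:
        # No event at all means no consent: nothing is pre-ticked, and consent
        # for one purpose says nothing about any other purpose.
        ev = self.latest(subject_id, purpose)
        return ev is not None and ev.action == "grant"

    def require(self, subject_id: str, purpose: str) -> ConsentEvent:
        ev = self.latest(subject_id, purpose)
        if ev is None or ev.action != "grant":
            raise ConsentRequired(f"{subject_id} has not consented to {purpose}")
        return ev

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full audit trail for one subject and purpose, oldest first."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]


def send_newsletter(ledger: ConsentLedger, subject_id: str) -> str:
    """Hypothetical processing step: refuses to run without a current consent."""
    ev = ledger.require(subject_id, "newsletter")
    return f"sent newsletter to {subject_id} (consent text {ev.text_version})"


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("u1", "newsletter", "v1")       # explicit opt-in for one purpose
    print(send_newsletter(ledger, "u1"))
    print("analytics allowed:", ledger.is_consented("u1", "analytics"))  # False
    ledger.withdraw("u1", "newsletter")          # as easy as the grant
    print([e.action for e in ledger.evidence("u1", "newsletter")])
```

Storing the `text_version` with every grant matters in practice: when the consent wording changes, you can tell which users agreed to the old text and need to be asked again, instead of silently carrying their consent over.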
Not all data is equal
• Racial or ethnic origins
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Uniquely identifiable genetic or biometric data
• Data concerning health
• Data concerning sex life or sexual orientation
…is prohibited from collection and processing (unless an exception applies, for example you gave explicit consent, you manifestly made the data public yourself, or Union or Member State law allows collecting it!)
Check the data they use!
• It helps to prevent discrimination
• It helps to reverse engineer the processing algorithm!
Two types of data
• Manually inserted: should be easily accessible for review through the user interface
• Automatically collected: should be provided on demand, in a machine-readable format, free of charge! *
OK, why do we need data correction?
• It is your right to influence the result of data processing! (be sure you still provide correct data)
• And don’t forget, you have the right not to be subject to a decision based solely on automated processing which produces significant legal effects, like:
• Loans
• E-Recruiting
• Anything related to your performance at work, health, economic situation, personal preferences or interests, and so on and so forth (unless the State or your contract allowed that in advance)
IT reality
• The right to be forgotten means your data should be detached from processing (including searching and displaying) and stay immutable
• It is OK to have a “soft delete”/pseudonymization and to restrict the data from further modification
• Don’t forget to notify the third parties to whom the data was disclosed
• Do it, if it doesn’t (significantly) affect your business!
But should you comply at all?
• “The right of protection of personal data is not an absolute
right…”
• “The Regulation does not apply to issues of protection of
fundamental rights and freedom…”
• “…such as activities concerning national security”
• In other words, if the State wants data from you, forget about GDPR (at least for this dataset); you have other rules to comply with
Wait a minute, you said I can ignore that…
• Even if you have to comply, for an existing solution, in case you can prove that making it GDPR compliant has a (significant) impact on your business, adjustments „can be postponed“, with only one exception: consent
• For new solutions, GDPR compliance is „by design and by default“
GDPR in short (for IT)
• explain
• help to show data
• help to fix it
• export and import
• forget it!
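The four operations the deck boils GDPR down to for IT (show the data, help to fix it, export it, forget it) in one place, as an added example that is not code from the DevClub slides. It also implements the “IT reality” slide’s approach to the right to be forgotten: the row is soft-deleted and pseudonymised rather than dropped, it disappears from search and display, it can no longer be modified, and the caller is told which third parties to notify. The schema (`name`, `email`, `phone`, `signup_at`, `logins`, `recipients`) and the HMAC pseudonym scheme are assumptions made for the example; the pseudonym key is meant to live outside this database.

```python
"""Added example (not code from the DevClub slides): a user-record store with
access, rectification, export and erasure.  The schema and the HMAC-based
pseudonym are assumptions for illustration."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Fields the user typed in themselves (hypothetical schema); the only ones
# rectify() may change.  Everything else is collected automatically.
MANUAL_FIELDS = ("name", "email", "phone")


@dataclass
class UserRecord:
    user_id: str
    name: str
    email: str
    phone: str
    signup_at: str                                        # auto-collected, ISO 8601
    logins: List[str] = field(default_factory=list)       # auto-collected timestamps
    recipients: List[str] = field(default_factory=list)   # third parties given the data
    erased: bool = False
    erased_at: Optional[str] = None


class ErasedRecord(Exception):
    """Raised when something tries to display or modify a forgotten record."""


class UserStore:
    def __init__(self, pseudonym_key: bytes) -> None:
        self._rows: Dict[str, UserRecord] = {}
        # Key for the HMAC pseudonym.  Keep it outside this database (KMS/HSM);
        # destroying it turns pseudonymised rows into anonymous ones.
        self._key = pseudonym_key

    def add(self, rec: UserRecord) -> None:
        self._rows[rec.user_id] = rec

    def _live(self, user_id: str) -> UserRecord:
        rec = self._rows[user_id]
        if rec.erased:
            raise ErasedRecord(user_id)   # detached from processing, immutable
        return rec

    # "help to show data": everything held, manual and automatic alike
    def show(self, user_id: str) -> dict:
        return asdict(self._live(user_id))

    # "help to fix it": rectification, limited to the user-provided fields and
    # applied all-or-nothing
    def rectify(self, user_id: str, **changes: str) -> dict:
        rec = self._live(user_id)
        bad = [name for name in changes if name not in MANUAL_FIELDS]
        if bad:
            raise ValueError(f"not user-editable: {bad}")
        for name, value in changes.items():
            setattr(rec, name, value)
        return asdict(rec)

    # "export": a portable, machine-readable copy, including the automatically
    # collected data the UI never shows
    def export(self, user_id: str) -> str:
        return json.dumps(asdict(self._live(user_id)), indent=2, sort_keys=True)

    # search/display paths never see erased rows
    def find_by_email(self, email: str) -> Optional[UserRecord]:
        for rec in self._rows.values():
            if not rec.erased and rec.email == email:
                return rec
        return None

    # "forget it!": soft delete + pseudonymisation.  The row survives, its
    # identifying fields become an HMAC of the user id, collected activity is
    # dropped, and the recipients that must be told are handed back.
    def forget(self, user_id: str, now: Optional[datetime] = None) -> List[str]:
        rec = self._live(user_id)
        digest = hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()
        pseudonym = f"erased-{digest[:16]}"
        rec.name = rec.email = rec.phone = pseudonym
        rec.logins = []
        rec.erased = True
        rec.erased_at = (now or datetime.now(timezone.utc)).isoformat()
        to_notify, rec.recipients = rec.recipients, []
        return to_notify


if __name__ == "__main__":
    store = UserStore(pseudonym_key=b"demo-key-keep-this-elsewhere")
    # Constructed sample record, not real data.
    store.add(UserRecord("u1", "Ada", "ada@example.com", "+372 000 0000",
                         "2018-05-25T00:00:00+00:00",
                         logins=["2018-05-26T10:00:00+00:00"],
                         recipients=["mail-provider"]))
    store.rectify("u1", phone="+372 111 1111")
    print(store.export("u1"))
    print("notify:", store.forget("u1"))
    print("still searchable:", store.find_by_email("ada@example.com") is not None)
```

Using a keyed hash rather than a random token is what makes this pseudonymisation rather than anonymisation: whoever holds the key (and only them) can still link the row back to the user id while a legal hold or audit requires it, and deleting the key completes the erasure later without touching the rows again.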
Wait, they say I need an officer!
• DPO = Data Protection Officer, a security and GDPR expert reporting to the board, escalating (possible) breaches and helping to prevent them
• But still not accountable (e.g. not financially responsible) for failures
• You need one:
• If you are a public authority (except courts)
• If large-scale (or sensitive) data processing is your core business
• The role can be outsourced
Large-scale is…
…processing “a considerable amount of personal data at
regional, national or supranational level and which could affect a
large number of data subjects and which are likely to result in a
high risk”
…feels so precise, right?
Who will be checking all of that?
• The European Data Protection Board is already established
• Every State should have at least one supervisory authority
• No certification process is available (yet), but it „shall be voluntary and available via a process that is transparent“
• Nevertheless, fines are in place: up to 4% of annual worldwide turnover or €20m (whichever is higher) *
Welcome to Estonia!
„…in Estonia the fine is imposed by the supervisory authority in
the framework of a misdemeanour procedure <…>
Therefore the competent national courts should take into
account the recommendation by the supervisory authority
initiating the fine.“
I don’t care, my site is in Russia!
• GDPR applies to any site/service that offers goods or services to people in the EU (or monitors their behaviour), wherever it is hosted
• The Board/supervisory authority has the right to block/ban service providers, regions or whole countries if they don’t comply
Solidarity principle
Whether you are compliant or not depends on the compliance of the third parties you are using (and the third parties they are using (and the third parties they are using (and…)))
Should kittens comply?
No. GDPR is only for „natural persons“ (i.e. people). It is (still) safe to use their pictures, as they have no right to be forgotten.