2. Agenda
• GDPR
• Principles
• Web Developer Role
• What Is Personal Data?
• Privacy By Design
• What are cookies
• What is a privacy notice?
3. We all have to become more diligent about:
• What data we collect,
• How we collect it, and
• What we do with it. In current turbulent times, these privacy obligations are about ethics as
well as law.
GDPR
• GDPR requires you to be more thoughtful about the sites
and services you build, more transparent about the ways you
collect and use data, more considerate of your users, and
more thorough in your development and documentation
processes.
• General Data Protection Regulation (GDPR), which becomes
enforceable across Europe on 25 May 2018. This is an
overhaul, modernization, and replacement of the existing
framework, the Data Protection Directive of 1995.
• GDPR adds is new definitions and requirements to reflect
changes in technology which simply did not exist in the Data
Protection Directive. It also tightens up requirements for
transparency, disclosure, and process.
4. Principles
• Purpose limitation
Data can be collected and used only for those purposes that have been
transmitted to the data subject and about which the consent was received.
Purpose must be “specified, explicit and legitimate”
• Data minimization
Personal data to be collected should be “adequate, relevant and limited to what is
necessary in relation to the purposes for which they are processed”.
• Accuracy
Personal data must be “accurate and where necessary kept up to date”. You must
make sure that you do not retain old and outdated contacts and ensure the
erasure of inaccurate personal data without delay
• Storage limitations
Company would have to set the retention period for personal data you collect and
justify that this period is necessary for your specific objectives
• Integrity and confidentiality
The principle of integrity and confidentiality requires you to handle personal data
“in a manner [ensuring] appropriate security”, which include “protection against
unlawful processing or accidental loss, destruction or damage”.
5. Principles
• "Implement anonymization or pseudonymization into the systems.
• Data anonymization is a type of information sanitization whose intent is privacy protection. It is the process
of removing personally identifiable information from data sets, so that the people whom the data describe
remain anonymous.
• Pseudonymization is a data management and de-identification procedure by which personally identifiable
information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms."
• Accountability
Company is responsible for compliance with the principles of the GDPR. It requires a thorough
documentation of all policies that govern the collection and procession of data.
6. Web Developer Role
Web developers have a major role to play here. After all, healthy data
protection practice is as much about the development side — code, data, and
security — as it is about the business side of process, information, and strategy.
Below, we’ll explore what you, as a developer, need to know about the new
data protection regime.
7. What Is
Personal Data?
This is defined as “any information relating to an
identified or identifiable natural person.” This can
be one piece of information or multiple data points
combined to create a record.
Beyond personal data there is also sensitive
personal data, defined as information about a
person’s:
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Health data
• Sex life or sexual orientation
• Past or spent criminal convictions
8. What Is
Personal Data?
GDPR expands the definition of personal data to include:
• Genetic data
• Biometric data (such as facial recognition or fingerprint logins)
• Location data
• Income
• Online identifiers
• IP addresses
• Mobile device IDs
• Browser fingerprints
• RFID tags
• MAC addresses
• Cookies
• Telemetry
• User account IDs
9. Privacy By
Design
The Privacy by Design framework has seven foundational principles:
• Privacy must be proactive, not reactive, and must anticipate privacy
issues before they reach the user. Privacy must also be preventative,
not remedial.
• Privacy must be the default setting. The user should not have to take
actions to secure their privacy, and consent for data sharing should not
be assumed.
• Privacy must be embedded into design. It must be a core function of
the product or service, not an add-on.
• Privacy must be positive sum and should avoid dichotomies. For
example, PbD sees an achievable balance between privacy and
security, not a zero-sum game of privacy or security.
• Privacy must offer end-to-end lifecycle protection of user data. This
means engaging in proper data minimization, retention and deletion
processes.
• Privacy standards must be visible, transparent, open, documented and
independently verifiable. Your processes, in other words, must stand
up to external scrutiny.
• Privacy must be user-centric. This means giving users granular privacy
options, maximized privacy defaults, detailed privacy information
notices, user-friendly options and clear notification of changes
10. What are
cookies
• Cookies are small text files that websites place on your device
as you are browsing. They are processed and stored by your
web browser. Cookies can also generally be easily viewed and
deleted.
• Cookies can store a wealth of data, enough to potentially
identify you without your consent. Cookies are the primary
tool that advertisers use to track your online activity so that
they can target you with highly specific ads.
Types of Cookies:
• Session cookies – These cookies are temporary and expire
once you close your browser (or once your session ends)
• Persistent cookies — This category encompasses all cookies
that remain on your hard drive until you erase them, or your
browser does, depending on the cookie’s expiration date. All
persistent cookies have an expiration date written into their
code, but their duration can vary. According to the ePrivacy
Directive, they should not last longer than 12 months
11. What are
cookies
Cookie GDPR compliance:
• Receive users’ consent before you use
any cookies except strictly necessary
cookies.
• Provide accurate and specific information
about the data each cookie tracks and its
purpose in plain language before consent
is received.
• Document and store consent received
from users.
• Allow users to access your service even if
they refuse to allow the use of certain
cookies
• Make it as easy for users to withdraw
their consent as it was for them to give
their consent in the first place
12. What is a privacy
notice?
• A privacy notice is a public document from an
organization that explains how that
organization processes personal data and how
it applies data protection principles. GDPR
provide detailed instructions on how to create
a privacy notice, placing an emphasis on
making them easy to understand and
accessible. If you are collecting data directly
from someone, you have to provide them with
your privacy notice at the moment you do so.
• The terms “privacy notice” and “privacy
policy” are interchangeable