Everyone has heard about the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which enters into force on May 25, 2018. The fines are big and everyone has to comply. Like any official document, it is written in a very official style and can be interpreted in different ways. Over the past six months we have analyzed a dozen different web systems for GDPR compliance, and everywhere we found the same problems. The purpose of this article is therefore not to explain what the GDPR is (much has already been written about that), but to give practical advice to technical people: what needs to be done in your system so that it complies with the GDPR.

A couple of interesting points on regulations

If you have at least one customer from Europe whose personal data you store, you automatically fall under the GDPR.

The regulation is based on three main ideas: the protection of personal data, the protection of the rights and freedoms of natural persons with regard to their data, and limiting the movement of personal data within the European Union (Art. 1 GDPR).

The UK is still in the EU, so it falls under the GDPR. After Brexit, the GDPR will be replaced by the Data Protection Bill, which is inherently very similar to the GDPR (https://ico.org.uk/for-organisations/data-protection-bill/).

There are serious restrictions on transferring data to third countries. The European Commission determines which “third” countries, or which sectors or organizations in those countries, personal data may be transferred to (Art. 45 GDPR). Here is the list of approved countries: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm

It is clear that a supervisory authority will not be allowed inside the system itself, which means that the reliability of the system's security and processes can only be demonstrated on paper. If the security of the processes, systems and personal data is not documented, then the company does not comply with the GDPR. “The controller shall implement the appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing is carried out in accordance with this Regulation.” (Art. 24 GDPR)

Implementation of the GDPR in practice

1. Public pages on the site

Privacy Policy is the main document that the GDPR requires. It should contain the following:

A clear statement of which personal and non-personal information the system collects

The purposes for which the information is collected

The rights a user has (Art. 15–18 GDPR)

Data Retention Policy

Data cannot be stored longer than is necessary for the purposes for which the personal data was collected (Art. 5 GDPR)

Transfer of data to other countries (international transfers of personal data), Art. 45 GDPR

How data will be protected

Contact information, including the legal address, and the contact details of the Data Protection Officer, if there is one

Terms of Use — you need to add the phrase in bold text “The Website is available only to individuals who are at least 16 years old” if the system does not work specifically with children or children’s content; otherwise, you need to add Age Check functionality in the form of a checkbox on the registration page and obtain parental consent if the user is less than 16 (Art. 8 GDPR).

A Compliance & Security page is optional, but users are already asking what about the GDPR, so it is better to have a resource where you describe in detail how data protection is organized.

Payment Policy and Cookie Policy describe how payments are made and which cookies the system uses.

2. Registration page

The number of fields should be minimal and reasonable (‘data minimization’, Art. 5 GDPR)

Granular Consent (Art. 7 GDPR):

A mandatory checkbox that a user agrees with the Terms of Use and Privacy Policy

A separate checkbox if you want to subscribe a user to a mailing list

3. User Profile Page

A user should be able to change any field about themselves (Art. 16 GDPR)

Delete Account button (Art. 17 GDPR). A user should be able to remove themselves and all of their information from the system.

Restrict Processing Mode button (Art. 18 GDPR). If a user has turned this mode on, their personal information should no longer be publicly accessible, nor visible to other users or even to system administrators. The GDPR makes it clear that for a user this is an alternative to complete removal from the system.

Export Personal Data button (Art. 20 GDPR). The export can be in any machine-readable format: XML, JSON, CSV.

And again Granular Consent (Art. 7 GDPR):

The ability to give or withdraw consent to each of the system's uses of personal data (for example, a subscription to news or marketing material)

4. Additional functionality

Automatic deletion or anonymization of personal data that is no longer needed (Art. 5 GDPR). For example, the personal information in orders that have already been processed.

Automatic deletion of personal data in other services with which the system is integrated (Art. 19 GDPR)
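To make sections 2–4 concrete, here is an added example (not code from the original article or from dhound.io) of a minimal in-memory model of the user-facing rights listed above: granular, withdrawable consent per purpose (Art. 7), rectification (Art. 16), erasure (Art. 17), restriction of processing that hides the profile from other users and administrators alike (Art. 18), a JSON export (Art. 20), and a scheduled retention job that anonymizes processed orders instead of keeping them forever (Art. 5). The data model, the field names, the 30-day retention period and the sample records are all assumptions made for the example.

```python
"""Added example: data-subject rights on an in-memory store (all names and values assumed)."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

PERSONAL_FIELDS = ("name", "email", "address")   # assumption: the profile's personal-data fields
ORDER_RETENTION = timedelta(days=30)             # assumption: retention period for fulfilled orders
ANONYMISED = "[anonymised]"                      # marker written over personal fields


@dataclass
class User:
    user_id: int
    name: str
    email: str
    address: str
    consents: Dict[str, dict] = field(default_factory=dict)  # purpose -> {"granted", "at"} (Art. 7)
    restricted: bool = False                                 # Art. 18 flag


@dataclass
class Order:
    order_id: int
    user_id: Optional[int]           # None once anonymised
    fulfilled_at: Optional[datetime]  # None while still being processed
    shipping_address: str


class PersonalDataStore:
    """Stand-in for the application database (example only)."""

    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.orders: List[Order] = []

    # Art. 7: one record per purpose; each can be granted or withdrawn on its own.
    def set_consent(self, user_id: int, purpose: str, granted: bool, now: datetime) -> None:
        self.users[user_id].consents[purpose] = {"granted": granted, "at": now.isoformat()}

    def may_process(self, user_id: int, purpose: str) -> bool:
        record = self.users[user_id].consents.get(purpose)
        return bool(record and record["granted"])

    # Art. 16: the subject may correct any of their own profile fields.
    def update_profile(self, user_id: int, **changes: str) -> None:
        user = self.users[user_id]
        for name, value in changes.items():
            if name not in PERSONAL_FIELDS:
                raise ValueError(f"not a profile field: {name}")
            setattr(user, name, value)

    # Art. 18: while restricted, nobody but the subject sees the profile, admins included.
    def view_profile(self, viewer_id: int, user_id: int) -> Optional[dict]:
        user = self.users[user_id]
        if user.restricted and viewer_id != user_id:
            return None
        return {name: getattr(user, name) for name in PERSONAL_FIELDS}

    # Art. 20: everything held about the subject in a machine-readable format (JSON here).
    def export_personal_data(self, user_id: int) -> str:
        user = self.users[user_id]
        payload = {
            "profile": {name: getattr(user, name) for name in PERSONAL_FIELDS},
            "consents": user.consents,
            "orders": [
                {"order_id": o.order_id, "shipping_address": o.shipping_address,
                 "fulfilled_at": o.fulfilled_at.isoformat() if o.fulfilled_at else None}
                for o in self.orders if o.user_id == user_id
            ],
        }
        return json.dumps(payload, indent=2, sort_keys=True)

    # Art. 17: erase the account; orders stay for accounting but lose every personal field.
    def delete_account(self, user_id: int) -> int:
        del self.users[user_id]
        return sum(self._anonymise(o) for o in self.orders if o.user_id == user_id)

    # Art. 5(1)(e): scheduled job; fulfilled orders past the retention period are anonymised.
    def purge_expired(self, now: datetime) -> int:
        return sum(self._anonymise(o) for o in self.orders
                   if o.fulfilled_at is not None and now - o.fulfilled_at > ORDER_RETENTION)

    @staticmethod
    def _anonymise(order: Order) -> int:
        if order.shipping_address == ANONYMISED:
            return 0  # already done; keeps the job idempotent
        order.user_id = None
        order.shipping_address = ANONYMISED
        return 1


def demo() -> dict:
    """Exercises each right on constructed sample data and returns the observable results."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed timestamp
    store = PersonalDataStore()
    store.users[1] = User(1, "Alice Example", "alice@example.com", "1 Sample Street")
    store.orders += [Order(100, 1, now - timedelta(days=45), "1 Sample Street"),  # past retention
                     Order(101, 1, now - timedelta(days=2), "1 Sample Street"),   # recent
                     Order(102, 1, None, "1 Sample Street")]                      # not yet fulfilled
    store.set_consent(1, "newsletter", True, now)
    consent_before = store.may_process(1, "newsletter")
    store.set_consent(1, "newsletter", False, now + timedelta(days=1))  # withdrawn
    consent_after = store.may_process(1, "newsletter")
    store.update_profile(1, address="2 Sample Street")
    store.users[1].restricted = True
    hidden_from_admin = store.view_profile(viewer_id=999, user_id=1)
    visible_to_self = store.view_profile(viewer_id=1, user_id=1)
    purged = store.purge_expired(now)
    export = json.loads(store.export_personal_data(1))
    erased = store.delete_account(1)
    return {"consent_before": consent_before, "consent_after": consent_after,
            "hidden_from_admin": hidden_from_admin, "visible_to_self": visible_to_self,
            "purged": purged, "export": export, "erased": erased, "users_left": len(store.users),
            "orders": [(o.order_id, o.user_id, o.shipping_address) for o in store.orders]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real system the retention job would run from a scheduler against the database and the restriction flag would be enforced in every query path, not only in one view function; the point of the example is that each right maps to a small, testable operation, and that orders are anonymized rather than deleted so that accounting records survive without any personal data in them.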

5. Organizational measures for data protection

Development of the following policies and documents:

Personal Data Protection Policy (Art. 24(2) GDPR)

Inventory of Processing Activities (Art. 30 GDPR)

Security incident response policy:

Within 72 hours you need to notify your supervisory authority about the breach (Art. 33 GDPR)

It is necessary to notify a data subject that their data has been breached (although under certain conditions this can be omitted) (Art. 34 GDPR)

Data Breach Notification Form to the Supervisory Authority (Art. 33 GDPR)

Data Breach Notification Form to the Data Subjects (Art. 34 GDPR)

Data Retention Policy (Articles 5(1)(e), 13(1), 17, 30 GDPR)

“Nice to have” policies

Data Disposal Policy

Backup policy

System access control Policy

SLA and escalation procedures

Cryptographic control policy

Disaster Recovery and business continuity

Coding standards and rollout procedure

Employment policy and processes

In order not to produce a pile of separate documents, you can combine them into one IG Policy (Information Governance Policy).

6. Technical measures for data protection

The GDPR gives no clear guideline on which security controls to use, but the architecture should be built on the principle of Data Protection by Design and by Default (Art. 25 GDPR):

Firewalls, VPN Access

Encryption for data at rest (whole disk, database encryption)

Encryption for data in transit (HTTPS, IPSec, TLS, PPTP, SSH)

Access control (physical and technical)

Intrusion Detection/Prevention, Health Monitoring*

Backup encryption

Two-factor authentication, strict authorization

Antivirus

And others, depending on the system

* As a detection tool, we usually offer our customers an inexpensive solution, the Dhound Lightweight Intrusion Detection System (https://dhound.io)

A few specific points that may require the involvement of lawyers:

Processing of ‘special data’ (Art. 4 GDPR) is prohibited by default. Collection of personal information relating to health, sex life and sexual orientation, biometric and genetic data, and philosophical and religious beliefs is prohibited, except in the cases listed in Art. 9 GDPR.

If the controller or processor is not established in the EU, then an official, documented representative in the EU must be appointed (Art. 28 GDPR)

All subcontractors the data controller works with, no matter where they are located, must also comply with the GDPR, and the corresponding changes must be made to the contracts with them (Art. 28 GDPR)

A subcontractor is not entitled to use the services of another subcontractor without the written consent of the data controller (Art.28 GDPR)

There are serious restrictions on the transfer of data, so it is better to read all of the transfer conditions if data is sent or stored outside the EU (Chapter 5 GDPR)

Data Protection Officer. This role is mandatory if a ‘special category of data’ is processed or if the data processing is performed by a public authority (Art. 37 GDPR)

United Kingdom. Information Commissioner’s Office (ICO) registration

Ordinary users can also send their questions and complaints about the protection of their data by this or that company to the ICO, after which proceedings will begin (https://ico.org.uk/for-the-public/raising-concerns/)

Companies also need to report hacking incidents and personal data breaches there.

Not all organizations are required to register with the ICO and pay annual fees; it is only required for those who meet certain conditions (https://ico.org.uk/for-organisations/register/self-assessment/)

References:

Regulation text — https://gdpr-info.eu/art-27-gdpr/

Checklist for compliance with GDPR — https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Guideline for contract changes — https://iapp.org/media/pdf/draft-gdpr-contracts-guidance-v1-for-consultation-september-2017.pdf

A real example of a fine imposed when companies sent newsletter mailings without the consent of users — https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/03/ico-warns-uk-firms-to-respect-customers-data-wishes-as-it-fines-flybe-and-honda/

Denis Koloshko, CEO at dhound.io, CISSP