@nocash
Created March 29, 2018 21:46

https://techblog.bozho.net/gdpr-practical-guide-developers/

The rights of the user/client (referred to as “data subject” in the regulation) that I think are relevant for developers are:

  • the right to erasure (the right to be forgotten/deleted from the system)
  • right to restriction of processing (you still keep the data, but mark it as “restricted” and don’t touch it without further consent by the user),
  • the right to data portability (the ability to export one’s data in a machine-readable format),
  • the right to rectification (the ability to get personal data fixed),
  • the right to be informed (getting human-readable information, rather than long terms and conditions),
  • the right of access (the user should be able to see all the data you have about them).

Additionally, the relevant basic principles are:

  • data minimization (one should not collect more data than necessary),
  • integrity and confidentiality (all security measures to protect data that you can think of + measures to guarantee that the data has not been inappropriately modified).

[“personal data” is] every piece of data that can be used to uniquely identify a person or data that is about an already identified person. It’s data that the user has explicitly provided, but also data that you have collected about them from either 3rd parties or based on their activities on the site (what they’ve been looking at, what they’ve purchased, etc.)

What about backups? Ideally, you should keep a separate table of forgotten user IDs, so that each time you restore a backup, you re-forget the forgotten users. This means the table should be in a separate database or have a separate backup/restore process.
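The backup advice above, worked through as an added example (not code from the quoted article or from this gist): a forgotten-user ledger kept in its own database is replayed against every restored backup. The table names, the in-memory SQLite databases, the sample rows, and erasure-by-deletion are all assumptions made for illustration.

```python
import sqlite3

def make_app_db():
    """Constructed sample data: two tables holding personal data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, address TEXT);
        INSERT INTO users VALUES (1, 'alice@example.test'), (2, 'bob@example.test');
        INSERT INTO orders VALUES (10, 1, '1 Sample St'), (11, 2, '2 Sample Ave');
    """)
    return db

def make_ledger():
    """Forgotten-user ledger, kept in its own database (hypothetical schema)."""
    ledger = sqlite3.connect(":memory:")
    ledger.execute("CREATE TABLE forgotten_users (user_id INTEGER PRIMARY KEY, erased_at TEXT)")
    return ledger

def erase(app, user_ids):
    """Erasure modelled as deletion (an assumption; anonymising rows also fits)."""
    for uid in user_ids:
        app.execute("DELETE FROM orders WHERE user_id = ?", (uid,))
        app.execute("DELETE FROM users WHERE id = ?", (uid,))
    app.commit()

def forget_user(app, ledger, user_id):
    # Ledger first: if the process dies before the delete, a later replay still erases.
    ledger.execute("INSERT OR IGNORE INTO forgotten_users VALUES (?, datetime('now'))", (user_id,))
    ledger.commit()
    erase(app, [user_id])

def restore_backup(backup, ledger):
    """Restore into a fresh database and re-forget before it is put into service."""
    restored = sqlite3.connect(":memory:")
    backup.backup(restored)  # Connection.backup copies the whole database
    ids = [r[0] for r in ledger.execute("SELECT user_id FROM forgotten_users")]
    erase(restored, ids)
    return restored

def user_ids(db):
    return [r[0] for r in db.execute("SELECT id FROM users ORDER BY id")]

def demo():
    app, ledger = make_app_db(), make_ledger()
    backup = sqlite3.connect(":memory:")
    app.backup(backup)           # backup taken while user 1 still exists
    forget_user(app, ledger, 1)  # erasure request arrives after the backup
    restored = restore_backup(backup, ledger)
    return user_ids(app), user_ids(backup), user_ids(restored)
```

The ledger holds only user IDs and timestamps, so it can be retained and backed up on its own schedule without reintroducing the erased data.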


https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/

The steps in a [Privacy Impact Assessment] are as follows:

  1. Identify the need for a PIA.
  2. Describe the information flows within a project or service (user to service provider, user to user, service provider to user, user to third parties, service provider to third parties).
  3. Identify the privacy- and data-protection risks.
  4. Identify and evaluate the privacy solutions.
  5. Sign off and record the PIA outcomes.
  6. Integrate the outcomes into the project plan.
  7. Consult with internal and external stakeholders as needed throughout the process.

Your app, product or service should have a privacy information notice, including the following details:

  • What data are you collecting?
  • Why are you collecting it, and is that reasoning legally justifiable?
  • Which third parties are you sharing it with?
  • What third-party data are you aggregating it with?
  • Where are you getting that information from?
  • How long are you keeping it?
  • How can the user invoke their rights?
  • Include any information regarding the use of personal data to fulfil a contract.

https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/

And remember the golden rule of GDPR — document it, or it didn’t happen. Your testing results, and the methodologies you used to achieve them, need to be noted and actioned as living documents.
