gdpr for mortals - exitas€¦ · gdpr for mortals a techies view on gdpr. we will do this...
TRANSCRIPT
GDPR for
Mortals
A techies view on GDPR
We will do this presentation
in English to avoid this
3
Dad Oracle DBA Sailor Musician Working at Exitas Oracle Platinum Partner in BELGIUM
http://vanpupi.stepi.net
@vanpupi
likes to be in control
Dreams at night ;-)
About Philippe
Philippe Fierens Independent Oracle DBA Architect Oracle SuperCluster SPARC and Solaris fan
Oracle ACE and most of all DAD & husband ;-) AND
…
pfierens.blogspot.com
@pfierens
Belgian Beer Lover
3MembershipTiers
• OracleACEDirector
• OracleACE
• OracleACEAssociate
bit.ly/OracleACEProgram
500+TechnicalExperts
HelpingPeersGlobally
Connect:
Nominateyourselforsomeoneyouknow:acenomination.oracle.com
@oracleace
Facebook.com/oracleaces
Disclaimer
We are techies not lawyers (and happy with that :-) )
What’s on the menu
Introduction GDPR for more mortals GDPR consequences
Can Tech Help / Products help
https://images.vrt.be/dako2017_1600s_j75/2017/03/06/2d75c678-024d-11e7-8f5f-00163edf48dd.jpg
GENERAL
DATA
PROTECTION
REGULATION
25 - May - 2018
Replaces a directive from …
Very old …
http://news.nationalgeographic.com/content/dam/news/2016/04/21/01-baby-dinosaurs.adapt.1900.1.jpg
More specific…
Older than
A directive has to be translated to
“Local” law
Consequence no uniform laws :
all interpretations
GDPR
• Is a regulation• Automagically adapted to member state law
• Focused on protecting data of EU resident
citizens
Gives back the data to
Data Subject
YOU
First some TERMS
Buzzword bingo!
Data Subject
citizen / resident of eu owner of
it’s own personal data
What is personal data ?
Data Categories
Personal Data
• name• birthdate• address• mobile device id• mac address smartphone• social media posts• photo’s• IOT data => fridge / kettle
Sensitive Personal Data
• health data • race• sex• philosophical beliefs• sexuality and sex life• union memberships
Genetic and Biometric Data
• retina scan• finger print• gene information• facial recognition
Consent
• freely given….• for a specific reason• unambiguous : clear affirmative action
sensitive data : explicit consent
necessary
Data Controller
• collects data about data subject(s)• determine purpose condition • how is the data processed• not carved into stone
Grocery store , Bank ….
Data Processor
Processes data on behalf of the
data controller
Data Protection Officer
when / what
• regular & systematic monitoring of individuals
• can be independent from company• must be able to do work independently• keeps eye on GDPR implementation
Data Protection Authority
National authority tasked with protection of data
DPA
• enforcement of GDPR• each member has atleast • 1 DPA
Territorial Scope
personal data processing of European residents
no matter where the data is captured/processed
can be collected in many ways
Pseudomisation
• transforming data• aggregations • not linked any more to data subject without
extra data
What about
/bin/laden
not applicable to national security
Rights of the Data Subject
Rights of the Data Subject
Right of Data Access
• What info do you
have on me ?• What do you do
with data
Right of rectification
Right of portability
Right to be forgotten
Data Leaks
Data controller must inform
regulator within 72h
Breach handling
• how did the breach happen• what data was exposed• how many data subjects
where concerned• consequences of the breach
for data subjects• how to mitigate
* if the breach doesn’t’ cause a risk to the rights and freedoms of data subject it doesn’t need to be reported
penalties
Penalties
up to 4% turnover or 20M euro
• when ?• not respecting basic GDPR principles
• consent• passing data illegally• failure to communicate to DPA
Penalties
Other fines
• 2% or 10M • audits• warnings
Income / Revenue in Million $ 2016
Facebook Google
Revenue 27638 89000
Net Income 10217 27892
GDPR fine 5527.6 17800
source :https://www.statista.com/
Income Revenue in Million $ 2016
0
22500
45000
67500
90000
Facebook Google
Turnover Net Income GDPR fine
Data Protection by Design
Bottom-up Design
Data Protection / Security by design
gather only :• necessary data• for limited timespan
Ask yourself :
• are multiple copies necessary • is data only used for purpose• who can view the data ?• data subject meta data easily retrievable• data modelling : ability to remove data
Can Tech help?
• Encryption• SSL connectivity• Data Masking…..• Subsetting • Auditing• Limit access• Thick DB / Smart DB ?
Can tech help?
60%
30%
10%
Security Patching
Systems Hardening
Application Design
Can Tech help?
What with
• Blockchain• Bigdata …
• Backups• Archives • Operational Data Stores• Data lakes ?
Summary
GDPR legislates common sense
Gives back control to personal
data to data subjects
privacy by design
?@pfierens @vanpupi