GDPR for

Mortals

A techies view on GDPR

We will do this presentation

in English to avoid this

3

Dad Oracle DBA Sailor Musician Working at Exitas Oracle Platinum Partner in BELGIUM

http://vanpupi.stepi.net

@vanpupi

likes to be in control

Dreams at night ;-)

About Philippe

Philippe Fierens Independent Oracle DBA Architect Oracle SuperCluster SPARC and Solaris fan

Oracle ACE and most of all DAD & husband ;-) AND

…

pfierens.blogspot.com

@pfierens

Belgian Beer Lover

3MembershipTiers

• OracleACEDirector

• OracleACE

• OracleACEAssociate

bit.ly/OracleACEProgram

500+TechnicalExperts

HelpingPeersGlobally

Connect:

Nominateyourselforsomeoneyouknow:acenomination.oracle.com

@oracleace

Facebook.com/oracleaces

oracle-ace_ww@oracle.com

Disclaimer

We are techies not lawyers (and happy with that :-) )

What’s on the menu

Introduction GDPR for more mortals GDPR consequences

Can Tech Help / Products help

https://images.vrt.be/dako2017_1600s_j75/2017/03/06/2d75c678-024d-11e7-8f5f-00163edf48dd.jpg

GENERAL

DATA

PROTECTION

REGULATION

25 - May - 2018

Replaces a directive from …

Very old …

http://news.nationalgeographic.com/content/dam/news/2016/04/21/01-baby-dinosaurs.adapt.1900.1.jpg

More specific…

Older than

A directive has to be translated to

“Local” law

Consequence no uniform laws :

all interpretations

GDPR

• Is a regulation• Automagically adapted to member state law

• Focused on protecting data of EU resident

citizens

Gives back the data to

Data Subject

YOU

First some TERMS

Buzzword bingo!

Data Subject

citizen / resident of eu owner of

it’s own personal data

What is personal data ?

Data Categories

Personal Data

• name• birthdate• address• mobile device id• mac address smartphone• social media posts• photo’s• IOT data => fridge / kettle

Sensitive Personal Data

• health data • race• sex• philosophical beliefs• sexuality and sex life• union memberships

Genetic and Biometric Data

• retina scan• finger print• gene information• facial recognition

Consent

• freely given….• for a specific reason• unambiguous : clear affirmative action

sensitive data : explicit consent

necessary

Data Controller

• collects data about data subject(s)• determine purpose condition • how is the data processed• not carved into stone

Grocery store , Bank ….

Data Processor

Processes data on behalf of the

data controller

Data Protection Officer

when / what

• regular & systematic monitoring of individuals

• can be independent from company• must be able to do work independently• keeps eye on GDPR implementation

Data Protection Authority

National authority tasked with protection of data

DPA

• enforcement of GDPR• each member has atleast • 1 DPA

Territorial Scope

personal data processing of European residents

no matter where the data is captured/processed

can be collected in many ways

Pseudomisation

• transforming data• aggregations • not linked any more to data subject without

extra data

What about

/bin/laden

not applicable to national security

Rights of the Data Subject

Rights of the Data Subject

Right of Data Access

• What info do you

have on me ?• What do you do

with data

Right of rectification

Right of portability

Right to be forgotten

Data Leaks

Data controller must inform

regulator within 72h

Breach handling

• how did the breach happen• what data was exposed• how many data subjects

where concerned• consequences of the breach

for data subjects• how to mitigate

* if the breach doesn’t’ cause a risk to the rights and freedoms of data subject it doesn’t need to be reported

penalties

Penalties

up to 4% turnover or 20M euro

• when ?• not respecting basic GDPR principles

• consent• passing data illegally• failure to communicate to DPA

Penalties

Other fines

• 2% or 10M • audits• warnings

Income / Revenue in Million $ 2016

Facebook Google

Revenue 27638 89000

Net Income 10217 27892

GDPR fine 5527.6 17800

source :https://www.statista.com/

Income Revenue in Million $ 2016

0

22500

45000

67500

90000

Facebook Google

Turnover Net Income GDPR fine

Data Protection by Design

Bottom-up Design

Data Protection / Security by design

gather only :• necessary data• for limited timespan

Ask yourself :

• are multiple copies necessary • is data only used for purpose• who can view the data ?• data subject meta data easily retrievable• data modelling : ability to remove data

Can Tech help?

• Encryption• SSL connectivity• Data Masking…..• Subsetting • Auditing• Limit access• Thick DB / Smart DB ?

Can tech help?

60%

30%

10%

Security Patching

Systems Hardening

Application Design

Can Tech help?

What with

• Blockchain• Bigdata …

• Backups• Archives • Operational Data Stores• Data lakes ?

Summary

GDPR legislates common sense

Gives back control to personal

data to data subjects

privacy by design

?@pfierens @vanpupi

philippe@fierensconsulting.eu pieter.vanpuymbroeck@exitas.be