GDPR Compliance for Your Datastore

Who likes GDPR? @xeraa

Who is afraid of GDPR? @xeraa

“Can you recommend a GDPR expert? Yes! Great, can you give me their email address so I can contact them? No.” https://twitter.com/wardrox/status/988363811479572483 @xeraa

Questions: https://sli.do/xeraa Answers: https://twitter.com/xeraa @xeraa

General Data Protection Regulation Adopted 2016/04/14 Enforceable 2018/05/25 @xeraa

DatenschutzGrundverordnung Fines up to 4% of global revenues or €20m @xeraa

Where & Who? EU organizations Services or goods for / monitoring of EU citizens @xeraa

What? Personal Data Any information relating to an identified or identifiable natural person @xeraa

Rights? to be informed access rectification @xeraa

Rights? erasure (to be forgotten) restrict processing data portability @xeraa

Rights? object automatic decision making @xeraa

PS: Personal data in a blockchain is an issue @xeraa

Lawful use of data? Informed consent Contractual obligation Legitimate interest @xeraa

Lawful use of data? Legal obligation Vital interests Public task @xeraa

Proof Required Right to collect and legally use @xeraa

Disclosure Within 72 hours to a member state’s "supervisory body" @xeraa

Legacy Data Stop, Check, Delete @xeraa

What if no legal grounds? @xeraa

“More GDPR bizarro world logic. Log nothing, but also make sure to have a complete understanding of all your security breaches, track them down, patch them up…. with no logs.” https://twitter.com/ianlandsman/status/997561351009599488 @xeraa

1. Stop Your Service @xeraa

@xeraa

@xeraa

@xeraa

@xeraa

2. Drown them in forms @xeraa

https://twitter.com/rianjohnson/status/999730569641525248

3. Pseudonymization @xeraa

Anonymous No information that could potentially identify an individual Not considered Personal Data by GDPR @xeraa

Pseudonymous Re-identification possible if combined with additional information Without this information, reidentification practically impossible @xeraa

When? Ingestion time Search time @xeraa

Developer @xeraa

@xeraa

@xeraa

fingerprint { method => "SHA256" source => ["ip"] key => "${FINGERPRINT_KEY}" } mutate { add_field => { '[identities][0][key]' => "%{fingerprint}" '[identities][0][value]' => "%{ip}" } } mutate { replace => { "ip" => "%{fingerprint}" } } @xeraa

How Secure Are Hashes? Without salting @xeraa

“You might think it would take a long time to run through all of the possible SSNs, but computers are very fast — there are "only" one billion possible SSNs, so your laptop can hash all of them in less time than it takes you to get a cup of coffee.” https://www.ftc.gov/news-events/blogs/techftc/2012/04/does-hashing-make-dataanonymous @xeraa

“Datafinder – Reverse email hashes for $0.04 per email” https://freedom-to-tinker.com/2018/04/09/fourcents-to-deanonymize-companies-reverse-hashedemail-addresses/ @xeraa

Access Control & Encryption @xeraa

Deletion @xeraa

“Interesting #GDPR solution for the "right to erasure" : Encrypt all user's data and when you have to delete it you just get rid of the private key. Will this become the norm?” https://twitter.com/Stephan007/status/985103374118014976 @xeraa

“[...] personal data of our users can only be persisted when it is encrypted. Each user has their own set of keys [...] it reduces the impact of leaking a dataset, since the dataset by itself is useless — attackers also need the decryption keys. [...] it allows us to control the lifecycle of data for individual users centrally.” https://labs.spotify.com/2018/09/18/scalable-user-privacy/ @xeraa

Conclusion @xeraa

Data Protection The new standard and norm of approaching personal data @xeraa

I am not a lawyer @xeraa

❤ GDPR and carry on @xeraa

@xeraa

Questions? Philipp Krenn @xeraa @xeraa