
Welcome to this very exciting topic, around yet another talk on GDPR. This is me, my name is master Omega, as most people know me around these parts. I am NOT a privacy expert, I will start by saying that, but in my job as an information security person, specialist, officer, call it what you will, I actually see my job very much as a translator, kind of between business and tech people, to try and get them to talk the same language. So this talk today is really my musings around questions that I've either been asked, things that I've seen, statements that I've heard people make, where I'm a bit like, really? Not so sure that's correct. And I thought, you know, I could probably give anybody who's kind of on the developer side just some concrete help, a couple of things you can remember without being an expert on GDPR, to try and figure out what are the right questions to ask at the start of a project. We will talk about the start of a project quite a bit today. Mainly, as I said, I'm going to try and give you enough information, enough questions, to be able to ask the right questions, but when in doubt go and speak to your data protection officer or privacy team. I know there is someone in your company who does this; find out who they are and talk to them.

So this will not be a complete guide to GDPR. This will not be, you'll be happy to hear, a legal training session. We're not really going to talk about security, even though this is a security conference, I do know that. We're not going to be talking about breach notifications or fines or jurisdictions. So now you might ask yourself, err, what will you be talking about then? It's, as I said, general awareness around GDPR. It's going to help you ask the right questions, and we're going to talk about privacy by design and by default. I promise you GDPR is not a bad thing.

So these are some of the statements that I've heard in the last couple of years. You might identify, you might have heard some of those. If you have some of your own, or even questions, please let me know, even now, or later on Twitter, or afterwards if you want to catch me, I'm happy to add that to this. Hopefully by the end of this talk we'll all have answered them and we can kind of go true or false to all of these things. Yeah, I would spoil it for you if you think some of this is true. Anyway, we'll go through the talk, we'll see how we can answer all of these questions for you.

So first things first: GDPR is really not about compliance, and I think this is the most difficult thing for most developers. I know most of you probably aren't developers here today, or some of you might not be, that's okay, it will give you some information to go and talk to your developer team. But the difficult thing for us to understand is that GDPR is not about compliance. We like statements, things like PCI, right? PCI has got a list of stuff: do all these things, you're compliant, great. ISO 27001 is similar, in that it gives you a list of things that you can do. GDPR is not like that. So this is a note to self: if you go out there and you see a vendor or a new system that says "we're fully GDPR compliant", there's no such thing. There really isn't. GDPR is not a compliance law, it's all about risk-based security, well, risk-based security and risk-based privacy. It says you need to do the best to your ability in a particular situation, which means all situations will be different, which means nothing will be exactly the same, no one's will be exactly the same.

Next slide. It really is the most difficult thing for us to get our minds around, that GDPR is just not about compliance; you can't be compliant with GDPR. It's not only about consent, that's the other thing we often hear. It's really about marketing: there's a whole different law called, it's nice to say, PECR, which is about marketing. I'll touch on that a little bit later. Cookies again, this is not GDPR, it's related but it's really not GDPR. And GDPR actually is also not about information security, or not only about information security; it's a very small part of the whole GDPR thing.

This is what GDPR is about. This is actually word for word from Recital 4 in the GDPR. It says that the processing of personal data is designed, or should be designed, to serve mankind. Now if that is not, you know, a very great objective, I don't know what is. So if we get this right, people, I'm telling you, the power is yours.

First I'm going to spend a few minutes just talking about different terms, and to clarify a few things. And I think it is important, as with all conversations; remember I told you my job is a little bit about being a translator. Half of that is just to make sure that when I say a thing and when you say a thing we're actually talking about the same thing, even if we use the same words. So it really is important to understand that there might be differences in interpretation.

The first thing I want to talk about is: privacy is not security. Now many of us are security experts and that's great, but being a security expert does not make you the privacy expert. Those are two completely different disciplines, they come from different places, they look at the world very, very differently. There is some overlap. My personal opinion is you are one or the other, an expert in one or the other; you're not normally an expert in both. Security is about protecting the business. It's about being the castle wall, it's about being the moat, it's about being the praetorian guard standing in the front watching what's going in and what's going out. If I had to sum it up in one word I would say it's about confidentiality. Whereas privacy has got nothing to do with the business, it's got nothing to do with the business model, it's got nothing to do with how the business makes money. It really is about an individual person. The question you should be asking yourself when it comes to privacy is not "can we do something?" but "should we?" And this is the second thing I think is really, really important to understand when it comes to privacy: when you're thinking about GDPR you're not thinking about how do I protect the business, you shouldn't be thinking about how can I reduce my fines. That's really not what GDPR is about. GDPR is about protecting an individual, and I think this is what makes the job of a data protection officer very difficult, because even though they're getting paid by a company, their job really is not to work for that company but to work for individual people, which could be customers, employees, any kind of, you know, the personal data that that company's processing. The DPO is a champion of those people, not for the business.

It's a very busy slide, don't worry about it. I've put down these two terms, so some people use them interchangeably: personal data, PII. Very technically speaking they're not the same thing. PII is used more in America; it's defined by NIST and in HIPAA law and so on, whereas personal data is the word that's actually used and defined in GDPR and European law. Graphically I would say all PII is personal data but not all personal data is PII. Again, it doesn't really matter, don't take this away. The thing you need to remember, as I said before, make sure you're actually talking about the same thing. If someone says PII and you think personal data, just raise a question and just say, can I just stop you, are we talking about the same thing? If in your company you use those words as the same thing, fair enough, but if you work in a global organisation and maybe you've got American colleagues, be very careful, because what they say and what you think they're saying might not be the same.

The next term I want to quickly talk about is, deep breath, because to pronounce this: pseudonymisation. Yes, that's the last time I'm going to say that word, that thing up there. This is actually defined in the GDPR, what that is and how that should work, and I think it's a pretty easy concept to understand for most developers. It's using a user ID, an alias of some sort, which isn't actually identifying a personal record. So you might have one table that has, you know, name, address, all of the personal stuff around one person in there, but then for all your other stuff it might be a separate table, so you have the user ID, so you could tie those together if you had both sets of data. So there's a reversible process; it's not complete anonymisation where you never know what the original was, you can reverse that process. But important to remember here, and GDPR actually says this, is that data, or the table that you have which you use to reverse the process to re-identify individuals, must be kept separately. So if you are using this, and it's a really good idea by the way, keep, you know, all your personal data to one side, keep it separate and don't allow people access.

Data subject, if you're wondering what that is, it's just the person, the individual whose data we're looking at. In most cases it's probably going to be your end user, not in all cases. If you're talking about applications with logins it's probably going to be your customers. If you're talking about HR systems, for example, you know your end user is going to be the HR person, but the data inside is actually going to be all your employees. So not in all cases, but in most cases it helps you to think about your end user.

And then the subject access. So I'm just quickly going to explain what this is, if you don't know, and this is one of the reasons it's important to come to this talk and listen to this information and take that away back to your company. Because what happens is any data subject, any person whose data you process, can actually call you up and say, hey company, I want to know what you know about me, write it down, tell me where this information is, what data do you hold about me. And you know what's going to happen is your privacy team's going to probably answer that call. They are not going to be looking for that data; they're going to come back to you and say, what data do we hold about a person? So it's good to have that in mind when you start designing something from scratch. Isn't that lovely, I know we all like to retrofit legacy systems later on, but if you're designing something from the beginning keep this in mind: how searchable is it, can I pull out individual records, is it easy to do? Right.

Related laws, as I said I'm going to mention them briefly. The one is the Privacy and Electronic Communications Regulations, or PECR. This sits alongside data protection regulation, and that is exactly it, it's the electronic communication. So this is all about those marketing emails that you need consent for. I'm not going to go into detail on that, I'm just telling you there is a different thing; don't blame GDPR for everything. Unfortunately I think what happened last year, and I saw some write-ups about this so it's not just my opinion, some other people concur with that, is that in the UK we've had data protection law for about 20 years, and the electronic communications regulations have been in place, well, pretty much the same, around 15 years. We've just been doing it really badly, we've just not been doing things particularly very well. If you had done data protection very well, GDPR is a no-brainer, it really doesn't change many things. But we haven't been doing that, so what people did last year, to comply with PECR and comply with data protection law which they hadn't done before, they used this big "oh, GDPR, I need to ask you for re-consent about stuff", which is unfortunate. I mean it served the purpose of businesses, but it's kind of misinformation that's out there now.

Data Protection Act 2018, so this is a new UK law that was brought out last year, and this sits alongside GDPR. It further defines things within UK law which aren't defined by European law, things like national security and immigration. So yeah, just know it is there, it sits alongside in very particular circumstances. Again, if you don't know, go and talk to your privacy team, they're the experts on this stuff.

The big thing around GDPR is this concept of privacy by design and by default. It's actually defined in Article 25 if you want to go and look it up in the GDPR, and it says any system that processes personal data, you must design it from the start with privacy in mind. Now again, remember that's that mind shift, because privacy is not about the business, privacy is about the people whose data we're collecting or processing, and it's quite a mind shift to remember.

Now the next thing I'm going to quickly touch on is lawful basis of processing. There are six different bases for lawful processing, so processing is just why we need your data. Unfortunately consent is at the top. I really wish they'd just stuck it at the bottom so it wasn't as obvious to people, because really consent should be your very, very last resort. There are five other things that you could possibly use; most cases and most businesses, I would say, sit between contract and legal obligation. So for example Amazon, right? I buy something on Amazon, they say great, we're going to deliver it, where do you want us to deliver it? I have to give them an address to deliver to. If I don't do it they can't fulfil their end of a contract, that's as easy as that. They don't need to ask my permission to collect that data, because if I don't do it they can't fulfil their contract. That's it. Legal obligation, so this is for example, you're an employee, your employer, the company you work for, has a legal obligation to share your name, your tax, your NI number, national insurance number, and your salary details; they have to share that with HMRC. They're not going to come around and say, oh by the way, do you give us consent to share this information with HMRC? They don't have to do that, because it's not based on consent, it's based on a legal obligation. So the next time you sign an employment contract and they say, oh and by the way, you give us consent to process your information, or maybe don't tell them before you sign the contract, you know, afterwards go have a word. This is the easy one to remember: consent really is not the be-all and end-all of lawful processing.

Some GDPR joy to tell people about: this is the legal rights of data subjects. So these are all the rights that data subjects have. I'm not going to go into detail on all of these, but I'm going to highlight a few which I think are important to know when you're developing an application or new system. The first one is the right of access. So this is the subject access request thing we were talking about earlier. At the point of collection you have to be able to tell data subjects, users, people whose data you have, what you're collecting, why you're collecting it, what you're going to do with it and how long you'll be keeping it, as well as who you'll be sharing it with. So this has to be before you start collecting it. So these are the privacy notices that you see pop up whenever you're trying to fill in a form, leave a comment, yes yes yes yes, whatever. But, you know, you have to show people that information. Obviously as a developer you won't usually be defining any of this information, but you should be asking these questions. You know, this would be a good time to say, great, once we, you know, know we want to collect this data, we're on this screen, I need to give people a privacy notice, calling privacy people, DPO, where is it? I need to be able to answer all of these questions.

Right to rectification. So if stuff is incorrect a data subject, the user, has the right to actually make you update it, to make you change it. What does this mean for me as a developer? Well, it means that everything can be changed. Names can be changed, surnames can be changed, date of birth can possibly be changed, especially if you've made a mistake, email addresses can be changed. So make sure that those fields are updatable in whatever system you're designing. Don't use an email address, for example, as your key identifier in the table, because what happens if I have to update that? Even if my email address is the username to log into a system, if I then tell you, actually I've changed my email address, do I have to open a whole new account? That seems a bit silly to me as a user. I just want to say, oh, I'm using a new email address, can I just use that as my username now? Is that easy enough to do?

Right to erasure. When I speak to developers this one actually grows tentacles like bosons and lakes; people have loads of questions around this. The first thing you have to know is that the right to erasure is not an absolute right. You don't always have to delete all of the data. For me, I found it very difficult to explain, so I went to my favourite privacy Twitter account, the Privacy Puffin, who explains this very well: if there's a law, a contract still in place, or a life-and-death scenario that requires your personal data to be processed, then erasure is not available. And some of those laws could be just the company law, so the Companies Act. In very broad terms, again I'm not a legal expert here, in very broad terms the Companies Act normally says you have to keep transactional data for six years, seven years, six plus one or something to that effect. So to prove that your company's done business with you, or a company has done business with a client, they have to keep those records. So a client can't come and call you and say you need to delete my data, because the transaction says you bought this table on this date for this amount, this person. That's business historical transactional data; for accounting purposes they need that information, it can't just be deleted. So what does this mean for me as a developer? It's: ask that question. Know that not everything must be able to be erased, but some things might. So how does that affect how I architect this system? You know, talk to your legal, your privacy people: which data might have to be deleted in the future? Because if you delete fields from a record, does that break the system? What happens to your logs when you do that? That's really awkward. Could you put the data that might have to be deleted in the future, could you put that in a separate table, so you can delete stuff from there, that doesn't matter, but your main stuff is not affected? Those are the things you need to ask questions about.

The right to restrict processing and the right to object. So again, this is your users, your data subjects; they have this right. Can they do that in your system? If I call up a company and say, hey, I don't know where you've got my data from, I think it's illegal, you need to stop processing my data, can you do that in your application? Can you flag a record that says, you know, this must be stopped processing, i.e. it doesn't come into reports, it's not used for aggregated data, all of it; you have to literally stop processing it. Can you do that? Also when that restriction is lifted, so it's been investigated and the company says, no no, we have a right to process this data, you have to then tell the data subject back again that you're starting to process it. How does that work? Does it come into exception reports? Right, think about that.

Next one, data portability. Sorry about the wording, this is actually from the legal act, but the best way to describe this, and this is probably the easiest one that you didn't know you were doing, so you're already doing something that complies with GDPR: hey, when you open a new bank account nowadays, you just say, oh, I've got a new bank account, can you speak to my old bank and just get all my standing orders and things moved across? And they do that automatically, by magic. I promise you they're not sitting there and writing down numbers and codes and things; it's probably a download into CSV, XML, something like that, and it's an upload on the other side. And that's what this basically is. It says that when you move to a different provider you need to be able to easily get your data in a machine-readable format. And as I said, I'm pretty sure this is probably the easiest thing you can do to be GDPR compliant: make it electronic, yay.

Next we get to GDPR principles. These are all the GDPR principles, and as before I'm not going to talk about every single one, just the ones that I think are really relevant to this audience. So there are those six principles, and then the accountability one, which kind of stands apart. And the accountability principle says that you must be able to demonstrate that you're doing the six that come before. And how do we demonstrate stuff? We have documentation. So what does that mean for me as a developer? Keep documentation please, tell us what you're doing and why you're doing it, more importantly.

Lawfulness, fairness and transparency. We talked about this a little bit before, but every time you get a piece of data, a piece of personal data, you need to know what you're collecting, why you're collecting it, where is it going and where is it stored. Where is it stored? Just in this little database over here? What happens when you back that up, does that go to one place? Do you have multiple backups, do you have multiple backups in different places? Because that's still the data. It's not just about the main database, it's about all of these things. Where is it, where is it going, who is it sent to? You need to know, you need to ask those questions of the people, you know, your privacy experts, but from a technical architecture point of view you should be able to answer this question, especially the bottom two: where is it going and where is it stored.

Purpose limitation. This is an interesting one, an interesting challenge I think for developers out there. Personal data can only be used for the purpose for which it was collected. And actually I want you to think back to the last time you read a privacy notice. It probably said something along the lines of: we are collecting the personal data we need to collect in order to fulfil the business objectives that we will define at some point whenever we feel like it, and we will be keeping that for as long as we need to. So the GDPR says you need to say all of those things, but it actually asks you to be specific. "Collecting data for business purposes" doesn't tell me why you're needing it. So you need to be specific, and then once you are specific about it, you can only use it for that purpose. You're not allowed to use it for a different purpose. So if someone comes to you, the developer, and they say, oh, you've got this data in this table, I just want to connect this other system into it, because we want these reports to go here and there, and we're then going to sell it on to this person, and so on, the challenge for you is: hold on a moment, am I allowed to do that, and have you talked to the privacy team?

The next principle in GDPR is actually called data minimisation, and I've put it in different words because, you remember I told you, sometimes I say one thing and you hear another thing; words mean different things to different people. But what they mean by data minimisation is that you need to collect the minimum data that's necessary for that purpose which we've just defined. So if you're using a library or a template, go through it. Don't just say, oh well, yeah, I got this from a mate of mine, or someone's already done some of the work, this is a similar application, I'm just going to use all of these fields. You have to ask the question: do we need all of that data? My golden rule is, if you don't have it you can't lose it, and that's what makes it really important and helps security: if you just don't collect too much data, just use what you need, collect what you need.

Accuracy. So this comes back, we've already talked about stuff must be able to be updated, to be rectified, and things should also be accurate. So I've got an example that happened to me. So I've got a bit of a funny surname, well it's not funny to me, it's just funny in this context in the UK: it's two words, a space in the middle, one is a small letter and one's a capital letter. And this is not the only system that I try to register on that says you're not using a proper surname. Like, excuse me mate, that is my surname, that's the way, that's the correct way to spell it; the implementation just says sorry, your surname is wrong. I know it's all wrong, your bias in developing is wrong, but that's awkward, different topic for a different talk. You know, my daughter's surname is three words, so two spaces, and different capitals and non-capitals, right? So don't do this. Just make things usable and make sure that you can accurately reflect data.

Storage limitation. Again, I thought I'd use those words on the slide because it means different things when you're talking to technical people. In GDPR, and I've talked about this one, I mentioned privacy notices, it says only keep data for as long as necessary. Now "as long as necessary" is not a time frame. This is why GDPR is lovely, because it's made like a risk-based thing: you define what is necessary. But that's the thing, you need to actually define it. Someone has to tell you how long that is; "necessary" is not a time frame, it's got to be two months, three months, five years, six years, ten years. Someone has to tell you what that is, and you've got to make them tell you, please do. So when you design your system, do you put in some, I don't know, automated deletion script or something to that effect, that says this data we only need for six months, thereafter it'll be deleted? What does that do to the system, what does that do to your logs, you know, can we delete that without breaking the application? Can we change that time frame, you know, if we review this in a year's time and actually we now need it 23 months or maybe a bit longer, can you change that? Think about that when you're developing your system.

Integrity and confidentiality. So this is the only little bit that talks about security in GDPR. Basically it says don't lose stuff. The actual wording says you need to use appropriate technical and organisational methods to protect the data that you're keeping. It does not define what appropriate technical and organisational methods are, unfortunately. It does give examples; GDPR says for example encryption, for example pseudonymisation, for example, use these things. It doesn't mean everything has to be encrypted. You need to look at your system: what data are you keeping, how much of it are you keeping, where are you keeping it? Is it in the cloud, is it in a public-facing system? Because yeah, then I would suggest you probably need to encrypt that. Is it, I mean, an internal system, is it, you know, behind various other things? I don't know, I don't understand your system. You need to, you know, as I said, do a risk assessment: what is your threat model, how can people get into the data, how do I keep it secure? Please do document what you're doing, because that will again be useful to show GDPR compliance, but more like if there's a breach, so you can go back and say, well, we made this decision, we designed it this way because of such-and-such a reason.

What else can I do? So this again, as a developer, the main thing is maybe be that two- or three-year-old: why, why am I doing this, can we do that, why are we doing that, why do we need all of this data, why are we collecting it, why are we keeping it, why are we keeping it for 10 years? Ask those questions and make people actually answer them, and if they don't, just document it anyway. When there's personal data involved please involve your privacy team, and I'm going to emphasise this again: security people aren't privacy experts, privacy experts aren't security experts. So you know when we're in a situation where we say, oh, the project's just gone live, but I really wish they'd talked to the security team in the beginning and I could have helped them? The privacy people feel exactly the same way. So when you're developing a new system and there's any sort of personal data involved, make sure you involve the DPO or someone with some privacy experience right from the start. Remember that GDPR says privacy by design and by default, so make sure you get those things in from the start; it's much easier to do that than to try and fix things later on. Keep your wikis and documentation up to date. We all love doing it, but it's really, really very helpful to define all of those things, purposes, how long we're keeping data for, at the time that it was discussed, because that also happens two years down the line: you're like, oh, why are we keeping this data for 10 years? No one knows, because someone came up with a random number at some point. Document those decisions as you keep going through the design process, and as I just said with the previous point, a general description of the security measures and the risk assessment that's helped you get there is really, really useful.

So in summary: privacy is not security. When personal data is involved, call the privacy team. Make sure those questions are answered: what are we collecting, why are we collecting it, how long do we need it for? Make sure you can update stuff; think about those situations where you need to update things or delete things and what that does to your system, hopefully it doesn't break it. The documentation is important. Most importantly, if you're not sure, ask. I really think, I hope that this talk has given you some information, some ammunition, to go and ask the questions that need to be answered, and make sure that you then speak to the right people and involve them in your projects. That's it for me. I'm happy to take questions; if I can't answer them, I promise, go away and find the answers.
...and see the questions being asked. Definitely the answers I'm not so sure about, but, you know, those questions, so it comes back to understanding what you're doing. And yes, you might not know the algorithm in detail, but because it's right at the start, about what data you're collecting and what's the purpose you're collecting it for, if you're actually putting there, well, the purpose is to improve our systems or to teach our machine learning thing, you know, at least you've been clear about that from the very beginning. Then you also need to consider the right to erasure; as I said, luckily not all data can be erased, but it's definitely something to think about. If someone says, actually I want you to stop processing my data, I want you to stop doing that, can you just stop, can you take that away and can you remove it from the system? Probably not. So as I said, the answers aren't really there, but definitely the questions are being asked. And with all of these things you need all of those experiences in the same room, right? You need the privacy people who can actually interpret the law, you need the developers who can actually, hopefully, explain to you what they're doing, how that works, I mean all these talks around, to make sure we're doing the right thing. And yes, testing systems is a very interesting dynamic. I've never read a privacy statement that says we're going to use your data to allow testing systems as well, but in some places it's absolutely needed. Documentation is my best advice for all of that, just document when you've had a discussion and what the results were, because as I said GDPR doesn't say you can't do it, it just says you need to make a risk-based decision. So once you've documented that, that should help.

Great, well I hope you found that useful, and welcome to talk to you afterwards, and you've got some time for maybe a quick cup of coffee before we finish today.
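As an added example (not from the talk or its speaker), here is a small sqlite-backed model in Python of the design points the talk raises: identifying data pseudonymised into its own table keyed by a surrogate id rather than the email, subject access and a portable export, rectification, a processing-restriction flag that the aggregate report honours, erasure that removes the identity row but keeps the transactional rows, and a retention purge with the period as a parameter so it can be changed on review. The table layout, the two sample subjects, their orders and the six-year retention value are constructed assumptions for the example.

```python
import json
import sqlite3
from datetime import date, timedelta

# Constructed sample data (not real people): two data subjects, three orders.
SAMPLE_IDENTITIES = [
    (1, "Ada Example", "ada@example.test", "1990-01-02"),
    (2, "Bob Sample", "bob@example.test", "1985-05-06"),
]
SAMPLE_ORDERS = [
    (101, 1, "table", 120.00, "2019-03-01"),
    (102, 1, "chair", 45.50, "2024-01-15"),
    (103, 2, "lamp", 30.00, "2024-02-20"),
]


def open_store() -> sqlite3.Connection:
    """In-memory store with identifying data pseudonymised into its own table;
    the surrogate subject_id is the only link to the transactional rows."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE identities (
            subject_id INTEGER PRIMARY KEY,          -- surrogate key, not the email
            name TEXT NOT NULL,
            email TEXT NOT NULL UNIQUE,              -- also the login name, but updatable
            date_of_birth TEXT,
            processing_restricted INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE orders (
            order_id INTEGER PRIMARY KEY,
            subject_id INTEGER NOT NULL,             -- pseudonymous reference only
            item TEXT NOT NULL,
            amount REAL NOT NULL,
            created_on TEXT NOT NULL                 -- ISO date, drives retention
        );
    """)
    db.executemany("INSERT INTO identities VALUES (?, ?, ?, ?, 0)", SAMPLE_IDENTITIES)
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    return db


def subject_access_request(db, subject_id):
    """Right of access: everything held about one subject, identity plus orders."""
    ident = db.execute("SELECT * FROM identities WHERE subject_id = ?",
                       (subject_id,)).fetchone()
    orders = db.execute("SELECT * FROM orders WHERE subject_id = ? ORDER BY order_id",
                        (subject_id,)).fetchall()
    return {"identity": dict(ident) if ident else None,
            "orders": [dict(o) for o in orders]}


def export_portable(db, subject_id) -> str:
    """Data portability: the same record set as machine-readable JSON."""
    return json.dumps(subject_access_request(db, subject_id), sort_keys=True)


def rectify(db, subject_id, **fields) -> int:
    """Right to rectification; email works too because it is not the key."""
    unknown = set(fields) - {"name", "email", "date_of_birth"}
    if unknown:  # allow-list the column names before they reach the SQL text
        raise ValueError(f"not rectifiable here: {sorted(unknown)}")
    assignments = ", ".join(f"{col} = ?" for col in fields)
    cur = db.execute(f"UPDATE identities SET {assignments} WHERE subject_id = ?",
                     (*fields.values(), subject_id))
    return cur.rowcount


def set_processing_restricted(db, subject_id, restricted: bool) -> int:
    """Right to restrict processing / object: flag the record; lift it later."""
    cur = db.execute("UPDATE identities SET processing_restricted = ? WHERE subject_id = ?",
                     (int(restricted), subject_id))
    return cur.rowcount


def sales_report(db):
    """Aggregate report that honours the flag: restricted subjects drop out.
    Orders whose identity row was erased still count; that record is retained."""
    row = db.execute("""
        SELECT COUNT(*) AS n, COALESCE(SUM(o.amount), 0) AS total
        FROM orders o LEFT JOIN identities i ON i.subject_id = o.subject_id
        WHERE COALESCE(i.processing_restricted, 0) = 0
    """).fetchone()
    return row["n"], round(row["total"], 2)


def erase_identity(db, subject_id) -> int:
    """Right to erasure as far as it goes: drop the identifying row, keep the
    transactional rows the accounting retention rule requires."""
    return db.execute("DELETE FROM identities WHERE subject_id = ?", (subject_id,)).rowcount


def purge_expired_orders(db, today_iso: str, retention_days: int) -> int:
    """Storage limitation: delete orders older than the agreed period. The period
    is a parameter so the decision can be changed when it is reviewed."""
    cutoff = (date.fromisoformat(today_iso) - timedelta(days=retention_days)).isoformat()
    return db.execute("DELETE FROM orders WHERE created_on < ?", (cutoff,)).rowcount
```

Run it against the sample store and the report changes only while a subject is restricted; after erasure the orders are still there but no longer attached to a name.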