GDPR or: How I Stopped Worrying And Love My Users
Holger Frohloff 1
Holger Frohloff
☞ Developer for over 10 years
☞ Freelancer & consultant helping companies with Rails and
ReactJS
☞ Credit card data stolen (ca. €2.500 in 2009)
☞ Affected by breaches: MyFitnessPal (2018), BrowserStack (2014),
Kickstarter (2014), Gawker (2010) and others
☞ Private photo sharing platform (2013)
German Bundestag | Picture by Thomas Quine (CC-BY-2.0)
Mossack Fonseca - Panama Papers | Picture by Falco Emert (CC-BY-2.0)
Texas Lottery
Picture by Wil C. Fry (CC BY-NC-ND 2.0)
Picture by shopcatalog.com (CC BY 2.0)
Visualization: Information is Beautiful
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
GDPR: General Data Protection Regulation
The history
☞ Approved and adopted by the EU Parliament in April 2016.
☞ Applies from May 25th 2018: the regulation entered into force in 2016, and the two-year transition period ends on that date.
☞ Predecessors: the OECD privacy guidelines from the 1980s and the Data Protection Directive (95/46/EC) from 1995, which the GDPR replaces.
Who does it apply to
Article 3
☞ Organizations established within the EU, regardless of where the processing itself takes place (Art. 3(1))
☞ Organizations outside of the EU, if they offer goods or services to, or monitor the behaviour of, data subjects who are in the EU (Art. 3(2))
☞ The trigger is processing personal data of people who are in the European Union; their citizenship does not matter
Violations and fines
Photo by Gerry Lauzon (CC-BY-2.0)
Article 83
☞ Lower tier (Art. 83(4)): up to €10 million or 2% of annual global turnover, whichever is higher, e.g. for breaching the controller and processor obligations such as security of processing or breach notification
☞ Upper tier (Art. 83(5)): up to €20 million or 4% of annual global turnover, whichever is higher, e.g. for breaching the basic principles, the conditions for consent, or the data subjects' rights
Personal data
Article 4(1)
☞ Any information relating to an identified or identifiable natural person, the 'data subject'
☞ Identifiable directly or indirectly, e.g. by reference to a name, an identification number, location data or an online identifier
☞ Examples: a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address
Key points
Consent
Right of Access
Data Portability
Right to be Forgotten
Privacy by design
Privacy by default
Consent
Article 7
☞ The request is presented in an intelligible and easily accessible form, in clear and plain language (Art. 7(2))
☞ Clearly distinguishable from other matters, i.e. not buried in the terms of service
☞ Giving and withdrawing made equally easy; withdrawal does not affect the lawfulness of processing done before it (Art. 7(3))
☞ The controller must be able to demonstrate that consent was given (Art. 7(1))
Consent
Article 7
❝Any part of such a declaration
which constitutes an infringement of
this Regulation shall not be binding.❞
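As an added example, not code from the talk: a minimal append-only consent ledger in plain Ruby (the author's stack is Rails, but nothing here depends on it) that records the evidence Art. 7(1) asks for, ties each grant to a policy version, and makes withdrawal the same one-line call as granting (Art. 7(3)). The event fields, the policy-version rule and the injected clock are assumptions chosen for illustration.

```ruby
# Added example (not from the talk): an append-only consent ledger.
# Assumptions: one event per (subject, purpose) grant or withdrawal, a
# policy version string per grant, and a clock injected for testability.
require 'time'
require 'json'

ConsentEvent = Struct.new(:subject_id, :purpose, :action, :policy_version,
                          :recorded_at, :source, keyword_init: true)

class ConsentLedger
  ACTIONS = %i[granted withdrawn].freeze

  def initialize(clock: -> { Time.now.utc })
    @events = []   # append-only: a withdrawal is a new event, never a deletion
    @clock = clock
  end

  # Art. 7(1): the controller has to demonstrate consent, so record who,
  # for which purpose, against which policy text, when, and through what UI.
  def grant(subject_id, purpose, policy_version:, source:)
    append(subject_id, purpose, :granted, policy_version, source)
  end

  # Art. 7(3): withdrawing must be as easy as giving; same call shape.
  def withdraw(subject_id, purpose, source:)
    append(subject_id, purpose, :withdrawn, nil, source)
  end

  # Consent is valid only if the latest event for this subject and purpose
  # is a grant for the policy version currently in force. A grant for an
  # older policy is not carried over silently; the subject is asked again.
  def consented?(subject_id, purpose, current_policy_version:)
    last = @events.reverse.find { |e| e.subject_id == subject_id && e.purpose == purpose }
    return false if last.nil? || last.action != :granted
    last.policy_version == current_policy_version
  end

  # Evidence for an audit, or for a subject access request (Art. 15).
  def history(subject_id)
    @events.select { |e| e.subject_id == subject_id }.map(&:to_h)
  end

  private

  def append(subject_id, purpose, action, policy_version, source)
    raise ArgumentError, "unknown action #{action}" unless ACTIONS.include?(action)
    ev = ConsentEvent.new(subject_id: subject_id, purpose: purpose, action: action,
                          policy_version: policy_version,
                          recorded_at: @clock.call.iso8601, source: source)
    @events << ev
    ev
  end
end

if __FILE__ == $PROGRAM_NAME
  ledger = ConsentLedger.new
  # Constructed sample interaction, not real user data.
  ledger.grant(42, :newsletter, policy_version: 'v2', source: 'signup form, checkbox unticked by default')
  puts ledger.consented?(42, :newsletter, current_policy_version: 'v2')   # true
  ledger.withdraw(42, :newsletter, source: 'unsubscribe link in mail footer')
  puts ledger.consented?(42, :newsletter, current_policy_version: 'v2')   # false
  puts JSON.pretty_generate(ledger.history(42))
end
```

The `source` field is what makes the record useful in a dispute: "pre-ticked checkbox on signup" is not valid consent, and a ledger that only stores a boolean cannot tell the two apart.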
Right of Access
Article 15
☞ Confirmation whether or not personal data concerning them is being processed, and if so the purposes, the categories of data, the recipients, the envisaged retention period and the source of the data (Art. 15(1))
☞ A copy of the data, free of charge for the first copy; in a commonly used electronic form when the request was made electronically (Art. 15(3))
☞ Answered without undue delay and at the latest within one month (Art. 12(3))
Data Portability
Article 20
☞ Receive the data they provided in a structured, commonly used and machine-readable format (Art. 20(1))
☞ Have the data transmitted directly to another controller where technically feasible (Art. 20(2))
☞ Without hindrance, and free of charge (Art. 12(5))
☞ Applies to processing based on consent or on a contract and carried out by automated means
Right to be forgotten
Article 17
☞ Erasure of personal data without undue delay, e.g. when the data is no longer necessary for its purpose or consent is withdrawn (Art. 17(1))
☞ Halt processing with third parties: inform other controllers processing data that was made public (Art. 17(2)), and tell every recipient about the erasure (Art. 19)
☞ Exceptions exist, e.g. a legal obligation to retain records such as invoices (Art. 17(3)(b))
☞ A little respect
Photo by Andwhatsnext on Wikipedia (CC-BY-SA-3.0)
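The three rights above (access, portability, erasure) as an added example in plain Ruby, not code from the talk: one export path that returns only the requesting subject's data as JSON, and one erasure path that deletes what it can, strips the personal fields from rows a retention rule says must be kept, and queues notifications to downstream processors. The three tables, the rule that invoices are retained, and the processor names are assumptions chosen for illustration.

```ruby
# Added example, not from the talk: subject access / portability export and
# erasure over an in-memory "database". Assumptions for illustration: three
# tables (users, posts, invoices), a retention rule that invoices must be kept
# for accounting purposes, and two hypothetical downstream processors.
require 'json'
require 'securerandom'

class SubjectDataStore
  # Hypothetical processors that also hold the subject's data and must be
  # told to erase it (Art. 17(2), Art. 19).
  PROCESSORS = %w[mail-provider crm].freeze

  def initialize
    @users    = {}   # user_id => { name:, email:, ip: }
    @posts    = []   # { id:, user_id:, body: }
    @invoices = []   # { id:, user_id:, amount:, name:, address: }
    @outbox   = []   # erasure notifications not yet sent to processors
  end

  def add_user(id, name:, email:, ip:)
    @users[id] = { name: name, email: email, ip: ip }
  end

  def add_post(user_id, body)
    @posts << { id: @posts.size + 1, user_id: user_id, body: body }
  end

  def add_invoice(user_id, amount:, address:)
    user = @users.fetch(user_id)
    @invoices << { id: @invoices.size + 1, user_id: user_id, amount: amount,
                   name: user[:name], address: address }
  end

  # Art. 15 / Art. 20: everything held about one subject, as JSON (a commonly
  # used, machine-readable format), restricted to that subject so nobody
  # else's data leaks through the export (Art. 15(4), Art. 20(4)).
  # Raises KeyError for an unknown or already erased subject.
  def export(user_id)
    user = @users.fetch(user_id)
    JSON.generate(
      subject:    user,
      posts:      @posts.select    { |p| p[:user_id] == user_id },
      invoices:   @invoices.select { |i| i[:user_id] == user_id },
      recipients: PROCESSORS       # Art. 15(1)(c): who else received the data
    )
  end

  # Art. 17: delete what can be deleted. Where a legal obligation forces us to
  # keep a record (Art. 17(3)(b); here: invoices, by assumption), strip the
  # personal fields and replace the identity with a random token that is not
  # stored anywhere else, so the accounting facts survive but the person is
  # no longer identifiable from the row. Then queue a notice to every processor.
  def erase(user_id)
    @users.fetch(user_id)                      # fail loudly for unknown ids
    token = "erased-#{SecureRandom.hex(8)}"
    @posts.reject! { |p| p[:user_id] == user_id }
    @invoices.each do |inv|
      next unless inv[:user_id] == user_id
      inv[:user_id] = nil
      inv[:name]    = token
      inv[:address] = nil
    end
    @users.delete(user_id)
    PROCESSORS.each do |p|
      @outbox << { processor: p, action: :erase, subject_id: user_id }
    end
    token
  end

  def user?(id)
    @users.key?(id)
  end

  def posts_for(user_id)
    @posts.select { |p| p[:user_id] == user_id }
  end

  def invoices
    @invoices
  end

  def pending_notifications
    @outbox
  end
end

if __FILE__ == $PROGRAM_NAME
  store = SubjectDataStore.new
  # Constructed sample data, not real users.
  store.add_user(7, name: 'Ada', email: 'ada@example.com', ip: '203.0.113.9')
  store.add_post(7, 'first post')
  store.add_invoice(7, amount: 12.5, address: 'Example Street 1')
  puts store.export(7)
  store.erase(7)
  puts store.invoices.inspect
  puts store.pending_notifications.inspect
end
```

Two things a real implementation adds on top: identity verification before `export` hands anything out (Art. 12(6)), and a job that drains the outbox and retries until each processor has confirmed, since a queued notice is not yet an erased record.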
Privacy by design & Privacy by default
Article 25
☞ Data protection by design: technical and organisational measures such as pseudonymisation and data minimisation, built in both when deciding how to process and during the processing itself (Art. 25(1))
☞ Data protection by default: only the personal data necessary for each specific purpose is processed, in amount, extent, storage period and accessibility; by default the data is not made accessible to an indefinite number of people without the individual's intervention (Art. 25(2))
☞ Security of the data and the proper steps to ensure privacy should be the default, not an opt-in
Privacy by Default Framework
and why the GDPR makes sense
Data Protection Impact Assessments (DPIA)
☞ Required by Art. 35 where processing is likely to result in a high risk to individuals (e.g. systematic profiling, large-scale processing of special categories of data, systematic monitoring of public areas); sensible for almost every bigger project
☞ Results accessible for all parties involved; if the residual risk stays high, the supervisory authority has to be consulted before processing starts (Art. 36)
☞ Describe the processing and its purposes, the necessity and proportionality, the risks to data subjects and the measures that address them
Data Collection and Retention
☞ What data is collected and how is it processed? Where is it stored and retained (cloud? which region?)
☞ How long is it kept? When and how is it deleted?
☞ On what legal basis (Art. 6)? If consent: is it verifiable, explicit and freely given?
☞ Do users have controls over retention?
Technical and Security Measures
☞ Do you use encryption, anonymization, pseudonymization? (Art. 32 names pseudonymisation and encryption explicitly as appropriate measures)
☞ Backups? How? When? Are they encrypted, and does an erasure reach them, or are they time-limited so erased data ages out?
☞ What technical and security measures (TSM) exist at the host (AWS etc.), and which of them are written into the processor contract?
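Pseudonymization versus anonymization of a client IP address, as an added example in plain Ruby and not code from the talk. The "Personal data" slide lists an IP address as personal data, and web-server logs are the place it most often leaks into long-term storage. The block shows the keyed form that keeps per-client linkability (for rate limiting and abuse investigation) beside the prefix-truncation form that does not. The key handling, the key id, and the /24 and /48 prefixes are assumptions chosen for illustration.

```ruby
# Added example, not from the talk: two ways to take the personal data out of
# the client IP in a web-server log line. Assumptions for illustration: the
# key is a 32+ byte secret held outside the log pipeline, and /24 (IPv4) and
# /48 (IPv6) are the prefixes kept when anonymizing.
require 'openssl'
require 'ipaddr'

class IpScrubber
  MODES = %i[pseudonymize anonymize].freeze

  def initialize(key:, key_id: 'k1', v4_prefix: 24, v6_prefix: 48)
    raise ArgumentError, 'key must be at least 32 bytes' if key.bytesize < 32
    @key = key
    @key_id = key_id          # rotate the key; the id records which one applied
    @v4_prefix = v4_prefix
    @v6_prefix = v6_prefix
  end

  # Pseudonymization (Art. 4(5)): the same address maps to the same token
  # under the same key, so rate limiting and abuse investigation still work,
  # but without the key nobody can reverse the token or link it to a dataset
  # keyed differently. A plain unkeyed hash would NOT do: the IPv4 space is
  # small enough to hash every address and look the token up.
  def pseudonymize(ip)
    canonical = IPAddr.new(ip).to_s     # "2001:DB8::1" and "2001:db8::1" agree
    mac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @key, canonical)
    "ip:#{@key_id}:#{mac[0, 16]}"
  end

  # Anonymization: drop the host bits. Irreversible and keyless, but the
  # result is no longer unique per client, so it cannot drive rate limiting.
  def anonymize(ip)
    addr = IPAddr.new(ip)
    addr.mask(addr.ipv4? ? @v4_prefix : @v6_prefix).to_s
  end

  # Replace every whitespace-separated token of a log line that parses as an
  # IP address; everything else (timestamps, paths, status codes) is kept.
  def scrub_line(line, mode: :pseudonymize)
    raise ArgumentError, "unknown mode #{mode}" unless MODES.include?(mode)
    line.split(' ').map { |tok| ip?(tok) ? public_send(mode, tok) : tok }.join(' ')
  end

  private

  def ip?(tok)
    IPAddr.new(tok)
    true
  rescue ArgumentError       # IPAddr::InvalidAddressError is an ArgumentError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample line in combined log format; not a real log.
  line = '203.0.113.9 - - [25/May/2018:10:00:00 +0000] "GET /account HTTP/1.1" 200 512'
  scrubber = IpScrubber.new(key: OpenSSL::Random.random_bytes(32))
  puts scrubber.scrub_line(line)                     # ip:k1:<16 hex chars> - - [...]
  puts scrubber.scrub_line(line, mode: :anonymize)   # 203.0.113.0 - - [...]
end
```

Which mode to use follows from the retention question on the slide: pseudonymized logs are still personal data and stay in scope (the key is the link), so they need a deletion date; anonymized logs can be kept, at the price of losing the per-client view.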
Personnel
☞ Who has access? Is it least-privilege, and is access logged?
☞ Data protection training?
☞ Security measures people work with?
☞ Process for handling personal data breaches? The supervisory authority must be notified within 72 hours of becoming aware of a breach (Art. 33), and the affected subjects when the risk to them is high (Art. 34)
☞ Process for government requests?
Data subject (access) rights
☞ How can they exercise their rights (access, portability, erasure, rectification)?
☞ How can they restrict processing (Art. 18)? How can they object (Art. 21)?
☞ How can they withdraw consent?
☞ How do you verify the identity of the requester before handing out data (Art. 12(6))? An access request is an easy way to extract someone else's data if nobody checks
Legal
☞ Contracts (data processing agreements under Art. 28) for all data processors, including sub-processors?
☞ Is data transferred outside of the EU?
☞ If yes, what safeguards exist (adequacy decision, standard contractual clauses, binding corporate rules; Chapter V)?
Risks
☞ What risks to data subjects exist (misuse, breach, unauthorised access, loss)?
☞ Risks in case of unauthorised modification?
☞ Main sources of risk?
☞ Steps for mitigation? Which are possible? Which have been taken?
Development Workflow
Document it all
☞ Libraries
☞ Tools
☞ Frameworks
☞ Workflows
☞ Document how you write, test,
review, document & deploy it
External libraries
☞ Are they safe? (Look for DPIAs / documentation about GDPR compliance)
☞ How do they handle security vulnerabilities (disclosure policy, release cadence for fixes)?
☞ Do they collect or retain data themselves (telemetry, crash reports, calls to third-party services)?
☞ => Opportunity for OSS authors to increase adoption by EU devs
Code Reviews
☞ Code quality alone doesn't cut it anymore
☞ Look at how personal data is handled: is it minimised, where does it flow (logs, analytics, third parties), adherence to PbD, possibilities of encryption/sandboxing etc.
What good comes from this?
We decide!
Thank you
☞ https://idiomaticrails.com/gdpr: My newsletter about privacy and technology (With double opt-in & 100% less tracking 😉)
☞ Twitter: 5minpause (rarely used)
☞ https://gdpr-info.eu/ A comprehensive website about the regulation
Sources #1
☞ Bundestag - Thomas Quine - https://flic.kr/p/d9bCDd
☞ Panama City - Falco Emert - https://flic.kr/p/FgbicY
☞ Estimated Cash Value: $496,000,000 - Wil C. Fry - https://flic.kr/p/C1wPYR
☞ Bend man - Marten Newhall on Unsplash - https://unsplash.com/photos/uAFjFsMS3YY
☞ TVintage - Ajeet Mestry on Unsplash - https://unsplash.com/photos/UBhpOIHnazM
Sources #2
☞ Parking Ticket Note - Gerry Lauzon - https://flic.kr/p/Aw1WP
☞ Info - Arvin Febry - https://unsplash.com/photos/V4mNfkDmiX4
☞ Thick Rope Knot - Robert Zunikoff - https://unsplash.com/photos/-yz22gsqAH0
☞ Step up - Mikito Tateisi - https://unsplash.com/photos/bJhT_8nbUA0
☞ Shopping in Amsterdam - Guus Baggermans - https://unsplash.com/photos/fbDPzqOXwuY
Sources #3
☞ Erasure, 1986 - Andwhatsnext - https://de.wikipedia.org/wiki/Erasure#/media/File:Erasure-andy-vince-wolfgangs-np.jpg
☞ Black Sign White Text - Kai Brame - https://unsplash.com/photos/QnYDCO6dFPk
☞ Cat beneath blanket - Mikhail Vasilyev - https://unsplash.com/photos/NodtnCsLdTE
☞ Paper Mountain - Christa Dodoo - https://unsplash.com/photos/MldQeWmF2_g
Sources #4
☞ Isolated - Jayka Herrera - https://unsplash.com/photos/gM3NL_uqDFE
☞ Guy Fawkes mask - Samuel Zeller - https://unsplash.com/photos/VPnmmVSJy1M
☞ Yellow Airport sign - Paul Green - https://unsplash.com/photos/gWFXgcH-LeU
☞ Elegant man loosening tie - Ben Rosett - https://unsplash.com/photos/WdJkXFQ4VHY
☞ House on the edge - Cindy Tang - https://unsplash.com/photos/
Sources #5
☞ Shelf full binders - Samuel Zeller - https://unsplash.com/photos/vpR0oc4X8Mk/info
☞ Open for business - Clem Onojeghuo - https://unsplash.com/photos/lYjEYq5iUGU
☞ Rechercher - Olloweb Solutions - https://unsplash.com/photos/d9ILr-dbEdg