4. GDPR says “WHAT”, it doesn’t say “HOW”
Nothing about:
» specific tools to use
» specific processes to use
» specific standards to use
» examples or templates for solutions
» best practices for development or guidelines
» actual “privacy engineering (privacy by default)”
Specs from GDPR??
7. Personal Data Flow – subcontractor management (example)
[Diagram: personal data flow between the Data Subject, Aditro’s Customer, Aditro and its subcontractors]
Systems shown:
• Application server in Finland
• Cloud-based storage in USA
• Administration and support in India (remote connections to systems)
• Data analytics
• APIs
Parties shown:
• Data Subject
• Aditro’s Customer
• Aditro
• Contractor
• Vendor
• Vendor’s subsidiary
• Application development partner
Locations shown: Finland, USA, EU, India, outside EU/EEA
Connection labels: HTTPS / SSL encryption; HTTPS / SSL encryption, EULA, input forms
In all boxes, note:
• Data retention (Right to erasure)
• Minimisation
• Agreements
8.
Image: Based on PrivaOn presentation
* https://www.enisa.europa.eu/topics/data-protection/privacy-enhancing-technologies (PET)
• “Privacy by Design” is today undefined
• Official privacy by design will be defined after precedent legal cases
[Diagram labels]
• Privacy requirements
• Security requirements
• PET*
• Evidence collection for accountability: technology (log, authentication), process (test reports, memos)
• Backlog
• P-I-A
• Privacy Architecture
• Threat analyses
• Security testing
• Implementation
• Auditing
• Certification
• Data access process
• Data retention
• Backups