In six months, the General Data Protection Regulation takes effect. While lawyers are sorting out consent forms and DPA agreements, we on the technical team have our own challenges: encryption, audit logs, the right to erasure, and data portability.
GDPR from a Technical Perspective
- Data minimization — collect only what you truly need
- Purpose limitation — use data only for its stated purpose
- Right to erasure — you must be able to delete a specific person’s data
- Data portability — export in a machine-readable format
- Breach notification — 72 hours to report a breach
Audit: Where Do We Have Personal Data?
We created an inventory of all systems and data flows. It took two weeks and uncovered systems nobody knew were processing personal data. Databases, logs, backups, analytics, CRM…
Technical Measures: Encryption
At rest: all data encrypted on disk. AWS EBS encryption, S3 server-side encryption, LUKS for on-premise. In transit: TLS everywhere, including internal services.
Right to Erasure — A Technical Nightmare
Data lives in the production DB, in backups from the last 90 days, in log files, in analytics systems, in cache, in search indexes… Our solution: a centralized “user data service” with an API for complete erasure.
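A sketch of how such an erasure API can fan out to every system that holds a person's data. This is an added example, not the service described in this post: `DictStore`, `ErasureService` and their methods are hypothetical names, and the tombstone list used to cover the 90-day backups is an assumed design, since backups cannot be edited in place.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

BACKUP_RETENTION_DAYS = 90  # the post mentions backups from the last 90 days


class DictStore:
    """Hypothetical adapter for one system (DB, cache, search index, ...)."""
    def __init__(self, name, records, fail=False):
        self.name, self.records, self.fail = name, dict(records), fail

    def erase(self, user_id):
        if self.fail:
            raise ConnectionError(f"{self.name} unreachable")
        return 1 if self.records.pop(user_id, None) is not None else 0


@dataclass
class ErasureService:
    """Central entry point: erase one user everywhere and record the outcome."""
    stores: list
    audit_log: list = field(default_factory=list)
    tombstones: dict = field(default_factory=dict)  # user_id -> last day a backup may hold it

    def erase_user(self, user_id, today: date):
        results = {}
        for store in self.stores:
            try:
                results[store.name] = ("erased", store.erase(user_id))
            except Exception as exc:  # one failing system must not hide the others
                results[store.name] = ("failed", str(exc))
        complete = all(status == "erased" for status, _ in results.values())
        # Assumed design: keep only the id until old backups age out,
        # so a restore can re-apply the erasure.
        self.tombstones[user_id] = today + timedelta(days=BACKUP_RETENTION_DAYS)
        # The audit entry holds the id and per-store outcome, never the erased data.
        self.audit_log.append({"user": user_id, "date": today.isoformat(),
                               "complete": complete, "results": results})
        return complete, results

    def reapply_after_restore(self, restored_store, today: date):
        """Erase every still-tombstoned user from a store restored from backup."""
        pending = [u for u, until in self.tombstones.items() if until >= today]
        return {u: restored_store.erase(u) for u in pending}
```

A request counts as complete only when every registered store reports success; a failed store leaves `complete` false in the audit log so the request can be retried.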
Plan Through May 2018
- Q4 2017: data mapping, gap analysis
- Q1 2018: implementing encryption, erasure API, audit logging
- Q2 2018: testing, documentation, training
GDPR Is an Opportunity, Not Just an Obligation
Properly implemented GDPR improves security, data quality, and customer trust. Procrastination doesn’t make sense — May 25, 2018 is approaching fast.