GDPR and technology - details matter Kalle Varisvirta @kvirta
Documentation vs. reality
Privacy policies (as well as PIAs) are usually written by interviewing Developers and Systems Engineers, but unfortunately by non-technical people
Technical people simplify things when asked about details by non-technical people - that’s what we’re told to do
Residual data &removing data
Data leaves a trace when going through a system
Mapping your data exactly is very difficult, as is removing it
Varnish or CDN in the front
Web server logs
Local caches
Uploaded binary files
Backups of the servers
MySQL logs
Binary logs on all servers
Backups of binary logs
Database dumps made by developers
Production dumps to staging environment
Integration platform logs and local caches
Integration platform document DB oplogs
SaaS messaging platform logs and internal database
Residual data
Data flows are complicated
Residual data is easily overlooked and forgotten
Removal of data becomes very problematic in the real world
Removing from backups
Electronic format
There are a lot of requirements for providing data in an electronic format
Most systems have the data spread out optimized for the system, not aggregation
Gathering data to a “single” electronic format would be a complicated and slow manual task for most environments
What to do?
Take the regulation seriously
Map out your systems, in full detail
Consider data flow through the system
Consider the cloud / SaaS services you might be using
Consider residual data
What to do?
For compliance, make sure technical personnel (either internal or from your vendors) are involved
To understand the regulation, not just to provide answers