SESSION ID: PS-W11
A Mapping of GDPR to Common Features
Matt Clapham
Director of Cybersecurity for Software and Cloud, GE Healthcare
@ProdSec
#RSAC

By the time I'm done today, you'll know a key set of features a product should have for GDPR readiness.

Agenda
• Disclaimer
• How we got to now in GDPR
• GDPR Rights for Feature Guidance
• Creation and Review of Features
• List of Features by GDPR Right
• Application and Practical Example
• Q&A

I Am Not Anyone's Lawyer
• Everyone deserves good privacy
• Want to meet or exceed…
– User expectations
– Regulations
– Customer needs
• Works for us as a starting point
• Double-check my work in your context

The Path to GDPR Analysis

The Nine GDPR "Rights"
• Right to Information
• Right of Access
• Right of Rectification
• Right to be Forgotten
• Right to Restrict Processing
• Right to Data Portability
• Right of Notification
• Right to Object
• Right to Bring Class Actions

Right to Information
Individuals have a right to know what type of data is being collected about them and how it will be used.

Right of Access
Individuals have a right to access the personal data held about them, regardless of format or storage location.

Right of Rectification
Individuals have a right to get the information about them corrected if there are any errors.

Right to be Forgotten
Individuals have a right to request that data about them be removed/erased from storage when there is no longer a valid reason to hold it.

Right to Restrict Processing
Individuals have a right to exclude their information from shared processing solutions.

Right to Data Portability
Individuals have a right to request and receive an export (in a common format) of all data held about them by the system.

Right of Notification
Individuals have a right to be notified of any disclosure, change, or correction of their information.

Right to Object
Individuals have a right to challenge and/or question automated decisions made about them or on their behalf.

Right to Bring Class Actions
Individuals have a right to request group action on their behalf against an organization holding their data.

Feature Brainstorming, Development, and Review

Features Listed and Grouped by GDPR Right

Right to Information
• Have a posted or configurable privacy policy
• Notify on cookie use by the site
• End user license agreement confirmation

Right of Access
• Have a way for users to see "What do you know about me?"

Right of Rectification
• Have a way for users to change/update what the system knows about them
• Have contacts for questions/updates

Right to be Forgotten
• Delete as much as possible (except as legally required)
• Remove or phase out the individual's information from backups (see legal)
• Hide from searches where the data cannot be deleted (see legal)
• Remove the individual's information from logs (see legal)
• What does "forgotten" mean to your product?

Right to Restrict Processing
• Acquire user consent for data usage
• Follow the user's consent decision (as much as possible)
• Under-age tracking with parent approval

Right to Data Portability
• Have a way for users to download "what you know about me"
• Have a way for users to export the entire set of records
• Have a way to choose the format of the data export

Right of Notification
• Have a way to notify users if/when the privacy policy changes
• See who accessed my stuff and when
• Have a way to notify users if/when a privacy incident occurs

Right to Object
• Have an unsubscribe for spam
• Opt-in to marketing messaging and data by default
• Have a way for users to change their consent choice for demographics/marketing
• Allow humans to correct a decision based on automated processing
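The features above are stated at product level. As an added example (not code from the talk, GE Healthcare, or any real product), the following hypothetical personal-data store shows how several of them fit together in one component: access/portability as an export in a user-chosen common format, rectification, opt-in consent that processing checks before acting, erasure that keeps only fields an assumed legal-hold rule requires and hides the remainder from search, and a per-subject access log so a user can see who touched their record and when. The class, method and field names and the `LEGAL_HOLD_FIELDS` rule are assumptions; the sample subject data is constructed.

```python
"""Hypothetical personal-data store illustrating GDPR-readiness features.
Added example, not code from the talk; all names and the legal-hold rule
are assumptions."""
import csv
import io
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Assumed outcome of the "see legal" review: fields that must survive an
# erasure request (e.g. billing records kept for tax/audit purposes).
LEGAL_HOLD_FIELDS = {"invoice_history"}


@dataclass
class Subject:
    subject_id: str
    data: Dict[str, object]
    consent: Dict[str, bool] = field(default_factory=dict)   # purpose -> granted
    access_log: List[dict] = field(default_factory=list)     # who/when/what, no PII
    hidden: bool = False  # erased-but-legally-retained records stay out of search


class PersonalDataStore:
    def __init__(self) -> None:
        self._subjects: Dict[str, Subject] = {}

    def add(self, subject_id: str, data: Dict[str, object]) -> None:
        self._subjects[subject_id] = Subject(subject_id, dict(data))

    def _log(self, s: Subject, actor: str, action: str) -> None:
        # The log records actor and action only, so it never has to be scrubbed
        # of the subject's personal data later on.
        s.access_log.append({"when": datetime.now(timezone.utc).isoformat(),
                             "who": actor, "action": action})

    # Right of Access / Right to Data Portability: everything held about the
    # subject, in a common format the user chooses ("json" or "csv").
    def export(self, subject_id: str, actor: str, fmt: str = "json") -> str:
        s = self._subjects[subject_id]
        self._log(s, actor, "export")
        if fmt == "json":
            record = {"subject_id": s.subject_id, "data": s.data,
                      "consent": s.consent, "access_log": s.access_log}
            return json.dumps(record, indent=2, sort_keys=True)
        if fmt == "csv":
            buf = io.StringIO()
            writer = csv.writer(buf)
            writer.writerow(["field", "value"])
            for key, value in sorted(s.data.items()):
                writer.writerow([key, json.dumps(value)])
            for purpose, granted in sorted(s.consent.items()):
                writer.writerow([f"consent.{purpose}", granted])
            return buf.getvalue()
        raise ValueError(f"unsupported export format: {fmt}")

    # Right of Rectification: let the user correct what the system holds.
    def rectify(self, subject_id: str, actor: str, changes: Dict[str, object]) -> None:
        s = self._subjects[subject_id]
        s.data.update(changes)
        self._log(s, actor, "rectify:" + ",".join(sorted(changes)))

    # Right to Restrict Processing: consent is opt-in, so an unrecorded
    # purpose is treated as "not granted"; processing must check may_process().
    def set_consent(self, subject_id: str, purpose: str, granted: bool) -> None:
        s = self._subjects[subject_id]
        s.consent[purpose] = granted
        self._log(s, "self", f"consent:{purpose}={granted}")

    def may_process(self, subject_id: str, purpose: str) -> bool:
        s = self._subjects.get(subject_id)
        return bool(s and s.consent.get(purpose, False))

    # Right to be Forgotten: delete as much as possible; whatever legal
    # requires us to keep is retained but hidden from search. Returns the
    # names of retained fields so the user can be told what was kept and why.
    def erase(self, subject_id: str, actor: str) -> List[str]:
        s = self._subjects[subject_id]
        retained = sorted(k for k in s.data if k in LEGAL_HOLD_FIELDS)
        s.data = {k: s.data[k] for k in retained}
        s.consent.clear()
        if retained:
            s.hidden = True
            self._log(s, actor, "erase:partial")
        else:
            del self._subjects[subject_id]
        return retained

    def search(self, field_name: str, value: object) -> List[str]:
        return [sid for sid, s in self._subjects.items()
                if not s.hidden and s.data.get(field_name) == value]

    # Right of Notification: "see who accessed my stuff and when".
    def who_accessed(self, subject_id: str) -> List[dict]:
        s = self._subjects.get(subject_id)
        return list(s.access_log) if s else []
```

The erasure path is the part worth studying: because `erase()` reports what it kept, the product can answer "what does forgotten mean here?" explicitly to the user instead of silently retaining data, and the `hidden` flag is what keeps a legally retained record from resurfacing through search.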

PDF document: 2020_USA20_PS-W11_01_A Mapping of GDPR to Common Feature
