GDPR is a pretty new buzzword everybody is talking about. While initially aimed at big players like Facebook, Google and LinkedIn, it also affects small businesses. If you have checked the requirements and the penalties for not complying with them, you know that they are huge. The tricky thing is that if you have at least one client from the EU, you automatically fall under GDPR requirements. What about Geo IP and WAF techniques, you may ask? You know how easy it is to bypass them with onion routing or VPN services. And that’s it. Blind Lady Justice makes no distinction.

While heavy fines and checks against small businesses are not expected right now, they may happen in the near future as the GDPR legal basis matures.

It may hit your business really hard if your system has design flaws and is not prepared for GDPR enforcement. But if it was designed with the right architecture, a modular approach, a well-known and transparent data flow, and some common sense, deployed to a GDPR-compliant cloud (link), and has passed security testing (link) such as OWASP or NCSC, all you need to do is compile a couple of PI (Personally Identifiable information) handling policy documents, update your privacy policy, and add a simple form to allow processing of ‘right to be forgotten’ requests. All the systems we built at Bekitzur meet the criteria above and are GDPR-compliant by design.

In order to track compliance in an easy-to-follow and clear manner, we’ve created a checklist which explains how we comply with each requirement.

Checklist

Data

  • Your company has a list of all types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it.
  • Your company has a list of places where it keeps personal information and the ways data flows between them.

All our projects go through a well-established onboarding pipeline with a known set of artifacts. We define and document the domain and data model, storages, data flow and lifecycle at an early stage of the project.

All data that could be categorised as PI is modeled to be stored separately, so we avoid scattering it across pipelines and storages.

We use storages with data-encryption capability and deploy only on secure infrastructure.

We prefer HA clusters, so we avoid issues with cold storages and backups.

Reference:

Accountability & Management

  • Create awareness among decision makers about GDPR guidelines
  • Train staff to be aware of data protection

We know enough about GDPR to say that we are facing only its first edition, and changes will follow.

While many vendors say that they are GDPR certified, there is no known certification or recommended-vendors list issued by the regulator.

Our core team members have passed the EU GDPR Foundation training, which is probably the best option to raise GDPR awareness.

We can help your employees pass EU GDPR F and EU GDPR P, or CIPP/E, and become DPOs.

We will consult your stakeholders on GDPR and help you do it right. After all, GDPR is about how you treat PI and nothing else.

Reference:

Make sure your technical security is up to date

Maintaining data security is one of the key points in preventing PI leaks, which as per GDPR must be reported to both the client and the authorities.

Our CI/CD pipelines have built-in OWASP checks that guarantee early detection of security issues.

Reference:

You have a list of sub-processors and your privacy policy mentions your use of these sub-processors

Over the years we have compiled a list of trusted 3rd-party providers for additional functionality such as SMS verification, identity and document verification, eSignature, etc.

Reference:

You report data breaches involving personal data to the local authority and to the people (data subjects) involved

Any personal data breaches should be reported within 72 hours to the local authority, including what data has been lost, what the consequences are and what countermeasures have been taken. Unless the data leaked was encrypted, you should also report the breach to the person (data subject) whose data you lost.

We encrypt data storages (the file system is also encrypted) and use a VPC with a bastion host and VPN, a WAF, and other techniques to guarantee the safety of any data, including PI.

Reference:

  • GDPR Article 33 — Notification of a personal data breach to the supervisory authority
  • GDPR Article 34 — Communication of a personal data breach to the data subject

Customer Rights

  • Your customers can easily request access to their personal information
  • Your customers can easily update their own personal information to keep it accurate
  • Your customers can easily request deletion of their personal data
  • Your customers can easily request that you stop processing their data
  • Your customers can easily request that their data be delivered to themselves or a 3rd party
  • Your customers can easily object to profiling or automated decision making that could impact them

This part is generally known as the ‘right to be forgotten’ and may be an issue if user data is scattered across the system. We always cluster PI to make this easier.

We’ve also made a simple form for such requests that can be integrated with a helpdesk or task-tracking system and processed manually or even automatically.

Reference:

You automatically delete data that your business no longer has any use for

All systems we’ve built have a well-defined data life cycle and archive / cleanup procedure. Data is removed automatically when it’s no longer required.
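As an added example (not Bekitzur’s code), here is one way to structure the PI separation described in the Data section and relied on in the Customer Rights section: personal data lives in a single store keyed by a random pseudonym, business records reference only that pseudonym, so an erasure request is a single delete and the scheduled retention cleanup runs over one table. The class names, the 30-day retention period and the two sample customers are assumptions constructed for illustration.

```python
"""Added example: PI kept in one store keyed by an opaque pseudonym, so that
erasure and retention-based cleanup each touch a single place.  Class names,
sample records and the retention period are constructed for illustration."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class PIRecord:
    name: str
    email: str
    stored_at: datetime


class PIStore:
    """The only place personal data lives.  Everything else in the system
    references a person through the random pseudonym returned by register()."""

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._records: dict[str, PIRecord] = {}

    def register(self, name: str, email: str, now: datetime) -> str:
        # A random token carries no information about the person, unlike a
        # hash of the e-mail, which could be recomputed and linked back.
        pseudonym = secrets.token_hex(16)
        self._records[pseudonym] = PIRecord(name, email, now)
        return pseudonym

    def lookup(self, pseudonym: str) -> PIRecord | None:
        return self._records.get(pseudonym)

    def erase(self, pseudonym: str) -> bool:
        """Right to be forgotten: one delete, because PI is not scattered."""
        return self._records.pop(pseudonym, None) is not None

    def purge_expired(self, now: datetime) -> list[str]:
        """Automatic lifecycle cleanup: drop PI older than the retention period."""
        expired = [p for p, r in self._records.items()
                   if now - r.stored_at >= self.retention]
        for p in expired:
            del self._records[p]
        return expired

    def __len__(self) -> int:
        return len(self._records)


class OrderStore:
    """Business records hold only the pseudonym, so they can be kept for
    accounting after the PI row is gone; without that row the pseudonym no
    longer identifies anyone."""

    def __init__(self) -> None:
        self._orders: list[tuple[str, str, float]] = []

    def add(self, pseudonym: str, item: str, amount: float) -> None:
        self._orders.append((pseudonym, item, amount))

    def count(self) -> int:
        return len(self._orders)


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the walkthrough


def walkthrough() -> dict:
    """Register two constructed customers, serve one erasure request, then run
    the scheduled cleanup, and report what each store still holds."""
    pi = PIStore(retention=timedelta(days=30))
    orders = OrderStore()

    alice = pi.register("Alice Example", "alice@example.com", NOW - timedelta(days=40))
    bob = pi.register("Bob Example", "bob@example.com", NOW - timedelta(days=5))
    orders.add(alice, "book", 12.50)
    orders.add(bob, "pen", 2.00)

    erased = pi.erase(bob)            # Bob's 'right to be forgotten' request
    purged = pi.purge_expired(NOW)    # Alice's PI is past the 30-day retention

    return {
        "erased": erased,
        "purged": len(purged),
        "alice_purged": alice in purged,
        "pi_remaining": len(pi),
        "orders_kept": orders.count(),  # order rows stay, but are unlinkable
        "bob_still_known": pi.lookup(bob) is not None,
    }


if __name__ == "__main__":
    print(walkthrough())
```

In a real deployment the two stores would be separate databases or schemas with separate access controls, and `purge_expired` would run as a scheduled job; the point the walkthrough makes is that both the manual erasure path and the automatic cleanup only ever touch the PI store.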

Reference:

  • GDPR Article 5 — Principles relating to processing of personal data

Special Cases

You should only transfer data outside of the EU to countries that offer an appropriate level of protection

We use only proven infrastructure providers, like AWS, which have data centers across the globe. Any data transfers, such as cross-data-center replication, are secured and encrypted.

Reference:

Talk to Us