
What Does GDPR by Design Mean For You?

As reported on November 22, 2018, a German social media platform called has been fined €20,000 ($22,735 USD) following a breach that exposed the personal information of 330,000 users, including their passwords and e-mail addresses, according to a statement (in German) by the regional Baden-Württemberg data protection watchdog (LfDI Baden-Württemberg). The chat/flirt/social media site, one of the country’s largest chat platforms, notified the authorities in September after it learned that 1.87 million username/password combinations and over 800,000 e-mail addresses had been dumped on and stated on its site that it had verified 330,000 e-mails belonged to unique users. In some cases, the users’ real names and home addresses were also leaked in the attack, which was found to have taken place in July. During the investigation it was identified that stored user passwords in clear text. By storing user passwords in clear text, the company, knowingly or not, violated its duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a).

In our previous blog we emphasized the importance of ‘Design’. As we continue with this week’s blog, design is still relevant to the discussion and is one of the most important expectations we should all have of organizations that hold and process our personal information. When reengineering a legacy system, like what has done (ouch), solution architects and software engineers must be able to identify where personal information resides in the database(s). Systems design documentation and data maps are more than artifacts used to check a box for regulatory compliance: they drive important data processing decisions, and they serve to identify poor design decisions, like storing user passwords in clear text.
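The clear-text password storage called out above is exactly the kind of design decision a data map is meant to surface. The following Python is an added example, not code from this post or from Blueberry, Inc.: it shows the flawed pattern beside a hashed-credential store built on the standard library’s salted scrypt, and a small data-map style check that walks a constructed set of user rows and reports any account whose credential column still holds clear text. The cost parameters, function names and sample rows are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# scrypt cost parameters; these values are an assumption for illustration,
# not a recommendation taken from the post (128 * N * r bytes = 16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def store_password_clear_text(password: str) -> str:
    """The flawed pattern the post describes: the credential itself is what
    lands in the database, so any dump of the table is a dump of passwords."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt digest and encode it together with its
    parameters, so the stored value is self-describing and re-verifiable."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare it in
    constant time; a malformed record is treated as a failed login."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    try:
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def find_clear_text_credentials(rows: List[Tuple[str, str]]) -> List[str]:
    """Data-map style check over (username, stored_credential) rows: return
    the users whose credential column is not in the hashed format."""
    return [user for user, stored in rows if not stored.startswith("scrypt$")]


# Constructed sample rows standing in for a users table; "bob" is the row a
# review of the credential column should flag.
SAMPLE_ROWS = [
    ("alice", hash_password("correct horse battery staple")),
    ("bob", store_password_clear_text("hunter2")),
]

if __name__ == "__main__":
    print(find_clear_text_credentials(SAMPLE_ROWS))  # ['bob']
```

The stored string carries its own salt and cost parameters, which is what lets the parameters be raised later without breaking existing records: on a successful login the record can be re-hashed under the new settings. The audit function is deliberately crude (a format prefix check), which is enough for the data-map question “what security measures protect this column?” when the answer should never be “none”.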

What does “GDPR by Design” mean for you?

GDPR is first of all demanding because of its detailed transparency requirements. Any organization, as well as any other body that processes personal information, is to a large extent required to document the processing, ensure the lawfulness of processing, document the existence of sufficient procedures, provide information on security measures and ensure that sufficient data processing agreements are in place. Systems design and documentation are therefore critical to understanding the data an organization stores, where it is located and the processing the data is subjected to.

Let’s expand upon the importance of design further and flesh out more details in some key areas of compliance.

Data Map

Data mapping is the process of creating a visual representation of all of the data an organization collects and stores, providing insight into the potential risks associated with specific data definitions such as personally identifiable information, e-mail addresses and passwords. As an integral part of systems design, and as required to satisfy GDPR compliance, data mapping provides a documented means for organizations to understand what data is being collected, where the data originates, where it is being stored and the conditions under which it is stored (the ‘why’). When not taken into consideration during design, data mapping can be a challenging process for organizations to retrofit onto legacy platforms. Data mapping can help organizations meet aspects of GDPR compliance by identifying and addressing potential privacy issues and risks to the confidentiality, integrity and availability of stored data.

The Data Map shall answer the following questions:

  • What data is being collected? Does it fall under ‘Special Category’ data?
  • How is data collected and from where? E.g. Site import utility, Site Registration, User authored.
  • Has the Data Subject given explicit consent for data collection and processing?
  • Where is the data stored and who has access to the data?
  • What security measures are in place to protect the data?
  • Does the data have appropriate technical and organizational safeguards?
  • If data is shared, how is it shared – is it encrypted? Is it minimized?
  • Is pseudonymization employed?
  • Does it leave the host country?
  • Are any third-party organizations involved?
  • How long is data kept? Does it follow data retention policies?

A Data Breach/Incident Response Plan

The purpose of the Data Breach/Incident Response Plan is to prevent and/or minimize a serious loss of Profits, Customer Confidence or Information Assets by providing an immediate and effective response to any unexpected event involving Computer Information Systems, Networks or Databases.

Goals of Incident Response

In the event of a Privacy or Security incident, the goals of Blueberry, Inc’s Incident Response Team are to:

  • Investigate the incident internally (in cooperation with law enforcement as required).
  • Mitigate potential harm to affected Parties.
  • Minimize adverse impact to Blueberry, Inc. in an ethically and legally appropriate manner, to include minimizing a reduction in operations, reputational harm, and/or financial harm.
  • Appropriately communicate the incident or loss to:
    1. Affected Parties in a timely manner, inclusive of everything known about the event.
    2. Regulatory Agencies or other entities (as appropriate or required).
    3. Employees (as appropriate or required).
    4. The Information Commissioner’s Office in respect to GDPR (as appropriate or as required for Customers residing within jurisdiction).
    5. The Merchant/Acquiring Bank or respective Card Brand (Visa, MasterCard, Discover, etc.) in respect to PCI.
  • Provide guidance or assistance in the development of specific corrective actions (including disciplinary actions when appropriate).
  • Conduct post-incident reviews, training and education, the implementation of or modifications to any configuration/software controls, and provide internal communications in order to minimize potential future incidents.

Data Subject Access Request

Prior to GDPR, a Data Subject Access Request (DSAR) was typically associated with employees requesting what personal information their employer held about them, how this information was being used, whether their personal information left the organization, and if it did, for what purpose. Now, as defined in GDPR Article 15, if you wish to gain access to the personal information an organization holds about you as an individual, you only need to complete a Data Subject Access Request form. As you may recall from our last blog, Mr. Schrems, an attorney in Europe, submitted a Data Subject Access Request to Facebook and received a 1,200-page PDF representing three years of casual usage!

Submitting a DSAR

Upon receipt of your DSAR form (available with the platform launch in January 2019) and the appropriate supporting documents, our Data Protection Officer will review your request and notify you of the latest date by which we aim to provide this information. When we have collated the data, we will send you a copy of your details according to the medium you selected on the DSAR form. The ability to execute your DSAR with a high degree of confidence and accuracy is the product of having a comprehensive and maintained Data Map.

Blueberry, Inc. is committed to:

  • Providing the requested information promptly (within 30 days as stipulated by GDPR).
  • Ensuring that the information provided is complete and accurate to the best of our ability.
  • The timely correction of any errors in the information as and when we are notified.
  • Providing reasons why we hold the information.
  • Providing details of the source of the information.
  • Providing details of the people or organizations that might receive the information.

Want to learn more about GDPR? Read our other blogs on the subject.
