Ask HN: Good technical GDPR resources?
I am trying to find good technical resources for GDPR. Most of the articles I found up until now are generic guidelines and don't offer hints on how to implement them concretely (outside of some obvious things like having a "forget me" button).
I am working on an IoT startup with a cloud backend on AWS, so my interest is more geared toward how I could design my application from scratch to be compliant.
Examples of questions I have: - How should I design my services/infrastructure to be able to easily retrieve all personal information related to a user? - Are the data points collected by the sensors considered personal information (and thus must be deleted when the user terminate its account)?
Thanks a lot!
13 comments
[ 4.3 ms ] story [ 36.9 ms ] thread> How should I design my services/infrastructure to be able to easily retrieve all personal information related to a user?
Details depend on implementation. Might be just a simple API/DB call or more. IIRC your DB data should be encrypted, RDS supports encryption at rest out of the box.
> Are the data points collected by the sensors considered personal information (and thus must be deleted when the user terminate its account)?
If, by retrieving them, a user can be identified then yes. Can you use an UUID and control the info on the AWS side?
A common pattern is to use an envelop encryption scheme (like KMS for instance) and instead of actually deleting the data, you delete the key. This way, the data cannot be decrypted and is considered lost/deleted.
Special care should be taken in order to design your DB in a way to support deletion and data retrieval.
I like this idea. Downside is that if you want to view the data to debug a problem in production, it's harder.
Temperature alone doesn't say much. By comparison an email address can lead to a specific person.
and their other projects.
http://blog.totalcloud.io/benefits-s3-select-protect-data-gd...
There are of course some basic things you can do without understanding the legal, like how to store PII.
The example questions you have are poor. The first one depends on your infra, entirely. The second on depends on a) details you haven't supplied and b) legal structure around the data itself.
You need a consultant.
https://jacquesmattheij.com/gdpr-hysteria-part-ii-nuts-and-b...
It's the second of three pieces he did. The other two:
https://jacquesmattheij.com/gdpr-hysteria/
https://jacquesmattheij.com/so-your-start-up-receive-the-nig...
https://gdpr.eu/