==================================
Ethical & GDPR
==================================

Introduction
--------------

When saving the data of users, one must make sure that the persistence of this data is in compliance with the GDPR (General Data Protection Regulation). Specifically, if the data that is being persisted is traceable to a person, it must be well protected.

Theory
--------

The GDPR is a regulation in EU law and has been since 14 April 2016. Since it is a regulation, and not a directive, it is directly binding and applicable, but it also provides flexibility for individual member states, allowing them to change certain aspects of the regulation.

It is not just about data control; it also enforces a few rights for users:

- The right to be forgotten: have your data deleted on your request.
- The right to see or change (rectify) your own data.
- The right to be notified when a company leaks your data.
- The right to object to certain processing of your data (for example, an automated system that doesn't take your full situation into account).
- The right to request your data in a machine-readable form (not necessarily Excel sheets, but certain standardized formats such as .json, .csv, or .xml files).

Implementation
---------------

The EU has a site with a checklist for the GDPR. See it here: https://gdpr.eu/checklist/

For the 'implementation' of this chapter I will attach answers to the checklist.

Data security
^^^^^^^^^^^^^

- Take data protection into account at all times, from the moment you begin developing a product to each time you process data.

  With every layer, the level of security is hardened.

  .. image:: https://i.imgur.com/ZQnJ448.png

  The network has been set up using a technique called Defense-in-Depth in Cyber Security.

  .. image:: https://i.imgur.com/VLC7Lx8.png

- Encrypt, pseudonymize, or anonymize personal data wherever possible.

  Since JSON Web Tokens (JWTs) were implemented, the back-end no longer needs to store user credentials. If role-based authorization is added as a requirement, storing them may become useful once more. There are no further instances of personal data.

- Create an internal security policy for your team members, and build awareness about data protection.

  There is no team. Awareness among users could be built by reminding them not to use their real-life name when choosing a username.

- Know when to conduct a data protection impact assessment, and have a process in place to carry it out.

  When signs of a breach become apparent through the defense-in-depth implementation, an assessment has to be done to determine the severity.

- Have a process in place to notify the authorities and your data subjects in the event of a data breach.

  In the Netherlands this is done by using the data leak form found here: https://datalekken.autoriteitpersoonsgegevens.nl/

Privacy rights
^^^^^^^^^^^^^^^^^^

- Q: It's easy for your customers to request and receive all the information you have about them.

  - A: They can obtain all their information from the user interface or through the REST API.

- Q: It's easy for your customers to correct or update inaccurate or incomplete information.

  - A: Given that the user is authorized, they are able to update their own data.

- Q: It's easy for your customers to request to have their personal data deleted.

  - A: Customers have full control over their own data in Ramses, and are able to delete their own account.

- Q: It's easy for your customers to ask you to stop processing their data.

  - A: There's no direct form enabling customers to do this; however, with contact information it could be possible.

- Q: It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.

  - A: There is currently no option to dump all of the user's data in a format that can be transferred, nor are there plans to create such functionality.

- Q: It's easy for your customers to object to you processing their data.

  - A: Ramses currently has no plans for third parties processing its data, so this is a non-issue.

- Q: If you make decisions about people based on automated processes, you have a procedure to protect their rights.

  - A: This is not the case.