The EU GDPR, which came into force in May 2018, protects all EU citizens from privacy and data breaches. According to the GDPR FAQ:
In other words, if a company is providing services to customers in the European Union, its data handling will need to comply entirely with GDPR. From a DevSecOps point of view, it's related to data collection, handling, storage, backup, modification, transport, and removal—in a secure manner. According to GDPR Article 5, there are six privacy principles:
- Lawfulness, fairness, and transparency
- Purpose limitations
- Data minimization
- Accuracy
- Storage limitations
- Integrity and confidentiality
GDPR, like other security compliance policies, doesn't define the technical approach to achieve it. GDPR can still be too high-level for an engineering team. It needs to translate into software security requirements, design, threat modeling, tools, and so on. The following table summarizes typical security practices for the engineering team:
|
Stage |
Common security practices for privacy or sensitive info handing |
|
Design |
Privacy Impact Assessment (PIA) |
|
Coding |
|
|
Testing |
OWASP testing for weak cryptography, testing for error handling, testing for configuration, and so on |
|
Deployment |
|
|
Monitoring |
|
