
Ask HN: Good technical GDPR resources? - Sytten
I am trying to find good technical resources for GDPR. Most of the articles I found up until now are generic guidelines and don&#x27;t offer hints on how to implement them concretely (outside of some obvious things like having a &quot;forget me&quot; button).<p>I am working on an IoT startup with a cloud backend on AWS, so my interest is more geared toward how I could design my application from scratch to be compliant.<p>Examples of questions I have:
- How should I design my services&#x2F;infrastructure to be able to easily retrieve all personal information related to a user?
- Are the data points collected by the sensors considered personal information (and thus must be deleted when the user terminate its account)?<p>Thanks a lot!
======
atmosx
Hopefully we're not talking health/medical IoT devices. If that's the case,
please hire a consultancy to help along.

> How should I design my services/infrastructure to be able to easily retrieve
> all personal information related to a user?

Details depend on implementation. Might be just a simple API/DB call or more.
IIRC your DB data should be encrypted, RDS supports encryption at rest out of
the box.

> Are the data points collected by the sensors considered personal information
> (and thus must be deleted when the user terminate its account)?

If, by retrieving them, a user can be identified then _yes_. Can you use an
UUID and control the info on the AWS side?

A common pattern is to use an envelop encryption scheme (like KMS for
instance) and instead of actually _deleting_ the data, you delete the key.
This way, the data cannot be decrypted and is considered lost/deleted.

Special care should be taken in order to design your DB in a way to support
deletion and data retrieval.

~~~
Sytten
Not not medical. > Details depend on implementation. Might be just a simple
API/DB call or more. IIRC your DB data should be encrypted, RDS supports
encryption at rest out of the box. Make sense, but it's more the scaling of
this concept that worries me (when you start to have multiple services and
DBs). It's easy to forget one API call. > If, by retrieving them, a user can
be identified then yes. Can you use an UUID and control the info on the AWS
side? Points will be linked to a user via a UUID yes, but (for example) is the
temperature of the room at time X considered personal data?

I like this idea. Downside is that if you want to view the data to debug a
problem in production, it's harder.

~~~
atmosx
> [...] is the temperature of the room at time X considered personal data?

Temperature alone doesn't say much. By comparison an email address can lead to
a specific person.

------
techslave
There aren't good tech resources because GDPR isn't tech driven. You have to
start from a legal standpoint. The tech will present itself from there, highly
dependent on your architecture.

There are of course some basic things you can do without understanding the
legal, like how to store PII.

The example questions you have are poor. The first one depends on your infra,
entirely. The second on depends on a) details you haven't supplied and b)
legal structure around the data itself.

You need a consultant.

------
DoreenMichele
I'm not sure what you mean by technical and I'm surprised no one else has
already listed this:

[https://jacquesmattheij.com/gdpr-hysteria-part-ii-nuts-
and-b...](https://jacquesmattheij.com/gdpr-hysteria-part-ii-nuts-and-bolts/)

It's the second of three pieces he did. The other two:

[https://jacquesmattheij.com/gdpr-hysteria/](https://jacquesmattheij.com/gdpr-
hysteria/)

[https://jacquesmattheij.com/so-your-start-up-receive-the-
nig...](https://jacquesmattheij.com/so-your-start-up-receive-the-nightmare-
gdpr-letter/)

------
onnnon
Complete guide to GDPR compliance:

[https://gdpr.eu/](https://gdpr.eu/)

------
johnnycab
This is probably not the most comprehensive or iron-clad solution. However, it
might be of some help to you.

[http://blog.totalcloud.io/benefits-s3-select-protect-data-
gd...](http://blog.totalcloud.io/benefits-s3-select-protect-data-gdpr-
compliance/)

------
baxosin
IAB Tech Lab and their Consent Management Platform:
[https://github.com/InteractiveAdvertisingBureau/GDPR-
Transpa...](https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-
and-Consent-Framework)

and their other projects.

------
alireza94
Have you looked at [https://aws.amazon.com/compliance/gdpr-
center/](https://aws.amazon.com/compliance/gdpr-center/) and
[https://gdprchecklist.io](https://gdprchecklist.io) ?

~~~
Sytten
I was not familiar with the AWS link, I will take a look. Thanks!

------
therealmarv
Search HN itself (at the bottom of this page). One really good article e.g.
"GDPR – A Practical Guide for Developers"
[https://news.ycombinator.com/item?id=16508435](https://news.ycombinator.com/item?id=16508435)

------
anconia
What's a good way to contact you? I agree with you that the majority of
articles out there are more general than technical.

~~~
Sytten
You can email me at: emile [at] jdis.ca Thanks!

