Codemotion Magazine
How to comply with GDPR in a serverless world

Codemotion and Facebook organized the Tech Leadership Training boot camp; here's a personal reportage from one of our attendees.

Last update May 29, 2019 by Toby Moncaster

Two of the biggest buzzwords of 2018 are Serverless and GDPR. So, when I saw a talk titled “How to go serverless and not violate the GDPR”, I was hooked!

There are good reasons why everyone is talking about Serverless and GDPR. Serverless technology transforms app development. Getting rid of the backend servers and connecting directly to service APIs simplifies development significantly. Meanwhile, the adoption of GDPR on May 25th, 2018 saw a radical change in emphasis for data protection. Suddenly, developers and app providers became responsible not just for protecting user data, but also for providing mechanisms to allow users to access and delete their data and to give consent about how it is used. All of this is backed up by the threat of some of the toughest fines in the world.

For many people, GDPR threatens to kill off the serverless dream. In a serverless architecture, how on earth do you know where your data is being stored, how do you ensure it’s deleted and how do you control access to it? Surely, that makes it totally incompatible with the aims of GDPR?

In the talk, Sebastian Schmidt and Rachel Myers, both engineers on Google’s Firebase team, showed how Firebase can solve these issues using its security, logging and record deletion APIs. They gave some great advice on how to design a GDPR-compliant serverless app:

  1. Reduce the amount of data you store. If your app needs to check users are over 18 and EU citizens, don’t store their DOB and country of origin, just use flags for is_adult and is_EU.
  2. Analyse exactly what data you need to store. Move away from “store all the things”. Do a proper audit of your app and be prepared to repeat this as your design evolves.
  3. Make it easy for the customer to delete their data if they no longer want it stored.
  4. Don’t rely on customers deleting stuff – if data becomes obsolete, you should proactively delete it.
  5. Ensure you get clear consent from your users and, importantly, make sure you log this in an append-only log.
  6. You need a plan for how to deal with existing data if your customer withdraws or alters their consent. The right plan may depend on the type of data and the app.
  7. Use good access controls to make sure private data can’t be seen by anyone other than the user. Make sure any privacy settings are persisted properly.
  8. Log everything! Audit logs are essential to show you are being compliant with GDPR.
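To make the eight guidelines concrete, here is an added example (it is not code from the talk, from Firebase, or from the Friendly Pix app) that models them in plain JavaScript. The flag names is_adult and is_EU come from the article; the store, the consent purposes ("analytics", "profile_storage"), the audit action names and the Map-backed storage are constructed stand-ins for the Firebase services a real app would use, and the inactivity threshold in purgeInactive is an assumed policy value rather than anything GDPR prescribes.

```javascript
// Added example (not from the talk or the Friendly Pix project): an in-memory
// model of the GDPR design guidelines. Store layout, consent purposes and
// action names are constructed for illustration.

const EU_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
]);

// Guideline 1: derive only the flags the app needs; the raw date of birth and
// country are used once here and never reach storage.
function minimiseProfile(raw, now) {
  const dob = new Date(raw.dateOfBirth);
  let age = now.getUTCFullYear() - dob.getUTCFullYear();
  const birthdayPassed =
    now.getUTCMonth() > dob.getUTCMonth() ||
    (now.getUTCMonth() === dob.getUTCMonth() && now.getUTCDate() >= dob.getUTCDate());
  if (!birthdayPassed) age -= 1;
  return { is_adult: age >= 18, is_EU: EU_COUNTRIES.has(raw.country.toUpperCase()) };
}

class UserDataStore {
  constructor() {
    this.profiles = new Map(); // uid -> { flags, lastActive }
    this.consentLog = [];      // guideline 5: append-only, entries are frozen and never removed
    this.auditLog = [];        // guideline 8: every action that touches personal data
  }

  audit(actor, action, uid, ts) {
    this.auditLog.push(Object.freeze({ ts, actor, action, uid }));
  }

  // Guideline 7: a user may only touch their own data; denied attempts are logged too.
  authorise(actor, uid, ts) {
    if (actor !== uid) {
      this.audit(actor, "access.denied", uid, ts);
      throw new Error(`user ${actor} may not access data of user ${uid}`);
    }
  }

  // Guidelines 1 and 2: store the minimised profile, not the raw answers.
  register(uid, rawProfile, now) {
    this.profiles.set(uid, { flags: minimiseProfile(rawProfile, now), lastActive: now });
    this.audit(uid, "profile.create", uid, now);
  }

  getProfile(actor, uid, now) {
    this.authorise(actor, uid, now);
    const rec = this.profiles.get(uid);
    if (!rec) return null;
    rec.lastActive = now;
    this.audit(actor, "profile.read", uid, now);
    return { ...rec.flags };
  }

  // Guideline 5: consent decisions are appended, never edited. The current
  // state is whatever the latest entry for the (user, purpose) pair says.
  recordConsent(uid, purpose, granted, now) {
    const entry = Object.freeze({ seq: this.consentLog.length, ts: now, uid, purpose, granted });
    this.consentLog.push(entry);
    this.audit(uid, `consent.${granted ? "granted" : "withdrawn"}.${purpose}`, uid, now);
    // Guideline 6: withdrawing consent for storage triggers deletion of the stored profile.
    if (!granted && purpose === "profile_storage") this.deleteProfile(uid, uid, now);
    return entry;
  }

  hasConsent(uid, purpose) {
    for (let i = this.consentLog.length - 1; i >= 0; i--) {
      const e = this.consentLog[i];
      if (e.uid === uid && e.purpose === purpose) return e.granted;
    }
    return false; // no recorded decision means no consent
  }

  // Guideline 3: deletion on request. The consent and audit logs are kept, as
  // they are the evidence of compliance rather than product data.
  deleteProfile(actor, uid, now) {
    this.authorise(actor, uid, now);
    const existed = this.profiles.delete(uid);
    this.audit(actor, "profile.delete", uid, now);
    return existed;
  }

  // Guideline 4: do not wait for users; purge profiles idle longer than maxIdleMs.
  purgeInactive(now, maxIdleMs) {
    const purged = [];
    for (const [uid, rec] of this.profiles) {
      if (now - rec.lastActive > maxIdleMs) {
        this.profiles.delete(uid);
        this.audit("system", "profile.purge", uid, now);
        purged.push(uid);
      }
    }
    return purged;
  }
}
```

Two design choices are worth noting. Consent is never "updated": the current state is read by scanning the log backwards, so an audit can always show when a decision was made and what it replaced. Deletion removes product data only; the consent and audit logs survive because they are what proves compliance, which is exactly the distinction guidelines 3 and 8 draw.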

During the talk at Codemotion Berlin 2018, we were shown how Rachel used Firebase to create the Friendly Pix application, following the advice above to ensure GDPR compliance.

After the talk, I caught up with Rachel and asked how to apply this to an existing app. Her advice was “It’s possible, but it will be harder!” As with building an app from scratch, the first step is to understand exactly what data your app stores and then check if it is needed, or can be simplified/removed. You can then apply the guidelines above and hopefully make your app GDPR compliant without too much pain!

So, GDPR doesn’t mean the end of the serverless dream. You just have to make data protection one of your key design considerations.
