How to tackle GDPR on your DevOps journey
GDPR is still the main topic of discussion in many organizations. Of course, this is not surprising, given the extreme fines and regulations. Especially when teams are moving towards Continuous Delivery and DevOps, this is something that really needs to be thought about. Because if you’re continuously delivering new features faster, how will you make sure you stay GDPR compliant? Below, I will give you an example of how we do it at my current customer.
In this organization, all sorts of institutions have a say in what can go live and how data is treated. Any application goes through a security requirements list, a threat vulnerability assessment and gets a score based on Availability, Confidentiality and Integrity. Those assessments are assembled based on all those imposed requirements, such as GDPR. Depending on the score, you may not have to take all the measures another team might (for example: if by design you clearly will not and cannot handle or store privacy-related data).
The main challenges for any Dev(Ops) team are:
- Do enough upfront design to be able to make those assessments. Become acquainted with the why behind the assessments, so you understand what you need to get right the first time and what you can improve further down the line; that way you avoid BUFD (big up front design, which is a bad practice).
- Get acquainted with the people judging the assessments to get fast feedback and discuss it face to face. It sounds simple, but this process can quickly feel like being judged by some foreign entity, whereas the assessors should be involved in the making of your product as much as you are.
- Be prepared to learn about all sorts of network, encryption, and backup/restore implications that might not be as sexy as trying the latest Node.js library. You may even have to spike it just to understand it properly.
- Live up to the design; don’t just write it and ignore it. Find a way to test the implementation as part of your sprint.
- Share the design. Make the implementation part of sprint reviews and demos. Let other teams learn from the implications you found.
Hopefully, this will help you on your DevOps journey! Of course, if you still have questions you can always leave a comment or contact us at firstname.lastname@example.org. And for our training courses regarding Security (and DevOps) please visit: www.devon.nl/en/training-courses
This blog was written by Jasper Bogers.