GDPR and DPO AppSec implications
Anders Reeves
Dinis Cruz, Francois Raynaud, Phil Parker, Stuart Gunter, Don Gibson, Robert Morschel, Neil Barlow, Steven van der Baan, Bjoern Kimminich
Kevin Fielder, Dilek Koluman, Clare Creeden


GDPR (General Data Protection Regulation) is a major EU Regulation that will affect every company that does business with the EU, which is just about every major company worldwide.

This Working Session will discuss some aspects of GDPR, including the role of the DPO (Data Protection Officer), the wider definition of PII data (like IP Addresses), and the need to report breaches and incidents within a short time period.


  • AppSec professionals
  • DPOs (and DPOs Service providers)
  • CISOs
  • Heads of InfoSec


  • Generate the list of 10 questions for the ICO to clarify the implications for AppSec specifically
  • Generate the list of questions for the ICO regarding general implications

Synopsis and Takeaways

Letter in final draft stage.

Working materials

We need to be much more focused on the questions to ask, and provide as much information about the answers as we are able to figure out.

List of questions (AppSec implications)

  • What are the AppSec implications of this regulation?
  • What is the accepted format/notation for data flows and data at rest documentation requirements?
  • How to include the DPO as part of the software security governance?
  • What constitutes personal data and what about edge cases? (Post code, First Name + Last Name, IP Address etc.)

List of questions (General implications)

  • Can it be used to improve existing Application Security practices and activities?
  • What are the real requirements for the DPO and what should he/she focus on?
  • How to become a DPO (and how to hire one)
  • The role of SOC in detecting and reporting security incidents

List of companies that will sign the first version

Working Document