search

rustdesk / rustdesk-server-pro

Some scripts for RustDesk Server Pro are hosted here.
143 stars 73 forks source link

GDPR compliant #167

Open rustdesk opened 11 months ago

rustdesk commented 11 months ago

Whie we are developing our SaaS cloud version, we will have to handle this.

Let's track it here. If you know GDPR well and have some suggestion, please let us know here.

Maurizio-DM commented 11 months ago

First of all, check if your server location is ok. https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en

Bresel1 commented 5 months ago
  1. server location as said above, easiest would be to have two locations one inside the EU for EU customers, one outside
  2. Appoint a Data Protection Officer (DPO): find a good lawyer or legal firm to assist you with the below points
  3. create a list of sub-processors, purpose of sub-processors and which information they have access to, this includes any and all software you use for your day to day operations, even productivity software such as Miro/Figma... if it contains personal data of your customers
  4. your TOMs (technical organisational measures) you are using to comply with applicable laws and protect end-users data
  5. deletion concepts and processes need to be established for all data and data locations
  6. establish a roles and rights concept within your company that clearly defines who has access to what at any given time, this does not need to be published but in the case of a breach you will need to be able to show that only people that needed access to info had access (as opposed to everyone working for you) - this is called Principle of least privilege
  7. create an IT emergency plan which clearly outlines who is responsible in a breach, what actions to take and any redundancies you have to switch your operations over (which obviously includes setting up said redundancies first)
  8. Create an IT security concept
  9. you have to compile all the information into a Data Processing Addendum that you have to have ready for every customer in the EU, it needs to be signed by you and by the customer, it is a legally binding contract and any infractions could be seen as a contract violation

Prepare for a lot of work, this should not be done by an overworked IT person, this is a full-time position and if you don't get the rest of your team on board, you will already lose the battle. It only takes one person in your company to do something stupid for you to get fined till the steam comes out of your ears.