Concept - GDPR Export

1 Introduction

The General Data Protection Regulation is a regulation of the European Union that defines the processing of personal data. To comply with this regulation, we introduced GDPR handling. This concept describes the GDPR export feature and how customers can customize it. The GDPR export was designed to be generic, adaptable and migration-friendly. Fields of persistent objects containing any kind of personal data can be serialized as JSON. When the process is completed, the CSR (the administrator) can download the data as a ZIP archive.


1.1 Glossary

Term | Description
CSR | Customer service representative
GDPR | General Data Protection Regulation
JSON | JavaScript Object Notation
Serialization | Transformation of a Java object to JSON
Absent value | Value of a referential type (like Java 8 Optional)

1.2 References

2 Export Overview

The export logic is located in the bc_gdpr cartridge within the f_business component set. The diagram below presents the export algorithm.

  1.  Crawl tables and get all data.
  2.  Filter out non-personal data.
  3.  Provide data for serialization.
  4.  Group data into files.
  5.  Combine JSON files in a single ZIP archive.


Directory and Files
GDPR directory in server | share\sites\<Org-Chanel-Site>\1\units\<Org-Chanel>-Anonymous\gdpr
Filename pattern | <Org-Chanel-Site>_<first name>_<last_name>_<request id>.zip

[Diagram: GDPR_export_seq]

3 Filtration of Personal Data

Because of the complexity of persistent objects and the importance of the data, we provide filtering logic. The filtering is implemented by a custom JsonFilter provided by Jackson.

There are two classes responsible for this logic:

  • PropertyFilterGDPRImpl - Adds the specific filtering logic and supports different scopes, for a specific table or global: ignorePropertyInTable, ignoreALL.
  • PropertyFilterConfigurationProviderGDPRImpl - Declares which properties must be ignored and the instance of PropertyFilterGDPRImpl.


@Inject
private PropertyFilterGDPRImpl propertyFilterGDPRImpl;

For a list with all ignored properties, refer to Concept - GDPR Export.

4 Serialization Preferences

The serialization preferences must be defined in the Jackson ObjectMapper. In this project they are declared in MapperBasicConfigSetting. The ObjectMapper has a provider that makes all default settings available to the mapper.

@Inject
@Named("JacksonObjectMapperGDPR")
private ObjectMapper objectMapper;

JacksonObjectMapperGDPR Settings:

Preference | Default value
Visibility | serialize only public methods and fields
Write dates as timestamp | disabled
Fail on empty bean | disabled
Serialization inclusion | without empty and absent values
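
The following is an added example, not code from the bc_gdpr cartridge: it shows how the preferences in the table above and a scoped ignore filter like the one described in section 3 can be expressed with the public Jackson 2.x API. The class names, the filter id "gdpr", the sample object and its property names are assumptions for illustration; Java 9 or later is assumed for Set.of and Map.of.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.ser.PropertyWriter;
import com.fasterxml.jackson.databind.ser.impl.*;
import java.util.*;

public class GdprExportSketch {
    // Hypothetical deny-list filter with a global and a per-type ("table") scope.
    static class ScopedFilter extends SimpleBeanPropertyFilter {
        final Set<String> ignoreAll = Set.of("passwordHash");
        final Map<String, Set<String>> ignoreInTable =
                Map.of("Customer", Set.of("internalNote"));

        @Override
        public void serializeAsField(Object pojo, JsonGenerator gen,
                SerializerProvider prov, PropertyWriter writer) throws Exception {
            Set<String> scoped = ignoreInTable.getOrDefault(
                    pojo.getClass().getSimpleName(), Set.of());
            String name = writer.getName();
            if (ignoreAll.contains(name) || scoped.contains(name)) return; // not exported
            writer.serializeAsField(pojo, gen, prov);
        }
    }

    @JsonFilter("gdpr") // constructed sample object, not an Intershop class
    public static class Customer {
        public String firstName = "Jane", lastName = "Doe";
        public String passwordHash = "constructed", internalNote = "constructed";
        public String fax = "";              // empty value: omitted by NON_EMPTY
        public Date birthday = new Date(0);  // written as ISO-8601 text, not a number
        String sessionToken = "constructed"; // not public: never serialized
    }

    static ObjectMapper gdprMapper() {
        return new ObjectMapper()
            .setVisibility(PropertyAccessor.ALL, Visibility.PUBLIC_ONLY)
            .disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS)
            .disable(SerializationFeature.FAIL_ON_EMPTY_BEANS)
            .setSerializationInclusion(JsonInclude.Include.NON_EMPTY)
            .setFilterProvider(new SimpleFilterProvider().addFilter("gdpr", new ScopedFilter()));
    }

    public static void main(String[] args) throws Exception {
        System.out.println(gdprMapper().writeValueAsString(new Customer()));
    }
}
```

In this sketch the filter is a deny list, so any public property that is not listed in one of the two ignore sets ends up in the export; the sets need review whenever a serialized object gains a field.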

5 Customization

The GDPR feature uses Guice as dependency injection framework and is therefore easy to integrate into our implementation. Guice works with modules and each module provides a declaration of bindings between interfaces and classes. Those bindings are stored in the object graph. To customize the export, you need to know which classes are declared in our API and what they are used for.

Interface | Implementation | Responsibility
PersonalDataSerializer | PersonalDataJsonSerializerImpl | Serialization of personal data
PersonalDataProvider | PersonalDataProviderImpl | Provides personal data for serialization
- | PersonalInformationRO | Presentation of single personal data entity

The bindings can be overridden via declaration in objectgraph.properties:

Override bindings
global.overrideModules = <YourNamingModule>
