Introduction

The General Data Protection Regulation is a regulation of the European Union that defines the processing of personal data. In order to comply with this regulation we introduced GDPR handling. This concept describes the GDPR export feature and how customers can customize it. The GDPR export was developed as generic, adaptable and migration-friendly. Fields of persistent objects containing any kind of personal data can be serialized as JSON. When the process is completed the CSR (the administrator) can download the data as a ZIP archive.

Glossary

Term	Description
CSR	Customer service representative
GDPR	General Data Protection Regulation
JSON	JavaScript Object Notation
Serialization	Transform Java Object to JSON
Absent value	Value of a referential type (like Java 8 optional)

References

Export Overview

The export logic is located in the bc_gdpr cartridge within the f_business component set. The diagram below presents the export algorithm.

Crawl tables and get all data.
Filtrate non-personal data.
Provide data for serialization.
Group data into files.
Combine JSON files in a single ZIP archive.

Directory and Files
GDPR directory in server	share\sites\<Org-Chanel-Site>\1\units\<Org-Chanel>-Anonymous\gdpr
Filename pattern	<Org-Chanel-Site>_<first name>_<last_name>_<request id>.zip

Filtration of Personal Data

Due to complications with persistent objects and the importance of the data, we offer a filtration logic. The filtration is realized by a custom JsonFilter provided by Jackson.

There are two classes responsible for this logic:

PropertyFilterGDPRImpl- Added specific logic for filtration, support different scopes for specific table or global- ignorePropertyInTable, ignoreALL.
PropertyFilterConfigurationProviderGDPRImpl - Declares which properties must be ignored and instance of PropertyFilterGDPRImpl.

@Inject
private PropertyFilterGDPRImpl propertyFilterGDPRImpl;

For a list with all ignored properties, refer to Concept - GDPR Export.

Serialization Preferences

The serialization preferences must be defined in Jackson ObjectMapper. In this project there are declared in MapperBasicConfigSetting. The ObjectMapper has a provider that makes all default settings available to the mapper.

@Inject
@Named("JacksonObjectMapperGDPR")
private ObjectMapper objectMapper;

JacksonObjectMapperGDPR Settings:

Preference	Default value
Visibility	serialize only public method and fields
Write dates as timestamp	disabled
Fail on empty bean	disabled
Serialization inclusion	without empty and absent values

Customization

The GDPR feature uses Guice as dependency injection framework and is therefore easy to integrate into our implementation. Guice works with modules and each module provides a declaration of bindings between interfaces and classes. Those bindings are stored in the object graph. To customize the export, you need to know which classes are declared in our API and what they are used for.

Interface	Implementation	Responsibility
PersonalDataSerializer	PersonalDataJsonSerializerImpl	Serialization of personal data
PersonalDataProvider	PersonalDataProviderImpl	Provides personal data for serialization
-	PersonalInformationRO	Presentation of single personal data entity

The bindings can be overridden via declaration in objectgraph.properties:

Override bindings

global.overrideModules = <YourNamingModule>

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.