Hopefully we're not talking health/medical IoT devices. If that's the case, please hire a consultancy to help along.

> How should I design my services/infrastructure to be able to easily retrieve all personal information related to a user?

Details depend on implementation. Might be just a simple API/DB call or more. IIRC your DB data should be encrypted, RDS supports encryption at rest out of the box.

> Are the data points collected by the sensors considered personal information (and thus must be deleted when the user terminate its account)?

If, by retrieving them, a user can be identified then yes. Can you use an UUID and control the info on the AWS side?

A common pattern is to use an envelop encryption scheme (like KMS for instance) and instead of actually deleting the data, you delete the key. This way, the data cannot be decrypted and is considered lost/deleted.

Special care should be taken in order to design your DB in a way to support deletion and data retrieval.

Not not medical. > Details depend on implementation. Might be just a simple API/DB call or more. IIRC your DB data should be encrypted, RDS supports encryption at rest out of the box. Make sense, but it's more the scaling of this concept that worries me (when you start to have multiple services and DBs). It's easy to forget one API call. > If, by retrieving them, a user can be identified then yes. Can you use an UUID and control the info on the AWS side? Points will be linked to a user via a UUID yes, but (for example) is the temperature of the room at time X considered personal data?

I like this idea. Downside is that if you want to view the data to debug a problem in production, it's harder.

> [...] is the temperature of the room at time X considered personal data?

Temperature alone doesn't say much. By comparison an email address can lead to a specific person.

There aren't good tech resources because GDPR isn't tech driven. You have to start from a legal standpoint. The tech will present itself from there, highly dependent on your architecture.

There are of course some basic things you can do without understanding the legal, like how to store PII.

The example questions you have are poor. The first one depends on your infra, entirely. The second on depends on a) details you haven't supplied and b) legal structure around the data itself.

You need a consultant.

I'm not sure what you mean by technical and I'm surprised no one else has already listed this:

https://jacquesmattheij.com/gdpr-hysteria-part-ii-nuts-and-b...

It's the second of three pieces he did. The other two:

https://jacquesmattheij.com/gdpr-hysteria/

https://jacquesmattheij.com/so-your-start-up-receive-the-nig...

Complete guide to GDPR compliance:

https://gdpr.eu/

This is probably not the most comprehensive or iron-clad solution. However, it might be of some help to you.

http://blog.totalcloud.io/benefits-s3-select-protect-data-gd...

IAB Tech Lab and their Consent Management Platform: https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...

and their other projects.

Have you looked at https://aws.amazon.com/compliance/gdpr-center/ and https://gdprchecklist.io ?

I was not familiar with the AWS link, I will take a look. Thanks!

Search HN itself (at the bottom of this page). One really good article e.g. "GDPR – A Practical Guide for Developers" https://news.ycombinator.com/item?id=16508435

What's a good way to contact you? I agree with you that the majority of articles out there are more general than technical.

You can email me at: emile [at] jdis.ca Thanks!