The EU General Data Protection Regulation (GDPR)
Let’s begin by talking briefly about the EU General Data Protection Regulation (also known as the GDPR), which some have called the most significant change in data privacy regulation in the last 20 years.
The GDPR is a set of rules and regulations put in place to govern the processing and protection of the personal data of individuals in the EU by any individual, company, or other organization. Whenever you process personal data for social, cultural, or financial activities, you must respect the data protection law. If you are going to build technology that handles sensitive personal data, you have to abide by the rules and regulations of the GDPR.
ASP.NET Core Compliance
As a world leader, Microsoft has built its development tools to help other developers comply with the GDPR. Specifically, the project templates in ASP.NET Core include extension points and stubbed markup indicating where you should include your privacy and cookie use policies, as well as other vital features.
You can mark cookies as essential or non-essential to control which ones are sent to a user’s browser based upon that user’s consent to your cookie use policy.
The Cookie Consent feature in .NET Core allows you to ask for and track the consent of your users to store personal information. If a user doesn’t consent, and your app configures CheckConsentNeeded to return true, then non-essential cookies are never sent to that user’s browser.
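As an added example (not code from the original page) of the behaviour just described, here is a minimal Startup and controller for an ASP.NET Core MVC app: the cookie policy middleware is told that consent is always needed, an essential cookie is written regardless, and a non-essential cookie is dropped until the user grants consent. The cookie names and values are constructed for illustration.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Features;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // Consent is required on every request; until it is granted,
            // the middleware suppresses cookies not marked IsEssential.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.Strict;
        });
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseCookiePolicy(); // must run before anything that writes cookies
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

public class DemoController : Controller
{
    public IActionResult Index()
    {
        // Essential cookie (e.g. a session id): always sent, consent or not.
        Response.Cookies.Append("session_id", "constructed-session-value",
            new CookieOptions { IsEssential = true, HttpOnly = true, Secure = true });
        // Non-essential cookie: silently dropped while consent is missing.
        Response.Cookies.Append("theme", "dark", new CookieOptions { IsEssential = false });

        var consent = HttpContext.Features.Get<ITrackingConsentFeature>();
        bool canTrack = consent?.CanTrack ?? true; // true when no policy is active
        return Content($"Non-essential cookies allowed: {canTrack}");
    }

    [HttpPost]
    public IActionResult AcceptCookies()
    {
        // Persists the user's decision in the consent cookie the middleware checks.
        HttpContext.Features.Get<ITrackingConsentFeature>()?.GrantConsent();
        return RedirectToAction(nameof(Index));
    }
}
```

Calling Index before AcceptCookies returns a response carrying only session_id; after the POST, the theme cookie is set as well, which is the behaviour the CheckConsentNeeded setting enforces.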
In addition to cookie management, in compliance with the GDPR, the Identity Manage page includes links to download and delete user data.
Learn the Data Protection System Anatomy
The ASP.NET Core data protection stack (DPS) offers a relatively simple-to-use cryptographic API to protect data. The data protection stack was designed as an answer to one problem: I need to round-trip trusted state for my data through an untrusted client.
To address this, Microsoft built the DPS as five packages targeted to three specific audiences:
The Consumer APIs for application and framework developers.
These are the developers who don’t want or need to know how the stack operates or how it's configured. They want to perform operations in the simplest possible manner with a low probability of error. Chances are, this is you.
The Configuration APIs for application developers and system administrators.
These are the developers who need to customize some behavior and settings and need to instruct the DPS regarding those non-default settings. Chances are, this is not you - at least, not yet.
The Extensibility APIs for developers in charge of implementing custom policy.
These are highly-skilled security developers who may need to replace entire pieces of the system because they have highly unique and specialized requirements. This is definitely not you (or me for that matter).
The five packages of the DPS are:
Microsoft.AspNetCore.DataProtection.Abstractions
Contains the IDataProtectionProvider and IDataProtector interfaces to create data protection services.
Microsoft.AspNetCore.DataProtection
Contains the core implementation of the DPS. To instantiate the DPS or modify or extend its behavior, reference Microsoft.AspNetCore.DataProtection.
Microsoft.AspNetCore.DataProtection.Extensions
Contains additional APIs not in the core package that highly-skilled security developers may find useful.
Microsoft.AspNetCore.DataProtection.SystemWeb
This is for backwards compatibility. In other words, to get an existing ASP.NET 4.x app to use the new DPS, this package is required.
Microsoft.AspNetCore.Cryptography.KeyDerivation
Provides an implementation of the PBKDF2 password hashing routine and can be used by systems that must handle user passwords securely.
Let’s Recap!
The GDPR's purpose is to ensure the protection of private data.
.NET Core complies with the GDPR in its scaffolded applications.
.NET Core’s Data Protection System targets three audiences and has five packages comprising its capabilities.
In the next chapter, we’ll look at how to use the consumer APIs from the DPS to protect data, and guess what? It’s really simple!