The Nightmare Letter: A Subject Access Request Under GDPR

(linkedin.com)

508 points | by jjp 2230 days ago

45 comments

  • davidjgraph 2229 days ago
    Where's the problem? To me it shows what an excellent job the creation of the GDPR was. It makes companies think in depth about the data they hold on me and how they process it. It also provides clear ways to question and challenge it.

    I've seen a number of articles trying to frame the GDPR as some kind of shambles. The shambles is the way too many companies have abused and mis-processed the data for too many years and somehow the EU lawmakers are bureaucratic imbeciles. Yet, everyone I know is fully in favour of this as consumers.

    And, for context, I am the person who will have to deal with these at our company. Our customers are absolutely entitled to expect us to process their personal information in a responsible manner and I hope a number of these letters are sent to every company, it's about time there was a power shift in this area.

    • jcriddle4 2229 days ago
      About 50% of small businesses survive their 5th year and roughly 30% survive to their 10th year. The concern is the drip/drip effect of more and more regulation making those numbers even worse. In addition you may be saying to a poor or middle class person that the money costs of starting certain types of business are no longer in reach due to much higher costs. A large well established business is in a much better position to weather these costs so the wealthy get wealthier. What are the costs compared to the benefits?
      • davidjgraph 2229 days ago
        You hear the advice for new startups; only recruit the best from the start, cut away the fat from your task lists to only focus on the critical issues that generate business.

        Here's another, bake privacy into your company from the start. Create a culture that takes it seriously and threads it through everything it does. Once you have this culture you'll find it costs less than when you try to retrofit it after 3 years.

        In terms of the benefits, I can only assume you're American to ask this. In Europe we view our privacy as a human right and that our lawmakers should protect that right, it's that simple.

        • nine_k 2229 days ago
          > bake privacy into your company from the start. Create a culture that takes it seriously and threads it through everything it does.

          Replace "privacy" with "security" above, and you'll get the widely accepted best practice approach: "you cannot bolt on security later", etc. Likely it will work for privacy equally well.

          • fvdessen 2229 days ago
            It also works for performance, reliability, UX quality, etc. What GDPR does is forcing business to make privacy their core concern. Since time & budgets are inherently limited, this will come at the expense of something else.
            • arkh 2229 days ago
              > What GDPR does is forcing business to make privacy their core concern.

              Not really. It will mostly be a problem for companies which use a lot of SaaS services with no on-premise solution and companies in the business of selling their users data. Not gonna shed a lot of tears for those.

              • shiven 2229 days ago
                What's your beef with using "a lot of SaaS services, with no on-premises solution"? Why waste money by locking it into on-premises hardware?
            • tekknik 2226 days ago
              Actually what it did for me was allow me to ignore the EU entirely. This makes my implementation more simple since I don’t have to focus on the GDPR and can ignore the localization crap from having 2 versions of English.
              • rmc 2224 days ago
                Careful, the EU is a big market. If you exclude the EU, and get big enough, someone can just copy your business, but abide by EU law. Suddenly you have a competitor who has access to a large market that you don't have access to.
            • def_true_false 2229 days ago
              As it should.
          • walrus01 2229 days ago
            this is extremely true from a network security perspective for new ISP infrastructure as well. It is very "easy" to start forming layer-2 and layer-3 adjacency between things geographically distributed around a city/state sized area without much regard to security. Will create a huge amount of work to come back and fix later. Whereas if you design the architecture from the start with security in mind (how you're going to deal with your management VRFs, monitoring systems, OOB authentication, NOC and neteng access to stuff in private IP space, etc) it will be much easier to scale.
        • nitwit005 2229 days ago
          You can't engineer this sort of thing away. A business that gets 1000 of these letters will have to hire someone to handle it, regardless of how good a job they did designing things.
          • smartbit 2229 days ago
            If you don’t keep the records of your customers, you’d answer those requests in no time.

            Aldi has become extremely successful without knowing their customer. Ikea probably the same.

            • vsl 2229 days ago
              Wrong. Even if I didn’t store anything besides absolutely necessary (does your product involve usernames or emails - bam, personal information) and was absolutely above board, it would take me hours to respond to this.
              • heavenlyblue 2227 days ago
                You see: you should have read the law before assuming that requesting this information from the user is legal. It had to be stored in one, single place. Therefore answering this question shouldn't take more than 5 minutes, if you have anticipated GDPR.
            • photon-torpedo 2229 days ago
              What about their employees? Aren't employees, or ex-employees, also entitled under GDPR to be informed about what personal data the company stores or processes? Honest question!
              • Kliment 2229 days ago
                Of course, but they're entitled to this under pre-GDPR legislation as well, as I understand it.
          • Gaelan 2229 days ago
            I mean, if those records are being kept, it shouldn't be that hard to make them easily user-accessible, right? Support people that got the letters could just give users the link to the page with the data.
            • rebuilder 2229 days ago
              It seems to me that could easily create a privacy issue of its own. Certainly just a link would be terribly insecure, you'd need to authenticate the user. And whatever you do, you've now created a web-facing portal to the private data you're supposed to protect. Seems risky to me.
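An added example, not code from the thread or from any company mentioned in it, of the difference between "just a link" and an authenticated export link as rebuilder describes it. The link token is HMAC-signed with a server secret, expires, is single-use, and is bound to the user id of the session that redeems it, so a forwarded link is useless to anyone else. The key, the in-memory token store and the field names are assumptions for illustration.

```python
"""Hypothetical subject-access export link.

A bare URL pointing at a user's data export is itself a credential: whoever
holds it gets the data.  This example instead issues a short-lived, single-use
token bound to a user id and only honours it from that user's authenticated
session.  Example code, not any real site's implementation.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a long-lived server secret; in practice loaded from a KMS/secret store.
SERVER_KEY = secrets.token_bytes(32)

# Tokens issued but not yet redeemed.  Assumption: in-memory dict; a real
# deployment would use a DB table keyed on the token id with a unique constraint.
_issued = {}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_export_link(user_id: str, now: float, ttl_seconds: int = 900) -> str:
    """Mint a token for `user_id` valid for `ttl_seconds` from `now` (epoch seconds)."""
    token_id = secrets.token_urlsafe(16)
    claims = {"sub": user_id, "exp": int(now) + ttl_seconds, "jti": token_id}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    _issued[token_id] = user_id
    return f"{_b64(payload)}.{_b64(tag)}"


def redeem_export_link(token: str, session_user_id: str, now: float):
    """Return (True, user_id) if the export may be served to this session, else (False, reason).

    Order matters: verify the MAC before trusting any claim, check the user
    binding before consuming the token so a stranger's attempt does not burn it.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    claims = json.loads(payload)
    if now > claims["exp"]:
        return False, "expired"
    if claims["sub"] != session_user_id:
        return False, "wrong user"  # link forwarded into someone else's session
    if _issued.pop(claims["jti"], None) != claims["sub"]:
        return False, "already used"
    return True, claims["sub"]


if __name__ == "__main__":
    link = issue_export_link("alice", time.time())
    print(redeem_export_link(link, "mallory", time.time()))  # rejected, token still valid
    print(redeem_export_link(link, "alice", time.time()))    # served once
    print(redeem_export_link(link, "alice", time.time()))    # already used
```

The token still has to be delivered over an authenticated channel (a logged-in page or the verified contact address), and the export endpoint should rate-limit and log redemptions; the signature only stops forgery and forwarding, not a compromised session.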
          • chasb 2229 days ago
            My company (Aptible) makes a product called Gridiron that does this. All of the data that a requester is entitled to can be pre-structured and organized in a source of truth. That's what Gridiron is.
          • hokkos 2229 days ago
            The first answer is long, the other ones should be quick as you already have done the work; and can be automated.
          • ryandrake 2229 days ago
            The answer is going to be automation. You don't hire a person to physically handle each of those 1000 requests, just like you don't have someone typing in each employee's pay stub and calculating their tax withholdings.
        • briandear 2229 days ago
          When the EU bans telemarketing or sending me junk mail without my consent, then I might think the EU cares about my privacy.
          • llukas 2229 days ago
            It already does. Go figure.
            • samuellb 2228 days ago
              In practice, no. The legislation has major loopholes, such as allowing unsolicited business-to-business marketing. And spammers still send junk to individuals with a disclaimer such as "This message is addressed to a business, if this is in error click here to opt out". And they seem to get away with it.
            • vsl 2229 days ago
              My mailbox (the physical one) disagrees with your claim. There are mechanisms to opt-out (at the cost of uglifying my mailbox with highly visible label), but they are not banned.
          • eropple 2229 days ago
            Neither of those represent threats to "privacy" in a typical legal sense. Both suck, but you're saying that you'll think the EU cares about car safety when they ban juggling.
      • DenisM 2229 days ago
        Your logic applies to fire codes and food sanitary rules just as well.

        Doing the right thing is a burden, that’s why it’s called the right thing and not the convenient thing.

        • jcriddle4 2229 days ago
          Yes you are correct. What are the costs compared to the benefits? Is the additional privacy going to be worth it? If we discover a few years from now that European companies are sharing roughly the same amount of data with other companies as their American counterparts, just documenting it better, have you gained anything?
          • bjelkeman-again 2229 days ago
            Yes, because I can request it and ask for deletion.
            • briandear 2229 days ago
              Are you willing to pay more for products and services? Because ultimately you will.
              • jadedhacker 2229 days ago
                If hiring one person changes the calculus that much, it's nonetheless easy to afford if profitable companies paid their workers more instead of sending it to shareholders or doing stock buybacks. The proportion of wealth held by the managerial class exceeds the Roman Empire at its height. https://persquaremile.com/2011/12/16/income-inequality-in-th... For reference, the Gini coefficient of the United States in 2016 was 0.48. Rome at its population peak was between 0.42-0.44 according to the article. A Gini coefficient of 0 is a perfectly equal society and a coefficient of 1 is perfectly unequal.

                Small startups also often get the benefit of reduced regulatory burden, which is fitting because they have less overall impact on society. Once they become large, it is fitting that they play by rules that benefit the majority.

                • hueving 2229 days ago
                  How is a gini coefficient relevant to higher priced products due to regulatory overhead?

                  It seems you have an axe to grind and derailed the conversation to compare the US with ancient Rome. Please provide a citation showing a correlation between increased privacy regulations and reduced Gini coefficients.

                  • jadedhacker 2225 days ago
                    I was responding to the claim that increased privacy would lead to possibly unacceptable price increases. I accept as axiomatic that increased privacy reduces profits, because, for one, you can't sell data that is private let alone the regulatory burden. My position is that these vociferous critiques of even minor bequests to the public are ill founded.
              • llukas 2229 days ago
                You already are paying with your privacy. If you value it for $0 then you're going to pay more...
              • edanm 2229 days ago
                Another legitimate question is: is the fact that you are willing to pay more a good enough reason to force me to pay more? What if I don't care about privacy as much as you?

                That's the real issue here. You can either decide that privacy is a basic right that everyone has and cannot be negotiated away, in which case this law makes sense.

                Or you can decide that it's a decision each person makes, and let the market take care of providing options that are more vs. less privacy-respecting.

                • summerdown2 2229 days ago
                  > You can either decide that privacy is a basic right that everyone has and cannot be negotiated away, in which case this law makes sense.

                  > Or you can decide that it's a decision each person makes, and let the market take care of providing options that are more vs. less privacy-respecting.

                  Or, collectively, a group of people can agree on a government that supports privacy protection for goods sold under its remit. Which is what's happened here. I get that it's not popular in the US, but privacy controls are quite popular in Europe, and the EU is in this case following the mood of its people.

                  • edanm 2228 days ago
                    Yes, "a group of people" acting through the government to support privacy protection is what my first sentence meant. Clearly that's what's happened.

                    Not sure why you phrase it "or"? I think we agree that that's one sensible approach to take (treating it as a basic right that can't be negotiated away, much like other things).

              • DenisM 2229 days ago
                Yes, yes I am.
              • Feniks 2228 days ago
                Actually giving companies unfettered access to my life WILL cost me more in the long run.

                Ask yourself this: why does a company want my data? Because they're bored or because they want to manipulate me into spending more?

        • briandear 2229 days ago
          Nobody dies from Google Analytics. People die from failing to follow fire codes or food safety laws.

          This is a false equivalence.

          • mercer 2229 days ago
            I find it quite worrying that 1) you are all over this discussion downplaying/minimizing the value and importance of privacy, and 2) you are the "founder of iCouch, a platform for psychologists, therapists and counselors".
          • EnFinlay 2229 days ago
            Most people don't die from food safety violations, they just have a really bad day. I would say this is equivalent to the harm done by something like the Equifax breach.
            • FireBeyond 2229 days ago
              > they just have a really bad day

              And those who end up in hospital, in the US, possibly without insurance? I guess that, and the ensuing bills is "just" an _extremely_ bad day then?

              • girvo 2228 days ago
                Not a worry in most other developed countries.
          • Too 2229 days ago
            Nobody died from detailed records of peoples religion and ethnicity in Germany 70 years ago either.
            • kimi 2229 days ago
              Such were held and enforced by the state, not by local businesses. Say, more or less the same people who run network-scale intercepts and tracking nowadays, and collect/access/process a lot of real-world records about you. Do you really think that as an EU citizen I can go ask TSA all data they have on me and why they opened my bag last time I flew out of the US?
              • Too 2229 days ago
                Interesting question. How far into state agencies does the GDPR apply in the same way it does for businesses? Can I make a GDPR request to my city library, hospital, police or secret service? Or maybe even to the state as a whole?
                • aazar 2229 days ago
                  Yes, you can and you should. Every government should be able to respond. Nobody is barred from a data subject request.
          • quantummkv 2229 days ago
            Google and Facebook analytics get people like Trump elected. Which is a far more dangerous situation than food poisoning or a building fire due to its long term impact.
            • hueving 2229 days ago
              People like Trump have been elected since there were elections. Keep the lame political statements elsewhere.
          • 00N8 2229 days ago
            of course they do! what magical kingdom of the future do you think you're living in, where economic ends have no bearing on survival?! your business on the brink succeeds or fails; a personal relationship blossoms or sours. sure, we mustn't rely too much on any one thing going a certain way on these kinda things that data sharing or Google Analytics can impact. but in aggregate these factors have significant bearing on one's access to medical, nutritional, & fitness resources & technology, even will to live, thus they do drive life or death outcomes all the same.
            • cromwellian 2229 days ago
              So Google Analytics kills people? It saps your bodily fluids, I mean, will to live, at the same level as fluoridated water, and is equally dangerous with building fires.

              Gotcha. This is the best example of false equivalence I've yet seen.

              • summerdown2 2229 days ago
                People subject to identity theft due to poor control of their data do indeed suffer real world consequences. I wouldn't necessarily want to argue it's a case of life or death - but there's undoubtedly actual harm in some cases ranging from social issues if their data is sensitive, right down to financial loss.

                And if you wanted to examine whether it could be a matter of life or death, it wouldn't be that big of a stretch. Consider what might be the result of someone trying to escape from an abusive relationship having their personal data exposed. Or a whistleblower / political dissident. For example, imagine a Chinese dissident with a free-Tibet facebook record whose data gets back to the Chinese government.

                I'd focus on China particularly because they're developing a system for working out how much people align with the state and it appears it may be partly based on the information they can find out about people's internet postings:

                https://en.wikipedia.org/wiki/Social_Credit_System

      • bunderbunder 2229 days ago
        I wouldn't be at all surprised if it's actually cheaper for smaller businesses to properly handle personal data than it is for big ones. Big ones tend to have much bigger, more complex data systems that require complicated oversight and governance, and are presumably much more likely to engage in risky behaviors like dumping stuff into a data lake.

        This might have an outsize impact on startups that deal primarily in data about people. I'm actually pretty OK with that. Some kinds of activities really should have high barriers to entry.

      • sameline 2229 days ago
        If a business cannot afford to properly handle and audit customer data then it should avoid any sort of collection. Businesses that produce value from customer data should be able to pay for necessary protections.
      • kartan 2229 days ago
        > The concern is the drip/drip effect of more and more regulation making those numbers even worse.

        There are industries, like construction, that have a lot more regulations that this one. And small companies survive.

        > What are the costs compared to the benefits?

        Benefit: Citizens have the right to protect their privacy, to not be tracked without reason, to be notified when a data breach put their safety at risk, etc.

        Cost: Companies need to have reasonable data governance that will increase short-term cost, but probably have a long-term positive impact on cost as bad data governance is just technical debt.

      • groby_b 2229 days ago
        I don't give a fig about startup survival rates. I care about the fact that they're currently making money by externalizing costs.

        Yes, it makes it harder to get into some areas. If that means a net positive for society, I'm surprisingly OK with that. There's no intrinsic reasons why we should care how many companies survive.

      • dsjoerg 2229 days ago
        In general I strongly agree that regulations can be one of the slow drip/drips that crush a society over time.

        However there are two forms of complexity at war here; complexity for business (regulation) and complexity for ordinary people (having data about you everywhere, about everything, forever). So we have to decide which kind of complexity is worse, or how to strike the right balance.

      • cleansy 2229 days ago
        I usually register on non essential websites with a custom address like website.com@domain. Over the years I experienced several hidden data breaches as I look once in a while into my spam folder. This regulation gives me as a customer a good feeling as businesses are required now to think hard about their data protection strategy. As a business owner I have no problem answering these requests as I designed my software with data protection from the get go. Now it's at least a requirement for all businesses which is good. This is a huge benefit for the consumer.
        • mirimir 2229 days ago
          Yes, this also gives great insight on who's selling data.
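An added example, not code from the thread, of the per-site alias technique cleansy describes and the "who is selling data" insight mirimir draws from it. It scans constructed inbound-mail log lines (the format, the alias domain `mydomain.test` and the `REGISTERED` map of which senders legitimately mail each alias are all assumptions) and reports aliases that receive mail from a domain other than the site they were given to, which is the signal that the address has leaked or been sold.

```python
"""Detect leaked per-site e-mail aliases from inbound mail logs.

Assumptions for this example: every site gets its own alias of the form
<site>@mydomain.test; `REGISTERED` records which sender domains are expected
for each alias; log lines carry Postfix-style `from=<...> to=<...>` fields.
Constructed sample data, not real logs.  Example code, not from the thread.
"""
import re
from collections import defaultdict

# Alias local part -> sender domains that legitimately mail it (subdomains allowed).
REGISTERED = {
    "shop.example": {"shop.example"},
    "forum.example": {"forum.example"},
}

# Constructed sample log: two legitimate mails, a subdomain sender, a bounce with
# a null sender, two mails to aliases from domains that were never given them,
# and one mail to a personal (non-alias) address.
CONSTRUCTED_LOG = """\
Mar 01 10:00:01 mx postfix/smtpd: from=<orders@shop.example> to=<shop.example@mydomain.test>
Mar 02 11:12:44 mx postfix/smtpd: from=<digest@forum.example> to=<forum.example@mydomain.test>
Mar 05 03:22:10 mx postfix/smtpd: from=<promo@cheap-pills.invalid> to=<shop.example@mydomain.test>
Mar 05 03:22:11 mx postfix/smtpd: from=<> to=<shop.example@mydomain.test>
Mar 06 09:00:00 mx postfix/smtpd: from=<noreply@notify.shop.example> to=<shop.example@mydomain.test>
Mar 07 09:00:00 mx postfix/smtpd: from=<offer@deals.invalid> to=<forum.example@mydomain.test>
Mar 07 09:00:00 mx postfix/smtpd: from=<someone@other.invalid> to=<me@mydomain.test>
"""

LOG_RE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>")


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty for the null sender (bounces)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _allowed(domain: str, allowed: set) -> bool:
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def leaked_aliases(log_lines, registered=REGISTERED, alias_domain="mydomain.test"):
    """Return {alias: sorted sender domains} for mail to an alias from an unregistered domain."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        local, _, dom = m["rcpt"].lower().rpartition("@")
        if dom != alias_domain or local not in registered:
            continue  # not one of our per-site aliases
        sdom = sender_domain(m["sender"])
        if not sdom:
            continue  # bounce / null sender carries no attribution
        if not _allowed(sdom, registered[local]):
            hits[local].add(sdom)
    return {alias: sorted(domains) for alias, domains in hits.items()}


if __name__ == "__main__":
    for alias, senders in leaked_aliases(CONSTRUCTED_LOG.splitlines()).items():
        print(f"alias {alias}@mydomain.test now receives mail from: {', '.join(senders)}")
```

The sender domain is taken from the envelope, which is trivially forgeable, so a hit tells you the alias is circulating, not who specifically leaked it; the alias itself (which site it was issued to) is the reliable attribution.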
      • _o_ 2229 days ago
        If you have taken GDPR into account from the start, the costs are trivial, it only means you will organize data differently so this "startup worrying" thing is a nonsense. Those worries are trying to do PR from companies/developers that are used to capture as much as possible from customers (potentially also sell those data) and are basing their business model on that.

        The real cost comes in "old" companies. Those should complain, but those are also responsible for need for GDPR.

      • EnFinlay 2229 days ago
        Everything there might be true. Everything might also be false. It might be cheaper to start a business because PII will be handled properly from the start and not be a cost centre. This might increase new business viability.

        Maybe there are no "costs". Just benefits and benefits?

      • spanktheuser 2229 days ago
        The benefits are to me as a consumer, of course. Just because companies would prefer to treat data and security as burdensome doesn't mean that I should let them. As an argument to reverse this regulation, this seems unconvincing.
      • Jach 2229 days ago
        Of those small businesses how many had business in Europe? You can aggregate or split by success/failure.
    • closeparen 2229 days ago
      This website is inherently an egregious GDPR violation. It collects the most highly protected data category, political views, stores it forever, shares it with everyone on the internet, makes opaque automated decisions related to ranking, vote weighting, and anti-spam, and provides no mechanism for takeout or deletion. Because it's publicly available, an unlimited number of unregulated third parties can obtain your data and process it for undisclosed reasons without your opt-in.

      Can anyone explain how it's possible to be positive about GDPR and HN at the same time? I'm not surprised that some people like it. I'm stunned to see them commenting here.

      • sushibowl 2229 days ago
        > It collects the most highly protected data category, political views

        It collects user comments and posts. What you post to this website is entirely under your own control, and there is plenty of opportunity to meaningfully participate here while offering not much more than technical opinions.

        Furthermore, none of the information you post here needs to be personally identifiable, under the definition of the GDPR. It is identified by a username, which can be completely arbitrary and unique. You could even use a new one for every post you make.

        • cromwellian 2229 days ago
          I'm pretty sure HN is holding onto PII, including IP and Email, which is enough to tie your account to others and de-anonymize you.
          • yorwba 2229 days ago
            You don't have to tell HN an email address. They should have appropriate privacy protections in place for the PII they do store, but they should have that even without GDPR.
        • mirimir 2229 days ago
          I do agree that we all can choose what to share on HN. Usernames can be as arbitrary as you like, and not linked in any way to meatspace identity. HN allows registration and posting via VPN services. And maybe even via Tor.

          However, it does appear that GDPR will require that HN delete a user's posts upon request. It might even require that HN delete posts that mention other people, including nonusers.

          Edit: Yes, also via Tor. It did ask for an email address, for password resets.

      • chasb 2228 days ago
        HN probably doesn't fall within the material scope of GDPR, unless they perform business activity that falls within the scope of EU law that I'm not aware of.

        That would be different if they marketed/promoted/sold in the EU, offered European language or currency support, or somehow otherwise took action to position themselves for the EU.

        As a thought experiment, if HN was regulated by GDPR:

        1. Yes, all kinds of user generated content can contain GDPR Art. 9's special categories of personal data. HN would probably rely on the exemption in Art. 9(2)(e), which permits processing "personal data which are manifestly made public by the data subject." The purpose of HN is to let you share your own data on the Internet, that's the entire point. That's fine under GDPR.

        2. HN would still need a lawful basis for processing under Art. 6. For a paid service, a Terms of Service would normally be fine. I don't think HN has or wants one of those, and they don't track users at all before registration, so they could collect an explicit consent from users on registration. If they did track prior, a cookie popup could collect the consent. Also, under Art. 8, the default minimum age of consent is 16, so we'd want to consider age confirmation too.

        3. Archiving posts on the Internet forever is not a problem, if that's the intended use of the site, which it is. My guess is that deleting a user and their posts is feasible at the application/database layer. The problem would be deleting personal data from backups of the site if the user withdraws their consent and requests Art. 17 erasure. In that case, only retaining the backups as long as necessary and documenting that justification internally is probably sufficient.

        4. Article 22 restricts "automated processing, including profiling, which produces legal effects concerning [the data subject] or similarly significantly affects" the data subject. Ranking, voting, and anti-spam probably don't qualify as weighty enough subjects to be restricted. Recital 71 ("Profiling" https://gdpr-info.eu/recitals/no-71/) sheds some light on what the EU is trying to prevent.

        5. They'd have to get a data protection agreement or other Art. 46 agreement with hosting vendors. Cloudflare is on top of this: https://www.cloudflare.com/gdpr/introduction/ Not sure what other subprocessors are involved.

        6. Being able to see most of your own data on HN means you have Art. 15 access, which is nice. I think they'd have to also give you any hidden metadata as well. Not sure what that might be (vote weight score?).

        7. There's a bunch of other stuff they'd probably do, like appoint a data protection officer, publish a privacy policy, add the ability to delete your account, etc.

      • jopsen 2229 days ago
        On HN you have no expectation of privacy, your comments are public.

        HN does not require you to disclose personal information, such as who you are.

        • closeparen 2229 days ago
          The GDPR doesn't use an expectation-of-privacy standard. Personal data is not just an explicit disclosure of your name and address, it's anything that can be used to identify you. Writing style and the sum total of comments indicating your experiences and the cities and organizations you've been attached to certainly fit that standard.
          • mirimir 2229 days ago
            Well, Mirimir can just request that his posts be deleted.

            However, I do see an issue: quotes by other users. That's one of the leaks that took down DPR. He deleted his old posts about Silk Road. But another user had quoted part of a post, which didn't get deleted.
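An added example, not code from the thread, of the leak mirimir describes: after a user's posts are erased, verbatim quotes of them survive in other users' posts. The sweep below indexes word shingles (runs of k consecutive words) from the deleted posts and reports any other post that shares a run, so an erasure job can list what still needs review. The post texts are constructed; the shingle length is a tunable assumption.

```python
"""Find other users' posts that quote deleted posts verbatim.

Erasing a user's own posts does not remove text others quoted from them.
This sweep builds an index of k-word shingles over the deleted posts and
flags any other post sharing a shingle.  Constructed data; example code,
not any site's implementation.
"""
import re
from collections import defaultdict

WORD_RE = re.compile(r"[a-z0-9']+")

# Constructed sample: posts being erased, and the rest of the corpus.
DELETED = {
    "d1": "I started selling on the marketplace last spring and the escrow system is what makes it work.",
    "d2": "Short post with nothing quotable.",
}
OTHERS = {
    "o1": "> the escrow system is what makes it work\n\nExactly, that's the key point.",
    "o2": "Unrelated chatter about compilers and linkers.",
    "o3": "I started selling socks online last spring.",  # overlaps d1 only on short runs
}


def shingles(text: str, k: int) -> set:
    """All runs of k consecutive words, normalised to lower case with punctuation dropped."""
    words = WORD_RE.findall(text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def find_quoted_fragments(deleted_posts: dict, other_posts: dict, k: int = 6) -> dict:
    """Return {other_post_id: [deleted_post_ids]} where the other post shares a k-word run.

    k trades recall for noise: short k flags common phrases, long k misses
    trimmed quotes.  Six words is the assumption used here.
    """
    index = defaultdict(set)
    for pid, text in deleted_posts.items():
        for sh in shingles(text, k):
            index[sh].add(pid)
    hits = defaultdict(set)
    for oid, text in other_posts.items():
        for sh in shingles(text, k):
            if sh in index:
                hits[oid] |= index[sh]
    return {oid: sorted(pids) for oid, pids in hits.items()}


if __name__ == "__main__":
    for oid, sources in find_quoted_fragments(DELETED, OTHERS).items():
        print(f"post {oid} quotes deleted post(s): {', '.join(sources)}")
```

This only catches verbatim runs; paraphrases, screenshots and off-site mirrors are outside what any in-database sweep can find, which is the practical limit of erasure on a public forum.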

        • chasb 2229 days ago
          GDPR puts the burden on the company to comply if it processes any in-scope personal data, regardless of whether it's possible for the data subjects themselves to minimize that data.

          I'm a lawyer but not your lawyer and I have no idea about specific YC or HN details, so take this with a grain of salt, but I think the best argument for why HN is exempt or at very low risk for enforcement is that it does not hold itself out into the EU market for business and is not otherwise subject to EU law (as far as I know, and I have no special knowledge). Users may be from the EU, but HN has no particular nexus to EU law that I'm aware of.

          This is important because Article 2 of GDPR ("Material scope") expressly says "This Regulation does not apply to the processing of personal data ... in the course of an activity which falls outside the scope of Union law"

    • pnathan 2229 days ago
      To be completely honest, from everything I've seen, I'd love to see the GDPR be copy-pasted into US law and made a part of international treaties. It seems like The Right Thing to do.
      • rmc 2224 days ago
        There's a good chance that a lot of big US tech companies are going to apply the GDPR to everyone. It'd be too hard for (say) Facebook to have 2 databases.
      • Tomte 2229 days ago
        That would be great because even we Europeans would profit from it: US regulators and law enforcement can be incredibly brutal.
        • chopin 2228 days ago
          GDPR does not apply for state actors.
          • beojan 2228 days ago
            I think he meant US law enforcement can be brutal against violators.
    • piokoch 2229 days ago
      True, the only issue I see here is that big companies will manage to adjust to GDPR rules or cleverly trick users of the service into allowing all they want (I guess the number of users who do not agree to changes in terms and conditions that keep showing up on Facebook or Google pages is not large).

      Small e-commerce sites (someone sells socks, hand made goods, used pianos, etc.) are a different story here. Usually such sites were put together on some ready-made PHP + MySql solution hosted on a 100 bucks a year hosting and that was done by some small IT shop specialized in this kind of business.

      Owners of such small firms are going to have a really hard time with GDPR. I suspect there will be a lot of scummy law firms that will go after them and blackmail them either to use their "service to be GDPR compliant" or be sued under GDPR.

      Such people are an easy target, they don't even realize that maybe software that was installed for them by some third party that no longer exists writes customer first and last names to logs, or there is somewhere a backup with customer e-mails.

      This law will have zero impact on say, Facebook, people would give them their data freely as they do now, the average FB user will not risk "getting an imperfect Facebook experience" (or some other similar clause that clever FB lawyers will figure out) if they block permission to be tracked and their data cannot be sold to advertisers.

      • rmc 2224 days ago
        One requirement of EU data protection law is "informed consent", which must be freely given. If it's pages of legalese that we all know no-one reads, then you could say it's not informed consent.

        And you have to be able to revoke consent, at any time, and it has to be as easy to revoke consent as to give consent.

    • ryandrake 2229 days ago
      Reading through the "nightmare" letter, I was looking for something I'd consider unreasonable for a user to be concerned with or ask about, and couldn't find anything. Honestly, this seems like a pretty low bar. If you can't answer these questions about your business, I'd be loath to continue doing business with you. I'd surely be reluctant to let you collect my personal information.
    • rebuilder 2229 days ago
      I'm not very familiar with the legislation. Is a company receiving such requests required to respond to them individually, regardless of merit? If so, it seems blasting a few thousand requests at a small company would be a fairly simple act of sabotage. Even if the requests are fake, it would take the company time to figure out that they don't have any relevant records and to figure out whether to respond and how to respond.
      • chasb 2229 days ago
        GDPR's "Right of access by the data subject" (Article 15) is here: https://gdpr-info.eu/art-15-gdpr/

        The right can only be enforced against a "controller," which is the entity that "determines the purposes and means of the processing of personal data."

        It's worth noting that GDPR does not give the data subject the right to request everything in the letter. Only a more limited set of things.

        The practical effect for SaaS companies is that they should keep track of data and the systems and services where data is processed. With good preparation and a system of record for security/privacy management data, you can prepare for this kind of request very well. My company does just that - helps others prepare.

    • aazar 2229 days ago
      To create the data subject access request, you first need to understand your own internal process. For that, you need to comply with Article 30, i.e. records of processing activities.

      We help you create that at ecomply.io, and once you're done, we will help you create data subject access requests as well.
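The two posts above describe the same preparation: keep an Article 30 style record of what you process, why, where it lives and who receives it, and use that record as the system of record from which an Article 15 access response is assembled. The following is an added illustration of that idea, not code from any commenter, product or company named on the page. The inventory rows, the two stand-in databases and the subject "alice@example.com" are constructed; the legal-basis and retention strings are placeholders.

```python
"""Article 30 style record of processing activities, and an Article 15
subject access response assembled from it (added illustration; all rows,
databases and the subject are constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass
class ProcessingActivity:
    """One row of the record: what is processed, why, where it lives, who gets it."""
    name: str
    purpose: str
    legal_basis: str
    data_categories: list[str]
    recipients: list[str]               # processors and other third parties
    third_country_transfers: list[str]  # transfers outside the EU, with their grounds
    retention: str
    system: str                         # the system that actually holds the data
    lookup: Callable[[str], dict]       # pulls one subject's records from that system


# Constructed stand-ins for two systems a small company might run.
BILLING_DB = {"alice@example.com": {"name": "Alice Example", "invoices": 3}}
MAILER_DB = {"alice@example.com": {"subscribed": True, "last_sent": "2018-04-01"}}


def billing_lookup(subject_id: str) -> dict:
    return BILLING_DB.get(subject_id, {})


def mailer_lookup(subject_id: str) -> dict:
    return MAILER_DB.get(subject_id, {})


INVENTORY: list[ProcessingActivity] = [
    ProcessingActivity(
        name="billing", purpose="issuing and collecting invoices",
        legal_basis="performance of a contract, Art 6(1)(b)",
        data_categories=["name", "email", "invoice history"],
        recipients=["external accountant (processor)"], third_country_transfers=[],
        retention="7 years after the last invoice (constructed figure)",
        system="billing database", lookup=billing_lookup),
    ProcessingActivity(
        name="newsletter", purpose="product announcements",
        legal_basis="consent, Art 6(1)(a)",
        data_categories=["email", "send history"],
        recipients=["hosted mailing service (processor)"],
        third_country_transfers=["US, hosted mailing service (constructed)"],
        retention="until consent is withdrawn",
        system="hosted mailer", lookup=mailer_lookup),
]


def build_access_response(subject_id: str, inventory: list[ProcessingActivity]) -> dict:
    """Walk every recorded activity and collect the Article 15(1) items that apply
    to this subject. Activities holding nothing about the subject are skipped, so
    the purposes, recipients and transfers listed are the ones that touched them."""
    response = {
        "subject": subject_id, "purposes": [], "categories": set(), "recipients": set(),
        "third_country_transfers": set(), "retention": {}, "personal_data": {},
    }
    for activity in inventory:
        data = activity.lookup(subject_id)
        if not data:
            continue
        response["purposes"].append(f"{activity.purpose} [{activity.legal_basis}]")
        response["categories"].update(activity.data_categories)
        response["recipients"].update(activity.recipients)
        response["third_country_transfers"].update(activity.third_country_transfers)
        response["retention"][activity.name] = activity.retention
        response["personal_data"][activity.system] = data
    return response


def render(response: dict) -> str:
    """Plain-text letter body with stable ordering."""
    def join(values) -> str:
        return ", ".join(sorted(values)) or "none"

    lines = [
        f"Subject access response for {response['subject']}",
        "Purposes and legal bases: " + ("; ".join(response["purposes"]) or "none"),
        "Categories of data: " + join(response["categories"]),
        "Recipients: " + join(response["recipients"]),
        "Transfers outside the EU: " + join(response["third_country_transfers"]),
        "Retention: " + join(f"{k}: {v}" for k, v in response["retention"].items()),
        "Copy of the data held: " + repr(response["personal_data"]),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_access_response("alice@example.com", INVENTORY)))
```

The useful property is that the response is derived from the inventory rather than written by hand: a system that is missing from the record is also missing from every response, which is exactly the gap a request like the linked letter exposes.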

    • bobcostas55 2229 days ago
      >It makes companies think in depth about the data they hold on me and how they process it.

      Except, of course, if your company is one of those favored with an exemption from the GDPR. Because we can't have everyone playing by the same rules in the EU.

    • frozenport 2229 days ago
      How does a company with 3 employees respond to this?

      It would be good if, like FDIC insurance, small companies could opt out, with the obvious disclaimer they do not comply.

  • geocar 2230 days ago
    If you get a letter like this, reply in plain language:

    Given that the "requests are complex or numerous", I will be responding within three months as recommended by the ICO[1]. Have a nice day.

    You now have plenty of time to deal with it properly.

    If you have a lot of data on someone, you can enumerate the categories (1) and then request they break it down (specifically request 1c; see Recital 63[2] of the GDPR for the exact language). Almost everything else should be in your privacy policy anyway.

    If you do not have a lot of data on someone, then three months should certainly be enough time to properly respond to this.

    Most businesses do not have any personal data on anyone beyond what you need for an invoice. If you have a dedicated CRM that contains leads of potential customers, or you use an online service like SalesForce, you can probably get their support in complying.

    [1]: https://ico.org.uk/for-organisations/guide-to-the-general-da...

    [2]: http://www.privacy-regulation.eu/en/recital-63-GDPR.htm

    • ThePhysicist 2229 days ago
      The GDPR gives you one month to reply to such requests by default, except if the nature of the request is so complex that you can believably justify why you'd need more time to reply to it. In general, I would recommend implementing automated procedures for answering such requests.
      • geocar 2229 days ago
        How many of these requests do you expect?

        I imagine most companies might only deal with this once or perhaps twice ever, and if they do not keep very much personal data then automating it would not be a very efficient use of their time. That's why in general I'd wait until you get such a request, ask your lawyer to explain it (will probably only cost a few hundred pounds), then decide what to do next.

        Only very large companies (or companies that deal with a lot of personal data) will benefit from up-front automation.

        • tobr 2229 days ago
          Since the content of the request is very generic and applies to almost any individual and business, it's not unthinkable that it will be automated on the other end, so anyone can push a button and send the request to hundreds of companies of their choosing.

          I certainly have several businesses in mind that I plan to send requests to once GDPR is in place.

          EDIT: Although I suppose small, non-EU businesses that mostly do not deal with personal data are unlikely to receive any requests. So you are probably right that "most companies" are unlikely to receive GDPR requests.

          • kuschku 2229 days ago
            It’s already been automated.

            https://selbstauskunft.net/ exists to allow you to send a BDSG §34 request (like GDPR request, but under the older German law for it) to basically any company. You select the company, sign it, and they automate all other steps.

            I’ve sent dozens just this week.

            • Jdam 2229 days ago
              Do you actually read the dozens of responses? Or are you just doing it to annoy people?
              • madez 2229 days ago
                Yes, I read the responses and take action upon them. The last time I quit my bank account to move to a different bank.

                Also, I'd recommend sending another request some time after quitting your contract with the company, just to make sure they give you a written guarantee that they deleted all data about you they don't _seriously have to_ maintain.

              • qznc 2229 days ago
                I intend to use it as well. Since I'm about to move, I'll wait until I have the new address. Yes, I'm interested in what I will get in return.

                I also consider it activism to keep companies aware of their responsibilities.

                • briandear 2229 days ago
                  ..and drive up the cost of goods and services.

                  Does anyone actually understand that this law will make things cost more?

                  • lagadu 2229 days ago
                    Keeping my data private has costs associated with it? What a shocker!

                    Do you also argue against mandatory seatbelts? All they do is drive the cost of cars up. The justice system that works to enforce the laws brings the taxes up; should we get rid of it too?

                    • mercer 2228 days ago
                      This guy being the equivalent of a car manufacturer in your analogy...
                  • gsich 2229 days ago
                    Maybe. But it's worth it.
              • kuschku 2229 days ago
                I read them, and often I make decisions based on this — or can use it to convince e.g. my family to stop using payback (a discount scheme where a company logs all your purchases, even cash ones, and you get ~1% cashback).
              • gsich 2229 days ago
                Why do you think otherwise?
        • benologist 2229 days ago
          I think if you can easily automate it this is the time to because it will make everything easier as privacy rights continue their spread to additional countries and on to the UN's charter on human rights. Granting the rest of your users the same rights before they officially have them seems the right thing to do because it does not seem ethical to only uphold some of your users privacy.
    • hedora 2229 days ago
      Won’t adding round trips to the process (by sending letters indicating you’re delaying) just waste more of your lawyers’ billable hours?

      Anyway, the main target of this legislation are the hundreds of businesses you’ve never heard of brokering your personal information. I doubt they have salesforce leads for each person they track, and I think most people want to see that entire industry collapse.

      Similarly (in terms of regulatory burden, not consumer sentiment), most legit consumer businesses rely on razor thin transaction costs. Spending any additional per-customer human time could be the difference between profit and loss.

      To see the problem, consider what would happen if you walked into any store with affinity cards, and handed this letter to the manager.

      • geocar 2229 days ago
        > Won’t adding round trips to the process (by sending letters indicating you’re delaying) just waste more of your lawyers’ billable hours?

        There are only four requests in this letter, and they were written by a PWC consultant to appear as intimidating and confusing as possible, so a small business that does not have easy access to legal advice would not find it difficult to convince a regulator as such.

        That said, a lawyer can help you identify them and ignore the rest. For the cost-conscious, spending time on the ICO's website will also help you discover them so that when you talk to a lawyer you can be efficient with their time (and therefore your spending).

        > most legit consumer businesses...

        Most consumer businesses do not keep very much personal data; if the cost of understanding this letter within three months would cause a company to go into administration then they were going to fail anyway.

        > the main target of this legislation are the hundreds of businesses you’ve never heard of brokering your personal information. I doubt they have salesforce leads for each person they track

        I don't agree with this at all. Who do you think the "main target" of this legislation is?

      • DanBC 2229 days ago
        > just waste more of your lawyers’ billable hours?

        Why are you using lawyers to respond to DPA / GDPR requests?

        • paulie_a 2229 days ago
          If anything, that can be automated, and it will waste their lawyers' time. Sounds fun.
    • foobarbazetc 2229 days ago
      Honestly... none of the questions in this letter are that hard to answer.

      I really don’t see what the fuss is about if you run a semi-professional operation.

      • x0x0 2229 days ago
        Then you haven't thought it through or don't understand the gdpr.

        Though this letter doesn't mention it, you not only have to provide all data in your systems -- every single db inside your company -- but also data from every 3rd party system. Your transactional emailer, your marketing emailer, your billing system, your logging system, your retargeting system, etc.

        • jodrellblank 2229 days ago
          Good. Stop casually aerosolizing information about your customers all over the cloud, and ignoring employees casually copying live databases here there and everywhere.
        • avianlyric 2229 days ago
          That’s not totally true. GDPR only applies if the data is stored in a “filing system”. Things like logs almost certainly don’t fall under that. (Unless you were feeding them into a data mining system, that would change things)
          • x0x0 2229 days ago
            Believe whatever you want but (1) our lawyers disagree; (2) if you can query your logs, you have to (PS: you can; that's literally the point of things like sumologic); (3) the various privacy orgs that have published reasonable amounts of guidance -- notably ICO and DPC -- disagree.
          • web007 2229 days ago
            If you ever log an email address then logs contain PII, and are therefore in scope.
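The point just made, that a log with e-mail addresses in it is a store of personal data, has two practical sides: finding out whether your existing logs already contain addresses, and keeping them out of new ones. The following is an added illustration of both, not code from any commenter on the page. The sample log lines are constructed, and only e-mail addresses are matched; other identifiers a log may carry (IP addresses, user ids) need their own assessment and their own patterns.

```python
"""Scan log text for e-mail addresses, and attach a logging filter that
redacts them before any handler writes them (added illustration; the sample
lines are constructed)."""
import io
import logging
import re
from collections import Counter

# Deliberately simple address pattern; it is a detection aid, not an RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of the kind of lines an application writes without thinking about it.
SAMPLE_LOG = """\
2018-04-10 12:00:01 INFO login ok user=alice@example.com ip=10.0.0.5
2018-04-10 12:00:07 WARN password reset requested for Bob@Example.org
2018-04-10 12:00:09 INFO healthcheck ok
2018-04-10 12:01:13 INFO login ok user=alice@example.com ip=10.0.0.5
"""


def scope_report(log_text: str) -> Counter:
    """Count how often each address appears: a first answer to 'are these logs in scope?'"""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        for address in EMAIL_RE.findall(line):
            counts[address.lower()] += 1
    return counts


def redact(text: str) -> str:
    """Replace every address with a fixed marker so the line keeps its shape."""
    return EMAIL_RE.sub("<email redacted>", text)


class EmailRedactingFilter(logging.Filter):
    """Rewrites the fully formatted message before any handler sees it.

    The record's args are folded into msg first, so an address passed as a
    %s argument is caught as well as one embedded in the format string."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def logger_with_redaction(name: str, stream: io.StringIO) -> logging.Logger:
    """Build an isolated logger writing to `stream` with the filter attached."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(EmailRedactingFilter())
    return logger


def demo_filter() -> str:
    """Log two lines the way the sample above was produced; return what reached the stream."""
    stream = io.StringIO()
    log = logger_with_redaction("gdpr-demo", stream)
    log.info("login ok user=%s ip=%s", "alice@example.com", "10.0.0.5")
    log.warning("password reset requested for Bob@Example.org")
    return stream.getvalue()


if __name__ == "__main__":
    for address, n in scope_report(SAMPLE_LOG).most_common():
        print(f"{address}: {n} line(s)")
    print(demo_filter(), end="")
```

Attaching the filter to the logger rather than to one handler means every handler on that logger (file, syslog, a hosted log service) receives the already-redacted record; if you only need the account for correlation, a stable pseudonym in place of the fixed marker keeps the log useful while still not containing the address itself.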
          • dominotw 2229 days ago
            Are you sure about logs? Kafka is in scope afaik.
            • Someone 2229 days ago
              I think so, too. Certainly, they should be in scope for the “data protection” part, or (extreme example) you would be allowed to log personal data to a publicly visible server.
              • avianlyric 2229 days ago
                To be clear, when I say GDPR doesn’t apply, I’m talking about information requests (the topic of the linked article).

                The data protection part of GDPR of course applies to all PII regardless of how it’s stored. But that part is not new in GDPR, the EU has had strong data protection laws for a while. (Even if people didn’t talk about it)

    • nopriorarrests 2230 days ago
      Sorry, but ICO stands for "Information Commissioner's Office", and they seem to be a UK organization, having a .uk domain and all that. How can they recommend anything with regard to EU-wide law? Or, stated differently, how does their recommendation hold any value at all?
      • kenbaylor 2229 days ago
        Each country will have a Data Protection Authority (DPA) which is the regulator in the country. The ICO is the one in the UK.

        The last letter of the GDPR is Regulation. A regulation is very different from a Directive (the pre-GDPR law is based on a directive). There is very little wiggle-room with a Regulation, even between countries. The ICO also works with other DPAs currently as part of Working Party 29, which ensures the DPAs are working in sync.

        So the ICO advice is worthy of close study, especially if your local DPA (assuming you have one) has not commented or given guidance on a certain matter.

        • barrkel 2229 days ago
          To add, the difference between directive and regulation is in Article 288 of the TFEU:

          To exercise the Union's competences, the institutions shall adopt regulations, directives, decisions, recommendations and opinions.

          A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States.

          A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.

          • arrrg 2220 days ago
            Basically, a regulation is like a law. It’s directly binding as law.

            A directive is something member states have to implement themselves, probably also by passing a law using their own national process for doing so. As such there can be (greater) differences in the different national implementations of the directives.

      • Silhouette 2230 days ago
        The ICO is the government regulator responsible for data protection in the UK, and as such the people who are going to be enforcing the GDPR here.
      • sharkdaysunrise 2229 days ago
        "The EU" doesn't enforce the GDPR, the Supervisory Authorities in each member state (like the ICO) enforce the GDPR.

        The member states have agreed to abide by the GDPR, but their own specific data protection laws are allowed to have slight variations, e.g. the specific age limit defining minor vs. adult.

      • chasb 2229 days ago
        The ICO is seen as a leading voice, with some very good guidance, e.g.: https://ico.org.uk/for-organisations/guide-to-the-general-da...

        They're widely respected, but you're right it remains to be seen whether UK and EU enforcement will diverge.

    • chasb 2229 days ago
      There are a lot of businesses that market and sell in the EU, or that recruit or hire contractors in the EU. GDPR affects not only your CRM, but your marketing and sales stack, your HR stack, and any other part of your business that might touch personal data.

      With a good system of record, you can track and manage all of the rest of the information and issues raised in the letter.

      That said, in a large company with a lot of legacy systems, it may be tough to extract the actual data itself (or even know if your system of record is complete).

  • cromwellian 2229 days ago
    It's not baking security/privacy in from the start that's the problem, it's the need to have a "compliance officer" and have to handle these requests. Small companies don't have time or resources for this.

    Look at the Americans with Disabilities Act, an act that has done enormous good in many ways, but that has also led to an entire industry of lawyers hassling tiny businesses over insignificant infractions. (e.g. https://www.mercurynews.com/2016/04/10/serial-ada-lawsuit-fi...)

    Startups in the US won't have this hassle. You don't have to serve EU customers to reach mid size/product market fit, you can concentrate on iterating on your core product. When it's time to scale, then you can look at GDPR. So limited resources stretch further.

    But if the lawyers in Europe start becoming a nuisance to startups there, it's just going to force more and more services to be located overseas, and more and more government complaining about the dominance of overseas tech, a problem they're probably going to make worse.

    • guitarbill 2229 days ago
      > Startups in the US won't have this hassle.

      Startups in the US are what got us into this privacy nightmare in the first place. Of course, they are no longer startups, but they still didn't fix shit once they got bigger, so I don't see how this argument holds.

      I like to think of privacy like internationalisation or security. When I started programming, Unicode/UTF-8 was niche and not well supported at all. Now, for new languages, it's a given. The same with decent crypto libraries. Databases now offer pretty great unicode support (except for the old ones where it had to be bolted on, coughMySQLcough). It isn't inconceivable that privacy tools become standard in databases and data processing frameworks.

      Personally, I see this as a brilliant opportunity for people/companies who want to do the right thing for their customers (whether that's consumers directly, or a company using them).

      My prediction is you'll see this with cloud providers strongest. Some are putting a lot of effort into GDPR, and a properly compliant provider will become a huge value-add, and not a liability.

      • cromwellian 2229 days ago
        > Startups in the US are what got us into this privacy nightmare in the first place.

        C'mon. The internet and web when they started were a wild wild west that operated on the honor system. Most people were just starting to feel their way around what kinds of businesses could even exist on it. The Morris Worm was the canary in the coal mine about how the honor system wouldn't scale.

        EU startups are no different than US startups, we just have more of them, there is a greater concentration of investment in that area here.

      • briandear 2229 days ago
        You don’t think BNP bank or AXA insurance play loose with sharing personal data? I had my Peugeot dealer share my purchase information with a third party “extended warranty” vendor without my permission. The vendor called me and sent letters. I never told Peugeot that they could sell my data. I have never given any business permission to call me — yet they do.

        Blaming US tech is naïve. European companies have been engaged in non-digital forms of privacy invasion long before Google even existed.

        • guitarbill 2229 days ago
          I agree, but people on HN don't seem to care about those as much as US startups. Plus who is worried about car dealerships going under just because they can't pass on your data to some scummy vendor? (Also, some countries have laws close to the GDPR already, where this wouldn't fly.)

          Having said that, shunning one car dealership is way easier than trying to stop Facebook or Google slurping your data, even with ad blockers et al.

    • qw 2229 days ago
      > Startups in the US won't have this hassle

      If I have a choice between a US startup that has no pressure to handle my data responsibly, and an EU startup that has a legal requirement to do so, I would choose the EU startup. The US startup may claim it takes care of my data and ask me to trust their word, but I know that the EU startup is forced to by law.

      Perhaps it could end up as a competitive advantage for EU businesses.

    • Tomte 2229 days ago
      You don't have to hire someone new. You just label an existing employee "compliance officer" and give him the relevant authority. Chances are he won't have to reply to a single letter, because unlike the web board imaginations, next to nobody will be motivated enough to actually send such a letter.

      And all bigger companies already have a data protection officer, so he just gets this new job title.

    • jopsen 2229 days ago
      If you look at what google does, they already offer you an admin panel where you can see all the information recorded about you, and you can download it, etc.

      How is this much more of a hassle than being required to send people a receipt as proof of purchase...

      Ensure customers can see what you record about them when logged in (probably in their user profile), then minimize what you record to what you need.

    • ryandrake 2229 days ago
      Every time any new regulation comes out, doesn't matter what law it is, Small Business™ trots out the same sob story: "Woe is us, we are too small to follow this new burdensome law!" I get it--it's going to be costly. This cost is one of many that founders will need to consider when they decide between go and no-go. If founders can't afford to follow (and prove they follow) the law, I think they should re-think their start-up idea. The ADA has done enormous good, in part, because of that industry of lawyers keeping a close watch for opportunities to sue. Same is probably true for HIPAA. Same will, hopefully, be true for GDPR.
      • chasb 2229 days ago
        The cost of compliance will fall drastically. My company (Aptible) started in HIPAA and is doing a lot with GDPR. They are very similar in a lot of ways, including the emergence of new systems of record for privacy and security management data.
    • chasb 2229 days ago
      The data protection officer does not have to be a full-time role. It can be part of someone's other duties, or performed by a contractor (Art 37 ¶ (6): https://gdpr-info.eu/art-37-gdpr/).
    • rmc 2224 days ago
      "Just look at the GDPR when you get above a certain size" probably won't be so easy. You'll have already committed to lots of things, lots of services, business model(s) etc. It's much much much easier to think about it from the start.
  • kenbaylor 2230 days ago
    The reason why this is such a great letter is because it questions the competence of the recipient DPO. The data subject has a right to some of the information, but by no means all of it.

    If the DPO complies with all of it, they will breach the GDPR (e.g. Request 9b). Of course a data subject also has no right to know what security controls (request 8) you have in place, other than they are 'commercially reasonable'.

    A regulator can require this information, but not a consumer (data subject). This could be the basis of a great interview test for selecting your DPO.

    • number6 2230 days ago
      The requests themselves are legit. E.g. request 8 is aiming at ISO 27001, which states that the information policy is to be made public to stakeholders.

      Request 9b is a bit tricky since the regulator has to be informed but not per se the data subject. Only if there is a risk for the data subject do they have to be informed.

      The letter is carefully worded itself. The parts the data subject does not have a direct right to know are friendly requests (eg 4 vs 8b).

      You can answer 8b just with one word: Yes. (Well or No)

      The takeaway here:

      If you give this letter to your technical personnel you will get a detailed overview of the infrastructure they use.

      If you give the same letter to your lawyer you would get a very polite letter with the bare minimum of information.

      Example for 8b would be this: "We have technology in place which allows us with reasonable certainty to know whether or not your personal data has been disclosed"

      • mjw1007 2229 days ago
        I found this part interesting: «Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions.»

        Do you know if there's really a requirement to provide requestors with your beliefs about the law, or with legal advice you've received?

        • sharkdaysunrise 2229 days ago
          This language refers to the specific grounds established by chapter 5 of the GDPR under which transfer is allowed. The data subject is expecting you to point at the specific clause that provides legal grounds in your case.
      • hedora 2229 days ago
        > Example for 8b would be this: "We have technology in place which allows us with reasonable certainty to know whether or not you personal data has been disclosed"

        Arguably, such technology doesn’t exist (at least when plugged into a computer network). What penalties are in place if you lie in the response?

        • geofft 2229 days ago
          I'd expect "with reasonable certainty" to mean something different to pedantic lawyers/regulators than to pedantic cryptographers. Although perhaps an actual lawyer might suggest another phrase there, like "industry-standard measures" or something.
          • number6 2229 days ago
            Yeah I think a lawyer would write something even more nebulous... We minimized the risk according with our assessment with industry standard measures in accordance with our threat model to a reasonable level of safety as defined in the international standards taking in account user experience and the requirements of our partners all in accordance with local and EU law...
        • Silhouette 2229 days ago
          Such technology can't exist, because it is fundamentally trying to prove a negative.

          There are technologies you can use (with varying degrees of effectiveness) to reduce the risk of data leaking by monitoring or intercepting specific mechanisms through which leaks can occur, but you can never have reasonable certainty in this respect.

          • insomniacity 2229 days ago
            You can get most of the way there though: https://diogomonica.com/2017/10/08/crypto-anchors-exfiltrati...
            • Silhouette 2229 days ago
              Yes and no. That is the kind of measure that can help, but it's going to be very difficult to keep all relevant data within such a tightly controlled environment.

              At some point you will probably need to work with the real data to do anything useful with it. There are situations where you really can operate on obfuscated/encrypted data, such as comparing password hashes, but these tend to be the exception rather than the rule.

              And so, if you're compromised at a point with access to the raw data, or anywhere else from which access to such a point can be gained, you've still lost control of the data.
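The crypto-anchor idea linked a few posts up, with the caveat just given, comes down to one design rule: the key that turns a customer identifier into what the database stores lives only inside a separate, rate-limited service, so a copy of the database on its own cannot be turned back into addresses, and every use of the key is counted. The following is an added miniature of that pattern, not the linked article's code: `KeyAnchor` stands in for an HSM or key service, the in-memory dict stands in for a user table, the user "alice@example.com" is constructed, and a clock is injected so the window can be exercised in a test.

```python
"""A crypto anchor in miniature: the pseudonymization key exists only inside
KeyAnchor, which counts and rate-limits its use (added illustration; the
anchor, store and user are constructed stand-ins)."""
from __future__ import annotations

import hashlib
import hmac
import time
from typing import Callable, Optional


class AnchorRateLimited(Exception):
    """Raised when a caller asks the anchor for more operations than its window allows."""


class KeyAnchor:
    """The only place the key exists. The application never holds it; it calls here."""

    def __init__(self, key: bytes, max_ops: int, window_s: float,
                 clock: Callable[[], float] = time.monotonic):
        self._key = key
        self.max_ops = max_ops
        self.window_s = window_s
        self._clock = clock
        self._window_start = clock()
        self._ops_in_window = 0
        self.audit: list[tuple[float, str]] = []  # (time, caller): stand-in audit trail

    def pseudonymize(self, email: str, caller: str) -> str:
        """HMAC-SHA256 of the normalized address under the anchor's key."""
        now = self._clock()
        if now - self._window_start >= self.window_s:
            self._window_start, self._ops_in_window = now, 0
        if self._ops_in_window >= self.max_ops:
            raise AnchorRateLimited(f"{caller}: over {self.max_ops} ops per {self.window_s}s")
        self._ops_in_window += 1
        self.audit.append((now, caller))
        normalized = email.strip().lower().encode()
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()


class UserStore:
    """User table keyed by the anchor's pseudonym. Profile fields stay plaintext:
    as the thread notes, at some point the application has to work with real
    data, so this protects the lookup key, not everything in the row."""

    def __init__(self, anchor: KeyAnchor):
        self._anchor = anchor
        self._rows: dict[str, dict] = {}

    def add(self, email: str, profile: dict, caller: str = "signup") -> str:
        pid = self._anchor.pseudonymize(email, caller)
        self._rows[pid] = dict(profile)
        return pid

    def find(self, email: str, caller: str = "login") -> Optional[dict]:
        return self._rows.get(self._anchor.pseudonymize(email, caller))

    def dump(self) -> dict[str, dict]:
        """What a leaked copy of the table would contain."""
        return dict(self._rows)


def dump_contains_addresses(dump: dict[str, dict]) -> bool:
    """True if any key or value in a table dump looks like an e-mail address."""
    return any("@" in key or any("@" in str(v) for v in row.values())
               for key, row in dump.items())


if __name__ == "__main__":
    anchor = KeyAnchor(b"key-only-the-anchor-knows", max_ops=100, window_s=60.0)
    store = UserStore(anchor)
    store.add("alice@example.com", {"name": "Alice", "plan": "pro"})
    print("lookup:", store.find("Alice@Example.com"))
    print("dump has addresses:", dump_contains_addresses(store.dump()))
    print("anchor operations so far:", len(anchor.audit))
```

The two properties worth noticing are that a bulk read of the table yields no addresses (the test checks the dump), and that turning a list of addresses into pseudonyms, whether by the application or by anyone who obtained the table, has to go through the anchor, where it shows up in the audit trail and hits the window limit. The caveat in the post above still holds: the profile columns are plaintext, and the protection is only as good as the isolation of the anchor itself.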

        • number6 2229 days ago
          I am not sure what penalties there are for lying. I bet it's expensive ;)

          And with lawyers and words I like to think of this quote:

          "It depends on what the meaning of the word 'is' is. If the--if he--if 'is' means is and never has been, that is not--that is one thing. If it means there is none, that was a completely true statement....Now, if someone had asked me on that day, are you having any kind of sexual relations with Ms. Lewinsky, that is, asked me a question in the present tense, I would have said no. And it would have been completely true."

    • ThePhysicist 2229 days ago
      The GDPR explicitly states that companies can prove their adherence to best practices using certification (https://gdpr-info.eu/art-42-gdpr/), so it usually would be sufficient to show a certificate from an accredited source to "prove" that data is handled appropriately. Don't forget though that the user also has the right to know which other processors or joint controllers have a copy of his/her data, so companies will have to provide a list with all of the services they use.
  • retrac98 2230 days ago
    Technical types seem naively optimistic about how GDPR is going to work out.

    Businesses will do enough to pass the sniff test of proper compliance with GDPR, and no more. I've worked with enough to know most mid sized orgs are far too reactive, too technically incompetent, and far too busy making money to do a proper job on adhering. Most flout existing laws already, I don't think they'll be scared of disregarding elements of this too.

    • grigjd3 2229 days ago
      I work at a BigCorp and we are taking this very seriously, adding processes and new retention policies to all internal datasets, and reconsidering our interactions with partners.
      • GordonS 2229 days ago
        Was going to say the same thing. I work in ExtremelyBigCorp, and people are obsessing over GDPR.
        • jyrkesh 2229 days ago
          Similar BigTechCorp, everything around me has been GDPR for almost a year. Deadlines are coming up, there are entire teams dedicated to following them up.
        • lagadu 2229 days ago
          A slightly different point of view: I work for a company one of whose products is related to identity and access governance, and we have a large number of ExtremelyBigCorps from all around the world throwing A LOT of money at it (except Oceania, I don't think we have any clients there).
    • donohoe 2229 days ago
      Maybe. Maybe not.

      I know that there is a HUGE concern about the fines that can be used to backup GDPR.

      I know of US companies that have an EU presence legally (but with little income from the EU) that are considering just blocking EU traffic as a way to stay safe with the smallest overhead.

      • foobarbazetc 2229 days ago
        Or you could just run a semi-competent data operation...
        • jimktrains2 2229 days ago
          That really isn't the only reason the gdpr can cause headaches you'd rather avoid.
          • guitarbill 2229 days ago
            That's fine, businesses have that choice. Hopefully, GDPR gives people a choice w.r.t what happens with their data.

            Many countries in the EU have a great standard of living by focussing on individual's rights vs companies. Well, I say focussing. From our perspective, it's just normal and a good balance. But if you live in a country where companies can screw you over in a million ways ("at will" employment, arbitration, NDAs, etc.), maybe such rights might seem a bit alien.

            • jimktrains2 2229 days ago
              No, I mean my understanding of the law is unclear because the law itself is. It'll take a few court cases to hammer out most of the clarifications. Once it's better understood or made to be like the PCI that literally spells out steps to take for minimum compliance it'll be a headache at best.
              • guitarbill 2229 days ago
                Fair enough, although how is this different from other laws? If laws were obvious, there'd be no lawyers or judges.

                And if you've tried to comply with the law, but unintentionally fail to handle some edge-case with low impact, the sanctions are pretty light (e.g. a warning letter). It's not draconian, as long as you don't cut corners.

                • jimktrains2 2229 days ago
                  Most laws aren't so far reaching and the vast majority in terms of regulatory scope have been fleshed out. These same issues do happen with any new broad far reaching regulations. This is one of the first that is both a significant increase in regulatory burden and that deals with, ostensibly, the global tech market.

                  Also, the fines here can be real money, which also isn't often the case. That plus the lack of clarity are why people are concerned about it.

                  Basically they're worried that you can do everything right and still be wrong because everything isn't well defined and is very difficult to define.

            • vsl 2229 days ago
              As a citizen of an EU country, I’d prefer to have the choice from as many companies as possible, and to decide myself whether I do or do not mind sharing my data with a company. This will reduce my choices.

              I also disagree with you that the EU regulations are a good balance - it’s skewed way too far towards over-regulation.

      • lagadu 2229 days ago
        That's just a band-aid though: they're effectively gambling that data protection laws won't ever come in effect in the US and Canada, all the while locking themselves out of expanding into the EEA market.

        After the Equifax thing it's not looking like a very solid bet.

      • Someone 2229 days ago
        Would that be sufficient? I would think an EU citizen interacting with such a company from within the US would open the company for GDPR requests. Enforcing them might be hard, yes, but it could be enough of a nuisance.

        I think this will change the world, just as the EU's push for lead-free soldering did.

    • cycop 2230 days ago
      You're right, businesses will do enough to pass the sniff test; the sad thing is that is more than what they have been doing.
    • r00fus 2228 days ago
      GDPR has teeth.

      While some outfits may blithely whistle past the graveyard - do you want to become the precedent that starts paying the % of revenue fine for non-compliance?

    • mirimir 2229 days ago
      I'm just a random privacy-centric geek, and I'm getting spam about GDPR compliance.
  • 5h 2230 days ago
    Reading this actually makes me feel pretty good. My team & I have been working on GDPR tooling for our app for the past couple of months, and combined with the fact-sheets we've prepared, answering such a letter while complying with the individual's rights would be pretty straightforward.
    • redleggedfrog 2229 days ago
      I was thinking the same thing. Wouldn't be too hard to give that to a support person and get good answers. After the first one, a lot of it is reusable. And then a lot of it is already in the marketing materials we use for selling our services!
  • montrose 2230 days ago
    It seems to me that this letter is similar to a denial of service attack in the way that, although a valid request, it places an impossible burden on the recipient.

    If so, the GDPR is similar to a broken protocol.

    Maybe the people who designed it assume that it will never be misused. Anyone with experience designing protocols could tell them how dangerously naive that is.

    • edent 2230 days ago
      If you can't answer those questions in a few button clicks, then you probably can't be trusted with my personal data.

      We keep being told that "data is the new oil". It is. Not for money making opportunities, but because you have to handle it responsibly and if it leaks it will cost millions to clean up.

      • montrose 2230 days ago
        Or you are an early-stage startup with just a couple founders trying to do everything.
        • geofft 2229 days ago
          Early-stage startups with just a couple of founders who are too overworked to give a good answer about data protection are probably too overworked to actually protect the data itself, law or no law. We generally don't think it's reasonable for an early-stage startup to be too overworked to get their security right - you still have to write secure code, patch your servers, set up HTTPS, etc. Why is this different?
          • gingerlime 2229 days ago
            > you still have to write secure code, patch your servers, set up HTTPS, etc. Why is this different?

            It's very different. Here you're requested to answer fairly detailed and potentially tripping questions with potential legal implications on your business. This has little to do with how you secure things technically. It's all about jumping through some bureaucratic hoops, and wasting your time doing it. Answering those questions won't in any way, shape or form improve the security of your business. It's pure distraction.

            • amptorn 2229 days ago
              > It's very different. Here you're requested to answer fairly detailed and potentially tripping questions with potential legal implications on your business. This has little with how you secure things technically.

              The difference is that you know offhand how to do one of these things but not the other.

            • amptorn 2229 days ago
              > Answering those questions won't in any way, shape or form improve the security of your business. It's pure distraction.

              Answering the questions is not intended to improve the security of your business, it's a form of serving your customers.

            • avianlyric 2229 days ago
              I think the legal implications people talk about are overwrought. Regulators are more interested in chasing down people who openly flout the law, rather than repressing startups that can’t cross and dot their legal t's and i's.

              My personal experience with the ICO has shown they're quite lenient to mistakes, if you can show that you're doing your honest best, and getting better.

              No point crushing companies that are trying; better off getting the ones that just don’t care.

              • gingerlime 2229 days ago
                I certainly hope so. I'm not sure about Germany though. I have a feeling they're much more sticking to the rules (My company is based in Germany, but I'm not German, so it's kind of an outsider's observation).

                But it's not even just about getting to a point of getting fined or under some kind of investigation or audit. It can be all those clever customers who would use some automated service or a template, just to waste your time ... At least that's what the original post is about, but I hope it won't be too common.

              • vsl 2229 days ago
                If the law relies on the regulator being in a good mood and being sensible, it is a badly written law. The law should give the regulator strict boundaries, not be subject to broad leeway in interpretation.

                Around here, regulators are prone to scoring easy points by going after the small, naive fish. All it takes is the wrong incentives: the department needs to show results, so it gives bonuses, or establishes quotas for successfully handled cases. Bam, your small business is now investigated because a government employee needs to meet a quota and correctly guesses you can’t afford competent legal defense.

            • rdiddly 2229 days ago
              It's not designed to help you. Improving the security is your job. It's designed to reveal, through your answers, whether you're doing it right or not.
          • Silhouette 2229 days ago
            Early-stage startups with just a couple of founders who are too overworked to give a good answer about data protection are probably too overworked to actually protect the data itself, law or no law.

            People keep making this kind of argument, but it makes no sense.

            Personal data isn't protected from leaks and privacy intrusions by documents or emails. It's protected by encryption, or only being processed by software with a clear purpose, or simply not being stored in the first place.

            I suggest that it is not only possible but also quite likely that a reasonably diligent startup will be taking reasonable practical steps to secure personal data but will not have formal documentation or automated processes in place of the kind that would deal with a SAR like this.

            • geofft 2229 days ago
              I agree that it is likely that a reasonably diligent startup is generally doing the right things just out of general competence. But I disagree that they are reliably doing the right things.

              We expect programmers to write working code out of general competence (and we even make sure they know how to write working code in the interview process), but we still write tests and insist that they pass. We expect finance folks to handle money correctly out of general competence, but we still have written policies about how money should be handled. The reason we do these is that good, well-intended people occasionally make mistakes, and in both of these cases, the mistakes have real consequences.

              A written policy about how you handle data isn't going to save you if you're messing up in general. But it should be easy to write, and it will save you from "Wait, why did one of our interns add a library that sends stack traces and local variables to a third party? How did this code review even get approved?"

              The documents don't protect your users' data. Your general technical practices protect your users' data. The documents protect your general technical practices.

              • Silhouette 2229 days ago
                That seems like a reasonable argument, but I can't help observing that when we write code, documentation is generally viewed sceptically because it so easily gets out of sync with the actual behaviour of the system. Automated tests have become a more trusted check on whether code is doing the correct thing, because they aren't vulnerable to that same effect, but there doesn't seem to be any direct equivalent in this context.

                So I think I would still argue that the security benefits of this law in terms of any documentation and processes it requires are at best unproven, and that a startup could be doing the practically useful things needed to protect personal data regardless of how compliant or otherwise they might be with any documentation requirements.

                • gdpr_throwaway 2229 days ago
                  I wanted to send you an email or a twitter DM, but your HN profile doesn't list contact info. (I'm anonymous because I am a moderately visible figure in the tech community and don't want what I say to result in my company getting flamed.)

                  I wanted to tell you how impressed I am with how patiently and clearly you've responded throughout this comment section.

                  I likewise think the intent of the law is admirable: prevent future Equifax-es, give people control over their data, and centralize the requirements so that companies need to comply with a single EU standard, instead of 28 country-specific ones. But the amount of discretion left to regulators and the lack of any sort of proportionality built into the law make this all very scary. We are expecting a fifteen person small business to have a totally impractical degree of _documentation_ and _formal_ processes, which are 1) very expensive to produce, 2) totally unnecessary for an otherwise reasonable and well-intentioned group of people, and 3) crucially, basically orthogonal to actual data privacy and security best practices.

                  And even if you comply with the letter of the law, just reading and understanding an email like the one in this post will require hundreds of dollars of company time – beyond reading it, it will need to be escalated, someone will need to loop in a few other people to help with any new technical details, and so forth. If the fully-loaded cost of a white collar employee is $75/hr, this all gets expensive very quickly, and that cost can be levied on a company by an email that can be sent in one minute. Nobody is going to bring down Google with GDPR-spam but it would not be hard to do serious damage to a company of ten people.

                  There are a lot of well-meaning thoughts in this thread from people who are frustrated at the status quo but unfortunately don't understand how little this law will do to change it and how huge its costs will be.

                  When you try to deliver a novel product and build a business around it, you are forced to develop a strong sense of practicality and an understanding of the machinery of a business. Most people have never done this. Despite being very intelligent, a lot of these people haven't experienced the realities of creating a business, and as a consequence they don't really understand just how harmful this kind of law can be.

                  I admire how patient and articulate you are. (And I think your thoughts are clear and your point of view is correct and badly needed.) Would love to buy you a beer sometime.

                  • gingerlime 2229 days ago
                    Couldn't agree more. It's not just that I can totally relate to everything Silhouette was saying, but he/she definitely presented their thoughts calmly and thoughtfully, even in the face of quite blatant trolling in a few instances.

                    Since Silhouette (and gdpr_throwaway) want to keep their anonymity, I opted for virtual beers by upvoting :) But happy to convert those karma points to real food or drink -- and hopefully an insightful conversation -- if you feel like getting in touch (my details aren't so private).

                  • Silhouette 2229 days ago
                    Thank you, that's nice of you to say. The ability to contribute honestly to this sort of controversial discussion is exactly why I have a pseudonymous account, so sadly I won't be able to take you up on that beer, but I do appreciate the thought.
                  • lagadu 2229 days ago
                    I disagree with you about the burden that GDPR places on a company. If a company takes data protection seriously handling such a letter would be a matter of minutes because they already have the processes in place. The GDPR is almost two years old now and it's just an update of the DPR which has been in place since the mid-90s: nobody should be caught by surprise by now except companies that deliberately decided that making sure you're compliant with the law is something that should be ignored right until the cops are knocking at your door.
        • detaro 2230 days ago
          What exactly about being a startup makes this a lot harder? I'd expect a startup would in many cases have a fairly easy time answering requests like this, since it won't have built years worth of legacy systems, half-abandoned projects, weird cross-department data accesses etc that could catch a large company here. You'll likely have fairly centralized storage and a reasonable number of service providers you use for specific purposes. + the typical startup has more or less the same relationship with every customer, so it should be fairly easily repeatable once you've documented it once.

          For the few small companies I've worked for, this would have been a bit of work once (document the dataflows), and then a fairly easy set of queries to be repeated each time.

          • gingerlime 2229 days ago
            It's not just about answering the questions. It's also about answering them in a legal-safe way that won't put you in more trouble than not answering them at all. And any small variation in the questions can require someone with legal experience just checking this, which costs money.

            To add to a sibling comment, Google can afford a big enough legal department for estimated 0.00000x% of their turnover that deals exclusively with these.

            For smaller organizations, this becomes more like 0.x% of turnover...

            Not to mention the distraction and plain overhead when you're juggling so many other things.

            • jopsen 2229 days ago
              > It's also about answering them in a legal-safe way that won't put you in more trouble than not answering them at all

              By that logic don't you need a lawyer to handle all customer support interaction?

              Couldn't you get sued for fraud if you fail to document purchases in a legal-safe way?

          • montrose 2229 days ago
            Having fewer people. The task may only be 1/100 as hard for a startup as for Google, but there are 1/10,000 as many people to perform it. If so, the burden on the startup is 100x greater than on Google.
          • rstephenson2 2229 days ago
            If you work with data security departments at large companies, you get these types of questionnaires all the time already. And every single question has been answered a dozen times before, but each new request's questions have subtle nuances such that it's impossible to build up a FAQ comprehensive enough that a non-technical person could copy-and-paste answers in a legally safe way. You'd think it would be possible, it just isn't.

            The part that's not clear about the GDPR is whether you're obligated to manually answer any data-related question a user has, or if you can just post a comprehensive FAQ + data export / account deletion tool, and auto-respond to GDPR requests with links to those.

          • tedivm 2229 days ago
            Looking this over, and looking at the startups I've either worked for or applied at, I really don't see how it would take more than a couple of hours to fill out the bulk of this form (the parts that would be reusable for every request after it), and then a couple of database queries for the specific data for the user.
        • discoursism 2229 days ago
          Hopefully if you are a company that small, you haven't had time to develop multiple data warehouses. You can write up a script to query your single warehouse to get the necessary data. You won't create a unique response for each letter, except for filling in all the user's personal information. Instead, you'll write a letter like:

          Here is a listing of everything you have a right to know about our company and processes under GDPR:

          <huge info dump>

          Here is all of the personal data we have about you:

          <very long CSV file>

          Ideally, the most time-consuming part of responding, after the first such letter, will be verifying the user's identity.
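The "document the dataflows once, then run the same queries for every letter" approach described in the comments above, as an added example that is not part of the thread or any poster's code. One inventory of the tables holding personal data (purpose, recipients, retention) drives both halves of the reply: the generic info dump and the per-subject export. It also carries the check the "intern added a library" worry earlier in the thread calls for: any table that exists but is not in the inventory is flagged rather than silently left out of the next reply. The table names, columns, purposes, processors and sample rows are all invented for the example.

```python
import csv
import io
import json
import sqlite3

# Constructed inventory: one entry per table that holds personal data. This is
# the "document the dataflows" artefact; both halves of the reply derive from it.
DATA_INVENTORY = [
    {"table": "users", "subject_column": "id",
     "columns": ["id", "email", "display_name", "created_at"],
     "purpose": "account management", "recipients": ["hosting provider"],
     "retention": "until account deletion"},
    {"table": "orders", "subject_column": "user_id",
     "columns": ["id", "user_id", "amount_cents", "placed_at"],
     "purpose": "order fulfilment and accounting",
     "recipients": ["payment processor (tokenised card data only)"],
     "retention": "10 years"},
    {"table": "email_events", "subject_column": "user_id",
     "columns": ["user_id", "campaign", "opened_at"],
     "purpose": "marketing analytics", "recipients": ["mailing-list provider"],
     "retention": "12 months"},
]


def build_sample_db():
    """Constructed in-memory database standing in for the single warehouse."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, email TEXT, display_name TEXT, created_at TEXT);
        CREATE TABLE orders(id INTEGER, user_id INTEGER, amount_cents INTEGER, placed_at TEXT);
        CREATE TABLE email_events(user_id INTEGER, campaign TEXT, opened_at TEXT);
        INSERT INTO users VALUES (1, 'abc123@example.com', 'A. Smith', '2018-01-02');
        INSERT INTO users VALUES (2, 'other@example.com', 'B. Jones', '2018-01-03');
        INSERT INTO orders VALUES (10, 1, 1900, '2018-02-01');
        INSERT INTO orders VALUES (11, 2, 500, '2018-02-02');
        INSERT INTO email_events VALUES (1, 'launch', '2018-02-05');
    """)
    return conn


def generic_disclosure():
    """The part of the reply that is identical for every data subject."""
    return [{"data_category": e["table"], "purpose": e["purpose"],
             "recipients": e["recipients"], "retention": e["retention"]}
            for e in DATA_INVENTORY]


def subject_records(conn, subject_id):
    """One parameterised query per inventory entry. Table and column names come
    from the inventory constant, never from the request, so the subject id is
    the only external input and it is bound as a parameter."""
    result = {}
    for e in DATA_INVENTORY:
        sql = "SELECT {} FROM {} WHERE {} = ?".format(
            ", ".join(e["columns"]), e["table"], e["subject_column"])
        rows = conn.execute(sql, (subject_id,)).fetchall()
        result[e["table"]] = [dict(zip(e["columns"], row)) for row in rows]
    return result


def records_to_csv(records):
    """Flatten the per-table records into one CSV: table, column[row], value."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["table", "column", "value"])
    for table, rows in records.items():
        for i, row in enumerate(rows):
            for col, val in row.items():
                writer.writerow([table, "{}[{}]".format(col, i), val])
    return buf.getvalue()


def uninventoried_tables(conn):
    """Check: every table in the database must be in the inventory. A table
    added without updating the inventory is reported here instead of being
    silently missing from the next reply."""
    known = {e["table"] for e in DATA_INVENTORY}
    names = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return [name for (name,) in names if name not in known]


def answer_sar(conn, subject_id):
    """Assemble the reply. Identity verification is assumed to have happened
    before this is called; this function trusts subject_id."""
    return {"processing": generic_disclosure(),
            "personal_data": subject_records(conn, subject_id)}


if __name__ == "__main__":
    db = build_sample_db()
    assert uninventoried_tables(db) == []
    reply = answer_sar(db, 1)
    print(json.dumps(reply, indent=2))
    print(records_to_csv(reply["personal_data"]))
```

Run `uninventoried_tables` in CI or on a schedule: the moment a migration adds a table that is not described in the inventory, the check fails, which is the cheapest way to keep the "generic" half of the reply honest as the schema changes.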

        • Silhouette 2230 days ago
          Or just one of the almost-all companies that never grows beyond a handful of staff, for that matter. People talk about regulatory matters like the GDPR as if all businesses grow to become large, but here in the UK for example, only about 1 in 25 businesses has more than 10 staff.
        • lagadu 2229 days ago
          Just because you're an early-stage startup (or virtually any entity really) you're entitled to not protect my data?
        • setquk 2230 days ago
          Incidentally the minimum viable products that the early stage startups with two founders are kicking off are the ones that are most likely to put your data at risk. This is fair and just.
        • jopsen 2229 days ago
          > Or you are an early-stage startup with just a couple founders trying to do everything.

          Then limit what you record. What do you need to store that isn't visible from peoples user profile when logged in?

        • bogomipz 2230 days ago
          Why would this be harder? Wouldn't such an early-stage startup with two people likely have much, much fewer users and by extension actual GDPR requests?
          • sanderjd 2229 days ago
            The entire reason the tech startup thing works (to the extent that it does) is leverage: each employee serves a very large multiple of users. Anything that changes that calculation has the potential to eliminate the value proposition.
            • bogomipz 2229 days ago
              The context is an "early-stage startup with just a couple founders."

              It's unlikely that the number of requests of the type referenced in this article would be sufficiently large at that stage that it would "eliminate the value proposition."

      • Erlangolem 2230 days ago
        (Deleted)
        • mattzito 2230 days ago
          You know that the GDPR violation fines start at 10m or 2% of worldwide revenue, whichever is higher, right?
          • detaro 2230 days ago
            These are up to limits, not start at. The second class is 20 million/4%, but still up to. And given the long list of factors to consider for the fining authority, they can't just slap close-to-max amounts around without supporting evidence for why that's appropriate.
    • dtech 2230 days ago
      In the Netherlands we have a similar problem due to the "Wet Openbaarheid Bestuur" (Law of Open Administration)

      Basically, you can request any non-sensitive information from any government agency and they have to provide it within a reasonable term or pay a fine to the requester.

      This caused people to request all calibration reports of a speed camera if they got a ticket, because for quite some time the government would waive the ticket if you stopped the request.

      When it got abused too widely they automated the process and now it's not a problem. This is also how large corporations should handle this problem.

      • rdlecler1 2230 days ago
        Large corporations have the resources for this. Small startups that are built on an ecosystem of services do not.
        • raverbashing 2230 days ago
          Oh another startup that wants to track-all, profile-all, sell-all the data they can get about me and not even bother with basic information security?

          Can't feel too sorry for them

        • sgift 2230 days ago
          Then they either shouldn't process private data or should only work with services that can provide such information. No one needs to process personal data - if you don't the answer is a matter of seconds.
          • Sevii 2229 days ago
            Then you have a government enforced monopoly for large companies in the personal data space.
            • geofft 2229 days ago
              Which is a good thing.

              If you phrase it as "large companies," then it sounds bad - but it forbids incompetent large companies too. It enforces that only companies that are competent enough to answer questions about data protection can be in the personal data space. If a small company is inherently incapable of answering those questions or handling the data properly, it shouldn't be allowed in that space.

              It's like saying that there's a "government enforced monopoly" keeping newcomers out of the food business by not letting them just make things in their apartment and hand them to Uber Eats. It is a technically accurate description, but most people who believe that government has any legitimate functions at all see health inspections as a good thing.

            • vidarh 2229 days ago
              You just have specialization. Most places I've worked that deal with card payments, for example, opt for payment processors that let them tokenize payment data, because it means they don't have to store it, with the accompanying additional risks of having a copy of the payment data in their database. There are still plenty of payment provider options.
            • roma1n 2229 days ago
              Not really. You have what already exists for handling investments, e.g. you pay Yomoni (a tiny startup) to make decisions for you but your money is handled by one of the big banks e.g. Crédit Agricole. Your point is somewhat valid, but also amounts to "there is a government-enforced monopoly for large companies in the airliner production space". Damn right there is. For the same safety reasons.
        • Sylos 2230 days ago
          Nor do small startups have to fear request traffic that's in any way comparable to what a big company can expect.
      • GordonS 2229 days ago
        We've had something similar in the UK for a long time, but it actually works pretty well.

        There will always be a few people out to cause trouble with excessive requests, but I don't think we should let that block access to non-sensitive information for things we as the tax payer have paid for.

    • geocar 2230 days ago
      The regulators aren't stupid and have thought of this.

      See:

      https://ico.org.uk/for-organisations/guide-to-the-general-da...

      https://ico.org.uk/for-the-public/personal-information/

      You can wait 3 months (not one).

      You can charge £10 if the request is complicated.

      • tetromino_ 2230 days ago
        A £10 fee for a ridiculous fishing expedition which would likely require at least one person-day of work, with that person probably being a knowledgeable and key employee?

        A $1000 fee would seem a little bit more fair.

        • Khol 2230 days ago
          This might seem fair to the person incurring the direct cost of the response, but is markedly unfair to the person earning minimum wage who is concerned about the handling of their personal data.

          The law needs to be applicable to everyone, and imposing high costs is generally considered to do the opposite: http://www.bbc.co.uk/news/uk-40727400

          • tetromino_ 2229 days ago
            A person earning minimum wage may be concerned about all sorts of things, and the degree of his concern can be entirely unrelated to (1) the likelihood of the concern being legitimate, (2) the potential monetary harm to the person, (3) the cost to society of investigating and reporting on it, and (4) how fairly this cost is allocated.

            It is utterly unfair to compare subsidized access to an employment tribunal (potential harm: months of undeserved unemployment, loss of home and possessions; cost of investigation: spread across the entire nation's taxpayers) to almost-free access to your GDPR privacy report (potential harm: a little bit of mental discomfort; cost of investigation: borne by one organization, potentially ruinous for a small business or solo project).

            • ge0rg 2229 days ago
              As said in other comments there is no obligation for any company to store personal information, and without such information the request can be easily dealt with by a simple form letter.

              Companies storing and losing PII have a huge negative impact on the affected users, like e.g. credit card fraud or tax refund scams. This bears a huge actual cost to the victims, either because they never get back the stolen money, or because they need to invest significant time and expenses to fight for it.

              A company trying to make money off my PII had better be prepared to handle it securely and to delete it upon request. Handling of GDPR requests must be calculated by them as part of the data handling expenses.

            • Khol 2229 days ago
              Consider:
              - A landlord holding incorrect data on rental payments.
              - A company holding personal financial data.

              In both of these cases if the information is misused it has consequences for the individual, and (relatively) higher cost for the individual on minimum wage.

              In the former, this can affect your future ability to find housing. This potentially leads to extraordinary stress.

              In the latter the consequences again affect both wealthy and poor, but the person living hand to mouth faces much more serious consequences if their wages are administratively docked to pay for costs fraudulently registered in their name. Further, they're unlikely to be able to pay an expert to resolve this or take time out of work to do this themselves.

        • setquk 2230 days ago
          Legislation compliance should be built in as part of your product offering. If you don’t that day’s work is just technical debt you chose to take on immediately.
        • lagadu 2229 days ago
          Thus giving companies a strong incentive to clean house and make sure they have a good amount of control over your private data.
    • wffurr 2230 days ago
      If you can't answer these questions promptly, preferably with a form letter referring to the self service features of your website, then you are setting yourself up for this.
    • raverbashing 2230 days ago
      > it places an impossible burden on the recipient

      Which items do you feel are an impossible burden?

      From what I see most of the items pertain to one of two possibilities:

      1 - General procedures or information about the company (keep this updated and it's the same for all requests)

      2 - Information about the subject (export their data in an automated fashion)

      The thing about 'decisions based on their data' might be tricky, but I guess you can share what you concluded from it and the overall rationale (for example, Facebook's "Why am I seeing this" over an ad)

    • BjoernKW 2230 days ago
      You don't even need experience with designing protocols to understand that. Real-life experience with how law is practised in some EU member countries is enough.

      There are law firms whose sole business model is targeting small companies for not complying with certain regulations like legal notice requirements or disclaimers on websites.

      Only time will tell if this will be the case with GDPR but there definitely is a risk that this new regulation will be abused by dubious players.

    • tschellenbach 2229 days ago
      It looks especially damaging to the already frail EU startup ecosystem.
    • bogomipz 2229 days ago
      >".. it places an impossible burden on the recipient."?

      Impossible? Why is it not possible?

  • vasco 2229 days ago
    What provisions are there in place for a company receiving this type of request to confirm the identity of the requesting party? Are companies expected to be able to properly identify a citizen, in order to not disclose possibly very sensitive information to someone else impersonating them? In a lot of cases the company might not even have enough information stored in order to know who the owner of a given account is. How do you prove "abc123@example.com" is Mr. Smith, if your service doesn't ask them for names? Or if it does, which Mr. Smith do you have on record? Email original senders can be spoofed.

    The first thing I'd do if I was a black hat type attacker would be to submit GDPR information requests to all internet companies I could think of on behalf of all my targets.

    • wickedlogic 2228 days ago
      I haven't seen this reasonably addressed in any of the discussions, or org-based-presentations thus far. GDPR compliance itself basically ensures you cannot collect enough information to even defend against this type of attack vector.
      • smu 2228 days ago
        This is mentioned in the recitals: you can request additional identification; in fact you should if you can't identify the subject [1], and if you can demonstrate that you can't identify the data subject (with reasonable effort), you don't have to comply with the request. [2]

        [1] https://gdpr-info.eu/recitals/no-57/

        [2] https://gdpr-info.eu/art-12-gdpr/ (point 2)
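One way to handle the impersonation risk raised in this subthread, using the "request additional identification" route the recitals allow: an added example, not code from the thread or from anyone posting in it. The token is mailed to the address on record for the account the requester names, never to the sender of the inbound request (which can be spoofed); it is single-use, expires, and allows a bounded number of attempts. Unknown accounts get the same reply as known ones, so the endpoint does not confirm whether an address has an account. The account table, mail sender, TTL, attempt budget and token format are assumptions invented for the example.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a quarter of an hour to confirm
MAX_ATTEMPTS = 5              # assumption: attempts allowed per issued token

# Constructed stand-in for the account table: address on record -> account.
ACCOUNTS = {"abc123@example.com": {"user_id": 1}}

NEUTRAL_REPLY = ("If this address has an account with us, a confirmation "
                 "message has been sent to it.")


class SarVerifier:
    """Proves that whoever submitted a request controls the mailbox on record.

    The From/Reply-To of the inbound request is never used: the token goes only
    to the address stored against the account, and the data is released only
    when that token is presented back, once, before it expires.
    """

    def __init__(self, send_mail, now=time.time):
        self._send = send_mail   # callable(to_address, body); injected so it can be captured
        self._now = now          # injected clock so expiry can be exercised
        self._pending = {}       # address on record -> [token, expires_at, attempts]

    def start(self, claimed_email):
        """Begin verification. Same reply whether or not the account exists."""
        if claimed_email in ACCOUNTS:
            token = secrets.token_urlsafe(32)
            self._pending[claimed_email] = [token, self._now() + TOKEN_TTL_SECONDS, 0]
            self._send(claimed_email, "Confirm your access request: " + token)
        return NEUTRAL_REPLY

    def verify(self, claimed_email, presented_token):
        """Return the account's user_id on success, None on any failure."""
        entry = self._pending.get(claimed_email)
        if entry is None:
            return None
        token, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[claimed_email]      # expired or brute-forced: discard
            return None
        entry[2] += 1                             # count every attempt, good or bad
        # Constant-time comparison on bytes so a non-ASCII guess cannot raise.
        if not hmac.compare_digest(token.encode(), presented_token.encode()):
            return None                           # token stays live for another try
        del self._pending[claimed_email]          # single use
        return ACCOUNTS[claimed_email]["user_id"]


if __name__ == "__main__":
    outbox = []
    verifier = SarVerifier(send_mail=lambda to, body: outbox.append((to, body)))
    print(verifier.start("abc123@example.com"))
    print(verifier.start("attacker-guess@example.com"))   # identical reply, nothing sent
    token = outbox[0][1].rsplit(" ", 1)[1]
    print(verifier.verify("abc123@example.com", token))   # 1
    print(verifier.verify("abc123@example.com", token))   # None, already used
```

Where the account has no contact channel at all (no email, no phone on record), this pattern has nothing to send the token to; that is the "cannot identify the data subject with reasonable effort" case from Art. 12(2) above, and the honest answer is to say so rather than to release data to whoever asked.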

  • adamwathan 2229 days ago
    What frustrates me the most about the GDPR is that a single person building a mailing list for a $19 ebook launch is just as affected and burdened as any other company. A side-business that might make you $30,000/yr is now no longer worth pursuing because of the costs of working with a lawyer to make sure you are GDPR compliant and have all of the right policies in place.

    It raises the barrier to entry for small one person businesses even more, forcing out anyone who can't justify the costs of compliance.

    • jopsen 2229 days ago
      If you're building a mailing list for your ebook, won't you just need:

      1) Allow people to login and view their personal information: name, email.
      2) Allow people to delete the profile.

      And don't retain any data other than (1) or (2). If you want to track users to see if they clicked links and what countries they are browsing from then: (A) anonymize it or (B) make it visible in the profile information (1).

      If all you record is name and email, you won't need a lot of infrastructure. Your policy might say you transfer email addresses to AWS when sending emails.

    • rikkus 2229 days ago
      Perhaps services that help build mailing lists will offer a feature of handling GDPR requests on your behalf.
    • simooooo 2229 days ago
      There is a clause in the GDPR relating to the reasonable cost of providing the data. So there is potentially an escape route
  • cycop 2230 days ago
    The comments are an eye opening experience, amazed to see how so many people think they don't have a huge responsibility to the owner of personal information. More of a reason why GDPR is needed.
    • fogzen 2229 days ago
      I’m amazed people think they own personal information at all. As if writing their name on something makes it their property.
      • PeterisP 2229 days ago
        While you may be amazed, this is literally now the truth in the EU.

        The right to control such information is established as a right of the individual; and if you have possession of some information about me, then yes, I have more rights to control what you are allowed to do with this information in your hands than you, and that information can never in any way fully become "your property".

        As if possessing something makes it your property - property is a legal notion and (in democratic countries) means just what people want it to be.

      • bo1024 2229 days ago
        Devil's advocate -- if I write a poem for instance, and post it online, then copyright law still gives me control over uses of that information. People don't have the right to do whatever they want with that info. Is this so different?

        Similarly, companies often include EULA and shrinkwrap contracts governing what users are allowed to do with information accessed on their webpages. So why can't users collectively write a similar contract pointing the other way?

      • rdiddly 2229 days ago
        The name itself is what is owned. You agree, since you just said "their name," i.e. "the name owned by them."
  • harshreality 2230 days ago
    If this kind of request is a "nightmare" or too much of a burden, they should automate it.

    "We put lots of engineering effort into mining your personal data and selling bits to other people, but we can't be bothered to put any engineering effort into disclosing on your profile or account-settings page what we're doing with your data."

    A lot of the questions are answerable generically (no differences between users). You can't tell me that writing a data privacy FAQ with those answers in clear, simple language, once, with a link on every page and on users' profiles, is an excessive burden. These companies just don't want to have even that minimal burden and process to ensure that changes in usage of personal data get documented and updated on such a FAQ.

    • Silhouette 2230 days ago
      The GDPR applies as much to a startup or side business as it does to Facebook and Google.

      A letter like this would be a hugely disproportionate burden to a small business like that. It would take many hours, if not days, to reply properly to all of those points, even for a business that is doing nothing shady or unusual.

      You can't just write "automate it" as if that has no cost.

      • harshreality 2230 days ago
        What's an example of a start-up collecting personal information, using it in a complex way that can't be summarized in a few paragraphs, but being unfairly burdened by this?

        If a start-up is doing things with personal data so that answering those questions takes more than a few paragraphs, isn't the start-up pretty much a personal-information-processing business, and doesn't it deserve to have the burden? Doubly so because start-ups often leave security considerations for later; any personal information they collect or share may not even meet the minimal industry standards and expectations of larger companies (not that such informal standards are adequate—those larger companies are often incompetent themselves).

        • Silhouette 2230 days ago
          > What's an example of a start-up collecting personal information, using it in a complex way that can't be summarized in a few paragraphs, but being unfairly burdened by this?

          It doesn't have to be doing any of that. Just the time and money to have a lawyer review this letter and identify the actual obligations is already a significant burden. For example, notice that just replying with everything requested here would in itself potentially breach data protection law.

          • GordonS 2229 days ago
            A lawyer? Don't you think that's just a tad excessive?
            • Silhouette 2229 days ago
              Maybe for routine requests, but not when you get a letter on a legal matter from someone who is clearly looking to cause trouble.
              • mrguyorama 2227 days ago
                Making sure your company isn't screwing me over by throwing my personal information around willy-nilly isn't "looking for trouble"
                • Silhouette 2227 days ago
                  Perhaps, but making sure a company isn't screwing you over by throwing your personal information around willy-nilly doesn't require opening with a direct threat and then listing 40 or so different demands for information, several of which are technicalities which have little relevance to determining whether or not the data is really being handled safely and responsibly anyway.

                  A normal person who really was worried about how their data was being used would probably write a polite letter asking what data was being stored, how it was being used, and maybe a couple of supplementary points if they had particular concerns or perhaps had heard a warning about some specific practice that could be dangerous.

                  • mrguyorama 2226 days ago
                    Why do companies deserve the benefit of the doubt anymore?
          • DanBC 2229 days ago
            Why are you getting lawyers to review the letter?
            • TomMarius 2229 days ago
              Because it's hard to correctly understand. That's the point of the letter; it's called the nightmare letter because it was specifically crafted to be as confusing and hard to understand as possible.
              • DanBC 2229 days ago
                It's not hard to understand. It's only hard to understand if you've built your business around slurping people's data and using it without consent - something that's already mostly illegal in the EU.

                A lot of GDPR is not new. It's just clarification of existing law.

                • TomMarius 2229 days ago
                  Not true. You're right in case of Germany and some other western countries, but it's completely new for most countries, especially to the east.
              • nopriorarrests 2229 days ago
                I think it's very clearly written. It's a nightmare letter because it ticks all the boxes, so to speak -- the author asks all possible GDPR-related questions he can ask and the business is legally required to respond to.
          • akshatpradhan 2230 days ago
            All you're telling me is that your Agile Startup doesn't have:

            1) an updated Asset Inventory

            2) a Data Classification Scheme

            3) Data Labeling Policy & Procedure

            Those are basic components of an InfoSec 101 course taught by Community Colleges and the top basic items GDPR is wanting.

            • eximius 2229 days ago
              Yes, I can just imagine this is the first thing I'd do when starting a business. /s
              • ncallaway 2229 days ago
                Okay, that's fair.

                Don't do those things when you start a business.

                But, then, don't have your business collect and process data on individuals.

                • delecti 2229 days ago
                  > Don't do those things when you start a business.

                  > But, then, don't have your business collect and process data on individuals.

                  Aren't those two statements together effectively equivalent to "don't ever start certain kinds of businesses"?

                  • geofft 2229 days ago
                    Yes. That's the policy goal. Don't start businesses that are inevitably going to hurt people.

                    There are lots of other profitable businesses you're not allowed to start, like "an agile, disruptive restaurant that cuts costs by never cleaning" or "an investment advisor that front-runs their own customers" or "a healthcare startup that runs on unpatched Windows XP" or "a company that helps you get work visas for nonexistent jobs" or whatever.

                  • mikeash 2229 days ago
                    “Don’t do those things” isn’t advice here, it’s shorthand for “you can refrain from doing these things, but in that case....”

                    In other words, some businesses have requirements. If you don’t want to follow those requirements, don’t go into that business.

                  • PeterisP 2229 days ago
                    No, they say that you can either run a fly-by-the-seat-of-your-pants startup, or handle private data, but not both at the same time.

                    If you want to be entrusted with people's private data, then the table stakes are much higher than simply starting a business, and you have to be prepared to invest the time and resources to do it properly, or you're not allowed to do it at all.

                    • jimktrains2 2229 days ago
                      Billing and marketing (such as double opt in lists) data is private data.
                  • ncallaway 2229 days ago
                    No.

                    Don't start certain kinds of businesses without being willing to deal with the reasonable requirements of starting businesses of that kind.

                    If I start a biotech startup, then I need to make sure I'm keeping all health data I encounter well protected. This _does_ mean it's harder to start a business in this space—but not impossible.

                    If you're not willing to make that tradeoff, then don't start that kind of business.

                  • madhadron 2229 days ago
                    We don't let you start a medical practice without licensing either.
                  • toomuchtodo 2229 days ago
                    That’s the goal.

                    My data is my data, not the fundamental requirement of some businesses.

                    • delecti 2229 days ago
                      I certainly respect your desire for no businesses to have certain pieces of your personal data, but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".

                      And beside that, regulations that effectively result in prohibiting certain kinds of businesses even though they don't explicitly do so are bad regulations IMO.

                      • xg15 2229 days ago
                        > but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".

                        There are companies tracking the SSID of my phone with wifi beacons to find out which stores I was physically visiting. How do I opt-out of that?

                        Sorry to bring the tired "you're not the customer, you're the product" line, but the way the industry is set up today, I'm starting to doubt there is so much difference between the two options.

                        Tracking and data collection is baked into so many services nowadays that you'd have to be extremely attentive as a consumer to avoid any tracking - also be prepared to face a lot of inconveniences and restrictions. If possible at all.

                      • toomuchtodo 2229 days ago
                        I understand your sentiment, but we’ve swung so far towards the unrelenting abuse of consumer data, I’m supportive of regulation through any means necessary.

                        To your point, if a business is not explicitly banned, but banned because of regulation about what that business can do, that’s exactly the sort of regulation we want. We don’t dictate your business specifically, just what you can and can’t do with the data. If you can operate within those regulations, congrats!

                      • xg15 2229 days ago
                        * MAC, not SSID. Pardon.
              • paulie_a 2229 days ago
                If you don't have basic infosec when starting a business... Don't start a business. It's 2018. Companies get hacked for a ton of reasons; it's ridiculous how badly companies exploit customer data and then fail to protect it. Companies need to be held liable for that.
                • wyager 2229 days ago
                  GDPR does not, and government checklists can not, ever, cause companies to have acceptable infosec. Any attempt at security-by-bureaucracy is inherently doomed to failure. This is why business consulting groups' "security" divisions are the butt of countless jokes among security researchers. No bureaucrat, executive, or politician can ever make enough forms and flow charts to secure data.
                • akshatpradhan 2229 days ago
                  Exactly, GDPR is only asking for Security 101 Basics.

                  * Data Classifications

                  * Privacy Impact Assessments

                  * Log Reviews

                  * Incident Response

            • Silhouette 2230 days ago
              The GDPR is an EU regulation, but you appear to be adopting some US(?) based conventions and terminology, and then posting a string of buzzwords that have little if any connection to the subject at hand.

              Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?

              • discoursism 2229 days ago
                You probably need a lawyer to help you write the document the first time, and to update it when you make new partnerships or develop major new pipelines for data. You probably don't need a lawyer every time you receive such a letter.
                • Silhouette 2229 days ago
                  > You probably don't need a lawyer every time you receive such a letter.

                  For routine enquiries, maybe not. For a letter like this, from someone who is clearly intending to trip you up and cause trouble, our lawyer is the first call I'm making, every time.

                  And that initial conversation is already going to cost me hundreds of pounds and a half-day of work, even if I already have reasonable answers to anything we are actually required to respond with under the GDPR here.

                  • discoursism 2229 days ago
                    > For a letter like this . . . our lawyer is the first call I'm making

                    /shrug It's your money. You could do that, or you could even light it on fire if you wish. It's no skin off my back. If your company is profitable enough to eat this self-imposed overhead, then its owners will just make less money. If it's not, then leaner competitors will replace it. I'm fine with either outcome.

                    • Silhouette 2229 days ago
                      In this area, we have no idea which overheads are actually going to prove justified and which are just throwing money away. That's one of my main points here. As I've argued several times on HN recently, a big part of the problem is that if you're running a small business that isn't handling large amounts of personal data but obviously is going to be subject to the GDPR like everyone else, there is no clear indication of what you have to do to be considered reasonably compliant.

                      The GDPR itself is very heavy and has little in the way of moderation for small-scale data controllers/processors, so in practice it's going to come down to interpretation by regulators (and potentially anyone who has rights under the GDPR and wants to make trouble, as in the example we're discussing). If you don't do enough, you potentially face even greater overheads due to formal audits, financial penalties, etc. If you do too much, then as you rightly point out, you leave yourself at a disadvantage compared to competition who don't do as much (and this remains the case even if that competition is knowingly breaking the law as a result, and that in turn doesn't matter if they face no meaningful penalties for it).

                      • discoursism 2229 days ago
                        > we have no idea which overheads are actually going to prove justified and which are just throwing money away

                        Life is risk. I contend that if you make a good faith effort to comply with this law (i.e. consult with a lawyer, once, to develop those eight documents you mentioned in another part of this thread) and generally practice good private information hygiene (wipe out old data, don't log private info, don't retain logs or emails too long, etc.), you're probably going to be fine. This is probably not going to be in the "inner loop" of risks your small business faces.

                        In every regulation, there are winners and losers. Some of the losers didn't do anything wrong, but are just losing because that's the nature of designing laws that factor in disparate interests. At this point, it's the law, and your only choice is how you're going to handle it. And my contention is that, if your small business is receiving letters like this with any regularity, calling a lawyer and spending half a day on it each time is not among the reasonable spectrum of risk-mitigating responses.

                      • xg15 2229 days ago
                        To be fair, the EU introduced a two-year transition period with the express purpose that businesses should update their processes and basically identify and prepare for potential problems such as this one.

                        This transition period is ending this summer. Why is this discussion taking place now?

                        • nopriorarrests 2229 days ago
                          I'm involved in GDPR-compliance taskforce in our company, and I can answer this question.

                          GDPR is very broad and open to interpretations, which will happen only when someone gets caught, i.e. during the first legal battles.

                          So, the transition period does not really help, be that 2 years or 4. We need to see how this law is gonna be enforced by regulators, and which common IT practices constitute breaking the law and which do not.

                        • Silhouette 2229 days ago
                          > This transition period is ending this summer. Why is this discussion taking place now?

                          Because no-one thought to inform most of the businesses affected by it before, and awareness has only grown in recent weeks (and even then probably only among business people who frequent forums like HN where the subject has come up).

                          • vidarh 2229 days ago
                            > (and even then probably only among business people who frequent forums like HN where the subject has come up).

                            Every business I've worked with over the last couple of years of consulting has had sessions on GDPR entirely without any technically minded people having to bring it up.

                            I'm sure there will be people caught by surprise, but what I've seen has been very promising.

                            • Silhouette 2229 days ago
                              > Every business I've worked with over the last couple of years of consulting

                              OK, but if you're going into a business and consulting, that already suggests both a certain scale and a degree of awareness within those businesses, so this isn't likely to be a representative sample.

                              • vidarh 2229 days ago
                                I'm not consulting on the GDPR, and my clients range from 2-person companies to 2000 people with most of them being much closer to the low end than the high, so while it certainly will be a biased selection in other respects (e.g. they're companies with a certain degree of technical complexity) I don't think it says much about awareness (other than already having more tech staff) or scale.

                                Additionally, most companies without much technical infrastructure are less likely to be affected much in the first place.

                      • DanBC 2229 days ago
                        > there is no clear indication of what you have to do to be considered reasonably compliant.

                        This is just untrue. There are fucking reams of advice to small businesses.

                        https://ico.org.uk/for-organisations/resources-and-support/g...

                        • Silhouette 2229 days ago
                          Unfortunately, that guidance still doesn't provide specific, actionable advice in even a lot of everyday areas, as we've seen in just about every HN discussion on the GDPR in recent weeks when recurring themes like backups or log files or payment processing services come up.

                          Also, having "fucking reams of advice" is not a good thing. To be practically useful for the kind of organisation we're talking about, advice needs to be clear and concise. A starting point that will take days just to read through and understand isn't very helpful.

              • DanBC 2229 days ago
                > Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?

                You don't need a lawyer to reply to GDPR letters. You do need to comply with the law when you collect personal data. What you're saying is "I should be free to ignore the law until someone writes to ask about my compliance, and when they do it's burdensome for me to get legal advice to respond to that letter".

                • Silhouette 2229 days ago
                  I'm saying no such thing, and it's neither courteous nor constructive to twist words like that.

                  You keep asserting that it's not necessary to have a lawyer review a letter, despite the letter being legal in nature and in this case clearly coming from someone who is looking to cause trouble. Clearly you and I have very different attitudes to risk in this respect.

                  In any case, an obligation to comply with the law is self-evident. My objection is that the law itself is poorly implemented and that what is necessary to comply is ambiguous.

                  • DanBC 2229 days ago
                    Everything you do with customers is legal in nature - what do you think governs your relationship if it's not legislation?

                    Your repeated scare mongering around GDPR is fucking tedious, especially since almost everything you've said about it is false.

                    • Silhouette 2229 days ago
                      > Everything you do with customers is legal in nature

                      But most interactions with my customers do not begin with a multi-page letter that literally opens with a direct threat and then proceeds to demand a response on 40 different points.

                      > Your repeated scare mongering around GDPR is fucking tedious

                      I run small businesses, and we have been dealing with GDPR issues. The ambiguity and overheads I have been talking about in this discussion are costing us time and money right now. Dealing with a letter like the one we're discussing would cost us more time and money. Apparently we aren't alone in these respects.

                      Some of the GDPR's supporters have argued that the lack of proportionality in the actual regulations is not a problem because the regulators will enforce it pragmatically. I have personally heard such arguments made about onerous EU rules before, and through my own businesses I have been on the receiving end of government mistakes and their rather unpleasant consequences. And again, that wasn't some freak unlucky event: thousands of other businesses are known to have been subject to similar problems, in more than one incident, involving more than one government authority.

                      A few people have suggested that involving lawyers in response to a letter like this is unnecessary. Clearly it's going to be a matter of risk assessment, but I don't think it's unreasonable. Once again, I have personally seen (at a former employer in this case) how much time can be wasted if a company gets caught up in formal legal proceedings even having done nothing wrong.

                      In short, there are people out there dealing with the issues you call "scare mongering" every day. These are not just hypothetical problems. Maybe you've never been caught up in them yourself, but sadly not everyone is that lucky.

                      > especially since almost everything you've said about it is false.

                      If you're going to call me a liar, please at least tell me what I've written anywhere in this discussion that was false so I can set the record straight.

                    • tonfa 2229 days ago
                      Aren't those letters already pretty standard anyway? I was sending those to various places > 10 years ago using the existing privacy/data protection laws in the country I was a resident in.

                      (you get fun stuff back, I got all the logs from my public transit card that way)

                • orangecat 2229 days ago
                  You don't need a lawyer when you talk to the police, you just need to not break the law.
                  • DanBC 2229 days ago
                    Well yes, if you've built a business around illegally using personal data you may need to get a lawyer involved.

                    It would be better to get the lawyer involved when you start your business so you know you're complying with the law.

                    And almost everything in GDPR comes from existing laws (in the UK the Data Protection Act and PECR), so if you're breaking the law under GDPR you're probably breaking the laws that exist now too.

              • akshatpradhan 2229 days ago
                >Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

                Data Classification

                >a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

                Data Classification

                >b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.

                Asset Inventory

                >2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

                Privacy Impact Assessment

                >3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.

                Privacy Impact Assessment

                >a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.

                Privacy Impact Assessment

                >b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.

                Asset Inventory

                >c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.

                Access Control

                >4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.

                Data Retention

                >5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.

                Data Collection

                >6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.

                >7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

                Breach Escalation

                >a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.

                Backup

                >a. What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.

                Log Review

                >c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.

                Security Awareness Training

                >8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security.

                Get an ISO audit.

                • Silhouette 2229 days ago
                  I'm sorry, but this comment reads like something written by an academic with no real world experience of data protection issues and running businesses at all.

                  > You should be able to provide this from a SQL query.

                  Please tell us all what that query should be, then, and how it's going to cover the relevant data stored in log files, emails, remote services used for payment processing, off-site backups, etc.

                  That's just a very minimal set of other places that almost any new online business is likely to be working with on day one.

                  Data Classification Plan

                  Asset Inventory Plan

                  Privacy Impact Analysis

                  Privacy Impact Assessment

                  Access Control Plan

                  Data Retention Plan

                  Data Collection Plan

                  Breach Escalation Plan

                  You're suggesting that in order to handle this kind of request -- which none of my businesses has ever received from anyone in many years of trading -- we should write up 8 different formal policies? These businesses probably don't have 8 different formal written policies in total at the moment. This is just totally detached from the realities of running small businesses, though it does reinforce my point about disproportionate burdens.

                  [The parent comment appears to have been edited after I wrote this. The terms above were in the original.]

                  • akshatpradhan 2229 days ago
                    >The parent comment

                    I wasn’t finished writing.

                    >we should write up 8 different formal policies?

                    Yes. That’s obvious.

                    • sanderjd 2229 days ago
                      You're making the parent's point. This is disproportionately burdensome to companies that don't have people dedicated to writing policies or lawyers dedicated to reviewing them.
                      • akshatpradhan 2229 days ago
                        Then refrain from collecting and processing data on individuals.
                        • Silhouette 2229 days ago
                          How is that a useful solution to anything? Almost any business will handle some form of personal data, and as such will have some degree of compliance overhead.

                          More overheads are generally bad for business. In the run up to Brexit, and given figures from the Chancellor's statement just this week showing relatively low productivity and growth in the UK economy, it's remarkable how many people don't seem to have a problem with increasing those overheads and thus negatively affecting the creation and growth of businesses.

                          There is a balance to be struck here. Protecting privacy is important, but not regulating in a way that introduces excessive burdens is also important.

                          • akshatpradhan 2229 days ago
                            If you want to collect and process data on individuals, then start implementing Security 101 basics:

                            * Data Classifications

                            * Privacy Impact Assessments

                            * Log Reviews

                            * Incident Response

                • web007 2229 days ago
                  An ISO audit takes how long and costs how much? Do you expect every company that handles email addresses (that's PII) to perform an ISO or SOC2 audit before accepting customers?
              • jimnotgym 2229 days ago
                The answer every single time is:

                A) You are using personal data in good faith as part of and don't need a lawyer. Just reply. I work for an organisation at the larger end of the SME scale and won't be using a lawyer. Like I don't use a lawyer for routine contractual disputes like debt collection until the debtor refuses to pay.

                B) You are walking a fine line and relying on the exact wording rather than the spirit of the law. You are not acting in good faith and trying to make money out of customer data. You need a consultancy firm and lawyers and you won't get any sympathy from me.

                I'm not sure whether you are serious or this continues your repeated anti-EU comments on HN, Silhouette. I find it OT and I hope the moderators do too.

                • amarkov 2229 days ago
                  Option C is that the letter was written in bad faith, and the sender intends to "rely on the exact wording rather than the spirit of the law" in order to get me in legal trouble.
                  • PeterisP 2229 days ago
                    That's why the regulator can, must and will exercise judgement. They can't sue you for $bignum after getting your response, they can point the regulator towards you and claim that they've been abused, but if they are the abuser, then that's not going to fly.
                    • amarkov 2229 days ago
                      Being the target of a government investigation is in and of itself an expensive process. You have to spend a bunch of time preparing your side of the story in exacting detail. You probably need to put a freeze on any changes which might make the regulator think you're trying to cover up previous misconduct.

                      And of course, if people find out you're under investigation, a lot of people are going to just assume you did something wrong. You won't be able to fix that no matter what the regulators conclude.

                • Silhouette 2229 days ago
                  I'm not sure whether you are serious or this continues your repeated anti-EU comments on HN, Silhouette.

                  To the extent that I am anti-EU in some respects, particularly around the areas of small businesses and excessive regulation, that is born of experience. As I have mentioned in previous comments, which apparently you might have seen, I have been on the wrong side of EU rules being over-zealously applied before, and I have been on the wrong side of a government regulator that is for most practical purposes above the law making a mistake before. Some things that some commenters tend to dismiss as hypothetical, I know from direct personal experience to be real threats, and I will challenge bad laws that allow scope for such threats to exist.

                  I find it OT and I hope the moderators do to.

                  I'm sorry that you feel censorship is a useful response to someone with different experience and views to your own. I like to think that HN is a forum where people can discuss such differences of opinion openly and intelligently.

                  • akshatpradhan 2229 days ago
                    >I know from direct personal experience to be real threats

                    Access Controls, Data Classifications, and Privacy Impact Assessments requested by GDPR are not a threat.

                    That’s just security 101 basics.

                    • Silhouette 2229 days ago
                      No, the threat is having rules that are ambiguous and subject to interpretation by regulators with the power to at minimum cause serious disruption through a formal audit and at maximum impose fines that pose an existential threat to a small business.

                      And as I said elsewhere, if you think that threat is imaginary, please look at how many different national tax authorities have started large numbers of incorrect claims procedures against small businesses who had done nothing wrong just because the officials made mistakes with the new VAT rules and got their own records in a mess.

                    • TomMarius 2229 days ago
                      I'm pretty sure that most side businesses and microSaaS developers don't even know these terms.
        • sgustard 2229 days ago
          Take the simple and common case of a startup storing personal data on an AWS-hosted service. Can you account for who at Amazon has access to that AWS instance, how many physical copies of the data may exist in Amazon's data centers, how you can assure that deleted data is really deleted, and so on?
          • minaguib 2229 days ago
            This one's on the easy side.

            The company is the controller of the data, and Amazon is the processor.

            Here's Amazon's declaration and stance, stating they are GDPR-compliant both as a company (when they are the controller - of their direct customers' data), as well as when they are a processor (infra for use by others who control private data): https://aws.amazon.com/compliance/gdpr-center/

            There's generally no need for a controller who relays data to a processor to understand the intricacies of the implementation on the processor's side (is deleted data really deleted?) - what's more important is the processor's self-declaration for GDPR compliance.

            The above is my personal $0.02 as I've been spending quite some time getting into GDPR recently. IANAL

          • kbenson 2229 days ago
            If you're using AWS for your business/startup to store customer information and you don't have good answers for this already, then you aren't doing your due diligence.

            To be clear, many businesses may not have good answers right now. Their response should not be "this is too much of a burden" but instead "wow, we really need to find this out ASAP".

      • SllX 2230 days ago
        I just read through this "Nightmare Letter" and while the cost is definitely non-zero, a conscientious startup will have the same answer for each user for almost every single point and can have a boilerplate response ready to go in those cases.

        Where it gets complicated, i.e. where they buy your data from 3rd parties, I don't have a lot of sympathy for any of the complications involved. Most of the rest can be automated, not for a non-zero cost, but for a relatively low one if a startup goes in with these questions in mind, prepared to answer them when they come up.

        • Silhouette 2230 days ago
          a conscientious startup ... can have a boilerplate response ready to go in those cases

          I have businesses that don't do anything shady at all with personal data, and I'd like to think we're conscientious about handling what we do have. We follow general good practice in terms of encryption, hashing passwords, and so on. We've never had any sort of request for information under existing data protection rules, nor complaints under any other regulatory regime for that matter.

          So, how much time and money should we spend putting together that boilerplate, just to tick a legal box? How much of the documentation formally required under the GDPR should we actually write, given that on the evidence of several years of trading so far it has literally no value to anyone? How much should we spend on things like getting lawyers to review the contracts we have with the small number of outside services we do use, which might have access to some personal data in connection with the services they provide for us, and how often?

          If you actually follow the letter of the law here, the costs of compliance would be astronomical by small business standards. There is little proportionality built into the GDPR itself, so we are reliant on regulators to introduce it, and that's not a good position to be in either legally or practically.

          • gingerlime 2229 days ago
            That's what bothers me the most about the GDPR. There's a total lack of proportionality.

            Here's how the potential fines are defined:

            Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

            whichever is greater... So since my company's turnover is an order of magnitude less than €20 Million, I guess this means we can get totally buried??

            • kodablah 2229 days ago
              Depends on who you ask. Those who trust government will tell you that you can count on the subjective enforcement not to go after you as much, and of course the good ol "don't break the law and you have nothing to worry about". The rest of us that understand government incompetence/corruption and risk mitigation would tell you that you have to weigh whether these risks are real enough to you. I would tell a non-growth-focused early stage company uninterested in locale variety with limited resources (e.g. bootstrapped company in beta) to avoid EU customers since there are only downsides.
              • dangrossman 2229 days ago
                > avoid EU customers

                If anyone from the EU visits your website, and you're collecting server logs or analytics with IP addresses in them, you're now processing personal data of EU citizens and subject to the GDPR. They've written this regulation such that pretty much everything on the internet is subject to it.

                • tzs 2229 days ago
                  How about email? If someone from the EU sends me an email, their IP address will likely be in one of the received-from headers, and will be in my SMTP logs.

                  Note that even if I don't have an email server, relying on my ISP to handle that, desktop email clients download the headers from the server.

                  A lot of small businesses have no idea that they are storing that information.
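The point about Received: headers is easy to check against a real mailbox. The following is an added example, not code from any commenter: it parses a constructed sample message with Python's standard email parser, lists every IP address carried in its Received: headers (a heuristic regex scan, so hex words in square brackets or dotted version strings could be picked up too), and shows a retention-minimising transform that masks those addresses in the header block while leaving the body intact. The message, hostnames and addresses are all constructed.

```python
"""List the IP addresses held in the Received: headers of a stored email,
and optionally mask them. Added example; the sample message is constructed."""
import re
from email import message_from_string
from typing import List

# Constructed sample: two relay hops, the originating one an IPv6 literal.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.example.org with ESMTPS id abc123
\tfor <sales@example.org>; Thu, 23 Nov 2017 10:15:02 +0000
Received: from [2001:db8::1234] (unknown [2001:db8::1234])
\tby mx.example.net with ESMTPSA id def456;
\tThu, 23 Nov 2017 10:15:00 +0000
From: Alice <alice@example.com>
To: sales@example.org
Subject: Question about my order

Hello, I have a question about my order.
"""

# Heuristic patterns: dotted quads, and bracketed IPv6 literals as MTAs write them.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\[([0-9a-fA-F:]+)\]")


def received_ips(raw_message: str) -> List[str]:
    """Return the distinct IP addresses found in Received: headers, in the
    order the headers appear (most recent hop first)."""
    msg = message_from_string(raw_message)
    found: List[str] = []
    for header in msg.get_all("Received", []):
        found.extend(IPV4_RE.findall(header))
        found.extend(IPV6_RE.findall(header))
    unique: List[str] = []
    for ip in found:
        if ip not in unique:
            unique.append(ip)
    return unique


def redact_received_ips(raw_message: str, mask: str = "[redacted]") -> str:
    """Return the message with every Received: IP masked in the header block.
    The body is left untouched; only the headers are rewritten."""
    head, sep, body = raw_message.partition("\n\n")
    for ip in received_ips(raw_message):
        head = head.replace(ip, mask)
    return head + sep + body


if __name__ == "__main__":
    for ip in received_ips(SAMPLE_MESSAGE):
        print("stored IP:", ip)
    print(redact_received_ips(SAMPLE_MESSAGE))
```

Run it against an exported .eml file instead of the constructed sample to see what an ordinary mailbox retains; the same scan works on SMTP log lines if you apply the two regexes to each line.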

                • kodablah 2229 days ago
                  Well geo IP blocks are much easier than fetching those logs by user on request. This will happen if EU citizens overly burden companies with these letters... but not until then probably. I definitely wouldn't want to jeopardize my future EU prospects by ignoring the requests for info.

                  It may be a bit of an unlikely scenario, but people should remember their opinions on region-specific content blocking even if they think their region has enough leverage to make everyone bend to their will.

                  • xg15 2229 days ago
                    If I don't need an adblocker because all the adtech companies already preemptively block me, I personally could live with that and would consider the GDPR to be working as intended.
                    • minaguib 2229 days ago
                      It doesn't have to come to this, at least from adtech's side.

                      Generally, your device is instructed via a publisher's site/app to reach out to ad tech servers either directly (firstparty), or indirectly (firstparty->thirdparty, firstparty->RTB exchange->thirdparty).

                      Due to the "chaining", GDPR is particularly onerous on the adtech industry. Granted all the data is keyed by semi-anonymous IDs (cookies, IDFAs, IPs), the concerns for consent, retrievals, deletions, in a cascading manner, are an industry-wide problem requiring collective action. The IAB proposed something for the RTB side, the publishers don't like it, and it'll be tense until and through May 25th :)

                      Having said that, nobody wants to shut-the-whole-thing-down. While all these servers may refuse service based on fuzzing the request as originating from the EU, they may also decide to serve as-best-as-possible and minimize logging of the sensitive fields - it may be better, for example, to lose some functionality for European devices (behavioural targeting, for example, the idea of showing you an ad for the Widget you just looked at over and over), than to serve nothing at all.

                    • kodablah 2229 days ago
                      Who said anything about adtech companies? I'm talking about risk mitigation here, even for fully compliant companies.
                • jakeogh 2229 days ago
                  Um, nope. Go ahead, try applying EU law to a US website. I run a few, by all means, knock yourself out. It's hilarious and baffling at the same time that you think the EU can write laws for other countries.
                  • tzs 2229 days ago
                    If you are selling things to people in country X, you have to be very careful if you decide to ignore X's laws for such sales. You and your company may be beyond the legal reach of X, but your suppliers and service providers might not be.

                    For example, if you decide to ignore tax laws in X, X might put pressure on your credit card processors to stop aiding your tax evasion. If the credit card processors respond by cutting off your ability to process cards, they might not bother just cutting you off from accepting payments from country X. They might cut you off completely. That would be pretty annoying.

                    • jakeogh 2229 days ago
                      That's a feature. I want to know if the people I do business with are applying laws to me that do not apply.

                      Too "bad" about the US dropping the TPP, I assume that was the backdoor planned for "compliance".

                      • ascorbic 2229 days ago
                        If you have users in the EU then the laws do apply to you, even if you insist they do not. If you don't then you have nothing to worry about.
                        • jakeogh 2229 days ago
                          By your logic, any country can make up a law, go to my US website, and demand I follow it.

                          Demand all you want, this is the point of national sovereignty.

                          • ascorbic 2229 days ago
                            By your logic, you should be allowed to go to Ladbrokes.com and put some cash on tonight's NBA games. I could if I wanted to, and I'm sure Ladbrokes would love to take your bets if they could. But you can't, because countries can make laws about selling to their residents. Ladbrokes blocks you, because US law says they must.

                            I'm sure you can rely on your site being too small for EU regulators to bother with, and I'm sure it would be hard for them to enforce if you have no operations in the EU, but the fact you ignore the laws doesn't mean they lack jurisdiction.

                            • jakeogh 2229 days ago
                              Irrelevant. Ladbrokes is not a US firm, I don't know, need to know, or care what their legal system is. It's entirely possible their laws require them to comply with US law, or that they have assets in the US.

                              A website hosted in the US, owned by a US citizen, residing in the US, is not subject to laws written in other countries.

                              • ascorbic 2229 days ago
                                The reason I used the example of a gambling website is precisely because the US has history of prosecuting the operators of non-US websites for allowing US residents to join. There's nothing in UK law that says they can't let Americans bet. Didn't stop US authorities arresting several bosses of EU gambling websites. If you do a bit more research you'll learn that the US uses extra-territorial jurisdiction more than anyone.

                                http://www.nytimes.com/2006/07/18/technology/18gamble.html

                                • jakeogh 2229 days ago
                                  Sure, that's true. It's a different subject. If one's country allows a foreign system to operate outside of its own legal system, it's about as strong of a sign as I can think of that the people do not actually control their government.

                                  As a US citizen, I am strongly against our interference in other countries, but even if/when we fix that, it won't matter if the root problem is not fixed, since another outside power could do the same thing.

                                  • ascorbic 2229 days ago
                                    I'm sorry but no, it's the exact same subject. It's country A prosecuting a website in country B because they did something that's illegal in country A but legal in country B. The US does the same for copyright laws. Or is it OK if it's team America that's acting as world police?
                                    • jakeogh 2229 days ago
                                      I live in the US, _good luck_ enforcing foreign law on me.

                                      It's a sign that the people here have the most fundamental control over their legal system. It's not my problem if country B can't do that, but I would REALLY like country B to have the same power over their legal system.

                                      I could go into the real tests and what it means to have a legal system where the individual has so much power, and how to achieve that, but you are ignoring the distinction between enforcing foreign laws on a US citizen and a citizen of country B.

                                      You are implicitly admitting the asymmetry, but instead of fixing country B, do you want country A to weaken its system so that it has the same foreign influence bug as country B?

                                      • ascorbic 2229 days ago
                                        Like I said, your argument boils down to "we're American: we'll enforce our laws on everyone in the world, but if you think you can tell us to obey your laws when we sell to your country, you can F off." Which is fine: you're welcome to say that because a law is hard to enforce you won't obey it. Just don't pretend you're not breaking the same principle that your government relies upon: that if you're serving a country's residents, you must obey that country's laws.
                                        • jakeogh 2228 days ago
                                          So that's a "yes" to my question?
                  • lagadu 2229 days ago
                    They can't enforce them on other countries but they can:

                    - Have their ISPs block access to your network

                    - Have their banks not process payments to you

                    And if you really want to generalize it to "laws" they can emit an arrest warrant: good luck ever travelling to another country that has an extradition treaty with any EU country.

                    They can't prevent a business in another jurisdiction from operating but they sure can prevent your business from being conducted with any EEA entities.

                    • jakeogh 2229 days ago
                      Very true. All that is good and the way it should be. Markets of ideas are a good thing.
            • icebraining 2229 days ago
              Yes, so what? Did you know that as an individual, you can literally be imprisoned for decades for violating the law? Why is it so shocking that a company that violates the law can be forced into bankruptcy?

              The key term there, of course, is "up to". You don't get fined the maximum amount for the smallest violation. It's a range, depending on the severity of the violation, and probably whether there was gross negligence and/or maliciousness.

              • kodablah 2229 days ago
                There are sentence maximums for different crimes for a reason, and often people are unjustly sentenced to the maximum level. With your analogy we should just have the option to sentence everyone to life for any transgression and then just tell everyone "but they won't".

                I don't understand why this is constantly handwaved away with statements that claim to tell the future. If you are correct that the violations aren't as large in some cases, that can codify it a bit better than "trust us".

                • lagadu 2229 days ago
                  To reverse your argument: without data protection laws we're just trusting corporations that they won't commit any transgression. Your "worst case" description is exactly the current scenario that we have in place being practiced by corporations who have your private data: all you have from them is "trust us".
                • icebraining 2229 days ago
                  What makes you say they aren't codified better than that?
            • DanBC 2229 days ago
              If you look at enforcement under current regime in eg UK the ICO has never used their maximum fine.

              If this is carrot and stick the stick is fucking tiny and hardly ever used.

          • SllX 2229 days ago
            How much personal info that you have, do you actually need? I don't know your business, and I don't particularly want to, but this is a good opportunity to review how much of the data you retain you even should be retaining.

            If the amount is anything substantial, more than contact information and whatever data customers might choose to be hosting with you, then you are exactly the right target for GDPR and you should be spending whatever amount you deem necessary to avoid the fines.

            It's harsh, but it is true that software and service companies in general, maybe not you, maybe not your company, are far too lax with personal info, and so now legislative bodies like the EU are choosing to address that issue, and the easiest way to be in compliance is to not have any more customer data than you actually need so when you do get hit with a letter like the one linked here, you have a much easier time responding.

            Will this strangle some businesses? Even prevent some from even getting started? Undoubtedly, but that is a trade-off I'm willing to accept in this world where every incentive is stacked against the integrity of my privacy.

            • Silhouette 2229 days ago
              Well, speaking just for my own businesses, we've always minimised how much personal data we use, and all the processing we do is for good reasons that are directly related to what we're offering as a service. This wasn't due to any legal obligations, just basic good practice in terms of security and what I consider an ethical stance regarding the privacy of our customers.

              I suppose this is why I'm so frustrated by this whole issue. I have a lot of sympathy for your argument that some businesses exploit personal data in ways we might well agree are abusive, and that something needed to be done to curb that. But as someone who does try to do the right thing both ethically and legally, this is just another set of regulations that is going to cause compliance overheads for my own businesses while offering little if any real benefit to anyone in our case.

              Meanwhile, if the risk of significant enforcement action against smaller businesses really is low, the door is open for competitors to take their chances and gain an advantage over us, particularly if they're not in the EU themselves. So it also seems to be a case of no good deed going unpunished.

              • SllX 2229 days ago
                I'm sympathetic if your practices are already good, but the balance of power between an individual and a corporation is too far on the side of corporations as things stand. This levels things out for individuals who otherwise have to depend entirely on the goodwill of corporations.

                That includes you, the individual as well, and I hope it works out for you the corporation.

          • DanBC 2229 days ago
            If you can't already answer these questions you're probably already breaking EU law.

            There's been a round of companies "reconfirming" email lists "because GDPR" - but if those companies can't show clear opt-in before sending email they're already in breach of PECR.

        • indymike 2229 days ago
          A conscientious startup would probably not start up under these conditions. Every regulation that creates risk reduces the number of people willing to invest and enter the market.
          • lagadu 2229 days ago
            You could say that having to follow tax regulations also reduces the number of people willing to enter any market. Should we also drop requirements for pharmaceutical companies to do their thing? I'm 100% certain we'd have thousands of new "pharmas" popping up within a short amount of time.

            Obviously this is a silly simile but the point remains: certain types of business have certain regulations, in this case if a business relies on keeping your private data then they have to follow the appropriate regulations, like most other fields.

            • indymike 2228 days ago
              How many cures have not been discovered because of the cost of regulation? Does every regulation save lives? Please. There is a balance between serving the public interest (safety and feel good theatrics like GDPR) and what is actually the public's interest (cure to cancer, the internet, etc...).
              • chopin 2228 days ago
                We had bad pharmaceuticals despite regulation. As well, there are many promising (tested on few individuals) pharmaceuticals which did not survive broad clinical trials.
      • ThePhysicist 2229 days ago
        I don't know, would it really be so complicated for most businesses? Taking my former SaaS business as an example, I would have needed to gather the required information from two sources basically:

        - Our database (containing user data like login, e-mail etc.)

        - Our third-party SaaS providers such as Mailchimp (e-mail address and name), Mailjet (no personal data stored directly there) and Stripe (transaction history).

        Automatically pulling together the necessary information from these sources and sending it to the user seems totally doable and not overly complex.

        In general, I think the whole idea behind these rights is to incentivize companies to implement well-documented and automated processes for dealing with user data, and to keep the data in as few places as possible.

        BTW I'd be very interested to hear from people running startups how they process user data and how many different data stores / services they use to manage that data!
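The "pull it together automatically" approach described above is straightforward once every place personal data lives is registered behind one interface. The following is an added example, not code from the commenter or from any product: it declares each store as a DataSource with its role (controller or processor), purpose and retention period, then compiles one structured subject access response per email address, listing sources that hold nothing as well so the answer is complete rather than merely non-empty. The primary database, Mailchimp and Stripe are represented by constructed in-memory dictionaries; a real deployment would replace each lookup with the store's own query or API call.

```python
"""Compile a subject access request response from every registered data
source. Added example: all records and sources are constructed stand-ins."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class DataSource:
    name: str                                  # where the data lives
    role: str                                  # "controller" (our DB) or "processor"
    purpose: str                               # why the data is held there
    retention: str                             # stated retention period
    lookup: Callable[[str], Optional[Dict]]    # email -> record, or None if absent


# Constructed stand-in records keyed by email address (not real people).
_DB = {"alice@example.com": {"login": "alice", "created": "2016-03-01", "plan": "pro"}}
_MAILCHIMP = {"alice@example.com": {"name": "Alice", "list": "newsletter", "opt_in": "2016-03-02"}}
_STRIPE = {"alice@example.com": {"charges": [{"date": "2017-11-01", "amount_eur": 29}]}}

# The register of every store that may hold personal data. Adding a new
# service means adding one entry here, which keeps the SAR response complete.
SOURCES: List[DataSource] = [
    DataSource("primary database", "controller", "account management", "life of account", _DB.get),
    DataSource("Mailchimp", "processor", "newsletter delivery", "until unsubscribe", _MAILCHIMP.get),
    DataSource("Stripe", "processor", "payment processing", "7 years (tax records)", _STRIPE.get),
]


def compile_access_request(email: str, sources: List[DataSource] = SOURCES) -> Dict:
    """Return one entry per source, with the record (or None) plus the
    purpose and retention the subject is entitled to be told about."""
    response: Dict = {"subject": email, "sources": [], "processors": []}
    for src in sources:
        record = src.lookup(email)
        response["sources"].append({
            "name": src.name,
            "role": src.role,
            "purpose": src.purpose,
            "retention": src.retention,
            "data": record,
        })
        if src.role == "processor":
            response["processors"].append(src.name)
    return response


def holds_data(email: str, sources: List[DataSource] = SOURCES) -> bool:
    """True if any registered source has a record for this subject."""
    return any(entry["data"] is not None
               for entry in compile_access_request(email, sources)["sources"])


def to_portable_json(email: str, sources: List[DataSource] = SOURCES) -> str:
    """Machine-readable export suitable for a data portability request."""
    return json.dumps(compile_access_request(email, sources), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_portable_json("alice@example.com"))
```

The register doubles as the "where is our data" inventory: the same SOURCES list answers the letter's questions about third-party processors and retention periods, and an erasure routine can iterate over it in the same way.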

        • Silhouette 2229 days ago
          In general, I think the whole idea behind these rights is to incentivize companies to implement well-documented and automated processes for dealing with user data, and to keep the data in as few places as possible.

          That in itself is reasonable, but it lacks the proportionality aspect that is so important. My own objections to the GDPR aren't about the spirit in which it's intended; while you might not guess it from my comments on HN today, I'm generally a very strong advocate of privacy safeguards. Instead, my concern is the amount of additional red tape and ambiguous obligations that the GDPR appears to be introducing for what ought to come down to simple questions like whether you are using personal data only for legitimate purposes and you are storing it safely, which plenty of us already were anyway.

          • sbov 2229 days ago
            I'm kinda in your boat. IMHO, GDPR needed something for small businesses. If you're doing reasonable, expected stuff with your small businesses and you reply as such to the example letter, there should be no need to use a lawyer. And it should be codified in the law, rather than relying on prosecutorial discretion.

            There should be a distinct "If you adopt these reasonable policies, you are legally in compliance with GDPR".

          • ThePhysicist 2229 days ago
            How would you ensure that a company is only using the data for legitimate purposes without resorting to some kind of control mechanism?
            • Silhouette 2229 days ago
              We do have control mechanisms, but they are practical measures. Data of a given type is kept in one primary location with systematic backups. Processing of that data is typically done by programs that all use a specific related module in the code to access the data so they're easy to review, except for things like email where the nature of the processing is obvious anyway. Only a limited number of people have access to the relevant code or data at all, and everyone involved knows everything that is going on and could immediately describe exactly what data we store and how it is used. The privacy policy discloses our practices accordingly. What we don't currently have is a lot of the formalities that may (or may not) be required once the GDPR comes into effect.
              • lagadu 2229 days ago
                I commend your organization: by following some good practices when it comes to data collection and storage it's already very far into the process of being GDPR compliant. It looks like all you are missing is the documentation part, where the processes are clearly defined, and nominating someone to be the data protection officer.

                He was asking in general however, without a mechanism to control that corporations are doing what yours is already doing, how would we verify compliance?

      • nerdponx 2230 days ago
        I imagine most small companies would have you as a single joining key in a MySQL database somewhere. Most of those answers would be the same for every customer anyway.
      • maxxxxx 2230 days ago
        This looks like a fantastic opportunity for startups to help automating the process.
        • ThePhysicist 2229 days ago
          I actually started thinking about this and have tested an idea for answering data portability requests (https://www.dpkit.com) for the German market, so far there's not much interest though.

          Which aspects do you think would be interesting to automate or are particularly painful from your perspective?

        • hedora 2229 days ago
          I’d pay for a browser plugin that sent this to every company that attempted to set a third party cookie on my browser, but I don’t live in Europe and doubt that’s what you meant. ;-)
        • wyager 2229 days ago
          After this whole process of ineffectual, burdensome regulation followed by inconvenient, expensive, mediocre regulatory automation, how much better off is society?
          • akshatpradhan 2229 days ago
            You’re saying the following from GDPR doesn’t help?

            * Data Classifications

            * Privacy Impact Assessments

            * Breach Escalations

            * Access Controls

            That’s more like Security 101 Basics to me.

          • lagadu 2229 days ago
            > how much better off is society?

            We should ask that to the dozens of millions of Americans who have their private data for sale even as I type this after the Equifax breach. Bonus: we can literally buy it and use that data to contact them directly and ask :)

            • wyager 2229 days ago
              Are you willing to bet money on there being no data breaches from GDPR compliant companies in the next N years?
          • maxxxxx 2229 days ago
            Are you sarcastic or do you mean it?
  • bogomipz 2229 days ago
    There's a different "nightmare letter" in the US, one that ordinary citizens receive. It comes from a credit agency or a company that uses a credit agency. The letter informs folks that they have been the victim of a data breach and that their personal data "may have been accessed." The nightmare letter provides little meaningful detail beyond that.

    The letter is sent via regular snail mail and arrives months after the actual data breach occurred. The letter is largely devoid of any meaningful recourse for the victim. It does however offer "free credit monitoring" for up to 1 year by the same agency that displayed complete disregard for security.

    If compliance and accountability with people's data especially when they are not permitted to opt out of such a system constitutes a "nightmare" then perhaps those companies should rethink parts of their business model.

    • PaulKeeble 2229 days ago
      Considering the normal situation is they receive no actual notice at all from most breaches and find out through the news if they are lucky I would say the very absence of disclosure is the true nightmare. You usually find out a year later when the data appears on the dark web and is then pulled into something like haveIbeenpwned.com.
      • bogomipz 2229 days ago
        Yes, agreed, and of course Experian has now started using the existence of people's data on the dark web as another revenue stream. See:

        http://securityaffairs.co/wordpress/64043/deep-web/experian-...

        From the article:

        >"By using the “Free Dark Web Email Scan” a user will receive advertisements for Experian products at the e-mail address that is being scanned. The user agreement includes a clause which states that not only will Experian send you advertisements, but “offers for available credit cards, loan options, financial products or services, or credit-related products or services and other offers to customers.”

        It's like a vertically integrated criminal syndicate.

    • mycall 2229 days ago
      The best way to counter this nightmare letter is to freeze your credit. It works better than monitoring, imho. You switch from opt-out to opt-in. It should be the default for most people. It takes a little planning to grant individuals access to your credit file.
      • ctphipps 2229 days ago
        The fact that the credit reporting agencies can (and do, when not prohibited by state law) charge a fee for each freeze and unfreeze event is what prevents me from doing this. While the fee isn't expensive compared to dealing with the ramifications of ID theft, it's the principle of paying the data guardians to guard my data better that I object to. Especially when I have no choice (assuming I want to live a modern life) but to have them manage my data.
    • eadmund 2229 days ago
      That those practices are bad does not mean that something as simple & proper as storing IP addresses in your logs justifies receiving a nightmare letter.

      The GDPR is trying to do a good thing, but it goes too far.

      • akshatpradhan 2229 days ago
        >The GDPR is trying to do a good thing, but it goes too far

        By asking for:

        * Data Classifications?

        * Privacy Impact Assessments?

        * Access Controls?

        * Breach Escalations?

        If your business is collecting and processing data on individuals, you should already have these Security 101 basics in place.

        • stupidcar 2229 days ago
          It also requires you explain the logic of any algorithmic decision you make.

          I.e. if you use any sort of machine learning model, such as a neural network, you have to be able to explain every decision it makes. Given that there's currently no known method to fully explain the outcome of a neural network decision, GDPR would apparently make it illegal for any EU business to use a neural network in any user-facing capacity.

          GDPR advocates' answer to this seems to be that, while the regulations might read as such, it hasn't actually been tested in court yet and, who knows, maybe whatever judge it eventually comes up with will decide to keep neural networks legal!

          So, if you're a company using machine learning in Europe, you just have to wait a few months and keep an eye on court news to determine if your entire strategy is permitted or not. Thank God for the stability and confidence provided to businesses by the single market!

      • geofft 2229 days ago
        Why are you storing IP addresses in your logs? The web server my college computer club ran made a point of not storing IP addresses. We would respond to legitimate requests from campus police / the deans / other people who could kick us out of the college (usually when someone was, like, making threats of violence in the comments of a WordPress blog or whatever), but we would often answer with, "No, we don't have that data, it never got logged."

        If the GDPR is forcing businesses to abandon dangerous logging practices that they don't really need, it is hardly going too far.

        • twunde 2229 days ago
          Most applications will log IP addresses by default. Why? 1) Many security products rely on IP addresses in order to blacklist known malicious users (including fail2ban) and/or detect hacking attempts. Monitoring for stolen credentials also will typically check IP addresses, i.e. why is John showing up as being logged in from an unknown IP address when he's in the office with me? 2) It can be useful for debugging. Are those requests going to the right server? Is there one server where something isn't working correctly, i.e. is that server misconfigured? 3) Some businesses are required to prevent screenscraping of certain data. Solutions to prevent that typically use and store IP address information.
          • geofft 2229 days ago
            1 can be done by checking but not logging IPs, which we certainly did (we'd tcpdump traffic and throw it in iptables) or logging IPs of malicious requests but not of normal behavior.

            2 is what this regulation is intended to stop: you shouldn't be trading off "it might be useful in the future" for "it can be misused by authorized users, or exfiltrated by hackers".

            3 seems reasonable, but does that require a retention policy of more than a couple of hours?
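The two approaches argued over above (mask addresses for ordinary traffic; keep the full address only for requests that look hostile, and only for a short retention window) can be written down as one log-processing step. The following is an added example, not code from the thread or from any of the tools named in it. The log lines are constructed from documentation address ranges, and the two-hour retention window and the list of scanner paths are assumed policy values, not anything the GDPR prescribes:

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log format; the client address is the first field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (documentation addresses, not traffic from any real server).
SAMPLE_LOG = """\
203.0.113.17 - - [10/Mar/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.17 - - [10/Mar/2018:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 88213
198.51.100.9 - - [10/Mar/2018:10:00:05 +0000] "POST /login HTTP/1.1" 401 312
198.51.100.9 - - [10/Mar/2018:10:00:06 +0000] "POST /login HTTP/1.1" 401 312
2001:db8:85a3::8a2e:370:7334 - - [10/Mar/2018:10:00:09 +0000] "GET /about HTTP/1.1" 200 2048
192.0.2.77 - - [10/Mar/2018:10:00:11 +0000] "GET /wp-login.php HTTP/1.1" 404 162
"""

# Assumed policy: full addresses are kept only for requests that look hostile, and
# only for this long. The two-hour figure is an illustration, not a GDPR requirement.
FULL_IP_RETENTION = timedelta(hours=2)
SCANNER_PATHS = ("/wp-login.php", "/xmlrpc.php", "/phpmyadmin", "/.env")


def mask_ip(ip: str) -> str:
    """Blank the host part: the last octet for IPv4 (/24), everything past the /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def is_suspicious(method: str, path: str, status: int) -> bool:
    """Signals worth a fail2ban-style block: failed authentication or scanner probes."""
    if method == "POST" and status in (401, 403):
        return True
    if any(path.startswith(p) for p in SCANNER_PATHS):
        return True
    return "../" in path or "%2e%2e" in path.lower()


def process_line(line: str):
    """Parse one line; mask the address, or keep it with an expiry if the request is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], TIME_FMT)
    status = int(m["status"])
    rec = {"time": ts.isoformat(), "method": m["method"], "path": m["path"], "status": status}
    if is_suspicious(m["method"], m["path"], status):
        rec["ip"] = m["ip"]
        rec["ip_expires"] = (ts + FULL_IP_RETENTION).isoformat()
    else:
        rec["ip"] = mask_ip(m["ip"])
        rec["ip_expires"] = None
    return rec


def process_log(text: str) -> list:
    return [r for r in (process_line(line) for line in text.splitlines()) if r]


def purge_expired(records: list, now_iso: str) -> list:
    """Run periodically: downgrade full addresses whose retention window has passed to the masked form."""
    now = datetime.fromisoformat(now_iso)
    out = []
    for r in records:
        r = dict(r)
        if r["ip_expires"] and datetime.fromisoformat(r["ip_expires"]) <= now:
            r["ip"] = mask_ip(r["ip"])
            r["ip_expires"] = None
        out.append(r)
    return out


if __name__ == "__main__":
    for rec in process_log(SAMPLE_LOG):
        print(rec)
```

The masked records still support the debugging questions raised above (which server, which path, which status) and the failed-login and scanner hits still carry enough to feed a blocker; the only thing that disappears after the window is the ability to tie an old request back to a household.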

        • tombrossman 2229 days ago
          > Why are you storing IP addresses in your logs?

          Both Apache and Nginx (and others?) log IP addresses by default. The expected result of this is that storing IP addresses in server logs is widespread, useful for troubleshooting, and entirely normal.

          • geofft 2229 days ago
            This seems like a very good reason to have a law about it: if the only reason you log IP addresses is that it's on by default and you haven't thought about the risks of storing it, you should think about it for your production servers. Otherwise it's purely a risk and has no benefit. (And the risk is to your users, not you, so it makes sense that a law would be needed to give your users the ability to complain about that needless risk.)

            If you make the active decision that you specifically want the IP addresses, great, you can do that. Just have a strategy for keeping that sensitive data secure and getting rid of it at some point.

            • jimktrains2 2229 days ago
                What's the risk of storing an IP address? IP addresses aren't people and most people have a carrier-NATed or rotating address.

              The real question is what value does storing the IP address even hold?

              • alam2000 2229 days ago
                The IP address is like a temporary phone number. It cannot pinpoint the person persistently but can be tracked down with the help of the ISP.

                Other information you can retrieve from IP address is geolocation information such as https://www.ip2location.com

                • jimktrains2 2229 days ago
                  It's not a phone number because it doesn't need to resolve back to anything in particular. With carrier grade nat for instance, it could be shared by many people. At best it's shared by a house.

                  With regard to tracking you with the help of the ISP, if you have someone with those resources, it's not you storing an IP address that's their biggest concern.

                  Geoinformation can also change daily. Figuring it out afterwards isn't reliable.

              • hotwire 2229 days ago
                - You can identify trends and patterns in your traffic

                - You can figure out where in the world your traffic is coming from

                - It can be helpful in responding to security incidents

                • jimktrains2 2229 days ago
                  - arbitrary user, session and request IDs

                  - this can be done and then discard the address

                  - how so? What does knowing the address months later help? Something like fail2ban and other automated systems, sure, but long term logging?

              • chopin 2228 days ago
                If it doesn't have value, why store it then?
        • mcintyre1994 2229 days ago
          I just watched Wes Bos' Learn Redux course, which was sponsored by Sentry - and he had a little video showing their service. By default it logs the user's IP (or at least did when he recorded) on all events - any client-side error, any messages the developer raises to Sentry from the client side code, any feedback form powered by Sentry the developer uses. I'm sure you can turn it off, but I imagine that kind of thing is all over some companies.
          • geofft 2229 days ago
            My new favorite thing is libraries that track every mouse move you make, every scroll action, every key you type, etc., including things you pasted into a textbox by mistake, and send it back over a websocket or something to a third-party service so that the website's UX people later can see how real people interact with their website and optimize it. Google for "website mouse tracking" or "website session replay" to see a bunch of startups that do this (many of whom have ads at the top).

            I am incredibly excited for the GDPR to make these products too much of a regulatory burden to be worth considering.

            • FridgeSeal 2229 days ago
              They are like privacy-invading rent-seekers of the internet and I too will be pleased to see a lot of these trash companies go under.
  • cycop 2230 days ago
    This is basic cyber security stuff and I get these questions from customers almost daily. If you are going to be in the business of using peoples personal information then you need to be prepared to answer these questions.
    • kodablah 2229 days ago
      Even if you're not in that business you need to be prepared to answer these questions.
  • MarkMc 2229 days ago
    My business takes credit card payment information from users. But it doesn't store that information - it just forwards it to Stripe.

    So if a user asks me for details of all her personal information, do I have to go to Stripe and say, "Please give me the credit card information you have on Jenny Smith"? Or do I say to the user, "Please contact Stripe directly - your Stripe customer ID is cus_34534985798243"?

    • creature 2229 days ago
      Neither, in this case. Under the GDPR, you'd be expected to reply something like "As described in our privacy policy we use Stripe for processing payments. The data you enter on our checkout is transferred directly to Stripe, and is not stored by us." You're expected to make sure that third parties your company works with are GDPR compliant, but that's just a case of "ensure Stripe's privacy policy reads as GDPR compliant".
      • guitarbill 2229 days ago
        It also doesn't seem like a huge stretch for a GDPR-compliant 3rd party whose API you consume to add some GDPR-related API calls.

        (Payment processors are probably a bad example, as they already have boatloads of legal and contractual requirements to deal with. If they're at all reputable, the GDPR will impact them minimally. The flip side of this is ad tech, whose scummy business model is almost painfully incompatible with GDPR - at the moment.)

    • Silhouette 2229 days ago
      This is the sort of area where interpretation comes into play. Who is controlling and who is processing the different personal data involved there?

      Logically, your business controls the personal information about the identity of your customer, and a Stripe token associated with their card or the equivalent. You're also presumably processing that information at least for accounting purposes.

      It doesn't make much sense for your business to be considered the controller of the card data that never touches your network, so Stripe ought to be considered the controller in that case, and presumably they are also processing it and potentially passing it on to further parties within the relevant card network infrastructure in order to collect payments for you.

      Hopefully a regulator would agree that this is a sensible interpretation of the responsibilities. However, given the mechanics involved, where your customer might not be aware at all that they are even dealing with Stripe when they provide their payment details on your business's web site, this is the kind of area where some official confirmation would be reassuring.

  • filoleg 2229 days ago
    Simple question: if I just want to not make my business available to subjects that fall under GDPR regulation (so that I don't have to worry about it at all), would putting up a disclaimer that you have to accept before entering the website be enough? I was thinking about something similar to how many sites that deal with alcohol content, for example, make you confirm that you are 21 or older by clicking on a button before you get access to the website.

    Please, refrain from sidetracking to things like "well, you wouldn't worry about it if you built everything with GDPR in mind in the first place". That's not what I was asking.

    • piotrkaminski 2229 days ago
      I believe it should be sufficient to:

      - Incorporate your business outside the EU.

      - Have no offices in the EU.

      - Reside outside the EU.

      - Not visit the EU (?).

      - Not employ any EU residents.

      - Not target any advertisements about your business to EU countries.

      - Only offer your site in your local language and/or English.

      - Don't register your site in an EU TLD.

      At that point, as far as I can tell (and of course I'm not a lawyer), you have no EU presence and even the GDPR admits that it doesn't apply to you. Presumably these conditions apply to the vast majority of small businesses where dealing with random claims of extra-territorial jurisdiction is just a waste of time.

      This being HN, I'm sure somebody will be ecstatic to correct me if the above is wrong.

      • filoleg 2229 days ago
        I am sorry for the tone, but this is exactly the kind of answer I didn't need. I didn't ask "how to work around GDPR without complying to it". My question was "is putting a disclaimer and having to click and confirm that you aren't a EU citizen enough to guarantee me no trouble from EU?"
        • piotrkaminski 2229 days ago
          I guess my implicit answer was "I think so -- in fact, you probably don't even need to do that much". (Though you want to replace "EU citizen" with "EU resident".) And of course nothing will _guarantee_ no trouble.
    • isostatic 2229 days ago
      Any company can be asked about GDPR; you can ignore it, and on the whole jurisdiction isn't going to cross boundaries (the U.S. does believe its federal laws apply globally, but it's rare they enforce it).

      However should you ever do business or go to an eu country you may struggle.

      Just like if you insult the Thai King, then go to Bangkok on holiday, you may well get arrested. Or if your company is accused of breaking the dmca and then go to the u.s on holiday you get arrested.

      • filoleg 2229 days ago
        I understand your point, and I agree that this is what would probably happen if I just ignored it, but how would my service be breaking the rules, if it explicitly would state that it is not designed for citizens of EU and that if you click "yes", then you confirm that you are not a EU citizen? Wouldn't that be on the user for lying, in the same way it would be if an underage person visits an adult website and clicks a button that says "Confirm that I am 21+"?
        • isostatic 2229 days ago
          I would suspect the EU would find such a box irrelevant and would deal with you like the US dealt with David Carruthers or Peter Dicks.
    • ams6110 2229 days ago
      If you did that, in addition to geo-blocking (or redirecting to a page "Not available in your country") I would think (but don't know) that would be enough.

      Then a user would need to take active steps (VPN, etc.) to sidestep your clear intent to not provide service to him, which would probably create some sort of "circumventing security" offense on his part.

      • filoleg 2229 days ago
        Doesn't seem like geoblocking would make sense, since GDPR applies to any citizens of a country that is a EU member, not just the ones living in EU. Not arguing against your point here, but why would it be necessary to actually block the people, rather than just giving a warning, and if they accept, then it is on the user. Same as adult sites/liquor companies, their websites don't actually check your age, at the end of the day.
        • isostatic 2229 days ago
          If I, as an EU citizen, live in New York and have a loyalty card at Sal's Bagels on 45th street, who has taken my name as part of the process, Sal becomes subject to the GDPR, just like Sal is subject to Thai lèse majesté laws.

          The US wouldn't extradite him to the EU or Thailand if he didn't comply with these laws, but he'd have to be wary of traveling to either place, or doing business or storing assets.

          I wonder if the US will raise complaints under GATT and other WTO rules.

          Question for OP. If a u.s bar has a sign saying "no under 21s", and they serve a 16 year old, does that sign mean they avoid any responsibility?

        • TheCoelacanth 2226 days ago
          This is simply not true. GDPR applies to businesses targeting people located in the EU. Citizenship does not matter.
    • lagadu 2229 days ago
      That's not enough: as long as you're storing an EU citizen's data you're liable to GDPR, it's not something you can disclaim your way out of.

      That said, if you have no effective presence or business within the EEA then you're out of its reach.

  • robin_reala 2230 days ago
    This is all good, and consistent with GDPR’s attempt to reframe data as a liability rather than an asset. The first months and years are going to be painful, but eventually companies will adapt to the new normal.
    • jimnotgym 2229 days ago
      As a PCI compliant company I already treat data as a liability. So much data collection is unnecessary, or the result of defaults, like logs left on that nobody ever looks at.
  • jimnotgym 2229 days ago
    All those people who complied with the 1995 regulation and in the UK the subsequent 1998 Data Protection Act that passed it into law must be feeling a bit smug about this, as they will have this process in place already.

    The new General Data Protection Regulation is a welcome incremental update, which brings in much better methods of enforcement against the cross-border nature of large data processors. Facebook of course were not around in 1995.

    I also welcome the need for explicit plain language privacy terms. Any law that pushes out legalese must be welcome.

  • Skye 2230 days ago
    ...and how is wanting to know what a company has about you a bad thing? I'd be worried if a company cannot answer this, because that means they haven't got a handle on what data they store, which means that when they get hacked, they wouldn't know what got taken!

    EDIT: grammar (got -> get)

  • rstephenson2 2229 days ago
    One interesting part about this is that it's a letter, and the author never explicitly mentions that it was sent in an email. Assuming this letter arrives in the post one day, what do you do? Ask them to email you for verification? Send you one of their 2FA codes? What if your site doesn't have a login? Can they send you a screenshot of their IP address as verification?

    I get why the EU didn't want to overly specify the method, but it creates a lot of uncertainty about what processes are allowed/required. And with the pressure of gigantic fines on the line, it seems like GDPR opens up a significant vector for stealing other people's information via GDPR requests.
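One way to close the identity-verification gap raised above is to treat a postal request as a claim, not as proof: send a single-use, time-limited challenge to the contact address the account already has on file (never to the address written in the letter) and release the export only when that challenge comes back. The following is an added example, not the thread's or any regulator's prescribed procedure. The account store, the 24-hour validity window and the in-memory replay set are all assumptions for illustration:

```python
import base64
import hashlib
import hmac
import secrets

# Assumed policy values for this example.
CHALLENGE_TTL = 24 * 3600        # seconds a challenge stays valid
_redeemed_nonces = set()         # replay guard; a real deployment would persist this

# Constructed account store: the only contact detail that matters is the one already on file.
ACCOUNTS = {
    "u123": {"email": "jenny@example.com", "export": {"name": "Jenny Smith", "orders": 3}},
    "u456": {"email": "tom@example.net", "export": {"name": "Tom Jones", "orders": 0}},
}


def _sign(secret: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 over the challenge body, hex-encoded so it can never contain '|'."""
    return hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()


def issue_challenge(secret: bytes, account_id: str, now: int) -> str:
    """Token bound to one account and one expiry; the random nonce makes it single-use."""
    assert "|" not in account_id          # '|' is the field separator
    nonce = secrets.token_urlsafe(16)
    msg = f"{account_id}|{int(now) + CHALLENGE_TTL}|{nonce}".encode()
    return base64.urlsafe_b64encode(msg + b"|" + _sign(secret, msg)).decode()


def verify_challenge(secret: bytes, token: str, account_id: str, now: int) -> bool:
    """Accept only a correctly signed, unexpired, unused token for exactly this account."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        msg, mac = raw.rsplit(b"|", 1)
        acct, expires, nonce = msg.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return False
    if not hmac.compare_digest(mac, _sign(secret, msg)):
        return False
    if acct != account_id or int(now) > int(expires) or nonce in _redeemed_nonces:
        return False
    _redeemed_nonces.add(nonce)
    return True


def start_request(secret: bytes, claimed_account: str, reply_address_in_letter: str, now: int):
    """Step 1: ignore the address written in the letter; send the challenge to the contact on file."""
    account = ACCOUNTS.get(claimed_account)
    if account is None:
        return None
    return {"send_to": account["email"], "token": issue_challenge(secret, claimed_account, now)}


def release_export(secret: bytes, claimed_account: str, token: str, now: int):
    """Step 2: hand over the data only after the challenge has come back valid."""
    if not verify_challenge(secret, token, claimed_account, now):
        return None
    account = ACCOUNTS.get(claimed_account)
    return account["export"] if account else None
```

Someone who only knows a victim's name and postal address gets nothing from this flow: the challenge lands in the victim's inbox, the token is bound to the account and the clock, and a captured token cannot be replayed. For a site with no login at all, the same idea still applies to whatever contact channel the data was collected through.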

  • y0ghur7_xxx 2230 days ago
    Sorry, this is off topic, but I would really like to read the article but it asks me to create a linkedIn account to read it and I am not comfortable with that. Is that the only way to read it?
    • gls2ro 2229 days ago
      Here is a direct link to a website with this letter: https://constantk.wordpress.com/2017/06/30/the-nightmare-let...
    • jenscow 2229 days ago
      I found it ironic, this type of "article" being on LinkedIn - possibly the sleaziest site, after Facebook, in terms of personal data capture.
    • technion 2229 days ago
      I logged on to read this and got hit with a live chat from someone spruiking an ICO.

      I think this recent trend of using LinkedIn to post blogs really needs to be reconsidered.

    • robin_reala 2230 days ago
      I don’t have a LinkedIn account (and my email address is in their blacklist) yet I was able to read it OK?
      • y0ghur7_xxx 2230 days ago
        • drewmol 2229 days ago
          I was gonna ask the same, Linkedin's authwall seems more difficult to circumvent than the news paywalls I encounter. It would be unfortunate to have to create a dummy account. If I do, I'll send them a copy of this letter ;-)
      • xab9 2229 days ago
        Linkedin allows you to watch "some" content, but will show a loginwall later on. It's not cookie based afaik, I couldn't catch a sensible logic there.

        I'm on a job hunt cycle so I had to log in and use it in the past month many times and to me it's just as offensive and aggressive as Facebook nowadays. I avoid it like the plague if possible.

  • thinkingemote 2229 days ago
    How do you think Hacker News (this site) would react to such a letter, and what do you imagine a likely response would be?

    Would all a users comments be classed as personal data? Would just pointing at the website be enough to satisfy the request for a copy?

    • geocar 2229 days ago
      > How do you think Hacker News (this site) would react to such a letter, and what do you imagine a likely response would be?

      I suspect Hacker News would simply delete the user's information from the site and explain that they control no data on the subject.

      If they are clever they would include an invoice for £10 with that response.

      > Would all a users comments be classed as personal data?

      Probably not. A user name is probably not personal data. The name "John Smith" might not even be personal data. The ICO explains:

      By itself the name John Smith may not always be personal data because there are many individuals with that name.

      https://ico.org.uk/media/for-organisations/documents/1554/de...

      Even if the user posts a comment containing what is undeniably personal data, you still might not have to consider it personal data simply because Hacker News search sucks; Recital 26 says:

      To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

      > Would just pointing at the website be enough to satisfy the request for a copy?

      Yes, in fact recital 63 recommends "remote access" as a method:

      http://www.privacy-regulation.eu/en/recital-63-GDPR.htm

      • e12e 2229 days ago
        Most of this seems wildly wrong and naive.

        What hn probably should do is offer a "takeout" option and a "delete me" option on the account page. The former would export every comment and submission along with vote counts, links to upvoted comments/stories profile data etc. All in machine readable form (eg: s-expressions).

        The latter would delete profile along with data. Or, possibly, simply anonymize the posts.

        I'm not entirely clear on the GDPR vs publishing - i don't think it's meant as a tool for "book burning" - and I've yet to see an interpretation vis-a-vis public discourse. There certainly are laws governing public archives that override parts of the GDPR in certain contexts.

        So while hn would probably have an obligation to export all comments, I'm less clear if they'd have an obligation to delete, under the GDPR.

        If the ip is logged along with actions, that'd also be considered personal data, and fall under the GDPR.

        • geocar 2229 days ago
          > What hn probably should do ...

          The reason I think Hacker News would simply delete it has nothing to do with the GDPR, but because they seem to have responded to requests to delete an account and comments in the past:

          * https://news.ycombinator.com/item?id=2493474

          > i don't think it's meant as a tool for "book burning"

          I think you've confused my statement of "I suspect Hacker News would..." to be a legal/professional opinion about what Hacker News should do, or would be compelled to do so under the GDPR.

          That wasn't my intention.

          > If the ip is logged along with actions, that'd also be considered personal data, and fall under the GDPR.

          The ICO disagrees.

          https://ico.org.uk/media/for-organisations/documents/1591/pe...

          "A single household PC may have different family members using it under the same login identity. As a result, the IP address and cookies cannot be connected to a single user. Therefore it is unlikely that this information will be personal data."

          That it may be personal data does not mean that it is personal data, nor are you under an express obligation to attempt to unmask anyone that you might have the ability to do so.

          There is a risk/reward concept in the GDPR however. There are reasons that are useful to users to keep their IP addresses in a database, and there are risks with keeping their IP addresses in a database. This is why the ICO also recommends you blank out the last octet of the IP address.

          • tzs 2229 days ago
            > There are reasons that are useful to users to keep their IP addresses in a database, and there are risks with keeping their IP addresses in a database. This is why the ICO also recommends you blank out the last octet of the IP address.

            Note: If you are going to use that IP address for determining location (which is common when dealing with the EU, because that is one of the things the EU considers acceptable evidence to justify your choice of which country's VAT to collect for an online sale), do the location lookup before blanking the last octet.

            I had hoped that the first 24 would be sufficient to determine country, but that is not the case. For example, here are current results from MaxMind's GeoIP service:

              5.62.58.243 US
              5.62.58.244 US
              5.62.58.245 DE
              5.62.58.246 DE
              5.62.58.247 DE
              5.62.58.248 US
              5.62.58.249 US
              5.62.58.250 US
            
            A couple weeks ago, BTW, 5.62.58.244 was identified as DE. This suggests that it might be a good idea to keep the full IP address around at least until you file your quarterly VAT MOSS documents, so that you can do another lookup then and possibly get a more clear picture of who you owe VAT to for the sale.

            PS: I have no relationship with whoever owns those IP addresses, as far as I know. A few weeks ago I did GeoIP lookups on all 4 billion IPv4 addresses to find all the ranges of US IP addresses (there were 22029 ranges) as part of optimizing a filter that is supposed to reject non-US traffic from certain reports. To get an example for this comment I looked through those ranges looking for one where there were two different US ranges overlapping the same /24, and 5.62.58.0/24 was the first one I noticed.

            • gruez 2229 days ago
              Those IP addresses belong to the same AS, have the same announcement[1], and have very similar traceroute outputs (both have final hops around miami). The only thing different is their reverse DNS, which I think is throwing maxmind's algorithms off.

              [1] https://bgp.he.net/net/5.62.58.0/23
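The ordering point above (resolve the country from the full address, then blank the last octet) is easy to get wrong in a pipeline where the masking happens at the log collector and the VAT lookup happens later. The following is an added example, not code from the thread or from MaxMind. The prefix table is constructed to reproduce the shape of the results quoted above (a /24 that is mostly one country with a few addresses assigned elsewhere) and is not real GeoIP data; the lookup is a plain longest-prefix match, which is how such databases resolve an address:

```python
import ipaddress

# Constructed prefix table, modelled on the pattern in the results quoted above. Not real GeoIP data.
GEO_TABLE = [
    ("5.62.58.0/24", "US"),
    ("5.62.58.245/32", "DE"),
    ("5.62.58.246/31", "DE"),
    ("2001:db8::/32", "NL"),
    ("2001:db8:1234::/48", "FR"),
]
# Longest prefix first, so the first hit is the most specific entry.
_GEO = sorted(((ipaddress.ip_network(p), cc) for p, cc in GEO_TABLE),
              key=lambda e: e[0].prefixlen, reverse=True)


def lookup_country(ip: str):
    """Longest-prefix match over the table; None if no entry covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _GEO:
        if net.version == addr.version and addr in net:
            return cc
    return None


def _block(ip: str):
    """The /24 (IPv4) or /48 (IPv6) that the address collapses into once masked."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{ip}/{24 if addr.version == 4 else 48}", strict=False)


def mask_ip(ip: str) -> str:
    """Blank the last octet (IPv4) or everything past the /48 (IPv6)."""
    return str(_block(ip).network_address)


def countries_in_masked(ip: str) -> set:
    """Every country the table assigns somewhere inside the block a masked address stands for."""
    block = _block(ip)
    return {cc for net, cc in _GEO
            if net.version == block.version and (net.subnet_of(block) or block.subnet_of(net))}


def vat_record(ip: str, amount_eur: float) -> dict:
    """Right order: resolve the country from the full address, then store only the masked one."""
    return {"country": lookup_country(ip), "ip": mask_ip(ip), "amount_eur": amount_eur}


def vat_record_wrong_order(ip: str, amount_eur: float) -> dict:
    """Masking first: the lookup sees the network address and can return the wrong country."""
    masked = mask_ip(ip)
    return {"country": lookup_country(masked), "ip": masked, "amount_eur": amount_eur}
```

countries_in_masked shows what is lost: once the address has been reduced to 5.62.58.0, the table can only say "US or DE", which is exactly the ambiguity the quoted MaxMind results describe. Whatever full-address retention you decide on for the re-lookup before filing has to be written down as a retention period with a purge, not left as an indefinite copy of the raw log.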

          • e12e 2229 days ago
            It seems the ico is at odds with the EU here:

            https://www.whitecase.com/publications/alert/court-confirms-...

            They also seem to be at odds with the GDPR:

            https://gdpr-info.eu/art-4-gdpr/ "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"

            So yeah, a single IP in isolation might not trace back to a single individual - but with a timestamp and billing info it might track to a residence - with other data (eg: age, occupation) it certainly will trace back to an individual.

            I'm surprised at the ico's interpretation / statement on this.

            > > i don't think it's meant as a tool for "book burning"

            > I think you've confused my statement of "I suspect Hacker News would..." to be a legal/professional opinion about what Hacker News should do, or would be compelled to do so under the GDPR.

            Indeed, that wasn't meant as a direct reply to you, more as a general comment on the GDPR.

            There's a provision on right to be forgotten, and it'll be interesting to see that vis-a-vis a public interest in keeping an open archive of public discourse.

            See 3a)

            https://gdpr-info.eu/art-17-gdpr/

            > The reason I think Hacker News would simply delete it has nothing to do with the GDPR, but because they seem to have responded to requests to delete an account and comments in the past:

            True. I don't think that'll be enough to comply with the GDPR. Just as storing child pornography in bulk, isn't ok if you remove individual pictures on request.

            • geocar 2229 days ago
              > It seems the ico is at odds with the EU here:

              No, just keep reading on:

              On appeal, the Regional Court of Berlin (the "Kammergericht") ruled that IP addresses in the hands of website operators could qualify as personal data if the relevant individual provides additional details to the website operator (e.g., name, email address, etc.) in the course of using the website

              That's basically the same thing as the John Smith example: There's a threshold when you have personally identifying information, and whilst it can certainly include an IP address in some circumstances, there are enough other valid uses for the IP (fraud, VAT, etc) and enough uncertainty (NAT, multiuser computers, etc) that it by itself isn't PII.

              > There's a provision on right to be forgotten, and it'll be interesting to see that vis-a-vis a public interest in keeping an open archive of public discourse.

              Yes. I don't think it's clear what Internet forums are required to do.

              The ICO has some pretty good guidance here:

              https://ico.org.uk/for-organisations/guide-to-the-general-da...

              and the ICO has previously weighed in on how they interpret erasure:

              https://ico.org.uk/media/for-organisations/documents/1475/de...

              so a flag to hide all the comments of a user who has chosen to be forgotten should be sufficient.

              However, if a site wants to refuse the order, they may be successful if they can argue the comments are in the public interest, but if I were a company that wanted to refuse a person's rights in this way, I would call the ICO to get clarity.

              > I don't think that'll be enough to comply with the GDPR.

              If someone contacts the data controller (e.g. pg) and asks to have their data removed (or flagged hidden or whatever), and pg does it, why don't you think that would be compliant?

      • will4274 2229 days ago
        > I suspect Hacker News would simply delete the user's information from the site and explain that they control no data on the subject.

        No, that would be illegal. Hacker News can set itself up so that it doesn't keep user data longer than 30 days, and then it can just always say it has no data, but, excluding that, you can't respond to an export request by deleting the user's data and then telling them you have no data - that violates the user's right to see what data you have on them.

        • geocar 2229 days ago
          I don't know if that's right.

          I don't think there's a requirement that HN has to keep personal data that they don't need, and FYI the Hacker News privacy policy they publish[1] argues they don't have to do it if they don't want to:

          You agree that any termination of your access to the Site under any provision of this Terms of Use may be effected without prior notice, and acknowledge and agree that Y Combinator may (but has no obligation to) immediately deactivate or delete your account and all related information and files in your account and/or bar any further access to such files or the Site.

          so we're really out on a limb here anyway. But let's assume that HN is GDPR compliant, and say that they delete all personal data after 10 years and on request, etc... Are they then required to keep that data for ten years?

          My guess is not. The ICO suggests[2] repeatedly that you not keep data any longer than is necessary, and that you repeatedly review whether it is necessary.

          The ICO also says[3]:

          However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it would be reasonable for you to supply information you hold when you send out a response, even if this is different to that held when you received the request

          which makes it sound like it's acceptable, except:

          it is not acceptable to amend or delete the data if you would not otherwise have done so.

          which then suggests that HN only needs to have a policy that they delete personal data whenever it is identified for export. If I were HN, and I actually wanted to do this (however), I would probably call the ICO to confirm.

          [1]: http://www.ycombinator.com/legal/

          [2]: https://ico.org.uk/for-organisations/guide-to-data-protectio...

          [3]: https://ico.org.uk/for-organisations/guide-to-data-protectio...

          • will4274 2228 days ago
            The text calls out "routine use" - this clause is to permit, e.g. the last access date on the account to be the date of access to the GDPR export request portal (deleting the prior value).

            The point of GDPR is to force companies to explain the data they retain and show it to users on request. Setting up a scheme where data is retained but is never available to users for export is a great example of acting in "bad faith" that is likely to increase the possibility that a judge will make an example out of you.

  • janemanos 2230 days ago
    It will cost companies so much money and time to be compliant with GDPR. Maybe even become a neck-breaker for some young startups
    • qw 2229 days ago
      The final law was finalised in 2016 and was expected since at least 3-4 years ago when the agreement was made in the EU parliament.

      Startups: It costs money to develop the systems to process personal data in the first place. I don't see any unreasonable restrictions in GDPR. If new startups plan for GDPR while developing the systems it should not add too much costs. It is basically about managing data responsibly and documenting how you utilise that data.

      Established companies: I don't have much sympathy for existing companies. They have exploited the slow reaction time of the legal system to make money in an unregulated market. This has happened to other industries as well, such as the tobacco industry who had to adjust to anti-smoking laws when the politicians could no longer ignore the negative effects.

      • Silhouette 2229 days ago
        I don't have much sympathy for existing companies. They have exploited the slow reaction time of the legal system to make money in an unregulated market.

        Some commenters in these discussions write as if all businesses deserve the GDPR and all its attendant overheads as some sort of punishment for assumed past transgressions. And yet I work with small businesses, and so unsurprisingly I also know many other people who do, and not one of those businesses operates with any sort of data-hoarding, privacy-invading model, nor would any of us ever want to.

        All that attitude teaches the next generation of startups is that they'll be penalised whether they try to act ethically and responsibly or not, so they might as well do the questionable things and make more money anyway. Surely that is exactly the opposite of what should be happening?

        • qw 2229 days ago
          GDPR has been known for 3-4 years and was finalised in 2016. They should have had 2-3 years to go through their systems. If a business can't do that, it indicates that they don't have control of the information in the first place. Most of the regulation is about adding routines, documenting the data management and updating user consents. Smaller companies can skip some of the documentation.

          The only major requirement that can not be fixed by documentation or updating user consent is the requirement to not store data more than necessary, which depends on your business. If you need to store data for a longer time period than absolutely required, you need to either anonymise it or delete it. If you run a business and need to store purchase histories to meet other legal requirements, you have a valid reason to store it. If you use it to track which purchases a specific user has done to optimise targeted advertisement you will probably have to anonymise it.

          This can of course be a complex task, but I don't think it is a good argument against GDPR. Why should I lose control of my personal information just because it costs money to process it responsibly? At some point a regulation has to be implemented and some companies will unfortunately be impacted even if their intentions were good.

          • Silhouette 2229 days ago
            GDPR has been known for 3-4 years and was finalised in 2016. They should have had 2-3 years to go through their systems.

            Was it posted in their local planning department in Alpha Centauri as well? Because to most people running microbusinesses -- which is most businesses, remember -- it might as well have been.

            If a business can't do that, it indicates that they don't have control of the information in the first place.

            Not at all. It's quite possible that an organisation has been reasonable and responsible about handling personal data and its staff know exactly what it's doing and why, but that the formal documentation and automated processes referred to throughout today's discussion aren't in place because they have never been necessary before.

            Why should I lose control of my personal information just because it costs money to process it responsibly?

            The trouble is that different people will have different interpretations of "responsibly". For example, I'm not sure it's irresponsible to have been storing and processing data for legitimate purposes and entirely with the subject's informed consent for years, and also to be concerned about the cost of updating or replacing all of those systems because the subject is now being given a retrospective right to withdraw that consent that they didn't have before. While this might be considered desirable in terms of reining in data hoarders like Facebook or Google, it also imposes burdens on organisations with different models and lower risks to data subjects. Some sort of balance is needed between these competing priorities.

            At some point a regulation has to be implemented and some companies will unfortunately be impacted even if their intentions were good.

            Right, but this is exactly why both unambiguous rules and proportionality are important.

      • Erlangolem 2229 days ago
        When you move fast and break things, sometimes what ends up broken is you. That’s probably a lesson which needs to be painfully re-learned by some. As you said, too many have been outrunning real consequences for a while, but that’s not some inherent right, it’s a con.

        If personal info is worth what a lot of companies seem to think it's worth, then governments have been downright negligent in their lack of regulation. Playing fast and loose with people's identities should never have been acceptable, and complaining that the first wave of consumer protections is anti-business mostly tells you what kinds of businesses we're dealing with.

    • edent 2230 days ago
      Good. Perhaps there will be fewer reckless start-ups who sell on my personal details without permission.
      • jl6 2230 days ago
        Your insurance will cost more because implementing GDPR is costing insurance companies a lot of money.
        • analog31 2230 days ago
          Did my insurance costs go down when companies started gathering and storing my personal information? I figure, if this stuff starts costing them more than a token amount, they can direct their IT manager to systematically erase the personal information that isn't utterly vital to their immediate business needs.
          • jl6 2229 days ago
            One example of the increased costs due to GDPR are that data subject access requests are now free to make. In the UK they used to cost £10. A small amount which never really covered the cost of fulfilling the request, but enough to deter frivolous mass use.

            Now that such requests are free, there is no deterrent and companies must introduce a scalable process for dealing with them (or risk being swamped and unable to meet the 30 day deadline).

            This will actually be easier for companies like Google and Facebook to comply with, as they are digital natives.

            Financial services is an industry struggling with a burden of legacy systems, and even paper-based processes still. This one GDPR provision alone is causing much expense and heartache.

            • lagadu 2229 days ago
              > Financial services is an industry struggling with a burden of legacy systems, and even paper-based processes still. This one GDPR provision alone is causing much expense and heartache.

              That's a good thing. If it's causing much expense and heartache it means that our private data wasn't being handled with the necessary care and attention to value that it needed to be.

        • geocar 2230 days ago
          I hope so.

          If they were putting my data at risk because they didn't have enough money, then this was required, right?

          • jenscow 2229 days ago
            Yes, exactly.

            "Unfortunately we have to increase prices, because we now have to be careful with your personal data"

        • peteretep 2230 days ago
          I am comfortable with this.
          • janemanos 2229 days ago
            Well, the cost for GDPR won't be that high, if the EU would have thought this through. Talked to a few of the GDPR "Consultants" and as soon as people have some more in-depth questions how A or B can be handled, you just get a surprised look. I'm all for better protecting my information but if you introduce these regulations you, as the regulator, also have to have answers to basic questions.
            • jimnotgym 2229 days ago
              > Talked to a few of the GDPR "Consultants" and as soon as people have some more in-depth questions how A or B can be handled, you just get a surprised look. I'm all for better protecting my information but if you introduce these regulations you, as the regulator, also have to have answers to basic questions.

              Talk to better consultants. Consultants are not the regulator. The regulation itself is in plain language. What do you consider is not thought through?

              • amarkov 2229 days ago
                I must delete personal data "without undue delay". This opens up a few questions, which as far as I can tell the text of the regulation provides no guidance for.

                * I (like most companies) have a variety of unstructured and/or immutable logs. I can't just DELETE FROM table WHERE. Is it acceptable to delete this data by waiting a few days for a retention period to expire, or do I have to retrofit deletion functionality in?

                * What if the retention period is a week, or a month? What if I've been advised to establish those longer retention periods for other reasons?

                * If a bug is found in the data deletion workflow, is it an undue delay to say we'll tackle it next sprint? Do we need to drop everything and make it a priority now?

                * Once we've resolved a personal data deletion bug, is it an undue delay to roll it out slowly over a week? Does it matter if this is our standard rollout process, or if there's a risky hotfix process we're deliberately choosing not to use?

                • stravid 2229 days ago
                  > * I (like most companies) have a variety of unstructured and/or immutable logs. I can't just DROP FROM table WHERE. Is it acceptable to delete this data by waiting a few days for a retention period to expire, or do I have to retrofit deletion functionality in?

                  In order to be allowed to store PII (even if it's in logs) you need a specific purpose. Why do you put PII in logs? What benefit does the user have?

                  > * What if the retention period is a week, or a month? What if I've been advised to establish those longer retention periods for other reasons?

                  If there is a legal requirement to keep PII (for example accounting) you can/must keep it as long as the legal requirement demands. If there is no legal requirement you have to delete PII, there is nothing that trumps that.

                  > * If a bug is found in the data deletion workflow, is it an undue delay to say we'll tackle it next sprint? Do we need to drop everything and make it a priority now?

                  If your next sprint starts 1 month down the road the regulator won't be happy. If it's next week and your GDPR doesn't have other gaping holes a reasonable regulator won't bat an eye.

                  > * Once we've resolved a personal data deletion bug, is it an undue delay to roll it out slowly over a week? Does it matter if this is our standard rollout process, or if there's a risky hotfix process we're deliberately choosing not to use?

                  Are you playing for time or doing responsible software development? If a regulator thinks you are bending the rules good luck, otherwise nobody will demand of you doing dangerous stuff.

                  I know, there are a lot of things open to interpretation. But as my lawyer told me: "There are people getting a speeding ticket for 5 above the limit and others who don't. Try to stick to the limit and make sure you are seen as one of the second category."

                  • amarkov 2229 days ago
                    Under the terms of the GDPR, user benefit is not required. I can log any PII I'd like as long as the user's given consent for it to sit in that log, or for it to be used in some process that reads from that log.

                    I probably would want to impose stricter rules on myself for the sake of avoiding regulators. But that's part of the problem. It doesn't seem possible to comply with GDPR as such without an army of consultants to guide you; what you have to do instead is invent a stricter regulation and follow that one instead.

                    > If a regulator thinks you are bending the rules good luck

                    That's the other part of the problem. A healthy regulatory system needs some way to say "well, you think I'm bending the rules, but I'm actually compliant in this complex way you hadn't considered". If a GDPR regulator just doesn't know much about software development, and thinks that any rollout-induced delay is undue, how do I argue against that?

                    • stravid 2229 days ago
                      > Under the terms of the GDPR, user benefit is not required. I can log any PII I'd like as long as the user's given consent for it to sit in that log, or for it to be used in some process that reads from that log.

                      Read my comment again, it does not say a user benefit is required. What it says is that you need a specific purpose for processing PII. A user can only give you consent for a specific purpose. What is the purpose that results in his PII ending up in an immutable log file? Asking for general consent without a specific purpose does not work with GDPR.

                      > That's the other part of the problem. A healthy regulatory system needs some way to say "well, you think I'm bending the rules, but I'm actually compliant in this complex way you hadn't considered". If a GDPR regulator just doesn't know much about software development, and thinks that any rollout-induced delay is undue, how do I argue against that?

                      If you feel you are being treated unfairly you will probably argue through your lawyer. As a technical person I would love it if the GDPR is black and white. It would allow me to know if I comply or not but real life is hardly black and white. So instead of being upset with things I can't change I will just do my best to comply.

                      PS: I don't understand the downvote.

                      • amarkov 2229 days ago
                        I also don't understand the downvote.

                        I need a specific purpose for processing PII, but that doesn't mean that I need a specific purpose for each individual place that PII ends up going. If my web server or database end up incidentally capturing the data in transit, that's not a violation, any more than it's a violation if I copy the data onto more sheets of paper than are strictly necessary.

                        • stravid 2229 days ago
                          You are right and in that case you should also have a process in place to delete the PII from the additional sheets of paper. I'm inclined to keep PII out of logs in the first place but am unsure how to proceed. Either just don't log any data / parameters or implement some kind of whitelist like you would with passwords and other secrets.
                • vidarh 2229 days ago
                  For logs, I'll suggest you aim to avoid personal data in the logs, and if necessary only log an anonymous id and separately keep a mapping to a user for the bare minimum amount of time needed, and in a way that lets you explicitly delete it easily.

                  A lot of the "problems" of the GDPR go away if you minimize the amount of personal data you process and retain, which incidentally generally will be good for your security as well.

                  • amarkov 2229 days ago
                    A lot of the problems of the GDPR do indeed go away if you're building your systems from scratch, using data privacy standards significantly beyond what GDPR mandates.

                    Surely you see why this doesn't weaken the claim that it's hard for existing companies to understand what must be done to comply.

                    • vidarh 2229 days ago
                      No, I don't, because the point is that by applying principles that are good to follow anyway, you reduce your exposure to a point where you don't really need to worry about what needs to be done to comply. At the same time you're improving security etc. as well (including internal security; e.g. I've deployed approaches like that at clients whose original intent was to prevent employees from accessing data they shouldn't, and where simplifying following data protection regulation was simply gravy)
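                  The two suggestions in this subthread (stravid's allowlist of what may be logged at all, and vidarh's anonymous id in the log with the id-to-user mapping held separately so it can be deleted) fit together in one small piece of code. This is an added example, not code from either commenter or from any real logging library; the field names, the SubjectMap class and the sample events are all made up for it.

```python
import json
import secrets

# Fields allowed to reach the log file at all. Everything else in an event
# (email, client ip, raw headers, ...) is dropped, the same way one would
# allowlist rather than try to blacklist secrets.
ALLOWED_FIELDS = ("event", "path", "status")


class SubjectMap:
    """The only link between a real user id and the token written to logs.
    Kept apart from the log store, with its own short retention; forget()
    makes every past log line for that user unlinkable without touching
    the (possibly immutable) log itself."""

    def __init__(self):
        self._to_token = {}
        self._to_user = {}

    def token_for(self, user_id):
        token = self._to_token.get(user_id)
        if token is None:
            # Random, not derived from the id: nothing in the log can be
            # brute-forced back to a user once this mapping is gone.
            token = secrets.token_hex(8)
            self._to_token[user_id] = token
            self._to_user[token] = user_id
        return token

    def user_for(self, token):
        return self._to_user.get(token)

    def forget(self, user_id):
        token = self._to_token.pop(user_id, None)
        if token is not None:
            del self._to_user[token]


def render_log_line(event, subjects):
    """Turn a raw event dict into a JSON log line with no direct identifier:
    user_id becomes a token, the query string is cut from the path (it often
    carries tokens or search terms), and non-allowlisted fields are dropped."""
    out = {}
    if "user_id" in event:
        out["subject"] = subjects.token_for(str(event["user_id"]))
    for key in ALLOWED_FIELDS:
        if key in event:
            value = event[key]
            if key == "path" and isinstance(value, str):
                value = value.split("?", 1)[0]
            out[key] = value
    return json.dumps(out, sort_keys=True)


def parse_log_line(line):
    return json.loads(line)


def lookup_user(line, subjects):
    """Support or incident query: which user does this line refer to?
    Returns None once the mapping has been deleted."""
    return subjects.user_for(parse_log_line(line).get("subject", ""))


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    {"event": "login", "user_id": 42, "email": "alice@example.com",
     "ip": "198.51.100.7", "path": "/login", "status": 200},
    {"event": "export", "user_id": 42,
     "path": "/account/export?token=s3cret", "status": 200},
]

if __name__ == "__main__":
    subjects = SubjectMap()
    for ev in SAMPLE_EVENTS:
        line = render_log_line(ev, subjects)
        print(line, "->", lookup_user(line, subjects))
    subjects.forget("42")
    print("after forget:", lookup_user(line, subjects))
```

                  The point of the split is the deletion story from amarkov's first question: the log lines themselves never need to be rewritten, because an erasure request is served by deleting one entry from the mapping, which can live in an ordinary mutable store with its own retention period.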
            • peteretep 2229 days ago
              I am currently elbow deep in a complicated GDPR project, and I disagree with your take on it.
    • FridgeSeal 2229 days ago
      I think you're viewing this as a blocker not an opportunity: if you're a startup now, why wouldn't you be building your tech with GDPR in mind?

      Doing so makes it super easy to comply with from the get-go and puts you ahead of incumbent players and their inertia and legacy systems.

      You're going to have to do this at some point, may as well do it early and give yourself an advantage?

  • amelius 2229 days ago
    How do you reply safely to such a data request? I mean, this could have been written by an impersonator. And even if you can verify the identity, you still need to send sensitive information somehow.
  • llao 2230 days ago
    That looks excellent. Handling personal data is something that services should prefer not to do and if requests like this are a "nightmare" then hopefully the web will become a better place again.
  • matte_black 2229 days ago
    Is it possible to conduct some kind of denial of service legal attack against an unprepared business through the use of GDPR letters?
    • Sylos 2229 days ago
      The GDPR does have provisions against this in place. Something along the lines of you first of all being allowed to take more time to respond, if the requests are complex and numerous, to ask for a small fee then as well and in extreme cases, you can also report such abuse to authorities.

      And at the end of the day, you'll have to get sued for taking too long to respond, at which point a judge will investigate and can then tell that those requests were not legitimate.

    • IAmEveryone 2229 days ago
      No.

      Long answer: people actually tried to do it to Facebook, Google, etc. As a response, they each started offering self-service tools to download your data.

      • xab9 2229 days ago
        First you have to implement a download data function. I might be pessimistic, but with many sites requiring a login still on http and with the wondrous amount of bugs in web apps this may not be as easy as it sounds. But then: let them burn.
    • s17tnet 2229 days ago
      Probably yes but IANAL.
  • trothamel 2229 days ago
    I wonder if the end result of all of this is going to be an increase in the construction of data centers close enough to the EU to serve it properly, but outside its jurisdiction entirely. In Africa, for example, or perhaps a post-Brexit UK.

    It seems that being close to Europeans without being subject to EU law is going to be a big advantage going forwards.

    • kuschku 2229 days ago
      The GDPR specifically has a clause for those cases, it applies also extraterritorially, and will be enforced, if necessary, by seizing your funds via the SWIFT interbanking system.

      That's a very bad idea

    • jimnotgym 2229 days ago
      The UK has adopted GDPR and will sign it into UK law in April. The UK is bound by it even after Brexit. If they chose to repeal it then it could put its firms at a competitive disadvantage with European customers
    • e12e 2229 days ago
      It might get tricky if you're planning on making money; at some point it seems likely credit card companies would be asked to stop funnelling money to "offshore criminal enterprises".
  • red_admiral 2229 days ago
    Have I Been Pwned is going to hit 5 billion breached accounts any day now. If the GDPR pushes back against this kind of thing, all the better.

    If the GDPR makes it harder to found a startup for the sole purpose of collating and monetizing people's personal data, I'm not too upset either.

    If a company suffers a data breach and can not answer to all of point 7. in the linked page, I'll leave it to the lawyers whether this is negligence but I'm inclined towards "yes" myself.

    The moment you want to process any credit card data, you're already bound by regulations with teeth: the PCI-DSS. That's why in several recent data breaches one of the first things you read on the breach notification was "no payment card data was affected", suggesting that it's less important to the company if they lost "only" personal data. Bring on the GDPR.

  • donttrack 2230 days ago
    How does the GDPR apply to governments storing data? Could I send a letter to the tax authorities and ask them to delete my data?
    • kenbaylor 2230 days ago
      You can ask, but the recipient company does not have to comply. The tax authorities have a legal obligation to keep the data, and they will. Reference: https://ico.org.uk/for-organisations/guide-to-the-general-da...
    • occamrazor 2230 days ago
      No, and you cannot either ask a company to delete data which must be retained according to the law. However you can ask for a copy of all their data about you, with very limited exceptions (national security, active investigations, etc.)
    • e12e 2229 days ago
      GDPR most certainly applies to institutions like the tax authority. As others have noted, they are required by law to keep some data/records.

      But that doesn't mean you don't get to see all that data, can ask for corrections, or ask for deletions in the case where they store data they cannot justify.

      How this applies (what difference it makes) will vary from institution to institution.

    • ferongr 2230 days ago
      Obviously the state is exempt from such nonsense.
      • detaro 2230 days ago
        There are exceptions for some purposes, and I won't be surprised if governments try to stretch those as far as they can, but in general GDPR applies to governments as well.
        • dominotw 2230 days ago
          What about NSA can I ask them what data they have on me?
          • number6 2230 days ago
            They will tell you, that they are not subject to EU Law.

            If you ask an EU equivalent they will just tell you that they don't have any data. Or that they might have but can't disclose it because of security concerns.

            • PaulKeeble 2229 days ago
              Actually if it's data held on an EU national they are required to divulge it or be in breach of this. They don't get to dodge it just because they are in the USA, the law applies to any organisation storing data about an EU national.
              • Bizarro 2229 days ago
                Actually if it's data held on an EU national they are required to divulge it or be in breach of this.

                You people can keep on saying that this law pertains to any entity/organization that has any info on any EU citizen, but we know this is untrue. The rest of the world knows that the EU doesn't have this authority, so I don't know why you people keep on parroting this line.

                Let's get something else straight. We know there's political motives behind this law that are orthogonal to "we care about privacy", and other governments know this as well, and will respond to the EU in kind if need be.

                • number6 2229 days ago
                  This. If you don't have a location in the EU the court can't send you any orders to comply with. This is how Facebook dodged German privacy law. The only reason why Facebook had to answer an EU court was their settlement in Ireland which they had for taxation reasons.

                  The EU wants to implement something like a virtual settlement for businesses to extend their reach. Arguing that if you make profit in the EU then you have a settlement there. But as long as your country isn't willing to help the EU getting you there is nothing to fear.

                  At least I don't see what they could do. Ban your product... yes... But more than that?

              • dominotw 2229 days ago
                > Actually if its data held on a EU national they are required to divulge it or be in breach of this.

                Oh yea I was asking exactly this. How does EU national verify what NSA tells them. There is no way for them.

      • number6 2230 days ago
        This is not true.
  • unicornporn 2230 days ago
    Most of this information could be made accessible to the end user via a personal dashboard and knowledge base.

    GDPR will have broad implications. If you're not designing your services to be compliant there will be consequences.

  • unicornporn 2230 days ago
    Most of this information could be made accessible to the end user via a dashboard and knowledge base.

    GDPR will have broad implications. If you are not designing your services to be compliant right now, there will be consequences.

  • fogzen 2229 days ago
    I’m surprised nobody has mentioned that being forced to provide personal data on request does not in any way reduce the risk of personal data being misused.

    What’s the damage consumers are being protected from, exactly?

    • wsxcde 2229 days ago
      Being forced to comply with GDPR forces companies to keep track of data, limit usage, add data expiration policies -- all of this makes compliance easier and definitely improves security.

      A well-known researcher once joked to me that programmers are associated with a company for a few years, programs live only for a few more years, but data lives forever.

      • fogzen 2229 days ago
        > and definitely improves security.

        How? What procedure improves security?

        Right now, people I don't know at various companies have access to databases with my personal information. Those same people will still have the same access and opportunity to misuse my personal information, but under GDPR I can know what personal information is stored. I could also demand it be deleted, but that doesn't apply to data that's already been shared or under control of other parties.

        • lagadu 2229 days ago
          GDPR is far wider than that; you're just looking at it from the end user perspective because GDPR isn't just allowing the user to enquire about their data.

          For a company to be GDPR compliant they also have to satisfy the regulators and that includes limiting access to data to only those that need it, knowing who those people are and putting measures in place in case of a breach.

    • kbenson 2229 days ago
      Accurate knowledge of risk exposure allows consumers to adjust practices and plan accordingly.

      It may also incentivize companies to play more carefully with the data, since they have to explain what they have done with it.

      • fogzen 2229 days ago
        I don't see how GDPR changes the knowledge of risk exposure. Before GDPR I know that when I give companies my personal information it is at risk. After GDPR the situation is the same.
        • kbenson 2229 days ago
          This assumes you know all the personal data they have about you beforehand. Also, you seem to be implying that there is no benefit to knowing how risky companies are being with the data they do have.

          If your data is stored in certain jurisdictions that have different laws than you expected, that could increase the risk that your data might be accessed in ways you assumed illegal (different countries have different rules).

          For a very simple example, LiveJournal is now owned and operated entirely out of Russia. It didn't start that way. A GDPR request would presumably let you know that your data was on servers in Russia, or that the company in question did not feel the need to answer your request, in which case at least you would know that your local laws did not apply to it. In my eyes, both are very useful pieces of information that tell you more about the risk of that data being accessed in a way you thought it would not be, beyond what you might assume of an EU company that you gave personal information to.

          • fogzen 2228 days ago
            Knowing where my data is stored is hardly a consumer protection.

            Whether data is hosted in Russia or the EU it's at risk of being stolen, exposed, and misused, and the liability companies have for that has not changed (there is no liability).

            • kbenson 2228 days ago
              > Whether data is hosted in Russia or the EU it’s at risk of being stolen, exposed, and misused and the liability companies have for that has not changed (there is no liability)

              So your contention is that the same risk exists no matter the storage location?

              Bad things can happen anywhere. I submit that certain locations are more prone to certain situations. Knowing your information is being stored in a certain location at a minimum gives you the opportunity to deny additional information from yourself (stop using the service).

              Since this discussion has regressed to the point where you're essentially arguing that additional information has no utility, and I fundamentally disagree with that point, I'm not sure the point of continuing. We're just repeating our points with different examples.

  • a3n 2229 days ago
    Companies make millions and billions off data naively or knowingly given up for free. So, I weep. /s

    And if this becomes more than the odd request, build it into your processes. If you can identify me "as me" to your advertisers and other data customers, you can certainly do that for me.

    Or just do what other businesses do: pay off a few legislators to change the law, or a lobbying firm or association. If you have the money, pay to make this a patriotic move. That's how democracy works. /s

  • MarkMc 2229 days ago
    I would be willing to pay $10 to see the advice of a lawyer about how to respond to each question in the letter. Is this something that could be crowd-funded?

    Edit: Why are people downvoting this?

  • av501 2229 days ago
    Just because you are small does not mean not doing the right thing is something you should get away with. I see a lot of comments about how doing the right thing can be a burden. However, I see it the other way. Not doing the right thing is a burden you have to carry with you every day. GDPR is helping you with guidelines on how to shed that burden. I do not know how and won't imagine it is easy, but I wish something in our existing socio-economic systems would slowly edge towards making 'doing the right thing' a significant variable that everyone has to care about for their own wellbeing and prosperity.
  • mmaunder 2229 days ago
    This is a useful exercise and not as scary as I expected. I'll bet this will be used as a template for requestors.

    Which makes me wonder about these requests en masse as a form of activism.

  • ithkuil 2229 days ago
    > please provide me a copy of my data ...

    How should I send the personal data?

    • geocar 2229 days ago
      Recital 63 gives some guidance here:

      http://www.privacy-regulation.eu/en/recital-63-GDPR.htm

      It depends on what kind of data you have, how you keep it, how you know it is their personal data, how long you keep it, and so on.

      • ThePhysicist 2229 days ago
        Providing a download link to a TLS-encrypted site that's only accessible to a logged in user would probably be the easiest way to do that.
    • roel_v 2229 days ago
      A German student sued Facebook a few years ago over this and got sent reams and reams of printed pages.
  • Radim 2230 days ago
    These types of SAR requests (even milder ones) are of course impossible to handle manually. Self-assessment, the way most companies decided to handle GDPR, isn't much help here. How do you automate personal data discovery, especially for already existing data?

    Funnily, the biggest fear companies have regarding GDPR and SAR does not originate from "Mr. I. Rate the customer", like in this article. It comes from disgruntled employees ratting on the company. Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage. GDPR introduces a whole new dynamic.

    This may be a good place to shamelessly plug a tech we developed (Show HN!) for automatically locating personal data across corporate resources: https://pii-tools.com

    Personal data discovery is but a small piece in the compliance puzzle, but a piece that is critical to understanding what sensitive data is even out there: CVs with photos in backups? Scanned passports in attachments of email archives? Names and addresses in database tables? How about S3, Azure, GDrive?

    Let me also add that there's no shame in not having a comprehensive view of all the corporate personal inventory. Larger companies grow their resources organically, through acquiring other companies and separate business units doing their own thing. It is a complex problem, but one where technology can help.
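The kind of discovery pass the comment above is talking about, as an added example written for this page (it is not code from pii-tools.com or from any commenter): a scan over already-extracted text resources for e-mail addresses, card numbers and IBANs. The point it makes beyond the prose is that a naive regex sweep over backups and logs drowns in false positives (order numbers look like card numbers, mistyped IBANs look like IBANs), so each candidate is checksum-validated before it lands in the inventory. The resource names and contents are constructed for the example; the IBANs and the first card number are the commonly published test values.

```python
"""Personal-data discovery over unstructured text, with checksum validation.

Added example for this page; it is not code from pii-tools.com or from any
commenter. It assumes the resources to scan have already been reduced to text
(an e-mail archive, a CSV export, a log file) and are small enough to hold in
memory. The sample resources below are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str   # where the value was seen
    kind: str       # "email", "card" or "iban"
    value: str      # normalised value (separators stripped)
    offset: int     # character offset inside the resource


EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# country code, two check digits, then groups of four alphanumerics
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check on the IBAN with spaces removed."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]                               # country+check digits to the end
    numeric = "".join(str(int(c, 36)) for c in rearranged)   # A=10 ... Z=35
    return int(numeric) % 97 == 1


def scan_text(resource: str, text: str) -> list:
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding(resource, "email", m.group(), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                     # drops order numbers and typos
            findings.append(Finding(resource, "card", digits, m.start()))
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):                  # drops IBAN-shaped strings with bad check digits
            findings.append(Finding(resource, "iban", m.group().replace(" ", ""), m.start()))
    return findings


def scan_resources(resources: dict) -> list:
    """resources maps a resource name to its text content."""
    out = []
    for name, text in resources.items():
        out.extend(scan_text(name, text))
    return out


def inventory(findings: list) -> dict:
    """Per-resource count of findings by kind, the shape a data map needs."""
    inv = {}
    for f in findings:
        inv.setdefault(f.resource, {}).setdefault(f.kind, 0)
        inv[f.resource][f.kind] += 1
    return inv


# Constructed sample data; the IBANs and the first card number are the
# standard published test values, not real accounts.
SAMPLE_RESOURCES = {
    "mail-archive/2017/0001.eml": (
        "From: jane.doe@example.com\n"
        "Please refund to GB82 WEST 1234 5698 7654 32 as agreed.\n"
    ),
    "crm-export.csv": (
        "id,name,card\n"
        "1,J. Doe,4111 1111 1111 1111\n"       # passes Luhn
        "2,R. Roe,4111 1111 1111 1112\n"       # fails Luhn: typo or not a card
    ),
    "erp/orders.log": (
        "order ref 1234 5678 9012 3456 shipped\n"      # 16 digits, fails Luhn
        "iban DE89 3704 0044 0532 0130 00 paid\n"      # valid IBAN
        "iban GB00 WEST 1234 5698 7654 32 rejected\n"  # bad check digits
    ),
}

if __name__ == "__main__":
    for f in scan_resources(SAMPLE_RESOURCES):
        print(f"{f.resource}:{f.offset} {f.kind} {f.value}")
    print(inventory(scan_resources(SAMPLE_RESOURCES)))
```

Run as a script it reports one e-mail address, one card number and two IBANs and skips the three look-alikes. A real inventory would add detectors for the other categories the comment lists (names, addresses, document scans), which need dictionaries, OCR or a model rather than a regex, and would stream files rather than hold them in memory.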

    • discoursism 2229 days ago
      > How do you automate personal data discovery, especially for already existing data?

      You attach an owner id to every record, and make sure all your systems can dump all information they store according to owner id. To the extent existing systems don't, you fix them.

      • Radim 2229 days ago
        Charming response :-) An entire industry dismissed in a single HN comment. Poof!

        I'm not sure we understand "data discovery" to mean the same thing, but you reminded me of "How To Draw An Owl":

        http://sethgodin.typepad.com/seths_blog/2014/01/how-to-draw-...

        • discoursism 2229 days ago
          Hrm, did you expect me to design the output of an entire industry in an HN comment? I didn't say it was easy to do. But it is what must be done. My goal was not to provide code, but an outline, a very rough sketch, rough to the extent that it could fit in a pair of sentences. I guess in that sense the owl metaphor is accurate!

          We've had two years to work on this. At my company, we've had entire teams spending significant fractions of their time over the last year prepping. As a result, we'll be ready when the switch flips.

          • Radim 2229 days ago
            It's refreshing to see such a responsible approach.

            What you suggest is (as far as I understand you) orthogonal to automated data discovery / inventory mapping, though.

            • discoursism 2229 days ago
              I agree we are not using the same definition of data discovery. In my use case, you know a priori which user provided the data, you just need to plumb the information through to all downstream systems. This seems sufficient for GDPR as I understand it. I had not read your entire comment and did not realize you were promoting a system to try to do something like this automatically. I did not realize the initial question was rhetorical.

              FWIW I would be worried about relying on such a system! But based on the description it seems helpful. What does it do about derivative data that doesn't directly contain any PII?
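The owner-id approach sketched in this sub-thread, as an added example written for this page (it is not code from any commenter's company or product): every system registers itself with the purpose, legal basis and retention it was recorded with, and exposes one hook that dumps its records for a given owner id. The recommendation store is the derived-data case asked about above: none of its fields is personal data on its own, but the rows are keyed by owner id, so they are exported with everything else. The legacy newsletter store is the failure mode: it never got an owner id column and can only be queried by e-mail through an identity map, and when the subject cannot be resolved the export records a gap rather than silently returning nothing. All store names, subjects and rows are constructed for the example.

```python
"""Answering a subject access request by owner id across every store.

Added example for this page, not from any commenter's company. Assumes each
system exposes dump_for_owner(owner_id) and carries its Article 30 metadata
(purpose, legal basis, retention). All names, stores and rows are constructed.
"""
import json


class OwnerKeyed:
    """A system whose records carry the owner id directly."""

    def __init__(self, name, purpose, legal_basis, retention_days, rows, key="owner_id"):
        self.name, self.purpose, self.legal_basis = name, purpose, legal_basis
        self.retention_days, self.rows, self.key = retention_days, rows, key

    def dump_for_owner(self, owner_id):
        return [dict(r) for r in self.rows if r.get(self.key) == owner_id]


class EmailKeyed:
    """Legacy system without an owner id; it needs the identity map to answer.
    If the subject cannot be resolved to an e-mail it raises, and the export
    records that as a gap instead of silently returning nothing."""

    def __init__(self, name, purpose, legal_basis, retention_days, rows, identity_map):
        self.name, self.purpose, self.legal_basis = name, purpose, legal_basis
        self.retention_days, self.rows, self.identity_map = retention_days, rows, identity_map

    def dump_for_owner(self, owner_id):
        emails = self.identity_map.get(owner_id)
        if not emails:
            raise LookupError(f"{self.name}: no e-mail known for {owner_id}")
        return [dict(r) for r in self.rows if r.get("email") in emails]


def build_sar_export(owner_id, stores):
    """One query per system; systems that cannot key by owner become gaps."""
    export = {"subject": owner_id, "systems": [], "gaps": []}
    for s in stores:
        try:
            records = s.dump_for_owner(owner_id)
        except LookupError as err:
            export["gaps"].append({"system": s.name, "reason": str(err)})
            continue
        export["systems"].append({
            "system": s.name,
            "purpose": s.purpose,
            "legal_basis": s.legal_basis,
            "retention_days": s.retention_days,
            "records": records,          # empty list still shows the system was queried
        })
    return export


def build_sample_stores():
    identity_map = {"u-42": ["jane@example.com"]}   # owner id -> known e-mails (constructed)
    return [
        OwnerKeyed("accounts", "service delivery", "contract", 365 * 6, [
            {"owner_id": "u-42", "name": "Jane Doe", "email": "jane@example.com"},
            {"owner_id": "u-7", "name": "Bob Roe", "email": "bob@example.com"},
        ]),
        OwnerKeyed("orders", "order fulfilment", "contract", 365 * 10, [
            {"owner_id": "u-42", "order": "o-1001", "total": 42.0},
            {"owner_id": "u-42", "order": "o-1002", "total": 13.5},
            {"owner_id": "u-7", "order": "o-1003", "total": 99.0},
        ]),
        # Derived data: no field is personal data by itself, but it is about u-42.
        OwnerKeyed("recommendations", "personalisation", "legitimate interest", 90, [
            {"owner_id": "u-42", "segment": "frequent-buyer", "score": 0.83},
            {"owner_id": "u-7", "segment": "dormant", "score": 0.12},
        ]),
        EmailKeyed("legacy-newsletter", "marketing", "consent", 365 * 2, [
            {"email": "jane@example.com", "subscribed": True},
            {"email": "bob@example.com", "subscribed": False},
        ], identity_map),
    ]


def to_json(export):
    return json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_sar_export("u-42", build_sample_stores())))
    print(to_json(build_sar_export("u-99", build_sample_stores())))
```

The same hook is what an erasure request or a breach-scope question would be answered through; the gaps list is the thing to drive to zero before the deadline, because every store that can only be reached by a secondary key is one the export cannot vouch for.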

  • aazar 2229 days ago
    Hi Everyone, I am the Co-Founder of ECOMPLY.io. I thought about jumping in and helping you all out.

    First of all, you need to understand whether you have customers in Europe. If yes, is data your everyday thing? If yes, then you need to comply with Article 30 first. Article 30 asks how many processes you have and how many of them have personal data involved, and then tells you to state the purpose, legal basis, category of personal data and deletion request.

    I interviewed Mailjet about how they did it: https://ecomply.io/how-to-become-gdpr-compliant-insights-fro...

    Now, how to answer a Subject Access Request: once you're done with Article 30, i.e. records of processing activities, you'll know what, where and how you obtained that data, with the purpose and legal basis. This request will be difficult to answer then:

    Here are the 10 steps you need to do: https://ecomply.io/10-critical-steps-to-general-data-protect...

    It's a piece of cake then.

    Plus, you need to change your way of doing sales & marketing in Europe: https://ecomply.io/pimping-up-your-sales-in-a-post-gdpr-worl...

  • Zigurd 2228 days ago
    This looks like the mirror image for the requirements document for protecting PII. You may not need to be able to respond directly to every demand in the letter, but you should be able to have a watertight explanation of why not. "Burdensome" won't cut it.
  • amelius 2229 days ago
    Wouldn't it be fair if the GDPR allowed for a small administration fee, for such requests?
  • jakeogh 2229 days ago
    I just had an awesome idea. Let's make keeping records of past information and actors encountered illegal if they don't want you to remember, while at the same time making it trivial for the same people to waste your time by demanding free consulting.
  • chasb 2229 days ago
    Be aware, this article is not a list of GDPR requirements. It is, however, a good list of questions that every business processing data in the cloud should be aware of. You need to be able to answer these questions.
  • oliwarner 2229 days ago
    Just remember there is a "go away†, this request is too onerous" get-out clause for GDPR requests. Just as there is a billable option for excessive queries.

    Both options have to be reasoned —and the person making the request can squeal off to the ICO at any point— but in a letter like the linked one, I would find it hard to justify forensically picking through years of historical access data and not charge a fee for doing so.

    Compliance regarding breach notification is forward-looking too, so all this nonsense about "has this ever happened" is outside the GDPR, as far as I can see, anyway.

    † The GDPR contains no rules about being polite. If somebody made demands like this at me, I would be considerably less polite than my example there.

    • mindslight 2229 days ago
      > hard to justify forensically picking through years of historical access data

      If querying is so onerous, then why the fuck are years of historical access data even being stored ?

      This desire to keep reams of nebulously categorized surveillance data "just in case" seems to be one of the issues at the heart of this legislation. If it has business value and a legitimate purpose, then formalize it. Otherwise, delete it.

      • oliwarner 2229 days ago
        Obviously, most people might not but some will.

        In some countries and sectors it's a legal or contractual requirement that you keep audit trails for x years. I've worked on accounting systems where the insurers and banks have both had separate requirements here.

        Not that this is relevant here. My point was that if people demand retroactive notice of a breach —and you're not otherwise required to notify them— even if you have that data, you can tell them to bugger off.

      • moduspol 2229 days ago
        What about backups? And isn't it good practice for them to be immutable? Or is that outside of scope?
  • mirimir 2229 days ago
    > 3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.

    I wonder whether this includes police and TLAs.

  • emilfihlman 2230 days ago
    I wonder what would happen if we sent this to Brussels en masse.
    • number6 2230 days ago
      Why not - just send these letters out en masse. There should be a webservice for this.
      • speedupmate 2229 days ago
        For every action, there is an equal and opposite reaction. If a customer can ask anything, then a company that is asked can ask anything in return, and if you send those out "en masse" you just become subject to GDPR yourself.