General Data Protection Regulation (GDPR) - useful/practical tips for small developers
- u-he
- 28062 posts since 8 Aug, 2002 from Berlin
fluffy_little_something wrote:
> German Abmahn parasites will like that new law, though.

Thing is, they need to file complaints with the data protection authority first and there's a 4 week deadline (subject to extension) to fix issues.
I guess some might try though, I also guess there'll be plenty of scammers preparing stuff already.
It makes sense to prepare for this by writing down what to do when/if these letters come in. I'm gonna ask our lawyer for advice tomorrow, he'll probably just tell us to forward them.
- Banned
- 1583 posts since 19 Aug, 2011
Urs wrote:
> BMoore wrote:
> > First. Yes, I'm an expert on GDPR, the German BDSG, and the UK DPA.
>
> Cool. Our consultants would pretty much say the same.
>
> BMoore wrote:
> > Second. I don't give a rat's ass about how much you've spent on this.
>
> That is correct. The GDPR has been an eye opener for me. I trust I'm not alone.
>
> Although it might tell us that you really didn't have proper security for your users before.
>
> BMoore wrote:
> > And third. The fines are not tied to data breaches.
> > I don't know why you're so hung up on data breaches only.
>
> I'm hung up on data breaches because there's particular emphasis on them (see the emphasis on immediacy when reporting them to data protection authorities), and various consultants reckoned that the full extent of fines will happen on data breaches when companies could have prevented them.
>
> I have never said that it is "all about data breaches", but you'll have a hard time convincing me that data breaches (including using data for purposes not given consent for) isn't a strong motivator for the law.
>
> BMoore wrote:
> > You might be in for a surprise later.
>
> That a threat?

Oh yeah. The "immediacy" of 3 full days after becoming aware of a breach.

And your generalization of GDPR in your last posts says to me you think it's about breaches. And that's where the surprise may hit you over the head, if you're only adapting to breaches.

A threat?! Well, not from me, you dunce. Authorities maybe.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats
-
fluffy_little_something
- Banned
- 12880 posts since 5 Jun, 2012
Urs wrote:
> fluffy_little_something wrote:
> > German Abmahn parasites will like that new law, though.
>
> Thing is, they need to file complaints with the data protection authority first and there's a 4 week deadline (subject to extension) to fix issues.
> I guess some might try though, I also guess there'll be plenty of scammers preparing stuff already.
> It makes sense to prepare for this by writing down what to do when/if these letters come in. I'm gonna ask our lawyer for advice tomorrow, he'll probably just tell us to forward them.

I suppose they will hope some of their victims don't have a clue of the details of the new law and will pay just like that.
Despite good intentions, the new law might make life even harder for European companies. Just like the new VAT law.
- KVRAF
- 4633 posts since 21 Jan, 2008 from oO
hm, this guy talks about some shady motivation on the part of the authorities. Was an interesting read.
https://www.datenschutz-guru.de/aufsich ... netseiten/
- u-he
- 28062 posts since 8 Aug, 2002 from Berlin
BMoore wrote:
> Oh yeah. The "immediacy" of 3 full days after becoming aware of a breach.
> And your generalization of GDPR in your last posts says to me you think it's about breaches.

Here's the thing:
Updating Information part (Privacy Policy etc.): few hundred bucks
Updating Consent part (Newsletter Signup process etc.): few hundred bucks
Prepare for user rights (to be forgotten etc.): Free, we had that already under existing law
Data Minimization part (delete a lot of shit, order data flow): couple thousand bucks
Creating a fortress for data: 90+% of cost
Of course GDPR is not *only* about breaches, but preparation-wise, this is where in my experience the vast amount of work and money goes. Simply also because this is where the fines are. Lemme detail this thought:
Truth is, much of the hysteria about the law is about the fines, with 20.000.000€ being the *minimum fine*, or 4% of the annual revenue if that is *higher* than those 20.000.000€. Those fines won't apply for someone who forgot a comma in their Privacy Policy or who hasn't been clear enough about what data exactly he collects and on what grounds - these things are covered through the complaint mechanism. Those fines will apply to companies who exposed data (breach/abuse/leaks whatever) when a) they weren't supposed to have it, b) use it beyond the scope they were supposed to and/or c) they didn't protect it sufficiently. It's called "Data Protection" after all. Hence my initial statement:
Urs wrote:
> This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.

I don't think this is bad advice at all...?

BMoore wrote:
> And that's where the surprise may hit you over the head, if you're only adapting to breaches.

I don't think our data protection authority is gonna come after us in any way. Simply because we have *always* been quite strict about customer privacy. We've always sought consent, e.g. for newsletters. We've always stored relevant files and folders on a need-to-know basis, i.e. employee data was only accessible to those who needed to handle it. We've always been able to tell people what we store, where and what for. We have now updated our own knowledge about that by some legal terms, and we've got a folder now for all things data protection with all sorts of data processing contracts, data flow charts, those dozens of forms we got from our authority and what not. So should our data protection authority pay us an unannounced visit, we have everything prepared for them.
However, apart from the obvious (updating their privacy policy seems to be what the majority of people talk about) we didn't know for instance that we need to offer email encryption for job applications. Easy fix. We didn't know that a cheap shredder doesn't cut it (no pun intended). Lots of little things like that which make sense once aware. There's certainly more, and we'll happily comply if our data protection authority tells us what it is and gives us those 4 weeks to fix them. Not scary at all. No devastating fines expected.
But then again, we used to have our customer database on a webserver with some kind of CMS, like most companies do which offer some kind of login to review their licenses. We found this unnecessary for our business and too risky, given that most standard CMS are prone to security holes and need constant patching. Now, *that* was scary shit: Data we don't really need out there, possibly on a silver platter for hackers to grab. The passwords were hashed, sure, but still, "what if?". So we changed the infrastructure to move the customer database into our headquarters, away from the web, where we put it behind firewalls. And we changed our website from standard CMS to pre-rendered static HTML. No more user data on webservers, no more passwords. These things were the single most expensive steps we undertook to satisfy certain aspects of GDPR. We minimized data and we secured it. That, by far, outweighed anything else that had to be done in respect to GDPR, or consent/information/privacy in general. Even the resubscription of our newsletter with double opt-in and thus loss of 80% of our email marketing base was a piece of cake in comparison.
So yes, it's not only about "data protection" or "data security", it's also about information, consent, rights (to forget, to correct, to move etc.), profiling, data minimization and all that. But most of that was there before, certainly in Germany. It was the threat of fines though which created the hysteria, and with it the desire to protect the data by all means possible which caused most of the waves. At least for me. YMMV
(that said, the plan to move the customer database "to the inside" came up long before we had heard about GDPR. Latter just gave us an extra kick to get shit done.)
- u-he
- 28062 posts since 8 Aug, 2002 from Berlin
maki wrote:
> hm, this guy talks about some shady motivation on the part of the authorities. Was an interesting read.
> https://www.datenschutz-guru.de/aufsich ... netseiten/

Interesting read, indeed. If this is true, anyone with a Like-button might become subject to abuse through the cease-and-desist industry. The article says that German authorities interpret the law so that consent needs to be given *before* a cookie is set, e.g. when using Google Analytics.
As far as I understood, consent for tracking *before* a cookie is set was only ever necessary for such kind of profiling which links the user activity directly to the user's profile. In other words, if the tracking data ends up in a database without being anonymized, prior consent is necessary and a cookie notice or a paragraph in a privacy statement is not enough. Not sure.
However. Tracking can not only be done with cookies. Once a user on a website can be identified (a login, a purchase, whatever), he can as well be tracked by log files. I'm curious to see if this ends up being a problem as well. It would make offering a website very difficult in general, because how can you ever get consent before the landing page?
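Added example (not from the thread, and not u-he's code): two of Urs's points above meet in the log pipeline: "if you can anonymize, do so", and a logged-in or purchasing user can be tracked through log files even without cookies. The script below scrubs Apache/nginx "combined" access-log lines before they are retained. It truncates the client IP (IPv4 to a /24, IPv6 to a /48; both widths are a design choice, not a legal requirement), blanks the authenticated-user field, and strips query strings from the request and referer, since that is where session ids and e-mail addresses tend to end up. The log lines are constructed, not real traffic.

```javascript
// Added example (not from the thread): scrub identifying fields from
// Apache/nginx "combined" access-log lines before the logs are retained.
// Assumptions: combined log format; IPv4 truncated to /24 and IPv6 to /48
// (the truncation widths are a design choice, not a legal requirement).

// ip ident authuser [timestamp] "request" status bytes "referer" "user-agent"
const COMBINED_RE = /^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Expand an IPv6 address with a possible "::" into eight groups.
function expandIpv6(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  return [...h, ...new Array(8 - h.length - t.length).fill('0'), ...t];
}

// Zero the host part so the address no longer identifies one subscriber.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    return `${expandIpv6(ip).slice(0, 3).join(':')}::`; // keep the /48
  }
  const octets = ip.split('.');
  if (octets.length !== 4) return '0.0.0.0'; // unrecognised: drop it entirely
  octets[3] = '0';                            // keep the /24
  return octets.join('.');
}

// Drop the query string: session ids, tokens and e-mail addresses live there.
function stripQuery(url) {
  return url.split('?')[0];
}

// Returns the scrubbed line, or null if the line does not parse.
function anonymizeLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  const [, ip, , , ts, request, status, bytes, referer, ua] = m;
  const [method, url = '-', proto] = request.split(' ');
  const cleanRequest = [method, stripQuery(url), proto].filter(Boolean).join(' ');
  // ident and authuser become "-": the login name is exactly the identifier
  // that would link the rest of the line to a person.
  return `${anonymizeIp(ip)} - - [${ts}] "${cleanRequest}" ${status} ${bytes} "${stripQuery(referer)}" "${ua}"`;
}

// Process a whole log. Unparseable lines are counted and not kept, so nothing
// identifying slips through in a format the scrubber did not understand.
function anonymizeLog(lines) {
  const kept = [];
  let dropped = 0;
  for (const line of lines) {
    const out = anonymizeLine(line);
    if (out === null) dropped += 1; else kept.push(out);
  }
  return { kept, dropped };
}

// Constructed sample input (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.42 - alice@example.com [25/May/2018:10:15:32 +0200] "GET /account?session=abc123 HTTP/1.1" 200 5120 "https://www.example.com/login?user=alice" "Mozilla/5.0"',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [25/May/2018:10:16:01 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
  'not a log line at all',
];

const scrubbed = anonymizeLog(SAMPLE_LOG);
scrubbed.kept.forEach((l) => console.log(l));
console.log(`dropped ${scrubbed.dropped} unparseable line(s)`);
```

The user-agent string is kept here because it is usually needed for debugging; combined with a truncated IP it can still narrow a visitor down, so if the logs are kept for long, coarsen or drop it as well.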
-
- KVRAF
- 2367 posts since 17 Apr, 2004
fluffy_little_something wrote:
> Sounds like yet another crazy EU law [...] It is a joke.

Did you miss, say, the Cambridge Analytica story?
Voted KVR's resident drunk Robert Smith impersonator (thanks Frantz!)
https://open.spotify.com/artist/2myYesRBRgQB3LkZzEYdt5 | https://soundcloud.com/steevm/
-
fluffy_little_something
- Banned
- 12880 posts since 5 Jun, 2012
sjm wrote:
> fluffy_little_something wrote:
> > Sounds like yet another crazy EU law [...] It is a joke.
>
> Did you miss, say, the Cambridge Analytica story?

No, I didn't. So?
Data is the gold of our times. Where there is data, it will be used in unwanted ways, I am realistic about it. Unlike with a paper document, clever nerds around the globe can access it, make countless copies of it, manipulate it etc. Others will simply sell it in order to make money. Where there is money, there is crime.
The EU is trying to, or pretending to try to achieve the impossible and probably hurting decent EU companies in the process.
-
- KVRAF
- 2194 posts since 18 Mar, 2006 from Plymouth, UK
Urs wrote:
> maki wrote:
> > hm, this guy talks about some shady motivation on the part of the authorities. Was an interesting read.
> > https://www.datenschutz-guru.de/aufsich ... netseiten/
>
> Interesting read, indeed. If this is true, anyone with a Like-button might become subject to abuse through the cease-and-desist industry. The article says that German authorities interpret the law so that consent needs to be given *before* a cookie is set, e.g. when using Google Analytics.
>
> As far as I understood, consent for tracking *before* a cookie is set was only ever necessary for such kind of profiling which links the user activity directly to the user's profile. In other words, if the tracking data ends up in a database without being anonymized, prior consent is necessary and a cookie notice or a paragraph in a privacy statement is not enough. Not sure.
>
> However. Tracking can not only be done with cookies. Once a user on a website can be identified (a login, a purchase, whatever), he can as well be tracked by log files. I'm curious to see if this ends up being a problem as well. It would make offering a website very difficult in general, because how can you ever get consent before the landing page?

I thought all cookies required consent, hence the EU Cookie Law (https://www.cookielaw.org/the-cookie-law/)
Either way, we received our first Subject Access Request today, a day early (well, technically not early for a SAR, but it's DPA rather than GDPR, and slightly different requirements)
-
fluffy_little_something
- Banned
- 12880 posts since 5 Jun, 2012
Cookies. What is the point in asking people to accept cookies when a site doesn't work properly without them?
- u-he
- 28062 posts since 8 Aug, 2002 from Berlin
koalaboy wrote:
> I thought all cookies required consent, hence the EU Cookie Law (https://www.cookielaw.org/the-cookie-law/)

Well, I wouldn't know how to technically use Google Analytics or embed a Twitter feed and ask for consent first. An additional (non-tracking) landing page would possibly defeat the purpose as it breaks the referral chain.
Hence I think it is commonly accepted that standard tracking cookies can be activated/deactivated in the browser (private browsing or whatever it's called).
We've asked for written clarification from our data protection authority. Let's see if they get this done, and we can say "hey, we did what we could".
-
- KVRAF
- 2194 posts since 18 Mar, 2006 from Plymouth, UK
fluffy_little_something wrote:
> Cookies. What is the point in asking people to accept cookies when a site doesn't work properly without them?

A site can work perfectly well without cookies until someone needs to log in (and even then, it's doable).
I shouldn't have a site storing cookies about me, just because I read something on one of their pages. Unfortunately, so many sites are full of trackers and beacons and adverts and all of the other things that are unrelated to the site itself (other than for monetisation, which is the unfortunate freemium model).
If you have registered users, then cookies are fine when they log in, and people expect to be tracked by a site when they are logged in. If they aren't logged in, why should they be tracked?
- KVRAF
- 4633 posts since 21 Jan, 2008 from oO
Urs wrote:
> As far as I understood, consent for tracking *before* a cookie is set was only ever necessary for such kind of profiling which links the user activity directly to the user's profile. In other words, if the tracking data ends up in a database without being anonymized, prior consent is necessary and a cookie notice or a paragraph in a privacy statement is not enough. Not sure.

That EU cookie law is (I think that's one topic in that blog post) not yet transposed from that directive into German national law, hence there actually isn't a requirement to do such an opt-in in Germany (questionable).
However, it would need to be tied to a function that de-/activates all scripts on the page I guess, just leaving the HTML and CSS basically. Not sure if that can be avoided with those aggressive trackers, but there is this thing that has been around for quite a long time:
privacy-compliant Like buttons: https://www.heise.de/ct/ausgabe/2014-26 ... 63330.html
I think heise came up with it first and claimed it's required in Germany.
Still, if that authority department misinterprets the law and makes such confusing statements, people might be uncertain and rather pay those lawyers to be "safe" even if they wouldn't need to.
Generally this whole topic is pretty hyped currently, but if you look back in time, fines for privacy-protection-related violations have rarely been imposed.
Example in Berlin 2017 on page 144: https://datenschutz-berlin.de/jahresberichte.html
There were only 16 fines imposed with a total sum of 10.350,00 EUR, with a maximum possible limit of 300.000,00 EUR for a single fine if I'm not mistaken.
24 criminal proceedings in 2017, still, for Berlin I do not think that's a whole lot actually.
In 2016 it was 24 fines imposed with a total sum of 24.020,00 EUR and 4 criminal proceedings in court.
Nonetheless it's good to think about it, but it also can be a barrier to a good economic flow I think.
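Added example (not from the thread, nor from u-he or heise): Urs asks how one could technically use Google Analytics or embed a Twitter feed and still ask for consent first, and maki points at the "two-click" idea behind heise's privacy-compliant Like buttons. The gate below is one way to do that: the landing page ships only first-party HTML and CSS with a placeholder button per embed, and the third-party script is injected only when the user clicks it, so no third-party request or cookie can happen before consent. The service names and URLs are placeholders, and the injector is passed in by the caller so the logic runs under Node without a DOM.

```javascript
// Added example (not from the thread): a consent gate that loads third-party
// scripts (analytics, Like/Tweet buttons, embedded feeds) only after the user
// clicks a first-party placeholder. Until then nothing external is contacted.
// Assumptions: service names and URLs below are placeholders; `inject` is
// supplied by the caller so the logic can be exercised without a DOM.

const THIRD_PARTY = {
  analytics: { url: 'https://stats.example/tracker.js', label: 'usage statistics' },
  twitter:   { url: 'https://social.example/widgets.js', label: 'embedded Twitter feed' },
  like:      { url: 'https://social.example/like-button.js', label: 'Like button' },
};

function assertKnown(service) {
  if (!Object.prototype.hasOwnProperty.call(THIRD_PARTY, service)) {
    throw new Error(`unknown third-party service: ${service}`);
  }
}

// storage: anything with get/set (a Map here; a localStorage adapter in the
// browser). It is first-party and only written when the user asks to be
// remembered, so it is itself not a tracking mechanism.
function createConsentGate({ inject, storage = new Map() }) {
  const granted = new Set(storage.get('consent') || []);
  const loaded = new Set();

  function load(service) {
    if (loaded.has(service)) return false; // idempotent: one script tag per service
    inject(THIRD_PARTY[service].url);
    loaded.add(service);
    return true;
  }

  return {
    // Click handler for the placeholder: record the choice, then load.
    grant(service, { remember = false } = {}) {
      assertKnown(service);
      granted.add(service);
      if (remember) storage.set('consent', [...granted]);
      return load(service);
    },
    // Withdrawing consent stops future loads. A script already running can
    // only be removed by reloading the page; the return value says whether
    // that is needed.
    revoke(service) {
      assertKnown(service);
      granted.delete(service);
      storage.set('consent', [...granted]);
      return loaded.has(service);
    },
    // On page load: re-inject only what the user previously chose to remember.
    restore() {
      return [...granted].filter((s) => load(s));
    },
    isGranted(service) { return granted.has(service); },
    loadedServices() { return [...loaded].sort(); },
  };
}

// First-party placeholder markup. The data attribute names the service the
// click handler passes to gate.grant(); nothing external is referenced.
function placeholderHtml(service) {
  assertKnown(service);
  const { label } = THIRD_PARTY[service];
  return `<button type="button" data-consent-load="${service}">Load ${label} (contacts a third party)</button>`;
}

// Browser wiring; skipped under Node so the module stays testable there.
function domInject(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof document !== 'undefined') {
  const store = {
    get: (k) => JSON.parse(localStorage.getItem(k) || 'null'),
    set: (k, v) => localStorage.setItem(k, JSON.stringify(v)),
  };
  const gate = createConsentGate({ inject: domInject, storage: store });
  gate.restore();
  document.addEventListener('click', (ev) => {
    const service = ev.target.dataset && ev.target.dataset.consentLoad;
    if (service) gate.grant(service, { remember: true });
  });
}
```

The referral chain Urs worries about is preserved: the visitor lands on the real page, not on an interstitial, and only the embeds are deferred. What the gate cannot do is undo a script that has already run, which is why revoke() reports whether a reload is needed.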
- KVRAF
- 35265 posts since 14 Sep, 2002 from In teh net
What I don't get is how come all the small developers are having to email everyone asking them to opt into newsletters etc, but the larger companies seem able to just get away with an email telling you they 'respect your privacy, but 'If you agree with our Privacy Policy, there’s nothing you need to do'.