General Data Protection Regulation (GDPR) - useful/practical tips for small developers

DSP, Plugin and Host development discussion.
Post

I write everything down then delete all electronic data, then have a big bonfire every Friday night.

Works for me.

Post

fluffy_little_something wrote:German Abmahn parasites will like that new law, though.
Thing is, they need to file complaints with the data protection authority first and there's a 4 week deadline (subject to extension) to fix issues.

I guess some might try though, I also guess there'll be plenty of scammers preparing stuff already.

It makes sense to prepare for this by writing down what to do when/if these letters come in. I'm gonna ask our lawyer for advice tomorrow, he'll probably just tell us to forward them.

Post

Urs wrote:
BMoore wrote: First. Yes, I'm an expert on GDPR, the German BDSG, and the UK DPA.
Cool. Our consultants would pretty much say the same.
Second. I don't give a rats ass about how much you've spent on this.
Although it might tell us that you really didn't have proper security for your users before.
That is correct. The GDPR has been an eye opener for me. I trust I'm not alone.
And third. The fines are not tied to data breaches.
I don't know why you're so hung up on data breaches only.
I'm hung up on data breaches because there's particular emphasis on them (see the emphasis on immediacy when reporting them to data protection authorities), and various consultants reckoned that the full extent of fines will happen on data breaches when companies could have prevented them.

I have never said that it is "all about data breaches", but you'll have a hard time convincing me that data breaches (including using data for purposes not given consent for) aren't a strong motivator for the law.
You might be in for a surprise later.
That a threat?
Oh yeah. The "immediacy" of 3 full days after becoming aware of a breach.
And your generalization of GDPR in your last posts says to me you think it's about breaches. And that's where the surprise may hit you over the head, if you're only adapting to breaches.
A threat?! Well, not from me, you dunce. Authorities maybe.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats

Post

Urs wrote:
fluffy_little_something wrote:German Abmahn parasites will like that new law, though.
Thing is, they need to file complaints with the data protection authority first and there's a 4 week deadline (subject to extension) to fix issues.

I guess some might try though, I also guess there'll be plenty of scammers preparing stuff already.

It makes sense to prepare for this by writing down what to do when/if these letters come in. I'm gonna ask our lawyer for advice tomorrow, he'll probably just tell us to forward them.
I suppose they will hope some of their victims don't have a clue of the details of the new law and will pay just like that.

Despite good intentions, the new law might make life even harder for European companies. Just like the new VAT law.

Post

hm, this guy claims about some shady motivation inspired by authorities. Was an interesting read.

https://www.datenschutz-guru.de/aufsich ... netseiten/

Post

BMoore wrote:Oh yeah. The "immediacy" of 3 full days after becoming aware of a breach.
And your generalization of GDPR in your last posts says to me you think it's about breaches.
Here's the thing:

Updating Information part (Privacy Policy etc.): few hundred bucks
Updating Consent part (Newsletter Signup process etc.): few hundred bucks
Prepare for user rights (to be forgotten etc.): Free, we had that already under existing law
Data Minimization part (delete a lot of shit, order data flow): couple thousand bucks
Creating a fortress for data: 90+% of cost

Of course GDPR is not *only* about breaches, but preparation-wise, this is where in my experience the vast amount of work and money goes. Simply also because this is where the fines are. Lemme detail this thought:

Truth is, much of the hysteria about the law is about the fines, with 20.000.000€ being the *minimum fine*, or 4% of the annual revenue if that is *higher* than those 20.000.000€. Those fines won't apply for someone who forgot a comma in their Privacy Policy or who hasn't been clear enough about what data exactly he collects and on what grounds - these things are covered through the complaint mechanism. Those fines will apply to companies who exposed data (breach/abuse/leaks whatever) when a) they weren't supposed to have it, b) use it beyond the scope they were supposed to and/or c) they didn't protect it sufficiently. It's called "Data Protection" after all. Hence my initial statement:
Urs wrote:This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
I don't think this is bad advice at all...?
BMoore wrote:And that's where the surprise may hit you over the head, if you're only adapting to breaches.
I don't think our data protection authority is gonna come after us in any way. Simply because we have *always* been quite strict about customer privacy. We've always sought consent, e.g. for newsletters. We've always stored relevant files and folders on a need-to-know basis, i.e. employee data was only accessible to those who needed to handle it. We've always been able to tell people what we store, where and what for. We have now updated our own knowledge about that by some legal terms, and we've got a folder now for all things data protection with all sorts of data processing contracts, data flow charts, those dozens of forms we got from our authority and what not. So should our data protection authority pay us an unannounced visit, we have everything prepared for them.

However, apart from the obvious (updating their privacy policy seems to be what the majority of people talk about) we didn't know for instance that we need to offer email encryption for job applications. Easy fix. We didn't know that a cheap shredder doesn't cut it (no pun intended). Lots of little things like that which make sense once aware. There's certainly more, and we'll happily comply if our data protection authority tells us what it is and gives us those 4 weeks to fix them. Not scary at all. No devastating fines expected.

But then again, we used to have our customer database on a webserver with some kind of CMS, like most companies do which offer some kind of login to review their licenses. We found this unnecessary for our business and too risky, given that most standard CMS are prone to security holes and need constant patching. Now, *that* was scary shit: Data we don't really need out there, possibly on a silver tablet for hackers to grab. The passwords were hashed, sure, but still, "what if?". So we changed the infrastructure to move the customer database into our headquarters, away from the web, where we put it behind firewalls. And we changed our website from standard CMS to pre-rendered static HTML. No more user data on webservers, no more passwords. These things were the single most expensive steps we undertook to satisfy certain aspects of GDPR. We minimized data and we secured it. That, by far, outweighed anything else that had to be done in respect to GDPR, or consent/information/privacy in general. Even the resubscription of our newsletter with double opt-in and thus loss of 80% of our email marketing base was a piece of cake in comparison.

So yes, it's not only about "data protection" or "data security", it's also about information, consent, rights (to forget, to correct, to move etc.), profiling, data minimization and all that. But most of that was there before, certainly in Germany. It was the threat of fines though which created the hysteria, and with it the desire to protect the data by all means possible which caused most of the waves. At least for me. YMMV

(that said, the plan to move the customer database "to the inside" came up long before we had heard about GDPR. The latter just gave us an extra kick to get shit done.)

Post

.maki wrote:hm, this guy claims about some shady motivation inspired by authorities. Was an interesting read.

https://www.datenschutz-guru.de/aufsich ... netseiten/
Interesting read, indeed. If this is true, anyone with a Like-button might become subject to abuse through the cease-and-desist industry. The article says that German authorities interpret the law so that consent needs to be given *before* a cookie is set, e.g. when using Google Analytics.

As far as I understood, consent for tracking *before* a cookie is set was only ever necessary for such kind of profiling which links the user activity directly to the user's profile. In other words, if the tracking data ends up in a database without being anonymized, prior consent is necessary and a cookie notice or a paragraph in a privacy statement is not enough. Not sure.

However. Tracking can not only be done with cookies. Once a user on a website can be identified (a login, a purchase whatsoever), he can as well be tracked by log files. I'm curious to see if this ends up being a problem as well. It would make offering a website very difficult in general, because how can you ever get consent before the landing page?

Post

fluffy_little_something wrote:Sounds like yet another crazy EU law [...] It is a joke.
Did you miss, say, the Cambridge Analytica story?

Post

sjm wrote:
fluffy_little_something wrote:Sounds like yet another crazy EU law [...] It is a joke.
Did you miss, say, the Cambridge Analytica story?
No, I didn't. So?
Data is the gold of our times. Where there is data, it will be used in unwanted ways, I am realistic about it. Unlike with a paper document, clever nerds around the globe can access it, make countless copies of it, manipulate it etc. Others will simply sell it in order to make money. Where there is money, there is crime.

The EU is trying to, or pretending to try to achieve the impossible and probably hurting decent EU companies in the process.

Post

Urs wrote:
.maki wrote:hm, this guy claims about some shady motivation inspired by authorities. Was an interesting read.

https://www.datenschutz-guru.de/aufsich ... netseiten/
Interesting read, indeed. If this is true, anyone with a Like-button might become subject to abuse through the cease-and-desist industry. The article says that German authorities interpret the law so that consent needs to be given *before* a cookie is set, e.g. when using Google Analytics.

As far as I understood, consent for tracking *before* a cookie is set was only ever necessary for such kind of profiling which links the user activity directly to the user's profile. In other words, if the tracking data ends up in a database without being anonymized, prior consent is necessary and a cookie notice or a paragraph in a privacy statement is not enough. Not sure.

However. Tracking can not only be done with cookies. Once a user on a website can be identified (a login, a purchase whatsoever), he can as well be tracked by log files. I'm curious to see if this ends up being a problem as well. It would make offering a website very difficult in general, because how can you ever get consent before the landing page?
I thought all cookies required consent, hence the EU Cookie Law (https://www.cookielaw.org/the-cookie-law/)

Either way, we received our first Subject Access Request today, a day early (well, technically not early for a SAR, but it's DPA rather than GDPR, and slightly different requirements).

Post

Cookies. What is the point in asking people to accept cookies when a site doesn't work properly without them?

Post

koalaboy wrote:I thought all cookies required consent, hence the EU Cookie Law (https://www.cookielaw.org/the-cookie-law/)
Well, I wouldn't know how to technically use Google Analytics or embed a Twitter feed while asking for consent first. An additional (non-tracking) landing page would possibly defeat the purpose as it breaks the referral chain.

Hence I think it is commonly accepted that standard tracking cookies can be activated/deactivated in the browser (private browsing or whatever it's called).

We've asked for written clarification from our data protection authority. Let's see if they get this done, and we can say "hey, we did what we could".

Post

fluffy_little_something wrote:Cookies. What is the point in asking people to accept cookies when a site doesn't work properly without them?
A site can work perfectly well without cookies until someone needs to log in (and even then, it's doable).

I shouldn't have a site storing cookies about me, just because I read something on one of their pages. Unfortunately, so many sites are full of trackers and beacons and adverts and all of the other things that are unrelated to the site itself (other than for monetisation, which is the unfortunate freemium model).

If you have registered users, then cookies are fine when they log in, and people expect to be tracked by a site when they are logged in. If they aren't logged in, why should they be tracked?

Post

Urs wrote:
As far as I understood, consent for tracking *before* a cookie is set was only ever necessary for such kind of profiling which links the user activity directly to the user's profile. In other words, if the tracking data ends up in a database without being anonymized, prior consent is necessary and a cookie notice or a paragraph in a privacy statement is not enough. Not sure.
That EU cookie law is (I think that's one topic in that blog post) not yet migrated from that directive into German national law, hence there actually isn't a requirement to do such an opt-in in Germany (questionable).

However, it would need to be tied to a function that de-/activates all scripts on the page I guess, just leaving the HTML and CSS basically. Not sure if that can be avoided with those aggressive trackers, but there is this thing around for quite a long time:

privacy compliant like buttons: https://www.heise.de/ct/ausgabe/2014-26 ... 63330.html

I think heise came up with it first and claimed it's required in Germany.

Still, if that authority department misinterprets the law and makes such confusing statements, people might be uncertain and better pay those lawyers to be "safe" even if they wouldn't need to.

Generally this whole topic is pretty hyped currently, but if you look back in time, fees for privacy protection related aberrations are barely imposed.

Example in Berlin 2017 on page 144: https://datenschutz-berlin.de/jahresberichte.html
There were only 16 fees imposed with a total sum of 10.350,00 EUR, with a maximum possible limit of a single fee of 300.000,00 EUR if I'm not mistaken.

24 criminal proceedings in 2017, still for Berlin I do not think that's a whole lot actually.

In 2016 it was 24 fees imposed with a total sum of 24.020,00 EUR and 4 criminal proceedings on court.

Nonetheless it's good to think about it, but it also can be a barrier for a good economic flow I think.
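One way to do the consent-before-cookie loading Urs and .maki are discussing: third-party scripts (analytics, social widgets) are only injected after the visitor opts in, so nothing can set a cookie on the landing page, and the heise-style two-click button is just a placeholder whose click grants consent. This is an added example, not code from this thread or from heise; the category names, the in-memory design (no stored consent) and the example.* URLs are assumptions.

```javascript
// Consent-gated loading of third-party scripts. Nothing third-party is fetched,
// and therefore no third-party cookie is set, until consent for its category exists.
// Constructed example: categories, storage-free design and URLs are assumptions.

const pendingLoaders = new Map();    // category -> loader functions held back
const grantedCategories = new Set(); // categories the visitor has opted into

// Register an integration under a consent category. Loads immediately if that
// category is already granted, otherwise parks the loader. Returns whether it ran.
function registerThirdParty(category, loader) {
  if (grantedCategories.has(category)) { loader(); return true; }
  if (!pendingLoaders.has(category)) pendingLoaders.set(category, []);
  pendingLoaders.get(category).push(loader);
  return false;
}

// Called by the consent UI. Runs every parked loader for the granted categories
// and returns how many loaders ran.
function grantConsent(categories) {
  let ran = 0;
  for (const category of categories) {
    grantedCategories.add(category);
    for (const loader of pendingLoaders.get(category) || []) { loader(); ran += 1; }
    pendingLoaders.delete(category);
  }
  return ran;
}

function hasConsent(category) { return grantedCategories.has(category); }

// Browser-side helper: the <script> tag is created only when called, so the third
// party gets no chance to run (or set cookies) earlier. Guarded so it also runs
// outside a browser (returns null there).
function injectScript(src) {
  if (typeof document === 'undefined') return null;
  const s = document.createElement('script');
  s.src = src; s.async = true;
  document.head.appendChild(s);
  return s;
}

// Two-click social button (heise pattern): the placeholder is rendered locally;
// clicking it is the consent, and only then is the real widget script loaded.
function onPlaceholderClick(category) { return grantConsent([category]); }

// Wiring as a site would do it (placeholder URLs, not real endpoints):
registerThirdParty('analytics', () => injectScript('https://analytics.example/tag.js'));
registerThirdParty('social', () => injectScript('https://social.example/widget.js'));
```

Everything above the consent call stays first-party; a blocked loader never runs, which is the property to verify (with the browser's network panel) rather than trusting a cookie banner.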

Post

What I don't get is how come all the small developers are having to email everyone asking them to opt into newsletters etc, but the larger companies seem able to just get away with an email telling you they "respect your privacy, but if you agree with our Privacy Policy, there's nothing you need to do".
