
Thread: GDPR stuff

  1. #1

    Join Date
    May 31, 2011
    Posts
    3,831

    GDPR stuff

    Creating this thread to collect tricks, stories around GDPR, as I didn't see a fitting existing thread.

    If you deal with websites in one form or another, you might be interested in Embetty by the folks of the c't computer magazine (as in "dead wood"). It was formerly published as "Shariff".

    The tl;dr of this project: Embed all those Twitter/FB/etc. "Share" buttons into your websites without enabling them to track your users by just simply visiting your site.

    @Mods: feel free to give this thread a more fitting name.

  2. #2

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,138
    Oooh a GDPR thread. good call.

    Here's a question:
    We, the IT department, receive a data disclosure request from a staff member, so we create an archive of every email with their name, email address, or login name in it for them. Due to the nature of email it's 154 GB and contains 127,000 unique items.

    1. There could be emails in there which contain sensitive information not relevant to the staff member's request. Is it normal, or even legal, to ask them to sign a NDR before releasing the data?

    2. Are we, the IT department, under any form of legal obligation to clean, index or tidy the data in any shape or form, or can we just say "here's your archive now fuck off" and leave them to worry about how to move a 154 GB pst file about, mount it, index it etc.?
    Please don't teach me what to do with my pc.

  3. #3

    Join Date
    April 13, 2011
    Posts
    6,184
    Quote Originally Posted by Itiken View Post
    2. Are we, the IT department, under any form of legal obligation to clean, index or tidy the data in any shape or form...
    Yes. You need to be scrubbing any third party PII irrelevant to the SAR from the data bundle you're sending out. Essentially this means you're ok to copy over any emails sent to or from the data subject, as they were involved and already have that information, but need to be much more careful when handling emails _about_ the data subject (e.g. between managers, HR, IT etc.). There will be inevitable scenarios where even masking the PII will not mask the identity, in which case it is probably unreasonable to hand over this content, and you've got a handful of exceptions to apply that prevent you from handing over data.

    You're also well within your rights to not hand over the contents of the emails if the emails aren't relevant to the subject themselves; an email address is not inherently PII so unless the contents contain the subject's PII it's none of their business - they're the property of the employer.

    You have 40 days to do all of this.

    This is why businesses should really strongly consider auto-deleting all emails after 3-6 months maximum. They're a legal nightmare.
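    The triage elmicker describes (emails sent to or from the data subject go in the bundle, emails merely about the subject need review and masking of third-party PII) is easy to script. The following is an added example, not code from anyone in this thread; the mailbox, the subject's address and name are all constructed here for illustration.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample messages (RFC 5322 text, not real mail).
SAMPLE_MESSAGES = [
    "From: alice@example.org\nTo: jane.doe@example.org\nSubject: project\n\nHi Jane, see attached.\n",
    "From: manager@example.org\nTo: hr@example.org\nSubject: promotion round\n\nWe discussed Jane Doe's case today.\n",
    "From: it@example.org\nTo: ops@example.org\nSubject: patching\n\nServers patched.\n",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _addresses(msg, *headers):
    """Lower-cased set of addresses found in the given headers."""
    pairs = getaddresses([str(msg.get(h, "")) for h in headers])
    return {addr.lower() for _, addr in pairs if addr}


def triage(raw, subject_addresses, subject_names):
    """Classify one message for a SAR bundle.

    'participant': subject is a sender/recipient -> can be copied over as-is.
    'review':      subject is only mentioned -> manual review, third-party PII masked.
    'exclude':     no reference to the subject at all.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if _addresses(msg, "From", "To", "Cc", "Bcc") & {a.lower() for a in subject_addresses}:
        return "participant"
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    if any(name.lower() in text for name in subject_names):
        return "review"
    return "exclude"


def triage_mailbox(raw_messages, subject_addresses, subject_names):
    """Bucket message indices by triage result."""
    buckets = {"participant": [], "review": [], "exclude": []}
    for i, raw in enumerate(raw_messages):
        buckets[triage(raw, subject_addresses, subject_names)].append(i)
    return buckets


def redact_third_parties(text, subject_addresses):
    """Mask every email address that is not the data subject's own.

    Masking addresses is only a first pass: names and context can still
    identify third parties, which is why the 'review' bucket stays manual.
    """
    keep = {a.lower() for a in subject_addresses}
    return EMAIL_RE.sub(lambda m: m.group(0) if m.group(0).lower() in keep else "[redacted]", text)
```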

  4. #4

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,138
    The person invoking the request is convinced there was a conspiracy between senior management to prevent him from gaining any promotions, so is using the request to trawl through emails to back up his paranoid fantasy.

    So wants every email his name appears in.

    Now you lay it out a little, I'm not convinced he's doing it right, but I could be mistaken, since an email with his name in, discussing him, isn't necessarily his personal information / property.
    Please don't teach me what to do with my pc.

  5. #5
    Keckers's Avatar
    Join Date
    July 31, 2012
    Posts
    16,082
    Any news about the complaint that was immediately filed against facebook, google, amazon etc on May 25th?
    Quote Originally Posted by Paul Mason
    It is absurd that we are capable of witnessing a 40,000 year old system of gender oppression begin to dissolve before our eyes yet still see the abolition of a 200 year old economic system as an unrealistic utopia.

  6. #6

    Join Date
    April 13, 2011
    Posts
    6,184
    Quote Originally Posted by Itiken View Post
    since an email with his name in, discussing him isn't necessarily his Personal information / property.
    If it's got his name in and it isn't covered by one of the exemptions you're pretty shit out of luck. The SAR process was designed exactly for this purpose.

    Quote Originally Posted by Keckers View Post
    Any news about the complaint that was immediately filed against facebook, google, amazon etc on May 25th?
    Not yet. It'll take time. It's being run by a new group called NOYB, who will happily keep you informed of and fight for your rights. Another one to watch is ICANN suing a German registrar for not harvesting and sharing personal data. Yeah, that's a thing.

  7. #7

    Join Date
    May 31, 2011
    Posts
    3,831
    Quote Originally Posted by Itiken View Post
    Here's a question:
    We, the IT department, receive a data disclosure request from a staff member [...]
    That part irritates me a bit. Such a request would go to your DPO (Data Protection Officer), who then might hand the technical task to collect the data over to you guys in IT. But you receiving the request directly makes me wonder if that's appropriate.

    [Added]
    I just realized that we need to keep in mind that, as with every EU regulation, it's up to the countries to write the actual law applying to it, so the implementation may differ from country to country. Scratch that, see elmicker's reply below.

    Quote Originally Posted by elmicker View Post
    Quote Originally Posted by Keckers View Post
    Any news about the complaint that was immediately filed against facebook, google, amazon etc on May 25th?
    Not yet. It'll take time. It's being run by a new group called NOYB, who will happily keep you informed of and fight for your rights. Another one to watch is ICANN suing a German registrar for not harvesting and sharing personal data. Yeah, that's a thing.

    To add to that: noyb.eu is founded and headed by the Austrian Max Schrems who sued FB a couple of years back and fought his way through Austrian/EU courts and finally won that case.

    As soon as I caught wind of that new NGO, I donated to them, because besides the above international targets, they also intend to go after the Schufa (German). The Schufa is the de facto almighty German scoring agency.
    Last edited by Hel OWeen; May 30 2018 at 03:35:37 PM.

  8. #8

    Join Date
    April 13, 2011
    Posts
    6,184
    No, European directives have national implementations. European regulations are law in and of themselves.

  9. #9
    Daneel Trevize's Avatar
    Join Date
    April 10, 2011
    Location
    T L A
    Posts
    12,328
    IIRC the UK has a slightly differing implementation in law, to preempt Brexit and ensure the same rules p much carry over regardless.

    FHC probably wants to finally ditch those shitty embedded twitter comments, that don't show at all if you have decent ad/tracking blocking.
    Quote Originally Posted by QuackBot View Post
    Idk about that, and i'm fucking stupid.

  10. #10

    Join Date
    April 13, 2011
    Posts
    6,184
    We don't yet, but will. We're still an EU member state.

  11. #11

    Join Date
    May 31, 2011
    Posts
    3,831
    Quote Originally Posted by elmicker View Post
    No, European directives have national implementations. European regulations are law in and of themselves.
    Aha, interesting. I wasn't aware of that difference.

    Thanks for pointing that out.

  12. #12

    Join Date
    April 13, 2011
    Posts
    6,184
    Quote Originally Posted by Hel OWeen View Post
    Quote Originally Posted by elmicker View Post
    No, European directives have national implementations. European regulations are law in and of themselves.
    Aha, interesting. I wasn't aware of that difference.

    Thanks for pointing that out.
    Yeah, it's one of those quirks most people don't know. It'll lead to complexity in this case because GDPR, a regulation, incorporates the ePrivacy Directive. This means despite being a regulation there will be national variances.

    It's also why the snake oil merchants declaring that the sky will fall are talking shit. Most of the GDPR existed in the prior data protection directive. We just ignored it because the max fine was like 50k eur.

  13. #13
    Saul's Avatar
    Join Date
    April 10, 2011
    Posts
    2,244
    I thought the eprivacy changes hadn't gone through yet?

    Surprisingly, GDPR is the least of my worries. China RoHS, on the other hand... just fucking kill me.

  14. #14

    Join Date
    April 13, 2011
    Posts
    6,184
    The ePrivacy Regulation (ePR) is the GDPR-compatible* update to the current and existing ePrivacy Directive and doesn't yet exist. The ePD still very much exists. ePR, in addition to harmonising with GDPR, will principally concern itself with explicit protection of technical metadata. Something Google and Facebook are really, really not happy about. It's stuck in legislative hell at the moment so I wouldn't expect to see it for at least another 2-3 years. If we're talking in the strictest terms, the ePR won't actually be doing anything new with metadata - GDPR makes it clear that metadata should be considered PII if it can be de-anonymised (it can always be de-anonymised) - but it will remove any ambiguity.

    *For the interested, the perceived incompatibility lies in the ePD's judicious use of implied consent - those annoying clickthrough "WE'RE USING COOKIES YO" banners you see everywhere - and the GDPR's redefinition of consent as unambiguous, positive and optional. There are similar perceived incompatibilities in the ePD's allowances for digital marketing. I say perceived because they're not really incompatible, you're just typically handling multiple definitions of "consent" or different justifications for the same purpose. For example you might be relying on the implied consent allowance to place cookies as per the ePD but the legitimate purposes justification to place the same cookies under GDPR. It's an annoyance.
    Last edited by elmicker; May 30 2018 at 06:39:13 PM.

  15. #15
    Saul's Avatar
    Join Date
    April 10, 2011
    Posts
    2,244
    Right yeah that tallies with what I've read so far. This has mostly been handled by IT at group level but I have to audit it locally (like I don't have enough to worry about) so am only now starting to wrap my head around it all.

    Worryingly the local implementation relied on a fairly content-light 'how to' book and absolutely no actual reading of the regulation itself. I read EU regs/standards on an almost daily basis these days so am currently about 2/3rds of the way through the first read. I've already pushed through a ton of extra documentation and exposed several holes in the data map so looks like it's gonna be a long year. Epriv stuff is next on the list.

    As to the 'fucktons of gigs of emails' SAR, that's fucking terrifying. I struggle to think how we would do this if it happened to us. Also does it really still apply if it's the subject's name in other people's emails? That's not something I'd really considered and sounds like an astonishingly huge back door into exactly that kind of fishing request (with potentially massive implications).
    Last edited by Saul; May 30 2018 at 10:13:04 PM.

  16. #16

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,138
    Quote Originally Posted by Hel OWeen View Post
    Quote Originally Posted by Itiken View Post
    Here's a question:
    We, the IT department, receive a data disclosure request from a staff member [...]
    That part irritates me a bit. Such a request would go to your DPO (Data Protection Officer), who then might hand the technical task to collect the data over to you guys in IT. But you receiving the request directly makes me wonder if that's appropriate.
    I was paraphrasing. It's come to us via the DPO.
    Please don't teach me what to do with my pc.

  17. #17
    Donor erichkknaar's Avatar
    Join Date
    April 9, 2011
    Posts
    10,279
    Quote Originally Posted by elmicker View Post
    Quote Originally Posted by Itiken View Post
    2. Are we, the IT department, under any form of legal obligation to clean, index or tidy the data in any shape or form...
    Yes. You need to be scrubbing any third party PII irrelevant to the SAR from the data bundle you're sending out. Essentially this means you're ok to copy over any emails sent to or from the data subject, as they were involved and already have that information, but need to be much more careful when handling emails _about_ the data subject (e.g. between managers, HR, IT etc.). There will be inevitable scenarios where even masking the PII will not mask the identity, in which case it is probably unreasonable to hand over this content, and you've got a handful of exceptions to apply that prevent you from handing over data.

    You're also well within your rights to not hand over the contents of the emails if the emails aren't relevant to the subject themselves; an email address is not inherently PII so unless the contents contain the subject's PII it's none of their business - they're the property of the employer.

    You have 40 days to do all of this.

    This is why businesses should really strongly consider auto-deleting all emails after 3-6 months maximum. They're a legal nightmare.
    Hi thar, hope you don't do R&D or have to comply with SOX as well.
    meh

  18. #18

    Join Date
    April 13, 2011
    Posts
    6,184
    Quote Originally Posted by erichkknaar View Post
    Hi thar, hope you don't do R&D or have to comply with SOX as well.
    Yeah that has nothing to do with email retention. In fact if you're going to just sit on the buggers in your exchange server you're going to have a tougher time complying than if you've got a robust classification, filing and disposal system that forces people to clear out their inboxes. That's why you can't move for the likes of Boldon James in financial services.
    Last edited by elmicker; May 31 2018 at 09:18:13 AM.

  19. #19
    Donor erichkknaar's Avatar
    Join Date
    April 9, 2011
    Posts
    10,279
    Quote Originally Posted by elmicker View Post
    Quote Originally Posted by erichkknaar View Post
    Hi thar, hope you don't do R&D or have to comply with SOX as well.
    Yeah that has nothing to do with email retention. In fact if you're going to just sit on the buggers in your exchange server you're going to have a tougher time complying than if you've got a robust classification, filing and disposal system that forces people to clear out their inboxes. That's why you can't move for the likes of Boldon James in financial services.
    I got a chance to walk through one of the big Sun archival tape "rooms" once, on a visit to Broomfield. Real "This would kill me if it started moving" scenes.

    Discovery for patent defenses etc. is also fun.
    meh

  20. #20
    Saul's Avatar
    Join Date
    April 10, 2011
    Posts
    2,244
    Following up the 'fucktons of emails' SAR, I checked with our team today and they don't think that the email dump is necessary at all. Use of the subject's name does not mean the subject owns that data, and to provide others' emails that simply happen to have his name would potentially constitute a breach of someone else's privacy. I think the most we would provide in that scenario is the metadata, the reason the emails were processed (legitimate company interest) and the rest of the non-problematic data.

    How correct that approach is I don't know, however I struggle to believe that provision of the full email dump is required by the regulation. It seems nonsensical.

    Seems you guys know this better than me so how correct does that sound to the DPOs and implementers here? I'm going from memory and am pretty tired so don't crucify me if I missed a bit or got it slightly wrong...
