Where's the problem? To me it shows what an excellent job the creation of the GDPR was. It makes companies think in depth about the data they hold on me and how they process it. It also provides clear ways to question and challenge it.<p>I've seen a number of articles trying to frame the GDPR as some kind of shambles. The shambles is the way too many companies have abused and mis-processed the data for too many years, and somehow the EU lawmakers are bureaucratic imbeciles. Yet everyone I know is fully in favour of this as consumers.<p>And, for context, I am the person who will have to deal with these at our company. Our customers are absolutely entitled to expect us to process their personal information in a responsible manner, and I hope a number of these letters are sent to every company; it's about time there was a power shift in this area.
If you get a letter like this, reply in plain language:<p>Given that the "requests are complex or numerous", I will be responding within three months as recommended by the ICO[1]. Have a nice day.<p>You now have plenty of time to deal with it properly.<p>If you have a lot of data on someone, you can enumerate the categories (1) and then request they break it down (specifically request 1c; see Recital 63[2] of the GDPR for the exact language). Almost everything else should be in your privacy policy anyway.<p>If you do not have a lot of data on someone, then three months should certainly be enough time to properly respond to this.<p>Most businesses do not have any personal data on anyone beyond what you need for an invoice. If you have a dedicated CRM that contains leads of potential customers, or you use an online service like SalesForce, you can probably get their support in complying.<p>[1]: <a href="https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/" rel="nofollow">https://ico.org.uk/for-organisations/guide-to-the-general-da...</a><p>[2]: <a href="http://www.privacy-regulation.eu/en/recital-63-GDPR.htm" rel="nofollow">http://www.privacy-regulation.eu/en/recital-63-GDPR.htm</a>
It's not baking security/privacy in from the start that's the problem, it's the need to have a "compliance officer" and to handle these requests. Small companies don't have time or resources for this.<p>Look at the American Disabilities Act, an act that has done enormous good in many ways, but that has also led to an entire industry of lawyers hassling tiny businesses over insignificant infractions. (e.g. <a href="https://www.mercurynews.com/2016/04/10/serial-ada-lawsuit-filer-striking-bay-area/" rel="nofollow">https://www.mercurynews.com/2016/04/10/serial-ada-lawsuit-fi...</a>)<p>Startups in the US won't have this hassle. You don't have to serve EU customers to reach mid-size/product-market fit; you can concentrate on iterating on your core product. When it's time to scale, then you can look at GDPR. So limited resources stretch further.<p>But if the lawyers in Europe start becoming a nuisance to startups there, it's just going to force more and more services to be located overseas, and more and more government complaining about the dominance of overseas tech, a problem they're probably going to make worse.
The reason why this is such a great letter is because it questions the competence of the recipient DPO. The data subject has a right to <i>some</i> of the information, but by no means all of it.<p>If the DPO complies with all of it, they will breach the GDPR (e.g. Request 9b). Of course a data subject also has no right to know what security controls (request 8) you have in place, other than they are 'commercially reasonable'.<p>A regulator can require this information, but not a consumer (data subject). This could be the basis of a great interview test for selecting your DPO.
Technical types seem naively optimistic about how GDPR is going to work out.<p>Businesses will do enough to pass the sniff test of proper compliance with GDPR, and no more. I've worked with enough to know most mid sized orgs are far too reactive, too technically incompetent, and far too busy making money to do a proper job on adhering. Most flout existing laws already, I don't think they'll be scared of disregarding elements of this too.
Reading this actually makes me feel pretty good. My team &amp; I have been working on GDPR tooling for our app for the past couple of months &amp;, combined with the fact-sheets we've prepared, answering such a letter while complying with the individual's rights would be pretty straightforward.
It seems to me that this letter is similar to a denial of service attack in the way that, although a valid request, it places an impossible burden on the recipient.<p>If so, the GDPR is similar to a broken protocol.<p>Maybe the people who designed it assume that it will never be misused. Anyone with experience designing protocols could tell them how dangerously naive that is.
What provisions are there in place for a company receiving this type of request to confirm the identity of the requesting party? Are companies expected to be able to properly identify a citizen, in order to not disclose possibly very sensitive information to someone else impersonating them? In a lot of cases the company might not even have enough information stored in order to know who the owner of a given account is. How do you prove "abc123@example.com" is Mr. Smith, if your service doesn't ask them for names? Or if it does, which Mr. Smith do you have on record? The original sender of an email can be spoofed.<p>The first thing I'd do if I was a black hat type attacker would be to submit GDPR information requests to all internet companies I could think of on behalf of all my targets.
What frustrates me the most about the GDPR is that a single person building a mailing list for a $19 ebook launch is just as affected and burdened as any other company. A side-business that might make you $30,000/yr is now no longer worth pursuing because of the costs of working with a lawyer to make sure you are GDPR compliant and have all of the right policies in place.<p>It raises the barrier to entry for small one person businesses even more, forcing out anyone who can't justify the costs of compliance.
The comments are an eye opening experience, amazed to see how so many people think they don't have a huge responsibility to the owner of personal information. More of a reason why GDPR is needed.
If this kind of request is a "nightmare" or too much of a burden, they should automate it.<p>"We put lots of engineering effort into mining your personal data and selling bits to other people, but we can't be bothered to put any engineering effort into disclosing on your profile or account-settings page what we're doing with your data."<p>A lot of the questions are answerable generically (no differences between users). You can't tell me that writing a data privacy FAQ with those answers in clear, simple language, once, with a link on every page and on users' profiles, is an excessive burden. These companies just <i>don't want to</i> have even that minimal burden and process to ensure that changes in usage of personal data get documented and updated on such a faq.
There's a different "nightmare letter" in the US, one that ordinary citizens receive. It comes from a credit agency or a company that uses a credit agency. The letter informs folks that they have been the victim of a data breach and that their personal data "may have been accessed." The nightmare letter provides little meaningful detail beyond that.<p>The letter is sent via regular snail mail and arrives months after the actual data breach occurred. The letter is largely devoid of any meaningful recourse for the victim. It does however offer "free credit monitoring" for up to 1 year by the same agency that displayed complete disregard for security.<p>If compliance and accountability with people's data especially when they are not permitted to opt out of such a system constitutes a "nightmare" then perhaps those companies should rethink parts of their business model.
This is basic cyber security stuff and I get these questions from customers almost daily. If you are going to be in the business of using people's personal information then you need to be prepared to answer these questions.
My business takes credit card payment information from users. But it doesn't store that information - it just forwards it to Stripe.<p>So if a user asks me for details of all her personal information, do I have to go to Stripe and say, "Please give me the credit card information you have on Jenny Smith"? Or do I say to the user, "Please contact Stripe directly - your Stripe customer ID is cus_34534985798243"?
Simple question: if I just want to not make my business available to subjects that fall under GDPR regulation (so that I don't have to worry about it at all), would putting up a disclaimer that you have to accept before entering the website be enough? I was thinking about something similar to how many sites that deal with alcohol content, for example, make you confirm that you are 21 or older by clicking on a button before you get access to the website.<p>Please, refrain from sidetracking to things like "well, you wouldn't worry about it if you built everything with GDPR in mind in the first place". That's not what I was asking.
This is all good, and consistent with GDPR’s attempt to reframe data as a liability rather than an asset. The first months and years are going to be painful, but eventually companies will adapt to the new normal.
All those people who complied with the 1995 regulation and in the UK the subsequent 1998 Data Protection Act that passed it into law must be feeling a bit smug about this, as they will have this process in place already.<p>The new General Data Protection Regulation is a welcome incremental update, which brings in much better methods of enforcement against the cross-border nature of large data processors. Facebook of course were not around in 1995.<p>I also welcome the need for explicit plain language privacy terms. Any law that pushes out legalese must be welcome.
...and how is wanting to know what a company has about you a bad thing? I'd be worried if a company cannot answer this, because that means they haven't got a handle on what data they store, which means that when they get hacked, they wouldn't know what got taken!<p>EDIT: grammar (got -> get)
One interesting part about this is that it's a letter, and the author never explicitly mentions that it was sent in an email. Assuming this letter arrives in the post one day, what do you do? Ask them to email you for verification? Send you one of their 2FA codes? What if your site doesn't have a login? Can they send you a screenshot of their IP address as verification?<p>I get why the EU didn't want to overly specify the method, but it creates a lot of uncertainty about what processes are allowed/required. And with the pressure of gigantic fines on the line, it seems like GDPR opens up a significant vector for stealing other people's information via GDPR requests.
Sorry, this is off topic, but I would really like to read the article but it asks me to create a LinkedIn account to read it and I am not comfortable with that. Is that the only way to read it?
How do you think Hacker News (this site) would react to such a letter, and what do you imagine a likely response would be?<p>Would all of a user's comments be classed as personal data? Would just pointing at the website be enough to satisfy the request for a copy?
How do you reply <i>safely</i> to such a data request? I mean, this could have been written by an impersonator. And even if you can verify the identity, you still need to send sensitive information somehow.
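The identity problem raised in several comments above (an impersonator writing the letter, a service that only knows an email address, and the question of how to deliver sensitive data safely) can be handled with a challenge sent to the contact channel already on record rather than to whatever return address the letter carries. The following is an added example, not code from the thread or from any product mentioned in it; the account store, the 30-minute token lifetime and the `send` mail hook are all assumptions constructed for the illustration.

```python
"""Challenge-response verification for a data subject access request.

Added example (not from the thread). A request that claims to come from
the holder of an email address is answered only after a one-time token,
sent to the address already on record, is presented back. Data is then
released over that verified channel, never to the letter's return address.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumption: a 30-minute verification window

# Constructed sample account store: email on record -> data held about it.
ACCOUNTS = {
    "abc123@example.com": {"name": None, "orders": ["ord-1", "ord-2"]},
    "jenny@example.com": {"name": "Jenny Smith", "orders": ["ord-7"]},
}

# Pending challenges keyed by sha256(token): only the hash is stored, so a
# leaked copy of this table cannot be replayed as a token.
_pending = {}


def open_request(claimed_email, now=None, send=None):
    """Start verification for a request that claims `claimed_email`.

    The acknowledgement is identical whether or not the address is on
    record, so the requester learns nothing from the reply itself. A token
    is generated and handed to the hypothetical `send(email, token)` mail
    hook only when the address exists, and it goes to that address, not to
    the requester.
    """
    now = time.time() if now is None else now
    if claimed_email in ACCOUNTS:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        _pending[digest] = (claimed_email, now + TOKEN_TTL_SECONDS)
        if send is not None:
            send(claimed_email, token)
    return "If we hold data for that address, a verification link has been sent to it."


def verify_and_release(token, now=None):
    """Return the held data if `token` is valid and unexpired, else None.

    The token is single-use: it is removed from the pending table on any
    lookup, valid or not, so an expired token cannot be retried later.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # The key is a hash of a high-entropy random token, so a plain dict
    # lookup leaks nothing useful through timing.
    entry = _pending.pop(digest, None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return {"email": email, **ACCOUNTS[email]}


if __name__ == "__main__":
    outbox = []
    print(open_request("jenny@example.com", send=lambda e, t: outbox.append((e, t))))
    print(open_request("nobody@example.com", send=lambda e, t: outbox.append((e, t))))
    print("messages sent:", len(outbox))
    print(verify_and_release(outbox[0][1]))
```

Two points carry over to a postal letter as well: the challenge goes to a contact the service already holds (an account email, a login session, a second factor), not to a return address supplied in the request, and the generic acknowledgement means a letter naming an address the service has never seen is answered exactly like one naming a real customer.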
That looks excellent. Handling personal data is something that services should prefer not to do and if requests like this are a "nightmare" then hopefully the web will become a better place again.
I wonder if the end result of all of this is going to be an increase in the construction of data centers close enough to the EU to serve it properly, but outside its jurisdiction entirely. In Africa, for example, or perhaps a post-Brexit UK.<p>It seems that being close to Europeans without being subject to EU law is going to be a big advantage going forwards.
Have I Been Pwned is going to hit 5 billion breached accounts any day now. If the GDPR pushes back against this kind of thing, all the better.<p>If the GDPR makes it harder to found a startup for the sole purpose of collating and monetizing people's personal data, I'm not too upset either.<p>If a company suffers a data breach and cannot answer all of point 7 in the linked page, I'll leave it to the lawyers whether this is negligence, but I'm inclined towards "yes" myself.<p>The moment you want to process any credit card data, you're already bound by regulations with teeth: the PCI-DSS. That's why in several recent data breaches one of the first things you read on the breach notification was "no payment card data was affected", suggesting that it's less important to the company if they lost "only" personal data. Bring on the GDPR.
Most of this information could be made accessible to the end user via a personal dashboard and knowledge base.<p>GDPR will have broad implications. If you're not designing your services to be compliant there will be consequences.
I’m surprised nobody has mentioned that being forced to provide personal data on request does not in any way reduce the risk of personal data being misused.<p>What’s the damage consumers are being protected from, exactly?
Companies make millions and billions off data naively or knowingly given up for free. So, I weep. /s<p>And if this becomes more than the odd request, build it into your processes. If you can identify me "as me" to your advertisers and other data customers, you can certainly do that for me.<p>Or just do what other businesses do: pay off a few legislators to change the law, or a lobbying firm or association. If you have the money, pay to make this a patriotic move. That's how democracy works. /s
I would be willing to pay $10 to see the advice of a lawyer about how to respond to each question in the letter. Is this something that could be crowd-funded?<p>Edit: Why are people downvoting this?
Just because you are small does not mean not doing the right thing is something you should get away with. I see a lot of comments about how doing the right thing can be a burden. However, I see it the other way. Not doing the right thing is a burden you have to carry with you every day. GDPR is helping you with guidelines on how to shed that burden. I do not know how and won't imagine it is easy, but I wish something in our existing socio-economic systems would slowly edge towards making 'doing the right thing' a significant variable that everyone has to care about for their own wellbeing and prosperity.
This is a useful exercise and not as scary as I expected. I'll bet this will be used as a template for requestors.<p>Which makes me wonder about these requests en masse as a form of activism.
This type of SAR request (even milder ones) is of course impossible to handle manually. <i>Self-assessment</i>, the way most companies decided to handle GDPR, isn't much help here. How do you automate personal data discovery, especially for already existing data?<p>Funnily, the biggest fear companies have regarding GDPR and SAR does not originate from "Mr. I. Rate the customer", like in this article. It comes from disgruntled employees ratting on the company. Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage. GDPR introduces a whole new dynamic.<p>This may be a good place to shamelessly plug a tech we developed (Show HN!) for automatically locating personal data across corporate resources: <a href="https://pii-tools.com" rel="nofollow">https://pii-tools.com</a><p>Personal data discovery is but a small piece in the compliance puzzle, but a piece that is critical to understanding what sensitive data is even out there: CVs with photos in backups? Scanned passports in attachments of email archives? Names and addresses in database tables? How about S3, Azure, GDrive?<p>Let me also add that there's no shame in not having a comprehensive view of all the corporate personal data inventory. Larger companies grow their resources organically, through acquiring other companies and separate business units doing their own thing. It is a complex problem, but one where technology can help.
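The comment above asks how personal data discovery over existing files can be automated. The following is an added example written for this thread; it is not code from pii-tools or any other product mentioned here. It scans a constructed set of in-memory text files for a few illustrative categories (email addresses, E.164 phone numbers and payment card numbers, the last filtered with a Luhn checksum to drop long numbers that merely look like cards) and reports where each category occurs while masking the values, so the scanner's own output does not become another copy of the data it was looking for. The file contents and patterns are assumptions; a real scanner needs many more patterns and handlers for binary formats.

```python
"""Personal data discovery over existing text resources (added example).

Not pii-tools code. Scans {path: text} for a few categories of personal
data, drops card-like numbers that fail the Luhn check, and reports counts
plus masked samples per resource. Sample files and patterns are constructed
for the illustration.
"""
import re

PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone_e164": re.compile(r"\+\d{10,15}\b"),
    # 13-19 digits, optionally separated by spaces or dashes; verified below.
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Constructed sample resources, mirroring the kinds of places the comment
# lists: a backup export, an email archive, and an unrelated document.
FILES = {
    "backups/crm-export.csv": "name,email,phone\nJenny Smith,jenny@example.com,+441632960123\n",
    "mail/archive/2017-03.txt": "From: bob@example.org\nPlease charge 4111 1111 1111 1111 for the invoice.\n",
    "docs/readme.txt": "Build with make; version 1234567890123 is the last one.\n",
}


def luhn_ok(digits):
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four characters so reports do not leak the value."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(text):
    """Return {category: {"count": n, "samples": [masked, ...]}} for one text."""
    found = {}
    for category, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0).strip()
            if category == "card_candidate":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_ok(digits):
                    continue  # long number with a bad checksum: not a card
                category, value = "payment_card", digits
            entry = found.setdefault(category, {"count": 0, "samples": []})
            entry["count"] += 1
            entry["samples"].append(mask(value))
    return found


def scan_files(files):
    """Scan {path: text} and keep only the resources where something was found."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(FILES).items():
        for category, entry in hits.items():
            print(f"{path}: {category} x{entry['count']} {entry['samples']}")
```

The readme's 13-digit version string is deliberately included: it matches the card pattern but fails the checksum, so that file does not appear in the report at all. Masking in the report matters for the same reason the comment gives for inventories: a discovery run that writes plaintext findings to a log has just created one more place that holds the data.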
Hi Everyone, I am the Co-Founder of ECOMPLY.io. I thought about jumping in and helping you all out.<p>First of all, you need to understand whether you have customers in Europe. If yes, is data your everyday thing? If yes, then you need to comply with Article 30 first. Article 30 asks how many processes you have and how many of them have personal data involved, and then tells you to answer purpose, legal basis, category of personal data and deletion request.<p>I interviewed Mailjet about how they did it: <a href="https://ecomply.io/how-to-become-gdpr-compliant-insights-from-mailjets/" rel="nofollow">https://ecomply.io/how-to-become-gdpr-compliant-insights-fro...</a><p>Now, how to answer a Subject Access Request: once you're done with Article 30, i.e. records of processing activities, you'll know what, where and how you obtained that data, with the purpose and legal basis. This request will be difficult to answer then:<p>Here are the 10 steps you need to do: <a href="https://ecomply.io/10-critical-steps-to-general-data-protection-regulation-gdpr-for-smes/" rel="nofollow">https://ecomply.io/10-critical-steps-to-general-data-protect...</a><p>It's a piece of cake then.<p>Plus, you need to change your way of doing sales &amp; marketing in Europe: <a href="https://ecomply.io/pimping-up-your-sales-in-a-post-gdpr-world/" rel="nofollow">https://ecomply.io/pimping-up-your-sales-in-a-post-gdpr-worl...</a>
This looks like the mirror image for the requirements document for protecting PII. You may not need to be able to respond directly to every demand in the letter, but you should be able to have a watertight explanation of why not. "Burdensome" won't cut it.
I just had an awesome idea. Let's make keeping records of past information and actors encountered illegal if they don't want you to remember, while at the same time making it trivial for the same people to waste your time by demanding free consulting.
Be aware, this article is not a list of GDPR requirements. It is, however, a good list of questions that every business processing data in the cloud should be aware of. You need to be able to answer these questions.
Just remember there is a "go away†, this request is too onerous" get-out clause for GDPR requests. Just as there is a billable option for excessive queries.<p>Both options have to be reasoned —and the person making the request can squeal off to the ICO at any point— but in a letter like the linked one, I would find it hard to justify forensically picking through years of historical access data and not charge a fee for doing so.<p>Compliance regarding breach notification is forward-looking too, so all this nonsense about "has this ever happened" is outside the GDPR, as far as I can see, anyway.<p>† The GDPR contains no rules about being polite. If somebody made demands like this at me, I would be considerably less polite than my example there.
> 3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.<p>I wonder whether this includes police and TLAs.