
What's an example of a start-up collecting personal information, using it in a complex way that can't be summarized in a few paragraphs, but being unfairly burdened by this?

It doesn't have to be doing any of that. Just the time and money to have a lawyer review this letter and identify the actual obligations is already a significant burden. For example, notice that just replying with everything requested here would in itself potentially breach data protection law.



A lawyer? Don't you think that's just a tad excessive?


Maybe for routine requests, but not when you get a letter on a legal matter from someone who is clearly looking to cause trouble.


Making sure your company isn't screwing me over by throwing my personal information around willy-nilly isn't "looking for trouble".


Perhaps, but making sure a company isn't screwing you over by throwing your personal information around willy-nilly doesn't require opening with a direct threat and then listing 40 or so different demands for information, several of which are technicalities which have little relevance to determining whether or not the data is really being handled safely and responsibly anyway.

A normal person who really was worried about how their data was being used would probably write a polite letter asking what data was being stored, how it was being used, and maybe a couple of supplementary points if they had particular concerns or perhaps had heard a warning about some specific practice that could be dangerous.


Why do companies deserve the benefit of the doubt anymore?


Why are you getting lawyers to review the letter?


Because it's hard to correctly understand. That's the point of the letter: it's called the nightmare letter because it was specifically crafted to be as confusing and hard to understand as possible.


It's not hard to understand. It's only hard to understand if you've built your business around slurping people's data and using it without consent - something that's already mostly illegal in the EU.

A lot of GDPR is not new. It's just clarification of existing law.


Not true. You're right in case of Germany and some other western countries, but it's completely new for most countries, especially to the east.


I think it's very clearly written. It's a nightmare letter because it ticks all the boxes, so to speak -- the author asks all possible GDPR-related questions he can ask and the business is legally required to respond to.


All you’re telling me is that your Agile Startup doesn't have:

1) an updated Asset Inventory

2) a Data Classification Scheme

3) Data Labeling Policy & Procedure

Those are basic components of an InfoSec 101 course taught by Community Colleges and the top basic items GDPR is wanting.


Yes, I can just imagine this is the first thing I'd do when starting a business. /s


Okay, that's fair.

Don't do those things when you start a business.

But, then, don't have your business collect and process data on individuals.


> Don't do those things when you start a business.

> But, then, don't have your business collect and process data on individuals.

Aren't those two statements together effectively equivalent to "don't ever start certain kinds of businesses"?


Yes. That's the policy goal. Don't start businesses that are inevitably going to hurt people.

There are lots of other profitable businesses you're not allowed to start, like "an agile, disruptive restaurant that cuts costs by never cleaning" or "an investment advisor that front-runs their own customers" or "a healthcare startup that runs on unpatched Windows XP" or "a company that helps you get work visas for nonexistent jobs" or whatever.


“Don’t do those things” isn’t advice here, it’s shorthand for “you can refrain from doing these things, but in that case....”

In other words, some businesses have requirements. If you don’t want to follow those requirements, don’t go into that business.


No, they say that you can either run a fly-by-the-seat-of-your-pants startup, or handle private data, but not both at the same time.

If you want to be entrusted with people's private data, then the table stakes are much higher than simply starting a business, and you have to be prepared to invest the time and resources to do it properly, or you're not allowed to do it at all.


Billing and marketing (such as double opt-in lists) data is private data.


No.

Don't start certain kinds of businesses without being willing to deal with the reasonable requirements of starting businesses of that kind.

If I start a biotech startup, then I need to make sure I'm keeping all health data I encounter well protected. This _does_ mean it's harder to start a business in this space—but not impossible.

If you're not willing to make that tradeoff, then don't start that kind of business.


We don't let you start a medical practice without licensing either.


That’s the goal.

My data is my data, not the fundamental requirement of some businesses.


I certainly respect your desire for no businesses to have certain pieces of your personal data, but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".

And beside that, regulations that effectively result in prohibiting certain kinds of businesses even though they don't explicitly do so are bad regulations IMO.


> but there's a difference between "I don't want to be a customer of certain kinds of businesses" and "such businesses shouldn't exist at all".

There are companies tracking the SSID of my phone with wifi beacons to find out which stores I was physically visiting. How do I opt-out of that?

Sorry to bring the tired "you're not the customer, you're the product" line, but the way the industry is set up today, I'm starting to doubt there is so much difference between the two options.

Tracking and data collection is baked into so many services nowadays that you'd have to be extremely attentive as a consumer to avoid any tracking - also be prepared to face a lot of inconveniences and restrictions. If possible at all.


I understand your sentiment, but we’ve swung so far towards the unrelenting abuse of consumer data, I’m supportive of regulation through any means necessary.

To your point, if a business is not explicitly banned, but banned because of regulation about what that business can do, that’s exactly the sort of regulation we want. We don’t dictate your business specifically, just what you can and can’t do with the data. If you can operate within those regulations, congrats!


* MAC, not SSID. Pardon.


If you don't have basic infosec when starting a business... Don't start a business. It's 2018. Companies get hacked for a ton of reasons, and it's ridiculous how badly companies exploit customer data and then fail to protect it. Companies need to be held liable for that.


GDPR does not, and government checklists can not, ever, cause companies to have acceptable infosec. Any attempt at security-by-bureaucracy is inherently doomed to failure. This is why business consulting groups’ “security” divisions are the butt of countless jokes among security researchers. No bureaucrat, executive, or politician can ever make enough forms and flow charts to secure data.


Exactly, GDPR is only asking for Security 101 Basics.

* Data Classifications

* Privacy Impact Assessments

* Log Reviews

* Incident Response


The GDPR is an EU regulation, but you appear to be adopting some US(?) based conventions and terminology, and then posting a string of buzzwords that have little if any connection to the subject at hand.

Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?


You probably need a lawyer to help you write the document the first time, and to update it when you make new partnerships or develop major new pipelines for data. You probably don't need a lawyer every time you receive such a letter.


> You probably don't need a lawyer every time you receive such a letter.

For routine enquiries, maybe not. For a letter like this, from someone who is clearly intending to trip you up and cause trouble, our lawyer is the first call I'm making, every time.

And that initial conversation is already going to cost me hundreds of pounds and a half-day of work, even if I already have reasonable answers to anything we are actually required to respond with under the GDPR here.


> For a letter like this . . . our lawyer is the first call I'm making

/shrug It's your money. You could do that, or you could even light it on fire if you wish. It's no skin off my back. If your company is profitable enough to eat this self-imposed overhead, then its owners will just make less money. If it's not, then leaner competitors will replace it. I'm fine with either outcome.


In this area, we have no idea which overheads are actually going to prove justified and which are just throwing money away. That's one of my main points here. As I've argued several times on HN recently, a big part of the problem is that if you're running a small business that isn't handling large amounts of personal data but obviously is going to be subject to the GDPR like everyone else, there is no clear indication of what you have to do to be considered reasonably compliant.

The GDPR itself is very heavy and has little in the way of moderation for small-scale data controllers/processors, so in practice it's going to come down to interpretation by regulators (and potentially anyone who has rights under the GDPR and wants to make trouble, as in the example we're discussing). If you don't do enough, you potentially face even greater overheads due to formal audits, financial penalties, etc. If you do too much, then as you rightly point out, you leave yourself at a disadvantage compared to competition who don't do as much (and this remains the case even if that competition is knowingly breaking the law as a result, and that in turn doesn't matter if they face no meaningful penalties for it).


> we have no idea which overheads are actually going to prove justified and which are just throwing money away

Life is risk. I contend that if you make a good faith effort to comply with this law (i.e. consult with a lawyer, once, to develop those eight documents you mentioned in another part of this thread) and generally practice good private information hygiene (wipe out old data, don't log private info, don't retain logs or emails too long, etc.), you're probably going to be fine. This is probably not going to be in the "inner loop" of risks your small business faces.

In every regulation, there are winners and losers. Some of the losers didn't do anything wrong, but are just losing because that's the nature of designing laws that factor in disparate interests. At this point, it's the law, and your only choice is how you're going to handle it. And my contention is that, if your small business is receiving letters like this with any regularity, calling a lawyer and spending half a day on it each time is not among the reasonable spectrum of risk-mitigating responses.


To be fair, the EU introduced a two-year transition period with the express purpose that businesses should update their processes and basically identify and prepare for potential problems such as this one.

This transition period is ending this summer. Why is this discussion taking place now?


I'm involved in a GDPR-compliance taskforce in our company, and I can answer this question.

GDPR is very broad and open to interpretations, which will happen only when someone gets caught, i.e. during the first legal battles.

So, the transition period does not really help, be that 2 years or 4. We need to see how this law is going to be enforced by regulators, and which common IT practices constitute breaking the law and which do not.


> This transition period is ending this summer. Why is this discussion taking place now?

Because no-one thought to inform most of the businesses affected by it before, and awareness has only grown in recent weeks (and even then probably only among business people who frequent forums like HN where the subject has come up).


> (and even then probably only among business people who frequent forums like HN where the subject has come up).

Every business I've worked with over the last couple of years of consulting has had sessions on GDPR entirely without any technically minded people having to bring it up.

I'm sure there will be people caught by surprise, but what I've seen has been very promising.


> Every business I've worked with over the last couple of years of consulting

OK, but if you're going into a business and consulting, that already suggests both a certain scale and a degree of awareness within those businesses, so this isn't likely to be a representative sample.


I'm not consulting on the GDPR, and my clients range from 2-person companies to 2000 people with most of them being much closer to the low end than the high, so while it certainly will be a biased selection in other respects (e.g. they're companies with a certain degree of technical complexity) I don't think it says much about awareness (other than already having more tech staff) or scale.

Additionally, most companies without much technical infrastructure are less likely to be affected much in the first place.


> there is no clear indication of what you have to do to be considered reasonably compliant.

This is just untrue. There are fucking reams of advice to small businesses.

https://ico.org.uk/for-organisations/resources-and-support/g...


Unfortunately, that guidance still doesn't provide specific, actionable advice in even a lot of everyday areas, as we've seen in just about every HN discussion on the GDPR in recent weeks when recurring themes like backups or log files or payment processing services come up.

Also, having "fucking reams of advice" is not a good thing. To be practically useful for the kind of organisation we're talking about, advice needs to be clear and concise. A starting point that will take days just to read through and understand isn't very helpful.


> Also, are you seriously suggesting that in response to a formal legal communication it's a good idea to reply without having input from a lawyer?

You don't need a lawyer to reply to GDPR letters. You do need to comply with the law when you collect personal data. What you're saying is "I should be free to ignore the law until someone writes to ask about my compliance, and when they do it's burdensome for me to get legal advice to respond to that letter".


I'm saying no such thing, and it's neither courteous nor constructive to twist words like that.

You keep asserting that it's not necessary to have a lawyer review a letter, despite the letter being legal in nature and in this case clearly coming from someone who is looking to cause trouble. Clearly you and I have very different attitudes to risk in this respect.

In any case, an obligation to comply with the law is self-evident. My objection is that the law itself is poorly implemented and that what is necessary to comply is ambiguous.


Everything you do with customers is legal in nature - what do you think governs your relationship if it's not legislation?

Your repeated scare mongering around GDPR is fucking tedious, especially since almost everything you've said about it is false.


> Everything you do with customers is legal in nature

But most interactions with my customers do not begin with a multi-page letter that literally opens with a direct threat and then proceeds to demand a response on 40 different points.

> Your repeated scare mongering around GDPR is fucking tedious

I run small businesses, and we have been dealing with GDPR issues. The ambiguity and overheads I have been talking about in this discussion are costing us time and money right now. Dealing with a letter like the one we're discussing would cost us more time and money. Apparently we aren't alone in these respects.

Some of the GDPR's supporters have argued that the lack of proportionality in the actual regulations is not a problem because the regulators will enforce it pragmatically. I have personally heard such arguments made about onerous EU rules before, and through my own businesses I have been on the receiving end of government mistakes and their rather unpleasant consequences. And again, that wasn't some freak unlucky event: thousands of other businesses are known to have been subject to similar problems, in more than one incident, involving more than one government authority.

A few people have suggested that involving lawyers in response to a letter like this is unnecessary. Clearly it's going to be a matter of risk assessment, but I don't think it's unreasonable. Once again, I have personally seen (at a former employer in this case) how much time can be wasted if a company gets caught up in formal legal proceedings even having done nothing wrong.

In short, there are people out there dealing with the issues you call "scare mongering" every day. These are not just hypothetical problems. Maybe you've never been caught up in them yourself, but sadly not everyone is that lucky.

> especially since almost everything you've said about it is false.

If you're going to call me a liar, please at least tell me what I've written anywhere in this discussion that was false so I can set the record straight.


Aren't those letters already pretty standard anyway? I was sending those to various places > 10 years ago using the existing privacy/data protection laws in the country I was a resident in.

(you get fun stuff back, I got all the logs from my public transit card that way)


You don't need a lawyer when you talk to the police, you just need to not break the law.


Well yes, if you've built a business around illegally using personal data you may need to get a lawyer involved.

It would be better to get the lawyer involved when you start your business so you know you're complying with the law.

And almost everything in GDPR comes from existing laws (in the UK, the Data Protection Act and PECR), so if you're breaking the law under GDPR you're probably breaking the laws that exist now too.


>Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.

Data Classification

>a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

Data Classification

>b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.

Asset Inventory

>2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.

Privacy Impact Assessment

>3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.

Privacy Impact Assessment

>a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.

Privacy Impact Assessment

>b. Please also identify which jurisdictions that you have identified in 1(b) above that these third parties with whom you have or may have shared my personal data, from which these third parties have stored or can access my personal data. Please also provide insight in the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.

Asset Inventory

>c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.

Access Control

>4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.

Data Retention

>5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.

Data Collection

>6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.

>7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

Breach Escalation

>a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.

Backup

>a. What technologies or business procedures do you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal data outside your company, through e-mail, web-mail or instant messaging, or otherwise.

Log Review

>c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.

Security Awareness Training

>8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO27001 for information security.

Get an ISO audit.


I'm sorry, but this comment reads like something written by an academic with no real world experience of data protection issues and running businesses at all.

> You should be able to provide this from a SQL query.

Please tell us all what that query should be, then, and how it's going to cover the relevant data stored in log files, emails, remote services used for payment processing, off-site backups, etc.

That's just a very minimal set of other places that almost any new online business is likely to be working with on day one.

Data Classification Plan

Asset Inventory Plan

Privacy Impact Analysis

Privacy Impact Assessment

Access Control Plan

Data Retention Plan

Data Collection Plan

Breach Escalation Plan

You're suggesting that in order to handle this kind of request -- which none of my businesses has ever received from anyone in many years of trading -- we should write up 8 different formal policies? These businesses probably don't have 8 different formal written policies in total at the moment. This is just totally detached from the realities of running small businesses, though it does reinforce my point about disproportionate burdens.

[The parent comment appears to have been edited after I wrote this. The terms above were in the original.]


>The parent comment

I wasn’t finished writing.

>we should write up 8 different formal policies?

Yes. That’s obvious.


You're making the parent's point. This is disproportionately burdensome to companies that don't have people dedicated to writing policies or lawyers dedicated to reviewing them.


Then refrain from collecting and processing data on individuals.


How is that a useful solution to anything? Almost any business will handle some form of personal data, and as such will have some degree of compliance overhead.

More overheads are generally bad for business. In the run up to Brexit, and given figures from the Chancellor's statement just this week showing relatively low productivity and growth in the UK economy, it's remarkable how many people don't seem to have a problem with increasing those overheads and thus negatively affecting the creation and growth of businesses.

There is a balance to be struck here. Protecting privacy is important, but not regulating in a way that introduces excessive burdens is also important.


If you want to collect and process data on individuals, then start implementing Security 101 basics:

* Data Classifications

* Privacy Impact Assessments

* Log Reviews

* Incident Response


An ISO audit takes how long and costs how much? Do you expect every company that handles email addresses (that's PII) to perform an ISO or SOC2 audit before accepting customers?


The answer every single time is:

A) You are using personal data in good faith as part of and don't need a lawyer. Just reply. I work for an organisation at the larger end of the SME scale and won't be using a lawyer. Like I don't use a lawyer for routine contractual disputes like debt collection until the debtor refuses to pay.

B) You are walking a fine line and relying on the exact wording rather than the spirit of the law. You are not acting in good faith and are trying to make money out of customer data. You need a consultancy firm and lawyers and you won't get any sympathy from me.

I'm not sure whether you are serious or this continues your repeated anti-EU comments on HN, Silhouette. I find it OT and I hope the moderators do too.


Option C is that the letter was written in bad faith, and the sender intends to "rely on the exact wording rather than the spirit of the law" in order to get me in legal trouble.


That's why the regulator can, must and will exercise judgement. They can't sue you for $bignum after getting your response, they can point the regulator towards you and claim that they've been abused, but if they are the abuser, then that's not going to fly.


Being the target of a government investigation is in and of itself an expensive process. You have to spend a bunch of time preparing your side of the story in exacting detail. You probably need to put a freeze on any changes which might make the regulator think you're trying to cover up previous misconduct.

And of course, if people find out you're under investigation, a lot of people are going to just assume you did something wrong. You won't be able to fix that no matter what the regulators conclude.


> I'm not sure whether you are serious or this continues your repeated anti-EU comments on HN, Silhouette.

To the extent that I am anti-EU in some respects, particularly around the areas of small businesses and excessive regulation, that is born of experience. As I have mentioned in previous comments, which apparently you might have seen, I have been on the wrong side of EU rules being over-zealously applied before, and I have been on the wrong side of a government regulator that is for most practical purposes above the law making a mistake before. Some things that some commenters tend to dismiss as hypothetical, I know from direct personal experience to be real threats, and I will challenge bad laws that allow scope for such threats to exist.

> I find it OT and I hope the moderators do too.

I'm sorry that you feel censorship is a useful response to someone with different experience and views to your own. I like to think that HN is a forum where people can discuss such differences of opinion openly and intelligently.


>I know from direct personal experience to be real threats

Access Controls, Data Classifications, and Privacy Impact Assessments requested by GDPR are not a threat.

That’s just security 101 basics.


No, the threat is having rules that are ambiguous and subject to interpretation by regulators with the power to at minimum cause serious disruption through a formal audit and at maximum impose fines that pose an existential threat to a small business.

And as I said elsewhere, if you think that threat is imaginary, please look at how many different national tax authorities have started large numbers of incorrect claims procedures against small businesses who had done nothing wrong just because the officials made mistakes with the new VAT rules and got their own records in a mess.


I'm pretty sure that most side businesses and microSaaS developers don't even know these terms.