The lady (or man) vanishes: The thorny issue of GDPR coding

Europe's General Data Protection Regulation (GDPR) is now less than a year away, coming into effect in May 2018, and any legal or compliance department worth its salary should already have been making waves about what it means for your organisation. As a technology pro, you know that these waves will lap up against the side of …

Anonymous Coward

"Using a single consolidated database that serves as the single source of information on data subjects does away with the whole gnarly problem of storing multiple records in different systems."

Giving one convenient point for a hacker to compromise to get everything?

Silver badge

One DB to rule them all, One DB to find them; One DB to bring them all and in the darkness bind them.

Silver badge

@AC

If you think having information scattered across multiple systems from multiple vendors is inherently more secure than having a single large store-house where you can focus all your defences and mitigation then you are sorely mistaken.

Silver badge

Re: @AC

GDPR and data protection are driven from different angles, but they all point to having the information in as few places as possible. As soon as you take a copy of data, it starts deviating from the original. No matter how hard you try or how much MDM you do, it will eventually deviate. Been shown to be true for decades.

So, you need to delete someone; what's easier than from a single place. You need to ensure your data is accurate; if it's in one place, you only have one place to look and different 'copies' can't be different. Securing a small number of DBs is always going to be easier and more effective than trying to secure many, including some you're probably only vaguely aware of. Etc., etc.

The proliferation of copies of data is one of the prime 'crimes' of IT today.


AE1B

That is just the AE1B design paradigm (all eggs in one basket) - what could possibly go wrong?

Silver badge

Re: AE1B

"what could possibly go wrong?"

You did not have a tested working & encrypted off-site backup?

Silver badge

Re: @AC

The proliferation of copies of data is one of the prime 'crimes' of IT today.

But your backups and archives are presumably going to be caught up by this legislation also. Be a nice job for someone cleaning out records from backup sets, do the geniuses in the EU specify how this is to happen?


Re: @AC

Is it even possible for tape backup?

Bronze badge

Re: AE1B

"You did not have a tested working & encrypted off-site backup?"

How are you going to delete people from the encrypted off-site backup?

Silver badge

This reminds me...

Heh, I actually listened to that film once... yes, _listened_. This was back in the tube-based B&W telly era, and ours just went completely dead. Dad and me ultimately figured out the CRT's heating filament gave up the ghost, so we shorted it out (so the rest of the tubes could warm up - all the filaments used to be in series...) and powered the box back up in "audio only" mode. Which is when we realised this film was on, having seen it before. This was in the entertainment-scarce commie years though, and we were so starved for any that we, well, sat down and... just watched it again with, erm, no picture...

Silver badge

How many decades ?

How long before 50% (let alone 100%) of companies comply with the regulations ?

For fun - just imagine 1% of the users of Microsoft products query M$ for the data that M$ hold on them (or the same for Google !!!).

How many firms are going to go back over their archival backups to delete individual's data ?

Accounting records have to be kept in the UK for a number of years - how does this interact with the GDPR? If a user requests that his data is deleted - does this then have to happen when the retention period required by tax law expires?

Silver badge

Re: How many decades ?

ICO say

"When can I refuse to comply with a request for erasure?

You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

• to exercise the right of freedom of expression and information;

• to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;

• for public health purposes in the public interest;

• archiving purposes in the public interest, scientific research historical research or statistical purposes; or

• the exercise or defence of legal claims."

Accounts records being a legal requirement comes under 2? So looks like you'd need a system to hold requests until the right period had expired.

Anonymous Coward

Re: How many decades ?

How many firms are going to go back over their archival backups to delete individual's data ?

AFAIK GDPR explicitly does not require that you do that. The problem is, if you restore that data it becomes active again, and how do you know if anyone in it had previously asked to be deleted?

There are also exceptions to allow businesses to keep records on ex-customers, so that you can't ask to be deleted and then try to sign up again with a "new customer" discount, or to hide a bad credit record.

It's like a lot of bright ideas dreamt up by politicians, nice on the surface and unworkable in practice. Of course those politicians won't ever be the ones blamed for the impending fiasco.

Silver badge

Re: How many decades ?

"How long before 50% (let alone 100%) of companies comply with the regulations ?"

also consider jurisdiction. If EU passes a law, then it's the EU that's affected. If your data "accidentally" ends up on a server in, let's say, SINGAPORE, or the USA even, how is THAT going to be enforced?

HOWEVER... there is a silver lining. If the EU is perceived as having "better human rights" than the USA in this regard, then U.S. lawmakers *might* have to do something similar...

In any case, when "your data" is collected, you'll really need to know several things:

a) what's being collected [and a viewer to see it]

b) "delete all data" if you don't like it

c) a list of "3rd parties" that have seen your data [and if you delete, they too MUST delete!]

having a central 'cloudy' repository for this might not be so bad, so that nobody really copies it [by law anyway] and accesses the cloud database instead for ad slinging etc..

I think Amazon keeps a lot of data on me. They keep offering me things related to what I've purchased from them. Occasionally I fall for it and buy "that thing" they ad-slung at me. But I don't mind. I chose to do business with them.

(I also 'opt out' with google data collection and personalized ads. And I avoid the 'Microsoft Logon' whenever I can)

Bronze badge

Re: How many decades ?

The solution to this is not technical, it's legal and practical. You could get away with a flag that hides the user's details so you don't actually have to delete anything. What does delete even mean? I know that file systems and databases use indexes and flags to make data disappear. The bytes are still present where you last left them.

Legally you just use the exemptions.

Anonymous Coward

Re: How many decades ?

'What does delete even mean?' - that is a very good point. Has 'delete' been defined in this legislation?

Gold badge

"A single source of truth"

That's across all those legacy systems like

HPUX boxes

HP 3000 boxes (stack architecture, integrated proprietary DB)

IBM iSeries

Sperry mainframes (Just for variety, as everyone mentions IBM mainframes, also Fujitsu and ICL)

Windows running whatever DB

Linux running whatever DB

Whenever I hear the words "Oh yeah, we cover all the platforms" they usually mean all the DB's on Windows (or maybe they do Linux as well). Most of the time they have no f**king clue of the range of data sources you might have to search and map. And there's a big wide world out there that is not Windows or *nix.

Yes this is going to be a big problem. The sooner all companies start recognizing this the sooner they start scheduling time to deal with it.

Silver badge

Re: "A single source of truth"

"HP 3000 boxes (stack architecture, integrated proprietary DB)"

those are still being used? They were invented at the same time as the VAX [and VAX had a proprietary VMS database system last I looked]. I haven't used either one of those (VAX or HP3000) since the 90's. [I worked with ASK/MANMAN etc. in case you wondered].

I don't think HP uses MPE or MPEXL any more, anyway. I think they went to HP/UX (which is a form of UNIX, so would be a "*nix").

Anonymous Coward

Re: "A single source of truth"

"those are still being used? invented at the same time as the VAX [and VAX had a proprietary VMS database system last I looked]"

I can't comment on HP3000, but OpenVMS (as it later became named) is certainly still being used, and even still being developed.

Back in the day, the then-owner of VMS offered a bundled/free simple ISAM setup (RMS), a Codasyl-style database, and later a highish end relational database (RdB). Other databases from other companies were also available on VMS and some still are.

VMS development and support is now owned by a different company, VSI (not DEC, not Compaq, not HP). It has long since moved on past VAX (via Alpha, and IA64, and more recently towards x86-64).

RMS is still part of VMS. DEC's original RdB has been owned by Oracle for ages (though you wouldn't know it unless you asked).

Anyway surely all this GDPR stuff is just another incremental opportunity for the SAP folks?

Bronze badge

Re: "A single source of truth"

It's going to be a failure and cause massive problems.

It even contradicts its own principles. How can you delete someone from all your various records without keeping a record of the person you're deleting? If you delete their delete request and then they show up somewhere you forgot to look you won't have done the job. If you don't delete their delete request then you will have failed the other way.

The only way to be successful at this is to fudge it. Just make sure they are not on any mailing lists of yours and they probably won't know they're still on your system. Then use the legal exceptions to cover the rest. Job done.

Anonymous Coward

One of the biggest problems I find is actually what the term 'Personally identifiable information' is. I work with telephone calls that are linked to cookies and a provided CLI and an IP address. Now technically if I had an address linked to that phone number, then yes, it is personally identifying, but then not having an address, is it still identifying? I have a phone number which may or may not be a personal number.

This has been surprisingly hard to get a definitive answer on. A phone number *could* be used to identify someone with something as simple as a google search. But then it also might not.

If it is classed as personally identifiable, then you now have a potential headache with regards to any phone that stores the cli that called you. Which seems ludicrous on the surface. There is also implied consent from the point of view that if you use a phone, you have to have a phone number and accept the rules that exist for making a call. The same for the web regarding your IP address (especially if it is fixed IP).

Regardless of what is deemed 'acceptable' by the ICO in the UK regarding GDPR - I am finding that there are considerable grey areas that you can't get a definitive answer on because, well you know, they don't really know either. Language is an interesting thing. And lawyers who specialise in this aren't really helping because they err on the side of no risk. So it isn't a set of guidelines, just a set of guidelines that don't say 'you are compliant if you do this' because they haven't been tested.

AC because, you know, my username is Personally Identifiable. Or is it?


re: 'Personally identifiable information'

I think the guidance runs along the lines of "any piece of data that you hold that could identify an individual or could be combined with something else that you hold or could reasonably expect to have or gather that identifies an individual."

The data just has to be descriptive so saying "the ginger bloke that works in IT at XYZ company" could potentially identify an individual if there is no other ginger bloke in IT at that company. Under GDPR, this extends to things like IP addresses (called "online identifiers" I believe).

GDPR is going to be a bit of a nightmare for some, a pain for most and a cash-cow for others

Anonymous Coward

Re: re: 'Personally identifiable information'

Yes it could. Yet that ginger bloke can go out and walk in a street and be seen by everyone. It is implied consent. He can't stop that under reasonable use.

Same with an IP address. You can't not have one when browsing, regardless of NAT or not.

"Under GDPR, this extends to things like IP addresses (called "online identifiers" I believe)."

Using a gmail or email address as an identifier is different to an ip address. I don't think an IP address, unless linked to a specific person using data you already hold, is covered under that.

However, I may know that a person who came from ip address X came back several times over the course of a month. That means I can see that a single person may have browsed, but that in itself is not allowing me to tie it to a specific person unless that person registered with me from that address, then I could do so. That changes things - it is now personally identifying.

Same with a phone number, you can't not supply a calling number to a telecom provider (hint - withholding your number doesn't withhold it to a telecom provider in normal practice, they just can't pass on your number) so therefore in order to use a phone, you have to do this in the normal course of business.

So either everyone who has a phone, or anyone who phones up a callee, means that that callee's telco now has a responsibility to the person making the call outside of the normal Telecom obligations? Well that would be crazy and couldn't be complied with. So this is why I state that there is difficulty in a lot of areas of complying. This is why, I suspect, that evidence of attempting to comply is given a lot of credence in GDPR and data protection in general, rather than saying 'You must comply or die', because in most cases it would be unsustainable without clear rules. But the language isn't clear. So there are so many ways to interpret it.

Hence, GDPR is a good gig to get into.

Silver badge

Re: re: 'Personally identifiable information'

Hence, GDPR is a good gig to get into.

Definitely this. I receive a large number of inane sales contacts about training, tools and other junk vaguely associable with GDPR. Most of them know nothing about it; the training companies are there to promote training (therefore the courses are almost all doom and gloom with few "facts", many of which are incorrect and seem to be designed to promote further training and services provided by the vendor of the training).

If you're concerned, which you should be to some extent, then download and read the GDPR. It's a bit dry as all legalese documents are, but it is readable and understandable and you'll find that the reality is quite different to the scaremongering that's going on, led by the training and tools pushers who most stand to benefit from it.

One of the most important aspects that you need to know is that consent for incidental data collection can no longer be opt-out and that consent must be explicit, therefore no more "tick this to opt out of our shitty newsletter" or "untick this otherwise we'll send your details to our 'partners'". However if the collection of the data is for genuine operational purposes then as long as you can justify this you are welcome to collect it as long as you don't disperse this data (unless explicitly agreed to). In short, define what you need to do and collect the data for that and record and justify this.

The rules about automated processing are interesting however the clauses reduce the restrictions to sensible levels.

The rules about a "request to be deleted" are fine, however get operationally interesting quickly. Many organisations will need to record that an individual has requested to be deleted (because otherwise they may be contacted incidentally otherwise), many organisations have very genuine operational reasons for retaining historical data (restrictions on which do not apply to the deceased) and then there's the practical aspect of genuinely deleting all references to an individual - in theory if this individual is recorded in a backup tape somewhere then they would have to be removed from these as well.

The rules about ensuring that data is accurate are of note but the FUD being spread is ridiculous. Nowhere in the GDPR does it mandate contacting, by post, all data subjects once a year to check that their details are correct, all it states is that reasonable endeavours must be applied to ensure that the data is accurate. What these reasonable endeavours may be depend entirely on the situation, the source of the data and the importance of the processing.

Silver badge

Re: re: 'Personally identifiable information'

"However, I may know that a person who came from ip address X came back several times over the course of a month. That means I can see that a single person may have browsed, but that in itself is not allowing me to tie it to a specific person unless that person registered with me from that address"

theoretically, yes. However, browser fingerprinting, and hidden graphics with cookies (among other 'tricks'), get around that limitation. They know it's you, even if your dynamically assigned IP address changes. Unless you have cookie blockers and script blockers [which I do]. But my browser fingerprint (being FreeBSD) isn't all that unique...

(and yet I could change it to say 'Windows 10' if I wanted to, but that would make statcounter give an unnecessary/inaccurate 'bump' to Win-10-nic's "popularity")

Anonymous Coward

Personally Identifiable data

Hi

It really is any form of data that can be tracked to an individual, somehow or someway. Email, IP address, photos, phone numbers....Clearly a mobile number could be tracked to a person. How about a DDI? Well, in theory, yes.

There was also an earlier mention of removing data from tape back up; that has to be done as well.

In addition to all of this joy, there is talk of GDPR being the new PPI; class action from legal firms attacking companies who fail the 30 day ruling to supply an individual with ALL of the info held by said company as well as proof that it has ALL been deleted.

We are engaged with clients who are starting to look at this and have realised that a) it affects every company ("but we are only a small organisation" being a common statement) b) the clock ticks away faster than you would believe.

Anonymous Coward

Re: re: 'Personally identifiable information'

that comment is probably also racist or gingerist or similar....)

Bronze badge

From a technical point of view your database needs a unique identifier. You could then use that as an index to the details of the actual person. A MAC address is pretty unique and if it belongs to the person's phone then it's unique and can be indexed to a person.

What the legal people mean about personally identifiable is are you safe from someone coming and finding you if they have this info.

If you have their postcode and the fact they have one eye then you could find them. A computer could do it but you would not want to use this to structure your database. Some info is more identifiable than others.

An NHS database for showing disabilities by region would hold disabilities by postcode.

Bronze badge

Re: re: 'Personally identifiable information'

Ginger Bloke.

The practical way of applying this is to assume personally identifiable data is just that where there is a one to one relationship between the index value and a record you can get holding all their details.

If you extend it to what a detective could deduce with Ginger bloke in IT at ABC then it would be impossible to prevent at least some of your anonymized data from identifying the person. Say the bloke was not ginger, then you have three to choose from.

So instead of shooting just the ginger you have to shoot all the men in the IT department. This right to be forgotten is really just a big waste of time and money.

Anonymous Coward

possible side effect?

The GDPR includes a requirement that if you are asked to delete personal data, you also have to inform anyone you passed that personal data to.

Which might make it easier to purge your address from some junk mail (proviso that they are ones that are EU based and follow the rules). I guess at the moment if you've signed up for marketing from Company A and ticked the "From time to time we may pass your details to other trusted organisations...." bollocks, then telling Company A you no longer want to hear from them doesn't necessarily affect Company B and C who've already got your details from Company A.

Silver badge

Re: possible side effect?

I'm wondering whether this will work any better than the "you have to have an 'unsubscribe' link in your spam" clause. I get daily spam from several (allegedly) different sources that I have never ever even visited, and if I ever click "unsubscribe", they actually tend to stop - except I immediately start receiving daily spam from one new source I never heard about. Thankfully it's all a bit academic - Google catches all of it sight unseen and I only see it if I explicitly go looking for something in my spam folder...

Anonymous Coward

Re: possible side effect?

I had a piece of conventional junk mail in the post yesterday. The product was nothing I remember enquiring about, and (unsurprisingly?) it had no indication of a possible opt-out from further mailings.

The actual sender of the mailing was a firm registered at Canary Wharf which when I looked it up "offers" a new way of getting suitable marks for mailings. Wonder if - instead of taking existing mailing information - it looks to combine snippets of info from various public or private data to create a target list. Eg taking a land registry entry plus some social media info to figure out that you're a retiree home owner and therefore up for some overpriced tat.

Anonymous Coward

Data lake

Data lake is my new least-favourite jargon term.

Bronze badge

Re: Data lake

Sounds like a data swamp to me.

Drain it. Problem solved. :)

Anonymous Coward

Never happen in the US

Wow, this regulation actually enforces consumer rights. How is it you right-pondians are able to break free of the lobbyists? I can't imagine regulations this strict even being proposed in the US, much less adopted. The money that would flow to stop it would be limitless.

Bronze badge

Re: Never happen in the US

Funny, I've been coding similar things in the US (and Canada) for a couple of years. Several states passed data protection laws which indirectly upped the ante for companies gambling with security in a characteristically American way: lawsuits. Furthermore I expect the Trump administration to crack down ten times harder. I assume they've already found the authority under existing law and are busy collecting evidence against the worst offenders.

Web security practices being what they are - utterly worthless - the only way to win the Personal Data Mining Game is not to play.

Silver badge

Re: Never happen in the US

It COULD happen in the US if it's seen to be WORKING in the EU, and perceived to be "better human rights" than the USA has. Embarrass Con-grab into doing it! [and use the FTC, that's what it's there for, already done for banking transaction/information AFAIK]

Anonymous Coward

Employee data?

All the GDPR articles I've read deal with customer data, what about employee data?

I work for a charity that provides support for disabled people. We keep extensive HR, PRC and disclosure records on our employees and past employees. Some of this is to prevent scenarios like someone being sacked for abusing a person under their care and then re-employed at a later date in another part of the country. We hold data going back over twenty years.

Are we still allowed to hold this data on ex-employees? What if they ask for it to be deleted?

Silver badge

Re: Employee data?

The articles are using the wrong terminology. GDPR refers to "natural persons" - i.e. people and not organisations. It does not matter whether or not the people you are dealing with are suppliers, customers, employees, volunteers or any other form of contact.

The retention of HR data is covered by the employment regulations (and therefore covered by the legal requirements clauses), the retention of data for the protection of individuals is also covered by clauses. It does, however, get a bit more involved when referring to the protection of vulnerable individuals as this requires protection that goes above and beyond the GDPR and is governed elsewhere.

If your business has a public benefit in the retention of these records then this is also an exception to the automatic removal of them.

In short, despite the obnoxious sellers of training courses and consultancy, the GDPR is not there to cripple businesses and organisations, it's there to strike a good balance between preventing abuse of personal data and the genuine use of personal data by an organisation. Download the GDPR, take a marker pen and highlight the sections that apply to you and cross out those that don't. Then re-read it and you'll see your obligations quite clearly.

For those that don't know, it can be downloaded here: GDPR: REGULATION (EU) 2016/679

Anonymous Coward

Re: Employee data?

Herein lies a very big problem with the definition that is circulating to companies. It is not client data. It is not personal data. It is personally identifiable data, be that your clients, prospects or your own staff.


What of micro-businesses, clubs & societies

I'm starting to be asked about GDPR by people who know I work in IT and by some of our very small clients (that's their businesses that are very small, not necessarily the clients).

I did the on-line chat thing with ICO the other day (summaries for clarity).

"Have you read our on-line stuff?" (stuff is my word)

Yes. Doesn't say anything about small businesses, clubs and societies who were exempt under the previous Data Protection. Do you have some specific guidance for these organisations?

"We have guidance for commercial businesses, public bodies and fund-raising charities"

Do you intend providing guidance for the people I mentioned?

"We have no plans to."

Thanks a bunch.

On the "Overview" page it says (in 'Who does the GDPR apply to?')

"If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR"

Does this mean there will be exemptions as with the DPA?

There's nothing on the site ... haven't had a chance to ask them ... what are the chances of a helpful answer?

Silver badge

Re: What of micro-businesses, clubs & societies

what are the chances of a helpful answer?

Zero? :)

Just download the GDPR, print it out and assault it with a marker pen. It's not really that hard to read and you will quickly have an idea as to what applies to you and what you need to do. Some of it is intentionally fuzzy (for example, the definition of a public body) and some of it is contextual but there's nothing really scary in there.

For those that don't know, it can be downloaded here: GDPR: REGULATION (EU) 2016/679

Bronze badge

Re: What of micro-businesses, clubs & societies

> It's not really that hard to read

Upvoted for deadpan humor. That's an 88-page wall of legal text with massive paragraphs in 8-point font.

Anonymous Coward

Re: What of micro-businesses, clubs & societies

No reason to exclude small business etc. You could be a small company with just one employee and still have data on a thousand individuals.

The key difference as I see it between DPA and GDPR is that organizations actually have to document what they do with personal data.

Silver badge

Re: What of micro-businesses, clubs & societies

Maybe it's a good business practice to have a privacy policy that already includes the ability to delete any collected data, and to reveal who it was disclosed to (upon request).

It wouldn't be hard to add this kind of transaction info into a database or a written record someplace...

"delete from collected_data where customer=12345" <-- or similar

and

"select third_party from disclosed_data where customer=12345"

etc.

(make it the back-end of a web page that uses the tracking info in your browser to "log in")

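One way to implement the record-keeping this post sketches, as an added example that is not from the thread: it also covers the earlier points about holding a request until a legal retention period expires, telling third parties who received the data, and not letting a backup restore quietly bring an erased person back. Only the table names collected_data and disclosed_data come from the post's SQL; the erasure_requests ledger, the retain_until column, the function names and all sample rows are assumptions constructed for this example.

```python
# Added example (not from the thread): an erasure-request ledger. Table names
# collected_data / disclosed_data follow the post's SQL; erasure_requests, the
# retain_until column and every sample row are constructed for this example.
import sqlite3
from datetime import date

SCHEMA = """
CREATE TABLE collected_data (
    customer INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
    retain_until TEXT   -- ISO date while a legal retention period applies, else NULL
);
CREATE TABLE disclosed_data (customer INTEGER, third_party TEXT, disclosed_on TEXT);
-- Survives the deletion: only the customer id is kept, so a later restore from
-- backup can be screened without retaining any personal details.
CREATE TABLE erasure_requests (
    customer INTEGER PRIMARY KEY, requested_on TEXT,
    held_until TEXT,    -- retention expiry while the request is on hold, else NULL
    status TEXT         -- 'erased' or 'held'
);
"""

def open_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO collected_data VALUES (?,?,?,?,?)", [
        (12345, "A. Person", "a@example.test", "+44 20 7946 0000", None),
        # Still inside an accounting retention period: cannot be erased yet.
        (67890, "B. Person", "b@example.test", "+44 20 7946 0001", "2024-04-05"),
    ])
    conn.executemany("INSERT INTO disclosed_data VALUES (?,?,?)", [
        (12345, "MailCo", "2017-01-10"), (12345, "AdNet", "2017-03-02"),
        (67890, "MailCo", "2017-02-20"),
    ])
    conn.commit()
    return conn

def _erase(conn: sqlite3.Connection, customer: int) -> None:
    """Remove the personal data rows; the caller updates the ledger."""
    conn.execute("DELETE FROM collected_data WHERE customer=?", (customer,))
    conn.execute("DELETE FROM disclosed_data WHERE customer=?", (customer,))

def request_erasure(conn: sqlite3.Connection, customer: int, today: date) -> dict:
    """Erase now, or park the request until the retention period expires.

    Returns the status and the third parties that must be told about the request.
    """
    row = conn.execute("SELECT retain_until FROM collected_data WHERE customer=?",
                       (customer,)).fetchone()
    if row is None:
        return {"status": "unknown", "notify": []}
    # Collect the recipients before the disclosure rows are deleted.
    notify = sorted(r[0] for r in conn.execute(
        "SELECT DISTINCT third_party FROM disclosed_data WHERE customer=?", (customer,)))
    retain_until = row[0]
    if retain_until is not None and date.fromisoformat(retain_until) > today:
        status, held_until = "held", retain_until
    else:
        status, held_until = "erased", None
        _erase(conn, customer)
    conn.execute("INSERT OR REPLACE INTO erasure_requests VALUES (?,?,?,?)",
                 (customer, today.isoformat(), held_until, status))
    conn.commit()
    return {"status": status, "notify": notify}

def release_expired_holds(conn: sqlite3.Connection, today: date) -> list:
    """Erase held records whose retention period has passed; returns their ids."""
    due = [r[0] for r in conn.execute(
        "SELECT customer FROM erasure_requests WHERE status='held' AND held_until<=?",
        (today.isoformat(),))]
    for customer in due:
        _erase(conn, customer)
        conn.execute("UPDATE erasure_requests SET status='erased', held_until=NULL "
                     "WHERE customer=?", (customer,))
    conn.commit()
    return due

def screen_restore(conn: sqlite3.Connection, restored_rows: list) -> list:
    """Drop restored collected_data rows for anyone the ledger marks as erased.

    Held customers still have live rows, so their restored copies are kept.
    """
    erased = {r[0] for r in conn.execute(
        "SELECT customer FROM erasure_requests WHERE status='erased'")}
    return [row for row in restored_rows if row[0] not in erased]
```

The ledger deliberately keeps nothing but the customer id, which is the compromise the thread circles around: you must remember whom you erased without keeping their details.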
Silver badge

Just customers?

Employees are also data subjects. Also all those non-customers in the email lists marketing have got their grubby little hands on.

Anonymous Coward

With so many old systems being kept alive besides more modern systems and employees having private archives with copies on dropbox one may wonder what the highest number of copies turns out to be. I would not be surprised if some companies turn out to keep 20 copies or more of some of their data in various locations.

Silver badge

"backup copies" maybe? that doesn't count in my book.

An internal policy of NOT restoring things that were requested to be deleted would have to be done. Yeah, not too difficult I say.

Anonymous Coward

re: one db

I think they are getting at 1 DB with customer personal info and customer id, and then only the customer id is stored everywhere else; however, what is personal info precisely.....

there are also lots of reasonable excuses for keeping info.

Personally I want to know how this relates to business contact info - the relationship is with the business regardless of who happens to be employed there at the moment.

And this whole concept is dumb as f... what are they hoping to achieve? It is clear people don't care about privacy nowadays.


GDPR - Joint Data

Has anyone else had issues with corporate bodies comprising multiple personal entities (directors, partners, trustees etc)? We have individual personal data (no problems) and items such as imaged documents that refer to both parties... htf can we remove/forget personal data when it is inextricably linked to another's personal data... and you don't want to delete the other person's data.
