back to article Rolling in personally identifiable data? It's a bit of a minefield if you don't keep your feet

The world – well, Europe at least – is going potty about the impending new General Data Protection Regulation. If I signed up to every data protection seminar invitation in my inbox I'd have no hours left in the day to work... or drink or sleep, for that matter. So it's easy to forget that data protection legislation has existed …

  1. Nigel Cro

    DPA 1984???

    I think I take the point - that the UK has had data protection legislation since 1984 (at least) but the article is slightly confusing.

    The 1984 DP Act was replaced by the 1998 DP Act which is currently the relevant legislation in the UK..

    1. Anonymous Coward
      Anonymous Coward

      Re: DPA 1984???

      Think it is legitimate, the author was stating that data protection laws have been around since the DPA 1984, there's been many updates and laws since then, not just the DPA 1988.

  2. Fazal Majid

    PII covers more than you think

    IP addresses and device IDs like the Apple Identifier for Advertising or Google Android Advertising ID are considered PII, and thus GDPR encompasses more than many companies think.

  3. frank ly Silver badge

    Just wondering

    Every now and then, El Reg sends me an email about a seminar or a white paper or something and I simply delete them, no worries. If I sent an email to you, asking you to stop this, would you be required to do so with all haste?

    1. DaLo

      Re: Just wondering

      Unless you explicitly asked to have them anyway then they would no longer be able to send them in the first place after 25th May 2018. Only subjects who have given consent equivalent to GDPR can have their data processed for those purposes. So unless you ticked a box to say that you wanted to receive those, they would not be able to be sent to you.

      1. DaLo

        Re: Just wondering

        Oh and it can't just be part of the terms and conditions, it must be more explicit about what you are consenting and also a service can't usually be limited if you choose to decline.

    2. Doctor Syntax Silver badge

      Re: Just wondering

      " If I sent an email to you, asking you to stop this, would you be required to do so with all haste?"

      That raises a further issue. Marketing emails are usually sent with a no-reply email address. If there is no acceptable means of communicating one's wish to opt out (and clicking links in an unsolicited email has been a non-no these many years) when is this in itself an offence under the GDPR?

      1. DaLo

        Re: Just wondering

        Chapter 3 of the GDPR asserts your rights as a data subject. There is very little, as with all regulations, saying exactly what you can and cannot do. So having a 'no reply' e-mail address would not in itself be forbidden.

        However easy access to your data, to rectify your data and to erase your data is required. In the best case this would be via a control panel that the user can access to do all this and for companies with a significant number of requests this may also become a necessity. Other than that the data subject would need another way of easily completing this, that doesn't require jumping through hoop sor fees.

        The issue will be companies from outside the EU - trying to find the source of the data transfer, which may have happened many years ago will be hard. If they aren't trying to sell you an EU product or Service you will still get the same amount of spam as before.

        After the 25th May 2018 I would suggest a good use of the + email extension to allow you to tag every e-mail address given out with a unique reference or the company name. Even better your own mail domain with a different e-mail address for every company you deal with. That way the source of any data transfers will be obvious and you can ask the ICO to fine them 2% (maybe even 4%) of their turnover. Or maybe even just threaten them with the ICO unless they give you substantial compensation.

  4. DaLo

    Article doesn't clear much up but muddies it further.

    If anyone is using this article for their own research then I would recommend a lot of extra reading. For instance

    "This said, though, explicit consent isn't always required. According to Article 6 of GDPR processing, PII is legitimate (albeit with a couple of caveats) if: "processing is necessary for the purposes of the legitimate interests pursued by the controller". If you want to buy something from my online store it would be daft if I was obliged to ask you explicitly for permission to use your card number to take payment and your address to post you the goods."

    However the legitimate interests is a sub section 6(1)(f) and states ...

    “processing is necessary for the purposes of the legitimate

    interests pursued by the controller or by a third party, except

    where such interests are overridden by the interests or

    fundamental rights and freedoms of the data subject which

    require protection of personal data, in particular where the data

    subject is a child.”

    The caveats are key as anything as absolutely necessary to function (e.g. not marketing) would not be in the interests of the data subject. The data collected and processed would need to be the absolute minimum with a clear assessment of why data was included. This section also does not apply to public bodies.

    The actual sub section for dealing with a shop customer is 6(1)(b)

    " processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;"

    Which covers the minimum needed to capture customer data to make a sale. This may well stop shops asking for your address when buying over the counter for instance - also it should stop shops in airports requiring your boarding pass when you aren't buying duty free goods.

    There are some critical issues relating to the GDPR that may make significant changes to the way companies operate. WIth the ruling that IP addresses can be PII, this can affect everything from weblogs, analytics and intrusion detection systems. It may be hard to justify intrusion detection as a legitimate interest if you have never had an attack but have been merrily hoovering up IP addresses of everyone who visits your website. Also call centres would no longer be able to automatically record calls apart from some industries which may have a legal obligation. They will have to give the caller an option at the beginning of the call, which will have to be auditable.

    Also remember the actual bill has not yet been published so we only know the minimum that will be in the bill not all the clauses it will contain.

    1. Adam 52 Silver badge

      Re: Article doesn't clear much up but muddies it further.

      Agreed, this article is a very bad guide to the regulation.

      I would recommend the guide on the Information Commissioner's website, it's easy to read and understand and from a source that should know what they're talking about.

  5. Anomyous Curd

    Anonymisation is not carte blanche to "go crazy". We need to be very clear what "anonymous" means in a GDPR regime. If there is a 1:1 mapping of cleartext data to masked data it is not anonymised. GDPR identifies this data as pseudo-anonymised and instructs it must be handled as fully fledged PII, due to the proven ease of reconstructing an identity from metadata.

    Pre-aggregated, randomised or truncated data is anonymous. Hashed or encrypted data is not. It is pseudo-anomymised only. Pseudo-anonymisation can serve as a an element of defence in depth to support a legitimate purpose justification, but it does not absolve you of responsibilities.

  6. Biff Takethat
    Unhappy

    IF ONLY...

    ...it was that easy

  7. Doctor Syntax Silver badge

    "If I signed up to every data protection seminar invitation in my inbox I'd have no hours left in the day to work... or drink or sleep, for that matter. "

    Sleeping wouldn't be a problem. As to drinking, clearly you need to be selective about the seminars you choose.

  8. Ken Moorhouse Silver badge

    Footfall Data: no PII in it?

    Let's say you use MAC addresses as the identifier for people moving round your store. It may be argued that a MAC address is associated with someone by virtue of the association of ownership of that device with that person.

    So you anonymise that data: say using MD5 which people here are familiar with. So using MD5 to scramble the MAC address you might reasonably suppose that is anonymous enough for your purposes. It's a "trapdoor" code in the sense that it isn't easy to decode it back to one unique entity.

    On future visits to your store, that "someone", though supposedly anonymous, is most clearly readily identifiable if they are carrying the same device. The MAC address is captured, converted to MD5 and aha, this person visited the store on 6th July 2017 and spent 13 minutes 24 seconds looking at thermal underwear (yes this is the UK, so a plausible scenario).

    Is this kind of inference acceptable?

    If our target visitor had shoplifted and got prosecuted for stealing thermal underwear on that visit, it would be tempting for Security to set a red flag whenever that device is recorded as entering the store in future.

    How would you feel if that device were sold to a second hand shop in August, you bought it and were using it? How would you like a security guy to wink at you and comment that it is a bit chilly for this time of year, don't you think?

    Ok I've rambled on a bit. What does GDPR make of all this?

    1. Adrian 4 Silver badge

      Re: Footfall Data: no PII in it?

      How would you associate the MAC address or hash with the person shoplifting ? Are you allowed to obtain this information from them if/when you catch them ?

      1. Ken Moorhouse Silver badge

        Re: Footfall Data: no PII in it?

        >Are you allowed to obtain this information from them if/when you catch them ?

        No, but it is not difficult to work out by a process of elimination when they entered and exited the store, comparing that with CCTV footage, and making a mental note of what mobile device they were using at the time. Chances are that if caught they would be taken into an area where a WAP would strongly identify that particular MAC (or MAC's if the perp had more than one mobile on them).

        I'm sure that for footfall purposes highly directional WAP devices would be utilised to be very specific about when someone entered different sales areas.

        This link gives a flavour of what GDPR is up against:-

        http://www.telegraph.co.uk/science/2016/12/27/high-street-shops-secretly-track-customers-using-smartphones/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019