
No one’s ready for GDPR - neuland
https://www.theverge.com/2018/5/22/17378688/gdpr-general-data-protection-regulation-eu
======
kerrsclyde
I have been helping a school that I do IT work for with their GDPR roll-out,
not because it is my area of expertise but because they had nobody else to
turn to, and the Local Authority who control the school have released zero
guidance in preparation.

There are many, many unresolved issues:

We are supposed to employ a 'data officer'; this basically cannot be anyone who
works in the school at present. We sought volunteers but didn't get a single
applicant. It is difficult to justify paying someone to do it (if you can find
a qualified person) - the budget for things like school books is already paper
thin.

I contact external suppliers who use our data and receive a wall of silence.

Things like publicly visible visitors' books are outlawed (depending on how you
read the guidance); the alternative is electronic systems - more cost.

Displaying certain sensitive information (prescriptions for pupils) is now
outlawed; this could compromise safety.

There seems to be a raft of GDPR training systems which are basically a single
page questionnaire, costing upwards of £300.

I don't have an issue with what the legislation is trying to do; it just seems
so vaguely implemented. Basically we all know that the organisations who need
to clean up their act will be doing the least to comply.

~~~
castlecrasher2
> Things like publicly visible visitors books are outlawed

Does this mean the quaint guest book visitors could sign at the hotel I stayed
in a couple weeks ago would be illegal under the GDPR?

~~~
existencebox
Disclaimers: although I was responsible for implementing GDPR for a subsection
of a bigCo, I am not a lawyer, do not speak for my company, etc. I've just
been getting increasingly annoyed by the amount of misinformation on both
sides of the GDPR debate (that it's either a straight good or a straight bad),
even in sister comments to this, that I figured I'd try and give a Real Answer
to your question.

They would need to provide functionality such that an EU resident could
request timely export and deletion of any records belonging to them in that
guestbook.

If your guestbook is physical and substantial, this may be limiting without
additional systems, but GDPR also is rather vague in the pushback you're
allowed to give if you're completing the export with best intentions, so this
will likely not be settled until precedent occurs; this will be even more
grey-area due to considerations of "ease of access" of the information in
question, and other "softer" considerations.

So to answer your question more bluntly: Without the bare minimum of a
business process for someone to call up and say "I want to export/delete my
entry in your guestbook" I'd say the experts who guided my team would probably
agree that the business owner should err on the side of assuming non-
compliance, so long as you don't reasonably preclude EU visitors.

~~~
test525
>If your guestbook is physical and substantial, this may be limiting without
additional systems, but GDPR also is rather vague in the pushback you're
allowed to give if you're completing the export with best intentions, so this
will likely not be settled until precedent occurs;

And then you are fined 4% of revenue when you are the scapegoat setting a
precedent for a vaguely defined law...

~~~
s73v3r_
That will never, ever, ever, ever happen. I guarantee that no inn will ever be
fined 4% of revenue over a simple paper guestbook.

~~~
test525
You really don't think it's possible that one of the 28 member nations of the
EU will pass down an absurdly large fine for some minor infraction? This
happens all the time...

The fact is, if I am not GDPR compliant in any way there is no mechanism built
into the law to limit the amount I am fined and some judge that is in a bad
mood or hates the idea of my business can simply fine me 20 million to kill my
business and still be abiding by the letter of the law.

~~~
craigsmansion
> You really don't think it's possible

For signing a guestbook or something similarly trivial? No.

If you truly believe that (if it really escalated) the European Commission,
and _then_ the European parliament, and _then_ ultimately the European Court
of Justice is going to put up with 20-million-fine-for-a-guestbook
shenanigans, I don't know what to tell you, except that I think your
definition of "reasonable" is not reasonable.

Maybe I'm not jaded enough, and I can believe in a single bad actor, but all
of them? Including an entire institution that has direct public
accountability?

As an aside, I think it would be helpful if participants in GDPR discussions
would indicate if they approach it from a USA or EU angle (or even a non-EU
and non-USA perspective. I haven't really noticed any specific opinions
from outside the USA/EU).

------
cs702
Like everyone else, I've been bombarded with numerous "we've updated our
privacy policy" emails over the past few weeks.

I'm not sure updating privacy policies with CYA language will suffice.

The evidence suggests European regulators really want companies to change
their _behavior_.

~~~
vidarh
Well, I've _also_ gotten a ton of "please, please, please confirm that we can
keep sending you the e-mails we're sure you really don't want to miss" from
companies I don't remember ever dealing with, which I've gleefully ignored, so
it seems quite a few companies _are_ changing their behaviour in as much as
they seem to be purging their mailing lists. Even if that's all that's
achieved, it'd still be a big improvement.

~~~
jdietrich
Most of those e-mails are either illegal or unnecessary.

If you've already opted-in to receive marketing messages, then they don't need
to ask for your consent again just because GDPR is coming.

If you haven't already opted-in, then the Privacy and Electronic
Communications Directive only allows unsolicited messages containing marketing
information related to previous purchases you have made from that company.

~~~
ramy_d
That doesn't make sense; it would make all corporate newsletters illegal
unless a purchase was made.

~~~
the_watcher
Unless you've explicitly opted in (not failed to opt out), that is exactly
what GDPR does.

------
dwrowe
Genuine question as it pertains to US-based companies. How can a foreign law
have such seemingly deep impact on US-based companies, let alone, situations
where the visitor is not paying for services? Maybe this gets into
International Law, but even if I'm not _targeting_ European visitors, say they
cross some threshold by percentage compared to US visitors - why must I abide
by a foreign law?

~~~
Waterluvian
It's really funny to read this because my perception, possibly wrong, is that
the U.S. acts this way all the time to the rest of the world.

~~~
ovao
Can you provide a few examples?

~~~
lawn
In Sweden we have a mandatory tax on all storage units: hard drives, DVDs, USB
drives, you name it. This is to combat piracy and the loss of profit for
companies.

Of course this was pushed through by US lobbyists and, you guessed it, that's
where the money goes as well.

~~~
kodablah
Completely different situation. If it was only to sales to US customers, then
it would be comparable. That the Swedish government allowed external influence
to change the laws for its own citizens is nothing like the GDPR applying only
to EU citizens.

------
padolsey
I feel really bad for smaller companies/orgs. I've received countless emails
from various businesses I've had interactions with over the years. I've seen
the full gamut of messaging -- from "changes in our privacy policy" to "please
fill out this entire sign-up form again with your details" to "please send us
an email if you wish to unsubscribe". It's obvious that it's entirely unclear
to businesses what they should be doing here. So they're all just cargo-
culting off each-other, hoping that they're sufficiently covered. I feel bad
because I know those who don't have the time, money or knowledge to properly
deal with this are going to end up losing their only communication avenue with
customers. Customers, too, do not understand the gravity of these new opt-in
affirmations.

It seems utterly beholden on our regulators to not only regulate, but to
regulate _clearly_ so that the 'reasonable person' has a chance in hell of
abiding to-the-letter.

~~~
djhworld
> I feel really bad for smaller companies/orgs.

Why? I've seen most places (big and small) adopt a very simple page with one
button on it asking if you want to opt in or out. Takes 5 seconds at most.

Too many 'smaller' and larger companies have gotten my details by buying data
from resellers, and then they have the gall to plead with me to let them keep
mailing their crap?

I'm happy to opt-in to companies that I like doing business with.

~~~
padolsey
I understand the point about the data resellers, and I agree. But TBH I'm more
concerned about the minority of 'good actors' in this space, who have gotten
my information the correct way, but now, due to various constraints or
ignorances, are left at a great disadvantage and may end up losing a vast
chunk of their diligently acquired subscribers.

------
mykull
Lots of companies are ready for GDPR, i.e. the ones that handle user
information responsibly in the first place, and aren't opaque data hoarders as
a central part of their business model.

I'm personally not a fan of the "lets collect it because we can" mentality.

"Data is the new oil" is a great analogy because not only is it valuable, the
industry of data gathering is booming with little to no care about the side
effects or long term consequences.

Had the right to privacy been enshrined in protective laws much earlier,
requiring explicit consent to profile people's behavior as it pertains to
technology, things would obviously be a lot different. Obstacles often
represent opportunities for improvement. Hypothesizing:

1. Alternatives to traditional advertising as a method for creating markets
for products and services would have a better chance of taking off. A world
where we have a relationship with the source of product/service introductions,
where we can discriminate and depend on them to discriminate, could prevent a
lot of manipulative, misleading and damaging crap from reaching people, and
ensure demand goes to the highest quality products/services.

2. The difficulty of gathering would drive the value of people's personal
information higher, likely leading to better protection, i.e. more careful
handling, fewer data breaches and leaks.

3. A lot of "wasted effort" gathering and storing information as part of this
data frenzy that ultimately doesn't provide value to anyone, despite all the
moving money, could have been avoided.

~~~
andybak
> the ones that handle user information responsibly in the first place, and
> aren't opaque data hoarders as a central part of their business model.

Do you only acknowledge the existence of these two categories? So only "data
hoarders" would struggle with becoming GDPR compliant?

I've got clients in the charitable sector having to reconfirm their entire
contact list - 99% of whom would be happy to stay in touch - because the
provenance isn't up to GDPR standards. We're expecting to lose most of those
because people forget to respond to yet another GDPR request.

Expensive audits and code reviews, re-architecting parts of the system that
accidentally record fairly innocent personal data (IP addresses in logs and
backups, historical shop order data, test data copied from live data, staging
servers and all the other places that data ends up in when a website has been
around for a decade or more).

Yes - this data could potentially be misused and it would have been wonderful
to have anticipated when the system was originally built but that was in a
more innocent age and nobody could have made a business case for it back then.

I would argue that the cost to organisations (many of whom are non-profit) vs
the benefits to users is fairly out of kilter. Protecting user data perfectly
is a noble aim but perfection costs.

~~~
mykull
No, I was a bit hyperbolic perhaps in response to the tone of the article or
its headline. Of course there are responsible organizations who are affected
and have costs associated with GDPR. Knowing nothing of what your clients do,
99% seems a bit hyperbolic to me, too. The reason email is so "hard" is
because in reality not many people want to get the emails being sent. I find
it annoying that I have to unsubscribe from a mailing list and sometimes even
go out of my way not to get repeat snail mail when I'm being charitable and
giving a donation to someone. Aside from all that, costs of doing business
happen. I don't think the cost vs benefit is so out of kilter as you say.

~~~
andybak
I'll put my hands up to 99% being hyperbolic. ;-)

I do worry that a lot of GDPR compliance will amount to "box ticking" rather
than a genuine improvement in user privacy.

Legislation is a blunt instrument and it's hard to get sizeable real world
benefit from a heady mix of noble sentiment and complex statute.

~~~
mykull
That is a fair concern.

------
roel_v
I happened to be looking into Pinterest's 'updated privacy policy' for the
last 30 mins. They just seem to wiggle and bend in every direction to make it
seem like they're complying, but even my blind granny can see they're not. I
wonder how companies like them will survive - because their whole existence is
based on doing the exact things the GDPR wants to stop.

~~~
Spearchucker
Not sure why the doom and gloom. Because they can carry on as always except in
Europe. If that's 90% of their base then yes, they may have problems.

For such companies GDPR simply shrinks profits, no?

~~~
mrweasel
Europe is 500 million potential users, so if you're not privately held, then
you also need to explain to stockholders that you intend to leave that market
open to competitors. Sure, all EU citizens aren't equally wealthy, but a large
number of those 500 million are in a lucrative segment.

Let's say that Instagram decides that the EU isn't worth the hassle, and
leaves. Now competitors have 500 million users to target and build a platform
for, without the annoying interference from US based companies. If someone is
successful under the GDPR, there's no real reason they couldn't easily enter
other, less strict markets later, using the profit from their EU business.

~~~
taysic
There are some services that wouldn't exist if it wasn't for targeted
advertising. Instagram may have millions of users in the EU but how many would
pay for the service? The number that would probably would not be enough to
sustain the network effect.

And if Instagram users switched to mainly non-targeted advertising, Instagram
may find itself not making enough money to sustain its company. While a
'competitor' willing to make less money could show up, their ability to
collect / store photos or videos / update the ui / filter out inappropriate
content would be decreased if they were barely profitable, making it a less
useful service than Instagram was.

------
Quanttek
> After four years of deliberation, the General Data Protection Regulation
> (GDPR) was officially adopted by the European Union in 2016. The regulation
> gave companies a two-year runway to get compliant, which is theoretically
> plenty of time to get shipshape. The reality is messier. Like term papers
> and tax returns, there are people who get it done early, and then there’s
> the rest of us.

That gets me the most. It seems like most companies didn't give a single f*ck
about the legislation until maybe the beginning of this year - many far later.
Of course, they are scrambling now to comply because they didn't start early
enough.

~~~
js8
Come on, that's just the markets being rational.

I, for one, am glad that my procrastination problem is finally validated as
rational by market forces!

(I find it very intriguing to find parallels between human, supposedly
irrational, behavior, and organizational behavior that results as a
consequence of rational - or at least explainable - behavior of many selfish
actors.)

------
Longhanks
As an EU citizen, I certainly am. For too long companies have abused my trust
and personal data without any consequences. The general fear shows how deeply
necessary a stricter rule set was.

~~~
rubicon33
Almost certainly the "companies" you speak of were entirely FREE services and
the "abuse" was really just your lack of understanding that when a service is
free, YOU are the product.

~~~
Analemma_
"There has grown up in the minds of certain groups in this country the notion
that because a man or corporation has made a profit out of the public for a
number of years, the government and the courts are charged with the duty of
guaranteeing such profit in the future, even in the face of changing
circumstances and contrary to the public interest. This strange doctrine is
not supported by statute nor common law." - Robert Heinlein

The EU is under no obligation to allow the business model of "free, but paid
for by selling your data" to continue to exist, just because it has existed
until now.

------
trqx
Well, I cannot read the article on mobile without agreeing to being tracked;
the popup takes 3/4 of the screen.

Ain't it the browser's job to display an agree/deny message for cookie
tracking per domain? This seems backward to me, as the page is already asking
the browser to agree to storing cookies. As of now I need an extension in order
to block cookies by default and whitelist them according to my needs.

> We use cookies and other tracking technologies _to improve your browsing
> experience on our site_.

That looks like a lie to me. Is there anything stopping them from creating a
cookie only once/if I log in?

~~~
Crespyl
> improve your browsing experience

In advertiser-speak, "relevant and interesting ads" are an "improvement to
your browsing experience".

Actual end-users _may_ have a slightly different interpretation on what
constitutes an "improvement".

~~~
aianus
As a childless man, for example, are relevant and interesting ads not an
improvement over the tampon and diaper ads that are all over TV?

~~~
PeterisP
It certainly may be, and it's your choice to make (if you wish so) by opting
in to targeted advertising.

What's wrong (and, in a few days, illegal) is for the service provider to
assume that everyone will prefer that.

------
kikki
Apparently neither is The Verge: having a fixed footer popup with the only
option being "I Accept" doesn't comply with the guidelines.

~~~
simonbarker87
It complies so long as:

1. Tracking is not enabled until you click it, and
2. You can still use the core functionality of the site without accepting.

So long as you can still read the website around the pop-up and they don't
activate tracking until you accept it, then they are in the clear. The banner
can be as annoying as it wants as well.
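An added illustration, not part of simonbarker87's comment and not code from The Verge or any vendor: a consent gate built around the two conditions above (default deny, content rendered regardless, tracking loaders run only after an explicit accept), written for Node so it runs without a browser. The cookie name `consent`, the purpose names, the policy version and the cookie header strings are assumptions constructed for the example.

```javascript
// Added example: a consent gate in the shape simonbarker87 describes. Tracking
// code is only invoked after an explicit "accept"; with no stored choice, after a
// "decline", or after withdrawal, nothing tracking-related runs, and rendering of
// the page content itself never waits on the choice. Runs under Node; the
// cookie name, purposes and header strings are constructed for this example.

const PURPOSES = ["analytics", "advertising"]; // each purpose is consented to separately

// Parse a Cookie header into a consent record. Anything missing, malformed, or
// recorded against an older policy version counts as "no decision" (default deny).
function parseConsent(cookieHeader, policyVersion) {
  const m = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return { decided: false, purposes: {} };
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    if (rec.v !== policyVersion) return { decided: false, purposes: {} };
    const purposes = {};
    for (const p of PURPOSES) purposes[p] = rec.p?.[p] === true; // anything but true => false
    return { decided: true, purposes, at: rec.at };
  } catch {
    return { decided: false, purposes: {} };
  }
}

// Set-Cookie value recording an explicit choice. A decline is stored too, so the
// user is not re-asked on every page view; the timestamp and policy version are
// kept as a record of when, and to what, consent was given.
function recordChoice(choice, policyVersion, now = Date.now()) {
  const p = {};
  for (const name of PURPOSES) p[name] = choice[name] === true;
  const rec = { v: policyVersion, p, at: new Date(now).toISOString() };
  const maxAge = 180 * 24 * 3600; // re-ask after roughly six months
  return `consent=${encodeURIComponent(JSON.stringify(rec))}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Withdrawal: expire the cookie. Afterwards parseConsent() yields default deny.
function withdrawConsent() {
  return "consent=; Max-Age=0; Path=/; Secure; SameSite=Lax";
}

// The gate. `loaders` maps a purpose name to the function that would load that
// third-party script. Only loaders for purposes with a recorded true consent are
// called; renderContent() always runs, so declining never blocks the core site.
function applyGate(consent, loaders, renderContent) {
  renderContent();
  const started = [];
  for (const name of PURPOSES) {
    if (consent.decided && consent.purposes[name] === true && loaders[name]) {
      loaders[name]();
      started.push(name);
    }
  }
  // Show the banner only while no decision has been recorded.
  return { started, showBanner: !consent.decided };
}
```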

~~~
Guest9812398
Yep, this is right. You can technically use the service without giving
consent, so it meets the guidelines. However, the Verge will make that consent
box as annoying as possible to encourage you into accepting. Oh, you don't
want half of your screen blocked? Well, just click this simple button and sign
away your soul.

All the big companies are doing something similar. If you want to be an honest
publisher and follow the laws, you can have a clearly written consent box that
lets users accept or decline. However, you'll see 95% of people decline, and
take a big hit on your revenue while your competitors prosper.

What are we really accomplishing? We're just going to have popups on every
site that do their best to trick users into accepting. Do you want to
see other examples of consent management solutions that will be appearing
soon?

[https://www.quantcast.com/gdpr/consent-management-solution/](https://www.quantcast.com/gdpr/consent-management-solution/)

If you want to opt-out, you need to use the tiny "show purposes" button.

[http://acdn.origin.appnexus.net/cmp/docs/#/basic/show](http://acdn.origin.appnexus.net/cmp/docs/#/basic/show)

Click "execute" for the example. Want to opt-out? Click the "learn more"
button, and then you'll need to disable about 1,000 options.

They might as well just make personalized advertising illegal. It's pretty
clear 95%+ of people don't want to be tracked this way. However, these consent
management solutions are saying 70-80% of people are accepting. This is
happening because people are being tricked or forced into agreeing. Why are we
rewarding businesses that choose to use this kind of behavior and punishing
honest ones? Why are we turning internet browsing into an annoying experience
filled with popups that are a minefield to navigate?

~~~
PeterisP
Are you seeing the same thing I'm seeing?

If I go to the quantcast link and press 'show purposes', everything is
deselected by default as it should be, and if I click 'Save' there then I
proceed without having opted in to anything. Sure, the "show purposes" button
to refuse is misleading and should be changed, but the 1000 options screen is
fine, at least for me.

~~~
Guest9812398
Everything is deselected IF you click the "show purposes" button. If you visit
the page and click what appears to be the only option, "I agree", then you're
opted-in for everything.

Why doesn't the page have two equal size buttons, "I agree" and "I disagree"?
We all know why. It's about intentionally misleading users into agreeing. This
isn't fine, and it defeats the entire purpose of these regulations.

------
teamhappy
Talked to my mother the other day. She works at a tiny local (German) home
care company. (That means 5 middle-aged women in an office and a bunch of
nurses on wheels.) They've been ready for GDPR for a year now, including
sending their new data officer to the required seminars and whatnot.

------
aaronbwebber
This quote is bonkers:

> like “an oblique reference, like the tall bald guy who lives on East 18th
> Street. If someone said that in an email, that would be information you’d
> need to provide me with access to under the GDPR,” says Straight.

I have no idea how anyone who deals with user-generated content can possibly
comply with that. Even if you had an actual person reading through all your
content to try and find data related to "Jason Straight", without personally
knowing him there's no way they would know that this is referring to that
person.

I see a lot of complaints about 1500 page bills in front of Congress and so
on, but this kind of nonsense is exactly why you need 1500 pages of dense,
precise language to define these laws.

------
ddlatham
Many grocery stores offer memberships where they offer customers discounts in
exchange for the customers using an ID to help the store track their
purchases. Such arrangements appear to be voluntary and desirable for both
consumers and stores.

Would such an arrangement fly under the GDPR?

It would seem that if consent has to be freely given, and not conditioned on
something like a cheaper price, then the GDPR would not allow the grocery
stores to give discounts only to people who agreed to the membership and
tracking.

~~~
PeterisP
Yes, there are a bunch of problems with that business model now.

1. GDPR prohibits "bundling" of consent. Usage of your private data for, say,
physically making a membership card should have separate consent from using
that same data for tracking you; the fact that you want membership (and
consent to it) cannot imply that you must also want tracking.

2. GDPR requires that you must be able to withdraw consent without detriment.
That ties in directly to the cheaper price.

3. In general, GDPR declares that permission to use your data is _not_
something that can be "traded away" in a contract, that privacy is a core
right and thus you can't enter into a voluntary contract saying, for example,
"I give Bob $5, Bob allows me to use his data" - or, more exactly, you may
sign the contract, but the clause that gives permission to use data would
automatically be null and void, and Bob could revoke consent without detriment
anyway. Exactly as it is with binding arbitration and many other clauses in
consumer contracts; in the EU there are many aspects that can't really be given
away in voluntary contracts. As far as I understand, common law has a somewhat
different approach and tradition regarding contracts in this respect than civil
law in core EU countries; EU law doesn't shy away from regulating what a
contract may include (or what can be binding if included) even if both parties
agree to it.

~~~
ddlatham
That seems unfortunate for businesses like those grocery stores, and for their
consumers.

~~~
PeterisP
IMHO we'll be seeing a switch to pseudonymous/anonymous purchase tracking
instead of all these 'loyalty cards'; it's a bit more tricky and a bit less
useful, but it can be powerful anyway and get most of the analysis results
you'd want.

------
the_watcher
Only tangentially related but I've found it somewhat ironic that GDPR has
resulted in an extreme increase in communications from companies whose email
marketing I've unsubscribed from as every company with my email address sends
me their updated terms of service, most of which contain marketing surrounding
their "transactional" email.

------
davidhyde
It's refreshing to see an objective article written about this subject. They
presented plenty of facts from both sides of the argument and left the
subjectivity up to the reader. Well done.

------
waiseristy
“Companies, especially US companies, are definitely scrambling here in the
last month to get themselves ready.”

[https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Timeline)

They had two years to prepare for this.

~~~
dmitriid
I love the "especially US companies" bit. US companies have long assumed any
laws are just words on paper that don't apply to them. I really truly hope
GDPR hits many of these (and similar companies) really hard.

------
tw1010
Also true: The news maximizes fearmongering.

------
ggg9990
The GDPR exists for the EU to help itself to some $billion of the >$1 trillion
increase in the value of US tech companies over the last three years. If you
live in the real world, and not in the theoretical world of law as written,
you don’t have to worry about a thing unless you’ve got a business as
profitable as Facebook or as abusive as Unroll.me.

------
paxunix
So when does the cottage industry of companies spring up that take data
deletion requests in bulk from classes of EU citizens and batch them up for
submission en masse to BigCo? And then also sell you a monitoring service to
make sure that BigCo actually did go and delete all the data they were using
(at least, that which is publicly visible)? And then when they find that one
piece of data that wasn't deleted, sue BigCo?

It's probably far-fetched to think there's DDOS potential here for a company's
data officer(s), but when do the bot farm service vendors craft significant
numbers of realistic user accounts and then use the above companies to drown
BigCo in deletion requests for those fake users?

------
captainbland
Well it didn't make any odds last quarter so they're only preparing for it
now...

------
tango12
I've been getting opt-out emails instead of opt-in? Isn't that exactly what
GDPR said not to do?

------
joering2
I already benefit from GDPR - here is a constant spammer of my mailbox from
channelwisewq.im, and now I wanted to know who's behind it.

Oops... [https://snag.gy/4nAZOw.jpg](https://snag.gy/4nAZOw.jpg)

------
whataretensors
Intelligence agencies are. They are exempt from it and get a monopoly on data
collection.

~~~
falcon620
Are you suggesting EU intelligence agencies should abide by the GDPR?

~~~
sena
They already abide by the GDPR. There are exemptions on the GDPR for: national
security; defence; public security; the prevention, investigation, detection
or prosecution of criminal offences; etc.

------
gaius
I am ready. I have a list of targets already in mind.

I’m a big fan of EdX for example but it’s unacceptable that their app wants to
talk to connect.facebook.net. I didn’t consent to that and it’s not required
to deliver their services. And I did give them fair warning.

~~~
leadingthenet
I hope people will be proactive about this. Even if regulators aren't all that
interested, users can do a lot to enforce GDPR, thankfully.

------
mtgx
They had two years to comply. But most weren't aware of it for the first
year, and then they only started looking into being compliant with it a few
months ago.

It's not the EU's fault they are not ready. I don't think announcing the law 5
years earlier would have helped many more companies to comply before the due
date.

------
trothamel
I think the EU just kind of tipped their hand when questioning Zuckerberg:
German MEP Manfred Weber asked whether the Facebook CEO could name a single
European alternative to his "empire".

[https://www.theverge.com/2018/5/22/17380982/mark-zuckerberg-european-parliament-meeting-monopoly-antitrust-breakup-question](https://www.theverge.com/2018/5/22/17380982/mark-zuckerberg-european-parliament-meeting-monopoly-antitrust-breakup-question)

This sure seems like the EU trying to toss up arbitrary laws because they
can't compete with American companies.

~~~
Vinnl
I don't think the EU is such a monolithic entity as you seem to presume by
referring to a single MEP's comment...

