
The Nightmare Letter: A Subject Access Request Under GDPR - jjp
https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/
======
davidjgraph
Where's the problem? To me it shows what an excellent job the creation of the
GDPR was. It makes companies think in depth about the data they hold on me and
how they process it. It also provides clear ways to question and challenge it.

I've seen a number of articles trying to frame the GDPR as some kind of
shambles. The shambles is the way too many companies have abused and mis-
processed the data for too many years and somehow the EU lawmakers are
bureaucratic imbeciles. Yet, everyone I know is fully in favour of this as
consumers.

And, for context, I am the person who will have to deal with these at our
company. Our customers are absolutely entitled to expect us to process their
personal information in a responsible manner and I hope a number of these
letters are sent to every company, it's about time there was a power shift in
this area.

~~~
jcriddle4
About 50% of small businesses survive their 5th year and roughly 30% survive to
their 10th year. The concern is the drip/drip effect of more and more
regulation making those numbers even worse. In addition you may be saying to a
poor or middle class person that the money costs of starting certain types of
business are no longer in reach due to much higher costs. A large well
established business is in a much better position to weather these costs so
the wealthy get wealthier. What are the costs compared to the benefits?

~~~
davidjgraph
You hear the advice for new startups: only recruit the best from the start,
cut away the fat from your task lists to only focus on the critical issues
that generate business.

Here's another, bake privacy into your company from the start. Create a
culture that takes it seriously and threads it through everything it does.
Once you have this culture you'll find it costs less than when you try to
retrofit it after 3 years.

In terms of the benefits, I can only assume you're American to ask this. In
Europe we view our privacy as a human right and that our lawmakers should
protect that right, it's that simple.

~~~
nitwit005
You can't engineer this sort of thing away. A business that gets 1000 of these
letters will have to hire someone to handle it, regardless of how good a job
they did designing things.

~~~
smartbit
If you don’t keep the records of your customers, you’d answer those requests
in no time.

Aldi has become extremely successful without knowing their customer. Ikea
probably the same.

~~~
vsl
Wrong. Even if I didn’t store anything besides absolutely necessary (does your
product involve usernames or emails - bam, _personal information_ ) and was
absolutely above board, it would take me hours to respond to this.

~~~
heavenlyblue
You see: you should have read the law before assuming that requesting this
information from the user is legal. It had to be stored in one, single place.
Therefore answering this question shouldn't take more than 5 minutes, if you
have anticipated GDPR.

------
geocar
If you get a letter like this, reply in plain language:

Given that the "requests are complex or numerous", I will be responding within
three months as recommended by the ICO[1]. Have a nice day.

You now have plenty of time to deal with it properly.

If you have a lot of data on someone, you can enumerate the categories (1) and
then request they break it down (specifically request 1c; see Recital 63[2] of
the GDPR for the exact language). Almost everything else should be in your
privacy policy anyway.

If you do not have a lot of data on someone, then three months should
certainly be enough time to properly respond to this.

Most businesses do not have any personal data on anyone beyond what you need
for an invoice. If you have a dedicated CRM that contains leads of potential
customers, or you use an online service like SalesForce, you can probably get
their support in complying.

[1]: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

[2]: http://www.privacy-regulation.eu/en/recital-63-GDPR.htm

~~~
nopriorarrests
Sorry, but ICO stands for "Information Commissioner Office", and they seem to
be a UK organization, having a .uk domain and all that. How can they recommend
anything with regard to EU-wide law? Or, stated differently, how does their
recommendation hold any value at all?

~~~
kenbaylor
Each country will have a Data Protection Authority (DPA) which is the
regulator in the country. The ICO is the one in the UK.

The last letter of the GDPR is Regulation. A regulation is very different from
a Directive (the pre-GDPR law is based on a directive). There is very
little wiggle-room with a Regulation, even between countries. The ICO also
works with other DPAs currently as part of Working Party 29, which ensures the
DPAs are working in sync.

So the ICO advice is worthy of close study, especially if your local DPA
(assuming you have one) has not commented or given guidance on a certain
matter.

~~~
barrkel
To add, the difference between directive and regulation is in Article 288 of
the TFEU:

_To exercise the Union's competences, the institutions shall adopt
regulations, directives, decisions, recommendations and opinions.

A regulation shall have general application. It shall be binding in its
entirety and directly applicable in all Member States.

A directive shall be binding, as to the result to be achieved, upon each
Member State to which it is addressed, but shall leave to the national
authorities the choice of form and methods._

~~~
arrrg
Basically, a regulation is like a law. It’s directly binding as law.

A directive is something member states have to implement themselves, probably
also by passing a law using their own national process for doing so. As such
there can be (greater) differences in the different national implementations
of the directives.

------
cromwellian
It's not baking security/privacy in from the start that's the problem, it's
the need to have a "compliance officer" and have to handle these requests.
Small companies don't have time or resources for this.

Look at the Americans with Disabilities Act, an act that has done enormous good
in many ways, but that has also led to an entire industry of lawyers hassling
tiny businesses over insignificant infractions. (e.g.
https://www.mercurynews.com/2016/04/10/serial-ada-lawsuit-filer-striking-bay-area/)

Startups in the US won't have this hassle. You don't have to serve EU
customers to reach mid size/product market fit, you can concentrate on
iterating on your core product. When it's time to scale, then you can look at
GDPR. So limited resources stretch further.

But if the lawyers in Europe start becoming a nuisance to startups there, it's
just going to force more and more services to be located overseas, and more
and more government complaining about the dominance of overseas tech, a
problem they're probably going to make worse.

~~~
guitarbill
> Startups in the US won't have this hassle.

Startups in the US are what got us into this privacy nightmare in the first
place. Of course, they are no longer startups, but they still didn't fix shit
once they got bigger, so I don't see how this argument holds.

I like to think of privacy like internationalisation or security. When I
started programming, Unicode/UTF-8 was niche and not well supported at all.
Now, for new languages, it's a given. The same with decent crypto libraries.
Databases now offer pretty great Unicode support (except for the old ones
where it had to be bolted on, _cough_ MySQL _cough_). It isn't
inconceivable that privacy tools become standard in databases and data
processing frameworks.

Personally, I see this as a brilliant opportunity for people/companies who
want to do the right thing for their customers (whether that's consumers
directly, or a company using them).

My prediction is you'll see this with cloud providers strongest. Some are
putting a lot of effort into GDPR, and a properly compliant provider will
become a huge value-add, and not a liability.

~~~
briandear
You don’t think BNP bank or AXA insurance play loose with sharing personal
data? I had my Peugeot dealer share my purchase information with a third party
“extended warranty” vendor without my permission. The vendor called me and
sent letters. I never told Peugeot that they could sell my data. I have never
given any business permission to call me — yet they do.

Blaming US tech is naïve. European companies have been engaged in non-digital
forms of privacy invasion long before Google even existed.

~~~
guitarbill
I agree, but people on HN don't seem to care about those as much as US
startups. Plus who is worried about car dealerships going under just because
they can't pass on your data to some scummy vendor? (Also, some countries have
laws close to the GDPR already, where this wouldn't fly.)

Having said that, shunning one car dealership is way easier than trying to
stop Facebook or Google slurping your data, even with ad blockers et al.

------
kenbaylor
The reason why this is such a great letter is because it questions the
competence of the recipient DPO. The data subject has a right to _some_ of the
information, but by no means all of it.

If the DPO complies with all of it, they will breach the GDPR (e.g. Request
9b). Of course a data subject also has no right to know what security controls
(request 8) you have in place, other than they are 'commercially reasonable'.

A regulator can require this information, but not a consumer (data subject).
This could be the basis of a great interview test for selecting your DPO.

~~~
number6
The requests themselves are legit. E.g. request 8 is aiming at ISO 27001,
which states that the information policy is to be made public to stakeholders.

Request 9b is a bit tricky since the regulator has to be informed but not per
se the data subject. Only if there is a risk for the data subject do they have
to be informed.

The letter is carefully worded itself. The parts the data subject does not
have a direct right to know are friendly requests (eg 4 vs 8b).

You can answer 8b just with one word: Yes. (Well or No)

The takeaway here:

If you give this letter to your technical personnel you will get a detailed
overview of the infrastructure they use.

If you give the same letter to your lawyer you would get a very polite letter
with the bare minimum of information.

Example for 8b would be this: "We have technology in place which allows us
with reasonable certainty to know whether or not your personal data has been
disclosed"

~~~
hedora
> Example for 8b would be this: "We have technology in place which allows us
> with reasonable certainty to know whether or not your personal data has been
> disclosed"

Arguably, such technology doesn’t exist (at least when plugged into a computer
network). What penalties are in place if you lie in the response?

~~~
geofft
I'd expect "with reasonable certainty" to mean something different to pedantic
lawyers/regulators than to pedantic cryptographers. Although perhaps an actual
lawyer might suggest another phrase there, like "industry-standard measures"
or something.

~~~
number6
Yeah I think a lawyer would write something even more nebulous... We minimized
the risk according with our assessment with industry standard measures in
accordance with our threat model to a reasonable level of safety as defined in
the international standards taking in account user experience and the
requirements of our partners all in accordance with local and EU law...

------
retrac98
Technical types seem naively optimistic about how GDPR is going to work out.

Businesses will do enough to pass the sniff test of proper compliance with
GDPR, and no more. I've worked with enough to know most mid sized orgs are far
too reactive, too technically incompetent, and far too busy making money to do
a proper job on adhering. Most flout existing laws already, I don't think
they'll be scared of disregarding elements of this too.

~~~
donohoe
Maybe. Maybe not.

I know that there is a HUGE concern about the fines that can be used to back up
GDPR.

I know of US companies that have an EU presence legally (but with little income
from EU) that are considering just blocking EU traffic as a way to stay safe
with the smallest overhead.

~~~
foobarbazetc
Or you could just run a semi-competent data operation...

~~~
jimktrains2
That really isn't the only reason the GDPR can cause headaches you'd rather
avoid.

~~~
guitarbill
That's fine, businesses have that choice. Hopefully, GDPR gives people a
choice w.r.t. what happens with their data.

Many countries in the EU have a great standard of living by focussing on
individual's rights vs companies. Well, I say focussing. From our perspective,
it's just normal and a good balance. But if you live in a country where
companies can screw you over in a million ways ("at will" employment,
arbitration, NDAs, etc.), maybe such rights might seem a bit alien.

~~~
jimktrains2
No, I mean my understanding of the law is unclear because the law itself is.
It'll take a few court cases to hammer out most of the clarifications. Once
it's better understood or made to be like PCI, which literally spells out
steps to take for minimum compliance, it'll be a headache at best.

~~~
guitarbill
Fair enough, although how is this different from other laws? If laws were
obvious, there'd be no lawyers or judges.

And if you've tried to comply with the law, but unintentionally fail to handle
some edge-case with low impact, the sanctions are pretty light (e.g. a warning
letter). It's not draconian, as long as you don't cut corners.

~~~
jimktrains2
Most laws aren't so far reaching and the vast majority in terms of regulatory
scope have been fleshed out. These same issues do happen with any new broad
far reaching regulations. This is one of the first that is both a significant
increase in regulatory burden and that deals with, ostensibly, the global tech
market.

Also, the fines here can be real money, which also isn't often the case. That
plus the lack of clarity are why people are concerned about it.

Basically they're worried that you can do everything right and still be wrong
because everything isn't well defined and is very difficult to define.

------
5h
Reading this actually makes me feel pretty good, my team & I have been working
on GDPR tooling for our app for the past couple of months & combined with the
fact-sheets we've prepared answering such a letter while complying with the
individual's rights would be pretty straightforward.

~~~
redleggedfrog
I was thinking the same thing. Wouldn't be too hard to give that to a support
person and get good answers. After the first one, a lot of it is reusable. And
then a lot of it is already in the marketing materials we use for selling our
services!

------
montrose
It seems to me that this letter is similar to a denial of service attack in
the way that, although a valid request, it places an impossible burden on the
recipient.

If so, the GDPR is similar to a broken protocol.

Maybe the people who designed it assume that it will never be misused. Anyone
with experience designing protocols could tell them how dangerously naive that
is.

~~~
edent
If you can't answer those questions in a few button clicks, then you probably
can't be trusted with my personal data.

We keep being told that "data is the new oil". It is. Not for money making
opportunities, but because you have to handle it responsibly and if it leaks
it will cost millions to clean up.

~~~
montrose
Or you are an early-stage startup with just a couple founders trying to do
everything.

~~~
detaro
What exactly about being a startup makes this a lot harder? I'd expect a
startup would in many cases have a fairly easy time answering requests like
this, since it won't have built years worth of legacy systems, half-abandoned
projects, weird cross-department data accesses etc that could catch a large
company here. You'll likely have fairly centralized storage and a reasonable
number of service providers you use for specific purposes. Plus, the typical
startup has more or less the same relationship with every customer, so it
should be fairly easily repeatable once you've documented it once.

For the few small companies I've worked for, this would have been a bit of
work once (document the dataflows), and then a fairly easy set of queries to
be repeated each time.

~~~
gingerlime
It's not just about answering the questions. It's also about answering them in
a legal-safe way that won't put you in more trouble than not answering them at
all. And any small variation in the questions can require someone with legal
experience just checking this, which costs money.

To add to a sibling comment, Google can afford a big enough legal department
for estimated 0.00000x% of their turnover that deals exclusively with these.

For smaller organizations, this becomes more like 0.x% of turnover...

Not to mention the distraction and plain overhead when you're juggling so many
other things.

~~~
jopsen
> It's also about answering them in a legal-safe way that won't put you in
> more trouble than not answering them at all

By that logic don't you need a lawyer to handle all customer support
interaction?

Couldn't you get sued for fraud if you fail to document purchases in a legal-
safe way?

------
vasco
What provisions are there in place for a company receiving this type of
request to confirm the identity of the requesting party? Are companies
expected to be able to properly identify a citizen, in order to not disclose
possibly very sensitive information to someone else impersonating them? In a
lot of cases the company might not even have enough information stored in
order to know who the owner of a given account is. How do you prove
"abc123@example.com" is Mr. Smith, if your service doesn't ask them for names?
Or if it does, which Mr. Smith do you have on record? Email original senders
can be spoofed.

The first thing I'd do if I was a black hat type attacker would be to submit
GDPR information requests to all internet companies I could think of on behalf
of all my targets.

~~~
wickedlogic
I haven't seen this reasonably addressed in any of the discussions, or
org-based presentations thus far. GDPR compliance itself basically ensures you
cannot collect enough information to even defend against this type of attack
vector.

~~~
smu
This is mentioned in the recitals: you can request additional identification,
in fact you should if you can't identify the subject [1] and if you can
demonstrate that you can't identify the data subject (with reasonable effort),
you don't have to comply with the request. [2]

[1] https://gdpr-info.eu/recitals/no-57/

[2] https://gdpr-info.eu/art-12-gdpr/ (point 2)
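
The identification step smu points to, as an added Python example that is not code from any commenter on this thread or from the regulation itself: a small gate that releases a data subject's records only after the requester proves control of the contact address already on file, using a one-time challenge token with an expiry and a constant-time comparison. The `DsarGate` class, the constructed `ACCOUNTS` record and the `abc123@example.com` address (borrowed from vasco's comment above) are assumptions made for the illustration, as is the 15-minute token lifetime.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL = 15 * 60  # seconds a challenge token stays valid (assumed policy)


@dataclass
class PendingRequest:
    subject_id: str
    token_hash: bytes   # only the hash of the challenge is stored server-side
    expires_at: float
    verified: bool = False


class DsarGate:
    """Holds pending access requests; data is released only after the
    requester proves control of the contact channel already on file."""

    def __init__(self, accounts: dict):
        self.accounts = accounts   # subject_id -> {"email": ..., "data": {...}}
        self.pending: dict = {}    # request_id -> PendingRequest

    def open_request(self, claimed_email: str, now: float):
        # The address the requester claims only selects which on-file channel
        # receives the challenge; a spoofed sender address proves nothing by itself.
        subject = next((sid for sid, a in self.accounts.items()
                        if a["email"] == claimed_email), None)
        if subject is None:
            return None, None   # no matching data subject, nothing to disclose
        token = secrets.token_urlsafe(32)
        request_id = secrets.token_hex(8)
        self.pending[request_id] = PendingRequest(
            subject, hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        # In a real deployment `token` is sent to accounts[subject]["email"]
        # and never returned to the caller; returned here only for the demo.
        return request_id, token

    def confirm(self, request_id: str, token: str, now: float) -> bool:
        p = self.pending.get(request_id)
        if p is None or now > p.expires_at or p.verified:
            return False   # unknown, expired, or already used (no replay)
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(p.token_hash, presented):
            return False
        p.verified = True
        return True

    def disclose(self, request_id: str):
        p = self.pending.get(request_id)
        if p is None or not p.verified:
            return None    # refuse until the channel check has passed
        return self.accounts[p.subject_id]["data"]


# Constructed sample account store.
ACCOUNTS = {
    "u1": {"email": "abc123@example.com", "data": {"name": "Mr. Smith", "orders": 3}},
}


def demo() -> dict:
    gate = DsarGate(ACCOUNTS)
    t0 = 1_700_000_000.0
    rid, token = gate.open_request("abc123@example.com", t0)
    before = gate.disclose(rid)                         # not yet confirmed
    wrong = gate.confirm(rid, "not-the-token", t0 + 60)
    ok = gate.confirm(rid, token, t0 + 60)
    replay = gate.confirm(rid, token, t0 + 61)          # token is single-use
    data = gate.disclose(rid)
    rid2, tok2 = gate.open_request("abc123@example.com", t0)
    expired = gate.confirm(rid2, tok2, t0 + TOKEN_TTL + 1)
    unknown, _ = gate.open_request("nobody@example.com", t0)
    return {"before_confirm": before, "wrong_token": wrong, "confirmed": ok,
            "replay": replay, "data": data, "expired": expired, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the claimed identity is never the thing that unlocks disclosure; possession of the on-file channel is, which is the "additional identification" the recital allows a controller to ask for.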

------
adamwathan
What frustrates me the most about the GDPR is that a single person building a
mailing list for a $19 ebook launch is just as affected and burdened as any
other company. A side-business that might make you $30,000/yr is now no longer
worth pursuing because of the costs of working with a lawyer to make sure you
are GDPR compliant and have all of the right policies in place.

It raises the barrier to entry for small one person businesses even more,
forcing out anyone who can't justify the costs of compliance.

~~~
jopsen
If you're building a mailing list for your ebook, won't you just need:

1) Allow people to login and view their personal information: name, email.

2) Allow people to delete the profile.

And don't retain any data other than (1) or (2). If you want to track users to
see if they clicked links and what countries they are browsing from then: (A)
anonymize it or (B) make it visible in the profile information (1).

If all you record is name and email, you won't need a lot of infrastructure.
Your policy might say you transfer email addresses to AWS when sending emails.

------
cycop
The comments are an eye opening experience, amazed to see how so many people
think they don't have a huge responsibility to the owner of personal
information. More of a reason why GDPR is needed.

~~~
fogzen
I’m amazed people think they own personal information at all. As if writing
their name on something makes it their property.

~~~
PeterisP
While you may be amazed, this is literally now the truth in the EU.

The right to control such information is established as a right of the
individual; and if you have possession of some information about me, then yes,
I have more rights to control what you are allowed to do with this information
in your hands than you, and that information can never in any way fully become
"your property".

As if possessing something makes it your property - property is a legal notion
and (in democratic countries) means just what people want it to be.

------
harshreality
If this kind of request is a "nightmare" or too much of a burden, they should
automate it.

"We put lots of engineering effort into mining your personal data and selling
bits to other people, but we can't be bothered to put any engineering effort
into disclosing on your profile or account-settings page what we're doing with
your data."

A lot of the questions are answerable generically (no differences between
users). You can't tell me that writing a data privacy FAQ with those answers
in clear, simple language, once, with a link on every page and on users'
profiles, is an excessive burden. These companies just _don't want to_ have
even that minimal burden and process to ensure that changes in usage of
personal data get documented and updated on such a FAQ.

~~~
Silhouette
The GDPR applies as much to a startup or side business as it does to Facebook
and Google.

A letter like this would be a hugely disproportionate burden to a small
business like that. It would take many hours, if not days, to reply properly
to all of those points, even for a business that is doing nothing shady or
unusual.

You can't just write "automate it" as if that has no cost.

~~~
maxxxxx
This looks like a fantastic opportunity for startups to help automate the
process.

~~~
wyager
After this whole process of ineffectual, burdensome regulation followed by
inconvenient, expensive, mediocre regulatory automation, how much better off
is society?

~~~
lagadu
> how much better off is society?

We should ask that to the dozens of millions of Americans who have their
private data for sale even as I type this after the Equifax breach. Bonus: we
can literally buy it and use that data to contact them directly and ask :)

~~~
wyager
Are you willing to bet money on there being no data breaches from GDPR
compliant companies in the next N years?

------
bogomipz
There's a different "nightmare letter" in the US, one that ordinary citizens
receive. It comes from a credit agency or a company that uses a credit agency.
The letter informs folks that they have been the victim of a data breach and
that their personal data "may have been accessed." The nightmare letter
provides little meaningful detail beyond that.

The letter is sent via regular snail mail and arrives months after the actual
data breach occurred. The letter is largely devoid of any meaningful recourse
for the victim. It does however offer "free credit monitoring" for up to 1
year by the same agency that displayed complete disregard for security.

If compliance and accountability with people's data especially when they are
not permitted to opt out of such a system constitutes a "nightmare" then
perhaps those companies should rethink parts of their business model.

~~~
eadmund
That those practices are bad does not mean that something as simple & proper
as storing IP addresses in your logs justifies receiving a nightmare letter.

The GDPR is trying to do a good thing, but it goes too far.

~~~
geofft
Why are you storing IP addresses in your logs? The web server _my college
computer club ran_ made a point of not storing IP addresses. We would respond
to legitimate requests from campus police / the deans / other people who could
kick us out of the college (usually when someone was, like, making threats of
violence in the comments of a WordPress blog or whatever), but we would often
answer with, "No, we don't have that data, it never got logged."

If the GDPR is forcing businesses to abandon dangerous logging practices that
they don't really need, it is hardly going too far.

~~~
twunde
Most applications will log IP addresses by default. Why? 1) Many security
products rely on IP addresses in order to blacklist known malicious users
(including fail2ban) and/or detect hacking attempts. Monitoring for stolen
credentials also will typically check IP addresses, i.e. why is John showing up
as being logged in from an unknown IP address when he's in the office with me?
2) It can be useful for debugging. Are those requests going to the right
server? Is there one server where something isn't working correctly, i.e. is
that server misconfigured? 3) Some businesses are required to prevent
screenscraping of certain data. Solutions to prevent that typically use and
store IP address information.

~~~
geofft
1 can be done by checking but not logging IPs, which we certainly did (we'd
tcpdump traffic and throw it in iptables) or logging IPs of malicious requests
but not of normal behavior.

2 is what this regulation is intended to stop: you shouldn't be trading off
"it might be useful in the future" for "it can be misused by authorized users,
or exfiltrated by hackers".

3 seems reasonable, but does that require a retention policy of more than a
couple of hours?
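
A concrete form of the "check but don't log" and "log only malicious requests, with short retention" approach geofft describes, as an added Python example that is not code from any commenter on this thread: client IPs are checked in memory against a blocklist and a simple probe heuristic, normal requests are logged under a keyed pseudonym instead of the raw address (so a single client's requests can still be correlated for debugging within a key period), and the raw address is kept only for flagged requests and purged after a fixed window. `BLOCKLIST`, `FLAGGED_RETENTION`, the `../` probe pattern and the sample addresses (RFC 5737 documentation ranges) are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed sample: addresses an upstream control (a fail2ban-style
# blocklist, say) has already flagged. Held in memory for checking; never
# written to the normal access log.
BLOCKLIST = {"203.0.113.7"}

# Per-deployment secret for keyed pseudonymisation; rotating it periodically
# is assumed, which also bounds how long pseudonyms stay linkable.
PSEUDONYM_KEY = os.urandom(32)

# Raw client IPs for flagged requests are kept only this long (seconds).
FLAGGED_RETENTION = 2 * 3600

# Crude heuristic for a path-traversal probe; a real deployment would use
# its WAF or IDS verdict here instead.
PROBE_PATTERN = re.compile(r"\.\./")


@dataclass
class LogStore:
    access: list = field(default_factory=list)   # lines with no raw IPs
    flagged: list = field(default_factory=list)  # (expires_at, line)


def pseudonymise(ip: str) -> str:
    """Keyed hash of the address: same client -> same tag within a key period,
    but the tag cannot be reversed to the address without the key."""
    return hmac.new(PSEUDONYM_KEY, ip.encode(), hashlib.sha256).hexdigest()[:16]


def is_malicious(ip: str, path: str) -> bool:
    # The check uses the raw IP; nothing about a clean request is written down.
    return ip in BLOCKLIST or bool(PROBE_PATTERN.search(path))


def record(store: LogStore, ip: str, path: str, status: int, now: float) -> str:
    """Route one request to the right log. Returns which log it went to."""
    if is_malicious(ip, path):
        line = f'{int(now)} flagged ip={ip} path="{path}" status={status}'
        store.flagged.append((now + FLAGGED_RETENTION, line))
        return "flagged"
    line = f'{int(now)} client={pseudonymise(ip)} path="{path}" status={status}'
    store.access.append(line)
    return "access"


def purge_expired(store: LogStore, now: float) -> int:
    """Drop flagged entries past their retention window; returns how many."""
    before = len(store.flagged)
    store.flagged = [(exp, line) for exp, line in store.flagged if exp > now]
    return before - len(store.flagged)


def demo() -> dict:
    store = LogStore()
    t0 = 1_700_000_000.0
    # Constructed sample traffic.
    record(store, "198.51.100.23", "/index.html", 200, t0)
    record(store, "198.51.100.23", "/about", 200, t0 + 1)
    record(store, "203.0.113.7", "/index.html", 200, t0 + 2)       # blocklisted
    record(store, "192.0.2.9", "/../../etc/passwd", 404, t0 + 3)   # probe
    purged = purge_expired(store, t0 + 3 * 3600)
    return {"access": len(store.access),
            "flagged_after_purge": len(store.flagged),
            "purged": purged}


if __name__ == "__main__":
    print(demo())
```

Two normal requests end up in the access log with no address in them, the two flagged ones carry the raw IP, and three hours later both flagged lines are gone; the access log's pseudonyms stay stable for the life of the key, which is what the debugging use case needs.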

------
cycop
This is basic cyber security stuff and I get these questions from customers
almost daily. If you are going to be in the business of using people's personal
information then you need to be prepared to answer these questions.

~~~
kodablah
Even if you're not in that business you need to be prepared to answer these
questions.

------
MarkMc
My business takes credit card payment information from users. But it doesn't
store that information - it just forwards it to Stripe.

So if a user asks me for details of all her personal information, do I have to
go to Stripe and say, "Please give me the credit card information you have on
Jenny Smith"? Or do I say to the user, "Please contact Stripe directly - your
Stripe customer ID is cus_34534985798243"?

~~~
creature
Neither, in this case. Under the GDPR, you'd be expected to reply something
like "As described in our privacy policy we use Stripe for processing
payments. The data you enter on our checkout is transferred directly to
Stripe, and is not stored by us." You're expected to make sure that third
parties your company works with are GDPR compliant, but that's just a case of
"ensure Stripe's privacy policy reads as GDPR compliant".

~~~
guitarbill
It also doesn't seem like a huge stretch for a GDPR-compliant 3rd party
whose API you consume to add some GDPR-related API calls.

(Payment processors are probably a bad example, as they already have boatloads
of legal and contractual requirements to deal with. If they're at all
reputable, the GDPR will impact them minimally. The flip side of this is ad
tech, whose scummy business model is almost painfully incompatible with GDPR -
at the moment.)

------
filoleg
Simple question: if I just want to not make my business available to subjects
that fall under GDPR regulation (so that I don't have to worry about it at
all), would putting up a disclaimer that you have to accept before entering
the website be enough? I was thinking about something similar to how many
sites that deal with alcohol content, for example, make you confirm that you
are 21 or older by clicking on a button before you get access to the website.

Please, refrain from sidetracking to things like "well, you wouldn't worry
about it if you built everything with GDPR in mind in the first place". That's
not what I was asking.

~~~
piotrkaminski
I believe it should be sufficient to:

- Incorporate your business outside the EU.

- Have no offices in the EU.

- Reside outside the EU.

- Not visit the EU (?).

- Not employ any EU residents.

- Not target any advertisements about your business to EU countries.

- Only offer your site in your local language and/or English.

- Don't register your site in an EU TLD.

At that point, as far as I can tell (and of course I'm not a lawyer), you have
no EU presence and even the GDPR admits that it doesn't apply to you.
Presumably these conditions apply to the vast majority of small businesses
where dealing with random claims of extra-territorial jurisdiction is just a
waste of time.

This being HN, I'm sure somebody will be ecstatic to correct me if the above
is wrong.

~~~
filoleg
I am sorry for the tone, but this is exactly the kind of answer I didn't need.
I didn't ask "how to work around GDPR without complying with it". My question
was "is putting a disclaimer and having to click and confirm that you aren't an
EU citizen enough to guarantee me no trouble from EU?"

~~~
piotrkaminski
I guess my implicit answer was "I think so -- in fact, you probably don't even
need to do that much". (Though you want to replace "EU citizen" with "EU
resident".) And of course nothing will _guarantee_ no trouble.

------
robin_reala
This is all good, and consistent with GDPR’s attempt to reframe data as a
liability rather than an asset. The first months and years are going to be
painful, but eventually companies will adapt to the new normal.

~~~
jimnotgym
As a PCI compliant company I already treat data as a liability. So much data
collection is unnecessary, or the result of defaults, like logs left on
that nobody ever looks at.

------
jimnotgym
All those people who complied with the 1995 regulation and in the UK the
subsequent 1998 Data Protection Act that passed it into law must be feeling a
bit smug about this, as they will have this process in place already.

The new General Data Protection Regulation is a welcome incremental update,
which brings in much better methods of enforcement against the cross-border
nature of large data processors. Facebook of course were not around in 1995.

I also welcome the need for explicit plain language privacy terms. Any law
that pushes out legalese must be welcome.

------
Skye
...and how is wanting to know what a company has about you a bad thing? I'd be
worried if a company cannot answer this, because that means they haven't got a
handle on what data they store, which means that when they get hacked, they
wouldn't know what got taken!

EDIT: grammar (got -> get)

------
rstephenson2
One interesting part about this is that it's a letter, and the author never
explicitly mentions that it was sent in an email. Assuming this letter arrives
in the post one day, what do you do? Ask them to email you for verification?
Send you one of their 2FA codes? What if your site doesn't have a login? Can
they send you a screenshot of their IP address as verification?

I get why the EU didn't want to overly specify the method, but it creates a
lot of uncertainty about what processes are allowed/required. And with the
pressure of gigantic fines on the line, it seems like GDPR opens up a
significant vector for stealing other people's information via GDPR requests.

------
y0ghur7_xxx
Sorry, this is off topic, but I would really like to read the article but it
asks me to create a LinkedIn account to read it and I am not comfortable with
that. Is that the only way to read it?

~~~
robin_reala
I don’t have a LinkedIn account (and my email address is in their blacklist)
yet I was able to read it OK?

~~~
y0ghur7_xxx
I don't know. It redirects me to
[https://www.linkedin.com/authwall?trk=bf&trkInfo=AQH_V0VMQls...](https://www.linkedin.com/authwall?trk=bf&trkInfo=AQH_V0VMQlsQWwAAAWI0GwnQkikFevm0oWV5fgjniYjdZzKfOCSiBIdHwbtz5jaAJnIGDBU2bhmgDrOoDip-nXu1s0ZX4Pigd_qIkcBIqxXcIOlkxNAMBODg3WBtguOQhk_ghJ4=&originalReferer=https://news.ycombinator.com/&sessionRedirect=https%3A%2F%2Fwww.linkedin.com%2Fpulse%2Fnightmare-letter-subject-access-request-under-gdpr-karbaliotis%2F)

~~~
drewmol
I was gonna ask the same, LinkedIn's authwall seems more difficult to
circumvent than the news paywalls I encounter. It would be unfortunate to have
to create a dummy account. If I do, I'll send them a copy of this letter ;-)

------
thinkingemote
How do you think Hacker News (this site) would react to such a letter, and
what do you imagine a likely response would be?

Would all a user's comments be classed as personal data? Would just pointing at
the website be enough to satisfy the request for a copy?

~~~
geocar
> How do you think Hacker News (this site) would react to such a letter, and
> what do you imagine a likely response would be?

I suspect Hacker News would simply delete the user's information from the site
and explain that they control no data on the subject.

If they are clever they would include an invoice for £10 with that response.

> Would all a users comments be classed as personal data?

Probably not. A user name is probably not personal data. The name "John Smith"
might not even be personal data. The ICO explains:

 _By itself the name John Smith may not always be personal data because there
are many individuals with that name._

[https://ico.org.uk/media/for-organisations/documents/1554/de...](https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf)

Even if the user posts a comment containing what is undeniably personal data,
you still might not have to consider it personal data simply because Hacker
News search sucks; Recital 26 says:

 _To ascertain whether means are reasonably likely to be used to identify the
natural person, account should be taken of all objective factors, such as the
costs of and the amount of time required for identification, taking into
consideration the available technology at the time of the processing and
technological developments._

> Would just pointing at the website be enough to satisfy the request for a
> copy?

Yes, in fact recital 63 recommends "remote access" as a method:

[http://www.privacy-regulation.eu/en/recital-63-GDPR.htm](http://www.privacy-regulation.eu/en/recital-63-GDPR.htm)

~~~
e12e
Most of this seems wildly wrong and naive.

What hn probably should do is offer a "takeout" option and a "delete me"
option on the account page. The former would export every comment and
submission along with vote counts, links to upvoted comments/stories profile
data etc. All in machine readable form (eg: s-expressions).

The latter would delete profile along with data. Or, possibly, simply
anonymize the posts.

I'm not entirely clear on the GDPR vs publishing - I don't think it's meant as
a tool for "book burning" - and I've yet to see an interpretation vis-a-vis
public discourse. There certainly are laws governing public archives that
override parts of the GDPR in certain contexts.

So while hn would probably have an obligation to export all comments, I'm less
clear if they'd have an obligation to delete, under the GDPR.

If the ip is logged along with actions, that'd also be considered personal
data, and fall under the GDPR.

~~~
geocar
> What hn probably should do ...

The reason I think Hacker News would simply delete it has nothing to do with
the GDPR, but because they seem to have responded to requests to delete an
account and comments in the past:

* [https://news.ycombinator.com/item?id=2493474](https://news.ycombinator.com/item?id=2493474)

> i don't think it's meant as a tool for "book burning"

I think you've confused my statement of "I suspect Hacker News would..." to be
a legal/professional opinion about what Hacker News should do, or would be
compelled to do so under the GDPR.

That wasn't my intention.

> If the ip is logged along with actions, that'd also be considered personal
> data, and fall under the GDPR.

The ICO disagrees.

[https://ico.org.uk/media/for-organisations/documents/1591/pe...](https://ico.org.uk/media/for-organisations/documents/1591/personal_information_online_cop.pdf)

 _"A single household PC may have different family members using it under the
same login identity. As a result, the IP address and cookies cannot be
connected to a single user. Therefore it is unlikely that this information
will be personal data."_

That it may be personal data does not mean that it is personal data, nor are
you under an express obligation to attempt to unmask anyone that you might
have the ability to do so.

There is a risk/reward concept in the GDPR however. There are reasons that are
useful to users to keep their IP addresses in a database, and there are risks
with keeping their IP addresses in a database. This is why the ICO also
recommends you blank out the last octet of the IP address.

~~~
tzs
> There are reasons that are useful to users to keep their IP addresses in a
> database, and there are risks with keeping their IP addresses in a database.
> This is why the ICO also recommends you blank out the last octet of the IP
> address.

Note: If you are going to use that IP address for determining location (which
is common when dealing with the EU, because that is one of the things the EU
considers acceptable evidence to justify your choice of which country's VAT to
collect for an online sale), do the location lookup before blanking the last
octet.

I had hoped that the first 24 would be sufficient to determine country, but
that is not the case. For example, here are current results from MaxMind's
GeoIP service:

    
    
      5.62.58.243 US
      5.62.58.244 US
      5.62.58.245 DE
      5.62.58.246 DE
      5.62.58.247 DE
      5.62.58.248 US
      5.62.58.249 US
      5.62.58.250 US
    

A couple weeks ago, BTW, 5.62.58.244 was identified as DE. This suggests that
it might be a good idea to keep the full IP address around at least until you
file your quarterly VAT MOSS documents, so that you can do another lookup then
and possibly get a more clear picture of who you owe VAT to for the sale.

PS: I have no relationship with whoever owns those IP addresses, as far as I
know. A few weeks ago I did GeoIP lookups on all 4 billion IPv4 addresses to
find all the ranges of US IP addresses (there were 22029 ranges) as part of
optimizing a filter that is supposed to reject non-US traffic from certain
reports. To get an example for this comment I looked through those ranges
looking for one where there were two different US ranges overlapping the same
/24, and 5.62.58.0/24 was the first one I noticed.
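
The ordering described above (resolve the country from the full address, then blank the last octet as the ICO advises) as an added Python example; it is not code from this thread. The GeoIP table is constructed from the eight results quoted in the comment rather than a real MaxMind database, and the IPv6 /48 truncation is my own assumption.

```python
"""Decide the VAT country from the full client IP, then keep only a
truncated address.  Constructed GeoIP table and IPv6 prefix are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class GeoRange:
    """An inclusive address range that a GeoIP provider maps to one country."""
    first: IPAddr
    last: IPAddr
    country: str


def _rng(first: str, last: str, country: str) -> GeoRange:
    return GeoRange(ipaddress.ip_address(first), ipaddress.ip_address(last), country)


# Constructed table: the eight per-address results quoted in the comment for
# 5.62.58.243-250.  A real deployment would query a GeoIP database instead.
CONSTRUCTED_GEOIP: List[GeoRange] = [
    _rng("5.62.58.243", "5.62.58.244", "US"),
    _rng("5.62.58.245", "5.62.58.247", "DE"),
    _rng("5.62.58.248", "5.62.58.250", "US"),
]


def lookup_country(ip: str, table: List[GeoRange] = CONSTRUCTED_GEOIP) -> Optional[str]:
    """Country for a single address, or None when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for r in table:
        # Compare only within one address family; mixed comparisons raise TypeError.
        if r.first.version == addr.version and r.first <= addr <= r.last:
            return r.country
    return None


def truncate_ip(ip: str, v6_prefix: int = 48) -> str:
    """Blank the host part before storage: the last octet for IPv4, as the ICO
    advice quoted in the thread suggests; /48 for IPv6 is an assumption here."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def countries_in_prefix(cidr: str, table: List[GeoRange] = CONSTRUCTED_GEOIP) -> Set[str]:
    """Every country the table assigns somewhere inside cidr.  More than one
    entry means the prefix alone cannot tell you the country."""
    net = ipaddress.ip_network(cidr, strict=False)
    found: Set[str] = set()
    for r in table:
        overlaps = (r.first.version == net.version
                    and r.last >= net.network_address
                    and r.first <= net.broadcast_address)
        if overlaps:
            found.add(r.country)
    return found


def record_sale(order_id: str, client_ip: str,
                table: List[GeoRange] = CONSTRUCTED_GEOIP) -> dict:
    """Correct order: resolve the country from the full address, then store
    only the truncated address alongside the decision."""
    country = lookup_country(client_ip, table)
    return {"order_id": order_id, "vat_country": country,
            "client_net": truncate_ip(client_ip)}


def record_sale_wrong_order(order_id: str, client_ip: str,
                            table: List[GeoRange] = CONSTRUCTED_GEOIP) -> dict:
    """Wrong order, kept for contrast: truncating first throws away the
    information the lookup needed, so the country comes back as None."""
    stored = truncate_ip(client_ip)
    return {"order_id": order_id, "vat_country": lookup_country(stored, table),
            "client_net": stored}


if __name__ == "__main__":
    print(record_sale("order-1", "5.62.58.245"))              # vat_country DE, client_net 5.62.58.0
    print(record_sale_wrong_order("order-1", "5.62.58.245"))  # vat_country None
    print(countries_in_prefix("5.62.58.0/24"))                # both US and DE: /24 is ambiguous
```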

~~~
gruez
Those IP addresses belong to the same AS, have the same announcement[1], and
have very similar traceroute outputs (both have final hops around Miami). The
only thing different is their reverse DNS, which I think is throwing MaxMind's
algorithms off.

[1] [https://bgp.he.net/net/5.62.58.0/23](https://bgp.he.net/net/5.62.58.0/23)

------
janemanos
It will cost companies so much money and time to be compliant with GDPR. Maybe
even become a neck-breaker for some young startups.

~~~
qw
The final law was finalised in 2016 and was expected since at least 3-4 years
ago when the agreement was made in the EU parliament.

 _Startups:_ It costs money to develop the systems to process personal data in
the first place. I don't see any unreasonable restrictions in GDPR. If new
startups plan for GDPR while developing the systems it should not add too much
costs. It is basically about managing data responsibly and documenting how you
utilise that data.

 _Established companies:_ I don't have much sympathy for existing companies.
They have exploited the slow reaction time of the legal system to make money
in an unregulated market. This has happened to other industries as well, such
as the tobacco industry who had to adjust to anti-smoking laws when the
politicians could no longer ignore the negative effects.

~~~
Silhouette
_I don't have much sympathy for existing companies. They have exploited the
slow reaction time of the legal system to make money in an unregulated
market._

Some commenters in these discussions write as if all businesses deserve the
GDPR and all its attendant overheads as some sort of punishment for assumed
past transgressions. And yet I work with small businesses, and so
unsurprisingly I also know many other people who do, and not one of those
businesses operates with any sort of data-hoarding, privacy-invading model,
nor would any of us ever want to.

All that attitude teaches the next generation of startups is that they'll be
penalised whether they try to act ethically and responsibly or not, so they
might as well do the questionable things and make more money anyway. Surely
that is exactly the opposite of what should be happening?

~~~
qw
GDPR has been known for 3-4 years and was finalised in 2016. They should have
had 2-3 years to go through their systems. If a business can't do that, it
indicates that they don't have control of the information in the first place.
Most of the regulation is about adding routines, documenting the data
management and updating user consents. Smaller companies under can skip some
of the documentation.

The only major requirement that cannot be fixed by documentation or updating
user consent is the requirement to not store data more than necessary, which
depends on your business. If you need to store data for a longer time period
than absolutely required, you need to either anonymise it or delete it. If you
run a business and need to store purchase histories to meet other legal
requirements, you have a valid reason to store it. If you use it to track
which purchases a specific user has done to optimise targeted advertisement
you will probably have to anonymise it.

This can of course be a complex task, but I don't think it is a good argument
against GDPR. Why should I lose control of my personal information just
because it costs money to process it responsibly? At some point a regulation
has to be implemented and some companies will unfortunately be impacted even
if their intentions were good.

~~~
Silhouette
_GDPR has been known for 3-4 years and was finalised in 2016. They should have
had 2-3 years to go through their systems._

Was it posted in their local planning department in Alpha Centauri as well?
Because to most people running microbusinesses -- which is most businesses,
remember -- it might as well have been.

 _If a business can't do that, it indicates that they don't have control of
the information in the first place._

Not at all. It's quite possible that an organisation has been reasonable and
responsible about handling personal data and its staff know exactly what it's
doing and why, but that the formal documentation and automated processes
referred to throughout today's discussion aren't in place because they have
never been necessary before.

 _Why should I lose control of my personal information just because it costs
money to process it responsibly?_

The trouble is that different people will have different interpretations of
"responsibly". For example, I'm not sure it's _irresponsible_ to have been
storing and processing data for legitimate purposes and entirely with the
subject's informed consent for years, and also to be concerned about the cost
of updating or replacing all of those systems because the subject is now being
given a retrospective right to withdraw that consent that they didn't have
before. While this might be considered desirable in terms of reining in data
hoarders like Facebook or Google, it also imposes burdens on organisations
with different models and lower risks to data subjects. Some sort of balance
is needed between these competing priorities.

 _At some point a regulation has to be implemented and some companies will
unfortunately be impacted even if their intentions were good._

Right, but this is exactly why both unambiguous rules and proportionality are
important.

------
amelius
How do you reply _safely_ to such a data request? I mean, this could have been
written by an impersonator. And even if you can verify the identity, you still
need to send sensitive information somehow.

------
llao
That looks excellent. Handling personal data is something that services should
prefer not to do and if requests like this are a "nightmare" then hopefully
the web will become a better place again.

------
matte_black
Is it possible to conduct some kind of denial of service legal attack against
an unprepared business through the use of GDPR letters?

~~~
IAmEveryone
No.

Long answer: people actually tried to do it to Facebook, Google, etc. As a
response, they each started offering self-service tools to download your data.

~~~
xab9
First you have to implement a download data function. I might be pessimistic,
but with many sites requiring a login still on http and with the wondrous
amount of bugs in web apps this may not be as easy as it sounds. But then: let
them burn.

------
trothamel
I wonder if the end result of all of this is going to be an increase in
the construction of data centers close enough to the EU to serve it properly,
but outside its jurisdiction entirely. In Africa, for example, or perhaps a
post-Brexit UK.

It seems that being close to Europeans without being subject to EU law is
going to be a big advantage going forwards.

~~~
kuschku
The GDPR specifically has a clause for those cases, it applies also
extraterritorially, and will be enforced, if necessary, by seizing your funds
via the SWIFT interbanking system.

That's a very bad idea.

------
red_admiral
Have I Been Pwned is going to hit 5 billion breached accounts any day now. If
the GDPR pushes back against this kind of thing, all the better.

If the GDPR makes it harder to found a startup for the sole purpose of
collating and monetizing people's personal data, I'm not too upset either.

If a company suffers a data breach and can not answer to all of point 7. in
the linked page, I'll leave it to the lawyers whether this is negligence but
I'm inclined towards "yes" myself.

The moment you want to process any credit card data, you're already bound by
regulations with teeth: the PCI-DSS. That's why in several recent data
breaches one of the first things you read on the breach notification was "no
payment card data was affected", suggesting that it's less important to the
company if they lost "only" personal data. Bring on the GDPR.

------
donttrack
How does the GDPR apply to governments storing data? Could I send a letter to
the tax authorities and ask them to delete my data?

~~~
ferongr
Obviously the state is exempt from such nonsense.

~~~
detaro
There are exceptions for some purposes, and I won't be surprised if
governments try to stretch those as far as they can, but in general GDPR
applies to governments as well.

~~~
dominotw
What about the NSA? Can I ask them what data they have on me?

~~~
number6
They will tell you that they are not subject to EU Law.

If you ask an EU equivalent they will just tell you that they don't have any
data. Or that they might have but can't disclose it because of security
concerns.

~~~
PaulKeeble
Actually if it's data held on an EU national they are required to divulge it or
be in breach of this. They don't get to dodge it just because they are in the
USA, the law applies to any organisation storing data about an EU national.

~~~
Bizarro
_Actually if it's data held on an EU national they are required to divulge it or
be in breach of this._

You people can keep on saying that this law pertains to any
entity/organization that has any info on any EU citizen, but we know this is
untrue. The rest of the world knows that the EU doesn't have this authority,
so I don't know why you people keep on parroting this line.

Let's get something else straight. We know there are political motives behind
this law that are orthogonal to "we care about privacy", and other governments
know this as well, and will respond to the EU in kind if need be.

~~~
number6
This. If you don't have a location in the EU the court can't send you any
orders to comply with. This is how Facebook dodged German privacy law. The only
reason why Facebook had to answer to an EU court was their settlement in Ireland
which they had for taxation reasons.

The EU wants to implement something like a virtual settlement for businesses to
extend their reach, arguing that if you make profit in the EU then you have a
settlement there. But as long as your country isn't willing to help the EU
get you, there is nothing to fear.

At least I don't see what they could do. Ban your product... yes... But more
than that?

------
unicornporn
Most of this information could be made accessible to the end user via a
personal dashboard and knowledge base.

GDPR will have broad implications. If you're not designing your services to be
compliant there will be consequences.

------
unicornporn
Most of this information could be made accessible to the end user via a
dashboard and knowledge base.

GDPR will have broad implications. If you are not designing your services to
be compliant right now, there will be consequences.

------
fogzen
I’m surprised nobody has mentioned that being forced to provide personal data
on request does not in any way reduce the risk of personal data being misused.

What’s the damage consumers are being protected from, exactly?

~~~
wsxcde
Being forced to comply with GDPR forces companies to keep track of data, limit
usage, add data expiration policies -- all of this makes compliance easier and
definitely improves security.

A well-known researcher once joked to me that programmers are associated with
a company for a few years, programs live only for a few more years, but
data lives forever.

~~~
fogzen
> and definitely improves security.

How? What procedure improves security?

Right now, people I don't know at various companies have access to databases
with my personal information. Those same people will still have the same
access and opportunity to misuse my personal information, but under GDPR I can
know what personal information is stored. I could also demand it be deleted,
but that doesn't apply to data that's already been shared or under control of
other parties.

~~~
lagadu
GDPR is far wider than that; you're just looking at it from the end user
perspective because GDPR isn't just allowing the user to enquire about their
data.

For a company to be GDPR compliant they also have to satisfy the regulators
and that includes limiting access to data to only those that need it, knowing
who those people are and putting measures in place in case of a breach.

------
a3n
Companies make millions and billions off data naively or knowingly given up
for free. So, I weep. /s

And if this becomes more than the odd request, build it into your processes.
If you can identify me "as me" to your advertisers and other data customers,
you can certainly do that for me.

Or just do what other businesses do: pay off a few legislators to change the
law, or a lobbying firm or association. If you have the money, pay to make
this a patriotic move. That's how democracy works. /s

------
MarkMc
I would be willing to pay $10 to see the advice of a lawyer about how to
respond to each question in the letter. Is this something that could be
crowd-funded?

Edit: Why are people downvoting this?

------
av501
Just because you are small does not mean not doing the right thing is
something you should get away with. I see lot of comments of how doing the
right thing can be a burden. However, I see it the other way. Not doing the
right thing is a burden you have to carry with you everyday. GDPR is helping
you with guidelines on how to shed that burden. I do not know how and won't
imagine it is easy, but I wish something in our existing socio-economic
systems would slowly edge towards making 'doing the right thing' a significant
variable that everyone has to care about for their own wellbeing and
prosperity.

------
mmaunder
This is a useful exercise and not as scary as I expected. I'll bet this will
be used as a template for requestors.

Which makes me wonder about these requests en masse as a form of activism.

------
ithkuil
> please provide me a copy of my data ...

How should I send the personal data?

~~~
geocar
Recital 63 gives some guidance here:

[http://www.privacy-regulation.eu/en/recital-63-GDPR.htm](http://www.privacy-regulation.eu/en/recital-63-GDPR.htm)

It depends on what kind of data you have, how you keep it, how you know it is
their personal data, how long you keep it, and so on.

~~~
ThePhysicist
Providing a download link to a TLS-encrypted site that's only accessible to a
logged in user would probably be the easiest way to do that.

------
Radim
These types of SAR requests (even milder ones) are of course impossible to
handle manually. _Self-assessment_, the way most companies decided to handle
GDPR, isn't much help here. How do you automate personal data discovery,
especially for already existing data?

Funnily, the biggest fear companies have regarding GDPR and SAR does not
originate from "Mr. I. Rate the customer", like in this article. It comes from
disgruntled employees ratting on the company. Employees know best where
personal data is stored (and often no one else in the company does), so they
can really do some surgical damage. GDPR introduces a whole new dynamic.

This may be a good place to shamelessly plug a tech we developed (Show HN!)
for automatically locating personal data across corporate resources:
[https://pii-tools.com](https://pii-tools.com)

Personal data discovery is but a small piece in the compliance puzzle, but a
piece that is critical to understanding what sensitive data is even out there:
CVs with photos in backups? Scanned passports in attachments of email
archives? Names and addresses in database tables? How about S3, Azure, GDrive?

Let me also add that there's no shame in not having a comprehensive view of
all the corporate personal inventory. Larger companies grow their resources
organically, through acquiring other companies and separate business units
doing their own thing. It is a complex problem, but one where technology can
help.

~~~
discoursism
> How do you automate personal data discovery, especially for already existing
> data?

You attach an owner id to every record, and make sure all your systems can
dump all information they store according to owner id. To the extent existing
systems don't, you fix them.

~~~
Radim
Charming response :-) Entire industry dismissed in a single HN comment. Poof!

I'm not sure we understand "data discovery" to mean the same thing, but you
reminded me of "How To Draw An Owl":

[http://sethgodin.typepad.com/seths_blog/2014/01/how-to-draw-...](http://sethgodin.typepad.com/seths_blog/2014/01/how-to-draw-an-owl.html)

~~~
discoursism
Hrm, did you expect me to design the output of an entire industry in an HN
comment? I didn't say it was easy to do. But it is what must be done. My goal
was not to provide code, but an outline, a very rough sketch, rough to the
extent that it could fit in a pair of sentences. I guess in that sense the owl
metaphor is accurate!

We've had two years to work on this. At my company, we've had entire teams
spending significant fractions of their time over the last year prepping. As a
result, we'll be ready when the switch flips.

~~~
Radim
It's refreshing to see such a responsible approach.

What you suggest is (as far as I understand you) orthogonal to automated data
discovery / inventory mapping, though.

~~~
discoursism
I agree we are not using the same definition of data discovery. In my use
case, you know a priori which user provided the data, you just need to plumb
the information through to all downstream systems. This seems sufficient for
GDPR as I understand it. I had not read your entire comment and did not
realize you were promoting a system to try to do something like this
automatically. I did not realize the initial question was rhetorical.

FWIW I would be worried about relying on such a system! But based on the
description it seems helpful. What does it do about derivative data that
doesn't directly contain any PII?

------
aazar
Hi Everyone, I am the Co-Founder of ECOMPLY.io. I thought about jumping in and
helping you all out.

First of all, you need to understand whether you have customers in Europe. If
yes, is data your everyday thing? If yes, then you need to comply with Article
30 first. Article 30 asks how many processes you have, how many of them have
personal data involved, and then tells you to answer purpose, legal basis,
category of personal data and deletion request.

I interviewed Mailjet on how they did it: [https://ecomply.io/how-to-become-gdpr-compliant-insights-fro...](https://ecomply.io/how-to-become-gdpr-compliant-insights-from-mailjets/)

Now, how to answer a Subject Access Request: once you're done with Article 30,
i.e. records of processing activities, you'll know what, where and how you
obtained that data, with the purpose and legal basis. This request will be
difficult to answer then:

Here are the 10 steps you need to take: [https://ecomply.io/10-critical-steps-to-general-data-protect...](https://ecomply.io/10-critical-steps-to-general-data-protection-regulation-gdpr-for-smes/)

It's a piece of cake then.

Plus, you need to change your way of doing sales & marketing in Europe:
[https://ecomply.io/pimping-up-your-sales-in-a-post-gdpr-worl...](https://ecomply.io/pimping-up-your-sales-in-a-post-gdpr-world/)

------
Zigurd
This looks like the mirror image for the requirements document for protecting
PII. You may not need to be able to respond directly to every demand in the
letter, but you should be able to have a watertight explanation of why not.
"Burdensome" won't cut it.

------
amelius
Wouldn't it be fair if the GDPR allowed for a small administration fee, for
such requests?

------
jakeogh
I just had an awesome idea. Let's make keeping records of past information and
actors encountered illegal if they don't want you to remember, while at the
same time make it trivial for the same people to waste your time by demanding
free consulting.

------
chasb
Be aware, this article is not a list of GDPR requirements. It is, however, a
good list of questions that every business processing data in the cloud should
be aware of. You need to be able to answer these questions.

------
oliwarner
Just remember there is a "go away†, this request is too onerous" get-out
clause for GDPR requests. Just as there is a billable option for excessive
queries.

Both options have to be reasoned —and the person making the request can squeal
off to the ICO at any point— but in a letter like the linked one, I would find
it hard to justify forensically picking through years of historical access
data and not charge a fee for doing so.

Compliance regarding breach notification is forward-looking too, so all this
nonsense about "has this ever happened" is outside the GDPR, as far as I can
see, anyway.

† The GDPR contains no rules about being polite. If somebody made demands like
this at me, I would be considerably less polite than my example there.

~~~
mindslight
> _hard to justify forensically picking through years of historical access
> data_

If querying is so onerous, then _why the fuck are years of historical access
data even being stored_ ?

This desire to keep reams of nebulously categorized surveillance data "just in
case" seems to be one of the issues at the heart of this legislation. If it
has business value and a legitimate purpose, then formalize it. Otherwise,
delete it.

~~~
oliwarner
Obviously, most people might not but some will.

In some countries and sectors it's a legal or contractual requirement that you
keep audit trails for x years. I've worked on accounting systems where the
insurers and banks have both had separate requirements here.

Not that this is relevant here. My point was that if people demand
_retroactive_ notice of a breach —and you're not otherwise required to notify
them— even if you have that data, you can tell them to bugger off.

------
mirimir
> 3. Please provide a list of all third parties with whom you have (or may
> have) shared my personal data.

I wonder whether this includes police and TLAs.

------
emilfihlman
I wonder what would happen if we send this to Brussels en masse.

~~~
number6
Why not - just send these letters out en masse. There should be a webservice
for this.

~~~
speedupmate
For every action, there is an equal and opposite reaction. If a customer can
ask anything then a company asked can ask anything in return and if you send
those out "en masse" you just become subject to GDPR yourself.

