Right to Erasure

GDPR: The Right to Erasure Does Not Always Mean Forgotten

The title should actually be more in question form; Did you know that there’s even a difference between being erased and being forgotten?

Article 17 of the GDPR is “Right to erasure (‘right to be forgotten’)“, which suggests they are the same thing. They are not [quite], and I think the only reason the right to be forgotten was added in brackets is because everyone was already calling it that. But it’s just not accurate …enough.

The right to be forgotten is intended to allow an individual to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.” For example; you may have been guilty of a minor criminal offence 30 years ago, which in the UK would likely make that offence “spent” (i.e. it should not be considered in any decisions against you related to insurance, employment, loans and so forth). However, if this criminal record has been posted online then duplicated in numerous forms all over the place, it will never go away. In other words, you’ve paid your ‘debt to society’ but it will haunt you for the rest of your days.

Continue reading

Information Security vs Privacy

Information Security vs Privacy, are the Lines Blurring?

My original title was “Data Security vs Data Protection[…]”, but an unfortunate number of people see these as pretty much the same thing, even interchangeable. Then I chose Cybersecurity instead of Data Security but that doesn’t cover all forms/formats of personal data, so I finally had to settle on Information Security.

As for Data Protection, it’s not, in and of itself Privacy, and so on…

But you see the problem already? If we can’t even agree on common terminology, how are we expected to ask the right people the right questions in order to solve our problems? But I digress…

For the purposes of this blog I have chosen the following definitions of ‘Information Security’ and ‘Privacy’: Continue reading

Technical and Organisational Measures

GDPR: Reporting Your “Technical and Organisational Security Measures”

You could almost be forgiven in thinking that words/phrases like; ‘pseudonymised’, ‘anonymised’, ‘access control’ or ‘encrypted’ are all that is required when reporting your technical and organisational security measures for Article 30 – Records of Processing Activities.

Almost.

The UK’s ICO themselves provided a sample of what records of processing should look like, and even included examples of content. Their column headed “General description of technical and organisational security measures (if possible)” contains just two examples; “encrypted storage and transfer” and “access controls“. So in the absence of more detailed guidance from any supervisory authority [that I have seen] just what are organisations supposed to do?

First, you need to understand that in Article 32 – Security of Processing, the phrase “technical and organisational security measures” is qualified twice by the one word that makes the whole thing not only clear, but very simple; “Appropriate”.

Article 32(1): “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”.

I’m not going to go into detail about how you define ‘appropriate’, I’ve already done that in GDPR: How Do You Define ‘Appropriate’ Security Measures?, but I am going to provide an example of what this would look like on the only medium that counts; paper.

Continue reading

GDPR Muppets

GDPR: Now We Know Who the Muppets Are

Well, here we are, close of business May 25th, and oh look!, the sun is still shining, the world is still spinning, and no one [decent] went out of business.

What we do have however is an indication of who the world’s biggest muppets are. For example:

…and:

…and the list goes on and on.

As if the barrage of ridiculous and utterly meaningless emails over the last few months wasn’t enough, the spectacular ignorance shown by these and many other organisations defies belief. The only good thing I can say about these weapons grade plums is that they are actually taking GDPR seriously. They DID something. The fact that they are needlessly damaging their reputations is apparently beside the point.

Continue reading

Enough

GDPR May 25th – Slow Down and Get it RIGHT!

If you hadn’t heard of the GDPR before the last month or so, you have now. You have all received at least one, and more likely dozens of emails from organisations with whom you have had some contact in the past. Most of whom you have probably forgotten about. e.g. I hadn’t used my Garmin account for over a decade but still received an email asking if wanted to ‘opt in’ to continue receiving its “many benefits”.

I wouldn’t mind so much, but every last one of these ‘calls for action’ is utterly, inexcusably, and embarrassingly wrong! Literally, not one that I have received has followed what amounts to a clear instructions from the many qualified sources available (i.e. ICO for the UK, Art. 29 WP for everyone else, numerous law firms etc.) on what to do.

Therefore both of the following are true:

  • The organisations looking for GDPR guidance had no idea what they were asking for from their ‘expert’ help, or whom to ask; and
  • The providers of the guidance had no clue what they were doing

I can also assume that no one in the respective organisations had actually read the GDPR, and the providers of guidance clearly learned just enough to fool all those who have remained clueless. Frankly these people deserve each other.

Here are some of my favourite vendor emails [paraphrased]:

  • “If you don’t respond to this email we will assume you want to keep receiving emails from us.”;
  • “Unless you read and sign our new terms and conditions we will cease all communication.”;
  • “Our database of customers’ email addresses, including yours, will be deleted.”
  • “If you don’t opt in to receive emails relevant to the services we provide you, we’ll stop sending them.”
  • “Our website is not available to any European member state…”

Continue reading