The Nightmare Letter

  • Comments posted to this topic are about the item The Nightmare Letter

  • We do business (UK based) with the EU, theUS, the Middle East and Australasia. The issue of concern is what we happen reGDPR upon Brexit as with a lot of other issues related to Brexit things areunclear.

    I have kept of copy of the letter and feel tempted to send it to somerecruitment agencies. Since I was unemployed some for years ago my CV seems tohave been passed around randomly resulting in virtual spam e-mails aboutpotential positions despite me requesting to be deleted from their database.One young recruiter seems to have set up his own agency and taken my data withhim. Yes, I could have some fun!  🙂

  • Now I'm really feeling sympathy toward any IT staff that are affected by this. Happily, my company keeps their business firmly inside U.S. borders so it doesn't affect me or mine directly.

    However.

    It does bring up an interesting point. Our company is classifiable as an SMB (small and medium sized business) and we have an IT department that consists of me, myself, and I. 🙂 The question I have is how would a similar sized company subject to the GDPR handle this? The questions asked in that letter are (I assume) legitimate under the GDPR, which means they have to be answered--within the 30 day window. Or (and I'm assuming here) horrific fines that would force the company out of business would result.

    In other words, one single letter could represent an extinction level event for most SMBs.

    How could any SMB with a minimal (or non-existent) IT staff respond correctly to this letter? Even if they only had a customer's mailing address the rest of the questions represent more than a month's work for one person. Even assuming that most of the answers are applicable to all customers (so could be boiler plate language) assembling that boiler plate could take months of the IT staff's full time. Meaning everything else gets put on hold.

    Nightmare scenario? More like Game Over scenario...

  • For anyone who didn't know, Google have a self service data access point:
    google.com/takeout

    Apparently it runs to around 5.5Gb according to this from the Guardian:
    https://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-privacy

    I wonder whether that is the best approach? Not everyone could afford to implement that presumably...

  • roger.plowman - Wednesday, March 28, 2018 7:01 AM

    Now I'm really feeling sympathy toward any IT staff that are affected by this. Happily, my company keeps their business firmly inside U.S. borders so it doesn't affect me or mine directly.

    However.

    It does bring up an interesting point. Our company is classifiable as an SMB (small and medium sized business) and we have an IT department that consists of me, myself, and I. 🙂 The question I have is how would a similar sized company subject to the GDPR handle this? The questions asked in that letter are (I assume) legitimate under the GDPR, which means they have to be answered--within the 30 day window. Or (and I'm assuming here) horrific fines that would force the company out of business would result.

    In other words, one single letter could represent an extinction level event for most SMBs.

    How could any SMB with a minimal (or non-existent) IT staff respond correctly to this letter? Even if they only had a customer's mailing address the rest of the questions represent more than a month's work for one person. Even assuming that most of the answers are applicable to all customers (so could be boiler plate language) assembling that boiler plate could take months of the IT staff's full time. Meaning everything else gets put on hold.

    Nightmare scenario? More like Game Over scenario...

    Fines are proportionate and built to defer non-compliance. Failing to answer in 30 days wouldn't be an extinction level event. Putting customer data on the Internet and not responding to notices to remove it might be. If you're trying to comply, but take longer, likely you'd get a warning if you showed that a process was underway.

    This isn't aimed at putting businesses under. It's aimed at getting them to take security more seriously and respect rights. If you're trying to do that, you'd be ok. Fines would likely be small, though grow if you continued to avoid compliance.

  • call.copse - Wednesday, March 28, 2018 7:17 AM

    For anyone who didn't know, Google have a self service data access point:
    google.com/takeout

    Apparently it runs to around 5.5Gb according to this from the Guardian:
    https://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-privacy

    I wonder whether that is the best approach? Not everyone could afford to implement that presumably...

    Really? I'd think this would be easy to build as a part of any system. A simple API to pull in data from new databases, based on some sort of key. Then an export/download. While it's not a couple hours, it's also not likely weeks.

  • Steve Jones - SSC Editor - Wednesday, March 28, 2018 8:05 AM

    call.copse - Wednesday, March 28, 2018 7:17 AM

    For anyone who didn't know, Google have a self service data access point:
    google.com/takeout

    Apparently it runs to around 5.5Gb according to this from the Guardian:
    https://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-privacy

    I wonder whether that is the best approach? Not everyone could afford to implement that presumably...

    Really? I'd think this would be easy to build as a part of any system. A simple API to pull in data from new databases, based on some sort of key. Then an export/download. While it's not a couple hours, it's also not likely weeks.

    I wouldn't want to be the first company to develop a system. I'd also like commercial tools to be available. Are the reporting requirements company wide or just for the data in the EU jurisdiction?

    412-977-3526 call/text

  • Well, I'm not a clairvoyant. Better than that; I'm an engineer. What I can see "GDPR Consultant" as the new hot IT career title. What I also see are 3rd party companies sprouting up like mushrooms overnight, who for a fee will take care of the grunt work of blasting off GDPR requests to hundreds of organizations on behalf of customers. It won't simply be an individual sitting down and writing a thoughtful letter to an individual organization. We have to get out in front of this storm. So, if your organization doesn't currently have customer data mart containing all the pertinent data fields necessary for a GDPR request, then you'll want to get that in place soon.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell - Wednesday, March 28, 2018 9:02 AM

    Well, I'm not a clairvoyant. Better than that; I'm an engineer. What I can see "GDPR Consultant" as the new hot IT career title. What I also see are 3rd party companies sprouting up like mushrooms overnight, who for a fee will take care of the grunt work of blasting off GDPR requests to hundreds of organizations on behalf of customers. It won't simply be an individual sitting down and writing a thoughtful letter to an individual organization. We have to get out in front of this storm. So, if your organization doesn't currently have customer data mart containing all the pertinent data fields necessary for a GDPR request, then you'll want to get that in place soon.

    Ah, I LOVE the smell of cynicism in the morning! :laugh:

    Seriously, though, if a lawyer can find a way to sue, they will. And boy is this a triple-platinum opportunity!

    Adding to this perfect storm, in the early days *nobody* will know where the limits are, how the GDPR should be interpreted, and what company liability really is.

    EU, I hardly knew ye.

  • That seems like extreme over regulation, why shouldn't the answer to that request have to be anything more than "The same information you gave us"  That might not apply to companies like google or facebook that are cross comparing and compiling data from all kinds of data sources but for the average company that's just providing services this seems like overkill.

  • roger.plowman - Wednesday, March 28, 2018 9:15 AM

    Ah, I LOVE the smell of cynicism in the morning! :laugh:

    Seriously, though, if a lawyer can find a way to sue, they will. And boy is this a triple-platinum opportunity!

    Adding to this perfect storm, in the early days *nobody* will know where the limits are, how the GDPR should be interpreted, and what company liability really is.

    EU, I hardly knew ye.

    That is true. I'm sure there will be people trying to find ways to initiate lawsuits.

  • ZZartin - Wednesday, March 28, 2018 9:18 AM

    That seems like extreme over regulation, why shouldn't the answer to that request have to be anything more than "The same information you gave us"  That might not apply to companies like google or facebook that are cross comparing and compiling data from all kinds of data sources but for the average company that's just providing services this seems like overkill.

    Not really. Many companies also buy data. Or they collect data that you might not be aware of. For example, your cell phone tracks your location. Most people weren't aware that this data was stored and kept until recently. Same thing for other industries, there is data that might be aggregated or inferred, and this gives the data subject the right to understand what data your org has on them.

  • Steve Jones - SSC Editor - Wednesday, March 28, 2018 9:26 AM

    ZZartin - Wednesday, March 28, 2018 9:18 AM

    That seems like extreme over regulation, why shouldn't the answer to that request have to be anything more than "The same information you gave us"  That might not apply to companies like google or facebook that are cross comparing and compiling data from all kinds of data sources but for the average company that's just providing services this seems like overkill.

    Not really. Many companies also buy data. Or they collect data that you might not be aware of. For example, your cell phone tracks your location. Most people weren't aware that this data was stored and kept until recently. Same thing for other industries, there is data that might be aggregated or inferred, and this gives the data subject the right to understand what data your org has on them.

    It now reads like companies can only buy data that was previously consented to be sold. My opinion if I were in this environment, I would no longer sell data. I'd love to be a fly on the wall in Facebook / Europe meetings 🙂

  • Yes ,in the EU, companies need to get consent and be transparent.

    Going to be interesting.

  • After reading the letter, it seems to me like most, if not all, companies that get a request like this would simply be able to respond with the same canned response every time, for every user.  For example, Steve, what would you do if you got a request like this from a SQLServerCentral.com user?  Could you not use the following for everyone?  (Here would be my response to the first 5 questions in the letter.  Obviously I don't know the real answers as they relate to SQLServerCentral.com, but I just made up some stuff that I thought would sound reasonable.)  Sure it could be more complicated for different companies, but after they did one, chances are it would be applicable to many, if not all of their users.  Then, once an individual gets a response back, are you going to argue it?  How would the individual know what is correct, incorrect, or missing?

    1.   Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.


    Yes, kevin77, your personal data is being processed.
    1a. We have your Full name, and email address.
    1b. The information is stored in the United States of America.
    1c.  Your personal information can be found at: https://www.sqlservercentral.com/Forums/Users/kevin77

    2.   Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.


    Your email address is used to send out news letters every week day.

    3.   Please provide a list of all third parties with whom you have (or may have) shared my personal data.


    Redgate (www.red-gate.com)
    3b. Redgate is a parent company, so all legal grounds transfer.
    3c.  Data is transferred over HTTPS/SSL.

    4.   Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.


    Data is retained until you delete your account.

    5.   If you are additionally collecting personal data about me from any source other than me, please provide me with all information about their source, as referred to in Article 14 of the GDPR.


    No additional data is being collected.

Viewing 15 posts - 1 through 15 (of 21 total)

You must be logged in to reply to this topic. Login to reply