“GDPR stands for General Data Protection Regulation. It is a legislation that aims to protect the privacy of all EU citizens. GDPR forces organisations to make major changes in the way they handle their customers personal data, affecting their business processes as well as software. It’s a whole system of principles, rights and obligations which you will need to be familiar with. GDPR will apply from 25 May 2018.” That’s a quote from an excellent article explaining the legislation, and the obligations of website administrators, in simple language. The actual legislation, in typical EU fashion, is lengthy. Here it is, for your edification. Pardon me if I don’t wait for you to catch up.
This comes after many breaches of people’s privacy, not so much hacking incidents, but more where data such as email addresses have been collected and sold or given to third parties to be used for such things as spam. The recent furore over Facebook and Cambridge Analytica, where Facebook sent users’ data on to another company without their knowledge, is a case in point. I’m sure all computer users would agree that collecting information about them and passing it on without prior consent is wrong. In very simple terms the GDPR requirements mean that if a person (eg me) uses a website, and that website collects any data about me, I need to be told what data, and why, and I have to consent.
Fine. But it turns out ‘very simple’ isn’t very simple.
The thing is, we willingly share information about ourselves if there’s something in it for us. Our phones tell use what the weather’s like where we are, or where to find a restaurant – if location tracking is on. Information such as your age and sex can be used to target advertising so you’re shown dating sites for the right age group. Amazon famously uses your (collected and stored) browsing and purchase history to suggest other items which might be of interest. But that’s on Amazon’s own website. If the company on-sold the data, it’s another story. Then there are online retail sites (including Amazon), which require names, phone numbers and physical addresses. And it could be argued that if you don’t realise Amazon and Facebook and Google and Microsoft are all collecting data about you, you’d better get out from under that rock.
Mind you, if I’m buying something like an ebook I resent having to provide a physical address. It’s not needed to carry out the transaction, and I’ve been known to walk away rather than divulge.
But that’s the obvious stuff. There are other items of data that are collected to make the wheels of the internet turn smoothly, or for quite inocuous, statistical reasons. Many sites collect data such as IP addresses for Google analytics so the administrators can see which countries their visitors come from (it’s just a count – nothing more).
If I want to leave a comment on a website, then typically I’m asked for my email address and maybe my own website. That information is stored on the site’s server, and is visible to the administrators. If I elect to follow a site, my email address is collected. If I join a mailing list, ditto – and perhaps also my name. Etc.
The GDPR regulations state that visitors should opt in to collection of their data. They should be able to opt out at any time, and be able to delete any information that may have been collected at a given site.
It all sounds wonderful, doesn’t it?
And that brings me back to Y2K.
In the mid-1990’s the IT world had an ‘oh shit’ moment. Back when computers were first developed hardware was very, very expensive, so every effort was made to use the bare minimum of resources such as data storage. For that reason dates were stored as 6 digits – DDMMYY everywhere but the US, where it was MMDDYY. Then somebody realised that when we reached the year 2000, all our date maths would be out the window. Let’s say you started a 10-year loan on 1/5/95. It would be due to terminate on 30/4/05. But if you subtract 95 from 05, you don’t get 10. This meant retrofitting a gazillion systems using 6-digit dates to 8-digit dates (DDMMYYYY). It was huge. It required a multitude of analysts (to find where the dates were used) and programmers (to fix the code). But it was done. The century rolled over with barely a hiccup.
But that Herculean effort pales into insignificance in comparison with GDPR.
Even for a simple little site like mine I’m expected to list any cookies that the software might place on a visitor’s machine. Here’s what WordPress says about cookies for people leaving a comment .
“When visitors comment on your blog, they get cookies stored on their computer. This is purely a convenience, so that the visitor won’t need to re-type all their information again when they want to leave another comment. Three cookies are set for commenters:
The commenter cookies are set to expire a little under one year from the time they’re set.”
I have to make sure you can see a list of every cookie my site stores and what it’s for. You have to give consent before you can comment on my blog, and you must be able to remove your consent, and delete any information I might have stored about you, which means deleting your comments, and also deleting any record of your visit, such as your IP address.
I’m glad I never bothered with a mailing list. Anyone with a mailing list must go back to all subscribers and have them either subscribe again, or be assumed to have unsubscribed.
The thing is, while I can see why it’s being done, I don’t think much thought has been given to the ramifications. It’s like a fishing boat trawling for sharks. Trouble is, it swallows up everything – dolphins, turtles, tuna, mackerel, whiting, sardines, clown fish – the lot. Guess which species I am?