Tag Archives: Y2K

GDPR is bigger than Y2K

Fishing at seaThe 25th May is approaching! That’s the date the EU’s new legislation aimed at protecting the private data of all EU citizens using the internet comes into force.

“GDPR stands for General Data Protection Regulation. It is a legislation that aims to protect the privacy of all EU citizens. GDPR forces organisations to make major changes in the way they handle their customers personal data, affecting their business processes as well as software. It’s a whole system of principles, rights and obligations which you will need to be familiar with. GDPR will apply from 25 May 2018.” That’s a quote from an excellent article explaining the legislation, and the obligations of website administrators, in simple language. The actual legislation, in typical EU fashion, is lengthy. Here it is, for your edification. Pardon me if I don’t wait for you to catch up.

This comes after many breaches of people’s privacy, not so much hacking incidents, but more where data such as email addresses have been collected and sold or given to third parties to be used for such things as spam. The recent furore over Facebook and  Cambridge Analytica, where Facebook sent users’ data on to another company without their knowledge, is a case in point. I’m sure all computer users would agree that collecting information about them and passing it on without prior consent is wrong. In very simple terms the GDPR requirements mean that if a person (eg me) uses a website, and that website collects any data about me, I need to be told what data, and why, and I have to consent.

Fine. But it turns out ‘very simple’ isn’t very simple.

The thing is, we willingly share information about ourselves if there’s something in it for us. Our phones tell use what the weather’s like where we are, or where to find a restaurant – if location tracking is on. Information such as your age and sex can be used to target advertising so you’re shown dating sites for the right age group. Amazon famously uses your (collected and stored) browsing and purchase history to suggest other items which might be of interest. But that’s on Amazon’s own website. If the company on-sold the data, it’s another story. Then there are online retail sites (including Amazon), which require names, phone numbers and physical addresses. And it could be argued that if you don’t realise Amazon and Facebook and Google and Microsoft are all collecting data about you, you’d better get out from under that rock.

Mind you, if I’m buying something like an ebook I resent having to provide a physical address. It’s not needed to carry out the transaction, and I’ve been known to walk away rather than divulge.

But that’s the obvious stuff. There are other items of data that are collected to make the wheels of the internet turn smoothly, or for quite inocuous, statistical reasons. Many sites collect data such as IP addresses for Google analytics so the administrators can see which countries their visitors come from (it’s just a count – nothing more).

If I want to leave a comment on a website, then typically I’m asked for my email address and maybe my own website. That information is stored on the site’s server, and is visible to the administrators. If I elect to follow a site, my email address is collected. If I join a mailing list, ditto – and perhaps also my name. Etc.

The GDPR regulations state that visitors should opt in to collection of their data. They should be able to opt out at any time, and be able to delete any information that may have been collected at a given site.

It all sounds wonderful, doesn’t it?

And that brings me back to Y2K.

In the mid-1990’s the IT world had an ‘oh shit’ moment. Back when computers were first developed hardware was very, very expensive, so every effort was made to use the bare minimum of resources such as data storage. For that reason dates were stored as 6 digits – DDMMYY everywhere but the US, where it was MMDDYY. Then somebody realised that when we reached the year 2000, all our date maths would be out the window. Let’s say you started a 10-year loan on 1/5/95. It would be due to terminate on 30/4/05. But if you subtract 95 from 05, you don’t get 10. This meant retrofitting a gazillion systems using 6-digit dates to 8-digit dates (DDMMYYYY). It was huge. It required a multitude of analysts (to find where the dates were used) and programmers (to fix the code). But it was done. The century rolled over with barely a hiccup – but at a cost of billions of dollars. ($100 bilion in the US alone)

But that Herculean effort pales into insignificance in comparison with GDPR.

These requirements don’t just affect websites in the EU, they affect all websites which could be used by EU citizens. That includes this site, gretavanderrol.com, my crummy little website where I list my books and prattle on about my last holiday (and a few rants). Please do not imagine for a moment that compliance is easy. WordPress, the software upon which my site is based, is a huge enterprise. Half the world’s websites (especially the small ones) are hosted by WordPress. At some stage the company will catch up with some of the requirements, and include them in its basic framework, but not before 25 May 2018, when the law becomes enforceable. Added to that, there are literally thousands of WordPress plugins, (apps if you will) specially written to fit into the WordPress framework. Some of them use cookies, or collect information about visitors, and if I use the plugins, I’m responsible.

Even for a simple little site like mine I’m expected to list any cookies that the software might place on a visitor’s machine. Here’s what WordPress says about cookies for people leaving a comment [1].

“When visitors comment on your blog, they get cookies stored on their computer. This is purely a convenience, so that the visitor won’t need to re-type all their information again when they want to leave another comment. Three cookies are set for commenters:

  • comment_author_{HASH}
  • comment_author_email_{HASH}
  • comment_author_url_{HASH}

The commenter cookies are set to expire a little under one year from the time they’re set.”

I have to make sure you can see a list of every cookie my site stores and what it’s for. You have to give consent before you can comment on my blog, and you must be able to remove your consent, and delete any information I might have stored about you, which means deleting your comments, and also deleting any record of your visit, such as your IP address.

Needless to say, enterprising software developers are writing plugins to help website owners cope with the requirements – some are free, some are not. I tried one plugin which checked for use of cookies. It was free for a site with less than 100 pages. I don’t have a lot of pages – but I use the site for my blog, and every post was counted as a page. That put me into premium class, and would have cost me $10 per month, which is frankly more than I pay for hosting the site. One plugin required me to make a change to the header in the HTML. I assure you most site owners wouldn’t know what that meant, let alone how to do it. And all the way through, there are disclaimers that this plugin will not make your site compliant. Perhaps you should talk to a lawyer, and hire a developer.

And if you opt to ignore the legislation? The penalties are (to say the least) substantial. Here’s a quote from GDPR Associates. “There will be two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.”

I’m glad I never bothered with a mailing list. Anyone with a mailing list must go back to all subscribers and have them either subscribe again, or be assumed to have unsubscribed.

A ‘contact me’ form must explain what you’ll be doing with the contactee’s email address. I’ve deleted my ‘contact me’ page. But I have copied a boiler-plate privacy policy. I cannot imagine how the EU thinks it’s going to police this policy, especially on non-EU websites like mine. But I do get visitors residing in the EU, and I suppose all it needs is for one person to register a complaint. Me, I’m collecting up my toys and retreating to the comfort of WordPress.com. Not only is it cheaper, it relieves me of some of the responsibility of complying.

The thing is, while I can see why it’s being done, I don’t think much thought has been given to the ramifications. It’s like a fishing boat trawling for sharks. Trouble is, it swallows up everything – dolphins, turtles, tuna, mackerel, whiting, sardines, clown fish – the lot. Guess which species I am?