Episode: 2560
Title: HPR2560: General Data Protection Regulation (GDPR)
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2560/hpr2560.mp3
Transcribed: 2025-10-19 05:36:45

---

This is HPR episode 2,560 entitled General Data Protection Regulation (GDPR). It is part of the series Privacy and Security, it is hosted by Ken Fallon, is about 19 minutes long and carries a clean flag. The summary is: the GDPR becomes enforceable today, and Ken gives an overview of what it is and how it affects you.

This episode of HPR is brought to you by AnHonestHost.com. Get 15% discount on all shared hosting with the offer code HPR15, that is HPR15. Get your web hosting that is honest and fair at AnHonestHost.com.

Hi everybody, my name is Ken Fallon and you are listening to another episode of Hacker Public Radio. Today I want to talk to you about the General Data Protection Regulation, which has just come into effect today. Well, it's been in effect actually since the 14th of April 2016, but it becomes enforceable today. And by enforceable what we mean is that there are fines of 20 million euros or 4% of annual turnover if you fail to comply with this directive. Now that has got the attention of a lot of people, and those people have been sending you updates to privacy policies for the last few weeks, and no doubt you have been affected by this. Probably even if you live outside of the EU you've been affected by this, because it's probably cheaper if they implement this level of protection for all their customers regardless of where they live, because it is a fairly sane and quite detailed law.
Now the reason for it: I would read the Wikipedia explanation, but basically it is trying to balance things. It assigns eight individual rights, which we'll talk about later, to the citizen, and it's harmonised for the companies: it harmonises all these regulations from all the different countries around the EU so that you don't have to deal with privacy laws in Ireland versus the Netherlands versus Germany versus whatever. So it brings these things into harmony. You might not like it, but at least now, instead of dealing with all the individual states in the block, you're dealing with the block as a whole, and the advantage to companies is that if you adhere to this, by and large you're pretty okay for privacy in other countries as well, because this is fairly stringent and actually quite sane. I'm going to link to the legislation itself, which I advise you all to read. It is not the most difficult document in the world to read; I've had to read more difficult documents in my time, and this one is actually well written, it's clear, and if you have ever read a Linux manual it should be perfectly easy to follow, so it's well worth the read. If reading large EU PDF documents is not your thing, then I'm also including several PDF summaries: two from The Privacy Company, under a CC BY-ND attribution no-derivatives licence, which means I can't refer to it here in this show, and which give a good overview of the General Data Protection Regulation. Just shut the window here. One is basically a one-pager that you can put on the notice board at the coffee machine, and the other one is a data protection by design framework, which is a two-pager but basically, from a technical point of view, tells you what you need to do to cover the privacy by design aspect of this law.
So I will also be including another guideline, which is by the Information Commissioner's Office in the UK, and basically the show is going to be a summary of what's in that document. It's released under an Open Government Licence version 3.0, which is compatible with our Creative Commons here. So without further ado, let's start.

Now, just to give you some background about the privacy laws. This document, though, is going to be more about what a company needs to do. So you have the idea of a controller and a processor. A controller is the person who determines the purpose and means of processing personal information. The idea behind personal data is that it's any information relating to an identifiable person who can be directly or indirectly identified by means of a reference identifier. So any personal information, we're talking for example your phone number, your name, your address, your email, but it might also be, for example, that you're the only person that lives in that street and a sensor has detected motion on that street, and it could only be you, so therefore that is now personally identifiable information. So you've got to be very careful about that: not to think that personally identifiable information is just name and address or stuff like that.

Then there are special categories of personal information which you need to be aware of, and those include race, ethnic origin, politics, religion, trade union membership, genetics, biometrics where it's used for ID purposes, health, sex life or sexual orientation. If you're dealing with any of these things then there are additional things that you need to consider when gathering or storing personal information.

So the idea is that when people are gathering information, they are only allowed to gather information about you under the following conditions: consent, contract, legal obligation, vital interest, public task or legitimate interest. Whoo, what do you mean by all of those?
So you must have a valid lawful basis for processing the personal information; you can't just decide to do it, and the person has to give you consent. Now there are a few caveats here: no longer is it sufficient that you have a pre-filled tick box, somebody needs to actively decide to give you consent. So there has to be real choice; genuine consent should be put to the individuals in charge. So it says here it has to be positive opt-in, don't use pre-ticked check boxes, explicit consent needs to be clear and specific, so it has to be separate from terms and conditions, and you need to be clear and concise, you need to name the third parties that are going to process it, and you need to make it as easy to opt in as it is to opt out. So no more can you hide your opt-out fifteen levels deep in a menu under some obfuscated name; it needs to be right there, clear and concise, opt-in and opt-out.

You can collect data if you have a contract. So obviously if you're providing a service to supply widgets to that person and you need to deliver them to their house, then you need the address of their house, and if they're paying you first then you might need their bank account information, so that's absolutely a reason why you can. If there's a legal obligation on you to collect this information, so if there's a law that says anybody buying widgets from you, you need to register that information with the widget control authority so that the spread of widgets is controlled and maintained, then regardless of what you say, if they have a legal obligation to do that then they have to do that.
If it's in a vital interest to protect someone's life: so you arrive in hospital, your medical records are not allowed to be given by default, but if you arrive in and they want to see, oh, is this person allergic to something, let me have a look at their medical records, then of course the doctors can open your medical records. Then there is another section called public task, so necessary to perform a task in the public interest, which you might think, ah, there we have our get-out-of-jail clause, but no, it actually needs to be very, very specific, and they have to prove that they can't get the information in another way. So for example you might say gas meters or utility meters, well, I need to collect those in order to determine what the utility is, but somebody could argue (I'm not saying this is a legal case, I'm not a lawyer in any of this) you could argue, well, if that can be done on a street level and then you have all the information you need, why do you need it down at that granular level? And then legitimate interest, and this one is a bit hazy as it is; for example, if you're going to be going into a lawsuit with the customer or whatever, then you have a legitimate interest to keep it. And also there are other special categories of data, which are if you need to keep it for criminal offences and stuff, but that's more to do with public authorities.

Now, the individual rights that are being given to a customer, a citizen, and it's important to realise here that this is an amalgamation of what is accepted to be social norms in the amalgamation of all the states. So the right to be informed: you have a right to be informed that your personal data is being collected, and you have a right to know, under that, how long it's going to be kept, who it's going to be shared with, and you need to be informed of that at the time that it's being collected. And the description of why they're taking your personal data has to be in clear and plain language, so I think
that one was clear, we can move on. So the right of access: this is a very interesting one, and was the one that actually I got interested in mostly. I became interested in the GDPR for this very reason, because I have a right to access my personal data, and I can request this and they have one month to respond, and they have to give it back to me, and they can charge a fee but it can't be an exorbitant fee. There is then the right to rectification: so if any data about me is incorrect or invalid, I have the right to have that rectified, so my name, my address, my email; if I want some of that information removed, that can also be covered by this. And the right to erasure, or the right to be forgotten: that means that yes, after a period of time I have the right to close my accounts and the right to be forgotten. Now I know that there has been a lot in the press in the English-speaking world, who predominantly are based on the sort of UK system, Magna Carta and all the rest, but within the rest of Europe the legal system is basically based on the Romans, and while they're compatible there are some differences involved in the approach. So I imagine you have all seen Pulp Fiction and that fantasy they're talking about in the Netherlands, what you can and can't do; by the way, the vast majority of that entire thing is completely invalid, the police do have all these rights and furthermore, except for the fact that yes, they do cover French fries in mayonnaise, which actually is very nice, but I digress. So one of the strangest things I found here was that if a criminal, no matter how heinous, commits a crime, then they have the right not to be named, so no picture of them is allowed to be displayed, nor is their name allowed to be mentioned. So in the case of Jan van Dijk it would be J. van Dijk or Jan v. or whatever, so whichever is the most common name would be used with a letter. In the case of me, Ken Fallon would be a fairly unique name in the Netherlands, so therefore
that would probably be abbreviated to something else so that my anonymity would be maintained. Now this seems very, very strange, and in fact there is a case of a public... but the idea is that if somebody goes and is sentenced to jail time, then after they've done the jail time and are rehabilitated, and everybody thinks they're rehabilitated, then they can come back into society without prejudice and become an upstanding citizen. And you say, but what about the dangers of that person, a paedophile or something, going into education? Well, that's covered by those sensitive jobs requiring certificates in order to have the job in education. So obviously, if I knew, that was the thing to apply for in the first place, but even if I did, then I would need to provide that record from the police for my job application, so I ask them and, in my case, it's clear, and then I have an employer, and that way we maintain the fact that I don't have a conviction, while maintaining my privacy if I did. So that was a bit strange, but okay, fine, that's just the norm, and the idea is the right to be forgotten is a fairly valid thing if you think back now to all the silly things I did when I was in college, and now a lot of that stuff is available on videos and whatever around the world. So yeah, it's not as black and white or as evil as people make it out to be as a right, and specifically we'll come to it later on.

So we move back from the right to erasure, which we were talking about, to the right to restrict processing. This one is one where you can request somebody to maintain your data: don't delete it but don't process it. So if you're in a legal battle with somebody, you can ask them to freeze the data where they would normally delete it after so many weeks, so that's a right you have. You have a right to object to somebody using your data, so for direct marketing you have the absolute right to stop your data being used for
direct marketing, so no more email spam from people, and you can say, no way, if you continue doing this then these rights that you have come into effect. Now the interesting one for us here in HPR is you also have rights around automated decision making. Oh sorry, I missed one: the right to data portability, which means you have the right to ask for your personal data for your own purposes. So for example, this is how I got interested in this in the first place: I wanted to fill out my hourly forms here to show what I'm working in a week, and I know what time I leave the house and get on the bus, and subtract the minutes that it needs to get to work, and I know how long I've worked on that particular day. Seems reasonable. Well, the public transportation system has the idea of a public transport card where all your transactions are recorded and kept forever, and they provided an absolutely horrible website which they change over time. So I wrote a Selenium login in Python which scraped the website, but every two weeks, every three weeks or so, it broke. So eventually I asked them for the data; they said no. I asked them for it in a more public API; they said no. I contacted a journalist friend who exposed how weak their security was, part of the local Linux user group, and he said GDPR is your friend. And the key to that is we have the right to get our information: not just my name, address, not just my postcode, not just the information I put in, but all the transactions, every time I log in and log out. If I go to my bank, I have the right to know how much and where. If I'm on a social network, I have the right to know who I'm connected to, what their email addresses are. Now they also have rights as well, so when I take control of that information I become a data processor there, and it's not just a black, malicious thing, all of that, but it means that you can become data portable. And it says in the regulations here, they're encouraging to make this information available with an API so that
you can pull it down in a standard format. They don't define the standard format, but they make recommendations as to what they should be: CSV, JSON, XML, that sort of thing. And they're encouraging industry bodies, so if you're the European Federation of Widget Producers and those widget producers agree on an interchange format, they're encouraging that sort of thing, so that proposes a format. And that benefits you: you can let customers export your commerce data, so you're losing customers but you gain customers as well by pulling in their information, and all of a sudden, boom, those people are linked to those other people. So for example, if we migrate from micro-blogging service one and we go to micro-blogging service two, when my friends also migrate then the connections could be put back in place, so as they appear online, that information will allow me, allow the new service, more ease to link to them as well. But it's also useful for all the things like your gas, your electricity, your banking, and you should be able, even by staying with a particular company, if they offer an API, to monitor your data more easily and use it more productively, and they want to encourage businesses to build businesses around these APIs.

And then finally, this is an interesting one, the right in relation to automated decision making and profiling. Now this one: so, back to my widget company, if I decide to recommend you certain widgets when you log on to the website based on something, then I have to tell you how I came to that decision if you ask. If I reject your loan based on something, then I have to be able to tell you how I did that, and the law, the directive, says you don't have to expose the intellectual property of it, but you do have to do the explanation of what it was, how you came to that. So for example, I used your choice of colour of widget and size of widget to recommend you other widgets in the widget line. So that also
makes it easy so that when you migrate from one service to another, you know the basis on which these decisions were made. I'm not saying it would be easy to replicate, but it is possible to do so. So those are the cool things that are available to you as an individual citizen within the EU: at least you can get your data from this stuff, you have more control over it, you can get rid of spam. Now it remains to be seen how well that works.

So I'm going to skip over accountability and governance, but it is fair to say, very, very fair to say, that there is a lot (oops, let me bring this over here) there's a lot that a company will need to do to ensure that data is collected properly. Let's see: you need to maintain contracts and documentation, you need to show data protection by design and by default. So under the GDPR you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. What does that mean? Well, no longer are you collecting everything about everybody. What you have to do is you have to think about what it is you're collecting, why you're collecting it, document it, show the chain, ask yourself, well, do I actually need this information? Can I not just come out of my computer to say, well, I need to know... do I need to know that Bob bought this widget, or is it enough to say that so many of these widgets have been purchased? So you need to think about that. You need to try and minimise the amount of data, try and anonymise the amount of data, pseudonymise if you can't anonymise, which means instead of having Bob's name in there, have some random UUID, and then the linking between the random UUID and Bob's name is kept somewhere else on a different system. Encryption, obviously. Do your access control, data protection by default, so your access controls that you're monitoring: only people who are allowed access to that stuff can access this
stuff, and that by default the information gets cleared out and deleted after a period of time, and that people are allowed to come back and change all this stuff. So yeah, you need to be shown to be doing that, to facilitate that. Every large company and large organisation needs to implement, and small companies need to consider implementing, or appointing, a data protection officer, who is paid for by the company, reports into the CEO but is separate, and basically only reports to one person. And that person is... I'm not reading this from the documentation here, I'm just going from my own head, so take note of this: all of this is more or less a guide here, so you know, do your own legal due diligence; I'm not a lawyer, and in no way should this be taken as legal advice, it is just an introduction to what's going on. So the data protection officer will be the person responsible, so that when you notify them of an issue they have so many days; there is one person, they are known, they have contact information, and they are the person dealing with that. Then codes of conduct and certifications; there's also a guide to data protection. Security is a key principle, so you need to do risk analysis. There's also, if there's a data breach, you have 72 hours from becoming aware of the data breach to inform the supervisory authority, and you have to do that if it's likely to be high risk; you have to do it without undue delay. So even if you delayed two hours or something, I don't know, if you delayed longer than necessary, even if it's less than the 72 hours, you could still be in violation. There is also: you need to have robust breach detection, investigation and internal reporting procedures in place, and you must keep a record of personal data breaches regardless of whether you are required to notify them or not. Now then there's a list of exemptions, so for example the military and certain other things, where you think, okay, fair enough. And children have
a whole thing for themselves in particular. In some cases children are defined as persons under the age of 13, but in the majority of countries under the age of 16. So all the other rules apply, but you are not allowed to do any profiling on these children whatsoever. You need a lawful basis for processing their personal data; consent is one possible lawful basis for processing, but it is not the only option; sometimes using an alternative basis provides better protection for the child. So I was not correct about you not being allowed to possess any information, but the restrictions are a lot higher. You also need to write clear privacy notices for children, so that they are able to understand what's happening to their personal data and the rights that they have. Because this is so difficult, a lot of companies are saying, okay, we're now not going to do any services to children under the age of 13 or under the age of 16, whatever the age is; or under the age of 13 you're just treated as a generic person, there's just your name and email address is all that's stored, and folders and stuff are not stored. So these are different approaches I've seen by individual people.

So I think that's pretty much all I have to say about the GDPR. It's quite interesting, because if you're working from a customer point of view, a consumer point of view, the system is quite cool, because now you will be able to legitimately ask that spammer not to spam you. You can legitimately ask somebody; for example, I booked a room, they automatically opted me into the email list again, they then asked me to create an account, they also then emailed me the password. The local council, in order to report a streetlight, your options are you can walk into them and say the streetlight is broken, sure, no problem; however, if you do that on the website you're required to fill in your name, your
postcode, your date of birth, your address, your telephone number; all this information is not necessary for the task. So you have a lot of tools here to protect your privacy, but I think there's a cool opportunity, especially for open source projects as well, that will have all this data that will suddenly come open, and you also will become more aware of all the data points. So now, looking back at my public transport history since the launch of this card, there have been at least four to eight different data points for me, so I can tell, you know, when I went to work, when I was on the bus, and I can even tell when I went to IKEA to buy something because I stopped at that metro station. So the amount of information that's available is massive, so I can now gather that information, which is useful and interesting for me because it tells me exactly what I was doing, but I can also request, okay, you know you've finished processing this information, I've paid you this money, you can now get rid of that. If they have the ability, they are allowed to pseudonymise it, take that data, use a generic, so that so many people travelled to IKEA on that particular day; yes, they can use that, but they don't need to know that it was specifically me. So that's kind of cool, and it should spur more cool uses of technology, and hopefully it'll stop spam as well. So lots more information about that is available here, linked in the show notes for this episode, and I hope you found this interesting; I personally did. And if you're interested, I would recommend that you read the directive itself; it is fairly easy to follow. And it's hard to know how it plays out; it's unlikely that, you know, immediately somebody starts sending you spam and they're going to get fined 20 million euros overnight; it's more likely going to take a while for norms to evolve and for these things to pan out. But it is interesting, and I do have a few emails ready to rock for later on today. Okay,
well, tune in tomorrow for another exciting episode of Hacker Public Radio.

You've been listening to Hacker Public Radio at hackerpublicradio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our Contribute link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself. Unless otherwise stated, today's show is released under the Creative Commons Attribution-ShareAlike 3.0 licence.
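The data protection by design points the episode makes (replace Bob's name with a random UUID and keep the UUID-to-name link on a separate system; keep only aggregate counts where that is enough; hand a person all of their records back in CSV or JSON under the right of access and portability; drop the link under the right to erasure) as one added Python example. This is not code from the episode, from Hacker Public Radio or from any transport operator; the trip records, names, email addresses, stations and the PseudonymVault class are constructed for the illustration, and the in-memory dict in the vault stands in for the separate, access-controlled system the episode describes.

```python
import csv
import io
import json
import uuid
from collections import Counter

# Constructed sample records in the style of the transport-card history the
# episode describes; every name, address and station here is made up.
TRIPS = [
    {"name": "Bob Example", "email": "bob@example.invalid", "station": "Central", "date": "2018-05-01"},
    {"name": "Bob Example", "email": "bob@example.invalid", "station": "IKEA Halt", "date": "2018-05-02"},
    {"name": "Alice Example", "email": "alice@example.invalid", "station": "Central", "date": "2018-05-02"},
]

# Fields that directly identify a person and must not sit in the working data set.
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymVault:
    """Hypothetical helper: the only place where a random UUID is linked to a person.

    In a real deployment this table lives on a separate, access-controlled
    system; it is an in-memory dict here so the example runs stand-alone.
    """

    def __init__(self):
        self._by_email = {}   # email -> token
        self._by_token = {}   # token -> {"name": ..., "email": ...}

    def token_for(self, name, email):
        """Return the existing token for a person, or mint a random one."""
        if email not in self._by_email:
            token = str(uuid.uuid4())  # random, not derived from the identity
            self._by_email[email] = token
            self._by_token[token] = {"name": name, "email": email}
        return self._by_email[email]

    def lookup(self, email):
        return self._by_email.get(email)

    def resolve(self, token):
        return dict(self._by_token[token])

    def forget(self, email):
        """Right to erasure: dropping the link leaves the pseudonymous rows unlinkable."""
        token = self._by_email.pop(email)
        del self._by_token[token]


def pseudonymise(records, vault):
    """Replace direct identifiers with the vault's token; keep the rest of the row."""
    out = []
    for rec in records:
        token = vault.token_for(rec["name"], rec["email"])
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        kept["subject"] = token
        out.append(kept)
    return out


def aggregate_by_station(pseudonymous):
    """Data minimisation: a count per station needs no per-person record at all."""
    return dict(Counter(rec["station"] for rec in pseudonymous))


def subject_access(pseudonymous, vault, email):
    """Right of access / portability: everything held about one person,
    re-identified through the vault so the person gets their own data back."""
    token = vault.lookup(email)
    if token is None:
        return []
    identity = vault.resolve(token)
    return [dict(rec, **identity) for rec in pseudonymous if rec["subject"] == token]


def export_json(rows):
    return json.dumps(rows, indent=2, sort_keys=True)


def export_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=sorted(rows[0]) if rows else [])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    vault = PseudonymVault()
    working = pseudonymise(TRIPS, vault)
    print(aggregate_by_station(working))
    print(export_csv(subject_access(working, vault, "bob@example.invalid")))
    vault.forget("bob@example.invalid")
    print(subject_access(working, vault, "bob@example.invalid"))  # [] once the link is gone
```

The working data set never carries a name or email address, so a leak of it alone does not identify anyone; the aggregate function shows the case where no per-person row is needed at all; and erasure is a single deletion in the vault rather than a hunt through every copy of the trip data.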