Privacy concerns everywhere, but don't panic!
Recently, my organization reached a big goal and we decided to celebrate by taking everyone out for dinner. What happened was a GDPR nightmare. Or was it?
We sent out a Google Form with three simple questions: 1. What’s your name? 2. Are you coming to the dinner? 3. Do you have any dietary constraints?
But wait!
According to article 4 of the GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person”. Are dietary constraints personal data? They certainly can be!
Julie wrote: “I’m a vegetarian”. That’s certainly personal information. Is it lawful to collect it? Jason wrote: “I’m allergic to shellfish”. That’s actually medical information. Fareed wrote: “I don’t eat pork”. Did we just collect data about his religious belief? Both medical information and religious beliefs are considered special categories of personal data, requiring stricter basis for processing.
But it gets worse: Google Forms doesn’t guarantee that the data is stored outside the US. As long as the US is a rogue nation, especially when it comes to privacy, article 45 will probably never allow for worry-free transfer to the US. And I have to admit that when it comes to transfer to rogue nations, I really don’t know what to do.
So, what the heck, right? What’s going on here? Is the GDPR making everything impossible?
Not at all. We just have to start thinking in terms of common courtesy in a time when massive amounts of personal data are in danger of being misused. Let’s fix these problems!
The biggest problem is Google, and we’re all holding our breath on this one. Is Google going to provide sufficient control to comply with the GDPR after May 25th? We all hope so. If not, perhaps we need to find another place to collect the data. (Hey, Google! Norway is a great place for data centers - why don’t you leave the sinking ship that is the US?)
Second, collecting the data is lawful if we get the consent of the data subject (https://gdpr-info.eu/art-7-gdpr/). Just add a checkbox saying “I consent that this information is used to pre-order the food”. We also have to provide transparent information to our hungry team members: “This information will be aggregated with the rest of the responses and used to place our order. It will only be read by Johannes. After the order is placed, the information will be deleted”. Remember to restrict access to the data as you promise and to delete the data when you promise.
Yes, this means that you have to ask again for the next party. Don’t cry - that’s not that big of a hassle.
Finally, and most importantly, perhaps we should take a lesson from Data protection by design. Instead of asking if our members have dietary constraints, perhaps just ask the restaurant for the menu and ask everyone what they would like to order. A food order is (probably!) not personal data and then we sidestep the whole problem. Or we could just anonymize the dietary question.
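To make the three fixes concrete, here is an added example (my own code, not something from the original post) that treats the form responses the way the article recommends: a response is only kept when the consent box was ticked, the restaurant gets an aggregate with no names (the anonymized dietary question), and the raw responses are purged once the order is placed. The field names and the sample answers are constructed for the example.

```python
"""Added example: handling dinner-form responses with consent, minimization
and deletion. All names, answers and field names are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Response:
    name: str
    attending: bool
    dietary: str    # free text from the form; may be special-category data
    consent: bool   # the "I consent that this information is used to pre-order the food" box


class DinnerOrder:
    """Holds raw responses only for as long as they are needed."""

    def __init__(self) -> None:
        self._responses: list[Response] = []   # access is restricted to this object
        self.placed = False

    def accept(self, r: Response) -> bool:
        """Store the response only if consent was given and the person attends.
        Returns True when the response was kept."""
        if not r.consent:
            return False        # no lawful basis: store nothing at all
        if not r.attending:
            return False        # nothing to order, so nothing to keep
        self._responses.append(r)
        return True

    def aggregate(self) -> dict[str, int]:
        """Build what the restaurant actually needs: counts per constraint, no names.
        An empty answer is counted as 'no constraint'."""
        counts: Counter[str] = Counter()
        for r in self._responses:
            key = r.dietary.strip().lower() or "no constraint"
            counts[key] += 1
        return dict(counts)

    def place_order(self) -> dict[str, int]:
        """Return the anonymous aggregate and delete the raw responses, which is
        the promise "after the order is placed, the information will be deleted"."""
        order = self.aggregate()
        self._responses.clear()
        self.placed = True
        return order

    def stored_responses(self) -> int:
        return len(self._responses)


def run_example() -> tuple[dict[str, int], int]:
    """Constructed sample answers; returns the order and how many raw rows remain."""
    o = DinnerOrder()
    o.accept(Response("Julie", True, "vegetarian", True))
    o.accept(Response("Jason", True, "no shellfish", True))
    o.accept(Response("Fareed", True, "no pork", True))
    o.accept(Response("Ann", True, "", True))
    o.accept(Response("Ben", True, "vegan", False))        # no consent: never stored
    o.accept(Response("Cara", False, "vegetarian", True))  # not coming: nothing to keep
    order = o.place_order()
    return order, o.stored_responses()


if __name__ == "__main__":
    print(run_example())
```

The point of the shape is that the only thing that leaves the object is the nameless aggregate, and the raw rows live exactly as long as the stated purpose; if you later decide the order itself is all you need, `Response.dietary` is the field to drop.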
What’s the point of this story?
Data protection is an everyday problem. It doesn’t just affect big IT systems. It affects all the small information streams within an organization.
But at the same time, data protection doesn’t require a dedicated project. It just requires you to follow a reasonable set of principles: think about whether you have the consent of the data subject, whether you’re upfront about how the data will be used, whether you protect the data, and whether you need the personal information at all.
A huge disclaimer: I’m not a legal expert in any sense of the word. I may be grossly wrong in this article and I’d love to hear about it! Please comment!
Comments:
[jlous] - Oct 25, 2017
Interesting post. On a slightly off-topic note: do we ditch event sourcing entirely or do we start mutating our event logs? Or does that even make sense?
Johannes Brodwall - Oct 25, 2017
Uh oh! I think we have to really reconsider event sourcing, yeah.
Filtering the log (like git filter) is an option, but it may not be practical. Another option that kind of destroys the whole point is if the event log just contains pointers (possibly hashes) to data, then the real data can be replaced by a gravestone. But you still have to think about projections and replications of the event log.
I’m still waiting for a serious solution. But in the meantime, now is probably not the time to get started with event sourcing. :-/
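The reply above sketches an event log that stores only pointers to data, with the real data replaced by a gravestone on erasure. Here is an added example of that design in Python; it is not code from the post or from either commenter, and the event types, field names and sample responses are all constructed. The pointer is a random opaque id rather than a content hash, because a hash of a short answer such as "vegetarian" could still be confirmed by guessing after the payload is gone, and two people giving the same answer would otherwise share one pointer.

```python
"""Added example: an append-only event log whose events point at payloads in a
separate, mutable store. Erasing a person overwrites their payloads with a
gravestone; the log itself is never rewritten, and projections must cope."""
import secrets

GRAVESTONE: dict = {"erased": True}


class EventStore:
    """Append-only log of events plus a payload store keyed by pointer."""

    def __init__(self) -> None:
        self.log: list[dict] = []             # never rewritten
        self.payloads: dict[str, dict] = {}   # pointer -> data; the only mutable part

    def append(self, event_type: str, subject: str, payload: dict) -> str:
        # Opaque per-event pointer (see lead-in for why not a hash of the payload).
        ptr = secrets.token_hex(16)
        self.payloads[ptr] = payload
        self.log.append({"type": event_type, "subject": subject, "ptr": ptr})
        return ptr

    def erase_subject(self, subject: str) -> int:
        """Replace every payload of the subject with the gravestone.
        Returns how many payloads were overwritten; the log keeps its shape."""
        n = 0
        for ev in self.log:
            if ev["subject"] == subject and self.payloads[ev["ptr"]] is not GRAVESTONE:
                self.payloads[ev["ptr"]] = GRAVESTONE
                n += 1
        return n

    def resolve(self, ev: dict) -> dict:
        return self.payloads[ev["ptr"]]


def project_dietary_counts(store: EventStore) -> dict[str, int]:
    """A projection over the log: dietary counts for the latest response of each
    subject. Erased subjects drop out because their payload is now a gravestone."""
    latest: dict[str, dict] = {}
    for ev in store.log:
        if ev["type"] == "response":
            latest[ev["subject"]] = store.resolve(ev)
    counts: dict[str, int] = {}
    for data in latest.values():
        if data is GRAVESTONE:
            continue
        key = data["dietary"] or "no constraint"
        counts[key] = counts.get(key, 0) + 1
    return counts


def run_example() -> tuple[dict[str, int], int, dict[str, int]]:
    """Constructed sample events; returns the projection before and after erasure."""
    store = EventStore()
    store.append("response", "julie", {"dietary": "vegetarian"})
    store.append("response", "jason", {"dietary": "no shellfish"})
    store.append("response", "fareed", {"dietary": "no pork"})
    store.append("response", "fareed", {"dietary": ""})   # changed their answer
    before = project_dietary_counts(store)
    erased = store.erase_subject("fareed")
    after = project_dietary_counts(store)
    return before, erased, after


if __name__ == "__main__":
    print(run_example())
```

What this does not solve is exactly what the comment warns about: any projection or replica that cached the resolved payloads holds a copy the gravestone never reaches, so the payload store, its backups and every materialized view need the same erasure step, not just the log.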