jm + gdpr   15

Template GDPR video request for CCTV images
in this case, to the ICBR anti-abortion protesters wearing bodycams outside Dublin maternity hospitals
hospitals  bodycams  icbr  abortion  gdpr  privacy  sar  cctv 
june 2018 by jm
Twitter thread regarding GDPR-compliance for append-only logs/event sourcing systems
Martin Kleppmann: "What’s current best practice for GDPR compliance (in particular, right to deletion) in systems with append-only logs/event sourcing/blockchains, which are supposed to keep history forever?"

Ben Kehoe: "Crypto delete. The immutable store keeps an encrypted copy, and the key is stored elsewhere. Forget me = throw away the key".

That seems to be the most practical suggestion in general in this thread.
twitter  threads  gdpr  compliance  law  eu  append-only  logs  blockchain  event-sourcing  architecture  storage  kafka  kinesis 
june 2018 by jm
Val on Programming: Making a Datomic system GDPR-compliant
Proposed solution: complementing Datomic with an erasure-aware key/value store.
In cases where Excision is not a viable solution, the solution I've come up with is store to privacy-sensitive values in a complementary, mutable KV store, and referencing the corresponding keys from Datomic.


This seems to be turning into a common pattern for GDPR compliant storage.
gdpr  privacy  clojure  datomic  data-protection  storage  architecture 
june 2018 by jm
Software Development and GDPR
You could think, as a developer, that the lawyers worry about this kind of fine-grained issue. They don’t. This is one of those situations where they say, well, here’s the risk, you have to make a decision, document it, and be ready to back that up in front of a judge should the soup hit the fan.

In this particular case it’s straightforward enough. Are you in control of the presence of data in your database? Yes. It’s up to you to delete it when requested. Are you in control of the data on your harddrive? Yes. It’s up to you to delete it when requested. Are you in control of the operating system implementation or database implementation of deletion? No. Could you get the data back if you wanted to? Yes – but that’s not part of your usual run of business, so why would you explicitly do that? What if some bad dude steals your harddrive and then rummages through it? Ok we are getting a little far-fetched here for most businesses that are not keeping special category data, but if this does happen, then you have failed in your security controls.

I guess my overall point here is that GDPR Compliance is a continuum, not a tickbox. You want to be doing the best you can with it and document why you can go so far and not further. The companies that will be getting the big legislative fines are the guys that are willy-nilly exporting special category data out of the EEA en masse without the knowledge of the people associated with that data. The rest of us just need to muddle along as best we can.

gdpr  privacy  dev  tech  coding  data-protection  law  eu  storage 
june 2018 by jm
How to revoke all ad permissions from Oath GDPR pages
in summary:
document.querySelectorAll('input[type=checkbox]').forEach(val => val.checked = false)


(via stx)
via:stx  oath  gdpr  privacy  tracking  ads 
may 2018 by jm
GDPR will pop the adtech bubble
Without adtech, the EU’s GDPR (General Data Protection Regulation) would never have happened. But the GDPR did happen, and as a result websites all over the world are suddenly posting notices about their changed privacy policies, use of cookies, and opt-in choices for “relevant” or “interest-based” (translation: tracking-based) advertising. Email lists are doing the same kinds of things.

“Sunrise day” for the GDPR is 25 May. That’s when the EU can start smacking fines on violators.

Simply put, your site or service is a violator if it extracts or processes personal data without personal permission. Real permission, that is. You know, where you specifically say “Hell yeah, I wanna be tracked everywhere.”

Of course what I just said greatly simplifies what the GDPR actually utters, in bureaucratic legalese. The GDPR is also full of loopholes only snakes can thread; but the spirit of the law is clear, and the snakes will be easy to shame, even if they don’t get fined. (And legitimate interest—an actual loophole in the GDPR, may prove hard to claim.)

Toward the aftermath, the main question is What will be left of advertising—and what it supports—after the adtech bubble pops?
advertising  europe  law  privacy  gdpr  tracking  data-privacy 
may 2018 by jm
Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year • The Register
So was it European law experts Hamilton that wrongly advised ICANN that it could request for a "moratorium" over the new law until it came up with a new solution?

It seems unlikely given their expertise and the fact it was them that first warned ICANN that it had wrongly persuaded itself that it was not affected by the new law. What seems more probable is that ICANN's staff and management board simply persuaded themselves that they could stall for time for no reason other than the fact that it would be convenient for them.
icann  fail  gdpr  whois  law  regulation  eu 
april 2018 by jm
Use the GDPR to find who has advertised to you on Facebook, and get them to delete your details
Sometimes you get ads on Facebook and you are just not interested in what they’re selling. This is a way to find out who has uploaded your email address into facebook to target ads at you, and then- if you’re in the EU- how to use the new General Data Protection Regulation to get those advertisers to delete you from their system.


Totally going to do this. roll on May 25
gdpr  facebook  privacy  ads  data-privacy  eu 
april 2018 by jm
A flaw-by-flaw guide to Facebook’s new GDPR privacy changes | TechCrunch
Overall, it seems like Facebook is complying with the letter of GDPR law, but with questionable spirit. Sure, privacy is boring to a lot of people. Too little info and they feel confused and scared. Too many choices and screens and they feel overwhelmed and annoyed. Facebook struck the right balance in some places here. But the subtly pushy designs seem intended to steer people away from changing their defaults in ways that could hamper Facebook’s mission and business.
gdpr  design  facebook  privacy  data-protection  data-privacy  social-networking  eu  law 
april 2018 by jm
Handling GDPR: How to make Kafka Forget
How do you delete (or redact) data from Kafka? The simplest way to remove messages from Kafka is to simply let them expire. By default Kafka will keep data for two weeks and you can tune this as required. There is also an Admin API that lets you delete messages explicitly if they are older than some specified time or offset. But what if we are keeping data in the log for a longer period of time, say for Event Sourcing use cases or as a source of truth? For this you can make use of  Compacted Topics, which allow messages to be explicitly deleted or replaced by key.


Similar applies to Kinesis I would think.
kafka  kinesis  gdpr  expiry  deleting  data  privacy 
december 2017 by jm
'Let’s all survive the GDPR'
Simon McGarr and John Looney's slides from their SRECon '17 presentation
simon-mcgarr  data-privacy  privacy  data-protection  gdpr  slides  presentations 
september 2017 by jm
GDPR Advisors and Consultants - Data Compliance Europe
Simon McGarr's new consultancy:
Our consultancy helps our clients understand how EU privacy law applies to their organisations; delivers the practical and concrete steps needed to achieve legal compliance; and helps them manage their continuing obligations after GDPR comes into force. Our structured approach to GDPR provides a long-term data compliance framework to minimise the ongoing risk of potential fines for data protection breaches. Our continuing partnership provides regulator liaison, advisory consultancy, and external Data Protection Officer services.
gdpr  simon-mcgarr  law  privacy  eu  europe  data-protection  regulation  data 
may 2017 by jm
[1606.08813] European Union regulations on algorithmic decision-making and a "right to explanation"
We summarize the potential impact that the European Union's new General Data Protection Regulation will have on the routine use of machine learning algorithms. Slated to take effect as law across the EU in 2018, it will restrict automated individual decision-making (that is, algorithms that make decisions based on user-level predictors) which "significantly affect" users. The law will also effectively create a "right to explanation," whereby a user can ask for an explanation of an algorithmic decision that was made about them. We argue that while this law will pose large challenges for industry, it highlights opportunities for computer scientists to take the lead in designing algorithms and evaluation frameworks which avoid discrimination and enable explanation.


oh this'll be tricky.
algorithms  accountability  eu  gdpr  ml  machine-learning  via:daveb  europe  data-protection  right-to-explanation 
march 2017 by jm

Copy this bookmark:



description:


tags: