Some links I thought worth reading the past few days

Some links I thought worth reading the past few days

Today I was at a session at the Ministry for Interior Affairs in The Hague on the GDPR, organised by the center of expertise on open government.
It made me realise how I actually approach the GDPR, and how I see all the overblown reactions to it, like sending all of us a heap of mail to re-request consent where none’s needed, or taking your website or personal blog even offline. I find I approach the GDPR like I approach a quality assurance (QA) system.

One key change with the GDPR is that organisations can now be audited concerning their preventive data protection measures, which of course already mimics QA. (Next to that the GDPR is mostly an incremental change to the previous law, except for the people described by your data having articulated rights that apply globally, and having a new set of teeth in the form of substantial penalties.)


My colleague Paul facilitated the session and showed this mindmap of GDPR aspects. I think it misses the more future oriented parts.

The session today had three brief presentations.

In one a student showed some results from his thesis research on the implementation of the GDPR, in which he had spoken with a lot of data protection officers or DPO’s. These are mandatory roles for all public sector bodies, and also mandatory for some specific types of data processing companies. One of the surprising outcomes is that some of these DPO’s saw themselves, and were seen as, ‘outposts’ of the data protection authority, in other words seen as enforcers or even potentially as moles. This is not conducive to a DPO fulfilling the part of its role in raising awareness of and sensitivity to data protection issues. This strongly reminded me of when 20 years ago I was involved in creating a QA system from scratch for my then employer. Some of my colleagues saw the role of the quality assurance manager as policing their work. It took effort to show how we were not building a straightjacket around them that kept them within strict boundaries, but providing a solid skeleton to grow on, and move faster. Where audits are not hunts for breaches of compliance but a way to make emergent changes in the way people worked visible, and incorporate professionally justified ones in that skeleton.

In another presentation a civil servant of the Ministry involved in creating a register of all person related data being processed. What stood out most for me was the (rightly) pragmatic approach they took with describing current practices and data collections inside the organisation. This is a key element of QA as well. You work from descriptions of what happens, and not at what ’should’ happen or ‘ideally’ happens. QA is a practice rooted in pragmatism, where once that practice is described and agreed it will be audited.
Of course in the case of the Ministry it helps that they only have tasks mandated by law, and therefore the grounds for processing are clear by default, and if not the data should not be collected. This reduces the range of potential grey areas. Similarly for security measures, they already need to adhere to national security guidelines (called the national baseline information security), which likewise helps with avoiding new measures, proves compliance for them, and provides an auditable security requirement to go with it. This no doubt helped them to be able to take that pragmatic approach. Pragmatism is at the core of QA as well, it takes its cues from what is really happening in the organisation, what the professionals are really doing.

A third one dealt with open standards for both processes and technologies by the national Forum for Standardisation. Since 2008 a growing list of currently some 40 or so standards is mandatory for Dutch public sector bodies. In this list of standards you find a range of elements that are ready made to help with GDPR compliance. In terms of support for the rights of those described by the data, such as the right to export and portability for instance, or in terms of preventive technological security measures, and ‘by design’ data protection measures. Some of these are ISO norms themselves, or, as the mentioned national baseline information security, a compliant derivative of such ISO norms.

These elements, the ‘police’ vs ‘counsel’ perspective on the rol of a DPO, the pragmatism that needs to underpin actions, and the building blocks readily to be found elsewhere in your own practice already based on QA principles, made me realise and better articulate how I’ve been viewing the GDPR all along. As a quality assurance system for data protection.

With a quality assurance system you can still famously produce concrete swimming vests, but it will be at least done consistently. Likewise with GDPR you will still be able to do all kinds of things with data. Big Data and developing machine learning systems are hard but hopefully worthwile to do. With GDPR it will just be hard in a slightly different way, but it will also be helped by establishing some baselines and testing core assumptions. While making your purposes and ways of working available for scrutiny. Introducing QA upon its introduction does not change the way an organisation works, unless it really doesn’t have its house in order. Likewise the GDPR won’t change your organisation much if you have your house in order either.

From the QA perspective on GDPR, it is perfectly clear why it has a moving baseline (through its ‘by design’ and ‘state of the art’ requirements). From the QA perspective on GDPR it is perfectly clear what the connection is to how Europe is positioning itself geopolitically in the race concerning AI. The policing perspective after all only leads to a luddite stance concerning AI, which is not what the EU is doing, far from it. From that it is clear how the legislator intends the thrust of GDPR. As QA really.

At least I think it is…. Personal blogs don’t need to comply with the new European personal data protection regulations (already in force but enforceable from next week May 25th), says Article 2.2.c. However my blog does have a link with my professional activities, as I blog here about professional interests. One of those interests is data protection (the more you’re active in transparency and open data, the more you also start caring about data protection).

In the past few weeks Frank Meeuwsen has been writing about how to get his blog GDPR compliant (GDPR and the IndieWeb 1, 2 and 3, all in Dutch), and Peter Rukavina has been following suit. Like yours, my e-mail inbox is overflowing with GDPR related messages and requests from all the various web services and mailing lists I’m using. I had been thinking about adding a GDPR statement to this blog, but clearly needed a final nudge.

That nudge came this morning as I updated the Jetpack plugin of my WordPress blog. WordPress is the software I use to create this website, and Jetpack is a module for it, made by the same company that makes WordPress itself, Automattic. After the update, I got a pop-up stating that in my settings a new option now exists called “Privacy Policy”, which comes with a guide and suggested texts to be GDPR compliant. I was pleasantly surprised by this step by Automattic.

So I used that to write a data protection policy for this site. It is rather trivial in the sense that this website doesn’t do much, yet it is also surprisingly complicated as there are many different potential rabbit holes to go down. As it concerns not just comments or webmentions but also server logs my web hoster makes, statistics tools (some of which I don’t use but cannot switch off either), third party plugins for WordPress, embedded material from data hungry platforms like Youtube etc. I have a relatively bare bones blog (over the years I made it ever more minimalistic, stripping out things like sharing buttons most recently), and still as I’m asking myself questions that normally only legal departments would ask themselves, there are many aspects to consider. That is of course the whole point, that we ask these types of questions more often, not just of ourselves, but of every service provider we engage with.

The resulting Data Protection Policy is now available from the menu above.

What this is

You are at https://www.zylstra.org/blog, which since 2002 is the personal weblog of me, Ton Zijlstra, its author. Although personal weblogs aren’t subject to the GDPR (the European personal data protection regulations), I do write about my professional interests here, and one of those is data protection. So I added a data protection policy anyway. My contact info is listed in the right hand column.

What personal data my site collects and why

When you visit this site, some technical data is automatically collected, such as your IP address. This is used for anti-spam, security and a few very basic analytical purposes. When you comment on a posting, a name and email address will be asked. When your own website alerts my website that you link to me (Webmention), your name and website address may appear in my comment section. In some postings other website’s content may be embedded (like a Slideshare presentation, a Youtube video, or an image on Flikcr), that track some of your data themselves.

Comments and Webmentions

When visitors leave comments on the site the data shown in the comments form is collected (name and email address), and also the visitor’s IP address and browser user agent string to help spam detection. The name you use in the comment form is shown publicly on the website once your comment is approved.

The email address you provided will not be published, but will be stored with your comment, for as long as that comment is published. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your Gravatar profile picture is visible to the public in the context of your comment.

Webmentions are an automatic way in which your own website alerts my website that you link to it. Metadata in your own website’s markup explicitly makes that data available to my website. I only publish metadata, such as your name, url or profile picture of your site, that you yourself submit, underneath my own postings. I only publish a link to your own website along the lines of “this article was mentioned on [your website]“, and no excerpt or fragment of your content will be displayed unless it’s a direct reply. I also use webmention to collect and display social backfeeds, which are mentions and likes on Twitter and Mastodon that are walled gardens and do not themselves support webmention. I use the WordPress plugin Webmention for this.

Subscriptions

You have the option to subscribe by e-mail to new postings. Those subscriptions are managed by WordPress.com. The e-mail addresses are not used for anything else. I do occasionally clean up the list removing e-mail addresses that are connected to spammers.

Contact forms

There is no contact form, so no data is collected there. My contact info is listed on the right hand side.

Cookies

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies stored on your own computer. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year. You can delete these cookies from your browser anytime if you want.

My blog does not set any other cookies.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos from Youtube, images from Flickr, articles and slides from Slideshare, etc.). Embedded content from other websites behaves in the exact same way as if you have visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website. Youtube videos that I embed are embedded in privacy enhanced mode, meaning they use a non-tracking Youtube URL (youtube-nocookie.com). However it is at the discretion of YT/Google if they adhere to their own promises on this. I also strip any script from Flickr embeds, resulting in as far as I can tell in no cookies and tracking being set, except for loading the image from your IP address. I no longer embed content from Slideshare / Scribd, and am self hosting such files.

Analytics

I don’t use specialized analytical tools. However data such as your IP address, and the pages an IP has requested are stored in the server logs of my web hosting company, Your-Webhost. Their data protection policy is at https://www.your-webhost.nl/whois/terms.html. Whenever there are server problems, I may ask my hosting provider to look into their logs to see what happened. The server logs are processed on my webserver into aggregated analytical data with a tool called Awstats, that is available by default from my hosting company. I never look at it, though that may change.

By default WordPress, the tool I use to make this site, does not collect any analytics data. Jetpack is a plugin by Automattic, the creator of WordPress, that is part of WordPress by default and does collect analytics data, but I have uninstalled it.

Who I share your data with

I don’t share your data (the little that I may have) with others, except for the plugins that I use for spam and malicious attack protection.

How I retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. The same is true for Webmentions. This is so I can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

If you subscribe to my blog by e-mail, I retain the e-mail address you used until you unsubscribe.

Aggregated statistics in Awstats are kept for 5 years maximum, although I usually delete them much earlier to free up space on my hosting account.

What rights you have over your data

If you have an account on this site (you don’t, only I do), or have left comments, you can request to receive an exported file of the personal data I hold about you, including any data you have provided to me. You can also request that I correct or erase any personal data I hold about you. This does not include erasure of any data I may be obliged to keep for administrative, legal, security or other legitimate purposes. You can also at any time request the removal of one or all webmentions originating from your website.

Where I send your data

Visitor comments and visitor’s IP addresses are checked through an automated spam and attack detection service. I use Wordfence and Akismet for this.

My contact information

You can contact me using the information on the right hand side. You can use encrypted email to do so.

How I protect your data

All interaction with this website is encrypted traffic, by using https. My webserver, on which all data for this blog is stored, is protected by my web hosting company Your-Webhost. I cannot circumvent or alter their protective measures, nor do so without breaching their terms of service. My own access to this website, the back-end at my hosting company, and the front-end WordPress, is protected with strong passwords and non-standard usernames. I use two plugins, Akismet and Wordfence to shield against spam and attacks.

What data breach procedures I have in place

If you think data on this site may have been breached please contact me. With my web-hosting provider I will look into it, and report back to you.
If I get notified about a breach by my web-hoster I will inform those that have commented, and will post an announcement in my blog itself.
If I suspect there may have been a breach I will notify my web-hosting provider and work with them to prevent futures breaches, inform those who have commented on my site and post an announcement in my blog itself.

What automated decision making and/or profiling I do with user data

If you submit a comment to this site, or if you try to gain access to this website’s controls, you may be automatically classified as spammer or a malicious attacker and automatically blocked or listed as permanently banned. If you submit a comment for the first time, or a comment that contains multiple weblinks, it will be automatically held for moderation, and will not be published until I have looked at it. If you have previously approved comments published on my blog, and I know you, you will be automatically permitted to do so again using the same credentials.

Some links I thought worth reading the past few days