Thank you, Douglas, for clarifying how encryption will solve most of the GDPR issues.
But I still have worries about the following other GDPR requirements involving the handling of any user's data, and this is independent of how strongly we have their data encrypted in our database.
I am quoting the GDPR rules in my own words for brevity here:
- any user may ask for information about what data is stored about him, for what purpose, and for how long
- any person (even if not a customer of yours) has the right to a reply whether you are storing any data about him. So you must reply with "We have no stored data about you"; you can't simply ignore his question.
- any user may ask for full or partial deletion of his data; he can also ask you at any time to modify his stored data (I suppose the modification regards only data that has errors; however, the law does not say this. It is still not clear to me what the law means by this: what would be the definition of an error, a misspelled name? Does this regard all 2548 instances we might have from a single customer's earlier activities?)
- any user may ask for restricting his data or any part of his data from being shared with any selected 3rd party; he can do it as many times and at any time he wishes, even if he has given opposite instructions before
- any user may ask for the handing over of all his stored data for whatever reason he wants it (e.g. to carry it away to another company if he wishes)
- in case of a data breach / loss / tampering you must notify the authorities and the affected users within a short time. You must inform them about the exact range of the affected data.
This all may sound obvious, and most of you would think 'No problem, of course we will do it'
...but I had a dream tonight: our Mary in the PR department (being a small company, she's alone with us in that 'department', it is just a desk) replies to the 578 daily requests by typing reply emails, and she types fast:
- 78 times each day she writes 'Dear Sir, we received your inquiry; we have no data stored about you' (you might think it is just copy-pasting email texts. No, she has to run 87 SQL queries on our 547 SQL tables in 12 different databases on 5 servers before each single reply; she manually inserts the person's name, possible nicknames, email addresses and IP addresses into those SQL queries' WHERE clauses. She does this manually because all our software guys and software vendors told us there's nothing they should improve regarding the new GDPR issues)
- she will reply 147 times each day with something like 'Dear Sir, upon your request we have deleted all data regarding your purchases before your divorce on 17th October 2017, but left intact all your data after this date which you still wish to see in your Order History, so your current wife will not see the list of items you enjoyed with your earlier wives' (no problem, she will write those 59 custom SQL queries and run them on 5 servers in a remote terminal window just as fast as she types emails)
- she will reply 194 times 'Dear Sir, we understand your concerns about company 'Lost Packages Co' inappropriately handling your data which you have earlier given us consent to share; upon your instructions we are now revoking all data from them. At the same time, upon your current request, we are allowing company 'Safe Packages Co' to see your data but not your earlier purchases.
We have also received your request to retrieve a list of all your earlier purchases containing toiletry items which you wish to share with 'Toilet Usage Analyzer Services Co'; I am enclosing the requested data, it is a 5MB file in .csv, .xlsx and human-readable .pdf formats. At the same time we are allowing the toilet company you chose to analyze your habits to access your future data online through our website API, but this applies only to your purchases of toiletry articles. According to GDPR you may of course change your preferences again at any time'
(and Mary works fast: she modifies the 'MayShareWith' fields manually in 74 SQL tables like a breeze, writes the export queries and converts these files to any format our customers wish, although she is still learning how to manually binary-edit AutoCAD .dwg** files: a customer of ours uploaded a drawing to our server in this format, unfortunately with his full name and address (i.e. GDPR-protected personal data) as vector graphics he wanted us to print on the custom-made toilet paper he ordered; now he wants us to change that name in the file we store in our system, and we can't afford to buy AutoCAD for her to edit the file more easily)
But she misses one incoming request; she does not reply with a simple 'No, Sir, we have no data' to Herr Dr. Anwalt Abmahnung*, and this request turned out to come from our competitor's lawyer,
now we are facing a hefty fine. Luckily another law firm offered their services to clean up the mess and train our Mary in 'Better GDPR Practices'. The counselling alone will cost us 7500 EUR; I don't know how it should help us avoid further GDPR breaches, but the software guys still keep telling us they can do nothing to help Mary.
...and then I woke up to realize it is not yet 25th of May.
What about a standardized GDPR submenu covering all the necessary user requests (general info, data deletion, modify data, allow/deny sharing with X/Y/Z, data export, etc.) in all customer UIs in all systems, so it could take the burden of it? Or at least a standardized kind of ticketing system would give our users the impression that everything complies with the law, and we would gain some time to catch up manually.
I may seem to exaggerate this (yes I did, for the sake of explanation), but I did not: we really do have a Mary in PR, and she does reply to our customers' requests 'Please change the shipping address of the order I have just placed' or 'Please change the color of the cat litter I ordered 17 minutes ago to pink', etc. She does this now full-time, 8-9 hours a day.
On top of all her current duties will come all those GDPR-aware users who wish to protect their data from a future 'Cambridge Analytica'; how many of our 275k customers will have data-related requests regularly or occasionally? Can you tell? Will they read some day something bad about 'Toilet Analyzer Co' in the news and 58k of them request to modify their stored data immediately on one single day? Should we hire two additional Marys now?
What are the risks now if Mary misses changing the cat litter's color to pink? In the worst case we will ship the order again and lose 2 x 3.90 EUR with the repeated shipping; I would not even tell her about the error if it happened now. But what if she misses acting upon a GDPR request from one customer? We lose 20 million? (I am exaggerating, but 2000 or 200 are also amounts we cannot afford.)
*FYI: Abmahnung. A legal form of racketeering your business for the smallest error; this technique is widespread in Germany, extracting up to several thousand Euros from you by pretending these were legal costs. All this 'business' is backed up by German courts: when you receive an 'Abmahnung', it is already accompanied by the court's preliminary decision ordering you to pay the lawyer for his 'work'. Usually receiving this letter is the very first moment you become aware of your violation, so you never have the chance to correct it at no cost. Many lawyers in Germany make their living proactively searching for the smallest errors and violations of law (ranging from forgetting to show the price per liter when you are selling 100ml of something, to forgetting about battery rules and markings when you are selling anything with, for example, a 2mm lithium coin cell).
Earlier these lawyers had to work for it at least a little; nowadays they can just google the internet for prey. I think GDPR will be just another goldmine for them.
Don't get me wrong, I am not a renegade against obeying the rules; I just find it unfair to pay 2-3000 EUR for mistakenly not including the per-liter price for one item in a 35k-item webshop. There is even nothing that protects you from paying several different lawyers for the same small error they discover. And all this happens each day in the same country where a speeding ticket can cost you as little as 10 Euros.
The most fearsome thing in these GDPR regulations is that ignoring a user's data handling request, or even a delay to it, is obviously visible from the outside, as I already tried to explain earlier.
** it is just half a joke: we really do receive and store .dwg, .eps, .ai, .jpg, .png, .pdf, .tiff etc. files containing sensitive personal user data (names, addresses, telephone numbers, email addresses) in one of the webshops we operate. We sell customized advertisement items, like pencils, pens, sweets, etc. with company logos, but very often with names on them. Our customers upload these files and I see GDPR makes no exemption for the personal data we may 'store' in these files.
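As an added illustration of the "standardized GDPR submenu / ticketing system" idea raised in the post (this is example code written for this page, not code from the original thread or from any shop system it mentions), here is the core a developer would build so that Mary no longer edits WHERE clauses by hand. It assumes a constructed four-table SQLite database and a hand-written registry (`PERSONAL_DATA_MAP`) of which tables and columns hold personal identifiers; every table, column and customer value below is made up. The registry answers "do we hold data about X?" across all tables with one parameterized lookup, drives export (portability), date-bounded erasure (the "before the divorce" case) and a single consents table replacing per-table 'MayShareWith' fields.

```python
import csv
import io
import sqlite3

# Constructed registry (an assumption for this example): which tables hold
# personal data, which columns identify the data subject, and which column
# carries a timestamp so that date-bounded erasure requests can be honoured.
# Table and column names come only from this trusted map, never from users.
PERSONAL_DATA_MAP = {
    "customers": {"ids": ["name", "email"], "ts": None},
    "orders":    {"ids": ["customer_email"], "ts": "ordered_at"},
    "web_logs":  {"ids": ["ip", "email"], "ts": "seen_at"},
    "consents":  {"ids": ["email"], "ts": None},
}


def open_sample_db():
    """Constructed sample data: a tiny multi-table shop database (made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(name TEXT, email TEXT, address TEXT);
        CREATE TABLE orders(customer_email TEXT, item TEXT, ordered_at TEXT);
        CREATE TABLE web_logs(ip TEXT, email TEXT, seen_at TEXT);
        CREATE TABLE consents(email TEXT, partner TEXT, allowed INTEGER);
        INSERT INTO customers VALUES ('Alice Example','alice@example.org','1 Sample St');
        INSERT INTO orders VALUES ('alice@example.org','cat litter','2017-09-01');
        INSERT INTO orders VALUES ('alice@example.org','pencils','2018-01-15');
        INSERT INTO web_logs VALUES ('192.0.2.10','alice@example.org','2018-02-01');
        INSERT INTO web_logs VALUES ('192.0.2.99',NULL,'2018-02-02');
        INSERT INTO consents VALUES ('alice@example.org','Lost Packages Co',1);
    """)
    return conn


def _match_clause(columns, identifiers):
    """Build 'col IN (?,?) OR col IN (?,?)' with bound parameters; the
    subject's names, emails and IPs are never pasted into the SQL text."""
    if not identifiers:
        raise ValueError("a request must carry at least one identifier")
    placeholders = ",".join("?" * len(identifiers))
    parts = [f"{col} IN ({placeholders})" for col in columns]
    return " OR ".join(parts), list(identifiers) * len(columns)


def find_subject(conn, identifiers):
    """Right of access: rows per table matching any identifier ({} = 'no data about you')."""
    hits = {}
    for table, spec in PERSONAL_DATA_MAP.items():
        clause, params = _match_clause(spec["ids"], identifiers)
        n = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {clause}", params).fetchone()[0]
        if n:
            hits[table] = n
    return hits


def export_subject(conn, identifiers):
    """Right to portability: one CSV document per table holding the subject's rows."""
    out = {}
    for table, spec in PERSONAL_DATA_MAP.items():
        clause, params = _match_clause(spec["ids"], identifiers)
        cur = conn.execute(f"SELECT * FROM {table} WHERE {clause}", params)
        rows = cur.fetchall()
        if rows:
            buf = io.StringIO()
            writer = csv.writer(buf)
            writer.writerow([d[0] for d in cur.description])
            writer.writerows(rows)
            out[table] = buf.getvalue()
    return out


def erase_subject(conn, identifiers, before=None):
    """Right to erasure: delete matching rows; with `before`, only rows whose
    timestamp is earlier than that date (tables without a timestamp are skipped)."""
    deleted = {}
    for table, spec in PERSONAL_DATA_MAP.items():
        clause, params = _match_clause(spec["ids"], identifiers)
        if before is not None:
            if spec["ts"] is None:
                continue
            clause = f"({clause}) AND {spec['ts']} < ?"
            params = params + [before]
        n = conn.execute(f"DELETE FROM {table} WHERE {clause}", params).rowcount
        if n:
            deleted[table] = n
    conn.commit()
    return deleted


def set_sharing(conn, email, partner, allowed):
    """Consent changes: one (subject, partner) row in a single consents table,
    replaced on every request, instead of editing a flag in dozens of tables."""
    conn.execute("DELETE FROM consents WHERE email=? AND partner=?", (email, partner))
    conn.execute("INSERT INTO consents VALUES (?,?,?)", (email, partner, int(allowed)))
    conn.commit()
    return sorted(conn.execute(
        "SELECT partner, allowed FROM consents WHERE email=?", (email,)).fetchall())
```

Each function returns a structured result (which tables matched, how many rows were removed, the current consent list), which is what a ticketing front end would log against the request so that the reply, and the deadline, are auditable. The real work in a production system is maintaining the registry: every new table or uploaded-file store holding names or addresses has to be added to it, or the "we have no data about you" reply becomes wrong.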