This blog post is about the General Data Protection Regulation (GDPR) of the European Union (EU). While I cover the basics of GDPR, the main focus is on how it impacts freesewing.org, and what we plan to do to in the 100 days that remain before GDPR goes into force.
This is a bit of a long read, so here's a table of contents:
I have a love/hate relationship with the European Union. I love what they do and what they stand for, I hate how they do it.
The GDPR is no different. It's an important piece of legislation that raises the bar for online privacy, which is great. But as I was reading up on the subject, I felt the urge to rage-quit because OMG bureaucrats.
Allow me to explain.
For better or for worse (I believe for worse) the internet has settled into a modus operandi where you pay for free stuff with your personal data. Some people call it people farming, and I think that's a great term.
The frightful five are vacuuming up ever more of our personal lives. Short of never going online, there seems to be precious little we can do about it.
This problem is too big to tackle by any of us. Who could possibly stand up to the combined power of the tech giants?
Well, how's this for a CV:
When it comes to tech giants, the European Union is all stick/ no carrot.
The General Data Protection Regulation enforces privacy policies that respect users' rights. It applies to all EU citizens, all the time, everywhere.
Doesn't matter if you're a silicon valley juggernaut, respect the rights of the EU citizens or face the wrath of the eurocracy:
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or 20 million euro (whichever is greater)
Four percent of global turnover is a very big stick.
The EU being the EU, the regulation is a mixed bag of lofty goals and ideals, watered down by lobbying groups, and further complicated by the compromise required to get 28 member states on board.
The intentions are great, it's a great idea, but they are doing a terrible job at selling it --- as usual.
The practical implementation is in the hands of the so-called Article 29 Working Party which is currently keeping busy designing icons (I am not making this up) It will change its name to the European Data Protection Board come May 25th, because you wouldn't want to get too comfortable with all this jargon now, would you?
If you're looking for expert advice on GDPR compliance, this is not the place for you.
But if you are curious about the GDPR and what it takes for a website like freesewing.org to be compliant, read on.
If you really want to know what GDPR is, the best thing you can do is read the damn thing. It ain't no rocket science.
If legislative texts make you run for the hills, the UKs ICO has easily one of the best guides on GDPR.
A few things you should know before we dive into GDPR:
The GDPR was adopted back in 2016, but it won't grow its teeth until May 25th 2018.
Until that day, you get a pass. After that day, it's for real. Which means we have 100 days left to get our house in order.
Organizations employing fewer than 250 people are exempt from some of the more bureaucratic aspects of the GDPR, such as a bunch of documenting requirements.
Essentially, while you still have to do the right thing, there's a lot less paperwork to fill out.
Freesewing employs zero people, so we're off the hook.
Body measurements alone are not sensitive data
The GDPR has extra provisions for sensitive data such as biometric data, profiling, and a bunch of other stuff.
This was cause for concern because we collect body measurements, and one of our questions was whether that qualifies as biometric data.
Turns out it doesn't. Biometric data is what you can use to identify a person, like a fingerprint or iris scan. Body measurements alone are not sensitive data.
To collect data, you need a so-called lawful basis for data processing. There are different types, but the one that applies to us (and to most online services) is consent.
In this scenario, your legal basis for processing the data is that you've asked the person to get their data and they've freely given it to you.
That is straight-forward, and makes sense. But the GDPR is really serious about making sure this consent is freely given, and not wrestled from you grudgingly.
To prevent companies from throwing up a big wall of legalese that people have to agree to, the GDPR outlines a number of principles this consent should adhere to. Here's a non-exhaustive list:
Looking at that list, I can't help but feel that legislation would be a lot simpler if lawmakers could just write don't be a dick and call it a day.
Remember, we can't just get blanket consent. We need to get consent for every type of data processing we do.
For freesewing.org, we have identified three different types of data processing:
For each of these, we'll need to get consent from the user, making sure it's real consent as intended in the GDPR.
Below is a mockup for what this could look like for each data type:
Please note that the mockups originally included in this post are no longer available. Instead, this functionality has been implemented in the website.
The GDPR states that you should ask for consent when the data is collected.
With our three types of data processing, that means that consent must be asked at different times:
This will (also) require some extra work to integrate this in the site.
The EU enshrines basic rights for its citizens that should be respected when processing data.
Let's look at each of these rights and their impact on freesewing.org.
You need to be transparent about how you use personal data. Why you collect it, how you use it, and so on.
Informing users is something we are still working on. If anything, this blog post is part of that effort.
While this will require some work, I don't expect any problems here.
People have the right to know their data is processed, and to access that data.
We are already compliant, as all data users enter on the site can also be accessed by them.
People have the right to correct their data if it's not correct.
We are already compliant, as all data users enter on the site can also be edited by them.
People have the right to have their data removed/erased.
We are already compliant, as users can remove their models, or entire account at any time.
This right means that users must be able to put a freeze on all data processing, without going as far as to delete their data.
We do not currently offer this possibility, and will need to add this functionality to the site.
People not only have a right to export all their data, that export should also be in a format that makes it easy for them to take their data elsewhere.
We are already compliant, as we allow users to export all of their data, and make it available in different standard formats (YAML and JSON).
The right to object applies specifically to:
- processing for public interests or by official authorities
- processing for direct marketing
- processing for science/historic research/statistics
In these cases, people can object to this specific processing.
This is going to apply to us when we start publishing anonymized model data, something that's on our roadmap.
The reason for publishing this data is that we want to make a dataset available of real body measurements, rather than the standard measurements that are typically used in the industry.
This is something we'll write about more at a later date, but essentially this falls under the scientific research/statistics category. And even though the data is anonimized, we still need to respect the right of users to object to this processing.
As such, we should add the possibility to object to this specific use of the data.
People have extra rights when it comes to profiling or decisions made by AI or algorithms without human involvement.
This is not relevant in our situation.
The EU isn't content with throwing up a couple of consent questions and respecting people's rights when processing data. It also wants to make certain that your privacy is (better) protected when things go wrong.
That's why it advocates for privacy by design. While it's a concept that's hard to pin down in legislation, the purpose is clear: They want everyone to consider privacy from the very start of their project/product/business, and not as an afterthought.
Things such as encryption (both in transit and for data at-rest), pseudonyms, and data expiry are suggested as things to keep in mind while designing.
Obviously, the EU is not going to come check your code to see whether you've taken privacy by design to heart. But it can (and probably will) have an influence when things to wrong.
Imagine two companies who have a data leak, one of them hasn't done much to safeguard the privacy of their users, whereas the other has taken privacy by design measures to mitigate the damage.
It seems obvious that the EU is going to come down harder on the company who didn't even try.
We already do a number of things that are driven by a privacy by design approach. For example:
There's some more info on this in this blog post: The choices I've made to protect your privacy. Or why you won't be getting any cookies.
These already form a very good basis for a privacy conscious website. But since we'll need to make changes for GDPR anyway, we're considering other options to further raise the privacy bar. Specifically, what can we do to limit the damage to our users in case there is a data leak.
Some of the most sensitive data we store today is the address and birthday of our higher-tier patrons.
However, the site does not need this information to function. We only need it for administrative purposes; Sending out gifts and birthday cards to our patrons.
As such, there's no real need to keep this data in the freesewing database. We could just as well write this information down in a notebook we keep on our coffee table.
So, as part of our GDPR-related changes, we will remove this information from the database, and store it offline.
We already encrypt all data in transit. But, we are currently considering to add encryption of data at rest.
The idea is to encrypt all data that could potentially identify a user. Such as:
This would add an extra layer of defense for our users' privacy in case somehow our database gets dumped.
While this change will be non-trivial to implement and come with a performance penalty, I feel it's worth looking in to.
While we still have some work to do, we are already compliant with large parts of the GDPR, especially when it comes to respecting users rights:
We are currently working on the right to be informed and have a plan for the changes required to respect the right to restrict processing and the right to object.
We'll need to add changes to the user on-boarding to make sure notices are presented at the correct time. Not to mention that we'll need to keep track of who gave their consent for what.
Seems like we've got a lot of work ahead of us.
It is my personal opinion that the GDPR is a good thing. But I want to hear from you about the changes outlined in this blog post.
So please reach out with your feedback and comments. It is after all your data we're talking about.