discoursism commented on Facebook Sued by Investors Over Voter-Profile Harvesting   bloomberg.com/news/articl... · Posted by u/juststeve
mancerayder · 7 years ago
I fully agree with this, there should be laws that enforce TOS length and legibility for those who didn't take the bar exam or had their personal counsel available before clicking I Agree.

Except that the folks who'd write such laws...

discoursism · 7 years ago
I mean terms of service are not that hard to read. Facebook's TOS is only 4k words long. It is not particularly dense or full of legalese. I have written source code comments a tenth that length for a single function. That is not many words to describe the plethora of implications of using their service.

Go ahead and have a glance at it. What would you remove from it that wouldn't cause a significant gap?

Some example clauses:

> For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.

(They have to put this. If they didn't, they would get sued by someone who shared a video and then was mad that other people could see it.)

> Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account:

>

> You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.

(Not exactly dense legalese. It is good to ban impersonation, and it is right that they should include such a ban in their terms.)

> We’ll notify you before we make changes to these terms and give you the opportunity to review and comment on the revised terms before continuing to use our Services.

(Seems reasonable to me. Many years ago, people used to complain that the terms changed without notice, so FB committed to not doing that any more.)

I don't know. This whole "terms of service are impossible to read except by a lawyer" meme just doesn't hold water for me.

discoursism commented on An employee whose job was to be sacked (2010)   henrytapper.com/2010/01/0... · Posted by u/hodder
discoursism · 7 years ago
No less an authority than Danny Baker . . . the comedy writer, born in '57? Or else who? How would he know about this?
discoursism commented on Florida bridge collapse shows how Accelerated Bridge Construction can go wrong   slate.com/business/2018/0... · Posted by u/lisper
discoursism · 7 years ago
This is silly. We do not know that the overall construction methodology had anything to do with the bridge's collapse. Does the Nipigon River Bridge's collapse show how cable-stayed bridges can go wrong?

The author is a history professor, not an engineer, and it shows with the faffery about metonyms of ecological development in South Florida near the end. If the issue here was with the ABC methodology (as opposed to a misapplication of it), we'll soon learn, but I doubt it. In the meantime, the only person who stands to gain from this FUD is the author.

discoursism commented on Tech Giants Set to Face 3% Tax on Revenue Under New EU Plan   bloomberg.com/news/articl... · Posted by u/adventured
zdkl · 7 years ago
It's not blame, it's complete lack of sympathy for tech corps' complaints about the tax.
discoursism · 7 years ago
Which tech corporations have complained about this tax?
discoursism commented on Tech Giants Set to Face 3% Tax on Revenue Under New EU Plan   bloomberg.com/news/articl... · Posted by u/adventured
crispyporkbites · 7 years ago
Or it’s now 10% cheaper to start an Australian gsuite competitor ;-)
discoursism · 7 years ago
90% of billions and billions of dollars is still billions and billions of dollars.
discoursism commented on The Nightmare Letter: A Subject Access Request Under GDPR   linkedin.com/pulse/nightm... · Posted by u/jjp
Radim · 7 years ago
It's refreshing to see such a responsible approach.

What you suggest is (as far as I understand you) orthogonal to automated data discovery / inventory mapping, though.

discoursism · 7 years ago
I agree we are not using the same definition of data discovery. In my use case, you know a priori which user provided the data, you just need to plumb the information through to all downstream systems. This seems sufficient for GDPR as I understand it. I had not read your entire comment and did not realize you were promoting a system to try to do something like this automatically. I did not realize the initial question was rhetorical.

FWIW I would be worried about relying on such a system! But based on the description it seems helpful. What does it do about derivative data that doesn't directly contain any PII?

discoursism commented on The Nightmare Letter: A Subject Access Request Under GDPR   linkedin.com/pulse/nightm... · Posted by u/jjp
Radim · 7 years ago
Charming response :-) Entire industry dismissed in a single HN comment. Poof!

I'm not sure we understand "data discovery" to mean the same thing, but you reminded me of "How To Draw An Owl":

http://sethgodin.typepad.com/seths_blog/2014/01/how-to-draw-...

discoursism · 7 years ago
Hrm, did you expect me to design the output of an entire industry in an HN comment? I didn't say it was easy to do. But it is what must be done. My goal was not to provide code, but an outline, a very rough sketch, rough to the extent that it could fit in a pair of sentences. I guess in that sense the owl metaphor is accurate!

We've had two years to work on this. At my company, we've had entire teams spending significant fractions of their time over the last year prepping. As a result, we'll be ready when the switch flips.

discoursism commented on The Nightmare Letter: A Subject Access Request Under GDPR   linkedin.com/pulse/nightm... · Posted by u/jjp
Silhouette · 7 years ago
In this area, we have no idea which overheads are actually going to prove justified and which are just throwing money away. That's one of my main points here. As I've argued several times on HN recently, a big part of the problem is that if you're running a small business that isn't handling large amounts of personal data but obviously is going to be subject to the GDPR like everyone else, there is no clear indication of what you have to do to be considered reasonably compliant.

The GDPR itself is very heavy and has little in the way of moderation for small-scale data controllers/processors, so in practice it's going to come down to interpretation by regulators (and potentially anyone who has rights under the GDPR and wants to make trouble, as in the example we're discussing). If you don't do enough, you potentially face even greater overheads due to formal audits, financial penalties, etc. If you do too much, then as you rightly point out, you leave yourself at a disadvantage compared to competition who don't do as much (and this remains the case even if that competition is knowingly breaking the law as a result, and that in turn doesn't matter if they face no meaningful penalties for it).

discoursism · 7 years ago
> we have no idea which overheads are actually going to prove justified and which are just throwing money away

Life is risk. I contend that if you make a good faith effort to comply with this law (i.e. consult with a lawyer, once, to develop those eight documents you mentioned in another part of this thread) and generally practice good private information hygiene (wipe out old data, don't log private info, don't retain logs or emails too long, etc.), you're probably going to be fine. This is probably not going to be in the "inner loop" of risks your small business faces.

In every regulation, there are winners and losers. Some of the losers didn't do anything wrong, but are just losing because that's the nature of designing laws that factor in disparate interests. At this point, it's the law, and your only choice is how you're going to handle it. And my contention is that, if your small business is receiving letters like this with any regularity, calling a lawyer and spending half a day on it each time is not among the reasonable spectrum of risk-mitigating responses.

discoursism commented on The Nightmare Letter: A Subject Access Request Under GDPR   linkedin.com/pulse/nightm... · Posted by u/jjp
Silhouette · 7 years ago
You probably don't need a lawyer every time you receive such a letter.

For routine enquiries, maybe not. For a letter like this, from someone who is clearly intending to trip you up and cause trouble, our lawyer is the first call I'm making, every time.

And that initial conversation is already going to cost me hundreds of pounds and a half-day of work, even if I already have reasonable answers to anything we are actually required to respond with under the GDPR here.

discoursism · 7 years ago
> For a letter like this . . . our lawyer is the first call I'm making

/shrug It's your money. You could do that, or you could even light it on fire if you wish. It's no skin off my back. If your company is profitable enough to eat this self-imposed overhead, then its owners will just make less money. If it's not, then leaner competitors will replace it. I'm fine with either outcome.

discoursism commented on The Nightmare Letter: A Subject Access Request Under GDPR   linkedin.com/pulse/nightm... · Posted by u/jjp
Radim · 7 years ago
These types of SAR request (even milder ones) are of course impossible to handle manually. Self-assessment, the way most companies decided to handle GDPR, isn't much help here. How do you automate personal data discovery, especially for already existing data?

Funnily, the biggest fear companies have regarding GDPR and SAR does not originate from "Mr. I. Rate the customer", like in this article. It comes from disgruntled employees ratting on the company. Employees know best where personal data is stored (and often no one else in the company does), so they can really do some surgical damage. GDPR introduces a whole new dynamic.

This may be a good place to shamelessly plug a tech we developed (Show HN!) for automatically locating personal data across corporate resources: https://pii-tools.com

Personal data discovery is but a small piece in the compliance puzzle, but a piece that is critical to understanding what sensitive data is even out there: CVs with photos in backups? Scanned passports in attachments of email archives? Names and addresses in database tables? How about S3, Azure, GDrive?

Let me also add that there's no shame in not having a comprehensive view of all the corporate personal inventory. Larger companies grow their resources organically, through acquiring other companies and separate business units doing their own thing. It is a complex problem, but one where technology can help.

discoursism · 7 years ago
> How do you automate personal data discovery, especially for already existing data?

You attach an owner id to every record, and make sure all your systems can dump all information they store according to owner id. To the extent existing systems don't, you fix them.
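An added illustration of the owner-id approach described in this comment (example code, not from the thread or any product mentioned in it): every record carries an owner id, every system registered for subject access requests must expose an export-by-owner method, and derived records keep a lineage set of the owner ids they were computed from, so the "derivative data without PII" case raised earlier in the thread is still found. The `SarRegistry` class, the `derived_from` lineage field and the sample records are assumptions for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Record:
    owner_id: Optional[str]          # None for aggregates that belong to no single subject
    payload: dict
    derived_from: set = field(default_factory=set)  # hypothetical lineage: owner ids of source data

class Store:
    """One system of record; it can dump everything it holds for a given owner."""
    def __init__(self, name: str):
        self.name = name
        self.records: list[Record] = []

    def put(self, rec: Record) -> None:
        self.records.append(rec)

    def export_by_owner(self, owner_id: str) -> list[dict]:
        # Match direct ownership OR lineage, so derived data is not missed.
        return [r.payload for r in self.records
                if r.owner_id == owner_id or owner_id in r.derived_from]

class SarRegistry:
    """Fan a subject access request out to every registered system."""
    def __init__(self):
        self.stores: list[Store] = []

    def register(self, store) -> None:
        # "To the extent existing systems don't, you fix them": refuse systems
        # that cannot answer by owner id rather than silently skipping them.
        if not callable(getattr(store, "export_by_owner", None)):
            raise TypeError(f"{store!r} cannot export by owner id")
        self.stores.append(store)

    def export(self, owner_id: str) -> dict[str, list[dict]]:
        return {s.name: s.export_by_owner(owner_id) for s in self.stores}

def build_demo() -> SarRegistry:
    """Constructed sample data: two users, one aggregate derived from both."""
    profile, mail, analytics = Store("profile"), Store("mail"), Store("analytics")
    profile.put(Record("u1", {"name": "Alice Example", "email": "alice@example.invalid"}))
    profile.put(Record("u2", {"name": "Bob Example", "email": "bob@example.invalid"}))
    mail.put(Record("u1", {"subject": "Welcome", "sent_to": "alice@example.invalid"}))
    # Segment contains no PII itself but was computed from u1 and u2 activity.
    analytics.put(Record(None, {"segment": "frequent-buyers", "size": 2}, {"u1", "u2"}))
    reg = SarRegistry()
    for s in (profile, mail, analytics):
        reg.register(s)
    return reg
```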
