Privacy audits and GDPR observations
The introduction of the European privacy act known as GDPR seems to have caused a flurry of work in the web development business, but oddly and unfortunately enough I seem to have been immune to this development.
So I decided that I would go through the process of improving one of my own websites, just for practice, and see what I could learn from that. Here is what I found.
So the GDPR is a law from 2016 that builds on earlier attempts by the European Union to anchor privacy as a basic human right for all its citizens. It is an extension, in a way, of the EU’s attempts to turn itself into a vast, wasteful, undemocratic political entity that enormously exceeds its initial scope. Initially the EU was to be an economic union that dealt with things like standardising on electric outlets and shoe sizes.
What the GDPR added to earlier legislation was a bite. From now on, offenders could be hit with significant fines.
Proponents of the GDPR like to claim that the law is based on the principle of privacy-by-design, meaning you need to structure your systems and services in such a way that people’s private lives remain private, and that if you want more from them, you need to get explicit and freely given permission. Let us see how that pans out, shall we?
In the past few months, unless you have been living under a rock, you have been flooded with privacy related messages. These tended to take one of two forms:
- The weak: “Please, please, please, please, please let us keep spamming you. We are begging you.”
- The strong: “Here is what will happen. You will give us permission to sell all your personal data to the highest bidder, or we will stop our relationship here.”
If the service needs you more than you need it, you would have gotten the former request. But if you need the service more than they need you, let us say the Googles and Facebooks of this world, they get to dictate the terms under which they use your personal data. That doesn’t sound like privacy-by-design to me, that’s just plain old neo-liberalism and greed at work.
So that is what the GDPR is, but for the proprietors of websites it is much more important to know how to comply. The catch-all case for GDPR compliance is, as you have seen, express and explicit consent. A website owner needs to identify all his uses of personal data, explain to a visitor what those uses mean, and then ask permission for those uses.
Luckily there are a number of exceptions where the rights of the proprietors would be unnecessarily burdened if they had to ask for permission. One such exception is a technical necessity: a website would not work if your user had the option of saying no. For example, in order for a web shop to work, you have to be able to ask the visitor for billing and shipping information.
Another exception is freedom of speech. If you are writing an article about someone, you don’t have to ask them for permission before you publish the article.
Keeping data around for legal obligations is a third exception.
The above nicely lays out how you perform a privacy audit. You make three lists:
- Which personal data do you process?
- For each of these data, which use do you make of them?
- For each of these uses, what are your grounds for having them?
Apart from this audit, there are other things you need to do that are beyond the scope of this posting. For example, you also need to determine if you export personal data to foreign countries. (For example, if you are in the Netherlands, do you have Facebook buttons on your website? These buttons collect personal data and Facebook is an American company.) And you also need to determine for each item how long you are going to keep it, and so on.
The meanings of several terms seem obvious at first sight until you are going to perform your audit and then they become vague and confusing.
Personal data are data that can be used to identify a natural person. The logical conclusion might be that nothing then is personal data, because on the internet nobody knows you are a dog. That would make the law toothless and so judges have been using a much roomier definition in which anything that comes close to identifying you can be personal data: names, e-mail addresses, IP addresses and so on. Look out especially for combinations of data. You might argue successfully that an IP address by itself is not personal data, but IP addresses are rarely processed in isolation.
There is a special class of data that gets extra protection, things like gender, age, sexual orientation and so on.
Processing refers to anytime you touch personal data. Collecting contact information is processing personal data. Storing contact information is processing personal data. Sending this information to your e-mail address is processing personal data.
In other words, both ‘personal data’ and ‘process’ are pretty broadly defined.
The website I have been auditing, and for which I have subsequently written a privacy statement, is a Wordpress-based website. Not everything that goes for Wordpress will apply to your website, but I believe several of the lessons I learned could be relevant to any website.
I have identified five elements of a Wordpress website that come into play. If I missed any, please note them in the comments.
- Wordpress core
- Embedded content
Wordpress core is the base package that you get when you download and install Wordpress on a webserver. If all you used Wordpress for is publish pages and blog posts containing nothing but plain text, you would still be processing personal data.
Plug-ins are pieces of additional functionality created to plug into the Wordpress API (programming interface).
Themes determine the look rather than the functionality of your website.
Widgets are small, very specific pieces of additional functionality that run on top of Wordpress rather than hooking into it.
Embedded content is content hosted somewhere else, but mixed up with your own content. Lots of website owners will for example use the Twitter.com widget to quote tweets in their articles.
A web host is something your Wordpress site runs on top of, and web hosts can collect personal data too. For example, many classic web servers are set up to log every visit by storing the IP address of the visitor, the page they requested and the time of the visit.
There is a strong overlap between plug-ins, themes, widgets and embedded content, to the point where there really is not even that much difference under the hood between a plug-in and a template. The differences are mainly conceptual. For an audit, however, it is useful to treat these as different parts of your website, because your admin interface will typically present these four elements differently.
Now for me this is business and those are 23 hours well spent, time that will pay itself back in future projects. But what if you wanted a place on the web for your digital soap box, a place for your rantings and ravings? What if I told you that before you set all that up, you were legally required to spend three whole days figuring out in how many (often inadvertent) ways you were going to violate your visitors’ privacy?
What is more, you are exposed to the same multi-million dollar fines as large, wealthy organisations are. So far I don’t now of a country ogrish enough to impose million dollar fines on private bloggers, but hey ho, these are strange times.
Would you still go ahead with that website?
So the GDPR is a huge impediment to free speech, and not only that, but it limits the speech of smaller, weaker parties such as private bloggers far more than it does the speech of large corporations. The GDPR is certainly annoying to the latter, but ultimately acceptable.
But there are caveats to that conclusion.
Breaches of privacy are in itself also huge impediments to free speech. If you are afraid to speak because you are afraid someone will come after you, you may be scared in staying silent.
(The thing is though, will the GDPR make much of a difference here? I do not expect the GDPR to make any meaningful difference to the practice of doxing for example. Twitter is as a processor under no obligation to halt the practice, and the doxers themselves can claim a free speech exemption.)
Also, this is a new law and things need some time to settle in. Wordpress has just released a version of its software that comes with a built-in privacy statement and for which it has already performed the privacy audit part of Wordpress Core for you. If you install no other themes, plugins and widgets, you are almost good to go. (You need to add some info about how you are going to secure your site, how long you are going to keep certain data and so on.)
So there is some hope there.