Vocal Voices

[Suff]

Or are they unintended?

What am I talking about? GDPR, that wonderful legislation by the EU which will "protect" our data. All very good, all very laudable. All very BS. I know quite a bit about this, I have to because it impacts my world so much. GDPR comes into effect on Friday.

Go on, admit it, who's mailbox is filling up with "Our GDPR team recently reached out to you."? Mine certainly is. I've been watching the intensity build and am highly amused by it all in a morbid way. I have predicted, for a while now, that GDPR is going to make all our lives a hell of a lot harder and more expensive. Most people in the business simply didn't believe me or didn't think that it was that momentous. Well until they got the consultancies in to explain to them exactly what it meant.

So, today, I saw the very first indications of what GDPR is going to mean for the average person in the street. Safer data you might think? Actually, no, nobody is really saying your data will be safer, that is not quite what GDPR is about. What I'm talking about is this.

OK you say, but I don't play computer games so why is this relevant to me?

Well let's read some of the statements there.

The new regulations will require more overt explanations of private data being collected, how it will be used, and—in specific cases—the hiring of a Data Protection Officer to oversee compliance.

With me so far? It sounds quite good doesn't it.

As a result, the cost of doing business in Europe is about to go up. It costs to come into compliance with the new directives, and it’ll cost more to operate in Europe going forward.

Getting there, but here is the first indication that the writer of the article doesn't fully know what they are talking about.

Some companies are already feeling the burden. “I'm very sad to announce that Loadout's end of service will be on 5/24/2018,”

Predictable... Especially the blame on GDPR.

Now comes some of the fun stuff.

The GDPR requires companies collecting data have to make that data available to customers upon request within one month, totally free. If that customer wants their data deleted, the company must also be able to completely scrub them and all their data from its systems.

One month seems quite reasonable. Now let us say that you have 1 billion users and 10 million of them ask for ALL of their data.

The second part is more interesting. Completely scrub their data. Now back in 1998 I worked on the Philips Y2K email migration project. I totally re-designed their data storage and the cost, for the re-design, not the storage, was $3 million. Later in the project we realised that we had totally missed the entire backup architecture. We did a back of a fag packet cost structure on an infrastructure which could actually back it up. Philips had a standard of one fully copy on site and off site for every week, one fully copy monthly on site and off site and one full copy off site annually.

We estimated that the cost of providing that backup infrastructure was three times the entire hardware budget for the entire company. Which, at that time, stood at 360 servers and 30tb of storage made up of individual 9.6gb disks. Over 3,000 disks, 2,600 of them in one data centre in Eindhoven (it was quite large).

Now, after that long intro into what I just said, imagine you want to scrub 7 years worth of even 1 users data. Not just from the running systems, not from the running and disaster recovery systems but from your entire backup archive, your specialised indexing servers and their backups, from your legal databases and their backups.....

Even worse is when you realise that most systems are based on other systems....

Cohen said he can’t just update his old systems to work in the new system. “Loadout is dependent on legacy third party services that are being discontinued rather than overhauled for GDPR compliance,”

So why is everyone in a fuss, Data Protection has been there for a long time now, it's just another one isn't it. Big deal we'll just get our hands smacked if we get it wrong.

The potential penalties are astronomical—up to 20 million Euros per infraction or 4% of revenue, whichever is greater."

"per infraction"? Yep, panic...

And the impact continues

Loadout is far from the only game GDPR is killing. Free-to-play MMORPG Ragnarok Online is shutting down its European servers. The MOBA-style shooter Super Monday Night Combat is also shutting down.

Here we get into another little misconception too. Shutting down European servers.

Why do I say that? Because GDPR does not just impact systems and data on European servers. It impacts ANY system Anywhere in the World that contains data About a European Citizen.

This article is just the first act. What we are going to see, in the future, is that EU citizens are going to be locked out of International games and other systems to avoid DGPR impact. Making EU citizens second class citizens on the world stage.

Even more interesting is that the EU will be demanding that Every new trade deal can only be signed up if the country in question agrees to GDPR being implemented by the other country. Which, I expect, means that the EU's last large trade deal will be signed with the UK. I can't see China, Russia or the USA agreeing to those terms.

Unintended consequences? We shall see.

[cromwell]

That bit about "scrubbing the customers data" sounds like it will be used by politicians and other rogues to me.

Just like the "right to be forgotten" privacy laws; when they came in more than 70% of requests were from politicians (allegedly). You try finding out what Mandelson said about entering "the post democratic age" these days.

That's an interesting read Suff.

[Workingman]

Few of you will be surprised to learn that I have not one molecule of sympathy for the data miners and only a little bit more for those who have to don Marigolds and clear up their 'U' bends.

Data protection has been a concern since tha days of ledgers and day books but it is only in the past 60 years or so that it has been taken anything like seriously.

We even have our own version, the toothless Data Protection Act of 1998.

The problem in the digital age has been that the methods of misuse have outstripped the legislation, but finally someone has had the guts to say 'enough is enough' and that is spiffingly fine by me. Well done the EU. What is about to happen is so good that large parts of the RoW are going to sign up as well. Even we will keep the laws once Brexit is completed, though we will probably give them a British/UK sounding name to make them 'ours'.

If they had all behaved honourably with our data instead of making fast bucks from it none of this would be needed.

Ah, the unintended consequences of arrogance and unbound greed. Petard - own - BOOM!

[Suff]

Yes if you want to read the ramblings of that "personage", you have to go somewhere that the right to hide your shameful past has not been enshrined in "Diktat". Like America.

[Workingman]

Or you could type 'Peter Mandellson post democratic age' into your normal google search page here in the UK and be taken to many of the same articles as the above link, and the reason is simple.

The right to be forgotten (Art. 17 GDPR Right to erasure (‘right to be forgotten’)) has sod all to do with someone wanting to distance themselves from articles, books, speeches, interviews etc given/published at an earlier time. They are already in the public domain and there is not an article of legislation, or maybe we should say a 'Diktat', in the whole Universe that can put every single version back in the secret box.

[Suff]

The right to be forgotten is just a tiny little piece of GDPR, but it is an example of how things are going.

We're not saying the right to be forgotten will erase every trace. What we are saying is that the right of erasure has some interesting spin off's. Especially as it will be used by those, who we should be wary of, to hide themselves from a good 99% of casual searches.

However this is not a case of stupid stuff like politicians trying to re-invent themselves on the back of hiding their past deeds. This is about unelected bodies foisting legislation on us that we never asked for and did not want. With the stated aim of doing us a "service". This smacks heavily of the Soviet state. Oooh look we did "this" for you aren't we good! Never mind the fact that we didn't want it and we sure as hell didn't ask for it.

As I understand it, Every organisation that has your data, even be it an email address, must ask you if you still want them to keep said data. At Every Single Audit. Get ready for your store loyalty card companies asking you, every year, if you still want them to hold your data. Because they are no longer allowed to "assume", they have to Ask you to confirm. Be a bit of a bummer if all those loyalty points vanish because you forgot to respond to them in the allotted timeline and they cancelled your loyalty card; wouldn't it. Of course the stores would never do that to get back some of the astronomical sums of money they are going to have to pay out on GDPR... Would they??

Ah well. When the accusations and lawsuits start flying, it will certainly enliven the IT workplace. Because this is _entirely_ an IT thing.

It would be highly amusing if companies like Facebook, under extreme threat from the EU over GDPR, at risk of 4% of their turnover (not profit), for every single breach, simply took the step to lock out all EU citizens from their sites. Honestly I think I might have an aneurism laughing...

It's going to be like Un "reality TV" every month soon.

[Workingman]

There is conflation, here, between a person's personal data and a person's past events. That person's data (which they own) can be erased, should they so wish. Their past is a different matter as it is already out there and known. GDPR is not attempting to erase their past actions from history.

When it comes to unelected bodies foisting legislation upon us that we never asked for and did not want; that has always happened. We never asked for, and many did not want, seat belts, but few of us would now give them up. We did not ask for polio vaccinations, nor many other medical advances, but we got them anyway. Would any of us opt for going back to the days of yore?

It is also not an 'IT' thing, as such, although IT plays its part and has enabled it. It is a commercial misuse of a person's data, much of which has to be handed over in order to do business with these companies, in order to make a fast buck. If that comes back to bite them, and perhaps puts a few out of business, I will not lose so much as half a wink of sleep over it.

[Suff]

When it comes to unelected bodies foisting legislation upon us that we never asked for and did not want; that has always happened. We never asked for, and many did not want, seat belts, but few of us would now give them up. We did not ask for polio vaccinations, nor many other medical advances, but we got them anyway. Would any of us opt for going back to the days of yore?

Actually for a lot of things Yes I would. There was a very good reason for seat belts. Just check the statistics. Seat Belts are the single largest reduction in the loss of life on our roads. Bar none. Vaccine's like Polio? Not sure they were ever mandatory.

This "law" is not in those classes at all.

It is also not an 'IT' thing, as such, although IT plays its part and has enabled it. It is a commercial misuse of a person's data, much of which has to be handed over in order to do business with these companies, in order to make a fast buck. If that comes back to bite them, and perhaps puts a few out of business, I will not lose so much as half a wink of sleep over it.

Just businesses/commercial? Think again. NHS, not for profit, charities, ALL in scope of GDPR whether they sell your data or not.

GDPR is nothing more or less than power. The exercise of power. It is a first step on a long road and it is couched in terms which make out that we asked for it. WE didn't. Whilst it may be mildly beneficial, my experience in life is that these kinds of rules have negative consequences and they Always outweigh the benefits. Because they were never really designed to benefit in the first place. They were designed to get people used to this kind of exercise of power.

[Suff]

As I was saying.

It was entirely predictable.

[Workingman]

Good.

There is no reason for them to harvest, never mind keep, my data without my explicit consent.

Well done the EU.