2019 01 GDPR

Location: Room 1300 — Conrad Grebel University College, 140 Westmount Rd. N. · Waterloo, ON N2L 3G6 (bottom floor, in the hallway that connects the main building to the Chapel-Residence building)
Date: Monday, 14 January 2019
Time: 7:00-9:00PM

Does your Non-Profit organization collect personal data on people? People in Europe? And what is Personal Data anyway? Does your organization have an office in Europe? Store data in Europe? Process data in Europe? What is the “General Data Protection Regulation” (GDPR)? Does it apply to your organization? What policies does your organization need to have? What technical measures need to be in place? What’s the SysAdmin’s role in all this? Could a SysAdmin be liable?

Marc Paré will provide us with an overview of the GDPR, and outline some of the concerns for Non-Profit SysAdmins.

–Marc Paré & Bob Jonkman


  • Dutch government report says Microsoft Office telemetry collection breaks GDPR | ZDNet
    • Investigators said they’ve identified the “large scale and covert collection of personal data” through Office’s built-in telemetry collection capabilities. They said Microsoft engages in this telemetry collection covertly and without properly informing users. The report said investigators didn’t find any official documentation about what information Microsoft collects through Office and no way of turning Office telemetry off, raising a serious privacy concern for all current Office users, regardless of geographical location.

Talking Points

  • General Data Protection Regulation (GDPR)
    • European Commission
      • set the GDPR standards
    • Data Protection Agencies (DPA) (e.g. Information Commissioner’s Office (ICO) in the UK)
      • In charge of administering the GDPR in their respective countries
    • In force as of 25 May 2018
      • primarily applies to controllers and processors located in the European Economic Area (the EEA) with some exceptions
      • applies to any site servicing or selling goods to European users
      • all sites must adhere to GDPR except any personal websites
    • Types of data
      • clear reason for data collection
    • Consent
      • requires use of positive opt-in consent and NOT pre-ticked consent or use of double-opt-in
      • requires that the site’s statement of consent be clear and explicit
        • cannot re-purpose consent to another statement
      • user ability to remove consent should be easily accomplished
      • requires storage of consent for possible future audit trails
    • Data Storage
      • clearly defined use and length of time needed to store information
      • storage of personal data for longer is permitted if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes
      • data collection must be necessary
      • users have the right to access, rectify, erase, restrict, restrict portability of data
      • restricts the transfer of personal data to countries outside the EEA, or international organizations
    • Types of data collection groups (2)
      • Controllers and Processors
    • Data Protection Officers (DPO)
      • individual in charge of data storage and adherence/compliance to GDPR for companies over 250 employees or if collecting large personal sensitive data
      • DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level
      • DPO may be shared amongst multiple organizations
      • you must appoint a DPO if
        • your site requires large scale tracking
        • you are a public authority or body
        • your site collects data on criminal convictions/offences
        • appointing a DPO is suggested as best practice
    • Data Breaches
      • requires that data is stored securely
      • encryption is suggested
      • breaches reported within 72 hrs
      • keep a record of any breaches
      • have a breach policy
    • Non-compliance fines
      • up to 20 million euros or 4% of annual revenues
    • GDPR Certification
      • framework is still not available but forthcoming

GDPR and Canadian Privacy Laws

    • Personal Information Protection and Electronic Documents Act (PIPEDA)
      • aligns more or less with GDPR
      • updated as of 01 November 2018
      • mandatory reporting of breaches to users and to Privacy Commissioner
        • more fine-grained reporting on breach policy and record keeping
      • fines up to $100,000
      • PIPEDA does not generally apply to not-for-profit and charity groups as well as political parties and associations
      • complaints may be sent to the organization in question or to the Privacy Commissioner
      • Privacy Commissioner may conduct audit if necessary



Meeting Notes

  • Don’t take our words as legal advice!
  • Some websites closed down rather than violate GDPR
  • Each country in EU needs to appoint its own GDPR Commissioner
  • Started last year (25 May 2018)
    • People had several years to comply before 2018
    • But the European Commission is not yet up-to-speed on everything, still working on enforcement and compliance
  • Personal websites don’t fall under GDPR
    • Unless you’re selling goods or services to European markets
    • If you don’t expect visitors from Europe you should be OK
    • But GDPR exceeds boundaries, even non-European sites need to follow that law
  • Controllers: Collect the data, set standards to determine what data to collect (eg. Google)
  • Processors: Websites that don’t necessarily use the data, but collect data from other sites (eg. banner ads)
  • Even temporary receipt of data falls under GDPR
    • KWNPSA site might be under GDPR, WordPress requires cookies
      • Marc has added a cookie disclaimer to https://kwnpsa.ca
      • The cookie form cannot be pre-checked
      • Newsletter subscriptions require double opt-in (subscribe, then confirm)
        • We can no longer add people’s names without written permission, or subscribing with an opt-in
        • Marc & Bob gave a demonstration of the Mailman subscription process
    • Fines might be 20,000,000 Euros, or 4% of your profits
  • Could one entity cause trouble for another entity by reporting them to GDPR?
    • Compliance is largely self-adhering
    • Getting a whole website shut down isn’t really possible, as long as that entity is responsive to GDPR
  • Is there an agency that reviews incoming complaints, and finds those entities that don’t comply?
    • Not really defined, still setting up the framework for that
    • The European Commission will not fine people, but the individual states’ Data Protection Agencies do the enforcement
    • Foreign policies affect relationships between all countries, might trigger or be triggered by other events
  • GDPR was an answer to privacy and anti-competitive incidents with Microsoft, Google, Facebook, and Yahoo
  • GDPR provides a clear policy on data collection
    • Gives users a right to see and have corrected the data collected on them
    • Only applies to e-mail (and websites) that affect European users, not e-mail that stays within Canadian borders
      • But Canada has rules of its own, not as strict as GDPR
      • Canadian fines aren’t as high, only $100,000
    • In the US the only state that’s updating its rules is California
      • But other states are expected to follow California
  • GDPR rules just make common sense for the user
    • For website developers it’s more onerous
    • Also onerous for those people running secure browsers that clear the cookies allowing cookies…
    • Compliance is built into some frameworks like WordPress.
      • But we (KWNPSA) still need to write and publish our policies on cookies and data retention.
      • The current disclaimer text is no longer adequate, even for Canadian rules
      • GDPR and Canadian rules are moving towards requiring encrypted collected data storage
      • Organizations with 250+ employees must have a full-time, certified GDPR Data Protection Officer
        • But there is as yet no framework for this certification
      • Will there be a standard for encryption?
        • Probably as part of the framework for certification
        • All the usual encryption problems apply (decryption in the server, decryption between storage and transmission)
    • Political organizations, Charities, and Non-Profits don’t have to follow the Canadian PIPEDA regulations for mailing lists
      • But CANSPAM still applies (but there are tools and services to check if your fundraising letters are conformant)
  • There are stringent rules about publishing policies, reporting breaches, timeline for reporting breaches
  • Organizations that are too small to have a dedicated Data Protection Officer can share one between them
  • Marc shows some sites that are GDPR conformant, eg. IBM
    • IBM in Germany does not have a cookie popup.
    • Shell has a nicer cookie popup than most (small, unobtrusive box at the bottom)
    • Volvo has every cookie itemized in their policy (GDPR encourages that, Canada is likely to follow)
  • There are sites with sample policy wording that can be followed.
    • Do analytics companies like Piwik offer their own sample policies? No, because they could not make it specific enough for all regulations, too much liability
  • In Canada:
    • PIPEDA is the equivalent of GDPR, updated in November 2018
  • Ultimate goal is to restore people’s confidence in spending money on the Web