Privacy News

The GDPR and our Privacy Statement

The dark grey clouds of uncertainty

Visitors to this website may have noticed a distinct lack of activity in the last couple of years regarding publications or indeed news of any kind from Simon Siabod Publishing. Which raises the question, what the hell have we been doing?

Well, soon after our last news item was posted in May 2016, we had the EU referendum and the prospect of the UK’s departure. This has meant a great deal of uncertainty for business, which looks set to continue till the end of time. Will the UK finally exit, and what sort of arrangements will be in place regarding goods and services (including books and e-books), export controls, customs and tariffs and so forth? Nobody knows, including those who drew us into this mess in the first place. One would have thought that consequences might have been considered before holding such a referendum, but the idea of losing was obviously not on the guest list in the boys’ club minds of the Bullingdon Boys (aka Messrs Cameron and Osborne [1]). So government ministers are now debating what should have been debated two years ago, and “the clock is ticking.”

Which brings us to the lack of activity. We do have plans in place for future publications, including a move towards e-books, but these plans are currently on hold due to a combination of factors, not least of which is our limited resources. And for the last few months, our time has been taken up by the EU; ironically, not with the clouds of uncertainty surrounding future arrangements, but with the implementation of that piece of EU legislation known as the General Data Protection Regulation, or GDPR.

The General Data Protection Regulation (GDPR)

The GDPR came into force on 25th May 2018. The regulation is an 88-page document which has the full title of “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).” The full text is available as a PDF document from the EU website. The Information Commissioner’s Office (ICO) has provided guidance on the regulation, including an overview, which is available from the ICO website.

The GDPR is essentially an update of previous EU legislation, including the 2002 legislation commonly known as the E-Privacy Directive (2002/58/EC), which was subsequently amended in 2009. The GDPR takes into account technological developments over the last decade and is more detailed in its requirements than past legislation. In summary, its aim is to give EU citizens more control of their personal data and to change the ways in which organisations handle such data. Personal data is defined in Article 4 as “any information relating to an identified or identifiable natural person (the “data subject”).” Processing is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

As for the requirements, the GDPR says that there must be a lawful basis for collecting personal data. At least one out of six conditions must apply for the processing of personal data to be deemed lawful, one of which is the informed and explicit consent of the data subject. Organisations are expected to operate a clear privacy policy and to produce a public statement, written in plain language, which explains the policy in concise and comprehensible terms. The statement should explain what data is being collected, who is collecting it, how it is going to be used, the legal basis for processing it, how long it will remain stored, and whether the data will be shared with any third parties.

The statement should also set out the data subject’s rights, which include the right of access, the right to rectification, the right of erasure (aka the “right to be forgotten” in cases where personal data is displayed publicly), the right to restrict processing, the right to data portability, and the right to complain. The statement should explain how the data subject can raise a complaint, and provide them with the means of withdrawing their consent to the use of their personal data and of requesting its erasure. All of this information should be easily accessible, transparent, and free of charge to the data subject.

So, in the interests of transparency, henceforth we will refer to the “data subject” as “Jill Bloggs.”

What does it all mean?

What does all of this mean for us as a tiny publishing operation? First, a lot more work. We have been deluged ad nauseam by emails from organisations seeking our permission to remain on their mailing lists, including emails from organisations whose last contact was decades ago, and mailing lists that have surprised us by our lack of awareness of ever being a subscriber. So much for the receiving end. As for sending out such emails, we do not possess a mailing list nor do we have any plans in that direction, and therefore this requirement does not affect us. So what does affect us?

We are still studying the documentation. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data [ETC] does not explain the legal requirements in plain language or concise terms. ICO started producing its guidance in January 2017 and has been producing updates ever since. There’s a lot of reading out there, and we’re still ploughing through it.

A New Industry

There’s also a lot of companies out there offering help and advice, as a search for “GDPR” on Google will verify. Law firms and pseudo law firms, always eager to assist organisations in need of legal guidance, have grasped the opportunity to create a new online industry, investing heavily in Google Adwords and selling consultations, templates and website audits for large sums, all geared to ensuring that your organisation is “GDPR compliant.” As for templates, which provide the basic essentials that your organisation needs to fill in as appropriate to produce the requisite Privacy Statement, why pay excessive amounts of cash for this service when you can download templates for free from the ICO website?

Some of these outfits seem decidedly dodgy, and no doubt there are countless scams out there, preying on people’s ignorance and anxiety about incurring a huge fine should they suddenly find themselves breaking the new rules. The quality of the free advice available on these websites is frequently dubious and sometimes contradictory if one digs deep enough to establish the facts, and is obviously geared to inducing further anxiety about breaking the rules. One wonders if these bods have actually taken the time to read the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data [ETC] and subsequent amendments, or are merely spreading falsehoods based on hearsay and rumour.

The latest update concerns Article 30, Paragraph 5 on exemptions for small businesses, which says that the obligation to keep a record of processing activities shall not apply “to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.” Which raises the question, do we need to be concerned about the new regulation? After all, what personal data do we collect, process and store?

Personal Data

The simple answer is not a lot. It is most definitely occasional and does not involve the categories of data referred to in Article 9(1) and Article 10. And it is hardly likely to result in a risk to the rights and freedoms of Jill Bloggs. The personal data we collect and process is sent to us via PayPal and is limited to name, postal address, email address and telephone number. This information is used solely for processing orders for printed books, because we need this data for despatch purposes and also for contacting Jill Bloggs if any relevant information is missing or if something goes wrong (such as goods lost or damaged in the post). The information is shared with PayPal; or, to be more precise, Jill Bloggs sends the information to PayPal who then share the information with us, so we are the third party in this transaction. The personal data is not stored separately from the email that contains it, which is then archived offline for our records. The non-personal elements of these records (i.e., data relating to books and prices) may be retrieved later for stock control and financial accounting. As for how long these records are kept in storage, we follow government guidelines. The UK Government says that “records must be kept for at least five years after the 31 January submission deadline of the relevant tax year,” as HMRC may need to “check your records to make sure you’re paying the right amount of tax.” So, as far as the legal basis for processing is concerned, the basis is threefold: Jill’s consent (she’s ordered a book); contractual (order fulfilment); and statutory (record keeping). We do not use this personal data for marketing or for any other purpose, as explained in our Terms and Conditions.

Website Visitors

The other question we are currently grappling with is: What does the GDPR mean for us as a website owner? In the definitions set out in Article 4, the definition of personal data continues as follows: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” And in the preliminaries to the articles (the EU calls these preliminary paragraphs “recitals”), we read the following on page 6, recital 30: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Wow! Scary stuff! Profiling is used by search engines such as Google and social media platforms such as Twitter and Facebook for marketing and advertising purposes. As a user, we are constantly struggling to avoid such profiling as it skews the results of a search when we use a search engine for research purposes and not, as Google and others often assume, for online shopping. And as a website owner, we are not involved in any profiling activities or the use of cookies for tracking website visitors or indeed any other purpose.

However, we are able to obtain website statistics from our website hosts CWCS. All web servers monitor and log website traffic. In our case, this website sits on a shared server, and CWCS uses data from the server’s log files for statistical, administrative and security purposes. Our access to this data is limited to the data that involves our website and, from a data sharing perspective, we are again the third party. The kind of information we can obtain from this source is provided by an open source software program called Webalizer, which analyses the server’s log files.

These files capture basic information such as the IP address of the visitor, the date and time of the visit, the web page visited, and the amount of data sent to the visitor. This information is aggregated by the Webalizer to produce monthly reports on how many visitors the website has received, how they have landed here (the “referrer”), what pages have been visited, and the general geographical location of the visitor (such as the USA or wherever). Such data is commonly used by website owners to assess website traffic and the popularity of specific pages (which may be used to improve navigation) and for security purposes (which may include blocking unwelcome visitors).

In our case, most of our visitors seem to be search engines, web spiders, crawlers and bots, which scour the Internet looking for links, email addresses, usable or reusable content, and “back doors” that might enable hackers to access the site. The most popular page has often been our Terms and Conditions PDF. What does all of this tell us? First, that most of our visitors appear to be non-human. And second, the popularity of certain pages (the PDFs) and their subsequent re-appearance on websites that offer “e-books for free” confirms (as if we didn’t know already) that the Internet attracts a large number of freeloaders. The fact that certain visitors are looking for pages that don’t exist (such as a WordPress login page) tells us to beware of automated hacking tools and other security threats. And given past experience, some of our visitors are obviously agents that harvest email addresses, which then become recipients of phishing emails and countless other scams.

What the data doesn’t tell us is whether Jill Bloggs has visited our website.
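As an added illustration (not code from Webalizer, CWCS or this website), the sketch below parses constructed log lines carrying the fields listed above, counts page hits, and flags requests for pages that do not exist, such as a WordPress login page. The probe path list, the bot hints and the masking of each IP address in the report are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic;
# the addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2018:10:15:32 +0100] "GET /terms.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0 (compatible; ExampleBot/1.0)"
198.51.100.23 - - [03/Jul/2018:10:16:01 +0100] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jul/2018:10:16:02 +0100] "POST /xmlrpc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Jul/2018:11:02:47 +0100] "GET /index.html HTTP/1.1" 200 9120 "https://www.example.org/search" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.44 - - [03/Jul/2018:11:03:10 +0100] "GET /terms.pdf HTTP/1.1" 200 48213 "https://www.example.org/" "Mozilla/5.0 (Windows NT 10.0)"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Assumption: paths that do not exist on a static site like this one.
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin")
# Assumption: substrings that only catch crawlers which identify themselves.
BOT_HINTS = ("bot", "crawler", "spider")


def mask_ip(ip):
    """Keep only the network part (/24 for IPv4, /48 for IPv6) in reports."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparsed"
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def analyse(log_text):
    """Aggregate page hits and flag 404 probes, keyed by masked address."""
    report = {"pages": Counter(), "probes": Counter(),
              "bot_hits": 0, "bytes": 0, "skipped": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            report["skipped"] += 1
            continue
        if m["size"] != "-":
            report["bytes"] += int(m["size"])
        if any(hint in m["agent"].lower() for hint in BOT_HINTS):
            report["bot_hits"] += 1
        if m["status"] == "404" and m["path"].lower().startswith(PROBE_PATHS):
            report["probes"][mask_ip(m["ip"])] += 1
        elif m["status"] == "200":
            report["pages"][m["path"]] += 1
    return report
```

The second visitor sends an ordinary browser user agent, so it is counted as a probe only because of what it asked for; the user-agent check alone would have treated it as human.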

Can an IP address be used to identify a “natural person”?

Hang on though! As an example of the sort of advice out there, tempting you to spend dollars on a website audit, one such firm says that the simple operation of storing an IP address on your web server constitutes the processing of a user’s personal data. Well! Pause for thought. Some of our visitors are listed in the logs simply as IP addresses. The question is, can we identify Jill Bloggs from an IP address?

At first glance, it seems glaringly obvious that the answer is No, because an IP address identifies the computer that has gained access to our website, and a computer is not a natural person. IP addresses are generally allocated dynamically by your Internet Service Provider (ISP). This means that when Jill connects to the Internet, Jill is directed to a web server from a pool of web servers in her locality managed by her ISP, which may cover a large area. If a web server is busy, its availability is limited. Similarly, Jill will be assigned an IP address from a pool of reusable IP addresses that have been designated for use by her ISP. If Jill disconnects from the Internet and then reconnects a few minutes later, she may not be connected to the same server and may not have the same IP address.

From the analytical perspective, we don’t even know whether an IP address represents a natural person. The Webalizer has been criticised for its inability to distinguish human visitors from robots, resulting in figures that greatly exaggerate the number of human visitors. An IP address may represent a natural person, but it could also be a computer program, a web crawler, or a number of different visitors if the computer happens to be a shared computer.

Bradford Barrett, the inventor of the Webalizer, has written a Simpletons Guide to Web Server Analysis which explains these problems in detail. The knowledge to be gained from web server analysis with any degree of certainty is limited, he says, and most of the statistics cannot be reported with accuracy. For instance, the “number of visits” is based on the assumption that an IP address represents a unique user, and various assumptions lie behind the rest of the statistics, such as how many users visit a site during a given period, the length of time a user spends on a site, entry and exit pages, and user paths. Even the country location is an estimate, based on the top-level domain of the visitor. This assumes for instance that a dot.com address is based in the USA, which is frequently not the case.

In short, though GCHQ may have more sophisticated software at their disposal, in our case it is not possible to identify Jill Bloggs from our Webalizer reports. For the avoidance of doubt, see Bradford Barrett’s Simpletons Guide to Web Server Analysis.

PS: Our Privacy Statement

To conclude, the data gathered from our website visitors is essentially anonymous and, to the best of our knowledge, cannot be used to identify or track a natural person. On page 5 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data [ETC], recital 26 says that the principles of data protection should not apply to anonymous information, “namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.”

Given recital 26, it seems there is no need for us to keep a record of processing activities as far as website visitors are concerned. Which, as this is carried out by a program on behalf of our website hosts and all the clients who share the same web server, would be difficult in any case. And as the information for customers using the site is covered in our Terms and Conditions, paragraph 2.4, titled “Data Protection and Privacy,” we do question whether there is any need for us to publish a separate Privacy Statement.

In an attempt to answer that question, we are still ploughing through the EU and ICO documentation, which may take some time. Also, there may be further legislation on data protection given the UK’s ambiguous relationship with the EU and the Home Secretary’s recent pronouncements on data sharing, which at first glance appear to undermine the provisions of the GDPR. Consequently, it would appear that the production of a Privacy Statement will be an ongoing project, which could go on for months or even years. As a temporary measure, we would like to issue the following message of reassurance to our website visitor, Jill Bloggs: “Jill, we don’t know who you are, where you are, or what you’ve been up to, but your data is safe with us. (Unless you are trying to hack into our website, in which case hell knows no fury like a threatened webmaster)” (as a poet said) [2]. And if Jill wants to complain, she is welcome to contact us via the “general” email address on our contact page.

Notes

[1] “The Bullingdon boys want to finish what Thatcher began,” Seamus Milne, writing in the Guardian, 20th October 2010, following the coalition government’s Comprehensive Spending Review.

[2] “Heaven has no rage like love to hatred turned, nor Hell a fury like a woman scorned,” William Congreve, The Mourning Bride (1697), Act 3 Scene 8.

July 2018
