Saturday, January 20, 2018

Don't be a knee-Jerk on the way to GDPR

Yesterday morning my inbox was littered with, essentially, spam. These were posts to a discussion thread in an online community which I had not subscribed to, that system sending me the messages anyway.

It seems, someone wanted to protect people like me from having personal data poached from group discussions and related pages they’re managing. We can understand that this is a valuable goal, and in fact is consistent with requirements under GDPR to protect Subject’s personal information. So in their system, they have redacted email addresses, replacing mine with gl…@gmail.com.  I’m thrilled my email address is not displayed in the clear on this site, and equally happy that a data breach or similar event won’t expose my personal details in the wild.

Or I would be thrilled, were my inbox not full.

Because somehow their system still sends notification to subscribers. In reality it looks like it is sending emails to everyone it knows whose email address matches the redacted pattern. Trying to send an email to a true subscriber, gl…@gmail.com, they seem to have sent an email to all gl…@gmail.coms. Including to me.

Many people got these emails, and putting it mildly, they’re not happy about it. My HR department won’t let me post many of their comments on the topic. Especially since, to unsubscribe from a thread they didn’t subscribe to, recipients were being asked to click through an acceptance of Terms of Service.  Bad form!

Were it in effect, and in absence of a less blunt instrument, I guess GDPR offers these subjects a recourse: Dear DPO, I’m gl…@gmail.com, please erase me.  How will that go?

Let’s see now, what’s 4% of gross revenue for any of the large developer community owners?

So yes, we need to protect Subject data, but unthoughtful knee-jerk redaction without concern for downstream impact isn’t the answer.