GDPR BINGO

It’s the first week since the GDPR is now in force, and hopefully your inbox can relax after the stream of privacy updates!

If you are a citizen of the EU — do you feel different with your new found legal rights? I do.

I recently made a career change to become a Data Scientist, and completed an educational program studying Machine Learning, Deep Learning and Artificial Intelligence. Among other things I learned techniques which can be used to extract emotional sentiment from raw text, and happened to be learning these methods at the time the Gaurdian interview of Cambridge Analytica whistleblower, the Christopher Wylie was released.

“My name is Christopher Wylie, I am a Data Scientist.”
“I made Steve Bannon’s psychological warfare tool”

The scope and implications of his and Zuckerberg’s testimony (remember when the internet made funny pictures of Zuckerberg as an Android instead of discussing the issue?) and the overall impact is a complicated and deep subject. For now, let’s say that the timing coincided with my general feeling of unease regarding my personal privacy and how my information was being used for manipulation

All of this was then amplified by learning of the unprecedented changes and techniques occurring in the field of Artificial Intelligence. Data Science papers are being published now, which make work last year obsolete. Fast adoption of new techniques and technologies and low barriers to deployment make the future of privacy more uncertain than it has been in my experience.

Intent

With this as a basis, I wanted to better understand the 99 articles of the GDPR and how they apply to me personally and professionally, and to get a feeling for how companies are handling the new regulatory environment.

My intent is not to expose particular companies who are not in compliance with GDPR, as I believe most companies are unsure what compliance looks like, I am prepared to wait a while until we see some cases move through the legal system. I am not here to troll and overload small business owners with administration costs, and will not state any company names or communications.

The game

During high-school in Ontario, I volunteered several times at a Bingo hall, a smoky room where retirees can pass the afternoon in conversation over a 5 by 5 grid, hoping to connect 5 squares and yell BINGO! I thought of using this as the structure for my investigation. I have begun the process of submitting GDPR Subject Access Requests to 24 companies with whom I have an online account. These companies are randomly distributed over the BINGO card. A square is punched when the company complies with my request.

Subject Access Requests

In making my Subject Access Requests (SAR), I used the following overall structure for emails, forms, and letters;

  • [DATA] What personal data is stored by the controller or processor?
  • [PROCESSING] How is my data used to i.e. target ads?
  • [SECURITY] Is the data stored securely? Were there any breaches?
  • [THIRD PARTIES] Provide a list of 3rd parties

Each SAR was tailored to each company and communication format.

The game so far

To date, I have contacted less than 10 companies, each with varying degrees in ease of contact. Here are my darts (bad!) and laurels (good!) in my experience thus far;

  • Impossible to find a contact email, even after chatting with customer support :(
  • Responding with the same link to an online portal, even though I am requesting more information :(
  • Some clear non-compliance, one company failed to provide third party company information until I pressed them :(
  • An email address readily provided to contact their Data Protection Officer (i.e. in the privacy email or policy) :)
  • Response within 24 hours by personal email :)
  • An online data portal, where you can browse your information :)

Generally the challenge of the game right now is dealing with the big corporations. Some have a policy of not providing any direct email contact information, likely because responding to individual requests is expensive. In these instances, I will be sending letter to their corporate addresses, just like in the days of yore.

Let’s have a discussion

  • What crosses your comfort boundary in the new age of internet privacy?
  • Will anyone care about GDPR in a few months when the hype dies down?
  • Which types of companies will bust due to costs and liabilities of GDPR (not just claiming that’s the reason, but really making their business impossible)?
  • When will the first big legal case reach the ECJ, and what will it look like?
  • When will we have the first Deep Fake scandal? How do deep fakes impact the free press?

Stay tuned for an update in a few weeks and hopefully a BINGO!