GDPR Talks

GRIMMCon 0x3

GRIMMCon 0x3 took place on December 30th. The virtual conference hosted 2 tracks (GRIMMCon), with questions being primarily shared in their Discord server by hosts to the speakers. As with GRIMMCon 0x1 and 0x2, the conference was held using GoToMeeting, which has an interface a fair bit different to Zoom.

Following my talk at Beercon2 and the received feedback, I wanted to provide a different perspective to GDPR. Rather than focus on implementations that may or may not have worked, I wanted to look at how different strategies which I’d seen companies take failed to work on a compliance or business level.

The CFP process was fairly simple: fill in a Google form with information about the proposed talk. The form included the option to be paired up with a mentor. Speakers were contacted in early December to confirm their selection, & rookie speakers received an additional email for the speaker-mentor pairing.

I was paired with a mentor local to me (same country) which made finding times to review content far easier than if we had been in opposed timezones. In my case, the content review was more focused on form rather than the actual content given our different specialisations.

Prior to the con I was given links to 2 GoToMeeting events, a green room and the conference. In the Green Room one of the GRIMMCon staff checked the AV settings, and we verified the procedure for sharing the slides. Once all was ready, and a couple minutes before the talk started I joined the main room and repeated the procedure. Perhaps due to user error on my side, when presenting, the video feeds from the hosts disappeared. It was a bit startling to talk at my screen rather than speaking to an audience but overall it went well.

Had the conference been in person I would have done the initial introduction, covering what GDPR is and who it protects and followed on with some wargaming, showing points of failure in various strategies the audience may come up with. Given the nature of the conference I instead presented the strategies in failure from the perspective of a tale, where the characters could always start again with knowledge of their past failures, and ending with the entire company training their teams on procedures & risks.

The strategies used were the following:
1. No strategy
2. Avoid / leave EU market
3. Have a lawyer review contracts with vendors
4. Get an audit
5. Purchase a compliance solution
6. Train the entire company according to their needs.

As was the case in Beercon2, the rookie track was absolutely incredible. The speakers brought some really good insights into their topics which made the talks particularly enjoyable. The rookie talks were recorded and should be appearing on the GRIMM YouTube channel soon.

GDPR Privacy

Horror Stories in Compliance

GDPR went live in 2018, which would lead people to believe that companies are finally getting their compliance strategies and training right. Sadly, this past week alone I experienced 2 companies failing completely to maintain compliance and with little strategy to regain it.

The first case involved communications with a hardware supplier based out of Germany. I needed to confirm some details for an order and, in the message, requested not to be added to any mailing list / newsletter. In a perfect world, the sales rep would have replied with the answers to my enquiry and a simple confirmation that no unsolicited sales messages would be reaching me. As you can imagine, my writing about this exchange is due to the situation being ever so slightly different.

Indeed, the sales rep’s reply answered my inquiries and promptly let me know I could unsubscribe from the newsletter through the unsubscribe button at the end of any of the newsletter messages. Now, I have 2 concerns with this reply.

  1. This means that sales reps, who are likely to use a CRM, have no control over the data, or lack the training necessary for it.
  2. The CRM is most likely from an external provider, which means any data is now in the hands of a third party without my consent.

While the external provider generates the highest risk to compliance, it is the lack of control or training which most demonstrates a company's lack of interest in its data governance. Indeed, a company sharing all their data with a 3rd party, with no control on what is transferred nor how it is transferred, will have a difficult time obtaining verification that records are deleted by the provider. Furthermore, when a client unsubscribes from the newsletter, the probability of the email address being removed from the recipients list is minimal compared to that of the address being placed in a different table, along with those emails generating bounce errors.

The second occurred after ordering a delivery. The online ordering process was relatively clear, and marketing opt-in was well organised. The order confirmation came through, followed shortly by a receipt/bill for the ordered goods. So far so good, until the next day where… “Welcome to [delivery place]” and “Thank you for ordering with [delivery place]”. A quick scan of the emails showed the domain was not spoofed and links were not hiding multiple redirections.

While unsubscribing from the mailing list took all of 2 seconds, the experience demonstrated that this company had completely lost control of their customers’ data, as the emails explicitly mentioned that data was shared with an external CRM and provided links to the CRM’s data privacy policy. All this while explicitly avoiding creating accounts for faster orders in the future and checking no marketing opt-ins were selected.

So, what strategies can users take to avoid these types of issues in the future? Well, for starters, using dedicated emails for each service will mean once transactions with any business are finished, the dedicated email can be autoforwarded to trash should any marketing arise from the transactions. The second is to make any small orders by telephone rather than online, as this is a piece of information requested for online orders anyways.