Your data, your digital mirror

Came across this super interesting article on bbc about a researcher who decided to exercise their rights as a data subject. The exercise included 20 companies.

Although the article starts by drawing a picture on the sort of data which can be collected on us, while we live in passive ignorance… my words not hers 😉

Noh-Masks

My experience on both sides of the wall,, and I say ‘wall’ because despite the good intentions of the GDPR, it seems that in general organisations are NOT making it easy for you and I as private persons to exercise their rights.

There are 4 types of data subjects exercising their rights.. at least those I’ve had exposure to: 1) angry/upset/worried individuals, I call them “mr Angry from Radio 1“; 2) employees or ex-employees, 3) applicants for jobs, which have been refused, 4) interested individuals doing research, such as the one represented in this article. As to yet, I have not received requests from individuals who are purely exercising their rights, and are happy before starting the process.

There are 2 approaches by organisations: 1) organisations which see GDPR and the potential of additional interaction with their ecosystem, i.e. customers, etc., in a similar content to ‘social responsibility’ and are building into their branding message; the other extreme, 2) do the minimum required, and even make it difficult for the private person to exercise their rights.

In the process there are 2 parts when it comes the request itself: 1) the interaction between the data subject (requester) and the DPO, or the SARs specialist, and 2) interactions with the internal organisation required in order to respond… which is in these baby GDPR days complex.

So what’s my conclusion? We have a long way to go in reaching the GDPR Nirvana for the data subject exercising their rights IMHO 😉

Knock knock … join our religion -and btw GDPR doesn’t apply to us!

I just loved this case decision in Finland whereby Jehovah’s Witnesses must comply with GDPR, determined by EU court.  In 2013 Finland’s Data Protection Supervisor prohibited the Jehovah’s Witnesses religious community from collecting or processing personal data in the course of door-to-door preaching by its members unless Finnish data protection legislation was observed.

Jehovah’s Witnesses created maps from which areas are allocated between the members who engage in preaching and by keeping records about preachers and the number of the Community’s publications distributed by them. In essence they are collecting and processing personal data.

In its judgment, the European Court of Justice considered that the Jehovah’s Witnesses’ door-to-door preaching is not covered by the exceptions laid down by EU Law on the protection of personal data.

  1. There is the fact that the door-to-door preaching is protected by the fundamental right of freedom of conscience and religion enshrined in Article 10(1) of the Charter of Fundamental Rights of the European Union; but this does not,
  2. Confer an exclusively personal or household character on that activity because it extends beyond the private sphere of a member of a religious community who is a preacher.

For those newbies here, this is about something called ‘material scope’ in the GDPR. You can liken ‘material scope’ (and there is also ‘territorial scope’) as scoping parameters for the GDPR.

Think about it as a project scope … and it is almost cool to know that even legal documents have a scope just as any project you may have driven or been a part of. What this means is that all the legal text in the GDPR is only relevant if personal data falls within the scope defined in Articles 2 and 3.

Material scope (Article 2)

The GDPR applies to the processing of personal data wholly or partly by automated means and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system.

Now back to the case.

  1. The Jehovah’s Witnesses used ‘household exception’, hence exempt from GDPR. This was overruled, stating that the JW organisation and those knocking on doors collecting personal data were joint controllers.
  2. What material scope also states is that data needs to be part of a ‘filing system’ of some kind, and it was stated that even though data was collected manually, just the ordering, e.g. by address during collection, which made retrieval easier, placed it in scope.

So there you have it… lovely example for the classroom IMHO 🙂

Follow your dreams…

I was out walking today with the dog (Nicaia) when she stopped at this mailbox. “Follow your dreams” is written in Swedish. The mailbox is looking rather worn and beyond any dreams, and it mirrored how I was feeling.

follow dreams

In Swedish one often says “if one dares”. I have dared, my whole life has been one of daring, in the mission to follow my dreams. Change the world, fight injustice, do what is right. This has got me into trouble countless times, when many are content to sit on the fence, I’ve jumped down and taken out whatever tools I have to ‘fight the good fight’ and do what feels right in my heart even though there are consequences.

I spent my younger years fighting my way out of the grips of insensitive government officials as a single parent living in a threadbare flat, single-glazed windows, no wall insulation, concrete floors. This is UK in 1980s. I was 17 years when I got my first child. It was freezing in winter-time, and I was often hungry and desperate. I lived in an area for 13 years where there was violence, drugs and prostitutes. I still remember vividly when I almost accepted one day a wrong road; when I had no food for my son, my cupboard was bare, and I felt so alone.

If I’d accepted to stay at home and draw on social security, take a boyfriend (a truck driver was the best, this is what my neighbour did) life would have been more comfortable. However, I didn’t. I worked, paying the ridiculous childminding fees, in order to keep some level of dignity and give my son a better future. I have cleaned public toilets, hospitals, worked behind bars and nightclubs. I went back to school to get some basic qualifications when I was 23 for 3 years full time, working nights. I was shunned as a bad mother; which I agreed with based on the values at this time. I had so low esteem that I believed it.

Fast forward 30 years. The postbox today brought back this to me in a bittersweet way. I followed my dreams which has lead me to where I am now, looking from the outside as successful, opinionated and somewhat arrogant thought-leader. I left a secure job at 50 years old, to follow again my dreams “make privacy accessible to all”, for this a product was needed.

However, during the last 5 years my integrity, and belief in humankind has meant that I’ve been too trusting and too naive. I burnt out in 2016. Made some bad recruitment decisions. Signed contracts without legal advice. In 2017 I sold some shares to help through a difficult period, which continued still until today. Privasee cannot pay me back as things stand now.

I now personally owe the Tax Authorities half a million kronor, and they are taking money out of a joint account my family use to pay our mortgage. It feels like financial rape. I’ve already been there, done it, escaped when I was young. But they have me again in a strong, greedy and insensitive grip, with no immediate escape.

I hate them as they try yet again to steal my pride from me, this time in Swedish. I hate how they are hurting my family, I have a 9 year old daughter. The failure I feel is immense. All because of a strong a driving force -which I am blessed or cursed with- which made me ‘follow my dreams’.

Published originally on LinkedIn, 4 May 2019.