How to Utilize Your GDPR Data Privacy Rights – GDPR 6 Months Later

Not too long ago, GDPR was the major topic in many conversations around business and technology.

It went "live" in May 2018, and since then, we haven’t heard much interesting news until recently, as a hospital in Portugal got caught with the first violation of the regulation.
Well, the first we know of, at least.

Also, some websites are no longer available from Europe, as the owners weren’t able or willing to implement GDPR regulatory strategies, even six months later. As they blocked me, it doesn’t affect me… but, my American friends, what do you think they do with your data?
From my point of view, coming from Europe, this behaviour is unacceptable as it shows disrespect towards the users. But on the other hand, GDPR might clash with the First Amendment in the USA.

SolarWinds, like any other company dealing with customers in Europe, should comply. And we do! Here is the statement.
I am quite happy that the company I work for provides so much insight into the whole GDPR process.

But on top of that, in my former role here as a Sales Engineer working out of the Rebel City in Ireland, I spoke with quite a few customers who needed assistance during the implementation of the GDPR and they checked to see if SolarWinds would have a product to help them.

In some of these conversations, I felt a little sorry because the IT pros had been left alone.
I heard one example where a legal department explained GDPR to the C-Levels, and the C-Levels then forwarded the whole task to IT with a deadline and no further planning or explanation.

On that note, what was your experience implementing GDPR at your company, if you don’t mind sharing?

What is the GDPR Right to Be Forgotten Process?

Quite recently, I asked myself how GDPR compliance looks now from the perspective of a user who wants to be forgotten, so I decided to run an experiment myself.

So, the actual task was to get in touch with companies and services that I no longer use and ask them to close my accounts, delete my personal data, and confirm. For the sake of efficiency, I used this opportunity to change my passwords everywhere.

The tools I used were simple: I used LastPassTm as the primary repository of all my account credentials (which I have done for ages), and a communication method to these companies that was either a web form or an email.

Oh boy, I didn't remotely expect the layers of complexity I was facing!
You basically deal with different corporations, policies, people, and a varying amount of creativity in the way GDPR has been implemented.

The first roadblock is to find contact information. Most companies put it into the privacy policy, legal info, or FAQ. If I could not find anything, I used their customer support. That happened quite often!

Some companies replied within a day or so with a simple confirmation like, "We initiated the process, but it can take up to 30 days until all your data is gone."

Sometimes it took a while for a response, but that is fine. Here’s how I imagine some of those GDPR processes look like:

A contact center works on the request first, forwards to someone who understands what it is about but not necessarily empowered to execute so that a ticket will be forwarded to IT, and IT starts the deletion, and the whole thing gets routed back.

Two organizations asked for reasons, and I replied with, "I would like to express my rights as a European citizen." (I am German, after all, no need to be overly friendly!) And that worked, no more questions asked.

Two companies asked for a verification of my identity, and sure, they are right!
GDPR includes not only the right to be forgotten, but also the right to retrieve a copy of all your data, and there better be a mechanism to ensure they only talk to authorized persons.

One of these two sent me a short PDF to sign and finally rang me. Quick and painless.

The other one, unfortunately, escalated quickly. The company asked for a copy of my passport, a utility bill, and required to return a questionnaire. Charming!

I Google searched a little bit and found websites explaining that companies, in general, need to verify who they are talking to, but the efforts should be in a healthy relation to the data already stored.
I consider my passport and my electricity bill of higher value than my name and one of my email addresses.

What to Do if a Company May be in Violation of GDPR

Each European country runs an organization dealing with privacy and data protection. For me, in Ireland, it is the Irish Data Protection Commission. I opened a concern with them, and we will see what happens next.

Now to a bad example!

I received a "newsletter" from a company and replied with my usual request. No response received other than another newsletter two days later.

On their website, I found legal@companyname.com, and I sent an email. They didn’t reply, but guess what? I received another newsletter a day later. Spam leads to anger, anger leads to…well, you know your Yoda.

So, I went to their website again and looked up the management team.

My next email went to firstname.lastname@ of the CEO, the complete board of directors, legal@, and abuse@.

Now guess what—I received a response within a day!
Not a friendly one, but it contained my requested confirmation, and I haven’t heard anything since.

This is an example of “no process in place” or perhaps even “oops, GDPwhat?”

The result of my test is that almost all companies appear to have done a good job implementing GDPR.
Some surely need finetuning, and I feel it definitely should be easier to find the responsible person or team to get in touch with them directly.

On a side note, I seriously improved my security rating over at LastPass.

Copyright 2018 SolarWinds Worldwide, LLC.  All rights reserved.

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates.  All other trademarks are the property of their respective owners.

Thwack - Symbolize TM, R, and C