For the interested British reader this is not about politics. It is about testing software so that it complies with the General Data Privacy Regulation or GDPR in May 2018.
For the people who are only concerned about money. It can cost your company 4% of the global annual income of your company or 20 million Euros. That is seriously a lot of money.
Thanks for your attention.
I am not a legal expert. So please have a look at my used sources. Or contact a GDPR expert.
I am just a tester finding test ideas about GDPR.
Thanks for joining in advance.
Just show it to me
Suppose you have a cinema and a special web site. You can order tickets, drinks, and snacks in advance. This is a unique selling point.
A marketeer has a nice idea:
“Let’s make some profiles. We’ve got lot of sales numbers, so boost those numbers.”
“What do you have a mind?”
“We just tag customers: B movie, Friday night, first week, ..”
“Like ‘I want to see the movie in the first week after release.'”
If I would go to this specific cinema, all my actions are recorded.
Big Buyer is being watched too. This sounds creepy. This is my alarm bell as a tester.
My simple question is:
Is profiling allowed?
More accurately, is profiling of European citizens allowed for this cinema web site according to General Data Protection Regulation?
What makes someone a European citizen?
Let me give you a royal example. The Dutch queen has the Dutch nationality, but had Argentine parents and was born in Argentina.
Let me show some graphs:
- European Union
- People with no nationality
- People with 1 nationality
- People with 2 nationalities
I could make these 2D graphs:
I could try to stack them and squeeze them afterwards:
One more try:
So the best way to define an European citizen is that she or he is registered as an EU citizen in a Citizenship Administration in the EU. Now comes the difficult part: as a web site owner I have no access to this administration. Well. That is a good one.
How can I determine whether an European citizen is in my database?
In most cases I don’t. Because nationality or EU citizenship is not always registered.
“Is an address not sufficient?”
“What about An American in Paris?”
“Okay, email address.”
“What about firstname.lastname@example.org or email@example.com?”
“The nationality is registered.”
“Good. What about EU citizens with two nationalities? ”
Looking at the context: if no nationality or EU citizenship has been registered, then I would suggest to look at GDPR. Otherwise definitely use it.
But this is a premature advice. This is a warning. Please read on.
If there is one thing I hate about learning, it is memorising information for the sole purpose of memory. I like to have some fun in a good sense of humour.
Here’s where deliberate practice comes in.
Determine a strange situation and look it up.
On my search to the official GDPR document I quickly determined that my target was:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)Yes, it takes some time to read it.
And a natural person is human being. Like you and me.
I am well aware that English is not everyone’s native language. Now the EU has this little nice webpage with links to GDPR in your favourite language. Hopefully.
No Chinese, but maybe French?
Profiling and data subjects
Profiling can take place after informing the data subject, who has agreed to these terms for data processing. [GDPR 32, 42]
That is a lot of info.
Let’s go a step back to nationality. I warned you for this.
I am not familiar with the American laws. Remember I am not a legal expert.
Suppose profiling of natural persons is legal according to the American law. For example ‘s sake.
Take a case of an American woman who starts buying action movie tickets. My guess is that her new boyfriend is lucky. Piece of case.
It is very easy to make a profile of her boyfriend. Now this lucky guy happens to be British. And has some royal blood. It rhymes on What?!.
There is still no problem, because it cannot be traced back to some palace. Unless I would couple the data with the email address of a fortunate American actress. Oops intended.
Chain of Gift
The American woman is a data subject. All kind of data is collected, but there is an unpleasant side effect: her boyfriend or fiancee also ended up as a data subject. I doubt whether he would have given any permission. No thank you.
The Chain of Gift leads to interesting doodles. In orange is the American woman and in blue an European Citizen wearing something called a crown.
Quick explanation for the colours: the European flag is a blue flag with yellow stars. So the EU citizen is blue. For the American woman the colours white and red remain. Somehow these are not appropriate. So I chose orange.
So there is a difference between buyer and user. A man can buy movie tickets and give them to his children. ‘Finding Marlin’ and ‘Monsters Unlimited’ seem quite innocent pieces of data to share.
Is it possible to determine the birthdays of the children just based on hist cinema visits?
Not based on the movie titles. There is a better chance looking at the number of bought children tickets.
“When are we going to the cinema with my friends?”
“What do you think?”
“On my birthday?”
Another interesting case: a man who buys gifts for his grand grandchildren. Depending on the gifts I could guess gender, age, and hobbies. If those grand grandchildren live in the EU, you might have a major problem.
With a low number of children per family it is relatively easy to make a family tree.
I can guess that princess cookies are for 5 year old grand granddaughter and that superhero suit with XS size is for …
You get my points.
My best guess is to make a GDPR compliant approach for my whole customer base. There is no way to determine which European people you are profiling.
To be extended