Category Archives: Legal

May 2018 Testing

For the interested British reader: this is not about politics. It is about testing software so that it complies with the General Data Protection Regulation, or GDPR, in May 2018.

For the people who are only concerned about money: it can cost your company up to 20 million euros or 4% of its total worldwide annual turnover, whichever is higher. That is seriously a lot of money.
Thanks for your attention.

Disclaimer

I am not a legal expert. So please have a look at the sources I used, or contact a GDPR expert.

I am just a tester finding test ideas about GDPR.
Thanks for joining in advance.

Just show it to me

Suppose you have a cinema with a special web site on which you can order tickets, drinks, and snacks in advance. This is a unique selling point.

A marketeer has a nice idea:
“Let’s make some profiles. We’ve got lot of sales numbers, so boost those numbers.”
“What do you have in mind?”
“We just tag customers: B movie, Friday night, first week, ..”
“First week?”
“Like ‘I want to see the movie in the first week after release.'”

If I went to this specific cinema, all my actions would be recorded.
Big Buyer is being watched too. This sounds creepy. This is my alarm bell as a tester.

My simple question is:
Is profiling allowed?
More accurately, is profiling of European citizens allowed for this cinema web site according to the General Data Protection Regulation?

What makes someone a European citizen?

[Sketchnote: cradle, parents' passport and database]

Obvious candidates are parents, place of birth and passports. I will just stick to the citizenship administration, an idea I found while doodling in my head.

Let me give you a royal example. The Dutch queen has Dutch nationality, but was born in Argentina to Argentine parents.

Let me show some graphs:

  • European Union
  • People with no nationality
  • People with 1 nationality
  • People with 2 nationalities

I could make these 2D graphs:

[Sketchnote: one chart of part of Europe and three coloured graphs about the number of nationalities]

I could try to stack them and squeeze them afterwards:

One more try:

[Sketchnote: 3D graph made of a chart of a piece of Europe and pieces of sticky notes depicting the number of nationalities]

So the best way to define a European citizen is that she or he is registered as an EU citizen in a citizenship administration in the EU. Now comes the difficult part: as a web site owner I have no access to this administration. Well. That is a good one.

How can I determine whether a European citizen is in my database?
In most cases I can't, because nationality or EU citizenship is not always registered.

“Is an address not sufficient?”
“What about An American in Paris?”
“Okay, email address.”
“What about american@home-in.nl or william-to-be-married@my-awesome-wedding.com?”
“The nationality is registered.”
“Good. What about EU citizens with two nationalities?”

Looking at the context: if no nationality or EU citizenship has been registered, then I would still suggest looking at the GDPR. If it has been registered, definitely apply it.

But this advice is premature. Consider it a warning, and please read on.

Finding GDPR

If there is one thing I hate about learning, it is memorising information for its own sake. I like to have some fun with it, in a good-humoured way.

Here's where deliberate practice comes in.
Pick a strange situation and look it up.

In my search for the official GDPR document I quickly determined that my target was:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Yes, it takes some time to read it.
And a natural person is a human being. Like you and me.

I am well aware that English is not everyone's native language. Now the EU has this nice little web page with links to the GDPR in your favourite language. Hopefully.
No Chinese, but maybe French?

Profiling and data subjects

Profiling may take place once the data subject has been informed and has agreed to these terms for data processing. [GDPR 32, 42] Consent is one lawful basis for processing; note also that Article 22 gives the data subject the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
That is a lot of info.

Let's take a step back to nationality. I warned you about this.
I am not familiar with American law. Remember, I am not a legal expert.
Suppose, for example's sake, that profiling natural persons is legal under American law.

Take the case of an American woman who starts buying action movie tickets. My guess is that her new boyfriend is a lucky man. Piece of cake.

It is very easy to make a profile of her boyfriend. Now this lucky guy happens to be British. And has some royal blood. It rhymes with 'What?!'.

There is still no problem, because it cannot be traced back to some palace. Unless I were to couple the data with the email address of a fortunate American actress. Oops, intended.

Chain of Gift

The American woman is a data subject. All kinds of data are collected, but there is an unpleasant side effect: her boyfriend or fiancé also ended up as a data subject. I doubt whether he would have given any permission. No thank you.

[Sketchnote: actress gives something to a prince.]

The Chain of Gift leads to interesting doodles. In orange is the American woman and in blue a European citizen wearing something called a crown.

Quick explanation for the colours: the European flag is a blue flag with yellow stars. So the EU citizen is blue. For the American woman the colours white and red remain. Somehow these are not appropriate. So I chose orange.

So there is a difference between buyer and user. A man can buy movie tickets and give them to his children. 'Finding Marlin' and 'Monsters Unlimited' seem like quite innocent pieces of data to share.

[Sketchnote: dad gives movie tickets to children.]

Is it possible to determine the birthdays of the children just based on his cinema visits?
Not based on the movie titles. There is a better chance looking at the number of children's tickets bought.

“When are we going to the cinema with my friends?”
“What do you think?”
“On my birthday?”
“Good girl.”
[Big smile]

[Sketchnote: birthday party]

Another interesting case: a man who buys gifts for his great-grandchildren. Depending on the gifts I could guess gender, age, and hobbies. If those great-grandchildren live in the EU, you might have a major problem.

[Sketchnote: man gives gift to daughter, who gives it to her children.]

With a low number of children per family it is relatively easy to make a family tree.
I can guess that the princess cookies are for a 5-year-old great-granddaughter and that the superhero suit in size XS is for …
You get my points.
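To make the birthday guess above concrete (and the same idea applies to the recurring gift purchases for the great-grandchildren), here is an added example that is not part of the original post: a small Python script that looks only at one customer's order history and finds party-sized child-ticket orders that recur in the same calendar week across years. The order history, the party size of five child tickets and the seven-day window are all constructed assumptions for the demonstration; the point is that the buyer's own data yields a probable birthday of a child who is not registered anywhere and never agreed to anything.

```python
from datetime import date

# Constructed order history for ONE customer account (not real data):
# (order date, adult tickets, child tickets). The customer is the buyer;
# the children are the users of the tickets and were never registered.
ORDERS = [
    (date(2016, 3, 5), 2, 1),
    (date(2016, 6, 11), 2, 6),    # six children at once: party-sized
    (date(2016, 11, 20), 2, 2),
    (date(2017, 2, 18), 1, 1),
    (date(2017, 6, 10), 2, 7),    # same week, one year later
    (date(2017, 9, 30), 2, 2),
    (date(2018, 6, 9), 2, 8),     # and again
    (date(2018, 12, 26), 2, 2),
]

# Assumed thresholds (not from the post): this many child tickets in one
# order looks like a party, and a birthday outing lands on the nearest
# weekend, so the same event can drift a few days from year to year.
PARTY_SIZE = 5
WINDOW_DAYS = 7


def party_orders(orders, party_size=PARTY_SIZE):
    """Dates of orders with a party-sized number of child tickets, oldest first."""
    return sorted(d for d, _adults, children in orders if children >= party_size)


def _calendar_distance(a, b):
    """Days between two dates ignoring the year, wrapping around New Year."""
    diff = abs(a.timetuple().tm_yday - b.timetuple().tm_yday)
    return min(diff, 365 - diff)


def infer_recurring_dates(orders, party_size=PARTY_SIZE, window_days=WINDOW_DAYS):
    """Cluster party-sized orders that fall in the same calendar window in
    different years. A cluster that recurs in at least two years is a
    candidate birthday of a child who never consented to anything.
    Returns [((month, day), [years...]), ...], using the earliest date of
    each cluster as its representative."""
    clusters = []  # each entry is a list of dates from different years
    for d in party_orders(orders, party_size):
        for cluster in clusters:
            same_window = _calendar_distance(cluster[0], d) <= window_days
            new_year = d.year not in {x.year for x in cluster}
            if same_window and new_year:
                cluster.append(d)
                break
        else:
            clusters.append([d])
    return [
        ((c[0].month, c[0].day), sorted(x.year for x in c))
        for c in clusters
        if len(c) >= 2
    ]


if __name__ == "__main__":
    for (month, day), years in infer_recurring_dates(ORDERS):
        print(f"probable child's birthday around {day:02d}-{month:02d}, seen in {years}")
```

On the constructed history the script reports one recurring date in early June across 2016, 2017 and 2018. Nothing in the input names a child, yet the output is personal data about one; that is the tester's alarm bell from the post expressed in code.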

My best advice is to take a GDPR-compliant approach for the whole customer base, because there is no reliable way to determine which of the people you are profiling are European.

To be extended

Sound check (and other interesting things in other backyards)

Xoun is a strange brand name to pronounce. The question is whether this sounds right to shoppers. If you turn the picture upside down, you will read a well-known brand name in the Netherlands. (Which I associate with a mug of welcome warm soup after hours of sailing on the lakes in Friesland.) Taking a different view, some things may need more attention than you expect. In this article I describe three situations in which non-IT information can be helpful for an IT engineer.

Granting a small favour

In the nineties my customer planned a special activity to introduce the internet to his employees, so I ended up talking with a woman from the legal department. She stated that shipping information should always be mentioned; it would save her department and the company a lot of time and money.

A few weeks later it was time for my courtesy call. I called the lady from the legal department. After a short introduction I came to the point: “I just discovered that your company is selling products on the internet. I could not find the shipping information.” A silence followed, so I had to repeat the message. A muffled “Thank you” followed. A few days later the web shop was offline.

In case of surprise

A special meeting was planned and the project manager was constantly talking about Rbbit. After a while I figured out that the Rbbit was not a nice white fluffy animal appearing from the magician's hat, but a Big Bug in the software system. “Two weeks ago we had a Rbbit. Last week we had a Rbbit. What do you expect for next week?” I answered that another Big Bug would show up. “What are we going to do?” I spoke up again: “I would set up an emergency procedure.” The project manager was not pleased with the answer: “Do you expect that I will restore the complete database?”

“If wrong information is sent to the customers, then a new mail must be sent telling them to ignore the information in the earlier mail. You could also add when the right information will be sent. The next step is to investigate and solve the problem.” The project manager finally agreed: he needed phone numbers of people in the operations department and operational measures.

What’s it in for them?

As a software tester it is very tempting to use different plug-ins in your browser to analyse web sites. During one of my trials I encountered a tool which provided me with a lot of information. I did not understand why the tool was given away for free. The web site for the plug-in was basically stressing the benefits. At that moment I was doubtful whether I had installed malware.

After more extensive searches on the web I discovered a related business web site which offered information about web sites. This information was gathered from the users of the above-mentioned plug-in. So the business model was as follows: determine which information is useful for IT people, provide a free tool for collecting that information, and sell the gathered information at a nice profit. The check a tester can do before installing is simple: read the permissions the extension requests. An extension that may read your data on all web sites can report every page you visit, and that is exactly what such a business model needs.