Jacques Mattheij

Technology, Coding and Business

So Your Startup Received the Nightmare GDPR Letter

Apologies for the typo in the url…

Some dumb lawyer figured it would be fun to give GDPR trolls a form letter to use to inflict maximum damage on unsuspecting companies. The reason why this is dumb is simple: the GDPR serves a legitimate need but by decreasing the signal:noise ratio handcrafted requests from users with a legitimate concern can get drowned in these ‘just because we can’ letters. It’s the legal equivalent of an exploit toolkit. In order to limit the damage somewhat I’ve worked up a recipe for an answer to such a form letter. The answer is made up of three parts: parts that you can automate (or should have already automated), parts that you can answer in a form letter of your own or through an update of your privacy policy and parts that you can refuse to answer because the requstor is placing an undue burden on you, the company. The GDPR is not meant as a means to harass companies any more than it is meant as a way to bankrupt them or cause them to spend a disproportional amount of time on dealing with it and this letter in part seems to aim to do just that ‘just because they can’.

Here is my example of an answer to this DSAR (Data Subject Access Request), and if at all possible you should probably automate this answer so it becomes a ‘self service’ affair, or at a minimum cuts down the overhead:

Dear Sir/Madam:

I am writing to you in your capacity as data protection officer for your company. 
I am a customer of yours

This would need some proof included with the letter, if that proof isn’t present you can mail back the recipient saying that they should include a customer id, handle or other way to identify them.

, and in light of recent events,

Would be nice if the letter writer cleared up this reference. But the law does not have any requirement for some ‘event’ to be present before a request can be made.

I am making this request for access to personal data pursuant to Article 15 of the 
General Data Protection Regulation. I am concerned that your company’s information 
practices may be putting my personal information at undue risk of exposure or in 
fact has breached its obligation to safeguard my personal information pursuant 
to <latest nasty cybersecurity event or thing in the news>.

Again, it seems as if the letter writer is fully aware that they are trolling, there is no reason to believe this absent evidence. So the letter writer is setting themselves up to be labelled ‘troll’ and then tries to mitigate that by handwaving.

I am including a copy of documentation necessary to verify my identity. 

That’s nice of them. if the information on the proof of ID is enough to identify the user in your systems then you can answer the letter. If not then that too is a valid answer (for instance: because you don’t store any data or because you can’t find the person in your systems).

If the person is a user of an online system then you could ask them to use some automated feature to answer their questions (which you now have a nice template for to anticipate such requests with), if not they will have to link their online identity in your systems with their presented ID through some other means (follow up email for instance).

If you require further information, please contact me at my address above.

So in case you can’t make the connection, send them an email and preferably provide them with an online tool that they can use to make a legitimate request from within the system which can then spit out the answer.

I would like you to be aware at the outset, that I anticipate reply to my request 
within one month as required under Article 12, failing which I will be forwarding 
my inquiry with a letter of complaint to the <appropriate data protection authority>.

30 days is a reasonable term for a request like this, but it is almost clear from the wording that the claimant hopes you won’t be able to answer in time, normally you would first expect the counterparty to simply answer your request, you might remind them near the deadline with a reference to the legal term and then when the deadline has passed you would inform them that you were going to contact your regulator. Also note that the GDPR has a provision to extend the deadline with another two months if you are overwhelmed with requests or if the requests is overly complex. This one would qualify for ‘overly complex’ so you can mail back the claimant telling them their request will take up to three months to process giving you some time to automate some of the elements.

The good news is that it is a form letter so the answers can be identical if you’ve been treating your users in the same way and the processes to recover the data are also identical. Eventually, if you don’t want people to waste your time this task should be automated as far as possible (should have already been probably!), and should be passed off to your support people once you have those.

Please advise as to the following:

1.   Please confirm to me whether or not my personal data is being processed. 
If it is, please provide me with the categories of personal data you have about 
me in your files and databases.

That’s an easy one if you do not process personal data of your end-users directly. For instance: if you’re a sub-processor the request is a fishing expedition and should be directed to the b2c entity that asks you to process the data on their behalf. And of course it goes without saying that you did not copy that data elsewhere. So at that point in time you can decide to cut the reply short with a reference to the DPA that you have with the controller and direct them there, or, alternatively, you could decide to continue to answer the letter in good faith even if you legally most likely would not have to. Realise that just answering the questions in good faith may open you up to potential trouble with the controller, so this might be a good time to decide on a joint strategy on how to deal with these requests directed at you. Note that in that case you don’t have a record of the data subject (the claimant) being a customer of your company (which they claimed in the opening part of the letter).

a.   In particular, please tell me what you know about me in your information 
systems, whether or not contained in databases, and including e-mail, documents 
on your networks, or voice or other media that you may store.

The database part should be easy provided the claimant really is a customer, and the email part I would resist if the communication wasn’t with the customer but internally. You are free to discuss your customers internally without those emails becoming part of a request such as this one because that would expose the privacy of someone else. Voice data is typically only recorded for a brief period of time and you can refer to your internal policy (which you will have to have documented anyway) with respect to the retention time of your switchboard. In your two man start-up I assume you have no such records at all so you can tell them that.

b.   Additionally, please advise me in which countries my personal data is stored, 
or accessible from. 

Again, that should be easy to answer if you know what you are doing.

In case you make use of cloud services to store or process my data, please include 
the countries in which the servers are located where my data are or were (in the 
past 12 months) stored.

That’s another easy one, in fact it is the same question as before. I’d answer only one.

c.   Please provide me with a copy of, or access to, my personal data that you have 
or are processing.

That should be easy too, and if it isn’t then you did not spend enough time on making your systems and policies GDPR compliant. This is one of the core rights that users get under the GDPR (and already had, under the DPD).

2.   Please provide me with a detailed accounting of the specific uses that you have
made, are making, or will be making of my personal data.

Excellent question and deserves a frank answer, for the first two parts. But since you don’t have a crystal ball there is no way to answer the third.

3.   Please provide a list of all third parties with whom you have (or may have) shared 
my personal data.

You should have this, and you should disclose this in your privacy policy.

a.   If you cannot identify with certainty the specific third parties to whom you 
have disclosed my personal data, please provide a list of third parties to whom 
you may have disclosed my personal data.

That makes good sense as a fall back, but you really should have the previous one answered.

b.   Please also identify which jurisdictions that you have identified in 1(b) 
above that these third parties with whom you have or may have shared my personal 
data, from which these third parties have stored or can access my personal data. 

This sentence is bullshit, but the gist is clear. The claimant wishes to know under what applicable law the transfers took place so wants to know which laws govern the transfers that you have made.

Please also provide insight in the legal grounds for transferring my personal 
data to these jurisdictions.

Exactly. They are anticipating that you transferred the data outside of their jurisdiction without their consent.

Where you have done so, or are doing so, on the basis of appropriate safeguards, 
please provide a copy.

This makes sense, but you don’t actually need to prove this or give them copies, in my opinion it would be enough to state unequivocally that you have been a good steward of their data, and that you have appropriate DPA’s in place with your sub-processors. If you want you could make a publicly accessible page on your website where you link to the DPA’s. You can then refer to that. If you did transfer their data outside their and your jurisdiction without their consent then you might be in trouble. You should not have done that in the first place but now that you’re there you will need to try to control the damage. You could attempt to force the recipient into destroying the data or you might own up to the fact and take your lumps. The results are much the same as a breach, let’s hope you at least still have a record of what was transferred, when it happened and what the recipient intended to do with it and who they were.

c.   Additionally, I would like to know what safeguards have been put in place 
in relation to these third parties that you have identified in relation to the 
transfer of my personal data.

Again, the DPA would be the document to refer to. You do have a DPA in place with all your subprocessors?

4.   Please advise how long you store my personal data, and if retention is based 
upon the category of personal data, please identify how long each category is 
retained.

This should be a standard answer in any GDPR query. You could cut-and-paste your retention policy here or you can update your privacy policy and spell it out. In general, if answers to this letter are already available in your privacy policy then you could also refer the claimant to your privacy policy. If you want to take some risk you could increase the burden on them by first pointing out that they could have known the answer to most or all of the questions that have nothing to do with their personal data and thus conclude that they are not really concerned at all (because then they would have definitely read your privacy policy first), and that they are placing an undue burden on you by refusing to do their own reading first and using a cut-and-paste form letter. I would advise against that route but it is an option.

5.   If you are additionally collecting personal data about me from any source 
other than me, please provide me with all information about their source, as 
referred to in Article 14 of the GDPR.

This should not be happening, but if you’ve been ‘enriching’ profiles with data from others (data brokers) then you will need to disclose this here.

6.   If you are making automated decisions about me, including profiling, 
whether or not on the basis of Article 22 of the GDPR, please provide me with 
information concerning the basis for the logic in making such automated 
decisions, and the significance and consequences of such processing.

Again, the customer relationship would indicate to the claimant whether or not they would have an expectation that such mechanisms are active, there are only very few situations in which that is ambiguous. The claimant is - again - trying to show that they are not a troll but in fact are on a fishing expedition. I’d still answer the question in good faith.

7.   I would like to know whether or not my personal data has been disclosed 
inadvertently by your company in the past, or as a result of a security or 
privacy breach.

a.   If so, please advise as to the following details of each and any such breach:

    i.    a general description of what occurred;

    ii.    the date and time of the breach (or the best possible estimate);

    iii.    the date and time the breach was discovered;

    iv.    the source of the breach (either your own organization, or a 
    third party to whom you have transferred my personal data);

    v.    details of my personal data that was disclosed;

    vi.    your company’s assessment of the risk of harm to myself, as a 
    result of the breach;

Your assessment is irrelevant, it is the users responsibility to assess the risk of harm to themselves but you could give an indication just to satisfy the question with a note reflecting on that.

    vii.    a description of the measures taken or that will be taken to 
    prevent further unauthorized access to my personal data;

    viii.    contact information so that I can obtain more information and assistance in relation to such a breach, and

    ix.    information and advice on what I can do to protect myself 
    against any harms, including identity theft and fraud.

I hope you have no known but undisclosed breaches. If you do then you probably should make a page where you publicly disclose these details and get in front of the story. If you are not aware that you’ve had any breaches then you can simply answer that.

b.   If you are not able to state with any certainty whether such an exposure 
has taken place, through the use of appropriate technologies, please advise 
what mitigating steps you have taken, such as

    i.    Encryption of my personal data;

    ii.    Data minimization strategies; or,

    iii.    Anonymization or pseudonymization;

    iv.    Any other means

All good questions, that you should have already answered in your privacy policy.

8.   I would like to know your information policies and standards that you 
follow in relation to the safeguarding of my personal data, such as whether 
you adhere to ISO27001 for information security, and more particularly, 
your practices in relation to the following:

If you’ve been ISO27001 certified that answer could take the place of all that follows in this section. But if you’re not certified then you probably should answer the questions in some detail, this may help clarify for yourself if you feel that you are doing a good enough job.

a.   Please inform me whether you have backed up my personal data to tape, 
disk or other media, and where it is stored and how it is secured, including 
what steps you have taken to protect my personal data from loss or theft, 
and whether this includes encryption.

You could answer this in your privacy policy, however I would not answer the ‘where it is stored and how it is secured’ in too much detail. For all you know claimant today is hacker tomorrow, besides, these things can change. Just give a general idea of your backup policy and whether or not the backups are encrypted.

b.   Please also advise whether you have in place any technology which 
allows you with reasonable certainty to know whether or not my personal 
data has been disclosed, including but not limited to the following:

    i.    Intrusion detection systems;

    ii.    Firewall technologies;

    iii.    Access and identity management technologies;

    iv.    Database audit and/or security tools; or,

    v.    Behavioural analysis tools, log analysis tools, or audit tools;

You can answer this in a generic way: “The actual implementation of our ISMS is confidential and we do not give out this information to our end-users, but obviously we take great care to secure your data and where applicable any or all of the above will be deployed.”

9.   In regards to employees and contractors, please advise as to the following:

a.   What technologies or business procedures do you have to ensure that 
individuals within your organization will be monitored to ensure that they 
do not deliberately or inadvertently disclose personal data outside your 
company, through e-mail, web-mail or instant messaging, or otherwise.

That’s a good question, the answer should be something along the lines that you have your employees and contractors sign a ‘data confdentiality’ agreement and that upon end-of-contract you make them sign a ‘non-retention’ agreement.

b.   Have you had had any circumstances in which employees or contractors 
have been dismissed, and/or been charged under criminal laws for accessing 
my personal data inappropriately, or if you are unable to determine this, 
of any customers, in the past twelve months.

Again, a good question, it’s a simple yes-no affair so simple to answer.

c.   Please advise as to what training and awareness measures you have taken 
in order to ensure that employees and contractors are accessing and processing 
my personal data in conformity with the General Data Protection Regulation.

Here you could refer to your onboarding and offboarding processes for employees, the annual privacy awareness refresher and oversight procedures.

Yours Sincerely,

    I. Rate

So, there you go, that should take the sting out of answering the ‘nightmare letter’, even if not all the questions are appropriate (or appropriately worded) you can answer the bulk of them in relatively short order and with automation you can take the sting out. If this is the worst you can expect under the GDPR then that’s not so bad, and the effect might actually be positive:

  • we get to know about a lot of undisclosed breaches

  • it will be clear who has their house in order and who hasn’t

  • if you don’t have your house in order just answering the letter will help you to get there

Note that this form letter makes your life easier in many ways, it’s a form letter so there can be a standardized process to answer it. A handcrafted letter would require a bit more work on your end to ensure it is properly answered.

HN Submission/Discussion
If you read this far you should probably follow me on twitter: