QCon 2018 – Data, GDPR & Privacy

Title: Data, GDPR & Privacy – Doing it right without losing it all
Speaker: Amie Durr

See the table of contents for more blog posts from the conference.

Goals: send right message to right person at right time using right channel (ex: email, text, etc)

One company handles 25% of all non-spam email traffic


  • We don’t trust brands with personal information. 2/3  overall. Nobody in room.
  • Employees at GDPR  compliant companies also don’t believe their company is

Recent thefts

  • Ticketfly – emails and hashed passwords.   Shut down their website
  • Panera – email, name, phone, city, last 4 digits of credit card number
  • MyHeritage – email and hashed passwords
  • Myfitnesspal – name, weight, etc

Need to consider

  • What do you store?
  • For how ong do you store it?

Data and privacy regulations

  • CASL
  • Privacy Shield – for data leaving Europe
  • GDPR – EU
  • Future: Germany, Australlia, South America
  • Not about specific regulations. Need to care about data an privacy. Part of   Brand. Customers will leave

Supply for data scientists far exceeds supply

Build trust without stiffling innovation

  • accountability – what do with data, who responsible, continuing to focus on data perception,  audit/clean data, make easy to see what data  have and how opt out/delete
  • privacy by design – innovate without doing harm, don’t want to get hacked, be user centric, move data to invididual so no storing, what is actually PII vs what feels like PII. Anonymize both

Remember user data. If the user types it in, could be anything in here

What they did

  • dropped log storage to 30 days. Have 30 days to comply with requests to delete data. So  handled by design for log files
  • hash email recipients
  • Remove unused tracking data
  • Communicated with customers
  • Kept anonymized PII data, support inquiries, etc
  • some customers feel 30 days is too long so looking at going beyond law

Can delete parts of data vs everything (ex:: stack overflow)

brand and pr vs actually keeping user safe [like what happened with accessibility and section 508]

My take

Good talk. I liked the level of detail and concrete examples. I would have liked a refresher of GDPR. But there was enough to tell me what to google. That helped with what didn’t know (or forgot).