undefined | Better HN

0 pointspartiallypro5y ago0 comments

I guess a problem is that some smaller offices use O365 and simple deduction could link the person back to the data O365 spits out. They should make the feature unavailable unless you have a certain amount of seats.

0 comments

3 comments · 1 top-level

skohan5y ago· 2 in thread

Yeah this is a major question. For instance, under GDPR rules, most restrictions relate to "personally identifiable information", which is defined as not only data which specifically identifies an individual, but any data which can be used to identify an individual. So for instance if you collect detailed information about usage patterns which includes country of origin, and you have exactly one user in Sudan, data privacy rules would apply because you would know exactly which user the data is referring to.

I actually wonder how this product would have passed GDPR at all.

jodrellblank5y ago

The GDPR doesn’t say you can’t know anything about anyone; “all” it says is that you tell people what data you collect and why, and delete it when you don’t need it.

As long as you’ve told your user in Sudan that country of origin is something you collect for marketing decisions, it’s fine.

skohan5y ago

That's not entirely correct. So for example, let's say I ask users about users' name and address, and I ask their permission to store this under GDPR. In a separate table, I store "anonymous" sensitive data, like which how many users in each country have a particular health issue, but it's "anonymous" so I never asked the user's permission to collect it. I am violating GDPR, because I can use my demographic data to identify some specific users who have some specific health conditions, and I never asked permission to do that.

j / k navigate · click thread line to collapse