But I actually think stock and flow is a useful metaphor for media in the 21st century. Here’s what I mean: Flow is the feed. It’s the posts and the tweets. It’s the stream of daily and sub-daily updates that reminds people you exist. Stock is the durable stuff. It’s the content you produce that’s as interesting in two months (or two years) as it is today. It’s what people discover via search. It’s what spreads slowly but surely, building fans over time.

The chaos manager is concerned with the credibility of the organization and ensures that positional authority is aligned with personal authority.  That the people in leadership are the ones people want to follow.  While the Marine Corps has a clear position hierarchy, they have a deep understanding of this idea.  Official authority is a function of rank and position and is bestowed by organization and by law. Personal authority is a function of personal influence and derives from factors such as experience, reputation, skill, character, and personal example. It is bestowed by the other members of the organization.…Official authority provides the power to act but is rarely enough; most effective commanders also possess a high degree of personal authority

Instead my approach now is to publish my thoughts more freely with less premeditation. Particularly in this space, which is mine, for me, by me.

First up for me is adding my reading notes to the site.

The second article is from Tom Critchlow titled Building a Digital Garden. What I really like about Tom's piece is his discussion of the idea of "non-performative blogging" in your personal space on the web.I love this idea. Instead of "content marketing" we can use our websites to get back to what made the web awesome while also creating better resources for ourselves and our users.

Personal websites can be so much more than a progression of posts over time, newer posts showing up while everything from the past is neatly tucked on “page 2” and beyond.

Hendrix, his wife and three kids moved into a 29-foot travel trailer. Aside from the flexibility to get up and go if they feel the need, their housing cost has dropped from $2,500 to $213 a month.

As a result, web browsers can provide only minimal assistance to humans in parsing and processing web pages: browsers only see presentation information.

As mentioned earlier in these guidelines, it is very important that controllers assess the purposes forwhich data is actually processed and the lawful grounds on which it is based prior to collecting thedata. Often companies need personal data for several purposes, and the processing is based on morethan one lawful basis, e.g. customer data may be based on contract and consent. Hence, a withdrawalof consent does not mean a controller must erase data that are processed for a purpose that is basedon the performance of the contract with the data subject. Controllers should therefore be clear fromthe outset about which purpose applies to each element of data and which lawful basis is being reliedupon.

If there is no other lawful basisjustifying the processing (e.g. further storage) of the data, they should be deleted by the controller.

In cases where the data subject withdraws his/her consent and the controller wishes to continue toprocess the personal data on another lawful basis, they cannot silently migrate from consent (which iswithdrawn) to this other lawful basis. Any change in the lawful basis for processing must be notified toa data subject in accordance with the information requirements in Articles 13 and 14 and under thegeneral principle of transparency.

Some vendors may relay on legitimate interest instead of consent for the processing of personal data. The User Interface specifies if a specific vendor is relating on legitimate interest as legal basis, meaning that that vendor will process user’s data for the declared purposes without asking for their consent. The presence of vendors relying on legitimate interest is the reason why within the user interface, even if a user has switched on one specific purpose, not all vendors processing data for that purpose will be displayed as switched on. In fact, those vendors processing data for that specific purpose, relying only on legitimate interest will be displayed as switched off.

Under GDPR there are six possible legal bases for the processing of personal data.

Individual Financial Planning

Visit my other web presences

users will not want to see data mining expanding across their WhatsApp metadata. But if that’s the price to maintain encryption, one can assume it will be a relatively easy sell for most users.

using SSH is likely the best approach because personal access tokens have account level access

Where I track capacity, appetite, & commitments. A place where I can stay organized while also allowing transparency for my teams & anyone else who is interested in what I’m currently focused on.

This starter takes advantage of Typescript and Emotion. This is a personal choice, and I'd encourage you to give it a shot. If you're interested in using plain ES6 and regular scss styling, see release v1 of this library.

learn how to be a data steward or data ally. Help organizations proactively think about what data they collect and how it is governed after its collected. Help organizations get their collective head around all the data they possess, how they curate it, how they back it up, and how over time they minimize it.

Services generally fall into two categories: Services related to your own data collection activities (eg. contact forms)Services related to third-party data collection activities (eg. Google Analytics)

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.

Sure, anti-spam measures such as a CAPTCHA would certainly fall under "legitimate interests". But would targeting cookies? The gotcha with reCAPTCHA is that this legitimate-interest, quite-necessary-in-today's-world feature is inextricably bundled with unwanted and unrelated Google targeting (cookiepedia.co.uk/cookies/NID) cookies (_ga, _gid for v2; NID for v3).

A complete snapshot of the user’s browser window at that moment in time will be captured, pixel by pixel (!)

The mix of a fingerprint and first-party cookies is pervasive as Google can give a very high level of entropy when it comes to distinguishing an individual person.

Google encouraging site admins to put reCaptcha all over their sites, and then sharing the resulting risk scores with those admins is great for security, Perona thinks, because he says it “gives site owners more control and visibility over what’s going on” with potential scammer and bot attacks, and the system will give admins more accurate scores than if reCaptcha is only using data from a single webpage to analyze user behavior. But there’s the trade-off. “It makes sense and makes it more user-friendly, but it also gives Google more data,”

For instance, Google’s reCaptcha cookie follows the same logic of the Facebook “like” button when it’s embedded in other websites—it gives that site some social media functionality, but it also lets Facebook know that you’re there.

One of the GDPR's principles of data processing is storage limitation. You must not store personal data for longer than you need it in connection with a specified purpose.

Because consent under the GDPR is such an important issue, it’s mandatory that you keep clear records and that you’re able to demonstrate that the user has given consent; should problems arise, the burden of proof lies with the data controller, so keeping accurate records is vital.

This right only applies to personal data and as such does not apply to genuinely anonymous data (data that can’t be linked back to the individual).

The records should include: who provided the consent;when and how consent was acquired from the individual user;the consent collection form they were presented with at the time of the collection;which conditions and legal documents were applicable at the time that the consent was acquired.

Non-compliant Record Keeping Compliant Record Keeping

they are processed by a natural person in the course of a purely personal or household activity. Practically speaking, the only relevant exception is the latter: for instance, if you collect your friends’ personal data for your own personal phone-book you’re not bound to the GDPR.

there’s no need to send consent request emails — provided that this basis of processing was stated in your privacy policy and that users had easy access to the notice prior to you processing their data. If this information was not available to users at the time, but one of these legal bases can currently legitimately apply to your situation, then your best bet would be to ensure that your current privacy notice meets requirements, so that you can continue to process your user data in a legally compliant way.

Here’s why sending GDPR consent emails is tricky and should be handled very carefully.

they sought to eliminate data controllers and processors acting without appropriate permission, leaving citizens with no control as their personal data was transferred to third parties and beyond

Consent receipt mechanisms can be especially helpful in automatically generating such records.

With that guidance in mind, and from a practical standpoint, consider keeping records of the following: The name or other identifier of the data subject that consented; The dated document, a timestamp, or note of when an oral consent was made; The version of the consent request and privacy policy existing at the time of the consent; and, The document or data capture form by which the data subject submitted his or her data.

Where a processing activity is necessary for the performance of a contract.

“Is consent really the most appropriate legal basis for this processing activity?” It should be taken into account that consent may not be the best choice in the following situations:

“Until CR 1.0 there was no effective privacy standard or requirement for recording consent in a common format and providing people with a receipt they can reuse for data rights.  Individuals could not track their consents or monitor how their information was processed or know who to hold accountable in the event of a breach of their privacy,” said Colin Wallis, executive director, Kantara Initiative.  “CR 1.0 changes the game.  A consent receipt promises to put the power back into the hands of the individual and, together with its supporting API — the consent receipt generator — is an innovative mechanism for businesses to comply with upcoming GDPR requirements.  For the first time individuals and organizations will be able to maintain and manage permissions for personal data.”

CR 1.0 is an essential specification for meeting the proof of consent requirements of GDPR to enable international transfer of personal information in a number of applications.

Its purpose is to decrease the reliance on privacy policies and enhance the ability for people to share and control personal information.

It’s useful to remember that under GDPR regulations consent is not the ONLY reason that an organization can process user data; it is only one of the “Lawful Bases”, therefore companies can apply other lawful (within the scope of GDPR) bases for data processing activity. However, there will always be data processing activities where consent is the only or best option.

Under EU law (specifically the GDPR) you must keep and maintain “full and extensive” up-to-date records of your business processing activities, both internal and external, where the processing is carried out on personal data.

However, even if your processing activities somehow fall outside of these situations, your information duties to users make it necessary for you to keep basic records relating to which data you collect, its purpose, all parties involved in its processing and the data retention period — this is mandatory for everyone.

If you’re a controller based outside of the EU, you’re transferring personal data outside of the EU each time you collect data of users based within the EU. Please make sure you do so according to one of the legal bases for transfer.

you can think “sold” here as “shared with third parties for any profit, monetary or otherwise”

under most legislations you’re required to inform extensively about the processing activities, their purposes and the rights of users.

Full and extensive records of processing are expressly required in cases where your data processing activities are not occasional, where they could result in a risk to the rights and freedoms of others, where they involve the handling of “special categories of data” or where your organization has more than 250 employees — this effectively covers almost all data controllers and processors.

If you have fewer than 250 employees, you only need to document processing activities that: are not occasional; or

Most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.

it buys, receives, sells, or shares the personal information of 50,000 or more consumers annually for the business’ commercial purposes. Since IP addresses fall under what is considered personal data — and “commercial purposes” simply means to advance commercial or economic interests — it is likely that any website with at least 50k unique visits per year from California falls within this scope.

Lean Data Practices Staying lean and being smart about how you collect data can build trust with your users and ultimately help grow your business.

You must disclose how the add-on collects, uses, stores and shares user data in the privacy policy field on AMO. Mozilla expects that the add-on limits data collection whenever possible, in keeping with Mozilla’s Lean Data Practices and Mozilla’s Data Privacy Principles, and uses the data only for the purpose for which it was originally collected.

But now, I think there’s still some lack of clarity from consumers on exactly what they need to do

I think that the importance of people understanding what is going on with their data, and not having a surprised reaction that somebody has their information.

If the PIA identifies risks or high risks, based on the specific context and circumstances, the organization will need to request consent.

Privacy impact assessments or data protection impact assessments under the EU GDPR, before the collection of personal data, will have a key role

U.K. Information Commissioner Elizabeth Denham clearly states that consent is not the "silver bullet" for GDPR compliance. In many instances, consent will not be the most appropriate ground — for example, when the processing is based on a legal obligation or when the organization has a legitimate interest in processing personal data.

data processing limited to purposes deemed reasonable and appropriate such as commercial interests, individual interests or societal benefits with minimal privacy impact could be exempt from formal consent. The individual will always retain the right to object to the processing of any personal data at any time, subject to legal or contractual restrictions.

organizations may require consent from individuals where the processing of personal data is likely to result in a risk or high risk to the rights and freedoms of individuals or in the case of automated individual decision-making and profiling. Formal consent could as well be justified where the processing requires sharing of personal data with third parties, international data transfers, or where the organization processes special categories of personal data or personal data from minors.

First, organizations must identify the lawful basis for processing prior to the collection of personal data. Under the GDPR, consent is one basis for processing; there are other alternatives. They may be more appropriate options.

purposes are grouped into 5 categories (strictly necessary, basic interactions & functionalities, experience enhancement, measurement, targeting & advertising)

Other languages, German for example, are notorious for very long compunds like this and this, that are made up and written as one word directly. Perhaps the way your native language deals with compounds explains your (or other authors') personal preference and sense of "right"?

Before we get to passwords, surely you already have in mind that Google knows everything about you. It knows what websites you’ve visited, it knows where you’ve been in the real world thanks to Android and Google Maps, it knows who your friends are thanks to Google Photos. All of that information is readily available if you log in to your Google account. You already have good reason to treat the password for your Google account as if it’s a state secret.

The data is stored in log files to ensure the functionality of the website. In addition, the data serves us to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. The legal basis for the temporary storage of the data and the log files is Art. 6 para. 1 lit. f GDPR. Our legitimate interests lie in the above-mentioned purposes.

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this the IP address of the user must remain stored for the duration of the session.

The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f GDPR. Our legitimate interests lie in the above-mentioned purposes.

Asians favour a more crimson red than Western red

legitimate interest triggers when “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject

of the six lawful, GDPR-compliant ways companies can get the green light to process individual personal data, consent is the “least preferable.” According to guidelines in Article 29 Working Party from the European Commission, "a controller must always take time to consider whether consent is the appropriate lawful ground for the envisaged processing or whether another ground should be chosen instead." 

“It is unfortunate that a lot of companies are blindly asking for consent when they don’t need it because they have either historically obtained the consent to contact a user,” said digital policy consultant Kristina Podnar. “Or better yet, the company has a lawful basis for contact. Lawful basis is always preferable to consent, so I am uncertain why companies are blindly dismissing that path in favor of consent.”

Data has become a “natural resource” for advertising technology. “And, just as with every other precious resource, we all bear responsibility for its consumption,”

To join the Privacy Shield Framework, a U.S.-based organization is required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, the GDPR goes far beyond it.

To become compliant, organisations will need to either stop collecting the offending cookies or find a lawful ground to collect and process that data

Legitimate interest. When there is a genuine reason for processing personal data without consent. Interpretations of this legal ground may vary, but a good example would be risk assessment or checking children’s age, such as in an online liquor store.

Asking for consent when processing users’ personal data is one of the most important duties imposed on website owners by the GDPR.

The process of collecting and storing user consent from a technical perspective