GDPR - anyone working in this area?


K50 DEL

9,237 posts

228 months

Tuesday 5th December 2017
PixelpeepS3 said:
My other half is the registered DPO for her business and is the GDPR champion..

I am currently half way through a CBCI qualification with a mind to running parallel with ISO 27001 with my company, so plenty of overlap with GDPR.


If you take away the extortionate charges 'consultants' will charge, using the threat of being bankrupt after a breach as validation, I think this is a good thing and absolutely needed to happen.

You can't just store stuff on people and not care or spend any money protecting it.

ahem... NHS using WinXP 2 years after support ended?!
DELETED: Comment made by a member who's account has been deleted.
Think I might be partaking of this... I've just been appointed GDPR Project Manager at my place, a third sector provider of services to vulnerable children... I have a feeling I may have my work cut out!!

EddieSteadyGo

11,947 posts

203 months

Tuesday 5th December 2017
Whilst I'm sure some companies will want/need the support of a consultant to prepare themselves for the necessary changes required by GDPR, the government (more specifically the ICO) have launched a free helpline for small business to help them prepare.

May be of use to some people - link below:

https://ico.org.uk/about-the-ico/news-and-events/n...

Edited to add, they also have a general guide which includes:
  • a guide to the GDPR;
  • a getting ready for the GDPR self help checklist;
  • a GDPR FAQs document;
  • a new advice service helpline for small organisations; and
  • a ‘12 steps to take now’ graphic.
https://ico.org.uk/for-organisations/business/

Edited by EddieSteadyGo on Tuesday 5th December 18:50

Frimley111R

15,664 posts

234 months

Friday 8th December 2017
So, one of our team went to a GDPR seminar and was seriously spooked! rolleyes

One of the points she mentioned was keeping deleted records so that you do not buy or acquire them again. Whilst it makes sense to me, GDPR does not allow this. What was she talking about?

Bullett

10,887 posts

184 months

Friday 8th December 2017
I think she's got a bit confused, I'd seek clarity.

Something about right to be forgotten possibly. My understanding is that if you hold records on me I can ask for them to be deleted, easy enough. However, to do that you have to be able to ID the record as mine. This is a problem for a lot of customers, especially around call recordings (my area), as recordings are rarely tagged with the sort of detail needed to find them.


Australiam

276 posts

129 months

Friday 8th December 2017
Frimley111R said:
So, one of our team went to a GDPR seminar and was seriously spooked! rolleyes

One of the points she mentioned was keeping deleted records so that you do not buy or acquire them again. Whilst it makes sense to me, GDPR does not allow this. What was she talking about?
Here would be my response - though TinRobot may be along soon to put it more eloquently!

Data can be kept for as long as the processing (including storage) has a lawful basis. Once there is no lawful basis, it should be deleted. Assuming in this case the lawful basis is consent, then if the user retracts consent and invokes their 'Right To Be Forgotten', you should delete it. You will then not process their data again, as you do not have it. You should only buy or acquire or use data with a lawful basis for processing. So if you obtained it again legally, you would now have a more recent legal basis (such as consent) which you should have on record (showing where you got it from, when, and the legal basis for its use).

In the case where you have data on a Data Subject and use it for multiple purposes (for example as a customer, and to market to them), each processing activity will require its own legal basis. Assuming one of the processing activities relies on consent as the lawful basis (such as the marketing), if the user retracts consent you may still need to retain their information for other reasons, such as to meet a legal requirement. In this case you would not be relying on consent, but would still have a lawful basis for retaining their data. In this example though, upon the retraction of consent, you should delete any information not required by the 2nd process.

Really sorry if that does not read well..... I was struggling to make it more succinct.

Australiam

276 posts

129 months

Friday 8th December 2017
Bullett said:
I think she's got a bit confused, I'd seek clarity.

Something about right to be forgotten possibly. My understanding is that if you hold records on me I can ask for them to be deleted, easy enough. However, to do that you have to be able to ID the record as mine. this is a problem for a lot of customers especially around call recordings (my area) as recordings are rarely tagged with the sort of detail needed to find them.
Similar to the above point - Before recording the call (and therefore potentially collecting PII), you should establish the lawful basis for doing so. Consent is a bit of a last resort, as it can be retracted, and causes the challenges you mention. If for example you are FCA regulated, and the law states you must record the call (and store it for x months), then you would use "6(1)(c) – Processing is necessary for compliance with a legal obligation" as the lawful basis, and not Consent. That way, it does not matter what a user asks, you have a different lawful basis and so do not have to delete the data.

If you do not have any other lawful basis other than Consent, and a user invokes their right to be forgotten, then you must comply. An organisation can refuse to comply with a request where the personal data is necessary:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority (for instance, if required to by the Revenue Commissioners)
  • for public health purposes or when it is in the public interest
  • for archiving purposes which are in the public interest, such as scientific research, historical research or statistical purposes
  • when the data is necessary for the exercise or defence of legal claims
However, the burden of proof resides with the data controller to prove their exception, rather than the Data Subject.


Once again, I hope this is clear, and as ever, there is still a lot of room for interpretation. So I welcome input from others if they think I have mis-understood or mis-interpreted the rules!




Edited by Australiam on Friday 8th December 17:51

Sheepshanks

32,771 posts

119 months

Wednesday 20th December 2017
Interesting how many companies are sending Christmas Greeting emails and putting their entire email contact list in the To: field.

Picking up a few useful names!

coldel

7,871 posts

146 months

Wednesday 20th December 2017
So companies still do that thinking it's a good thing, i.e. send Christmas e-cards? I delete all the ones I get without a second glance as I know it's just mass emailed and meaningless. Now, if they offered a free product for my Christmas stocking then I would be interested!

Sheepshanks

32,771 posts

119 months

Monday 1st January 2018
Was at a do last night and someone (not me, honest!) started talking about GDPR - a teacher there said they've been told they won't be able to take kids' books home to mark as they can't guarantee their confidentiality, and information sheets, listing loads of personal data, allergies etc, which are made generally available to anyone who comes into contact with the kids, will become "illegal".

The general manager of the venue was with us at that point and he'd never heard of GDPR!

BobSaunders

3,033 posts

155 months

Tuesday 2nd January 2018
GDPR is easy - as long as you are willing to spend money, alter business processes and procedures, and know where everything is.

We are a multinational enterprise in insurance, investment management, and other financial services.

The biggest issue we faced is mapping where and what is accessing the data - finance, marketing, big data, HR, third parties, etc. It took a very long time - and we underestimated the effort required by a factor of 3.

It has taken significant investment, and in some cases meant that parts of the business were disbanded or merged as the ROI was nil or limited otherwise. That meant hiring and firing as applicable.

Much like PCI DSS.

Eric Mc

122,032 posts

265 months

Tuesday 2nd January 2018
My hunch is that they are trying to regulate the unregulateable.

Eric Mc

122,032 posts

265 months

Tuesday 2nd January 2018
It will be regulated the way all such bureaucracy is regulated - very, very badly.

Eric Mc

122,032 posts

265 months

Tuesday 2nd January 2018
I've been in my profession for 42 years now. Over the decades I have confronted multiple changes of this type - and each time the bureaucracy changes, we get warnings such as we are getting with this along the lines of -

this time it's different
this time the consequences of getting it wrong will be worse
far more of you are going to fall foul of the rules
you need to spend money to get "with the programme"


I've heard all this before. And, in the end, all these extra rules have no real effect on anything. We all go about our businesses much as we did before. The bad guys will (mostly) still get away with things.

CzechItOut

2,154 posts

191 months

Tuesday 2nd January 2018
DELETED: Comment made by a member who's account has been deleted.
I'm tempted to agree with Eric. I think it is very poor that there is no accreditation. At least with PCI DSS there was a bar which had to be met.

There is an awful lot of FUD with GDPR, precisely because there is no line in the sand which states what the appropriate response to the regulations are.

Any regulation which is as open to interpretation as GDPR is poor in my opinion.

Sheepshanks

32,771 posts

119 months

Tuesday 2nd January 2018
Eric Mc said:
I've heard all this before. And, in the end, all these extra rules have no real effect on anything. We all go about our businesses much as we did before. The bad guys will (mostly) still get away with things.
There's some concern, as the ICO has been staffed up considerably, including taking on former police officers, that they're going to be out looking for people to hit with penalties to cover their costs.

It was originally said the ICO's current registration scheme would end, as under GDPR there's no requirement to register. The ICO is having none of that, and has said firms will still need to register (and pay).

ATG

20,577 posts

272 months

Tuesday 2nd January 2018
Frimley111R said:
One of the points she mentioned was keeping deleted records so that you do not buy or acquire them again. Whilst it makes sense to me GDPR does not allow this. What was she talking about?
From a system perspective, this is a non-problem. It is counter-intuitive, but it is pretty easy to be able to delete a customer's data and still at a later date answer the question "has this "new" person previously asked us to delete their data?". It turns out that there are ways of scrambling data that are irreversible. If you only store the scrambled version of the data, you cannot reconstruct the customer's data, but you can take a potentially new customer's data, scramble it and see if you've already seen the same scrambled result. If you have, then the potentially new customer is actually someone who has previously asked you to delete their data.
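An added example of the approach ATG describes (my own code, not from the post or any product): an erasure suppression list that stores only a one-way digest of each deleted address and checks a "new" address against it. It goes slightly beyond the post by normalising the address and using a secret key (HMAC-SHA256), both my assumptions, so that someone holding only the list cannot recover addresses by hashing guesses; the key and sample data are constructed placeholders.

```python
import hashlib
import hmac
import unicodedata

# Constructed placeholder key for this example; a real deployment would load it
# from a secrets store and keep it separate from the suppression list itself.
SUPPRESSION_KEY = b"example-secret-key-change-me"


def normalise_email(email: str) -> str:
    """Canonicalise an address so trivial variations still match."""
    # NFKC folds full-width/composed characters; then lower-case and trim.
    return unicodedata.normalize("NFKC", email).strip().lower()


def fingerprint(email: str, key: bytes = SUPPRESSION_KEY) -> str:
    """One-way, keyed digest of a normalised address (HMAC-SHA256).

    An unkeyed hash of an e-mail address can be reversed by hashing a list of
    candidate addresses and comparing; the secret key prevents anyone holding
    only the list from doing that.
    """
    data = normalise_email(email).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class SuppressionList:
    """Holds fingerprints only; the addresses themselves are never stored."""

    def __init__(self, key: bytes = SUPPRESSION_KEY) -> None:
        self._key = key
        self._fingerprints: set[str] = set()

    def record_erasure(self, email: str) -> None:
        """Called at the moment a data subject's record is deleted."""
        self._fingerprints.add(fingerprint(email, self._key))

    def previously_erased(self, email: str) -> bool:
        """Check an incoming address (e.g. from a bought list) before loading it."""
        return fingerprint(email, self._key) in self._fingerprints

    def filter_new_records(self, emails: list[str]) -> list[str]:
        """Keep only addresses whose owner has not previously asked for erasure."""
        return [e for e in emails if not self.previously_erased(e)]


# Constructed sample data: one erased subject, then a purchased list that
# contains a differently-spelled copy of that same address.
ERASED = SuppressionList()
ERASED.record_erasure("alice@example.com")
PURCHASED = ["Alice@Example.com ", "bob@example.com"]
ALLOWED = ERASED.filter_new_records(PURCHASED)  # ["bob@example.com"]
```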

Eric Mc

122,032 posts

265 months

Tuesday 2nd January 2018
My head just exploded.

0a

23,901 posts

194 months

Tuesday 2nd January 2018
I am hoping (perhaps too much of a hope) that this will stamp out some bad industry practice, and that by embracing the principles of GDPR it might actually be possible to gain a competitive advantage.

Out of interest, we had a company purchase another insolvent company in our industry "for the database" - I assume to market under the defunct company brand rather than under their own. Will anything be impacted here, given the customer data / website will be moved to the buying company's systems?

Eric Mc

122,032 posts

265 months

Tuesday 2nd January 2018
I think part of this will result in the invention of "Total Recall" type machines.


Frimley111R

15,664 posts

234 months

Tuesday 2nd January 2018
0a said:
Out of interest, we had a company purchase another insolvent company in our industry "for the database" - I assume to market under the defunct company brand rather than under their own. Will anything be impacted here, given the customer data / website will be moved to the buying company's systems?
I doubt it, whatever happens the GDPR rules apply to the data no matter where it is.