GDPR - anyone working in this area?


plasticpig

12,932 posts

225 months

Tuesday 2nd January 2018
ATG said:
From a system perspective, this is a non-problem. It is counter-intuitive, but it is pretty easy to be able to delete a customer's data and still at a later date answer the question "has this "new" person previously asked us to delete their data?". It turns out that there are ways of scrambling data that are irreversible. If you only store the scrambled version of the data, you cannot reconstruct the customer's data, but you can take a potentially new customer's data, scramble it and see if you've already seen the same scrambled result. If you have, then the potentially new customer is actually someone who has previously asked you to delete their data.
It's not as simple as that though. Usual way to do this is to use a hash function to generate a hash code. This works pretty well if the data is identical or nearly identical. However if the data is very different then it won't work. If the person who has requested deletion of their data has changed their address or gives a different telephone number then the hash codes won't match.

From a GDPR point of view they are still the same person so you shouldn't add the record. Ironically the more data you can collect and store about a person actually increases the chance that you can identify them as having been previously removed from your system.


Edited by plasticpig on Tuesday 2nd January 16:10

CzechItOut

2,154 posts

191 months

Tuesday 2nd January 2018
0a said:
Out of interest, we had a company purchase another insolvent company in our industry "for the database" - I assume to market under the defunct company brand rather than under their own. Will anything be impacted here, given the customer data / website will be moved to the buying company's systems?
I don't see why this would be impacted by GDPR. If you give your consent to Company A, which is in turn acquired by Company B, there is nothing to stop Company B from using that data as long as the individual's rights are maintained.

Eric Mc

122,032 posts

265 months

Tuesday 2nd January 2018
CzechItOut said:
I don't see why this would be impacted by GDPR. If you give your consent to Company A, which is in turn acquired by Company B, there is nothing to stop Company B from using that data as long as the individual's rights are maintained.
And that, my friend, is the kind of issue that will keep QCs in the style they are currently accustomed to for years to come.

ATG

20,577 posts

272 months

Tuesday 2nd January 2018
Bloom filters and hashes of a few bits of data per person (e.g. first name and surname initials and postcode, initials and phone number, e-mail) would give you a pretty effective, self-contained system. Someone would have had to change a lot of personal data before you'd fail to match on something. If there's some third party registry of "never ever contact me again, you bds, and here are my current contact details so you can identify me", then so much the better as the apparent catch-22 "I can't remember what I've deleted because I've deleted it" doesn't arise in the first place.

I'd imagine there are much bigger problems to solve than just filtering lists of prospects that have been bought in from a third party. I'd guess there are a lot of systems out there that by design never actually thoroughly delete customer data and just allow it to be flagged as hidden. Fixing that or migrating to a new, compliant system can easily become a complex and expensive project delivering bugger all added value to the business beyond compliance.
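
An added example, not part of any poster's message: a sketch of the scheme discussed above (hashes of several overlapping field combinations held in a Bloom filter), showing both the match after a partial change of details and the miss when every field has changed. The field names, the HMAC key, the filter size and the sample people are assumptions constructed for illustration.

```python
import hashlib
import hmac
KEY = b"constructed-demo-key"  # assumption: real key lives in a secrets store

def _norm(s):
    return "".join(c for c in s.lower() if c.isalnum())

def match_keys(p):
    """Overlapping match keys: initials+postcode, initials+phone, e-mail."""
    ini = _norm(p["first"])[:1] + _norm(p["last"])[:1]
    return ["pc:" + ini + _norm(p["postcode"]),
            "ph:" + ini + _norm(p["phone"]),
            "em:" + p["email"].strip().lower()]

class SuppressionFilter:
    """Bloom filter of keyed hashes; the deleted record itself is not kept."""
    def __init__(self, bits=1 << 16, hashes=4):
        self.bits, self.hashes = bits, hashes
        self.array = bytearray(bits // 8)

    def _positions(self, key):
        # HMAC, not a bare hash: postcodes and phone numbers are guessable.
        d = hmac.new(KEY, key.encode(), hashlib.sha256).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.bits
                for i in range(self.hashes)]

    def forget(self, p):
        """Call on a deletion request, before the record is erased."""
        for k in match_keys(p):
            for pos in self._positions(k):
                self.array[pos // 8] |= 1 << (pos % 8)

    def previously_deleted(self, p):
        """True if any one key matches; Bloom false positives are possible."""
        return any(all(self.array[pos // 8] & (1 << (pos % 8))
                       for pos in self._positions(k)) for k in match_keys(p))

# Constructed sample people (names, addresses and numbers are made up).
def person(first, last, postcode, phone, email):
    return dict(first=first, last=last, postcode=postcode, phone=phone, email=email)
ALICE = person("Alice", "Example", "AB1 2CD", "01632 960001", "alice@example.com")
MOVED = person("Alice", "Example", "EF3 4GH", "01632 960002", "alice@example.com")
NEW_EMAIL = person("Alice", "Example", "AB1 2CD", "01632 960003", "a.e@example.net")
ALL_NEW = person("Alice", "Example", "EF3 4GH", "01632 960002", "a.e@example.net")
BOB = person("Bob", "Sample", "ZZ9 9ZZ", "01632 960999", "bob@example.org")

def demo():
    f = SuppressionFilter()
    f.forget(ALICE)
    return [f.previously_deleted(x) for x in (MOVED, NEW_EMAIL, ALL_NEW, BOB)]
```

`demo()` checks MOVED, NEW_EMAIL, ALL_NEW and BOB against a filter that has only seen ALICE's deletion request.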

Bikerjon

Original Poster:

2,202 posts

161 months

Monday 8th January 2018
As this thread continues to demonstrate, there are more than a few areas of GDPR that appear to be open to interpretation or where viewpoints will differ. Until such a day where this legislation is a bit more "solid" I wonder if anyone has looked into getting some form of insurance cover that protects against investigations and any subsequent fines that could arise? Does such insurance cover exist?

anonymous-user

54 months

Monday 8th January 2018
Bikerjon said:
As this thread continues to demonstrate, there are more than a few areas of GDPR that appear to be open to interpretation or where viewpoints will differ. Until such a day where this legislation is a bit more "solid" I wonder if anyone has looked into getting some form of insurance cover that protects against investigations and any subsequent fines that could arise? Does such insurance cover exist?
DELETED: Comment made by a member whose account has been deleted.
Insurers are scrambling to update their wordings but you certainly won't get cover for the fines - there is cover available for any other costs though. The better insurers will offer some half decent assistance in working towards compliance.

At the moment I am half-heartedly working on a sort of hybrid D&O/Legal/Cyber product that would offer cover (excluding fines) but it's slow work.

anonymous-user

54 months

Monday 8th January 2018
DELETED: Comment made by a member whose account has been deleted.
I haven't heard of a move towards such claims, but I have just asked someone who would know and will let you know. I suppose it will depend on what the level of compensation is. If it's going to be over the small claims limit on a volume basis I would think it's inevitable.

Can I ask who the underwriter for your product is?

wombleh

1,790 posts

122 months

Monday 8th January 2018
Not sure which TR has but I held this one for a while, same kind of thing:
https://www.iasme.co.uk/cyberessentials/automatic-...

anonymous-user

54 months

Monday 8th January 2018
wombleh said:
Not sure which TR has but I held this one for a while, same kind of thing:
https://www.iasme.co.uk/cyberessentials/automatic-...
I'm not convinced that Cyber Liability is sufficient - there are lots of ways of breaching the rules that fall between gaps in cover.

It's not a particularly easy sell though so it doesn't stay at the top of the pile for long.

anonymous-user

54 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
Understood.

Do you think all the risks are "cyber" related or is there a more general risk to a business?

RicksAlfas

13,401 posts

244 months

Tuesday 9th January 2018
I struggle to get my head round the fact that in a business to business context, a person's name with a business address, business email and a business telephone number is considered "personal data". Will we need to sign a disclaimer when we receive a business card in the future? nuts



wombleh

1,790 posts

122 months

Tuesday 9th January 2018
desolate said:
I'm not convinced that Cyber Liability is sufficient - there are lots of ways of breaching the rules that fall between gaps in cover.

It's not a particularly easy sell though so it doesn't stay at the top of the pile for long.
The intent of cyber liability cover is to pay for recovery if you get hacked. That's where iasme got the £25k figure as it's apparently average cost for SME breach recovery. Although the wording of that cover does include covering fines, the amount means most would need separate cover.

Not clear whether things like spear phishing are covered either as they're not really breaches. Given that's the most common attack mechanism I'm suspicious of the worth of a lot of these policies.


anonymous-user

54 months

Tuesday 9th January 2018
wombleh said:
The intent of cyber liability cover is to pay for recovery if you get hacked. That's where iasme got the £25k figure as it's apparently average cost for SME breach recovery. Although the wording of that cover does include covering fines, the amount means most would need separate cover.

Not clear whether things like spear phishing are covered either as they're not really breaches. Given that's the most common attack mechanism I'm suspicious of the worth of a lot of these policies.
Yes - know what Cyber Liability is designed to cover, which is why I don't think it's sufficient to cover the risks to a business and its directors.


Frimley111R

15,664 posts

234 months

Tuesday 9th January 2018
RicksAlfas said:
I struggle to get my head round the fact that in a business to business context, a person's name with a business address, business email and a business telephone number is considered "personal data". Will we need to sign a disclaimer when we receive a business card in the future? nuts
Technically yes.

RicksAlfas

13,401 posts

244 months

Tuesday 9th January 2018
Frimley111R said:
Technically yes.
Well, that's great then.
rofl

Eric Mc

122,032 posts

265 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
Legislation for culture never goes well.

From what I can see, the whole thing is so wide open to interpretation that ANY divulging of Anything in ANY context could be seen to be a breach.

Maybe we should ask people to close their eyes when someone hands them a cheque or uses a PIN machine. Postmen will have to do their deliveries blindfold.

I really think this is going to be totally and absolutely unenforceable in any meaningful and sensible way.

Eric Mc

122,032 posts

265 months

Tuesday 9th January 2018
It will be interesting to see how this wide ranging set of rules will be applied.

Who will get prosecuted?

Who will get fined?

Who will go to jail?

Will they bother with small businesses and organisations or will they concentrate on the big guys?

How much should those of us be really afraid as to how vulnerable we are to being pulled up before the beak?

It will be really interesting to see how it all pans out.


Eric Mc

122,032 posts

265 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
HOW DARE YOU

That sounds so dictatorial. What in God's name type of society are characters like you trying to create?

That is an absolutely DISGRACEFUL comment.

Eric Mc

122,032 posts

265 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
If you are typical of the types of people who are trying to convince people how important this all is, you are doing a bloody awful job. Throwing insults at me is not going to work.

Really - I have not come across somebody as crass or as rude as you on PH in a very long time.

I see you call yourself a consultant. Do you talk to your clients in this way?

Sheepshanks

32,769 posts

119 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
I mentioned earlier about the teacher who said they've been told they won't be able to take kids' exercise books home to mark.