GDPR - anyone working in this area?

Sheepshanks

32,830 posts

120 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
I didn't press the point but I can see where they're coming from - they've got the kids' names on and they're not secure.

Eric Mc

122,096 posts

266 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
I'm well over myself, thanks very much.

We shall see how all this works out. I predict fairly toothless legislation with just the odd case "pour encourager les autres".

And I'd hate to see you in action if you lost your patience.

Sheepshanks

32,830 posts

120 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
It'll likely have the name of the school on too, so there's enough to make it PII. Of course there's also the additional minefield that we're talking about data on children.


The bigger point that I picked up from this, and I've seen murmurings of it in our company, is this kind of thing plays right into the hands of the "I can't do this task because of XYZ reason" type of employee.

bga

8,134 posts

252 months

Tuesday 9th January 2018
Eric Mc said:
It will be interesting to see how this wide ranging set of rules will be applied.

Who will get prosecuted?

Who will get fined?

Who will go to jail?

Will they bother with small businesses and organisations or will they concentrate on the big guys?

How much should those of us be really afraid as to how vulnerable we are to being pulled up before the beak?

It will be really interesting to see how it all pans out.
I agree, it will be interesting to see how it pans out. Anyone who has been through the joys of Sarbanes-Oxley has seen the hype, the FUD, the same old sales tactics rolled out.

We are in the excitement stage now. Lots of people out there purporting to be GDPR experts are giving OTT (and I suppose UTT - if that is such a thing) advice and people will jump through hoops until it becomes business as usual and boundaries are set through clarifications, enforcement and/or fines.



plasticpig

12,932 posts

226 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
Might have a name, class, school and a subject on the exercise book though. Exercise books are stolen by a paedophile and used for online grooming. Far fetched I know, but risk-averse institutions won't see it that way.



bga

8,134 posts

252 months

Tuesday 9th January 2018
anonymous said:
[redacted]
With the annual changes to accounting standards I venture that Eric deals with more change than most.



EddieSteadyGo

12,046 posts

204 months

Tuesday 9th January 2018
bga said:
.... it will be interesting to see how it pans out. Anyone who has been through the joys of Sarbanes-Oxley has seen the hype, the FUD, the same old sales tactics rolled out.

I think there is a serious point about how businesses use (and sometimes abuse) our personal data. The GDPR from that perspective makes sense - it is trying to stop abuses and aims to ensure our information gets the protection it deserves.

If we think about how technology is advancing this is going to become critical - take for example devices like Alexa which have an always-on microphone. In 10 years time all home appliances will be connected with voice control - microphones and cameras will be everywhere. It doesn't take a genius to think how tempting (and valuable) some of this personal information could be, unless there are laws in place to stop it being abused.

Having said that, I think Eric's broad point is correct - at this stage GDPR hype is more heat than light. From my own perspective, I will need to make some changes to my small business, but I don't think the changes are that complicated and certainly don't require external paid advice. It just needs a degree of common sense.

Sheepshanks

32,830 posts

120 months

Tuesday 9th January 2018
bga said:
I agree, it will be interesting to see how it pans out. Anyone who has been through the joys of Sarbanes-Oxley has seen the hype, the FUD, the same old sales tactics rolled out.

We are in the excitement stage now. Lots of people out there purporting to be GDPR experts are giving OTT (and I suppose UTT - if that is such a thing) advice and people will jump through hoops until it becomes business as usual and boundaries are set through clarifications, enforcement and/or fines.
There's certainly some concern that the ICO will seek to cover the costs of its boosted organisation by going out and looking for infringements. Especially as it's been noted that some of the new staff are ex-police officers. Small businesses may well be the low hanging fruit.

EddieSteadyGo

12,046 posts

204 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
I presume you are referring to Boomerang Video who rent video games?

If yes, it sounds like they were a right shower.

Using a weak WordPress password, allowing public access to their decryption key, and allowing access to encrypted data, amongst a list of basic errors, caused a big leak of credit card data.

If nothing else they would also have been massively in breach of the merchant account PCI rules. And VISA and Mastercard are now issuing very large fines to any retailer allowing card data to leak, regardless of mitigating circumstances.

Edited to add: in the instance where retailers are processing card data, they should be taking expert advice to ensure web servers, handling procedures etc. are fully secure. The fines (from VISA and Mastercard) are now very high, and they will fine companies if card data leaks.

Edited by EddieSteadyGo on Tuesday 9th January 21:43

EddieSteadyGo

12,046 posts

204 months

Tuesday 9th January 2018
Fair enough - makes sense.

Sheepshanks

32,830 posts

120 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
Well - the money goes to the Government and the ICO is funded to an extent by the Government.

bga

8,134 posts

252 months

Tuesday 9th January 2018
DELETED: Comment made by a member whose account has been deleted.
There is a clear conflict of interest between acting as a DPO and an external auditor, no regulator will take it seriously. I can see there being an argument that the role is congruent with some internal audit activities (both have the independence requirement).

bga

8,134 posts

252 months

Wednesday 10th January 2018
DELETED: Comment made by a member whose account has been deleted.
From an external audit perspective you are not external to the organisation if you are performing the DPO (or any other material operational) role.

That is not to say that you aren't operating with independence, doing a great job etc.

Should the organisation ever have to defend an action and assert that they are externally audited then they would lose credibility immediately as their DPO is marking their own homework. Audited - yes, but not externally audited in the commonly accepted sense.


Pot Bellied Fool

2,131 posts

238 months

Thursday 11th January 2018
desolate said:
Can I ask who the underwriter for your product is?
DELETED: Comment made by a member whose account has been deleted.
I'm an IASME CE/CE+ Assessor too.

I've always regarded the insurance that comes with CE as a 'nice to have', but that's not the main point of getting the cert. I've not checked into the policy recently but as I recall, it's a central helpline/remediation, so you can't use your local IT MSP to sort out the mess after a breach. I've not looked into who they're using, but if a client is expecting KPMG's cleanup team to come abseiling in through the windows then the £25k will just about cover them putting the kettle on!

As an aside - and getting away from GDPR into the realms of the Cyber side, I've recently come across a different AB that swears blind that servers need not be included in a CE+ audit. Madness!

We're having a lot of discussion about home offices & IoT. Thinking is that where people have a 'proper' home office but the house shares the same Internet then the house, CCTV & IoT devices really need to be VLANned off and that makes it a much more complicated fix for the average small biz.

Sheepshanks

32,830 posts

120 months

Thursday 11th January 2018
Pot Bellied Fool said:
We're having a lot of discussion about home offices & IoT. Thinking is that where people have a 'proper' home office but the house shares the same Internet then the house, CCTV & IoT devices really need to be VLANned off and that makes it a much more complicated fix for the average small biz.
That's kind of similar to the teachers taking kids' exercise books home I mentioned earlier. It was asserted it's dodgy as other people might see them.

How far do you go - does the room used for the home office need to have secure entry? Years ago there was talk of my wife, then a civil servant, working at home, and there was going to have to be a security audit of the house.


Frimley111R

15,690 posts

235 months

Thursday 11th January 2018
Eric Mc said:
DELETED: Comment made by a member whose account has been deleted.
HOW DARE YOU

That sounds so dictatorial. What in God's name type of society are characters like you trying to create?

That is an absolutely DISGRACEFUL comment.
Not doing yourselves any favours with comments like this TR! Especially pointed at one of the longest standing and most active members on here.

Pot Bellied Fool

2,131 posts

238 months

Thursday 11th January 2018
Sheepshanks said:
That's kind of similar to the teachers taking kids' exercise books home I mentioned earlier. It was asserted it's dodgy as other people might see them.

How far do you go - does the room used for the home office need to have secure entry? Years ago there was talk of my wife, then a civil servant, working at home, and there was going to have to be a security audit of the house.
Well, that would drop out of the Information Asset Audit. What information do you have hanging around? How sensitive is it? (All information assets should be categorised as to risk, mostly a red/amber/green will suffice).

But yes, if you've got people's medical records for example on your desk then I'd expect your office to have a lock on it! It's a considered, risk based approach. What's the risk? What's the likelihood? How can we reduce the risk? Can we put any compensating controls in place?

Doesn't necessarily need armed guards & floodlights, just some basic physical security that in most cases is unlikely to be too onerous.

And I agree about the teacher books. Craziness! GDPR needn't exclude common sense.

Though I notice my daughter's school has a notice board with pupils' medical details (the kids that have inhalers or other medications) on the wall for teachers' reference - pity it faces a window and is clearly visible to all & sundry...

RicksAlfas

13,411 posts

245 months

Thursday 11th January 2018
I'm struggling to find any enthusiasm for this project, both from myself and other business owners. It looks like it could affect every legitimate exchange of data and in reality will not prevent illegal use of data.

Every single delivery marked for someone's attention; every business card; every email with contact details. It's crazy.

I fully accept that if you leave your phone number with a garage to ring when your car is ready, you don't expect that number to turn up at AnyClaimsWillDo.com. But at the same time there has to be a reasonable expectation that contact details will be exchanged and held by businesses.

At the moment all I can see is that an idea has been dreamed up without any thought how it will be used in the real world. This leads to scaremongering and fear as can be seen above. When it is deemed reasonable that a teacher can't take exercise books home to mark in case it violates someone's data, then it's beyond acceptable. I hope someone can convince me otherwise!

I have read the "12 Steps to Take Now" but in all honesty there needs to be a "3 Things You Need to Know Before you read 12 Steps". "12 Steps" has been written by someone with an in depth knowledge of all things Data. I haven't got that.

I would like to know in easy to understand, non-TLA'd language:
1 - what is data? Name only? Name with phone number?
2 - what activities are legitimate (lawful basis?) uses of that data? Wages? Quotations? Invoices? Delivery notes?
3 - if I only use that data for my own business i.e. I don't sell it or pass it on, do I need to seek consent to retain it?


Sheepshanks

32,830 posts

120 months

Thursday 11th January 2018
Pot Bellied Fool said:
Though I notice my daughter's school has a notice board with pupils' medical details (the kids that have inhalers or other medications) on the wall for teachers' reference - pity it faces a window and is clearly visible to all & sundry...
Also as I mentioned before that was the other thing the teacher said - I didn't quite get this but basically there's a sheet that's supposed to be openly accessible and anyone who walks into the room can see it. They've been told they won't be able to do this, but no alternative solution has been suggested.

Edited by Sheepshanks on Thursday 11th January 12:32

CzechItOut

2,154 posts

192 months

Thursday 11th January 2018
RicksAlfas said:
I would like to know in easy to understand, non-TLA'd language:
1 - what is data? Name only? Name with phone number?
Any data which can be used to identify a person, so name, address, telephone number, email, DoB, age, gender etc. Basically, the safest assumption is any data related to an individual.

RicksAlfas said:
2 - what activities are legitimate (lawful basis?) uses of that data? Wages? Quotations? Invoices? Delivery notes?
Any activity which is relevant to your business. There is nothing wrong with collecting and storing data, as long as you have a legitimate use for that data. So for example, if you pay people, you obviously need their bank account details. If you want to be able to contact an employee's next of kin, you can legitimately collect their emergency contact details.

What you can't do is collect information you have no legitimate use for and/or retain data for longer than you need it.

RicksAlfas said:
3 - if I only use that data for my own business i.e. I don't sell it or pass it on, do I need to seek consent to retain it?
Yes. People have the right to be informed of what data you are collecting and why.