GDPR - anyone working in this area?

Eric Mc

121,776 posts

264 months

Thursday 26th October 2017
I'm not sure it will achieve any of those things. Are you saying current regulation is not sufficient as it is?

I have no problem giving the ICO more teeth regards prosecutions. But could that not have been done by just making use of the current laws?

Bikerjon

Original Poster:

2,202 posts

160 months

Thursday 26th October 2017
Eric Mc said:
I'm just wondering what great benefit this set of regulations will bring.
I'm sure you're not the only one! I'm all for protecting genuinely sensitive information, but when half the nation seems to "share" their life on social media for anyone to see, it seems a bit hypocritical for businesses to tie themselves in knots protecting what in many instances will be relatively trivial data.

plasticpig

12,932 posts

224 months

Thursday 26th October 2017
DELETED: Comment made by a member who's account has been deleted.
Whilst I agree the old act is no longer fit for purpose I think the scope of GDPR is a bit too wide. Unless I am missing something then commercial email addresses will be considered personal data. If I store a list of contact names with DDI, company mobile number and email address against a company name and address that would constitute enough to identify a natural person in the vast majority of instances.

Even a generic email address (e.g. Sales@DomainName.com) could constitute enough to identify a natural person if it was for a one man band Ltd company.

There is a potential for conflict over what the individual wishes and what the commercial organisation wishes in terms of processing data. If the person tells me they do not wish their data to be kept and processed but the company tells me to keep the data and process it then what would I do?


wombleh

1,777 posts

121 months

Thursday 26th October 2017
Eric Mc said:
I'm not sure it will achieve any of those things. Are you saying current regulation is not sufficient as it is?

I have no problem giving the ICO more teeth regards prosecutions. But could that not have been done by just making use of the current laws?
There was a previous directive but it was felt that euro countries weren't implementing it consistently enough hence the regulation. I'm not sure whether the UK was thought to be part of the problem.

Personally I think the DPA was good enough but the fines were a joke, was often cheaper to just pay them than fix the problem.

anonymous-user

53 months

Thursday 26th October 2017
Some interesting issues for companies that have tracking/telematics devices in cars that are used for personal use.

It seems as if people are finally waking up to the fact that this is happening!

Bikerjon

Original Poster:

2,202 posts

160 months

Friday 27th October 2017
anonymous said:
[redacted]
Good example, although I have to say I rely on DPD a lot and have found them by far the best! 1 text and 1 email with an hour time-slot is a very welcome form of communication for me - bizarre you get 3.

Can't help feeling this is just part of modern life though. I know some people get very uptight about this, but I just wonder in the scheme of things if it really is that big a deal? By all means protect medical, financial, legal data etc with the appropriate legislation, but I really couldn't care less if a courier company retains my name and address for a bit longer than it should.


Eric Mc

121,776 posts

264 months

Friday 27th October 2017
wombleh said:
There was a previous directive but it was felt that euro countries weren't implementing it consistently enough hence the regulation. I'm not sure whether the UK was thought to be part of the problem.

Personally I think the DPA was good enough but the fines were a joke, was often cheaper to just pay them than fix the problem.
Just increase the fines then - nothing else required. Far simpler, far less bureaucratic and probably far less costly to implement.

Eric Mc

121,776 posts

264 months

Friday 27th October 2017
Eric Mc said:
Just increase the fines then - nothing else required. Far simpler, far less bureaucratic and probably far less costly to implement.
DELETED: Comment made by a member who's account has been deleted.
Of course it's right.

Will the GDPR make the wrongdoers do the right thing?

plasticpig

12,932 posts

224 months

Friday 27th October 2017
DELETED: Comment made by a member who's account has been deleted.
The actual situation I was thinking of is emails chasing for payment of an overdue invoice rather than email marketing. I won't assume that is a legal basis for sending out daily emails to the debtor but it should be IMO if it isn't.



Eric Mc

121,776 posts

264 months

Friday 27th October 2017
anonymous said:
[redacted]
Proof will be in the pudding.

Over the last 20 years, HMRC has gathered to itself more and more powers. Tax law has got harsher and harsher, with massive fines and penalties accruing on those who misbehave, and is more extensive than at any time in the history of this nation.

Yet tax evasion is at record levels.

I remain to be convinced that more and more harsh laws mean that suddenly everybody develops a conscience and starts doing things correctly.

Eric Mc

121,776 posts

264 months

Friday 27th October 2017
Would reputational damage not happen without additional legislation?

anonymous-user

53 months

Friday 27th October 2017
Eric Mc said:
Would reputational damage not happen without additional legislation?
Is there provision for consequential loss in the new rules?

Eric Mc

121,776 posts

264 months

Friday 27th October 2017
Eric Mc said:
Would reputational damage not happen without additional legislation?
DELETED: Comment made by a member who's account has been deleted.
Think you might have swallowed the compliance bible in one gulp.

In the real world, you don't need massive volumes of rules for an organisation to suffer a reputational catastrophe. Ask Gerald Ratner.



plasticpig

12,932 posts

224 months

Friday 27th October 2017
DELETED: Comment made by a member who's account has been deleted.
Good luck with a PECR claim. Although people have won they have also lost. Some people have won but been awarded no damages because the damage one spam email can cause is either not quantifiable or is very close to zero.

Eric Mc

121,776 posts

264 months

Friday 27th October 2017
DELETED: Comment made by a member who's account has been deleted.
If the measure of usefulness of a person is based on how willing they are to put up with over the top rules and regulations, then I would be glad to retire.

Indeed, if society is moving towards an era of complicity with over-extensive government edicts and other state-sponsored directives, then yes, retirement does have its attractions.

Unfortunately, I don't particularly want to retire just yet and I will need to put up with all this ste, just like I've been doing for forty plus years.

PixelpeepS3

8,600 posts

141 months

Friday 27th October 2017
My other half is the registered DPO for her business and is the GDPR champion.

I am currently halfway through a CBCI qualification with a mind to running it in parallel with ISO 27001 at my company, so plenty of overlap with GDPR.


If you take away the extortionate charges 'consultants' will charge, using the threat of being bankrupt after a breach as validation, I think this is a good thing and absolutely needed to happen.

You can't just store stuff on people and not care or spend any money protecting it.

ahem... NHS using WinXP 2 years after support ended ?!

Flooble

5,565 posts

99 months

Tuesday 5th December 2017
How can you get a waiver on the law?

Perhaps what he means is that there's not really any such thing as "certification" for GDPR per se - there may be in the future - so at the moment if you can show you have followed good practices (e.g. encrypting data) then you are unlikely to have a problem. But that's not the same as a waiver.

I think this is perhaps the best and worst part of how GDPR has been put in. There's no "by the numbers" certificate to wave around, you have to have actually thought about your requirements. But that also leaves a big wodge of uncertainty - will passing an ISO27001 audit mean you aren't liable under GDPR? Maybe, maybe not ... a lot of the GDPR isn't really around IT stuff anyway and I've not seen many ISO27001 audits which went into that much detail on contracts beyond vendor audits and so forth.

Frimley111R

15,537 posts

233 months

Tuesday 5th December 2017
swerni said:
He's trying to imply that, as long as we are showing best endeavours and have a plan, we will be okay, rather than having a hard stop in May.
Yep, despite some ridiculous scare mongering this is basically about good practice and a common sense approach. IMO fines will really apply to companies who heavily flout the legislation/law

coldel

7,732 posts

145 months

Tuesday 5th December 2017
I have just started getting involved in meetings on GDPR with the company I work at (large data business) and it's more than just a tweak to the DPA; it's much more of a step change from the two meetings I have been to and shouldn't be underestimated.

We have brought in consultants and they are doing a fair bit more than just telling people to tighten things up. I wonder how many companies regularly delete all personal data. CVs, for instance, have to be deleted unless you have express permission to store them, and even then you can only hold them for a certain length of time. I bet most businesses just dump them in a folder and leave them there.

If you get audited and are seen to be failing on multiple counts it's a big issue. Why take the risk? And, to be quite honest, where data breaches are becoming all too regular, why put yourself at risk? GDPR actually makes a lot of sense.

JDuck

276 posts

180 months

Tuesday 5th December 2017
A company I know has something called GDPR Portal. We're using it ourselves and it looks really good to get us prepared.

https://www.gdpr-portal.com/

The video on the home page has a good explanation too.