General Data Protection Regulation - Heads Up

AMG Merc

11,954 posts

252 months

Wednesday 22nd November 2017
I send out regular reminder messages to our contacts, have also added a countdown timer on a blog ( https://www.paceit.co.uk/general-data-protection-r... ) - but no one seems to be taking this seriously.

And, some think that Brexit means UK businesses don't need to comply - wrong! I thought the threat of a max Eur 20M fine would help, but no wink

plasticpig

12,932 posts

224 months

Wednesday 22nd November 2017
DELETED: Comment made by a member whose account has been deleted.
Don't think that is the case. They are providing a service for employers to look at the skill sets of existing employees. Mainly seems to be focused on identifying skill sets that the employer already has in house and employee retention.


DELETED: Comment made by a member whose account has been deleted.
The problem with this is a US court could tell Linkedin they had to allow scraping of all details as has just been done. It really requires an international treaty to sort this out rather than individual countries or blocks of countries making up their own rules as there will invariably be conflict without this.

DELETED: Comment made by a member whose account has been deleted.
Yes I know. I was referring to the shiny new PECR proposed directive and not the old one (Directive 2002/58/EC). The old one does not seek to give global corporations the same privacy rights as individuals when it comes to electronic communications.

Frimley111R

15,537 posts

233 months

Friday 24th November 2017
Interesting requirement for GDPR in shop cameras

https://www.ifsecglobal.com/face-pixellating-modul...

CzechItOut

2,154 posts

190 months

Wednesday 29th November 2017
Another bunch of companies to add to my ever-growing SARs list post May 2018:

http://www.bbc.co.uk/news/technology-42065650

Sheepshanks

32,535 posts

118 months

Wednesday 29th November 2017
DELETED: Comment made by a member whose account has been deleted.
As a sales organisation I've no idea how we could function without dramatically changing the way we work and the relationship we have with associates, customers and suppliers. The open exchange of information between all parties is a pretty fundamental part of what we do.

anonymous-user

Original Poster:

53 months

Wednesday 29th November 2017
We've gone high tech -

AMG Merc

11,954 posts

252 months

Wednesday 29th November 2017
Breadvan72 said:
We've gone high tech -

I pity the person tasked with keying that lot into Salesforce laugh

Sheepshanks

32,535 posts

118 months

Wednesday 29th November 2017
DELETED: Comment made by a member whose account has been deleted.
A lot of people (at least in our firm!) seem to think that it won't apply to companies under 250 employees who don't process sensitive data. We're 25 people and we certainly don't keep anything other than the usual business contact information.

However pretty well everything you Google says this isn't correct!

CzechItOut

2,154 posts

190 months

Wednesday 29th November 2017
DELETED: Comment made by a member whose account has been deleted.
Some companies seem to be claiming "legitimate use" as a get out clause for collecting data without consent. I think soon after May 2018 there will be some test cases to determine whether companies need an individual's consent to collect and store their data and where the line of legitimate use lies.

CzechItOut

2,154 posts

190 months

Thursday 30th November 2017
Sheepshanks said:
A lot of people (at least in our firm!) seem to think that it won't apply to companies under 250 employees who don't process sensitive data. We're 25 people and we certainly don't keep anything other than the usual business contact information.

However pretty well everything you Google says this isn't correct!
Anything which can be used to identify a person falls within GDPR, this includes name, address, email etc. It certainly doesn't just have to be sensitive data.

anonymous-user

Original Poster:

53 months

Thursday 30th November 2017
The Government promises businesses light touch data regulation. At the same time it promises citizens strong and effective data control. Having cake and eating it is all the fashion these days.

Sheepshanks

32,535 posts

118 months

Thursday 30th November 2017
CzechItOut said:
Sheepshanks said:
A lot of people (at least in our firm!) seem to think that it won't apply to companies under 250 employees who don't process sensitive data. We're 25 people and we certainly don't keep anything other than the usual business contact information.

However pretty well everything you Google says this isn't correct!
Anything which can be used to identify a person falls within GDPR, this includes name, address, email etc. It certainly doesn't just have to be sensitive data.
Right - but there are different levels. There's personal data, sensitive data (race, religion etc), data on children etc. The assertion by some is that under Article 30 of the Regulation, if the company is less than 250 people and isn't processing any sensitive data then small companies don't need to worry about it, other than being able to demonstrate that it doesn't apply to them.

Eric Mc

121,784 posts

264 months

Thursday 30th November 2017
Breadvan72 said:
The Government promises businesses light touch data regulation. At the same time it promises citizens strong and effective data control. Having cake and eating it is all the fashion these days
Don't they just.

Wasn't that Jim Hacker's first ministerial brief in "Yes Minister" back in 1981?

plasticpig

12,932 posts

224 months

Thursday 30th November 2017
Looks like one of the main challenges could be identifying where personal data is stored. Was speaking to an IT manager of a BtoC company. Not that big in the scheme of things with a turnover of around £40 million. They have just completed an audit and identified over 1/2 million documents which contain personal data. That's email, Word documents, PDFs and Excel sheets etc sitting outside of their core business software...
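
The audit step described in the post above, finding documents that hold personal data outside the core business systems, can be started with a content scan over a file share. The following is an added example, not code from the thread or from any poster. It uses constructed sample files (made-up names, addresses and numbers), heuristic regular expressions for e-mail addresses, UK-style phone numbers and UK National Insurance numbers, and reads only plain-text formats; Word, PDF and Excel files would need a text-extraction step first, which this example deliberately skips:

```python
"""Rough personal-data discovery over a directory of plain-text files.

Added example, not from the thread. Patterns are heuristic regexes for
e-mail addresses, UK-style phone numbers and UK National Insurance numbers.
Binary formats (Word, PDF, Excel) are skipped; they need text extraction first.
"""
import os
import re
import tempfile
from collections import Counter

# Heuristic patterns; false positives are expected, every hit needs review.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK landline/mobile written with a leading 0, optional spaces or dashes.
    "uk_phone": re.compile(r"\b0\d{2,4}[ -]?\d{3,4}[ -]?\d{3,4}\b"),
    # UK National Insurance number: two letters, six digits, suffix letter A-D.
    "ni_number": re.compile(r"\b[A-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"),
}

TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".eml"}


def find_personal_data(text):
    """Return a Counter of pattern name -> number of matches in text."""
    counts = Counter()
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            counts[name] = len(hits)
    return counts


def scan_tree(root):
    """Walk root and return {relative path: Counter} for files with any hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in TEXT_EXTENSIONS:
                continue  # binary formats need an extractor first
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                counts = find_personal_data(fh.read())
            if counts:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = counts
    return findings


def build_sample_tree(root):
    """Write constructed sample files (all data made up) under root."""
    samples = {
        "sales/contacts.csv": "name,email,phone\n"
                              "A Example,a.example@example.com,0161 496 0123\n"
                              "B Example,b.example@example.org,07700 900123\n",
        "hr/notes.txt": "Payroll query from QQ 12 34 56 C, call back on 020 7946 0123.\n",
        "docs/readme.md": "Internal style guide. No contact details in here.\n",
        "archive/old.pdf": "%PDF-1.4 binary placeholder, skipped by the scanner\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, counts in sorted(demo().items()):
        print(path, dict(counts))
```

The output is a list of leads, not a determination: a file with hits needs a human to decide whether the content is personal data, whether it should still be held, and which system of record it belongs in. Extending the scan to Word, PDF and Excel means adding an extraction layer in front of `find_personal_data`, keeping the same pattern table.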
JakeT

5,406 posts

119 months

Thursday 30th November 2017
AMG Merc said:
Breadvan72 said:
We've gone high tech -

I pity the person tasked with keying that lot into Salesforce laugh
You did enter these as Opportunities, didn't you?

Slightly more on topic, my firm does quite a bit of GDPR work with marketing agencies of all sorts of firms. There are a lot of high-level execs in companies that still don't really have a clue. Looking at recent headlines, Uber don't either.

CzechItOut

2,154 posts

190 months

Thursday 30th November 2017
Sheepshanks said:
Right - but there are different levels. There's personal data, sensitive data (race, religion etc), data on children etc. The assertion by some is that under Article 30 of the Regulation, if the company is less than 250 people and isn't processing any sensitive data then small companies don't need to worry about it, other than being able to demonstrate that it doesn't apply to them.
This is what I can find:

Article 30 said:
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Given the "rights and freedoms" under GDPR will be:

The right to be informed
The right of access
The right to rectification
The right to erase
The right to restrict processing
The right to data portability
The right to object

Therefore, it suggests that I can exercise my "right to access" the data you hold about me and the fact that you are under 250 employees does not mean you can deny me my rights.

That's just my opinion. As with most regulations, they are very much open to interpretation!


plasticpig

12,932 posts

224 months

Thursday 30th November 2017
CzechItOut said:
Given the "rights and freedoms" under GDPR will be:

The right to be informed
The right of access
The right to rectification
The right to erase
The right to restrict processing
The right to data portability
The right to object

Therefore, it suggests that I can exercise my "right to access" the data you hold about me and the fact that you are under 250 employees does not mean you can deny me my rights.

That's just my opinion. As with most regulations, they are very much open to interpretation!
The exclusion in Article 30 concerns exemptions for maintaining records of processing activities and doesn't exempt companies from complying with the rest of the GDPR.

Sheepshanks

32,535 posts

118 months

Thursday 30th November 2017
CzechItOut said:
This is what I can find:

Article 30 said:
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Given the "rights and freedoms" under GDPR will be:

The right to be informed
The right of access
The right to rectification
The right to erase
The right to restrict processing
The right to data portability
The right to object

Therefore, it suggests that I can exercise my "right to access" the data you hold about me and the fact that you are under 250 employees does not mean you can deny me my rights.

That's just my opinion. As with most regulations, they are very much open to interpretation!
It's a complete nightmare but I don't think those two "rights and freedoms" refer to the same thing. The first one talks about risk, and I read that as the risk to individuals of their personal data, especially special category data, being revealed. I've found if you try and pull information from two sources you can end up going around in circles.

The main thing I've seen queries about is what constitutes "not occasional".
Frimley111R

15,537 posts

233 months

Friday 1st December 2017
We have gone down the 'sort your database out in a common sense way' as a first step, deduping, deleting records with zero contact details on, calling our 'best records' etc as there is still ambiguity in GDPR regs.

The 'legitimate use' term is something we are going to take a common sense approach to. For example, records with no activity for X years will be deleted unless we speak to them or get some communication from them up until May.

GDPR sets out a lot of detail but fundamentally it's just a common sense way to manage your data and communicate with it.

CzechItOut

2,154 posts

190 months

Friday 1st December 2017
DELETED: Comment made by a member whose account has been deleted.
What's your definition of a "data breach" in this context?