Viewing 37 posts - 1 through 37 (of 37 total)
  • Have we done new GDPR 2018 regs…
  • the-muffin-man
    Full Member

    I’ve looked at a leaflet about it.

    Might have a closer look in April next year! 😀

    I wonder how many GDPR ‘consultancies’ will pop-up in the next 6 months!?

    Kryton57
    Full Member

    I know quite a bit about it, as I’m selling one of the world’s leading MDM / data location / data integration tools to help fulfil the IT requirement.

    Email in profile if you want one 😀

    tootallpaul
    Full Member

    I’ve been working on it for the last year for a major charity…

    It is scary.

    😮

    Feel free to drop me a line.

    bikebouy
    Free Member

    Yip, neck deep innit, innit.

    Rumour has it not all will comply by May18, two seminars last week had heads nodding but fingers crossed.

    hjghg5
    Free Member

    I also know quite a lot about it as I’m a data protection lawyer…

    Do NOT leave it til April…

    hjghg5
    Free Member

    (I agree that lots of people won’t comply by May but people who at least have a plan will be in a much better position than those who bury their heads in the sand)

    flange
    Free Member

    I’ve recently completed the foundation certification in it (a little knowledge is a dangerous thing). My job is all about data so I didn’t have much choice but until I’d gone on the course I had no idea how far-reaching nor how big an impact it will have.

    It’s pretty major and will hit pretty much any company that holds personal data on file, from customers to employees. Basically companies will have to contact each individual and tell them what data they have, what they use it for and ask permission to continue to hold it. If the customer says no, which most will, they then have to delete it.

    In addition to this, it also uses the terms ‘controller’ and ‘processor’ where both can be held responsible should a data breach occur. A controller would be someone like (as an example) Tesco. Should Tesco host their infrastructure in the cloud (AWS, Azure) then AWS or Azure become a ‘processor’.

    Apparently they’re looking to make examples of those that break the rules. There are 2 fine bands, depending on the severity of the rules broken. Lesser rule breakage will be 2% of annual turnover or 10 million euros, whichever is higher. The really naughty boys will get done for either 20 million or 4% of turnover, again whichever is higher.

    I’m pretty certain that nobody has really taken this that seriously yet and there’s going to be an awful lot of panicking going on in April next year.

    Oh and as an aside, apparently if N Power had been fined next year rather than this year for their recent breach, it would have put them into receivership.

    Setting up a consultancy to deal with such things did cross my mind…

    sadmadalan
    Full Member

    I am kicking off our work next week – I have documents on my desk about it – one good way of putting you to sleep!

    leffeboy
    Full Member

    Yep, all over it at the moment. It’s not too bad, you just have lots of decisions to make over your data and your reasons for keeping it

    Overall I think it’s a good thing but it’s real work to deal with

    bikebouy
    Free Member

    I can provide a Scope and Approach plan if you need it 😀

    At cost, Obvz.. consultancy you say.. by golly why a fabulous idea 😉

    Anyone put the jitters up the Digital tech lads yet? 😆

    matt_outandabout
    Full Member

    We are on it – small organisation, one person been on training and starting to work through our compliance…

    It’s more scary from a ‘where we are now’ to ‘where we will be soon’ point of view.

    I also know we are pretty good so far in comparison with many – we do have lots in place already. It is some of the small detail that seems to be causing us some hilarity. For example, I have yesterday’s register from a course on my desk, it has been all morning. Apparently it should not be there, it should be locked away, being worked with, or shredded. No ‘leaving’ it for a couple of hours until I get round to it. In addition the statement at the top about us using their contact info and opting into our newsletter is not clear or broad enough etc etc (And we have a hundred forms like this…)

    I wonder how many GDPR ‘consultancies’ will pop-up in the next 6 months!?

    Who will put fear of God into folk about compliance, spread half truths and charge a freakkin’ fortune for the privilege.
    I’m tempted – time to set up a new company – GDPR Compliance 4 you?

    Kryton57
    Full Member

    Rumour has it not all will comply by May18

    Do NOT leave it til April…

    In my experience most companies are trying something to meet the high level requirements, but have left it too late to have a comprehensive solution. There’ll be lots of inward gasps at the first high profile fine, which will be challenged, as will many others. That will galvanise people. I’ve heard statements like “we’ll never be allowed to have that fine applied, as doing so would remove a whole public service (budget) from our remit” from public sector.

    And to a point they are right – a high level fine could make them incapable of say, emptying your bins weekly any more, so they’ll defend against it with lawyers like mad and it will go on for some time whilst you read “Euro data fine strips UK public of core services” headlines in the Daily Express*

    *other newspapers are available

    40mpg
    Full Member

    We are currently reviewing this in relation to our mountain bike club!

    swedishmatt
    Free Member

    I’m starting my new role as employee data manager in 5 days. Just in time for all the fun.

    Kill/cure data assets internally (thousands)
    Blockchain solutions
    Contractual work
    Clarity with suppliers and vendors on “are you the data controller”

    There’s a lot of focus. Otherwise – BEEELIONS to the EU 🙂

    bikebouy
    Free Member

    I’m doing my sailing club’s FOC…

    matt_outandabout
    Full Member

    It is also some of the requests to see all the data held or be deleted that could cause massive headaches for us – we have hundreds of children on film/photo online and in print, and they can all at 18 ask to be deleted and removed…

    Kryton57
    Full Member

    MOAB – you need to be able to present that data upon request in an appropriate “single view” of which there is a definition, and also be able to manage the deletion without corruption of that data or partial pieces thereof upon request e.g.

    a) I’ve requested all the data you hold related to me. you have 40 days (later to be 28 days) to do so.

    b) Of that data, I want my date of birth removed, but I give you consent to store the rest. And you need to prove it – see a) above.

    Imagine that in your local council, amazon, STW, NHS, etc…

    flange
    Free Member

    and they can all at 18 ask to be deleted and removed…

    And my understanding is that their parents can ask now and the responsibility is yours to find out who the parents are and contact them asking the questions.

    flange
    Free Member

    Most companies don’t even know where they hold their customer data, or hold it in multiple places in various states of incompleteness. I reckon I’ve got contracts for the next two years if I want them! Mwahahaha

    Interesting point – local councils won’t be allowed to call in 3rd party debt collectors anymore. So that unpaid parking fine will just have to sit there unpaid…

    mogrim
    Full Member

    MOAB – you need to be able to present that data upon request in an appropriate “single view” of which there is a definition, and also be able to manage the deletion without corruption of that data or partial pieces thereof upon request e.g.

    a) I’ve requested all the data you hold related to me. you have 40 days (later to be 28 days) to do so.

    b) Of that data, I want my date of birth removed, but I give you consent to store the rest. And you need to prove it – see a) above.

    Imagine that in your local council, amazon, STW, NHS, etc…

    Does (b) allow for the company to say “that’s technically impossible, but I can delete all your information for you”?

    Kryton57
    Full Member

    Most companies don’t even know where they hold their customer data, or hold it in multiple places in various states of incompleteness.

    I’ve got a solution for that 🙂 Fancy partnering with us Flange?

    Kryton57
    Full Member

    Does (b) allow for the company to say “that’s technically impossible, but I can delete all your information for you”?

    I’m not sure tbh, but that may also be technically impossible if you start to think about relational databases and related databases with data integration across a business.

    tootallpaul
    Full Member

    Kryton- and don’t forget about Backups…

    🙂

    If you have a request to be forgotten, how are you going to remove all that data from that pile of backup tapes?

    flange
    Free Member

    Yeah – gimme a shout Kryton – the team building days should be a laugh!

    Regarding deletion – as Kryton mentions, a lot of companies will struggle with ‘deletion’ in that in doing so they’ll break the referential integrity of the system that they’re held in. Perhaps a better method would be to mask the date of birth rather than removing it.

    I know of one company that uses DOB as part of the customer key – try deleting that and see what happens.
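The two problems raised above (Kryton’s “single view” for an access request, and flange’s point that deleting a field like date of birth breaks referential integrity, so masking is safer) as an added example that is not part of this thread; it assumes a constructed SQLite schema with customers and orders tables and a hypothetical erasure_log table used as the proof-of-erasure record.

```python
import sqlite3
from datetime import datetime, timezone

MASK = "[erased]"  # placeholder written over an erased field; the row and its key stay
ERASABLE = ("name", "email", "dob")  # whitelist, so the UPDATE below is never user-controlled

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, dob TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY,
                     customer_id INTEGER NOT NULL REFERENCES customers(id), total REAL);
CREATE TABLE erasure_log (customer_id INTEGER, field TEXT, erased_at TEXT);
"""

def open_db():
    """In-memory database with constructed sample rows (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the orders -> customers link
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES (1, 'A. Rider', 'a.rider@example.test', '1980-01-02')")
    conn.executemany("INSERT INTO orders VALUES (?, 1, ?)", [(10, 49.99), (11, 120.0)])
    conn.commit()
    return conn

def single_view(conn, customer_id):
    """Access request: everything held on one person, assembled into one record."""
    row = conn.execute("SELECT id, name, email, dob FROM customers WHERE id = ?",
                       (customer_id,)).fetchone()
    if row is None:
        return None
    orders = conn.execute("SELECT id, total FROM orders WHERE customer_id = ?",
                          (customer_id,)).fetchall()
    return {"id": row[0], "name": row[1], "email": row[2], "dob": row[3],
            "orders": [{"id": o[0], "total": o[1]} for o in orders]}

def naive_delete(conn, customer_id):
    """Outright DELETE of the customer row; fails while orders still reference it."""
    try:
        conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:  # FOREIGN KEY constraint failed
        conn.rollback()
        return False

def mask_field(conn, customer_id, field):
    """Partial erasure: overwrite one field, keep the key, and log the action as proof."""
    if field not in ERASABLE:
        raise ValueError("not an erasable field")
    stamp = datetime.now(timezone.utc).isoformat()
    conn.execute(f"UPDATE customers SET {field} = ? WHERE id = ?", (MASK, customer_id))
    conn.execute("INSERT INTO erasure_log VALUES (?, ?, ?)", (customer_id, field, stamp))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM erasure_log WHERE customer_id = ? AND field = ?",
                        (customer_id, field)).fetchone()[0]
```

Running it shows the failure mode and the fix side by side: naive_delete returns False because of the foreign key, while mask_field erases the date of birth, leaves the orders intact, and leaves a log row to answer “prove it”.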

    whitestone
    Free Member

    In my experience of people (not) reading forms there’s going to be a lot of PPI-like claims going on: “You never told me …”.

    I went through the ICO summary (itself big enough) earlier this year and even for a small club with very limited data on members (no DoB or home address for example) I had a couple of pages of ToDo items.

    matt_outandabout
    Full Member

    Imagine that in your local council, amazon, STW, NHS, etc…

    It could be a quick way of one company messing with another as well – batter them with multiple, complex GDPR data views, partial changes etc…

    Kryton57
    Full Member

    a lot of PPI-like

    The Government expert that came to brief us on GDPR explained it as exactly that – the new PPI…

    trailwagger
    Free Member

    We have been looking at this the last couple of months. It’s still unclear to me what the scope of “personal data” actually is.

    For example, are contacts on a mobile phone “personal data”?

    bikebouy
    Free Member

    Erm.. the company holding the data can refuse to uphold the request to “the right to be forgotten” if they deem it necessary to hold the Data.. for instance the NHS will need to keep certain Data, but Wiggle won’t.

    One major point I’m finding is the Data held by Digitech companies, those that gather either for themselves or sell on.. the rules state the company selling Data have the responsibility to pass Data onto a company that comply with the new ruling.. so example: online bike bits retailer sells Data containing purchasing info (name, address, spending profile etc) to another company who aren’t compliant means the controller is liable still until the purchaser is compliant.. and that could be some while…

    Anyway, all good fun.

    But a lot of this stuff is basic DPA98 enhanced for the digital world..

    oldmanmtb
    Free Member

    We are doing lots of Gap Analysis and remediation work for clients ranging from very large to SME.

    Been working in this space for over 2 years, our background in PCI DSS, ISO27001, NHS IG Toolkit etc has helped us deliver against the needs of GDPR.

    So much work it’s crazy

    oldmanmtb
    Free Member

    Forgot to say don’t panic Matt, most of it’s common sense, housekeeping etc. Happy to offer some guidance at no charge – not sure how you get in contact on here?

    dudeofdoom
    Full Member

    Yeah how does this work with backups 🙂

    bikebouy
    Free Member

    Anyone gone properly down the ISO27…… suite route?

    Our lot haven’t, and I only know of one organisation in my field that is..

    Northwind
    Full Member

    We’re quite far into it already and, to be honest, absolutely terrified- with the best will in the world we’re an inefficient organisation with so many shadow systems and little homegrown spreadsheets and the like, it’s a nightmare for the poor sods that are dealing with it. My role so far has been to throw up about 10 million extra problems that they’d not thought of, and to provide no solutions, so I’m really popular.

    matt_outandabout – Member

    It is also some of the requests to see all the data held or be deleted that could cause massive headaches for us – we have hundreds of children on film/photo online and in print, and they can all at 18 ask to be deleted and removed…

    I can’t be the only one itching to do a really horrible inappropriate joke here, can I?

    matt_outandabout
    Full Member

    Just you. 😉

    Sandwich
    Full Member

    We’re quite far into it already and, to be honest, absolutely terrified- with the best will in the world we’re an inefficient organisation with so many shadow systems and little homegrown spreadsheets and the like, it’s a nightmare for the poor sods that are dealing with it.

    If it’s still the same leaky telecoms outfit your first fine under the new regime will serve as an awful warning to the rest of us. 😉

    I have an employer that likes to hoard paperwork, he will be unhappy when we start firing up the shredder (PCI compliant) to delete data.


The topic ‘Have we done new GDPR 2018 regs…’ is closed to new replies.