This topic has 36 replies, 18 voices, and was last updated 6 years ago by Sandwich.

Have we done new GDPR 2018 regs…
matt_outandabout (Full Member)
http://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
We are having some ‘fun’ working out what some of this means – and it seems quite scary…
Anyone else know more about it…?
the-muffin-man (Full Member)
I’ve looked at a leaflet about it.
Might have a closer look in April next year! 😀
I wonder how many GDPR ‘consultancies’ will pop-up in the next 6 months!?
Kryton57 (Full Member)
I know quite a bit about it, as I’m selling one of the world’s leading MDM / data location / data integration tools to help fulfil the IT requirement.
Email in profile if you want one 😀
tootallpaul (Full Member)
I’ve been working on it for the last year for a major charity…
It is scary.
😮
Feel free to drop me a line.
bikebouy (Free Member)
Yip, neck deep innit, innit.
Rumour has it not all will comply by May18, two seminars last week had heads nodding but fingers crossed.
hjghg5 (Free Member)
I also know quite a lot about it as I’m a data protection lawyer…
Do NOT leave it til April…
hjghg5 (Free Member)
(I agree that lots of people won’t comply by May but people who at least have a plan will be in a much better position than those who bury their heads in the sand)
flange (Free Member)
I’ve recently completed the foundation certification in it (a little knowledge is a dangerous thing). My job is all about data so I didn’t have much choice but until I’d gone on the course I had no idea how far-reaching nor how big an impact it will have.
It’s pretty major and will hit pretty much any company that holds personal data on file, from customers to employees. Basically companies will have to contact each individual and tell them what data they have, what they use it for and ask permission to continue to hold it. If the customer says no, which most will, they then have to delete it.
In addition to this, it also uses the terms ‘controller’ and ‘processor’ where both can be held responsible should a data breach occur. A controller would be someone like (as an example) Tesco. Should Tesco host their infrastructure in the cloud (AWS, Azure) then AWS or Azure become a ‘processor’.
Apparently they’re looking to make examples of those that break the rules. There are 2 fine bands, depending on the severity of the rules broken. Lesser rule breakage will be 2% of annual turnover or 10 million euros, whichever is higher. The really naughty boys will get done for either 20 million or 4% of turnover, again whichever is higher.
I’m pretty certain that nobody has really taken this that seriously yet and there’s going to be an awful lot of panicking going on in April next year.
Oh and as an aside, apparently if N Power had been fined next year rather than this year for their recent breach, it would have put them into receivership..
Setting up a consultancy to deal with such things did cross my mind…
sadmadalan (Full Member)
I am kicking off our work next week – I have documents on my desk about it – one good way of putting you to sleep!
leffeboy (Full Member)
Yep, all over it at the moment. It’s not too bad, you just have lots of decisions to make over your data and your reasons for keeping it
Overall I think it’s a good thing but it’s real work to deal with
bikebouy (Free Member)
I can provide a Scope and Approach plan if you need it 😀
At cost, Obvz.. consultancy you say.. by golly why a fabulous idea 😉
Anyone put the jitters up the Digital tech lads yet? 😆
matt_outandabout (Full Member)
We are on it – small organisation, one person been on training and starting to work through our compliance…
It’s more scary from a ‘where we are now’ to ‘where we will be soon’ point of view.
I also know we are pretty good so far in comparison with many – we do have lots in place already. It is some of the small detail that seems to be causing us some hilarity. For example, I have yesterday’s register from a course on my desk, it has been all morning. Apparently it should not be there, it should be locked away, being worked with, or shredded. No ‘leaving’ it for a couple of hours until I get round to it. In addition the statement at the top about us using their contact info and opting into our newsletter is not clear or broad enough etc etc (And we have a hundred forms like this…)
> I wonder how many GDPR ‘consultancies’ will pop-up in the next 6 months!?
Who will put fear of God into folk about compliance, spread half truths and charge a freakkin’ fortune for the privilege.
I’m tempted – time to set up a new company – GDPR Compliance 4 you?
Kryton57 (Full Member)
> Rumour has it not all will comply by May18
> Do NOT leave it til April…
In my experience most companies are trying something to meet the high level requirements, but have left it too late to have a comprehensive solution. There’ll be lots of inward gasps at the first high profile fine, which will be challenged, as will many others. That will galvanise people. I’ve heard statements like “we’ll never be allowed to have that fine applied, as doing so would remove a whole public service (budget) from our remit” from public sector.
And to a point they are right – a high level fine could make them incapable of say, emptying your bins weekly any more, so they’ll defend against it with lawyers like mad and it will go on for some time whilst you read “Euro data fine strips UK public of core services” headlines in the Daily Express*
*other newspapers are available
40mpg (Full Member)
We are currently reviewing this in relation to our mountain bike club!
swedishmatt (Free Member)
I’m starting my new role as employee data manager in 5 days. Just in time for all the fun.
Kill/cure data assets internally (thousands)
Blockchain solutions
Contractual work
Clarity with suppliers and vendors on “are you the data controller”
There’s a lot of focus. Otherwise – BEEELIONS to the EU 🙂
matt_outandabout (Full Member)
It is also some of the requests to see all the data held or be deleted that could cause massive headaches for us – we have hundreds of children on film/photo online and in print, and they can all at 18 ask to be deleted and removed…
Kryton57 (Full Member)
MOAB – you need to be able to present that data upon request in an appropriate “single view” of which there is a definition, and also be able to manage the deletion without corruption of that data or partial pieces thereof upon request e.g.
a) I’ve requested all the data you hold related to me. you have 40 days (later to be 28 days) to do so.
b) Of that data, I want my date of birth removed, but I give you consent to store the rest. And you need to prove it – see a) above.
Imagine that in your local council, amazon, STW, NHS, etc…
flange (Free Member)
> and they can all at 18 ask to be deleted and removed…
And my understanding is that their parents can ask now and the responsibility is yours to find out who the parents are and contact them asking the questions.
flange (Free Member)
Most companies don’t even know where they hold their customer data, or hold it in multiple places in various states of incompleteness. I reckon I’ve got contracts for the next two years if I want them! Mwahahaha
Interesting point – local councils won’t be allowed to call in 3rd party debt collectors anymore. So that unpaid parking fine will just have to sit there unpaid…
mogrim (Full Member)
> MOAB – you need to be able to present that data upon request in an appropriate “single view” of which there is a definition, and also be able to manage the deletion without corruption of that data or partial pieces thereof upon request e.g.
> a) I’ve requested all the data you hold related to me. you have 40 days (later to be 28 days) to do so.
> b) Of that data, I want my data of birth removed, but I give you consent to store the rest. And you need to prove it – see a) above.
> Imagine that in your local council, amazon, STW, NHS, etc…
Does (b) allow for the company to say “that’s technically impossible, but I can delete all your information for you”?
Kryton57 (Full Member)
> Most companies don’t even know where they hold their customer data, or hold it in multiple places in various states of incompleteness.
Ive got a solution for that 🙂 Fancy partnering with us Flange?
Kryton57 (Full Member)
> Does (b) allow for the company to say “that’s technically impossible, but I can delete all your information for you”?
I’m not sure tbh, but that may also be technically impossible if you start to think about relational databases and related databases with data integration across a business.
tootallpaul (Full Member)
Kryton- and don’t forget about Backups…
🙂
If you have a request to be forgotten, how are you going to remove all that data from that pile of backup tapes?
flange (Free Member)
Yeah – gimme a shout Kryton – the team building days should be a laugh!
Regarding deletion – as Kryton mentions, a lot of companies will struggle with ‘deletion’ in that in doing so they’ll break the referential integrity of the system that they’re held in. Perhaps a better method would be to mask the date of birth rather than removing it.
I know of one company that uses DOB as part of the customer key – try deleting that and see what happens.
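The two points raised above (Kryton57's a) "single view" of everything held on a person and b) partial erasure that must be provable, and flange's suggestion of masking the date of birth rather than deleting it so referential integrity survives) can be shown in a small relational model. This is an added example, not code from the thread or from any product mentioned in it; the schema, table and column names, sample customers and the audit-log layout are all constructed assumptions.

```python
"""Erasure by masking instead of DELETE, preserving referential integrity.

Added example (not from the thread). The customers/orders schema, the
sample rows and the erasure_log audit table are constructed assumptions.
"""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE customers (
    id            INTEGER PRIMARY KEY,
    full_name     TEXT NOT NULL,
    email         TEXT NOT NULL UNIQUE,
    date_of_birth TEXT,
    postcode      TEXT
);
CREATE TABLE orders (
    id           INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL REFERENCES customers(id),
    item         TEXT NOT NULL,
    amount_pence INTEGER NOT NULL
);
CREATE TABLE erasure_log (
    id           INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL,
    fields       TEXT NOT NULL,
    requested_at TEXT NOT NULL
);
"""

# Constructed sample data: two people, one of whom has two orders.
CUSTOMERS = [
    (1, "Alice Example", "alice@example.org", "1980-04-12", "LS1 1AA"),
    (2, "Bob Example", "bob@example.org", "1975-09-30", "SK22 2BB"),
]
ORDERS = [(1, 1, "brake pads", 1999), (2, 1, "chain", 2499), (3, 2, "tyre", 4500)]

# Allow-list of columns that identify a person. Only these may be masked;
# keys and order history stay so accounting rows keep their references.
PII_FIELDS = {"full_name", "email", "date_of_birth", "postcode"}


def open_db():
    """In-memory SQLite with foreign keys enforced (off by default in SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?)", ORDERS)
    conn.commit()
    return conn


def subject_access_view(conn, customer_id):
    """'Single view' for an access request: the person's record, every row that
    references it, and the log of erasures already applied (the proof for b))."""
    person = conn.execute("SELECT * FROM customers WHERE id = ?", (customer_id,)).fetchone()
    if person is None:
        return None
    orders = conn.execute(
        "SELECT id, item, amount_pence FROM orders WHERE customer_id = ?", (customer_id,)).fetchall()
    log = conn.execute(
        "SELECT fields, requested_at FROM erasure_log WHERE customer_id = ?", (customer_id,)).fetchall()
    return {"customer": dict(person), "orders": [dict(o) for o in orders],
            "erasures": [dict(row) for row in log]}


def hard_delete(conn, customer_id):
    """Naive erasure: DELETE the customer row. With foreign keys enforced this
    fails while any order still points at the row, which is the breakage the
    thread describes. Returns True only if the delete went through."""
    try:
        conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def erase_fields(conn, customer_id, fields):
    """Mask only the requested PII columns in place and record the request.
    The primary key and the orders that reference it are untouched, so the
    order history stays consistent. Returns the number of columns masked."""
    fields = set(fields)
    unknown = fields - PII_FIELDS
    if unknown:
        raise ValueError(f"not erasable: {sorted(unknown)}")
    # A per-row pseudonym keeps the UNIQUE constraint on email satisfied.
    token = hashlib.sha256(f"erased:{customer_id}".encode()).hexdigest()[:12]
    masked = {"full_name": "[erased]", "email": f"erased-{token}@erased.invalid",
              "date_of_birth": None, "postcode": None}
    for column in fields:  # column names come from the allow-list above, not user input
        conn.execute(f"UPDATE customers SET {column} = ? WHERE id = ?", (masked[column], customer_id))
    conn.execute("INSERT INTO erasure_log (customer_id, fields, requested_at) VALUES (?,?,?)",
                 (customer_id, json.dumps(sorted(fields)), datetime.now(timezone.utc).isoformat()))
    conn.commit()
    return len(fields)
```

Run `open_db()`, then `hard_delete(conn, 1)` to see the delete refused while orders exist, `erase_fields(conn, 1, {"date_of_birth"})` for the partial request in b), and `subject_access_view(conn, 1)` for the single view; the masking approach does not help with the backup-tape problem raised later in the thread, since masked rows only exist in the live database.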
whitestone (Free Member)
In my experience of people (not) reading forms there’s going to be a lot of PPI-like claims going on: “You never told me …”.
I went through the ICO summary (itself big enough) earlier this year and even for a small club with very limited data on members (no DoB or home address for example) I had a couple of pages of ToDo items.
matt_outandabout (Full Member)
> Imagine that in your local council, amazon, STW, NHS, etc…
It could be a quick way of one company messing with another as well – batter them with multiple, complex GDPR data views, partial changes etc…
Kryton57 (Full Member)
> a lot PPI like
The Government expert that came to brief us on GDPR explained it as exactly that – the new PPI…
trailwagger (Free Member)
We have been looking at this the last couple of months. It’s still unclear to me what the scope of “personal data” actually is.
For example, are contacts on a mobile phone “personal data”?
bikebouy (Free Member)
Erm.. the company holding the data can refuse to uphold the request to “the right to be forgotten” if they deem it necessary to hold the Data.. for instance the NHS will need to keep certain Data, but Wiggle won’t.
One major point I’m finding is the Data held by Digitech companies, those that gather either for themselves or sell on.. the rules state the company selling Data have the responsibility to pass Data onto a company that comply with the new ruling.. so example: online bike bits retailer sells Data containing purchasing info (name, address, spending profile etc) to another company who aren’t compliant means the controller is liable still until the purchaser is compliant.. and that could be some while…
Anyway, all good fun.
But a lot of this stuff is basic DPA98 enhanced for the digital world..
oldmanmtb (Free Member)
We are doing lots of Gap Analysis and remediation work for clients ranging from very large to SME.
Been working in this space for over 2 years, our background in PCI DSS, ISO27001, NHS IG Toolkit etc has helped us deliver against the needs of GDPR.
So much work it’s crazy
oldmanmtb (Free Member)
Forgot to say don’t panic Matt most of it’s common sense, housekeeping etc. Happy to offer some guidance at no charge – not sure how you get in contact on here?
bikebouy (Free Member)
Anyone gone properly down the ISO27…… suite route?
Our lot haven’t, and I only know of one organisation in my field that is..
Northwind (Full Member)
We’re quite far into it already and, to be honest, absolutely terrified- with the best will in the world we’re an inefficient organisation with so many shadow systems and little homegrown spreadsheets and the like, it’s a nightmare for the poor sods that are dealing with it. My role so far has been to throw up about 10 million extra problems that they’d not thought of, and to provide no solutions, so I’m really popular.
matt_outandabout – Member
It is also some of the requests to see all the data held or be deleted that could cause massive headaches for us – we have hundreds of children on film/photo online and in print, and they can all at 18 ask to be deleted and removed…
I can’t be the only one itching to do a really horrible inappropriate joke here, can I?
Sandwich (Full Member)
> We’re quite far into it already and, to be honest, absolutely terrified- with the best will in the world we’re an inefficient organisation with so many shadow systems and little homegrown spreadsheets and the like, it’s a nightmare for the poor sods that are dealing with it.
If it’s still the same leaky telecoms outfit your first fine under the new regime will serve as an awful warning to the rest of us. 😉
I have an employer that likes to hoard paperwork, he will be unhappy when we start firing up the shredder (PCI compliant) to delete data.
The topic ‘Have we done new GDPR 2018 regs…’ is closed to new replies.