Viewing 40 posts - 1 through 40 (of 48 total)
  • GDPR – who's ready?
  • thepurist
    Full Member

    (new data protection act stuff for anyone who hasn’t heard of it)

    Just over 280 working days until it’s mandatory, and we’re just about to start scoping the solution we need to implement while the higher ups debate what we’re going to do about contacting around a million people to get appropriate consent.

    Please tell me your tales of unawareness, unpreparedness and general disorganisation to make me feel better about the next year’s work.

    Edit – wrong forum too, and autocorrect got the title wrong, it’s going really well.

    nairnster
    Free Member

    Protecting data well.

    Vague as **** thread

    funkmasterp
    Full Member

    I’m ready for anything. Except this because I have no idea what you’re on about.

    loddrik
    Free Member

    cinnamon_girl
    Full Member

    The flogging off of medical records data? Read this:

    https://medconfidential.org/news/

    GJP
    Free Member

    I expect this will be top of my to do list when I go back to work after Easter

    thepurist
    Full Member

    The General Data Protection Regulation, which comes into force in May 2018, requires a much more detailed “opt in” consent for any organisation to be able to contact you. That means that any organisation that holds data on you – your bank, supermarkets, online shops, insurance companies, utility companies etc etc – will need to get in touch with you before then to seek this consent.

    I work for such a company and seeing that this is a hotbed of IT types it seemed reasonable that others on here would face the same challenges.

    The fact that many of you haven’t heard of it suggests that there’s a lot of work to do to explain why we’re having to do all this asking for permission stuff that’ll be coming your way.

    oldmanmtb
    Free Member

    We are delivering lots of GDPR gap analysis and remediation work and it’s going mental as people work out this thing has serious teeth: 4% fines based on turnover.
    Mandatory reporting of breach/loss or a 2% fine.

    Happy days for our business

    oldmanmtb
    Free Member

    Just for the record GDPR applies to all UK organisations regardless of size.

    epicsteve
    Free Member

    We’ve got a team onto it already. Impacts us in particular as consultancy because it means we have some additional responsibilities during any implementation projects and also if we provide post go-live support, even where someone else is hosting or even if it’s a SaaS solution we’ve implemented.

    NZCol
    Full Member

    Actually applies to anyone that accesses and processes PII on any EU citizens, irrespective of where they are or where the data is accessed from. New definitions of data controllers and processors, right to be forgotten etc.

    Frankly, mild panic setting in amongst those twigging.

    Fines will be a rounding error next to class action lawsuits à la PPI… check what happened to Morrisons, and that’s pre-GDPR.

    Available for consultation any time at exorbitant rates!

    legend
    Free Member

    I might start a REACH regulations thread to see if I can rival this one

    oldmanmtb
    Free Member

    NZcol has nailed it, shed loads of work out there, anyone with Info Gov skills looking for work needs to contact me.

    NZCol
    Full Member

    Or me, and I even can offer you delights of Edinburgh, or Cardiff, or Bristol or Newcastle or (god forbid) Glasgow 😉

    It’s an interesting bit of legislation in that a) it’s not actually complete and b) it contradicts a fair few bits of UK legislation like tax laws etc.
    But what could easily happen is I ask you to forget me and return all my records in a format I can easily read, then you email me months later along with another 100,000 people and we all sue you. You terrible people. Average payout is between 1k to 2k per record per instance (in settlements right now) – so the maths of 2,000 x 100,000 is, errr, not nice.

    bikebouy
    Free Member

    Yeah, just doing detail PIDs now, onboarding underway, gap analysis started.
    It’s the Digital stream that’s giving us the jitters.

    Sandwich
    Full Member

    Hooray some more work to do. I passed a link to the business owner, we’ll be having a discussion on Tuesday.

    oldmanmtb
    Free Member

    Still got the flat earth types saying it will never happen… they will be the first in front of the ICO firing squad.

    piemonster
    Full Member

    Been preparing for quite some time now, the sector I’m in seems quite at risk of income being hit. Which in some cases will reduce services and cost lives.

    NZCol
    Full Member

    If you’re in financial services, insurance or asset management then SMR and SIMR mean someone has their neck in the noose !

    fatoldgit
    Full Member

    Does this mean I’ll be able to charge those ***** who ring me about claiming PPI back £2,000 every time they contact me without permission ?

    Please say YES ……..

    swedishmatt
    Free Member

    Funny you should ask.

    I work for a large company, 100k employees, and billions of consumers blah blah. Anyway, I am IT in HR and services so I’m only looking at the internal space in one specific area (travel agency management and travel expenses – yay). I’m trying to get my head around how to manage that from an “employee right to know where you got the data from” and managing countries like GERMANY. So imagine you’re going to book a trip through your corporate travel agency. Fair enough, the agency is responsible for your data. But then the data you give the agency also feeds into a global tracking system (ISOS for those who care), and that’s automatic at the travel agency side. So let’s hypothetically say one employee is happy to give data to the agency, but doesn’t want it to flow through to the 3rd party travel tracking company. This will break the whole corporate governance of travel services and security services. I have no idea how to solve it. “No, you can’t use the corporate travel agency because you didn’t agree to send it to a third party” probably won’t fly.

    I’m in weekly meetings with the regional guy. We’re building teams in each country who will be the GDPR “squad” from the various functions, then rolling that up globally and then pulling in all the subject matter experts. It will be hundreds of people working this in our company, excluding all the external consultants (if there are any left!).

    It’s massive. Stupidly massive, and will really punish smaller businesses who can’t ramp up and at least attempt compliance. I’m thinking we have to cut internal services and/or re-design to meet some of the regulations.

    swedishmatt
    Free Member

    I also think anyone who did budgeting and resource needs for the next fiscal year will have underestimated it by a factor of 10.

    swedishmatt
    Free Member

    Btw I’m panicking because if you’re going to panic, make sure you panic first.

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH

    swedishmatt
    Free Member

    Oh and I’m changing roles in the company to manage all the employee data management globally so I’m going to be knee deep.

    Question: Anyone looking to do the qualifications and are they worth doing?

    oldmanmtb
    Free Member

    It will be smashing for us “subject specialists”. It will take many years to become common practice and there will be many fines, all of which will drive business for folks like us.

    deadkenny
    Free Member

    EU regulation. One word… Brexit.

    Kryton57
    Full Member

    I’m selling a leading data quality, federation and integration tool with a wrapped up GDPR enablement capability / readiness assessment from a recognised Forbes global leader.

    My diary has gone mad and I’m just public sector based.

    Alphabet
    Full Member

    I’m planning to have a quick Google on this next week and dash off our policy by Thursday. Or is this another Y2K thing and should I be demanding additional target bonuses? 😉

    paulneenan76
    Free Member

    It’s gonna be a big change once finalised. Let’s just say, if you work for a company that buys in permissioned data, get as much as you can now, cos you won’t be doing it easily after GDPR takes place.

    hjghg5
    Free Member

    I’m a data protection lawyer 🙂 still at the stage of persuading clients that they do need to set aside time and budget for it but starting to see signs that people realise they have underestimated the task. Not complaining 😉

    br
    Free Member

    Deadkenny- head in the sand…

    old man – can’t find your details, but please PM me as this is something I did with my last client; they understood but we couldn’t get our clients to see the risks (recruitment/staffing industry software supplier).

    deadkenny
    Free Member

    Will hit us for a year. By the time the EU brings cases against non compliance, we’re out. As a regulation that doesn’t require states to make it law, it sounds like it just goes away then. Unless we make it law. Depends how much hassle and cost the government see this is to UK business.

    br
    Free Member

    Fine if you’re never going to want to deal with EU citizens…

    thepurist
    Full Member

    Deadkenny – except the ICO (our good old British ICO) has stated it’s adopting GDPR, has published initial guidance and will hopefully be publishing final guidance once they’ve clarified all the issues that people raised with the draft guidance.

    And it won’t be the EU bringing cases, it’ll be Joe Public flagging things that the ICO investigate and then deal with accordingly. So it’s here to stay, Brexit or not.

    bikebouy
    Free Member

    deadkenny – Member
    EU regulation. One word… Brexit.

    You know what they say about feigning intelligence?

    oldmanmtb
    Free Member

    ICO has talked about strengthening the GDPR once it’s into UK law, not reducing it.

    oldmanmtb
    Free Member

    How do you pm on here?

    deadkenny
    Free Member

    thepurist – Member
    So it’s here to stay, Brexit or not.

    Aww, but Brexit means Brexit, we’ve got our country back, none of this EU rubbish any more, etc, etc.

    Or so Brexiteers told us 😆

    Though as a “Remoaner”, this isn’t one of those EU regs I’m keen on.

    (and yes, I was stirring 😛 ).

    br
    Free Member

    oldman – in my profile is my email address, see nzcol also, yours isn’t

    Kryton57
    Full Member

    I went on a very detailed course yesterday with a very senior man who’s involved in helping with GDPR.

    It’s more scary than I thought. Any business or sub contracted business (data owner or processor) will have to demonstrate data breaches, and data security, within 72 hours of an event or face the fines – we all knew that. But that also includes historic data and data management.

    Any business – including STW for example – would have to remove all my data if I requested it, or face potential fines from government or legal approaches from me should I be refused or even mentally affected – stressed – by the outcome. Such is the untested and unmetered reach of the law around this, our expert demonstrated that in his words “it’s equivalent to lawyers for you, they’ll be encouraging everyone to claim about everything – it’s the new PPI”.

    As we went through the detail I saw the ramifications for business – any business where electronic data has been stored willingly or unwillingly is going to have huge administration problems. It’s also going to be illegal to collect data by default – no more “I agree that XXXX will send me email regarding offers from time to time” tick boxes defaulting to “ticked” – it becomes an illegal practice. In addition this applies to any business globally who asks to store data about an individual or business within the UK or Europe. A US company with UK staff personnel records for example, as it’s passed under international law. Finally, it also applies historically to legal challenge – if a former disgruntled employee fired 10 years ago decides to request data deletion, is denied and gets “stressed” they can claim damages – holy cow.

    He also reckoned the UK is 15 years behind most of Europe in data protection practice, and is already behind the required curve to even think about how to manage GDPR. He said it’s going to be a single point of failure for masses of businesses as individuals and lawyers realise they can make a fast buck, BUT that those cases could go on for years as the vocabulary starts to be legally interpreted and word by word the GDPR regulation is cross examined.

    Very scary stuff! Who is STW’s Data Governance officer anyway…? 😉


The topic ‘GDPR – who's ready?’ is closed to new replies.