
Previously on "GDPR"


  • edison
    replied
    Originally posted by quackhandle:
    I'm banking on GDPR keeping me in invoices for the next year at least. (As I work in Data Protection).

    qh
    I'm hoping the same - I start a new gig next week which will be mainly centred around GDPR!



  • TheFaQQer
    replied
    Originally posted by quackhandle:
    Will you report them to the ICO if they don't respond?

    qh
    Too right.



  • quackhandle
    replied
    Originally posted by TheFaQQer:
    Today is day 38 since I submitted mine to Virgin Trains.

    Two days to go and they've not even acknowledged it yet.
    Will you report them to the ICO if they don't respond?

    qh



  • TheFaQQer
    replied
    Originally posted by SueEllen:
    If you want to feck a firm off, do a Data Subject Access Request.
    Today is day 38 since I submitted mine to Virgin Trains.

    Two days to go and they've not even acknowledged it yet.



  • quackhandle
    replied
    I'm banking on GDPR keeping me in invoices for the next year at least. (As I work in Data Protection).

    qh



  • original PM
    replied
    Originally posted by SueEllen:
    If you want to feck a firm off, do a Data Subject Access Request.

    Oh and I just got a Delivery Manager role through for GDPR changes.

    Seems they are spamming anyone with "data protection" on their CV.
    That's good news!

    However, do you think you will get much direction on what you are supposed to deliver? It seems that is the mystery right now (outside of the usual existing DPA requirements).



  • SueEllen
    replied
    Originally posted by edison:
    I think the right to be forgotten or data erasure (under specific circumstances) could be one of the bigger impacts. Let's say I as an individual request this from an organisation. Presumably data held on me is stored in a backup somewhere. What happens if there is a need to restore data e.g. in a DR scenario? How does the organisation prevent accidentally restoring 'forgotten' data?

    The new regulations also have a stricter definition of personally identifiable information I believe, where multiple pieces of information could potentially be pieced together to identify an individual.

    How about right to rectification? The new rules state this must be done within a maximum time of two months. When I worked for a large public sector body, it was often a challenge to comply with DPA subject access requests. It's more admin and paperwork.
    If you want to feck a firm off, do a Data Subject Access Request.

    Oh and I just got a Delivery Manager role through for GDPR changes.

    Seems they are spamming anyone with "data protection" on their CV.



  • edison
    replied
    Originally posted by TheFaQQer:
    I would suggest talking to Preterlex about it then - The GDPR - business, IT, and law in the privacy New World - PreterLex

    Implementation of GDPR will require complex business process / practice and software level changes - particularly any company where they process data overseas (even more so if it is outside the EU). If companies process data in certain countries where the local laws conflict with GDPR then they will need to stop that happening completely.

    I suspect that most companies will fall foul of the new laws because they don't understand what they have authority to do and what they don't.

    Companies will need to have a fundamental look at how they deal with data, how they will deal with it in the future, and how they will ensure that everyone understands that. Systems and processes will need to be reviewed to ensure that they have the appropriate levels of control, access, removal, and metadata about what can be shared and what can't and with whom.

    I had some experience of data protection projects when I worked for a big online retailer who was implementing a solution for their websites to comply with the then new EU 'Cookies Law' which was part of the Privacy and Electronic Communications Regulations.

    Compared to GDPR, it was a lot more straightforward, but I spent more time on the project in a room with Legal Counsel than I did with the techies. Ironically, the UK was given an extra 12 month dispensation to comply with the new law, partly due to the perceived technical complexity. Interestingly, a lot of online retailers didn't implement a technical solution by the given date as everyone was waiting to see what their competitors were doing. We developed a fairly good technical solution but in the end didn't turn it on as we were able to get away with some more tactical changes.

    I suspect some organisations will be in trouble come early 2018 when they realise they have no hope of complying in time.

    It's going to be a good time to be a data protection specialist, that's for sure!



  • edison
    replied
    Originally posted by MarillionFan:
    Also additional processes around 'Right to be Forgotten' or 'Data Port Requests' form part of the new GDPR.

    Imagine a company with 100s of systems which has customer data replicated everywhere. I can request that data be deleted, and failure to do so will result in a fine. 4% of turnover is scaring the crap out of companies. Clientco has set up a task force & I'm getting a lot of interest. It's going to be a little like Y2K as everyone panics coming towards May. Some money to be made in the short-term, especially around auditing.
    I think the right to be forgotten or data erasure (under specific circumstances) could be one of the bigger impacts. Let's say I as an individual request this from an organisation. Presumably data held on me is stored in a backup somewhere. What happens if there is a need to restore data e.g. in a DR scenario? How does the organisation prevent accidentally restoring 'forgotten' data?

    The new regulations also have a stricter definition of personally identifiable information I believe, where multiple pieces of information could potentially be pieced together to identify an individual.

    How about right to rectification? The new rules state this must be done within a maximum time of two months. When I worked for a large public sector body, it was often a challenge to comply with DPA subject access requests. It's more admin and paperwork.

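One way an organisation can answer edison's question above (how to stop "forgotten" data coming back when a backup is restored) is to keep an erasure register separately from the backups and re-apply it on every restore. The following is an added Python example written for this thread, not code from any poster or product; the register key, the customer rows and the field names are constructed for illustration.

```python
"""
Added example (not from the thread): re-applying a GDPR erasure register after
restoring a backup, so records a data subject asked to have erased do not
reappear in a DR scenario. All data below is constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Key for a keyed hash of subject identifiers. Assumption: in a real deployment
# this lives in a secrets manager; here it is a constructed demo value.
REGISTER_KEY = b"constructed-demo-key-do-not-use"


def subject_token(email: str) -> str:
    """Keyed hash of a normalised identifier, so the erasure register itself
    does not retain the plaintext personal data it exists to suppress."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(REGISTER_KEY, normalised, hashlib.sha256).hexdigest()


@dataclass
class ErasureRegister:
    """Append-only record of erased subjects. It must be stored outside the
    backup set it governs and retained at least as long as any backup, or the
    oldest backups can silently resurrect erased records."""
    entries: dict = field(default_factory=dict)  # token -> time of erasure

    def record(self, email: str, when: datetime) -> str:
        token = subject_token(email)
        self.entries.setdefault(token, when)  # first erasure time wins
        return token

    def is_erased(self, email: str) -> bool:
        return subject_token(email) in self.entries


def restore_with_suppression(backup_rows, register):
    """Restore rows from a backup, dropping every row whose subject is in the
    erasure register. Returns (restored, suppressed) so the suppressed count
    can be logged for the audit trail without logging the rows themselves."""
    restored, suppressed = [], []
    for row in backup_rows:
        (suppressed if register.is_erased(row["email"]) else restored).append(row)
    return restored, suppressed


def audit_restored(restored_rows, register):
    """Post-restore check: any row still present for an erased subject is a
    compliance failure and should be raised, not quietly fixed."""
    return [r for r in restored_rows if register.is_erased(r["email"])]


# Constructed sample data: a backup taken before one customer asked for erasure.
BACKUP_ROWS = [
    {"customer_id": 1, "email": "alice@example.test", "plan": "gold"},
    {"customer_id": 2, "email": "Bob@Example.test", "plan": "silver"},
    {"customer_id": 3, "email": "carol@example.test", "plan": "bronze"},
]


def demo():
    register = ErasureRegister()
    # Bob exercised his right to erasure after the backup above was taken.
    register.record("bob@example.test", datetime(2018, 6, 1, tzinfo=timezone.utc))
    restored, suppressed = restore_with_suppression(BACKUP_ROWS, register)
    leaks = audit_restored(restored, register)
    return len(restored), len(suppressed), len(leaks)


if __name__ == "__main__":
    print("restored=%d suppressed=%d leaks=%d" % demo())
```

Two design points worth noting: the register stores a keyed hash rather than the e-mail itself, so the list of people who asked to be forgotten is not itself a new store of their personal data, and identifiers are normalised before hashing so a differently-cased copy in an older system (like "Bob@Example.test" above) is still matched.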


  • ruasonid
    replied
    Originally posted by jas:
    Has anyone done any or thinking of doing GDPR training (i.e. to get some knowledge and get a contract role which is asking for GDPR experience)?

    Is it a good idea or bad?
    Possibly. It could be a Y2K-like bonanza. On the other hand, it could be that bob's your uncle and Indian consultancies have been bidding on outsourcing these projects for the past couple of years.

    In my recent experience lawyers have been engaged to address the risks around GDPR.



  • MarillionFan
    replied
    Originally posted by TheFaQQer:
    I would suggest talking to Preterlex about it then - The GDPR - business, IT, and law in the privacy New World - PreterLex

    Implementation of GDPR will require complex business process / practice and software level changes - particularly any company where they process data overseas (even more so if it is outside the EU). If companies process data in certain countries where the local laws conflict with GDPR then they will need to stop that happening completely.

    I suspect that most companies will fall foul of the new laws because they don't understand what they have authority to do and what they don't. And the level of data privacy that could be required needs to be understood by everyone in the organisation - they need to know what they can and cannot process. For example, if I say to someone who works at Huxley "you can send my CV over to IBM" what is the data retention of my CV? What is my right to have that erased? How do they process those requests? If the agent finds out that they have to use a third party like Capita, do they have permission to send it? And if they send it anyway, have they committed a data breach?

    Companies will need to have a fundamental look at how they deal with data, how they will deal with it in the future, and how they will ensure that everyone understands that. Systems and processes will need to be reviewed to ensure that they have the appropriate levels of control, access, removal, and metadata about what can be shared and what can't and with whom.

    Also additional processes around 'Right to be Forgotten' or 'Data Port Requests' form part of the new GDPR.

    Imagine a company with 100s of systems which has customer data replicated everywhere. I can request that data be deleted, and failure to do so will result in a fine. 4% of turnover is scaring the crap out of companies. Clientco has set up a task force & I'm getting a lot of interest. It's going to be a little like Y2K as everyone panics coming towards May. Some money to be made in the short-term, especially around auditing.



  • jas
    replied
    GDPR Training

    Has anyone done any or thinking of doing GDPR training (i.e. to get some knowledge and get a contract role which is asking for GDPR experience)?

    Is it a good idea or bad?



  • DaveB
    replied
    Originally posted by original PM:
    I understand that, but let's take the TalkTalk example - how do they lose this data?

    Was it just poor data management or did someone do something malicious to make it happen?

    So yes, poor data management is unacceptable and this is where the main focus of a lot of companies is - make sure your data is secure and you have control of it - pretty basic stuff really.

    If it is someone doing something malicious then how do you stop that?

    Then looking at the data sharing - the only reasons companies data share is to make money - but as GDPR comes in and this now becomes a bad idea - why would a company share data - the only reason is that the senior managers/execs feel they can make a fast buck and screw the risks.

    So really that just comes back to the someone doing something malicious to break the rules.

    To quote your example about PPI - banks did this to make a fast buck and it came back to bite them - this was an exec/senior level decision.

    I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.
    TalkTalk was a cluster*** from start to finish. It was essentially down to their incompetence and management who didn't want to spend money on securing the data they held.

    They claimed it was a "sophisticated" attack when in reality it was a bunch of kids exploiting known loopholes with readily available scripts they downloaded from the web. The issues they exploited have been known about for years and anyone with a functioning security team in place should have been able to fix them long ago. It got to the point that CESG (now the National Cyber Security Centre) got involved and had to hold a briefing and issue a guidance note on what constituted a "sophisticated" attack. TalkTalk did not fall into that category.



  • TheFaQQer
    replied
    Originally posted by original PM:
    I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.
    I would suggest talking to Preterlex about it then - The GDPR - business, IT, and law in the privacy New World - PreterLex

    Implementation of GDPR will require complex business process / practice and software level changes - particularly any company where they process data overseas (even more so if it is outside the EU). If companies process data in certain countries where the local laws conflict with GDPR then they will need to stop that happening completely.

    I suspect that most companies will fall foul of the new laws because they don't understand what they have authority to do and what they don't. And the level of data privacy that could be required needs to be understood by everyone in the organisation - they need to know what they can and cannot process. For example, if I say to someone who works at Huxley "you can send my CV over to IBM" what is the data retention of my CV? What is my right to have that erased? How do they process those requests? If the agent finds out that they have to use a third party like Capita, do they have permission to send it? And if they send it anyway, have they committed a data breach?

    Companies will need to have a fundamental look at how they deal with data, how they will deal with it in the future, and how they will ensure that everyone understands that. Systems and processes will need to be reviewed to ensure that they have the appropriate levels of control, access, removal, and metadata about what can be shared and what can't and with whom.



  • original PM
    replied
    Originally posted by TheFaQQer:
    Yes, you're oversimplifying - this is going to be huge and expensive for companies. And lawyers are going to get rich from it. Imagine the volume of PPI calls and lawyers that cropped up - then multiply that at least tenfold.

    The average EU-wide payout for a data protection breach to the individual is 2800EUR. With GDPR, the company will have to pay that plus a fine of up to 4% of their turnover on top of that. So imagine your telecoms company loses customer data for 1000 people (bear in mind how much more have been lost in the past). That's a payout to the victims of £2.8 million immediately plus a fine to pay.

    Last year, TalkTalk lost over 150,000 customers' data - that's a payout to the customers of £420 million if we take the average payout, plus a fine of up to £75 million based on their turnover. They got a £400k fine instead.

    The protections that you get as an individual also make interesting reading - you can prevent companies from sharing your data a lot more easily if there is no valid reason for them to share it. So you can stop your bank from disclosing your details to Experian (for example), because the bank has no reason to share that data. And they are not allowed to discriminate against customers / potential customers on the basis of the customer not sharing their data. Interesting times for the credit reference / database companies - if individuals prevent the banks from sharing their data, and the banks can't discriminate just because they cannot get your data to do a credit check, where does that leave the banks and the likes of Experian?

    Also, the threshold for proving data loss gets a lot lower as well, which is good for the individual and bad for the company. This is going to cost businesses a LOT of money when it hits, there will be some massive high profile large fines early on, and there is little time to get your systems in place to do anything about it. My recommendation to clients would be to put aside 4% of turnover for a breach fine, or put aside 4% of turnover to get your systems in place to deal with the new laws - clearly the latter is more desirable than the former.

    I know an expert in this area who runs a four day training course for £3250, but I can get a discount on that if anyone is interested.
    I understand that, but let's take the TalkTalk example - how do they lose this data?

    Was it just poor data management or did someone do something malicious to make it happen?

    So yes, poor data management is unacceptable and this is where the main focus of a lot of companies is - make sure your data is secure and you have control of it - pretty basic stuff really.

    If it is someone doing something malicious then how do you stop that?

    Then looking at the data sharing - the only reasons companies data share is to make money - but as GDPR comes in and this now becomes a bad idea - why would a company share data - the only reason is that the senior managers/execs feel they can make a fast buck and screw the risks.

    So really that just comes back to the someone doing something malicious to break the rules.

    To quote your example about PPI - banks did this to make a fast buck and it came back to bite them - this was an exec/senior level decision.

    I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.
