Previously on "GDPR"
-
Originally posted by TheFaQQer:
Today is day 38 since I submitted mine to Virgin Trains.
Two days to go and they've not even acknowledged it yet.
qh
-
I'm banking on GDPR keeping me in invoices for the next year at least. (As I work in Data Protection).
qh
-
Originally posted by SueEllen:
If you want to feck a firm off, do a Data Subject Access Request.
Oh and I just got a Delivery Manager role through for GDPR changes.
Seems they are spamming anyone with "data protection" on their CV.
However, do you think you will get much direction on what you are supposed to deliver, as it seems that is the mystery right now (outside of the usual existing DPA requirements)?
-
Originally posted by edison:
I think the right to be forgotten or data erasure (under specific circumstances) could be one of the bigger impacts. Let's say I as an individual request this from an organisation. Presumably data held on me is stored in a backup somewhere. What happens if there is a need to restore data e.g. in a DR scenario? How does the organisation prevent accidentally restoring 'forgotten' data?
The new regulations also have a stricter definition of personally identifiable information I believe, where multiple pieces of information could potentially be pieced together to identify an individual.
How about right to rectification? The new rules state this must be done within a maximum time of two months. When I worked for a large public sector body, it was often a challenge to comply with DPA subject access requests. It's more admin and paperwork.
Oh and I just got a Delivery Manager role through for GDPR changes.
Seems they are spamming anyone with "data protection" on their CV.
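One way to answer the restore question raised above, as an added example that is not part of this thread or any poster's code: an erasure ledger keyed by an HMAC of the subject identifier, held outside the backup rotation and consulted at restore time, so that a snapshot taken before an erasure cannot resurrect the erased record while a later snapshot (where the subject may have legitimately returned) is left alone. The pepper, e-mail addresses and records are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Secret pepper stored outside the backup set (constructed demo value).
PEPPER = b"constructed-demo-pepper-not-for-production"


def subject_key(email: str) -> str:
    """Keyed hash of the identifier so the ledger itself carries no plain PII."""
    normalised = email.strip().lower().encode()
    return hmac.new(PEPPER, normalised, hashlib.sha256).hexdigest()


# Erasure ledger: subject key -> UTC time the erasure request was honoured.
# It must live outside normal backup rotation so a restore cannot overwrite it.
erasure_ledger = {
    subject_key("alice@example.com"): datetime(2018, 6, 1, tzinfo=timezone.utc),
}


def filter_restore(records, snapshot_time):
    """Return (kept, suppressed) for a backup snapshot being restored.

    A record is suppressed when its subject was erased AFTER the snapshot was
    taken: the snapshot predates the erasure, so restoring it would bring back
    data the organisation no longer has a basis to hold. Records from snapshots
    taken after the erasure are kept, since they can only exist if the subject
    came back (e.g. re-registered) after the erasure was completed.
    """
    kept, suppressed = [], []
    for rec in records:
        erased_at = erasure_ledger.get(subject_key(rec["email"]))
        if erased_at is not None and snapshot_time < erased_at:
            suppressed.append(rec)
        else:
            kept.append(rec)
    return kept, suppressed


# Constructed sample: a May 2018 snapshot restored after Alice's June erasure.
SNAPSHOT = [
    {"id": 1, "email": "alice@example.com", "plan": "gold"},
    {"id": 2, "email": "bob@example.com", "plan": "silver"},
]
SNAPSHOT_TIME = datetime(2018, 5, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    kept, dropped = filter_restore(SNAPSHOT, SNAPSHOT_TIME)
    print("restored:", [r["id"] for r in kept], "suppressed:", [r["id"] for r in dropped])
```

The suppressed list is what an auditor would want logged at restore time, since it evidences that the erasure survived the DR event.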
-
Originally posted by TheFaQQer:
I would suggest talking to Preterlex about it then - The GDPR - business, IT, and law in the privacy New World - PreterLex
Implementation of GDPR will require complex business process / practice and software level changes - particularly any company where they process data overseas (even more so if it is outside the EU). If companies process data in certain countries where the local laws conflict with GDPR then they will need to stop that happening completely.
I suspect that most companies will fall foul of the new laws because they don't understand what they have authority to do and what they don't.
Companies will need to have a fundamental look at how they deal with data, how they will deal with it in the future, and how they will ensure that everyone understands that. Systems and processes will need to be reviewed to ensure that they have the appropriate levels of control, access, removal, and metadata about what can be shared and what can't and with whom.
I had some experience of data protection projects when I worked for a big online retailer who was implementing a solution for their websites to comply with the then new EU 'Cookies Law' which was part of the Privacy and Electronic Communications Regulations.
Compared to GDPR, it was a lot more straightforward but I spent more time on the project in a room with Legal Counsel then I did with the techies. Ironically, the UK was given an extra 12 month dispensation to comply with the new law, partly due to the perceived technical complexity. Interestingly, a lot of online retailers didn't implement a technical solution by the given date as everyone was waiting to see what their competitors were doing. We developed a fairly good technical solution but in the end didn't turn it on as we were able to get away with some more tactical changes.
I suspect some organisations will be in trouble come early 2018 when they realise they have no hope of complying in time.
It's going to be a good time to be a data protection specialist, that's for sure!
-
Originally posted by MarillionFan:
Also additional processes around 'Right to be Forgotten' or 'Data Port Requests' form part of the new GDPR.
Imagine a company with 100s of systems who has customer data replicated everywhere. I can request that data be deleted, and failure to do so will result in a fine. 4% of turnover is scaring the crap out of companies. Clientco has set up a task force & I'm getting a lot of interest. It's going to be a little like Y2K as everyone panics coming towards May. Some money to be made in the short-term, especially around auditing.
The new regulations also have a stricter definition of personally identifiable information I believe, where multiple pieces of information could potentially be pieced together to identify an individual.
How about right to rectification? The new rules state this must be done within a maximum time of two months. When I worked for a large public sector body, it was often a challenge to comply with DPA subject access requests. It's more admin and paperwork.
-
Originally posted by jas:
Has anyone done any, or is thinking of doing, GDPR training (i.e. to get some knowledge and get a contract role which is asking for GDPR experience)?
Is it a good idea or bad???
In my recent experience lawyers have been engaged to address the risks around GDPR.
-
Originally posted by TheFaQQer:
I would suggest talking to Preterlex about it then - The GDPR - business, IT, and law in the privacy New World - PreterLex
Implementation of GDPR will require complex business process / practice and software level changes - particularly any company where they process data overseas (even more so if it is outside the EU). If companies process data in certain countries where the local laws conflict with GDPR then they will need to stop that happening completely.
I suspect that most companies will fall foul of the new laws because they don't understand what they have authority to do and what they don't. And the level of data privacy that could be required needs to be understood by everyone in the organisation - they need to know what they can and cannot process. For example, if I say to someone who works at Huxley "you can send my CV over to IBM" what is the data retention of my CV? What is my right to have that erased? How do they process those requests? If the agent finds out that they have to use a third party like Capita, do they have permission to send it? And if they send it anyway, have they committed a data breach?
Companies will need to have a fundamental look at how they deal with data, how they will deal with it in the future, and how they will ensure that everyone understands that. Systems and processes will need to be reviewed to ensure that they have the appropriate levels of control, access, removal, and metadata about what can be shared and what can't and with whom.
Also additional processes around 'Right to be Forgotten' or 'Data Port Requests' form part of the new GDPR.
Imagine a company with 100s of systems who has customer data replicated everywhere. I can request that data be deleted, and failure to do so will result in a fine. 4% of turnover is scaring the crap out of companies. Clientco has set up a task force & I'm getting a lot of interest. It's going to be a little like Y2K as everyone panics coming towards May. Some money to be made in the short-term, especially around auditing.
-
GDPR Training
Has anyone done any, or is thinking of doing, GDPR training (i.e. to get some knowledge and get a contract role which is asking for GDPR experience)?
Is it a good idea or bad???
-
Originally posted by original PM:
I understand that but lets take the Talk Talk example - how do they lose this data?
Was it just poor data management or did someone do something malicious to make it happen?
So yes poor data management is unacceptable and this is where the main focus of a lot of companies is - make sure your data is secure and you have control of it - pretty basic stuff really.
If it is someone doing something malicious then how do you stop that?
Then looking at the data sharing - the only reason companies share data is to make money - but as GDPR comes in and this now becomes a bad idea - why would a company share data - the only reason is that the senior managers/execs feel they can make a fast buck and screw the risks.
So really that just comes back to someone doing something malicious to break the rules.
To quote your example about PPI - banks did this to make a fast buck and it came back to bite them - this was an exec/senior level decision.
I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.
They claimed it was a "sophisticated" attack when in reality it was a bunch of kids exploiting known loopholes with readily available scripts they downloaded from the web. The issues they exploited have been known about for years and anyone with a functioning security team in place should have been able to fix them long ago. It got to the point that CESG (now the National Cyber Security Centre) got involved and had to hold a briefing and issue a guidance note on what constituted a "sophisticated" attack. TalkTalk did not fall into that category.
-
Originally posted by original PM:
I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.
Implementation of GDPR will require complex business process / practice and software level changes - particularly any company where they process data overseas (even more so if it is outside the EU). If companies process data in certain countries where the local laws conflict with GDPR then they will need to stop that happening completely.
I suspect that most companies will fall foul of the new laws because they don't understand what they have authority to do and what they don't. And the level of data privacy that could be required needs to be understood by everyone in the organisation - they need to know what they can and cannot process. For example, if I say to someone who works at Huxley "you can send my CV over to IBM" what is the data retention of my CV? What is my right to have that erased? How do they process those requests? If the agent finds out that they have to use a third party like Capita, do they have permission to send it? And if they send it anyway, have they committed a data breach?
Companies will need to have a fundamental look at how they deal with data, how they will deal with it in the future, and how they will ensure that everyone understands that. Systems and processes will need to be reviewed to ensure that they have the appropriate levels of control, access, removal, and metadata about what can be shared and what can't and with whom.
-
Originally posted by TheFaQQer:
Yes, you're oversimplifying - this is going to be huge and expensive for companies. And lawyers are going to get rich from it. Imagine the volume of PPI calls and lawyers that cropped up - then multiply that at least tenfold.
The average EU-wide payout for a data protection breach to the individual is 2800EUR. With GDPR, the company will have to pay that plus a fine of up to 4% of their turnover on top of that. So imagine your telecoms company loses customer data for 1000 people (bear in mind how much more have been lost in the past). That's a payout to the victims of £2.8 million immediately plus a fine to pay.
Last year, Talktalk lost over 150,000 customers' data - that's a payout to the customers of £420 million if we take the average payout, plus a fine of up to £75 million based on their turnover. They got a £400k fine instead.
The protections that you get as an individual also make interesting reading - you can prevent companies from sharing your data a lot more easily if there is no valid reason for them to share it. So you can stop your bank from disclosing your details to Experian (for example), because the bank has no reason to share that data. And they are not allowed to discriminate against customers / potential customers on the basis of the customer not sharing their data. Interesting times for the credit reference / database companies - if individuals prevent the banks from sharing their data, and the banks can't discriminate just because they cannot get your data to do a credit check, where does that leave the banks and the likes of Experian?
Also, the threshold for proving data loss gets a lot lower as well, which is good for the individual and bad for the company. This is going to cost businesses a LOT of money when it hits, there will be some massive high profile large fines early on, and there is little time to get your systems in place to do anything about it. My recommendation to clients would be to put aside 4% of turnover for a breach fine, or put aside 4% of turnover to get your systems in place to deal with the new laws - clearly the latter is more desirable than the former.
I know an expert in this area who runs a four day training course for £3250, but I can get a discount on that if anyone is interested.
Was it just poor data management or did someone do something malicious to make it happen?
So yes poor data management is unacceptable and this is where the main focus of a lot of companies is - make sure your data is secure and you have control of it - pretty basic stuff really.
If it is someone doing something malicious then how do you stop that?
Then looking at the data sharing - the only reason companies share data is to make money - but as GDPR comes in and this now becomes a bad idea - why would a company share data - the only reason is that the senior managers/execs feel they can make a fast buck and screw the risks.
So really that just comes back to someone doing something malicious to break the rules.
To quote your example about PPI - banks did this to make a fast buck and it came back to bite them - this was an exec/senior level decision.
I am really just pushing the boundaries to try and find out where the problems will be as when I speak to consultants etc we just get vanilla wishy/washy responses - what I am looking for is some examples of how a company could fall foul of the GDPR stuff without trying to.