GDPR: Do not resist! Unless you want a visit from the data police

Silver badge

"After all, nobody wants to be the first to get a €20m fine."

Is anyone running a book on who it'll be?

3
0
Silver badge
Joke

How about....

Talk-Talk for starters.

They've got form.

Last time out they were a clear winner by almost a furlong.

No need for Blinkers and more either.

5
0
Silver badge

Re: How about....

It will be the UK Gov. :)

2
0

Re: How about....

Probably the NHS

0
0
Anonymous Coward

I'd bet...

One of the big advertising tech companies. The GDPR definition of personal data covers ad-tech tracking and at the moment a lot of large advertising companies seem to be pretending GDPR doesn't exist or hoping it will go away.

0
0

The new PPI

There's no need to wait for the GDPR to come into force. Since the Court of Appeal disapplied Section 13(2) of the DPA, it's now possible to claim compensation against an organisation without having to demonstrate that you've incurred a financial loss as a result.

I'm in court tomorrow against Halfords because they refused to provide me with answers about how they process personal information fairly. First their solicitor told me that she had fully answered my questions but in her defence, she argued that she did not have to answer my questions.

Keep an eye out for that unwanted marketing and submit a claim. It only costs £50. Easier still once the GDPR comes into force. Most of the companies that we do business with are likely to be sitting ducks.

6
0
Silver badge

Re: The new PPI

Please let us know how you get on.

But be warned "First their solicitor told me that she had fully answered my questions but in her defence, she argued that she did not have to answer my questions." The two are not mutually exclusive and this sort of defence in depth is normal. If the court rules they didn't answer your questions fully they'll fall back on they didn't have to and vice versa.

4
0
Anonymous Coward

Re: The new PPI

I went to Halfords for a new windscreen wiper. In the old days there was a little book you'd use to look up make/model.

Now it's a tablet computer which requires you to enter your vehicle registration and there was no obvious privacy statement on how/if they'd use or store that data.

Needless to say I went elsewhere...

0
0
Silver badge

Re: The new PPI

Why?

Walk me through what an attacker could do with the information that a registration number exists, and is associated with $(make, model), and that you bought new wipers for it?

1
0
Orv
Silver badge

Re: The new PPI

That strikes me as oddly convoluted. In the US such devices generally only ask for the year, make, model, and sometimes trim level.

0
0
Bronze badge

Re: The new PPI

It's a 'joinder'. It links you to Halfords and your car and that you were aware of a problem with your wipers. On its own it's not much but could be the key to supporting your prosecution for something.

1
0

Schools?

This seems like it's going to be a nightmare for schools. We gather, process, and transfer data every day! The bureaucracy this will generate seems like it will make the lives of teachers very difficult.

0
1
Silver badge

Re: Schools?

I'd argue it's not something teachers should be doing. I work in the NHS, we have a Data protection officer who handles this and will handle the GDPR requirements too, not a single nurse will need to fill in a form.

It's up to the local council / Education authority and head teachers to ensure schools are ready. They can pass the buck all they want, the ICO won't care when looking to fine.

3
0

Re: Schools?

Yes, ask data compliance manager / DPO at local authority / Education authority that oversees your school. Don't forget, existing Data Protection Act already regulates gathering, processing and transfer of data.

2
0

Re: Schools?

I'd say that neither of you understand how schools operate day to day.

Data is used by staff all day every day. Some departments in some schools sign up to third party education sites (eg. MyMaths) and set up users within those systems (this is especially the case in smaller schools).

Also, Academies are no longer anything to do with the LEA - it has to be dealt with in house, meaning the school has to pay for legal advice and set up their own compliance systems. That's a significant cost for a small academy, especially when budgets are worth less now than they used to be (inflation, unfunded pay increases etc...).

Most schools use a catch-all agreement for data usage/processing each year on the data-checking sheet sent to parents. That will have to change, in fact most data protection procedures will have to change.

So, as I said, it will make teachers' lives more difficult.

0
0
Silver badge

Question

Does this mean that companies producing smartphone apps for use within the EU will have to toe the line and not slurp data willy nilly or face multi-million pound fines?

3
0
Silver badge

Re: Question

Legally yes, but I expect a lot of terms and conditions etc to be updated prior to that to try to wriggle out of it.

2
0

Re: Question

GDPR is designed to protect EU citizens' data wherever it is in the world. It is not possible to avoid compliance by simply contracting out of GDPR or changing the law. I imagine previous commenter Derichleau will be watching out for any attempt to do so!

2
0

Fines for companies etc... Yes!

But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need.

Notice the article didn't mention how many trusts have been fined over the years.

https://www.databreaches.net/chelsea-and-westminster-nhs-trust-fined-180000-for-hiv-newsletter-data-breach/

I remember this one.

0
2
Silver badge

Re: Fines for companies etc... Yes!

"But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need."

OTOH public bodies handling personal information, especially that from people who virtually have no option but to give it, should not get a free pass if they fail. It's a difficult issue and needs a solution.

7
0

Re: Fines for companies etc... Yes!

"But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need."

As Baldy50 says, we often don't have a choice to use public sector services so they should lead by example but taking away money from an entity funded by the taxpayer is not a great solution. In fact, the whole principle of fining has always struck me as dodgy. "You've committed a [data / road traffic / tax (delete as required)] offence but if you pay us money we'll forgive you."

Largest public sector ICO fine (and largest ICO fine ever until TalkTalk) was £325k against Brighton and Sussex University Hospitals NHS Trust.

https://www.theregister.co.uk/2012/06/06/nhs_trust_disputes_ico_fine/

0
0

Re: Fines for companies etc... Yes!

Fining schools or NHS etc is pointless. There should be a consequence to management, not the organisation. A fine for a school could bankrupt them, and all that'd do is disrupt the education of children.

No, make it apply directly to the person in charge - a personal fine, and loss of their job etc...

1
0

Re: Fines for companies etc... Yes!

Easy solution: fine the people not the organisation. Sequester the assets and garnishee the incomes of a few managers and Ministers and data protection will suddenly become a very important item on everyone's budget.

1
0
Silver badge
Coat

Keeping an eye on you right pondians

Don't envy anyone over there in IT.

Checks Hadoop data store guidance document. "All fields with directly identifying customer data shall be anonymized during the load process".

Not much, but it's there.

0
0
Silver badge

Re: Keeping an eye on you right pondians

"Don't envy anyone over there in IT."

The core problem is often marketing wanting to gather too much information and then handing processing of it over to some friendly spammer digital marketing agency. Alternately it's top management wanting to scrimp on IT. In either case pointing out the possibility of €20m fines should give IT a useful line in to put in any powerpoint.

3
0

VG article.

Good quality stuff here. Should be mandatory reading for every CEO.

0
0
Silver badge

Re: VG article.

"Should be mandatory reading for every CEO."

CEOs reading el Reg?

Following on from my previous comment, and much as I hate powerpoint presentations, maybe the first chance anyone gets to do a presentation for upper management or marketing should start off with a slide saying in large letters:

IN MAY 2018 WE BECOME LIABLE FOR A FINE OF €20,00,00.00

That should get their attention.

0
0
Silver badge

To paraphrase Oscar Wilde...

Government... the stupid in pursuit of the ignorant.

0
0

The joke about all this is that while private companies risk £20m fines or whatever, the government (any government) will just carry on doing exactly as it pleases.

Call your bank to make some trivial query about your account and you get the ninth degree of security nonsense, but if the NHS wants to hand over your data to Crapita, that's just fine and dandy, they don't even need to tell you.

Data protection works for them against you, but not the other way around.

0
0

Impact of TISA?

Any analysis of the impact of the Trade in Services Agreement? Reports (not necessarily reliable) say that it outlaws any restrictions on sending data out of the country? Would this prevent the EU signing up? Or override EU rules?

After Brexit, if we retain GDPR-level rules (so we can exchange data with the EU) what would be the implication if we were then to sign up to TISA, or a bilateral trade agreement with similar text?

1
0
Silver badge

Re: Impact of TISA?

I'm not familiar with the agreement but it would appear the two would be mutually incompatible, especially if or, as I think we mostly expect, when the Privacy Figleaf gets torn down. I think the implication would be that it would have to go to the courts to sort out the implications.

0
0


The Register - Independent news and views for the tech community. Part of Situation Publishing