Coming soon to a Parliament near you – UK's Data Protection Bill

Layman's terms..

This is quite a well discussed and anticipated piece of legislation which has the potential to affect many of us commentards. Would the team at El Reg consider putting together an article, or series of articles, written by an appropriate person, detailing the act in layman's terms? I'm sure it would be appreciated by the many of us who are self-employed, or small operators who don't have the luxury of corporate training departments.

Does anyone else agree?

51
1
Silver badge

Re: Layman's terms..

Seconded. An excellent idea.

13
1
Anonymous Coward

Re: Layman's terms..

Hope they send "real people" like (clueless) Amber Rudderless on a corporate training course. Because she seems to have a total disregard for the privacy of data she holds on others. I'd like to see an inspection of her constituency office by the ICO, before we start hounding others.

Most of it is common sense (she has absolutely none). Imagine your own data in place of the data you're storing on behalf of others. Look at the threats to that data, from outside and internally.

If it feels "wrong" or security feels "weak" it probably is.

11
0
Bronze badge

Conflict With IPA.....

Hi,

A quick check with the GDPR states:

Consent should be demonstrable – in other words organisations need to be able to show clearly how consent was gained and when.

So if I write a letter to the Home Office denying consent to have my data extracted and processed based on the IPA mechanism, then the Government will comply???

Can the Government therefore be legally challenged ?

(I know, I know, there will be an exclusion clause for IPA).

Regards,

Shadmeister.

12
0
Anonymous Coward

Re: Conflict With IPA.....

No. Performing a regulated activity or being in government trumps the GDPR. For example, your bank doesn't need your permission to gather information about you to perform anti-money-laundering checks either, because they're legally required to do so.

13
0
Bronze badge

Re: Conflict With IPA.....

Hi,

To some extent I would agree, but the Government must still follow GDPR rules? Else leaving a USB stick or unencrypted laptop with many people's national insurance details would be a breach.

It states:

There will be a substantial increase in fines for organisations that do not comply with the new regulation.

Regulators will now have authority to issue penalties equal to the greater of €10 million or 2% of the entity's global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.

So I assume consent is not required by the Government, but they must still follow GDPR rules and are therefore beholden to the rules.

Regards,

Shadmeister.

6
0
Anonymous Coward

Re: Conflict With IPA.....

Certain government functions are bound by the GDPR, just as they are today under the DPA. However, those restrictions are principally concerned with what government bodies do with data after it is gathered. Specifically, you can't use data gathered for statutory compliance for non-statutory purposes. You must still gather it to comply with statute if necessary. This usually manifests itself as one department or body being unable to share data with another department or body.

The main difference versus the current DPA is that there is a broad purpose "legitimate grounds" exemption that allows government to process data as long as there's a reasonable argument to do so, regardless of consent. The GDPR removes this exemption, which will require departments to justify non-consented processing* in terms of statutory compliance (as discussed above) or the much stricter public interest argument.

*Public bodies actually can't obtain free consent in most circumstances due to the imbalance of power between the government and an individual. It's hard to say "No" to someone that can put you in prison.

The GDPR does not change much in terms of who is allowed to do what with any given bits of data. It tightens up a few definitions of what constitutes personal data, updating it for the 21st century. Mostly the GDPR details what you must do while you process the data, specifically putting in place broad rules around transparency, security-by-design, mandatory reporting of breaches and so on.

5
0

Re: Conflict With IPA.....

"It will have to adhere to the GDPR for about a year"

So some non-governmental institution fails to follow GDPR, one takes it to court, and by the time it goes through the Data Protection Bill is active, and the court throws the case out as moot because the new law will allow anything to happen with any data under any circumstance.

Unfortunately all governments want organisations to collect everything, because governments want to categorise people as threat/non-threat to the state. Not "terrorism", just "effective dissent against the state" is the threat.

1
0
Silver badge

Re: Conflict With IPA.....

"The GDPR does not change much in terms of who is allowed to do what with any given bits of data."

Yes, but to me the most important part of GDPR is the increase in penalties that applies to people who mis-use or don't properly secure the data. Something much needed. Although it remains to be seen how well and how strongly it's enforced.

2
0
Silver badge
Joke

Re: Conflict With IPA.....

"equal to the greater of €10 million or 2% of the entity's global gross revenue"

The ICO will get a nice little windfall when HMRC leave a USB drive on the train...

2
0

Re: Conflict With IPA.....

Nope, the £££ will go to the Treasury and the ICO will still be scratching about for funding.

0
0
Silver badge

I've been thinking over the implications of various surveillance laws, including the possible demand for passwords to encrypted devices, seizure of servers, etc.

In the real world a company computer might hold information subject to various regulatory regimes including the DPA. Any agency gaining control of such data, either by interception or by physical seizure, usurps the role of whoever would have been responsible in the owner's organisation. This ought to transfer such responsibility to that agency.

Perhaps this Bill would be an opportunity to put such transfer into statute law rather than leaving the issue to be decided in court in the event of a breach.

5
0
Anonymous Coward

Can I ask a potentially daft question?

As I understand it, processing of personal data where it can be identified by the IP address would require consent and the ability to withdraw consent.

Where does that leave websites, as you would process the data to confirm unique visitors? I also believe that there is a caveat about consent not being a pre-requisite, so how do you get consent if not by asking them for consent and only allowing them access after consent has been given?

5
0
Anonymous Coward

It's not a daft question.

If it's PII and you don't have explicit, free consent for a legitimate business function you *usually* may not use that information.

This is, technically speaking, the law as it stands now. The only difference in this scenario is IP addresses have been explicitly identified as PII (Recital 30) whereas previously it was a theoretical argument based on a court judgement only applicable in certain scenarios.

There's also not a whole lot you can do. Most techniques that would mask any other data simply don't work on IP addresses. You can't hash them because there are only 4 billion possible values. You can't truncate them because then they're useless to you. More fundamentally, pseudo-anonymised data (i.e. where there is a 1:1 mapping) cannot be considered anonymised due to the proven ease of reconstructing an identity from metadata.

Now, I did say consent is *usually* required. There are, as always, exemptions. In fact, obtaining consent is just one of six grounds for processing PII set out in Article 6(1) of GDPR. Option "F" is what is called the "legitimate interests" argument. Put simply, if your interest in processing the data is normal, expected and necessary to performing your normal business functions you do _not_ need to obtain specific consent. Monitoring your own internal infrastructure for unique users, DDoS attacks and so on is an obvious legitimate interest.

In contrast, harvesting billions of page views for 3rd party AdTech applications (which are then resold to other 3rd parties) without the user ever knowing about it is a much, much trickier application to justify, as it has nothing to do with the business the person is interacting with. Though there is a specific mention of "direct marketing" being acceptable, so this one stays firmly grey.

10
0
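The point above that hashing an IP address does not mask it, because the whole IPv4 space is only about four billion values, can be shown directly. The following is an added example, not code from the commenter or from The Register: it hashes a constructed TEST-NET-2 address, recovers it by simply enumerating a /24 (the same loop scales to all 2^32 addresses), and then shows that a keyed hash (HMAC with a secret key) is not reversible by that enumeration for anyone who lacks the key. The key, the sample address and the subnet size are assumptions chosen for the demonstration; note that the keyed form is still a 1:1 mapping, i.e. pseudonymisation rather than anonymisation, exactly as the comment says.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional

# Total number of IPv4 addresses: the "only 4 billion possible values" in the comment.
IPV4_SPACE = 2 ** 32

# Constructed demo key; a real deployment would draw this from a secrets store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the textual address: deterministic and brute-forceable."""
    return hashlib.sha256(ip.encode("ascii")).hexdigest()


def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 of the address: still 1:1 (a pseudonym), but only
    recomputable by a party holding `key`."""
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()


def reverse_by_enumeration(
    digest: str, network: str, hasher: Callable[[str], str]
) -> Optional[str]:
    """Recover the address behind `digest` by hashing every address in
    `network` with `hasher`. Returns None if no candidate matches.
    Over the full IPv4 space this is IPV4_SPACE hash operations, which is
    cheap on commodity hardware; that is why an unkeyed hash masks nothing."""
    for addr in ipaddress.ip_network(network):
        if hmac.compare_digest(hasher(str(addr)), digest):
            return str(addr)
    return None


def demo() -> dict:
    """Run both variants against a constructed address in the RFC 5737
    TEST-NET-2 range and report what an enumerator without the key sees."""
    sample_ip = "198.51.100.42"          # constructed sample address
    subnet = "198.51.100.0/24"           # constructed search space (256 addresses)

    unkeyed = plain_hash(sample_ip)
    keyed = keyed_hash(sample_ip, DEMO_KEY)

    return {
        "recovered_from_plain_hash": reverse_by_enumeration(unkeyed, subnet, plain_hash),
        # The enumerator lacks DEMO_KEY, so it can only try the unkeyed hash.
        "recovered_from_keyed_hash": reverse_by_enumeration(keyed, subnet, plain_hash),
        # The key holder still gets a stable pseudonym: the mapping remains 1:1.
        "keyed_is_deterministic": keyed == keyed_hash(sample_ip, DEMO_KEY),
        "full_space_work_factor": IPV4_SPACE,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block recovers `198.51.100.42` from its plain SHA-256 digest after at most 256 trial hashes, and fails to recover it from the HMAC digest. Because a keyed hash still maps each address to exactly one token, a log of such tokens remains pseudonymised personal data under the reasoning in the comment; the key only moves the re-identification capability to whoever holds it, it does not remove it.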

EU again

So HM Gov registers EU citizens for "free movement" (says some random element of the cabinet), so has to comply with EU GDPR which they have no power to influence??

#takebackcontrol?????

Don't you just love this mess? Insert "Popcorn" icon here

3
6
Anonymous Coward

Re: EU again

GDPR applies to all organisations that handle any EU citizen's data or handles any person's data within the EU, regardless of where that organisation itself operates.

So yes it applies to us and we have no say in its enforcement.

But that has nothing to do with whatever you're on about.

3
0
Silver badge

Re: EU again

"takebackcontrol?"

Let me try and simplify this for you.

Taking back control was sold to the voters (or at least to those who bought into the idea) as allowing the UK people to take back control from some nefarious EU and its courts. It should have failed under the Trades Description Act.

What HMG, and particularly our Home Sec in residence and Home Sec in command, mean is that they, the govt., take back the control that the EU had granted to the EU people.

For instance every attempt by successive governments of whatever colour to undertake mass surveillance has foundered when it gets to court and is judged by those EU standards. When they take back control they can do what they want because they'll have removed themselves from the control of the court that exists to protect you.

Make no mistake, you don't get control; you get controlled.

15
0
Silver badge
Trollface

Re: EU again

We should try and find a way to get some kind of influence over EU laws and regulations, we should get a vote or something. Even better, then we'd be able to steer the regulations so that they benefited the UK!

Oh wait....

8
0
Anonymous Coward

Re: EU again

To put it another way.

We're spectacularly screwed and it's our own fault.

2
0
Silver badge

Re: EU again

@ phuzz

"We should try and find a way to get some kind of influence over EU laws and regulations"

Why? While we are conquering the EU and bending them to our will we also trade with the US. Shall we do the same with them? Or the Chinese, India, etc.? We don't need to get down on our knees to please anyone else we work with, so if the EU is so stuck up that it can't figure out a way to work then that's their issue.

Let's get off our knees and have some dignity and self respect.

0
3
Facepalm

Guidance

A lot of the guidance from the Article 29 working party is yet to be published, so it's going to be interesting to see how many changes are required in this bill before it truly meets the requirements of GDPR.

Of course this also crosses the Maybot's red line regarding the ECJ, as they will make rulings which the UK will have to comply with to continue to do business with EU nations. It's going to be interesting to see how they spin that.

Whichever way you slice and dice it we will have no voice or say, and if the EU decides on an arbitrary basis that as a 3rd country we no longer meet the requirements then it's game over for a lot of tech business. Any global business with half a brain is going to move its data processing operations to the EU27 rather than risk a negative determination as a third country, which also means that UK citizens' data will be housed in an area we have no say or influence over.

Apparently, when it comes to data 'taking back control' really means dropping our pants and wondering why everyone is pointing and laughing.

3
2

The Register - Independent news and views for the tech community. Part of Situation Publishing