Yep it's basically a torrent of companies trying to punt half baked 'compliance' tools and services. But ask them the simplest of questions and they really have no idea WTF they are trying to sell or what the legislation is all about.
I've livened up many a dull afternoon messing with these guys on the phone. Cruel but necessary. Rule #1 if you want to sell me something you'd better know more about the subject/product than I do.
In all fairness
"The Information Commissioner’s Office guidance says that the best way for organisations to tell if it is a legitimate interest is to ask if what they intend to do “is fair”."
That's the sort of woolly thinking that causes arguments and problems. Why couldn't they have predicted this kind of confusion before they started and then been ready for it in a sensible manner?
Re: In all fairness
There isn't that much confusion. GDPR is on the order of 95% the same as the DPD - you can enumerate the key changes in 4 or 5 bullet points. The law isn't going to radically change. The penalties for breaking the law are. Organisations that are confused are organisations that have spent the last 20 years happily ignoring their responsibilities to their customers under the law.
Re: In all fairness
tell if it is a legitimate interest is to ask if what they intend to do “is fair”.
And how do you know it's fair? Just ask if it's a legitimate interest!
Re: In all fairness
"That's the sort of woolly thinking that causes arguments and problems."
Quite. Just what company is going to admit to itself that what it's doing might not be fair.
"She also noted that the ICO had yet to “invoke our maximum powers” - a £500,000 fine."
That's not something to boast about. Perhaps if the ICO did fine more companies the maximum amount they might be a little more careful with their customers' personal information.
Data controllers need to stop sending us direct marketing unless we specifically request it. Mailing list operators will have to call it a day and the companies that buy mailing lists should be prosecuted.
"Data controllers need to stop sending us direct marketing unless we specifically request it."
And where that request has been denied, absolutely must honour that denial, not disregard it and send marketing crap anyway (I recently lodged a complaint with the ICO about HSBC for doing exactly that).
"On some occasions, consent can be obtained contractually."
In such cases it must be clear and provide an opt out, not buried down on page 23.
Otherwise the unfair terms in contracts laws should apply.
But this is England, so they can get away with anything.
" (I recently lodged a complaint with the ICO about HSBC for doing exactly that)."
The other no-no is to honour an unsubscribe (or opt out) and then opt the person back in again a couple of years later.
I'm looking at YOU Asda.
had yet to “invoke our maximum powers”
Don't shout this too loud... This is acting as a great catalyst to get needed investment for security infrastructure.
Sitting pretty here!
MSFT have assured me that storing corporate data on OneDrive for Business means GDPR compliance so we're sorted. Simples!
Re: Sitting pretty here!
They forgot to mention the last bit - it's GDPR compliant for them!
I honestly hope you're joking about that.. If not, then you've just been spoon-fed the biggest load of BS.. GDPR is not about where you store the data - it's about how the data is stored, why it's stored, how it's used and who has access to it. If you incorrectly configure a permission on OneDrive, then I hope you have a couple of gallons of lube, as the company will get a royal shafting.
If you think you can palm off responsibility for storage onto M$, then think again, as GDPR explicitly states primary responsibility rests with the party who stored the data, not the service providers they were using (though there is some shared responsibility here).
Don't worry, you're not the only one, at least 90% of the FTSE 100 believe they can offload reputation damage and responsibility by outsourcing!!
Company after company is pushing "self-assessment" kits to prove how under-prepared organisations are, while others are selling various widgets, gizmos and services that claim to help them comply.
Given that so many companies have shown themselves to be unprepared to deal with what's already law and has been for a few decades now, I'd have thought that anything which spurs them into activity should be considered a Good Thing.
Unfortunately there are a huge number of organisations that will be defrauded with incorrect "advice" and bunk reasons for "further training" or "consultancy". Largely due to scare stories pushed by the media and those that benefit, as in those that sell this "training" and "consultancy".
Monetise the FUD
It's never going to be as rewarding as the Y2K boondoggle!
Re: Monetise the FUD
Have to agree, when I was at Uni (1999) my neighbor was a Cobol programmer and contracting for one of the big banks.. He'd do an hour's work each day and then head home, and he was clearing £1000-£1500 per day.
Saying that, I netted a nice £20k pay-rise by switching roles about 4 months ago.. moving from "infrastructure" to "security", so I dropped all user-fud, and now get to play with the cool security toys, deploy them and pass them on.. rinse and repeat, but no day is ever the same :)