Beware the GDPR 'no win, no fee ambulance chasers' – experts

The UK's incoming data protection laws could bring with them a wave of "no win, no fee"-style companies, experts have said. Much of the discussion about the impact of the EU General Data Protection Regulation – which comes into force in May 2018 – has focused on the fines regulators can impose. Although these are large – up …

  1. }{amis}{
    Unhappy

    Waiting......

    The impression I get is that a lot of companies are waiting to see what the first few test cases look like before jumping in and reworking their entire company's attitude to data, banking on the odds that they won't be in the first companies to fall afoul of GDPR.

    1. Tigra 07

      Re: }{amis}{

      Makes sense. They do that for everything. Warn 10 companies a tidal wave is coming and I bet less than half plan for it.

    2. Anonymous Coward

      Re: Waiting......

      I suspect they're looking at other UK regulatory actions and fines against similar "10% of turnover" rules, and concluding that a big data breach is going to cost £4-10m in fines, so probably less than 20% of the clean-up costs after the event, and ten to twenty times the ICO's current mosquito-bite fines. Those sorts of fines are a BAU cost for most big businesses.

      And the other thing is that the mindset exists in most companies that, having asked themselves a set of easy questions, been given reassuring answers that it is all under control, undertaken some token low cost measures, they conclude that they've done their bit, they are compliant, they are safe, and the directors can doze off again. Take the Equifax breach - they actually had in post a head of IT Security, they had patched most of their systems, they had a big IT budget, they used external advisers and security services. Unfortunately they hadn't patched Struts in the two months the patch was available (and how many big organisations would have a "patch first, ask questions later" regime?). I suspect Equifax would have passed a fairly thorough data security audit. In this respect, data protection is a bit like stopping terrorism - anything you stop or deter is just doing your job, but you have a vast attack surface, and it only takes one to get through.

    3. Doctor Syntax Silver badge

      Re: Waiting......

      "banking on the odds that they won't be in the first companies to fall afoul of GDPR"

      They're probably also banking on being able to get it all fixed in time when someone else falls foul of it first. Good luck with that!

    4. hmv

      Re: Waiting......

      A lesser known power the ICO gets when GDPR kicks in, is the power to instruct companies to stop processing data. Which may well have a much more significant effect than any level of fine.

  2. RFC822

    Dwarves???

    "Dwarves" is the plural of the _noun_ "dwarf".

    When using the _verb_, as in the article, it should be "dwarfs".

    I'm off to listen to Randy Newman's "Short People"...

    1. Doctor Syntax Silver badge
      Headmaster

      Re: Dwarves???

      The plural third person singular, present tense of the _verb_, which is what is being used in the article, should be "dwarfs".

      FTFY

    2. Anonymous Coward

      Re: Dwarves???

      I think the plural of the noun is "dwarfs", too, unless you're Tolkien. In the title of Disney's 1937 film (one of Hitler's favourite films, I've been told) it's "dwarfs".

      1. Charles 9

        Re: Dwarves???

        No, in Disney it's with a V, and the spelling is consistent with elves (note that the plural of elf is also spelled with a V), unless you're saying it's supposed to be elfs as well (and for that matter, what about ourself/ourselves and all the related words, and what about wharf/wharves).

        1. Yet Another Anonymous coward Silver badge

          Re: Dwarves???

          Who cares how you spell it, bunch of B'zugda-hiara !

      2. Fazal Majid

        Re: Dwarves???

        Tolkien admitted as much:

        No reviewer (that I have seen), although all have carefully used the correct dwarfs themselves, has commented on the fact (which I only became conscious of through reviews) that I use throughout the 'incorrect' plural dwarves. I am afraid it is just a piece of private bad grammar, rather shocking in a philologist; but I shall have to go on with it. Perhaps my dwarf – since he and the Gnome are only translations into approximate equivalents of creatures with different names and rather different functions in their own world – may be allowed a peculiar plural. The real 'historical' plural of dwarf (like teeth of tooth) is dwarrows, anyway: rather a nice word, but a bit too archaic. Still I rather wish I had used the word dwarrow.

        The Letters of J.R.R. Tolkien 17: To Stanley Unwin, Chairman of Allen & Unwin. October 1937

  3. Loud Speaker

    Google sent me an alert yesterday, and I started reading up on the subject.

    I run a part-time, one-man company with fewer than 10 customers. However, there is no lower bound on company size for the GDPR.

    GDPR compliance could easily exceed my entire workload. It is beginning to look like the end for one-man companies unless something is done about this.

    Before the PC existed, I also ran a one-man company, processing mailing lists for multinationals. I had tens of thousands of names and addresses, all verified.

    It's not easy to say where the cut-off should be, but I would guess that it should have to do with the number of records, and whether they are accessible to outside users. If you only have 10 email addresses, supplied by their owners so you can email them back, and the addresses of people you have billed for goods and services supplied, or who billed you (retention required by law), you probably ought to be exempt.

    I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GDPR".

    1. DJO Silver badge

      I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GDPR".

      That would be blatant fraud and would be prosecuted as such (unless a director was a Tory MP).

      The GDPR expressly exempts data necessary for a business and for tax purposes. In a game of Top Trumps, Tax always beats GDPR.

      1. Doctor Syntax Silver badge

        "In a game of Top Trumps, Tax always beats GDPR."

        Except, of course, Top Trump.

    2. }{amis}{
      Holmes

      Automation

      I do empathise with your point, but I would also point at all of the bellyaching that happened when the regs demanding that all companies, regardless of size, kept proper HR / employment records came in.

      At the time this was a major change / cost, but after a few years it is now an automated system that you buy in for a few £ a year.

    3. Doctor Syntax Silver badge

      "I had tens of thousands of names and addresses, all verified."

      Verified that they existed or verified that they wanted letter-box litter?

      1. Loud Speaker

        Verified in that "no one cancels a Reader's Digest subscription unless they actually live there". (This was in 1985.) Yes, we paid for the list of people who had cancelled a Reader's Digest subscription - it was quite cheap. We also ran competitions in local newspapers - you don't enter a competition with a false name and address. Do not suppose selling address lists started with the Internet.

    4. Anonymous Coward

      "GDPR compliance could easily exceed my entire workload. It is beginning to look like the end for one-man companies unless something is done about this."

      Unless your company has been a bit fast & loose with handling data ... unlikely. I would suggest finding a really good summary (i.e. not anything published by the UK press), and reading it. It's really not that bad.

      "I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GDPR"."

      No. Some idiot may attempt to claim it, much like they do now with the DPA (the "no, we can't talk to your partner about your account even if you say we can, because the DPA says we can't"-type idiocy), but it's not the root cause.

    5. Anonymous Coward

      "GDPR compliance could easily exceed my entire workload."

      No - because GDPR doesn't require you to perform specific activities, buy/rent specific software or hardware, etc. Even certification is not compulsory - and even there it explicitly says to take into account the needs of micro and small businesses.

      GDPR sets out the principles of personal data handling - and the associated fines if something bad happens to data.

      Hope your customer data are handled with a modicum of security.... although I guess they're stored in some Google applications - and thereby the rules about such kind of transfer and processing apply. Surely Google is not happy at all about the rules, and will disseminate a lot of FUD.

      In most European jurisdictions, the handling of personal data is already regulated - for any business size, because what matters are the rights of the owner of the data. I don't really care if you're a physician with only nine patients and you leak or store the wrong data (which may kill me later).

      And if you have data about tens of thousands of people, I don't really care if you're a one-man person, or Google. What matters is the impact of a mishandling of those data. Just, probably, 4% of your revenues will be far smaller than Google's.

    6. Nick Ryan Silver badge

      GDPR compliance should be easier for you. There is, very intentionally, no lower bound to the "organisation size" when it comes to GDPR appliance. If there were, this would be gamed by the unscrupulous within minutes, if not faster.

      What we already have is a new industry of GDPR ambulance chasing, even before GDPR kicks in - i.e. those organisations whose only interest is to promote their "training" or "certification processes" or "GDPR compliance applications". They have zero benefit other than draining cash and making GDPR compliance look considerably harder or "needing" legal advice repeatedly.

  4. Anonymous Coward

    Let me understand...

    "companies were holding data they shouldn't"

    "firms often don't know what data they collect, or where it is held."

    "companies often try to hang on to data in the hope it will one day be valuable to the business"

    And they shouldn't pay for their mistakes when caught??? It looks to me GDPR is only opening the septic tank, and it's time to clean it.

    Most (if not all) companies have been very sloppy and greedy with their customers'/users' data. Now it's going to change - at last!!

    They can't blame the law - they can only blame themselves for having been greedy idiots, hoping nothing would ever change. If those data are valuable for them, it's clear they are also valuable for their owners, and any criminal who believes they can be exploited for profit.

    1. Derezed

      Re: Let me understand...

      100% agree with this.

      The wild West approach to personal data management at companies needs to end. Don't hate the player, hate the game.

      1. Doctor Syntax Silver badge

        Re: Let me understand...

        " Don't hate the player, hate the game."

        Why not both?

    2. Anonymous Coward

      Re: Let me understand...

      companies often try to hang on to data in the hope it will one day be valuable to the business

      Isn't that exactly what the "Big Data" analytics firms have been pushing - all that lovely data just sitting there waiting to be mined?

  5. ArchieTheAlbatross
    Coat

    At least we know now

    What all the PPI firms will be doing next.......

    1. I ain't Spartacus Gold badge

      Re: At least we know now

      The problem is that all the PPI firms have caused a massive embuggarance with spam calls and timewasting. But on the other hand, the banks have now been forced to pay out something like £25billion in compensation - so to some extent that's been worth it. Maybe that's a big enough sting - involving much pain, reputational damage, time-consuming clean-up and cold hard cash - that the banks will learn a few lessons.

      In an ideal world senior execs would have gone to prison, or at least had their lives ruined for a few years while being fruitlessly dragged through the courts before getting off on the difficulty of proving intent/individual responsibility. The mortgage backed securities thing was a collective mistake, the PPI thing was in large part an organised fraud.

      If the regulators aren't going to do their jobs, then maybe the fear of legal chaos is the only thing we can hope for, to concentrate a few minds.

      1. Anonymous Coward

        Re: At least we know now

        let me correct that for you:

        > the banks customers have now been forced to pay out something like £25billion in compensation

        1. TheVogon

          Re: At least we know now

          let me correct that for you:

          >> the bank's shareholders have now been forced to pay out something like £25billion in compensation

          And in some cases subsidised by the tax payer...

      2. Loud Speaker

        Re: At least we know now

        fruitlessly dragged through the courts

        Preferably feet first, and by galloping horses.

    2. Doctor Syntax Silver badge

      Re: At least we know now

      "What all the PPI firms will be doing next"

      And doing it to each other with any luck.

    3. Hans Neeson-Bumpsadese Silver badge

      Re: At least we know now

      What all the PPI firms will be doing next.......

      I wonder how well they'll be securing their database of potential clients...

    4. Flak

      Re: At least we know now

      "What all the PPI firms will be doing next......."

      ... with the database of clients they have built up through the PPI feeding frenzy!

      Perhaps they can conveniently augment that with green energy, double glazing and kitchen sales companies' databases.

      Keep those auto-diallers dialling!

  6. WookieBill

    In the recruitment industry the panic is just starting to set in.

    I customise CRM systems used in the recruitment industry for a living. The business analysis side of our company has been warning our clients about GDPR for ages; people are only just sitting up and starting to take notice.

    One issue is that many of the CRM systems used in recruitment can't easily delete data.

    To maintain referential integrity when you delete a candidate, all that happens is that the candidate is given a deleted status and is hidden from the users, that data still remains in the DB along with the CV and all the lovely personal data goodies it contains. This is currently giving me lots of migration projects as people switch to supported CRM systems that can be made compliant.

    As well as the technical issues, psychologically, it's difficult to get recruiters to delete candidate data; it's their product after all. When I was in house, it was quite a task getting permission to delete stuff from senior management (it usually involved lots of nagging and pointing out we hadn't spoken to people in a decade).

    I predict much wailing and gnashing of teeth in recruitment, as soon as a recruiter sends out a job spec to half the internet and lots of legally switched on types notice that they didn't give consent under GDPR and fire up the lawyers.

    1. Doctor Syntax Silver badge

      Re: In the recruitment industry the panic is just starting to set in.

      "I predict much wailing and gnashing of teeth in recruitment, as soon as a recruiter sends out a job spec to half the internet and lots of legally switched on types notice that they didn't give consent under GDPR and fire up the lawyers."

      And well deserved. One could spend time customising a screed for one particular gig only to have the pimp send it out for something quite different. I'm sure this must occasionally cost people gigs they might otherwise have got, so real money's involved.

      1. Alan Brown Silver badge

        Re: In the recruitment industry the panic is just starting to set in.

        "And well deserved. One could spend time customising a screed for one particular gig only to have the pimp send it out for something quite different."

        Not to mention the asswipes who reactivate your existence on their mailing lists a couple of years after you've told them to delete your data.

        (Not just recruiters. Asda have done this twice)

    2. Duncan Macdonald

      Re: In the recruitment industry the panic is just starting to set in.

      Unless the CRM system is completely stupid it will be able to do database exports and imports. If so then (if there is no better way) the deleted data can be removed by exporting the non-deleted records then dropping the database tables and recreating them from the exported records.

      Another possible alternative (depending on the database structure and the CRM programs) would be to overwrite the data in the "deleted" records - replace all the text with a load of XXXXXXXXXXX , change all personal names to "John Smith", change all NI numbers to "VV123456Z", change all company names to "Fake Company", change all phone numbers to "0123456789" and change all addresses to "House of Commons London SW1A 0AA" - this should remove the personal information.

      1. WookieBill

        Re: In the recruitment industry the panic is just starting to set in.

        Most CRMs are SQL based so stuff can be deleted with enough time/skill, but as recruiters are on commission (and thus tend to want to work weekends as well as normal office hours), bringing down the CRM for half the weekend while you do a manual delete via SQL does cause some stress.

        While it's fine having an outage once in a while, if you're doing it every weekend for the latest batch of GDPR removal requests, it's going to get old quickly. Not to mention, if I am working weekends cleaning out your data, frankly you're going to be paying for it (either OT costs or TOIL). Unfortunately, some techie doing manual deletes on your CRM each week isn't really a viable business solution.

        Obfuscation of the data will work for some industries. The problem with recruitment is that we deal with a lot of personal data in document form (CVs, passport scans for legal compliance etc). All of that is going to have to be cleared off a record to put it out of use, and although you don't generally run into any referential integrity issues with documents, unless the CRM has a real delete function in it for user-level deletes, you are still paying people like me to go clear your data off at a weekend.

        Also, it's not just about the CRMs. Email/Exchange, SMS facilities and mass mailing systems (e.g. Dotmailer) all need to be cleared of identifiable data, and usually they are not well integrated with the CRM and certainly not for delete functions.

        It's not that any of this is technically impossible; it's that frankly doing all the analysis and development is a lot of work. In the same way that in Y2K it was easy to say "oh, just store your dates in long date format", saying it is one thing; changing policies, procedures and systems is something very different and quite expensive.

        1. Anonymous Coward

          Re: In the recruitment industry the panic is just starting to set in.

          There's really no need to bring down a SQL database while you delete old records, or any application using them - unless you're deleting millions or billions of records.

          Sure, some old engines had issues because of lock escalation and the like, but a well coded application written by skilled developers knowing the database they use will minimize those issues.

          And that's not what you usually do "manually" - they should be automatic jobs that can also be run at night or when most people are on holiday. And they may need to be run only a few times per year, maybe only once - unless you have specific delete requests. Which, again, should be processed by specific functions to avoid the classic "manual error".

          There was also a reason why I always advocated to store all data inside a database, and not scattered around in file shares or the like, for example - because in a database I could track where they were, and could ensure a full delete of them when needed.

          Data contained in other systems - and you know where they are, right - of course needs to be managed accordingly - technical solutions can help only up to a point.

          Actually, the real issue is archived data, like old backups. They can't be easily cleaned of only the data that is no longer useful.

          But what you tell is exactly the problem the article illustrates: companies for a long time recorded data without any clue about how to manage them properly.

          1. Loud Speaker

            Re: In the recruitment industry the panic is just starting to set in.

            a well coded application written by skilled developers

            So no need to panic then?

            1. Anonymous Coward

              Re: In the recruitment industry the panic is just starting to set in.

              Several reasons to panic, of course... the GDPR will surface a lot of application issues and bad database/storage designs. As written in another post, it's opening the septic tank.

              Requiring "by design" security and privacy will make clear what was written by competent and skilled people, and what was written by unskilled (and usually low paid) ones. It could be a good thing, because many will need to invest to clean the mess, or face the fines one day.

      2. This post has been deleted by its author

      3. katrinab Silver badge

        Re: In the recruitment industry the panic is just starting to set in.

        What if the candidate table is linked to your tax invoice table, which you are required to keep for about 8 years (6 years from the tax return deadline date, which for a company is one year after the end of the accounting period).

        Your tax invoice must contain a description of the product or service supplied, which would be the candidate.

    3. Anonymous Coward

      Re: In the recruitment industry the panic is just starting to set in.

      Good databases have been implementing cascaded deletes/updates for a long time. And even without, it could be implemented with triggers and/or stored procedures. Of course, developers using RDBMS as simple data dumps resembling file-based storage ignored good practices.

      The reasons behind not deleting a record could have been regulatory - i.e. if you need to keep payroll or invoice data you may need to keep those records in the database for some years, but not show them as active - or, as the article says, greedy ones - "those data could be valuable one day".

      The application I wrote when I was involved in such kinds of applications had functions to perform cleanups every year, purging records that were no longer needed by law. Another way was to export them so they could be stored and timestamped on WORM discs if they were to be stored off-line.

      And as GDPR says, you have to track those records as well, and destroy them when they are no longer needed.

      I'm sure there's a lot of crappy software out there. It's not an excuse to keep, sell and make data vulnerable.

      1. WookieBill

        Re: In the recruitment industry the panic is just starting to set in.

        I agree, and actually, I think in some ways we have gone backwards.

        There is one CRM I deal/dealt with that was based on its own custom filesystem rather than SQL; it had a real delete function (but no referential integrity). Its newer (not that new) replacement system is SQL Server based and has no hard delete function for users/administrators, and the delete entity stored procedure that exists in the DB no longer functions (they have added additional FK constraints to later versions of the CRM but not updated the USP).

        Now, I expect the company in question is planning to address this in a new release (and probably most other CRM vendors too), but that means an additional project for every firm that uses the software (test & deployment), and all that needs planning in, ideally now, before it's too late.

      2. Anonymous Coward

        Re: In the recruitment industry the panic is just starting to set in.

        "Good databases have been implementing cascaded deletes/updates for a long time. "

        All good databases do, yes. Sadly poor designers and shitty app coders, do not!

        Some very badly written apps still do all that pesky referential integrity in the app tier instead of letting the DB do what a DB does best, deal with maintaining and securing data. I remember the first time I peeked in a Siebel schema and just couldn't believe there was just a shed load of tables and indexes with nothing holding any of them together! You want to delete something and you don't want to use the app well you'd better get your cheque book out cos you're going to be calling in a Siebel tech at £1000 a day to do it for you!
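The thread above circles around three points: a soft-delete flag leaves the CV and personal data sitting in the database (WookieBill), `ON DELETE CASCADE` lets the database clear dependent rows for you (the Anonymous Coward on cascaded deletes), and an invoice row that must be kept for tax purposes blocks a hard delete and pushes you towards overwriting the personal fields instead (katrinab and Duncan Macdonald). The following is an added example, not code from any of the commenters or from any CRM product, that puts the three together on a small constructed schema in SQLite: the `candidate`, `cv_document` and `invoice` tables, their columns and the sample rows are all invented for the illustration, and the retention rule is simplified to "a candidate referenced by any invoice cannot be hard-deleted".

```python
import sqlite3

# Constructed schema for the example. cv_document rows cascade away with the
# candidate; invoice rows must be kept (retention), so they RESTRICT the delete.
SCHEMA = """
CREATE TABLE candidate (
    id         INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    email      TEXT,
    phone      TEXT,
    ni_number  TEXT,
    deleted    INTEGER NOT NULL DEFAULT 0     -- the classic soft-delete flag
);
CREATE TABLE cv_document (
    id            INTEGER PRIMARY KEY,
    candidate_id  INTEGER NOT NULL REFERENCES candidate(id) ON DELETE CASCADE,
    content       TEXT NOT NULL
);
CREATE TABLE invoice (
    id            INTEGER PRIMARY KEY,
    candidate_id  INTEGER NOT NULL REFERENCES candidate(id) ON DELETE RESTRICT,
    description   TEXT NOT NULL,
    amount_pence  INTEGER NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with foreign keys enforced (SQLite needs the PRAGMA per connection)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def seed(conn: sqlite3.Connection) -> None:
    """Constructed sample data: Alice has an invoice against her, Bob does not."""
    conn.executemany(
        "INSERT INTO candidate (id, name, email, phone, ni_number) VALUES (?, ?, ?, ?, ?)",
        [(1, "Alice Example", "alice@example.invalid", "01234 567890", "QQ123456A"),
         (2, "Bob Example", "bob@example.invalid", "01234 000000", "QQ654321B")])
    conn.executemany(
        "INSERT INTO cv_document (candidate_id, content) VALUES (?, ?)",
        [(1, "Alice's CV text"), (1, "Alice passport scan"), (2, "Bob's CV text")])
    conn.execute(
        "INSERT INTO invoice (candidate_id, description, amount_pence) VALUES (?, ?, ?)",
        (1, "Placement fee, contract ref C-0001", 250000))
    conn.commit()


def soft_delete(conn: sqlite3.Connection, candidate_id: int) -> None:
    """What many CRMs do: hide the row. Every byte of personal data stays put."""
    with conn:
        conn.execute("UPDATE candidate SET deleted = 1 WHERE id = ?", (candidate_id,))


def erase_candidate(conn: sqlite3.Connection, candidate_id: int) -> str:
    """Erasure request handler. Returns 'deleted', 'pseudonymised' or 'not_found'."""
    cur = conn.cursor()
    try:
        # Preferred path: a real DELETE. The CASCADE removes the CV documents;
        # a RESTRICT from the invoice table raises IntegrityError instead.
        cur.execute("DELETE FROM candidate WHERE id = ?", (candidate_id,))
        if cur.rowcount == 0:
            conn.rollback()
            return "not_found"
        conn.commit()
        return "deleted"
    except sqlite3.IntegrityError:
        conn.rollback()  # nothing was removed; fall through to the retention path
    # Retention path: the invoice row is kept untouched for its legal retention
    # period, the documents go, and the identifying fields are overwritten so
    # only an opaque candidate id remains linked to the invoice.
    with conn:
        conn.execute("DELETE FROM cv_document WHERE candidate_id = ?", (candidate_id,))
        conn.execute(
            "UPDATE candidate SET name = 'ERASED-' || id, email = NULL, phone = NULL, "
            "ni_number = NULL, deleted = 1 WHERE id = ?", (candidate_id,))
    return "pseudonymised"


def personal_data_for(conn: sqlite3.Connection, candidate_id: int) -> dict:
    """Audit helper: what is still on file for this candidate?"""
    row = conn.execute(
        "SELECT name, email, phone, ni_number, deleted FROM candidate WHERE id = ?",
        (candidate_id,)).fetchone()
    cvs = conn.execute("SELECT COUNT(*) FROM cv_document WHERE candidate_id = ?",
                       (candidate_id,)).fetchone()[0]
    invoices = conn.execute("SELECT COUNT(*) FROM invoice WHERE candidate_id = ?",
                            (candidate_id,)).fetchone()[0]
    return {"candidate": row, "cv_documents": cvs, "invoices": invoices}


if __name__ == "__main__":
    db = open_db()
    seed(db)
    soft_delete(db, 2)
    print("after soft delete:", personal_data_for(db, 2))   # CV and details still present
    print(erase_candidate(db, 2), personal_data_for(db, 2))  # 'deleted', nothing left
    print(erase_candidate(db, 1), personal_data_for(db, 1))  # 'pseudonymised', invoice kept
```

Running the script shows the soft-deleted candidate with the CV still attached, the candidate without invoices disappearing entirely (the CASCADE takes the documents with it), and the invoiced candidate reduced to an `ERASED-1` stub with the invoice row intact. The same `erase_candidate` routine can be driven from a scheduled job over a queue of requests, which is the "automatic jobs, not manual weekend SQL" point made earlier in the thread; what it does not reach is data in mailing systems and old backups, which the thread rightly flags as the harder part.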

  7. RegGuy1 Silver badge
    Thumb Up

    A good thing too

    This EU thingy seems pretty cool to me. They have worked out a way to get Google (and the rest) to pay more tax.

    What's that? We're leaving? Which pillock thinks that's a good idea?

    1. ToddRundgrensUtopia

      Re: A good thing too

      An awful lot of us do

      1. Cynical Observer
        Trollface

        Re: A good thing too

        @ToddRundgrensUtopia

        But can you explain why?

        1. John G Imrie
          Facepalm

          Re: A good thing too

          They want to leave because they don't want the hordes of Turkish immigrants entering the country just as soon as Turkey enters the EU. At least that was one of the reasons a friend gave me for voting leave.

          Oh what's that. Turkey is unlikely to enter the EU any time soon, and because we are leaving we want to do trade deals with any one including Turkey which will likely involve letting hordes of Turkish immigrants enter the country.

          1. ToddRundgrensUtopia

            Re: A good thing too

            Perhaps you have a stupid friend
