"After all, nobody wants to be the first to get a €20m fine."
Is anyone running a book on who it'll be?
Data was a hot topic last year and it's already big in 2017: Microsoft continues to resist the US government's attempts to get hold of data held in its Irish data centres. But just as it seems to be making progress, the government has won a favourable first instance ruling against Google forcing it to disclose data held outside …
There's no need to wait for the GDPR to come into force. Since the Court of Appeal disapplied Section 13(2) of the DPA, it's now possible to claim compensation against an organisation without having to demonstrate that you've incurred a financial loss as a result.
I'm in court tomorrow against Halfords because they refused to provide me with answers about how they process personal information fairly. First their solicitor told me that she had fully answered my questions but in her defence, she argued that she did not have to answer my questions.
Keep an eye out for that unwanted marketing and submit a claim. It only costs £50. Easier still once the GDPR comes into force. Most of the companies that we do business with are likely to be sitting ducks.
Please let us know how you get on.
But be warned "First their solicitor told me that she had fully answered my questions but in her defence, she argued that she did not have to answer my questions." The two are not mutually exclusive and this sort of defence in depth is normal. If the court rules they didn't answer your questions fully they'll fall back on they didn't have to and vice versa.
I went to Halfords for a new windscreen wiper. In the old days there was a little book you'd use to look up make/model.
Now it's a tablet computer which requires you to enter your vehicle registration and there was no obvious privacy statement on how/if they'd use or store that data.
Needless to say I went elsewhere...
I'd argue it's not something teachers should be doing. I work in the NHS; we have a Data Protection Officer who handles this and will handle the GDPR requirements too, and not a single nurse will need to fill in a form.
It's up to the local council / Education authority and head teachers to ensure schools are ready. They can pass the buck all they want, the ICO won't care when looking to fine.
I'd say that neither of you understands how schools operate day to day.
Data is used by staff all day, every day. Some departments in some schools sign up to third party education sites (eg. MyMaths) and set up users within those systems (this is especially the case in smaller schools).
Also, Academies are no longer anything to do with the LEA - it has to be dealt with in house, meaning the school has to pay for legal advice and set up their own compliance systems. That's a significant cost for a small academy, especially when budgets are worth less now than they used to be (inflation, unfunded pay increases etc...).
Most schools use a catch-all agreement for data usage/processing each year on the data-checking sheet sent to parents. That will have to change, in fact most data protection procedures will have to change.
So, as I said, it will make teachers' lives more difficult.
But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need.
Notice the article didn't mention how many trusts have been fined over the years.
https://www.databreaches.net/chelsea-and-westminster-nhs-trust-fined-180000-for-hiv-newsletter-data-breach/
I remember this one.
"But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need."
OTOH public bodies handling personal information, especially that from people who virtually have no option but to give it, should not get a free pass if they fail. It's a difficult issue and needs a solution.
"But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need."
As Baldy50 says, we often don't have a choice to use public sector services so they should lead by example but taking away money from an entity funded by the taxpayer is not a great solution. In fact, the whole principle of fining has always struck me as dodgy. "You've committed a [data / road traffic / tax (delete as required)] offence but if you pay us money we'll forgive you."
Largest public sector ICO fine (and largest ICO fine ever until TalkTalk) was £325k against Brighton and Sussex University Hospitals NHS Trust.
https://www.theregister.co.uk/2012/06/06/nhs_trust_disputes_ico_fine/
Fining schools or NHS etc is pointless. There should be a consequence to management, not the organisation. A fine for a school could bankrupt them, and all that'd do is disrupt the education of children.
No, make it apply directly to the person in charge - a personal fine, and loss of their job etc...
"Don't envy anyone over there in IT."
The core problem is often marketing wanting to gather too much information and then handing processing of it over to some friendly spammer digital marketing agency. Alternately it's top management wanting to scrimp on IT. In either case pointing out the possibility of €20m fines should give IT a useful line in to put in any powerpoint.
"Should be mandatory reading for every CEO."
CEOs reading el Reg?
Following on from my previous comment, and much as I hate powerpoint presentations, maybe the first chance anyone gets to do a presentation for upper management or marketing should start off with a slide saying in large letters:
IN MAY 2018 WE BECOME LIABLE FOR A FINE OF €20,000,000.00
That should get their attention.
The joke about all this is that while private companies risk £20m fines or whatever, the government (any government) will just carry on doing exactly as it pleases.
Call your bank to make some trivial query about your account and you get the ninth degree of security nonsense, but if the NHS wants to hand over your data to Crapita, that's just fine and dandy, they don't even need to tell you.
Data protection works for them against you, but not the other way around.
Any analysis of the impact of the Trade in Services Agreement? Reports (not necessarily reliable) say that it outlaws any restrictions on sending data out of the country? Would this prevent the EU signing up? Or override EU rules?
After Brexit, if we retain GDPR-level rules (so we can exchange data with the EU) what would be the implication if we were then to sign up to TISA, or a bilateral trade agreement with similar text?
I'm not familiar with the agreement but it would appear the two would be mutually incompatible, especially if or, as I think we mostly expect, when the Privacy Figleaf gets torn down. I think the implication would be that it would have to go the courts to sort out the implications.