At least, after Brexit, we won't have any more of this protection nonsense.
EU bods up GDPR ante: Threatens legislative laggards with ‘infringement procedure’
The European Commission has admitted readiness for incoming data protection rules is very varied across the bloc, with just two countries having adapted their national laws. With just four months to go before the General Data Protection Regulation comes into effect, the Commission has pushed out a mass of information, online …
COMMENTS
-
-
Friday 26th January 2018 10:44 GMT codejunky
@ anonymous boring coward
If we are lucky but that's unlikely for now. The good news being as the EU adds more and more restrictions and enforces them on the member states we will be a country which has an elected government instead of puppets. Anyone wanting to deal with the EU (@anothercynic) will need to follow EU rules but the rest of us won't be bound by them. Kinda like how we trade with countries outside the EU but don't have to adopt their laws locally.
-
Friday 26th January 2018 11:03 GMT Warm Braw
Re: @ anonymous boring coward
the rest of us won't be bound by them
I don't think it's a leap forward to move from a position in which our trade with the EU is governed by EU rules and our trade with non-EU countries is governed by their rules to one in which our trade with the EU is governed by EU rules, our trade with non-EU countries is governed by their rules and we have different rules for doing business inside Britain.
There is no such thing as "free" trade as will be underlined once more when the citizens of the countries whose leaders have agreed the revised TPP are finally allowed to know what trade rules they have been signed up to without their consent. I'm afraid that's how it works: there is no great shining upland of democratic accountability out there.
-
Friday 26th January 2018 11:27 GMT codejunky
Re: @ anonymous boring coward
@ Warm Braw
"I don't think it's a leap forward to move from a position in which our trade with the EU is governed by EU rules and our trade with non-EU countries is governed by their rules to one in which our trade with the EU is governed by EU rules, our trade with non-EU countries is governed by their rules and we have different rules for doing business inside Britain."
Really? So you think if we trade with China, the US or anywhere else in the world they should make laws to govern our country and how we do business even if it is only domestic? What do you suggest for the many conflicting restrictions/standards that each individual country has? How will we let them dictate to us how to do things?
The dumb idea that the EU must dictate our local rules even for trade with nothing to do with them is a dumb idea. Just as we don't do it for any other country in the world.
"There is no such thing as "free" trade as will be underlined once more when the citizens of the countries whose leaders have agreed the revised TPP are finally allowed to know what trade rules they have been signed up to without their consent. I'm afraid that's how it works: there is no great shining upland of democratic accountability out there."
Signed up by who? A democratically elected government or a supranational gov? A supranational government with a bad track record of dealing with crisis. With a record of creating crisis. One that is openly hostile to a member who is choosing to leave. One that is so unpopular that it is giving votes to non-mainstream parties as they are often the only alternative to pro-EU. Hell even the French president admitted the French would probably vote to leave the EU if they were allowed to choose. That sounds like we have already had more shining light of democracy than some other members.
-
Friday 26th January 2018 16:19 GMT Warm Braw
Re: @ anonymous boring coward
So you think if we trade with China, the US or anywhere else in the world they should make laws to govern our country and how we do business even if it is only domestic?
Have you even any idea what a trade treaty consists of? They are legally binding, take precedence over national laws and of course they govern "how we do business even if it is only domestic" because they prohibit us from doing things that would prevent trade partners from other countries being disadvantaged in the supply of goods and services to the domestic market. That includes things like standards for safety and animal welfare and financial support to domestic industry.
And if you're really concerned about "supranational governments", I suggest you read up on Investor-state dispute settlement.
All trade agreements result in a loss of sovereignty over domestic policy. Some are better/worse than others in that respect (depending on whether you believe in free trade or protectionism) but none offers "having your cake and eating it".
-
Monday 29th January 2018 14:08 GMT codejunky
Re: @ anonymous boring coward
@ Warm Braw
"Have you even any idea what a trade treaty consists of?"
Again, so you are saying the EU cannot be making trade deals because it would require the other country to dictate the laws of the trading countries? I look forward to seeing the EU dictate their free movement and ever closer union to Canada or Japan.
"And if you're really concerned about "supranational governments", I suggest you read up on Investor-state dispute settlement."
ISDS and supranational gov. Apples and oranges? You might want to explain your point. Supranational gov is about consolidating power, ISDS is about protecting people from governments. Something I believe the EU had issue with in their dealings with Japan who wanted ISDS but the EU wanted to be backward and host gov/private disputes in the accused country.
"All trade agreements result in a loss of sovereignty over domestic policy. Some are better/worse than others in that respect (depending on whether you believe in free trade or protectionism) but none offers "having your cake and eating it"."
Ok, that still doesn't explain the EU ruling us as a supranational gov in order to trade with them. Does Canada have the right to make their own deals or is the EU making theirs now? If Canada want to sell jam to the EU it must fit the EU specs but if they want to sell jam domestically it isn't restricted to what the EU dictates is jam.
-
-
-
-
Friday 26th January 2018 15:03 GMT Anonymous Coward
Re: @ anonymous boring coward
... we will be a country which has an elected government instead of puppets.
I am not sure that is such a good thing. The entire performance of the Tory party over Brexit does not inspire confidence and God only knows what happens under Corbyn.
In my native country, Denmark, my "elected" government has taken it upon itself to reinterpret GDPR to: "We will slurp all of your data, store it forever, wherever we like, and use it for whatever purpose some random* minister deems appropriate - and we won't tell you about this, nor do we need any consent - except there will probably be a consequence for you if any of that data is wrong and then it is up to you to fix it".
If those scumbags get nailed to the table by the EU over this and get a good caning on top, I will like the EU quite a lot more.
*) Ministers do not have to be elected, they are appointed by the Prime Minister!
-
Friday 26th January 2018 16:03 GMT codejunky
Re: @ anonymous boring coward
@AC
"I am not sure that is such a good thing. The entire performance of the Tory party over Brexit does not inspire confidence and God only knows what happens under Corbyn."
That is very true. Blair won successive victories by lying his arse off and selling out the country. Yet he did plenty in his attempt to become EU president. As bad as the political offerings can be in a country these are the same slime who are in the EU politics and even worse - they elect each other, we don't get to elect anything! So think of the worst example of leader and ask yourself if you're happy for them to rule your country through a supranational gov you have no influence over. Be aware nothing is stopping them in the EU while in your country they need to be elected by the electorate.
"If those scumbags get nailed to the table by the EU over this and get a good caning on top, I will like the EU quite a lot more."
If and only if. This is the EU remember, and look at how effective they have been over Spain. France can break the financial restrictions of the EU and it is accepted. Greece can be sacrificed just to save the rich Euro countries. The EU exists to improve trade yet for petty politics the EU is screwing up a trade deal with the UK whose exporting businesses already follow EU standards and rules. The scumbags are politicians (I know this shocks few people) but people seem to forget the EU is a political union aka more politicians further removed from the people.
-
-
-
-
-
Friday 26th January 2018 09:13 GMT Cynical Pie
No arguably about it, your processing is illegal if you don't comply with the law and are processing the data of EU Citizens plus the new DP Bill currently going through parliament will implement the Regulation in full so the same principles will apply for the processing of UK only personal data.
-
-
Friday 26th January 2018 14:46 GMT Dodgy Geezer
Actually, before this, we had 1/28th of a say in where the line should be. You will not be surprised to hear that we have been outvoted more and more often in recent years. Initially we used to be in full agreement with the EU - now we disagree around 30% of the time. See http://www.votewatch.eu/blog/special-report-would-brexit-matter-the-uks-voting-record-in-the-council-and-the-european-parliament/
-
Friday 26th January 2018 15:12 GMT Paul 5
I checked the link. It says, "[the UK] has supported more than 97% of the EU laws adopted in the last 12 years," and adds that "the UK seems to have diminished its influence in the European Parliament in recent years, as a result of self-distancing of some of its own party delegations from the EU’s mainstream political families, as well as due to the results of the latest EU elections in the UK."
So there you go. We hardly ever (3%) get EU rules the government don't want (the working time directive would be one of those exceptions, and a good thing it was too). Even recently, we still "won" 86.7% of the time in the 2009-15 period. And the recent (but hardly catastrophic) loss of influence is down to UK actions and choices.
Of course it will get worse in about 18 months.
-
-
Thursday 25th January 2018 18:02 GMT Neil Barnes
It looks as if
it will also apply to things you wouldn't immediately expect it to - car owners clubs for one. Even for a small one with only a few members, there will be a lot of old data to sort out (names and addresses, etc).
Not that I've been able yet to find an authoritative guide to 'you are a small club, here's what to do'...
-
Thursday 25th January 2018 21:09 GMT Giles C
Re: It looks as if
I have just gone through with this as I run a car club.
Basically we culled all the old data we held.
Sent out renewal forms stating what we used data for and why will hold it.
Defined a data retention period (membership + 3 months)
You can see more at https://www.eatoc.org.uk/privacy.shtml
There is also a guide for football clubs (same principles) except car clubs are less physically active at https://www.muckle-llp.com/enews/gdpr-mean-grassroots-clubs/
We used that to sort out the details for us.
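The retention rule in the post above (keep a record for membership plus three months, then cull it) is the kind of thing a small club can automate. The following is an added example and not code from the post or from eatoc.org.uk: the record layout, the reading of "3 months" as 90 days, the extra "chase" bucket for members whose renewal paperwork is missing, and the sample members are all constructed for illustration.

```python
# Added example: retention triage for a small club's membership list.
# Not code from the post or from the club's site; record layout, the
# 90-day reading of "3 months" and the sample members are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Retention period from the post: membership + 3 months (assumed as 90 days here).
RETENTION_AFTER_MEMBERSHIP = timedelta(days=90)


@dataclass(frozen=True)
class Member:
    name: str
    email: str
    membership_end: date
    purposes_notified: bool  # renewal form stating what the data is used for is on file


def retention_deadline(member: Member) -> date:
    """Last day on which the club may still hold this member's record."""
    return member.membership_end + RETENTION_AFTER_MEMBERSHIP


def triage(members: List[Member], today: date) -> Dict[str, List[Member]]:
    """Split the list into records to keep, records to purge, and records that
    are within retention but still lack the notified-purposes paperwork."""
    result: Dict[str, List[Member]] = {"keep": [], "purge": [], "chase": []}
    for m in members:
        if today > retention_deadline(m):
            result["purge"].append(m)      # past membership + 3 months: delete
        elif not m.purposes_notified:
            result["chase"].append(m)      # held within retention, paperwork incomplete
        else:
            result["keep"].append(m)
    return result


def purge_log(purged: List[Member]) -> List[str]:
    """Audit lines proving the purge ran, without re-recording the personal data."""
    return [f"purged 1 record; retention expired {retention_deadline(m).isoformat()}"
            for m in purged]


# Constructed sample list, evaluated against a fixed date (day before enforcement).
SAMPLE_MEMBERS = [
    Member("A. Example", "a@example.invalid", date(2018, 6, 30), True),
    Member("B. Example", "b@example.invalid", date(2017, 12, 31), True),  # lapsed long ago
    Member("C. Example", "c@example.invalid", date(2018, 3, 1), False),   # still in retention
]
SAMPLE_TODAY = date(2018, 5, 25)

if __name__ == "__main__":
    buckets = triage(SAMPLE_MEMBERS, SAMPLE_TODAY)
    for line in purge_log(buckets["purge"]):
        print(line)
    print(f"keep={len(buckets['keep'])} chase={len(buckets['chase'])} purge={len(buckets['purge'])}")
```

The purge log deliberately records only the expiry date, not the name or address, so the evidence that deletion happened does not itself become a new copy of the personal data.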
-
-
-
Thursday 25th January 2018 22:34 GMT Anonymous Coward
Re: Does anyone really know
> what it covers,
Yes.
PS: we have been ready since last year. In fact, aside from adding the word "portability" here and there, it turns out that we were already compliant. Then again, we've always made a point of treating personal data sensibly.
-
Thursday 25th January 2018 22:37 GMT Doctor Syntax
Re: Does anyone really know
Oh for crying out loud! GDPR is published. You can go and read it at the EU's site.
It has to be implemented in each jurisdiction. The UK's version is going through Parliament and you can read about it at https://services.parliament.uk/bills/2017-19/dataprotection.html In its progress through Parliament it's called a Bill. When it receives Royal Assent it'll become the new Data Protection Act.
You can read here what it currently looks like https://publications.parliament.uk/pa/bills/cbill/2017-2019/0153/18153.pdf and that will be the finished article give or take any amendments made in the Commons.
All these surveys seem to be right. Lots of people just aren't paying attention.
-
-
Thursday 25th January 2018 18:29 GMT MatsSvensson
Here in Sweden there is a complete blackout on information for those of us who are actually supposed to write the code for systems.
Q: What should I do to make my code GDPR-compliant?
A: Oh simple, just think about ordering the register, specify your tasks, and remember to assign plenty of time for the job, and bibetybop.
.... yeah yeah, thanks for the fucking advice!
-
-
Thursday 25th January 2018 22:52 GMT Doctor Syntax
This seems to be the general approach - lots of talk about abstract descriptions of processes without any "here's what needs to be done".
And why would it be different. People who are writing such descriptions don't work for you. They don't know your business. They don't know what data you hold. They don't even know if, to coin a phrase, you're holding it right. So how can they tell you how it specifically applies to you.
You're going to have to work that out with your knowledge of your own situation. (I'm going all Bob with italics here but the emphasis really is needed.)
The text was published long ago. The various legislatures are, presumably, at some stage of rolling out the local implementations; the UK Parliament certainly is. Sitting on your hands waiting for someone to come along and shout "Go!" isn't going to help you. You need to be up and running by now.
-
Thursday 25th January 2018 23:27 GMT Nick Ryan
Doctor Syntax: You're going to have to work that out with your knowledge of your own situation.
No, no, no. You have it all wrong. The best way is to run around screaming that the sky is going to fall in, that you have to contact everybody you may have possibly ever contacted in the entire lifetime of your organisation and regularly check that you have explicit consent to do something or other but have yet to work out what it actually is that you do in order to check it or gain explicit consent for some reason. Then you need to throw lots of money at "training" companies who can kill you through death-by-powerpoint sessions and award certificates if you can remember utterly pointless bits of trivia about the GDPR (because we all try to do such things from memory) and didn't sometime slip into a coma during the training day. When this is complete you then waste more money employing external consultants for gap analysis reports which tell you nothing because they don't actually know how your organisation works. When you finally realise that this still does nothing you start throwing money at lawyers in the hope that a different external consultant will be able to get a more definitive answer despite still not actually knowing what your organisation does. This carries on getting more panicked and fever pitched the closer to the 25th May 2018 you get. The most exemplary practitioners of this then start giving advice to other organisations about how they may also run around and scream in the most appropriate, and expensive, and utterly pointless, manner.
/sarcasm
-
-
-
-
Thursday 25th January 2018 22:56 GMT Doctor Syntax
"Err, who else are you expecting to write your code other than you?"
Quite. But coding, if any, only follows a decision as to what to do. I wonder if this is what Agile has brought us to. The specification (GDPR) exists. The first step is surely to start with that and then do some analysis of how it fits the situation. Then specify any changes and then get coding. It's Waterfall. And out there that seems to be so unfamiliar that people are gazing at it and seeing nothing.
-
-
Thursday 25th January 2018 22:37 GMT Anonymous Coward
Not sure if this’ll help: Guide to the GDPR.
From same site: “A Government Official Report covering the proposal of new national data protection legislation in Sweden was published on 12 May 2017 (SOU 2017:39). The new legislation, known as 'dataskyddslagen', will replace the existing data protection act and supplement the GDPR. According to the report, the aim of the new legislation will be to permit the processing of personal data to the same extent as is currently permitted under national law so as not to broaden or restrict current practices“
If the actual Swedish rules haven’t been published yet, guess the best anyone can do is familiarise themselves with GDPR itself, and wait for the national implementation to come into force.
-
Thursday 25th January 2018 22:59 GMT Doctor Syntax
"the best anyone can do is familiarise themselves with GDPR itself, and wait for the national implementation to come into force."
That's going to be too late. Look at the GDPR itself and start acting on it. The local legislation is going to have to be an implementation of what's already available give or take a bit of gold-plating so it's not as if there should be any surprises.
-
-
Thursday 25th January 2018 22:44 GMT Doctor Syntax
"Here in Sweden there is a complete blackout on information for those of us who are actually supposed to write the code for systems."
How's that? Has the EU site been firewalled?
"Q: What should I do to make my code GDPR-compliant?"
Wrong question. The question should be "How does my business handle data compliantly and what might I need to code to help that?"
A big hint as to how far off the mark you are: data held on paper in filing cabinets and in little black books is still governed if it contains personally identifiable information. Code won't help you with that.
Your best starting point is to get a business analyst looking at how you hold and process data and compare that with what the GDPR says - someone already posted a link to help you find out.
-
Friday 26th January 2018 00:17 GMT Anonymous Coward
Security by Design and default
Q. What should I do to make my code GDPR compliant?
A. Your code should be based on a Software Design, and that Software Design should have been created with "Security by Design and default" as per GDPR. Coding is a function of translating the Software Design into a computer language which when executed meets the software design.
If you are providing Internet of Things code where devices connect to Internet servers, ensure that the connection is one direction so the IoT device polls the server only, no incoming Internet connection to IoT device is required. Secure the communication with unique certificates + unique identifiers using a minimum number of well defined ports (to simplify firewall administration) for control and data. Don't hardcode admin passwords, force password complexity.
Good programming would require you to make sure arrays with N elements are not referenced with N+Y indices. If you are using third party libraries, do they provide insurance if it causes a breach in your application and results in Data Loss? Has the third party library been independently tested for programming vulnerabilities?
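Two of the points in the comment above ("Don't hardcode admin passwords, force password complexity") translate directly into a provisioning routine. The following is an added example, not code from the comment or from any particular product: the length and character-class thresholds, the small blocklist of factory-default passwords, the PBKDF2 parameters and the environment variable name DEVICE_ADMIN_PASSWORD are all assumptions made for illustration.

```python
# Added example: admin credential provisioning for a device or service.
# Not code from the comment; the policy thresholds, the default-password
# blocklist, the PBKDF2 settings and the env var name are assumptions.
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 12                 # assumed policy minimum
PBKDF2_ITERATIONS = 200_000     # assumed work factor
# Constructed blocklist of factory-default style passwords.
DEFAULT_PASSWORDS = {"admin", "password", "12345678", "changeme"}


def complexity_failures(password: str) -> List[str]:
    """Return every way the candidate password misses the policy (empty = ok)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation character")
    if password.lower() in DEFAULT_PASSWORDS:
        failures.append("matches a known default password")
    return failures


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def provision_admin(password: Optional[str] = None,
                    env_var: str = "DEVICE_ADMIN_PASSWORD") -> Tuple[bytes, bytes]:
    """Take the initial admin password from the provisioning environment (never
    from a literal in the source), reject weak or default ones, and hand back
    only the salted hash for storage. env_var is a hypothetical name."""
    if password is None:
        password = os.environ.get(env_var)
    if not password:
        raise ValueError(f"{env_var} not set; refusing to fall back to a built-in password")
    failures = complexity_failures(password)
    if failures:
        raise ValueError("weak admin password: " + "; ".join(failures))
    return hash_password(password)


if __name__ == "__main__":
    # Constructed run: a rejected default and an accepted strong password.
    for candidate in ("admin", "Correct-Horse-42"):
        try:
            salt, digest = provision_admin(candidate)
            print(f"{candidate!r}: stored salt={salt.hex()} digest={digest.hex()[:16]}...")
        except ValueError as exc:
            print(f"{candidate!r}: rejected ({exc})")
```

Returning a salt and digest rather than the password keeps the stored credential useless on its own if the device's flash or config store is later read out, and refusing to run without the environment variable is what removes the temptation to ship a built-in fallback.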
-
-
Thursday 25th January 2018 22:26 GMT Anonymous Coward
The IAPP reported that Nikolay told a conference in Brussels: "It’s not that homogenous in the EU yet. In some member states, the awareness for data protection is much more developed than in other member states."
Commissioners are expected to go on a GDPR-awareness campaign trail around some of the newer states, including Croatia, Bulgaria and the Czech Republic.
At least two of those three countries count amongst the most privacy conscious in the continent and in fact some aspects of the GDPR were inspired by national legislation of one of those countries.
Also, both Bulgaria and the Czech Republic¹ (as well as Romania. Croatia sort of arrived late to the party as it didn't join the EU until 2013) got into pretty hot water back in the day due to their constitutional courts striking down the implementing laws of the EU's glorious data retention directive. Which was itself eventually invalidated by the courts.
And now they want to go around teaching lessons?
¹ In the Czech case, it was the very same legislators who voted the implementing laws that, on the same day those were approved, challenged their own laws before the constitutional court. Successfully.
-
Saturday 27th January 2018 21:20 GMT Anonymous Coward
"EU's glorious data retention directive. "
To be fair it was Blair's glorious data retention directive that we, the UK, forced on to the EU. So much so that when it was ruled illegal we promptly introduced the same thing again as emergency legislation, when that was ruled illegal, we ignored that ruling, then pushed in yet more illegal legislation when the emergency legislation hit its expiry date.
-
-
Friday 26th January 2018 07:20 GMT streaky
2 Countries.
"just two countries having adapted their national laws"
The "R" in "GDPR" stands for "Regulation". Those 2 countries are ijuts because regulations don't require changing national law, they automatically apply and are supreme. If they wanted countries to change their own laws they should have made it a directive.
FML people are dopey. This is absurd on so many levels I don't even know where to start.
Nice to see people confusing directives and regulations - especially when it's the EU itself - it's always good for a laugh.
-
-
Friday 26th January 2018 19:31 GMT streaky
Re: 2 Countries.
because European politics and machinations are so transparent
I'm regularly downvoted on 'reg for speaking truth about the EU but this is one of the few areas of clarity. Regulations automatically apply and don't need transposing into national law, states *can* if they choose to but they don't have to, it just supersedes any law in conflict.
-
-
-
-
Friday 26th January 2018 19:36 GMT streaky
Re: In the words of Sir Humphrey
Couple of fixes: the Germans will continue to pretend their courts are supreme to EU law they don't agree with (protip: they're not), the Irish can't afford to enforce it despite being the state where it matters most, the Italians are too busy drinking espresso to notice it and we (the British) are off. That said it's going into national law anyway - and we resent it because it's half-baked, like most things that come from the EU.
-
Friday 26th January 2018 23:04 GMT streaky
Re: In the words of Sir Humphrey
Just in case nobody gets that quip about the Germans, I direct your attention here. The last time it came up the German courts backed down to avoid being ruled against; but still uphold their belief that the German courts have primacy when they don't. Basically the German courts don't understand that the rules apply to them too, which is why they [Germans] enjoy being in the EU so much when other states that are around their GDP/Capita don't.
-
-
-
Friday 26th January 2018 12:12 GMT EnviableOne
Get with the Program
GDPR was finalised and published on 28th May 2016 and enforcement was suspended for two years.
As of 28th May 2018 (one year and a bit before Brexit in March 2019) GDPR comes into force and anyone holding Data on ANY EU CITIZEN must comply with the regulation.
The main changes between the two from an IT point of view are not really about controls, because if you're doing the DPA stuff right, you probably do it all already.
The issue with GDPR is you need the monitoring and reporting to prove it.
-
Friday 26th January 2018 15:40 GMT ngpsaki4
My question from this side of the Pond is this:
I see the regulation, have read it, and understand that it makes certain mandates.
I see that the mandates will be enforced by Data Protection Authorities.
What I seem to lack, still, is the standards that will allow us to ensure we comply with the mandates. We can't seem to find "What 'right' looks like."
Example: The U.S. Federal Information Security Modernization Act of 2014 makes numerous updated mandates in law, appoints the Secretary of Commerce to oversee implementation, and the Commerce Secretary directed the National Institute of Standards and Technology to develop the standards for implementation. This tells us how to comply with the law, and on what criteria we may be audited for that compliance.
I cannot seem to find the standards documentation to ensure compliance with the GDPR, which seems to leave it at the potentially arbitrary hands of the DPA to determine compliance. Subjective vs. objective criteria (eye of the beholder) is a great way to ensure the EU starts to reap some significant windfall to the tune of potentially 4% gross revenue.
-
Saturday 27th January 2018 21:24 GMT Anonymous Coward
You will not face a fine at all if you demonstrate you are taking data protection seriously, you will receive a warning informing you what is wrong and needs fixing, unless of course you were doing sod all to start with. The maximum fine will most likely never be applied, not even close to it, not even for Experian style cock ups.
-
-
Saturday 27th January 2018 09:12 GMT Anonymous Coward
GDPR and Intel
Given that GDPR mandates "Security by Design and default", is it possible to build a cloud platform on servers with known CPU flaws, particularly where the vendors are not recommending the patches supposed to fix the issue should not be applied?
Organisations using these cloud services are now, in the light of the CPU disclosures reported in The Register, in the position that continued use opens up the organisation and its decision makers to financial penalties. The organisation, while patching their systems is a requirement, should have completed a security review and shown that continued use meets the GDPR "Security by Design and default" requirement.
If AMD patched Ryzen/Epyc CPUs are not vulnerable to any Spectre variant, as has been reported, then continued use of flawed Intel CPUs that fail both Meltdown/Spectre means failure to meet GDPR's "Security by Design and default" is a problem for every European organisation or organisation that provides services to Europe.
So unless you can show that continued use of Intel CPUs has no effect on security, which some appliance vendors can because their appliance only runs their own code and does not permit external software to execute on the CPU, then you have a problem.
-
Tuesday 30th January 2018 11:12 GMT FidotheFrightful
GDPR
I'm afraid someone is sadly mistaken, look at the number of Irish living in the UK. Add into that Brits with Irish grandparents who can claim Irish/EU citizenship. The GDPR applies to all EU citizens wherever they may be living. Read the GDPR, also the forthcoming Data Protection bill which incorporates quite a lot of the GDPR. See:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/644634/2017-09-13_Factsheet01_Bill_overview.pdf
for the HMG overview