So the suits swanned off to GDPR events leaving you at the coalface? It's really more IT's problem

I spend a lot of time telling people that information security isn't the IT department's problem. And it's not: everyone in the business is responsible for making his or her contribution to the security of the organisation's information, and for protecting the personal data the organisation uses. I can't help thinking, though …

  1. m0rt

The business I am in has a lot of contact with other businesses whose primary is not tech related. It is surprising just how many of those businesses are quite blasé considering the fact this is possibly the biggest thing to hit any kind of data processing since the introduction of the Data Protection Act. Or just reel off Legitimate Interest when asked about how they are going to sort out opt-in on their website and the various marketing tools, tracking tools, for starters.

Going to be a fun time. GDPR I am quite for. I think that it re-addresses the balance that has been lost regarding sanctity of people's data. On the other hand, it is also showing the issues that previously defined terms or situations relating to DP have never really been tested in UK Law and can be interpreted in so many ways. If you have ever approached the ICO for advice on how best to do something and remain compliant.....you will know exactly what I mean.

    1. wstrainer

As someone who works (contracts) in central and local government - heavily involved with organisations that have to adhere to and actually police DPA and GDPR (soon) - I feel that I am well placed to offer my experience.

Using a document and records management system, users when saving a document (Word, Excel etc.) are prompted for metadata - the default choice is 'none' (chooseable) from a multiple choice dropdown box (contracts, legal, PII etc.) - I'll let you guess what most users choose.

In case you are wondering who, check out m0rt's post.

  2. No Quarter

    Meanwhile...

    ... across the channel outside of Germany and Scandinavia they will be doing absolutely nothing about this.

    1. Anonymous Coward

      Re: Meanwhile...

      Why would you think that? Remember any EU citizen can complain to their own Data Commissioner, who can then conduct a prosecution even if the data is held in another EU country. I can certainly see German Data Commissioners wishing to make an example of Irish banks or French ones of US Cloud providers.

      As someone else commented the only place where data protection is going to be ignored is the UK, because Brexit means do whatever you feel like doing.

      1. Sir Runcible Spoon

        Re: Meanwhile...

        "because Brexit means do whatever you feel like doing."

        Whatever gave you that idea? If we want to do business with, and in, the EU then we are going to have to be compliant. Just as any US company will need to be in order to process EU citizens PII.

        1. Anonymous Coward

          Re: Meanwhile...

          > Just as any US company will need to be in order to process EU citizens PII.

          One of my customers has come to the conclusion that they simply have no way to know whether someone is German or not and so have no option but to basically assume they might be and treat all personal data as if the subject were German (Germany has the strictest set of rules) just in case.

          On the other hand the management people who are all in a panic about the new rules haven't got a clue about how things really work. "We must ensure everything is secure" yeah well all those protocols you are talking about aren't secure, now what do you want me to do? ARGH, oh and all these business processes you engage in, you'll need to re-engineer them, they violate the rules. ARGH.

They seem very keen on being able to dump loads of stringent conditions on sub-contractors (moi) and not very keen on dealing with the rest of their own company and putting their house in order.

Still, when every company has paid 10% of turnover as a fine it will knock a big dent in all the government debt, or at least it will do till everything goes tits up as business after business fails.

          1. Tom Paine

            Re: Meanwhile...

            Still when every company has paid 10% of turn over as fine it will knock a big dent in all the government debt

            Couple of things

            1. Fines are capped (in the UK) at £18m. Big news for a small car hire firm, say, or a T shirt designer whose customer list is dumped on Pastebin, but Facebook? Do me a favour...

2. Fines are only levied on orgs someone's complained about, and which the ICO has resources to investigate, and which are found guilty of some non-compliance that led to a "breach" of some sort -- if the org are silly enough to report it in the first place... Hint: do you know what the FCA regulates, and what its annual budget is? OK, now do you know what the ICO's budget is?

        2. Anonymous Coward

          Re: Meanwhile...

          "Just as any US company will need to be in order to process EU citizens PII."

          I don't see where this law is limited to companies. How about web servers owned and run by individuals in the US? They may well have the personal data of EU citizens.

          Since most of these individuals have no idea what is going on in the EU, they will probably disregard this rule. It would be very difficult for the EU to extradite a US citizen, and they are unlikely to get much of a remedy in the courts over here.

          1. Anonymous Coward
            Pint

            Re: Meanwhile...

Bingo, that's my thought as well. I've already been in the process re-engineering cycle before so I don't have to imagine anything at all about the digital wreckage that is about to happen. This is the only reason I do click on the click-bait GDPR regulations. I spent a lot of time ensuring that I wouldn't end up in front of a Courts Martial or the civilian equivalent. I'd rather avoid the EU equivalent, thank you very much.

            Beer'o'clock, although it's a vodka and ginger-ale here.

          2. Ken Hagan Gold badge

            Re: Meanwhile...

            "How about web servers owned and run by individuals in the US?"

            As long as those individuals aren't trying to do business in the EU, I imagine they can treat EU citizens the same way that they treat Iranian or North Korean ones: let's call it "benign neglect".

            The reason US businesses might care is that they might actually have some commercial footing in the EU, which would be "at risk" from adverse EU court decisions.

            Then again, the wrong decision in the MS v. Ireland case might mean that US companies stop being able to operate in the EU anyway.

          3. Anonymous Coward

            Re: Meanwhile...

            > I don't see where this law is limited to companies.

            Because it is not, unless you consider owning and running a public-facing web server "a purely personal or household activity"¹.

            ¹ Article 2, 2 (c), Regulation (EU) 2016/679.

          4. Tom Paine

            Re: Meanwhile...

            There's an applicability threshold. GIYF.

        3. Tom Paine

          Re: Meanwhile...

          *chuckle*

          It's the way you tell 'em...

      2. Teiwaz

        Re: Meanwhile...

        Brexit means do whatever you feel like doing.

        I thought Brexit meant doing whatever May and other half-wits blithely building the foundation for a near future Ing-Soc think

      3. Anonymous Coward

        Re: Meanwhile...

You may want to read the Data Protection Bill 2018/9 going through parliament...it's a cut and paste of the GDPR legislation with a few tweaks.

        Brexit is renaming NOT killing GDPR.

    2. macjules

      Re: Meanwhile...

      Well, the French, Benelux, Spanish, Portuguese and Italians already have implemented GDPR and most of them have had it for over a year now. Not too sure about Eastern Europe or South East Europe and Malta is on about the same level as the UK.

      For my part, with just over 2 months to go I am busy preparing a briefing for senior management along the lines of:

      1) Our compliance team know Sweet Fanny Adams about GDPR.

      2) Our corporate governance team know all about GDPR but don't care as they have done nothing since the big GDPR junket to the Bahamas.

      3) The development team has everything ready to go - TFA, Customer Record reviews, full on-demand, personal data access and ability to delete or request deletion of personal data - just say go.

4) Summary: Either you let us do our job or get to watch your profits disappear into ICO coffers.

  3. BinkyTheMagicPaperclip Silver badge

    'If you've erased someone's data on request, does the tech team re-delete the data from the live system if they've had to restore from backup?'

    No, because that's the job of admin, not IT operations. The system to ensure it remains compliant needs to be specified, and created by development. It is absolutely not the job of IT operations to go through a checklist of data that should or should not be there, particularly as it would probably involve them needing to understand bits of the system that aren't their job.

    1. Anonymous Coward

So, if you've got a few years of backups and someone requests that data is deleted, do we have to go through all of the tapes... even more fun would be if it's database backups... restoring and then extracting the data from every tape would be a nightmare.

      1. m0rt

        No.

        This has been an issue, regardless of GDPR and the ICO recognise that this isn't always straightforward.

        https://ico.org.uk/media/for-organisations/documents/1475/deleting_personal_data.pdf

        See page 4.

So, outside of data kept for regulatory purposes which you have no choice over, and your normal backup policies (you do delete old backups, don't you? You don't keep them forever, do you?).

So - scenario: You go back to a backup from yesterday because something nasty happened. Yesterday after the backup was taken a set of records were removed. As long as you know, somehow, that these were removed you can reapply the deletion. So the deletion process will need to stay *live* for as long as you feasibly keep backups that may be used to restore from for your day to day running.

In most cases, I would argue this is a week or so for most with daily changing data. If it is a month, then you will need to keep the deletion process longer than that to ensure you can meet your duty. As long as *this is documented* the ICO should see that as endeavouring to comply with the spirit.

        If you ended up using a backup from a while back, which may be the case in some scenarios, and some data was resurrected that shouldn't be, and this got out and the sh1t hit the fan, then it comes down to why, the impact, what procedures were in place etc.

There is no black and white answer to a lot of scenarios. You can't help seeing an IP address. And you can't know if this is a piece of Personally Identifiable Information (eg, fixed IP and you have the name and address of this person) or not (temp IP or company firewall). You can't dump this (if a breach you will need to go over your logs) and you can't anonymise it in most cases, or even be sensible to do so. So it comes down to what you do, how you document, don't generally piss take and *show evidence* of what and why you do.

        Personal data should be sacrosanct. It is about time it is treated as such. By both the users of that data, and the general public who are, for the most part, pretty clueless. That isn't their fault mostly, it is just that industry has beguiled them with promises, free stuff and The Shiny™
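The "keep the deletion process live for as long as you keep restorable backups" approach m0rt describes, as an added example in Python that is not from the thread or from the ICO guidance: an erasure ledger that is replayed against a restored snapshot and pruned once its entries outlive the backup retention. All identifiers, dates and records are constructed.

```python
"""Replaying erasure requests after a restore from backup.

Added illustration (not from the thread or any ICO document). The restored
snapshot is the state at backup time; the erasure ledger records every
deletion carried out on the live system since, with a timestamp. After a
restore, every ledger entry newer than the backup is reapplied. Entries
older than the longest backup you would ever restore from can be purged,
which is the "keep the deletion process live for the retention window"
idea. All names, dates and records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ErasureEntry:
    subject_id: str       # pseudonymous key of the erased record
    erased_at: datetime   # when the live system deleted it
    reason: str           # kept for the audit trail, e.g. "Art. 17 request"


@dataclass
class ErasureLedger:
    retention: timedelta  # longest-lived backup you would ever restore from
    entries: list = field(default_factory=list)

    def record(self, subject_id, when, reason="Art. 17 request"):
        """Log an erasure at the moment the live system performs it."""
        self.entries.append(ErasureEntry(subject_id, when, reason))

    def prune(self, now):
        """Drop entries older than the retention window.

        No surviving backup predates them, so a restore can never
        resurrect those records. Returns the number of entries dropped.
        """
        cutoff = now - self.retention
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.erased_at >= cutoff]
        return before - len(self.entries)

    def replay(self, restored, backup_taken_at):
        """Reapply erasures made after the backup was taken.

        `restored` is a dict subject_id -> record from the restored snapshot
        and is modified in place. Returns the ids actually removed so the
        re-deletion can be evidenced. Safe to run more than once.
        """
        removed = []
        for e in self.entries:
            if e.erased_at > backup_taken_at and e.subject_id in restored:
                del restored[e.subject_id]
                removed.append(e.subject_id)
        return removed


def demo():
    """Constructed scenario: nightly backup, erasures before and after it."""
    t0 = datetime(2018, 3, 1, 2, 0)  # nightly backup taken at 02:00
    ledger = ErasureLedger(retention=timedelta(days=7))
    # Erased three days before the backup: already absent from the snapshot.
    ledger.record("cust-0001", t0 - timedelta(days=3))
    # Erased after the backup: present in the snapshot, must be redone.
    ledger.record("cust-0042", t0 + timedelta(hours=9))
    ledger.record("cust-0099", t0 + timedelta(hours=15))
    # Constructed snapshot as the database stood at t0.
    restored = {
        "cust-0042": {"name": "A. Example"},
        "cust-0099": {"name": "B. Example"},
        "cust-0123": {"name": "C. Example"},
    }
    removed = ledger.replay(restored, t0)
    # Five days on, the pre-backup entry is older than any restorable backup.
    pruned = ledger.prune(now=t0 + timedelta(days=5))
    return removed, sorted(restored), pruned


if __name__ == "__main__":
    print(demo())
```

The ledger only needs the subject key, not the erased record itself, so it does not become a second copy of the personal data it exists to keep deleted.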

      2. Nick Ryan Silver badge

So, if you've got a few years of backups and someone requests that data is deleted, do we have to go through all of the tapes... even more fun would be if it's database backups... restoring and then extracting the data from every tape would be a nightmare.

You will find that many "people" are still hopelessly confused by the unfeasibility of removing data from backups. Technically, it is possible, as in restore every backup to a machine environment capable of understanding the data structures (both in database and application terms including all business logic) and then removing the offending data and then re-backing up the data. Vaguely feasible for a single record, however multiply this by multiple independent executions and many backups and likely changing application environments over time and it rapidly becomes impractical. While there have been some clever-ish workarounds relying on each data row being encrypted independently and therefore all you have to do is to forget the key to lose access to the data, this then relies on separate backup schemes for backing up these keys, therefore it just moves the issue - along with making standard data access impractical.

        1. Doctor Syntax Silver badge

          "Technically, it is possible, as in restore every backup to a machine environment capable of understanding the data structures (both in database and application terms including all business logic) and then removing the offending data and then rebacking up the data."

          Alternatively, take m0rt's excellent advice, posted an hour earlier. Or mine saying much the same thing with less detail posted some weeks earlier. Why does this chestnut keep coming up? The solution should be obvious.

          1. Nick Ryan Silver badge

It should be, however this is GDPR and if there weren't idiot consultants running around fleecing companies of their cash and telling them just how hard GDPR should be, it would, well, be sensible. These goits also insist that the "right to erasure" should mean that there is no record whatsoever of the data subject left anywhere and this includes a "delete list" in case of restore from a backup.

        2. katrinab Silver badge

          If you have a system that automatically deletes data from backups as well as from the live system, then you don't have a backup system, you have something similar to RAID 1 mirroring, which only protects against some types of hardware failure.

    2. Tom Paine

      What is this magical land where you live, and how do I apply for citizenship?

  4. Dr Who

    B2B vs B2C

    Much of the advice, scare mongering and FUD about GDPR focuses on consumer data. One thing I can't find a clear answer on is the impact of GDPR on B2B businesses. Say you run outsourced IT support for other companies. On your help desk system you hold personally identifiable information on all the employees of each of your customers. Do you need to get explicit consent from each of those employees to hold their data? Do your customers' employees have the right to be forgotten with respect to your help desk system?

    Has anyone seen an authoritative legal opinion on this specific issue?

    1. Doctor Syntax Silver badge

      Re: B2B vs B2C

      "Do you need to get explicit consent from each of those employees to hold their data? Do your customers' employees have the right to be forgotten with respect to your help desk system?"

It might not be authoritative legal advice but CYA: assume "yes". The same thing applies to your customers, of course. Have they thought about such things? Have you prompted them to do so?

    2. JerseyDaveC

      Re: B2B vs B2C

      This is quite an easy one to answer: no, you don't need the consent of the individuals in this context. Your grounds for processing the personal data will be that you're doing so in order to satisfy a contract.

      As the outsourced helpdesk entity you're a processor, and the company you're working for is the controller. Both parties are required by GDPR to ensure that an appropriate contract is in place, and if your customer has any sense he/she will ensure there's a right-to-audit in the contract so they can check up on you from time to time (monitoring of ongoing conformance is essential). As a processor you're bound by the constraints that state that you're only allowed to use the data for the purposes included in the contract. If you're based in a country that doesn't have an adequacy finding from the EU then your customer, as controller, should consider this and ensure that they take all reasonable steps to mitigate this, but again that's not an overly hard thing to do (unless you're based in Russia or somewhere equally dodgy, that is).

      1. Anonymous Coward

        Re: B2B vs B2C

        > This is quite an easy one to answer: no, you don't need the consent of the individuals in this context. Your grounds for processing the personal data will be that you're doing so in order to satisfy a contract.

        This part is 100% correct.

        > As the outsourced helpdesk entity you're a processor, and the company you're working for is the controller.

        I understood the other poster to say that he runs some service company and he holds data about people at companies he does business with. And he was asking whether he requires consent from those people.

        In this scenario, I refer to the first part of your answer, but I submit that he is *not* a data processor (for someone else's data containing personal information). Instead he *is* a data controller (for his own data containing someone else's personal information).

        Apologies if I misunderstood, but that is what I get from the original post. That he is an IT services company is probably a red herring, since he doesn't mention his client's data, but data about his client's employees.

    3. NeverMindTheBullocks

      Re: B2B vs B2C

Where did you get that information from? If you didn't collect it directly from the individuals then you are not the data controller and you don't need to worry about consent. That's down to the Customer who provided it to you. In that scenario you are the Data Processor. You still need to be compliant but the rules are slightly different.

Even if you are the controller you don't automatically need consent, that's just one of the possible criteria for the Lawful Basis for processing. You do need to work with those customers at a business level to ensure that they pass on the appropriate privacy notices to their employees that explain why you are holding their data and what you intend to do with it. You also need to be able to respond to SARs from them and delete data under RtbF.

The first thing you should be doing is getting the Lawyers to give you a view on your status as Controller or Processor for the different data sets you hold (assuming you know what they are). Everything else follows from that.

  5. Anonymous Coward

    Always changing goal posts

Well, when we first mentioned it over a year ago mgmt said we won't need to bother due to Brexit..

Six months later they start to panic and it's my department (IT) to resolve all GDPR issues..

Two months later told to stop working on it as it was nothing to do with IT.

Two weeks ago it's back on my plate as they figure someone needs to be accountable (take the liability if we are in breach).. but senior mgmt go to the various sessions and conferences but IT don't as it's "not relevant".

    1. m0rt

      Re: Always changing goal posts

      Easy way to sort this.

Get management to tell you who the Data Officer is. If they feel they don't need one then they still need to nominate someone responsible. (Hint - it can't be a Board member).

      Then when you get that person - scare the shit out of them if they don't take the responsibility seriously. Unless they name you as Data Officer, in which case you are now a legal person and you can tell them exactly how it goes down and they have to listen to you or they are breaking the law and you are forced, by law, to inform the ICO.

    2. Anonymous Coward

      Re: Always changing goal posts

      > two months later told to stop working on it as it was nothing to do with IT

      So now you know when the "GDPR consultant" came knocking at the door.

      Who is the DPO in your company? Looks like it may be a good idea to get them to nominate one whether strictly required or not.

  6. Anonymous Coward

    ITs job but not IT's problem

We have always assumed that data is an IT problem but the GDPR actually moves the conversation on by making the business the owner of its own data. IT was always the custodian but never had the knowledge or influence to classify that data, say when it could be removed or even say whether it was necessary in the first place. Putting a data owner in legal jeopardy for the information stored by their department should make for more mature conversations*.

    *Except in the marketing analytics teams where all the toys are going out of the pram!

    1. Doctor Syntax Silver badge

      Re: ITs job but not IT's problem

      "Except in the marketing analytics teams where all the toys are going out of the pram!"

I'm firmly of the opinion that their toys should be taken away from them and only given back if they can prove they can be trusted with them. That goes for the whole of marketing, not just analytics. Toys, of course, includes anything on which data might be stored, including phones and paper notebooks; note Mr C's comments about checking for unstructured data. And insist that any future projects be only granted funding when detailed plans have been scrutinised by a grown-up.

    2. Anonymous Coward

      Re: ITs job but not IT's problem

      In Germany it is the case that IT staff cannot be the Data Protection Officer, although many companies, in my experience, ignore that and still appoint the IT Manager as their DPO...

      The DPO can also not be fired in Germany, under normal circumstances, and the protection carries on for 1 year after they have ceased their role as DPO... That still doesn't seem to stop companies sacking their DPOs, which is usually very expensive for them, when it lands in front of a tribunal (I've been involved in or know of 3 cases, where the DPO was wrongfully dismissed and the company ended up paying dearly for not knowing their arses from their elbows!).

      1. disco_stu

        Re: ITs job but not IT's problem

        It was a joy for me to attend a presentation on GDPR by someone at Irwin Mitchell and hear that the IT Manager (me) can't be in overall charge of GDPR :D

        1. Nick Ryan Silver badge

          Re: ITs job but not IT's problem

          It was a joy for me to attend a presentation on GDPR by someone at Irwin Mitchell and hear that the IT Manager (me) can't be in overall charge of GDPR :D

          That's a typical example of the level of stupid and incompetence that is flying around in the data protection space.

The real situation is that the role of DPO should not be given automatically to the IT Manager - it typically was in the old DPA scheme. The role of the DPO should be given to an individual who has a thorough understanding of how the organisation works and (and this is really important) has a thorough understanding of data protection. If this happens to be the IT Manager, then this is fine. If another individual is more suited then this is fine as well. One very important point is that the DPO must not be involved in the day-to-day processing of the dataset. Unfortunately this is where terminology stupidity comes in, because technically just storing the data, or facilitating the storage of the data, means that an IT Manager is often seen as a processor of the data.

        2. Anonymous Coward

          Re: ITs job but not IT's problem

          > It was a joy for me to attend a presentation on GDPR by someone at Irwin Mitchell and hear that the IT Manager (me) can't be in overall charge of GDPR :D

          Your company may want to get their money back, and you may want to get an opinion from a knowledgeable source, because Mr Someone was talking utter bollocks.

          PS: Unless they were referring to you, disco_stu, having specific knowledge of your skills and qualifications, notably if it was the case that you did not have expert knowledge of data protection law and practices or were not able to fulfil the tasks referred to in Article 39.

      2. Anonymous Coward

        Re: ITs job but not IT's problem

        > In Germany it is the case that IT staff cannot be the Data Protection Officer

        References, bitte?

    3. onefang

      Re: ITs job but not IT's problem

      "Putting a data owner in legal jeopardy for the information stored by their department should make for more mature conversations popcorn consumption."

      FTFY

  7. tim 13

    What happens when an (ex) employee wants their details removed from any system logs?

    1. Anonymous Coward

      > What happens when an (ex) employee wants their details removed from any system logs?

      System logs? Depends what those logs are. If your data in them are not needed to fulfil a critical business function and if they are not needed for regulatory or other reasons, it shouldn't be a problem, but there is no general answer other than "it depends".

      1. Nick Ryan Silver badge

        Clause 15 of the GDPR excludes data that is not stored in a specified structure (reading and re-reading this clause can give you a headache) however the general intent is that just because a document contains personal data does not necessarily mean that it is covered by the GDPR.

Logs are an interesting one as they are a historic record of fact. If you process the data with the intent of filtering by user then in some ways they are covered by the GDPR, however if the logs are not structured in a specified way (this is where it gets fuzzy) then they are not.

  8. Anonymous Coward

Based on a brief glance at these rules, they cannot possibly be implemented. Every computer everywhere is full of personal data as defined by the rules. There is no practical way to remove or secure all of it.

    I think the high-level managers who are just pretending to comply, without actually checking into what is really going on, may have the right idea.

    1. Anonymous Coward

      > Based on a brief glance at these rules, they cannot possibly be implemented.

      > I think [blah blah]

      And I think you should refrain from opining on things you know nothing about based on "a brief glance".

  9. rick137

    Let Compliance lead it, we're not taking responsibility...

    So I worked for a bank in the Channel Islands and GDPR was raised by a newbie who had the best of intentions...He came from a strong security background, had get up and go and generally wanted to try to make things better. When he started asking questions about GDPR, training for IT, how we can contribute and potentially lead, the response was generally "keep your head down son, try not to get shat"...

IT manager did not want the responsibility of owning GDPR; Compliance were too blind to see the path ahead; Legal were in the pub talking Porsches and Maseratis with Treasury & the C level was nowhere to be found, or perhaps he forgot it was Monday....

    Bottom line - this particular CI bank IT shop leader expected Compliance to lead, with input from IT -- not happening - this was recent. The belief was - "let’s wait and see who gets fined first, pray it's not us, then get something in place once the ink has dried on the legalities"

    CI is certainly different to UK (as you know DC), but it's quite farcical how some large CI banks IT dept. are addressing the issue...

    RS

    1. HmmmYes

      Re: Let Compliance lead it, we're not taking responsibility...

      CI finance sector is rapidly dying.

    2. Adam 52 Silver badge

      Re: Let Compliance lead it, we're not taking responsibility...

      Compliance teams, in my experience, don't do leading; they make policy and shift blame. That their policies are inconsistent and unimplementable is a bonus because it makes it really easy to blame someone else.

      At the moment mine are telling me that we should keep customer data no longer than 6 months after the customer leaves; at the same time we're allowed to spam them for 3 years and are obliged to retain everything for over 7 years in case of legal action.

      So whatever I do I'll be in breach, unless I just refuse to add any customers at all.

  10. NerryTutkins

    requesting customer data

    One of the onerous requirements is that people will be able to request a copy of all the data on themselves for free. Previously you could charge £10, which in many cases didn't cover the cost, but at least stopped spurious requests made just to annoy you. But now you have to respond within 28 days and at zero cost. You can only charge if the requests are excessive, e.g. someone requests it multiple times, or multiple copies etc. and the bar for this is set pretty high.

    So anyone who hasn't built some kind of system to easily extract all data on an individual and put it in a text file or whatever is potentially going to need such a system pretty quick. I think requesting this data will quickly become the annoyance of choice for any disgruntled customers.

    1. Pete 2 Silver badge

      Re: requesting customer data

      > I think requesting this data will quickly become the annoyance of choice for any disgruntled customers.

      Or employees ....

    2. Anonymous Coward

      Re: requesting customer data

      > One of the onerous requirements is that people will be able to request a copy of all the data on themselves for free.

There is nothing onerous about it. It was what passed for a data protection act in the UK that allowed businesses to charge for people exercising their rights, which was never the case on the continent. And guess what? We did just fine like that.

      > So anyone who hasn't built some kind of system to easily extract all data on an individual

      Anyone who doesn't know where to find an individual's data is not in a position to protect said data and is therefore being irresponsible and negligent.

      > I think requesting this data will quickly become the annoyance of choice for any disgruntled customers.

      The proper response to that is to not piss of your customers.

      1. Omgwtfbbqtime
        Pint

        Re: "The proper response to that is to not piss of(sic) your customers."

        Or piss on them.

        Icon because.

        1. Anonymous Coward

          Re: "The proper response to that is to not piss of(sic) your customers."

          > Or piss on them.

          That may well be a requirement in certain lines of business.

  11. Pete 2 Silver badge

    The end of the world?

    > The other thing you need to understand is whether there's a gap between how you think you work and how you actually work. My favourite example here is backups:

    Noooooooooooooooo!

    The absolute LAST thing that any business mangler wants is to "know" that the way they think their business runs is different from reality. They are all firmly convinced of several things:

* Everything works perfectly, all of the time, except when the I.T. dept. change something

    * Every I.T. person has a special key on their keyboard labelled "The Answer"; they only have to press that to respond to any technical question in easily understood language - but they don't.

    * All problems happen because the techies are lazy, watching pr0n or are stupid

    * The reason that "issues" take so long to fix is the same reason problems happen in the first place (they are probably correct about that, but not for the reasons they think).

    * Most techies sit around all day (see above) and will fight for the privilege to answer the phone, if you ever call them.

    That is their world view. Even a second's exposure to reality would cause a nervous breakdown in even the most hardened and cynical manager. They would never be able to sleep again, talk in coherent sentences and it would utterly destroy their golf.

  12. Tom Paine

    Box ticking

    > all the related events were attended by audiences almost uniformly comprised of business managers, compliance people and the like. That is, people who are responsible for operating and overseeing GDPR compliance. And they're defining processes, asking colleagues what data they hold, and getting the company lawyer to update standard contract terms and write privacy notices. But they can't really do all this stuff on their own.

    Oh, but they can, and they do. They don't need on-the-metal ground truth to get the job done - because the job isn't *actual* compliance, it's the ability to evidence that they went through the right magical passes, assembled the right docs, ... ticked the right boxes. Of COURSE their conception of where PII is stored and processed in their org comes from a review of the service catalogue or a list of apps on a PowerPoint slide, or the spreadsheet tracking officially, capital-P Procured systems and apps, rather than an Nmap scan. Compliance is top down. Monitoring and enforcement is bottom up: it means reading random Helldesk tickets, visiting users, chatting to people in the lift or down the pub to find out what's *really* going on. Of course, no-one with any sense wants to do that, because they all know it'd be a can of Pandora's worms... The thin end of a slippery wedge....

  13. Tom Paine

    Naivety

    Sorry to post twice but...

    If you've erased someone's data on request, does the tech team re-delete the data from the live system if they've had to restore from backup?

    How will they, or anyone else, ever find out if you haven't? That's what management are thinking, and that's why no-one but the most obsessively over-regulated or bloated orgs are going to give a flying one about that, or many many other related issues.

    Maybe a few fines will change minds. I can't see it. How many orgs are there on the ICO's list of enforcement notices and fines? (Lots.) What percentage of active organisations does that number represent? A rounding error.

    1. Anonymous Coward

      Re: Naivety

      > How will they, or anyone else, ever find out if you haven't? [deleted their data upon request]

      Because if someone has gone to the trouble of requesting that their data be removed, there is a very good chance that they are actually going to check by making a subject data request at some later point.

      If data then turns up, expect them to report you to their data protection authority, something which may trigger an audit, which may in turn uncover non-compliance in other aspects, causing you to end up in a much deeper hole than the one you started in.

      Would you like a shovel?

  14. Pen-y-gors

    Suits swanning off?

    Some years ago, the company I worked for invested in some '4GL' technology (4th generation language - actually a code generator called TELON). A couple of us got it all working, and then came the Global Conference in Texas. Who went to discuss the details of this new wizardry? The people who knew what it did, how it worked and could benefit from networking with other users? No chance, off go the managers.

    When they came back they were a bit shame-faced, as they hadn't really understood very much. Tell you what, they said, there's a European User Conference coming up in a couple of months. You guys can go to that. Yippee! Where is it? Paris, Frankfurt, Madrid? Scarborough!

  15. Anonymous Coward

    Techie?

    Isn't a job. It's a derogatory term used by people who can't be bothered to understand IT.

    1. Anonymous Coward

      Re: Techie?

      > Isn't a job. It's a derogatory term used by people who can't be bothered to understand IT.

      You're not far off the mark. I've worked with plenty of organisations, in the EU, who have decided that the various things that IT techies do are just functions, which can be performed by an Indian earning a fraction of what a local techie would earn.

      So we have the situation where a change control request is needed to plug in an Ethernet cable, another request is needed to enable the port, another to get an IP address, another to configure it, and so on.

      This is by design; restricting what people can do helps to protect against people screwing things up, whether accidentally, through incompetence or through malicious intent.

      The problem with this, at least in this context, is you can't expect any of them to be empowered to implement any aspect of GDPR. Of course, you could add a line to the process which ensures that people with sufficient privilege go through the various checks that need to be performed but in practice change controls will take so long to implement that either corners will be cut, business will be lost, or most likely, the process simplified, empowering skilled individuals, all at great cost.

      It's going to be interesting to watch.

  16. Colin Bain

    It's about communication

    Having "communicated" with IT over the years, I have noticed that we all speak a different language. And given the number of published examples of IT helpdesk idiot customers, there is a communication problem. Do you really think, after having miscommunicated all these years, the suits really want to tangle with IT? My experience is that the consulting IT help desk is saturated with them not appreciating just what is being communicated to them and not caring to understand. So when IT starts to approach with expertise, I'm less inclined to listen, never mind even hear what is being said. BOFH is not so far from the truth, even though I like to laugh at it. So when IT can really help, it is a perfect storm of imperfect understanding. And nobody is listening to anyone. And of course there is the next stream of jokey idiot customer examples.
