Businesses brace themselves for a kicking as GDPR blows in

After years of dire predictions, the problems caused by weak identity management could be about to catch up with businesses across the UK. Their fears have not been caused so much by the criminals as by the bureaucrats, law makers and politicians who have spent years honing the General Data Protection Regulation (GDPR), the …

  1. Anonymous Coward

    Fines vs. Compensation

    Fines are all well and good, but it's an individual's data that has been let loose, but a fine goes where? Compensation goes to the individual, no?

    1. This post has been deleted by its author

    2. Charlie Clark Silver badge

      Re: Fines vs. Compensation

      You have to distinguish between civil and criminal cases, particularly as this is European and not US law. The fines are levied because the companies break the law. Compensation has to be applied for separately, i.e. the law is not supposed to be an invitation for class action suits.

  2. Korev Silver badge

    Equifax?

    >OnlyID from FIS and Equifax, for example, allows customers to onboard or authenticate themselves to e-retailers that are part of the network.

    Equifax you say? Their cybersecurity record is exemplary...

    1. reprobate

      Re: Equifax?

      If Equifax is the Gold Standard of data protection and GDPR compliance, then I'm back to cheques and "over the counter" transactions. The world is finished!

  3. Lee D Silver badge

    I'm much more interested in something that I've been pointing out for years.

    The DPA has ALWAYS said that you should only have access to the data necessary for your job.

    Could you then please explain why call-centre agents have my entire records in front of them the second I phone up? I might not even need them to reference anything at all. I might be phoning to ask their sales number.

    I've been saying for years that call-centre software should literally give blank entries until the agent clicks the box to request that piece of information. And each click should be recorded and determined whether it's "necessary" or not.

    Immediately... you cut out "someone who used to work here stole our database" and "someone checked out the celebrity's account and told the papers his home address", not to mention "let's crank-call the guy who was rude to us because we wouldn't help him" (never had it, but I know people who work in call-centres and it does happen).

    Such control was always needed under DPA but nobody ever had it. Now we have GDPR, still nobody has it. Can anyone explain why the agent needs my date of birth, home address (at all, I would argue... they can "Send Engineer" or "Print Letter" without ever needing to actually see my address at all!), telephone number (though should have a "Call User" button, and maybe even a way to tell that the CLI matches the account, but do they actually need to see the number, etc.)? I can see it might be *useful* but that can be just as useful *on request*.

    Here's hoping that in a few years' time, the case law will lay down the requirements more explicitly about what's "necessary to do your job".

    I deal with 1000 customers on a regular basis, and I work in IT. I have no need to know their phone numbers, home addresses or their actual email whatsoever, let alone anything else. I could do my job - with a properly designed system - without access to any of that information, except in rare circumstances where I need to change it. So why does ALL the software built for my industry give me all that information by default, and let me wander into it willy-nilly, with almost no control at all?
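
An added illustration of the reveal-on-request design described in the comment above (not part of the original post, and not any vendor's software): fields render blank until the agent asks for one and gives a reason, every request is logged, and actions such as printing a letter or checking the caller's number use the data without displaying it. All class, function and field names and the sample record are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

MASK = ""  # blank entry shown until the agent asks for the field

@dataclass
class AuditEvent:
    when: datetime
    agent: str
    account: str
    action: str   # "reveal", or a blind action such as "print_letter"
    detail: str   # field name or action target
    reason: str

@dataclass
class AgentView:
    """What one agent sees of one account during one call (hypothetical model)."""
    agent: str
    account: str
    _record: dict   # full record, never rendered directly
    _log: list      # shared append-only audit log
    _revealed: set = field(default_factory=set)

    def _audit(self, action, detail, reason):
        self._log.append(AuditEvent(datetime.now(timezone.utc), self.agent,
                                    self.account, action, detail, reason))

    def screen(self):
        # Every field is blank unless it was explicitly requested on this call.
        return {k: (v if k in self._revealed else MASK)
                for k, v in self._record.items()}

    def reveal(self, name, reason):
        if name not in self._record:
            raise KeyError(name)
        if not reason.strip():
            raise PermissionError("a reason is required to reveal " + name)
        self._audit("reveal", name, reason)
        self._revealed.add(name)
        return self._record[name]

    def cli_matches(self, caller_number):
        # Tells the agent whether the caller's number matches, not what it is.
        self._audit("cli_check", "phone", "automatic")
        return caller_number == self._record["phone"]

    def print_letter(self, template):
        # Blind action: the address goes to the print queue, not to the screen.
        self._audit("print_letter", template, "customer request")
        return {"template": template, "to": self._record["address"]}

def reveals_per_agent(log):
    """Count reveal events per agent so a reviewer can judge what was 'necessary'."""
    counts = {}
    for ev in log:
        if ev.action == "reveal":
            counts[ev.agent] = counts.get(ev.agent, 0) + 1
    return counts

def demo():
    log = []
    record = {"name": "A. Customer", "dob": "1970-01-01",   # constructed sample
              "address": "1 Example Street", "phone": "+440000000000"}
    view = AgentView("agent-17", "ACC-0001", record, log)
    before = view.screen()
    matched = view.cli_matches("+440000000000")
    job = view.print_letter("engineer-visit")
    view.reveal("name", "confirm account holder")
    return before, matched, job, view.screen(), reveals_per_agent(log)
```
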

    1. Anonymous Coward

      "a properly designed system"

      > "a properly designed system"

      You answered your own question.

      Proper systems design is not trendy enough these days.

      Gone are the days of (heaven forbid) talking to the system's intended users or other stakeholders in the business (such as getting legal advice on data handling practices).

      No, these days it's all high-speed iterative development, with rooms full of latte-drinking millennials sitting on bean-bags sticking post-it notes on whiteboards. The whole software project is just now one big treadmill with no real design.

      And to go with this high-speed development, we have the featureset box-ticking mindset (our competitor has X, so we must have X).

      I'm not saying the old-school software development process was perfect. But there is a lot to be said of taking the time to sit down, talk and plan before the coders hit their keyboards.

      As they say, the 6 P's. Prior Planning Prevents P* Poor Performance.

      Remove great swathes of "prior planning" and you're left with the sorry state of today's software development.

      1. LeahroyNake

        Re: "a properly designed system"

        6 P's, you can do it without mentioning the process of evacuating urine.

        Prior

        Planning and

        Preparation

        Prevents

        Pathetic

        Performance

        ;)

        1. LeeH

          Re: "a properly designed system"

          Downvoted for the PC approach.

    2. no_handle_yet

      and ....

      I agree with everything you said. Plus, why do call centres call me up then expect me to prove who I am to them? I can never seem to convince them that it is arse about face. They called me, out of the blue, uninvited, claiming to be my bank, phone provider, power company etc. Well I know who I am so it's not down to me to prove anything. It always ends with me hanging up.

      If they need to talk to me about anything non-trivial they can email, txt or write inviting me to contact them on a number that I'll lookup.

      1. eldakka

        Re: and ....

        I have this exact same argument when I get cold-called from my banks/utilities companies.

      2. Sanctimonious Prick

        Re: and ....

        That annoys the hell out of me too!

        My ISP called me on my mobile, which I answered with my first name. I was then asked my e-mail address and home address.

        No!

    3. eldakka

      > Can anyone explain why the agent needs my date of birth, home address (at all, I would argue... they can "Send Engineer" or "Print Letter" without ever needing to actually see my address at all!), telephone number (though should have a "Call User" button, and maybe even a way to tell that the CLI matches the account, but do they actually need to see the number, etc.)?

      Because, as dodgy as it is, those are the secret questions, and the answers, they use to identify you.

      They don't care what your actual DoB, address, etc. are, they've used that information supplied when creating the account automatically as the answers to the "secret questions". So when you contact them, they are reading their secret questions "What's your DoB? What's your Full Name? What's your address?" and matching your answers with the answers they have to those secret questions.

      You really aren't identifying who you are, you are really just confirming that you are the owner of the account that is being discussed. A pretty dodgy, easy to social engineer set of answers - if you provided real values.

      So if you sign up with random values for those questions, then you can keep using those random values to identify yourself as the owner of the account in question to them. Of course, if it's a legal contract - like a postpay telephone contract, then you have to supply the correct details as you are entering into a credit contract.

  4. Anonymous Coward

    Income generator

    As soon as the government realises this can be a cash income generator, they will use it just like local councils do with any loophole they can find.

    Who pays when they eff up?

    Nothing for the victims again or did I miss that bit?

  5. Anonymous Coward

    They want GDPR in the US?

    I read that some US House/Senate members want similar GDPR laws!

    Seriously?

    Sorry, give a moment..... roflmfao....

    ...ok, corporate politicians voting to sting companies with massive fines...

    no, too much.... more roflmfao...!

    1. Anonymous Coward

      Re: They want GDPR in the US?

      There are some pro-privacy congressmen in the US who aren't owned by corporations. But they are few in number, so it would take a lot to see anything similar emerge here.

      I suspect we're more likely to see some of the corporately-owned politicians whining and screaming when the EU starts levying fines against US companies for violating the GDPR, because their corporate masters will be demanding it and because many of them have an aversion to anyone in the US being subject to the laws of others (but not so much the other way around)

  6. Charlie Clark Silver badge

    As of January 2016, the US Federal Trade Commission took note…

    Sorry, I thought the article was about GDPR. If so, what does the FTC have to do with it? In Europe you'll have a lot more trouble trying to get SIMs activated over the phone as the article describes. Indeed SIMs, along with PINs and PUKs, were introduced in Europe partly to limit identity fraud.

    Will Americans ever understand that they don't have a monopoly on jurisprudence?

  7. SVV

    Hopefully they will start at the top

    Investigate and fine the big companies first, rather than pick the low hanging fruit of smaller organisations that may not have had the money or even the knowledge to get things sorted in time. The operation of HMRC gives no confidence that this is the way that things will be done.

    I have seen far too many examples of sizeable companies virtually offering open access to customer data to far too many people in the IT department, and have been brushed off many a time when raising the issue with managers who didn't want "the burden and unnecessary cost and effort" of having to bother themselves with any potential disasters that would have arisen had someone decided for any reason to exploit the lax state of affairs. Even talk of legal issues was sometimes met with a "yeah, whatever" attitude. Some nice publicised cases with resulting reputational damage may be the only way to properly stir these incompetents into meaningful serious action, which will actually be good for all of us in the end.

    1. VinceH

      Re: Hopefully they will start at the top

      "Investigate and fine the big companies first, rather than pick the low hanging fruit of smaller organisations that may not have had the money or even the knowledge to get things sorted in time. The operation of HMRC gives no confidence that this is the way that things will be done."

      Your lack of confidence is shared.

      Worse, I suspect what we'll see is pretty much more of the same when it comes to the size of fines issued to those who truly deserve it - don't forget the magic words in the amount they can be fined: "Up to".

      1. tfewster

        Re: Hopefully they will start at the top

        Please, please start with the Credit Reference Agencies! Though they've wangled dispensations in what they can do with your data, a full audit would be lovely to see.

        *Ahem* I mean, both low hanging fruit and high impact if they lose data. You know it makes sense.

    2. Anonymous Coward

      Re: Hopefully they will start at the top

      Investigating and building a case against large companies will take a lot longer than against small companies, and the stakes are higher for getting it right when there's a billion euro fine to be levied instead of a thousand euro fine.

      Even if they start actions against the bigger companies first, they won't be first to completion.

  8. Alan Brown Silver badge

    Even more incentive to bury it.

    Faced with the choice between admitting a breach and facing large fines, or covering it up, what do you think most companies will do - and have their lawyers advising them to do?

    Unless there's something like a x10 multiplier for getting caught after covering up, it's in the company's economic interest to do so. They've already broken the law, so another breach is neither here nor there.

    1. bigtimehustler

      Re: Even more incentive to bury it.

      The fine is up to, I think you will find it will be the high figure if it is covered up, and much lower figure if it is owned up.

    2. Charlie Clark Silver badge

      Re: Even more incentive to bury it.

      Companies that suffer data protection breaches don't tend to be very good at keeping stuff quiet, sort of goes with the territory. In many cases security breaches must already be reported and failure to do so can come with harder sanctions than those the ICO can offer, starting with a couple of nights in chokey.

      What GDPR does, as with much recent EU legislation, is establish the principle of being responsible for the behaviour of suppliers. This is going to be painful for many to set up but makes a great deal of sense because large companies will find it hard to wheedle their way out by blaming poorly chosen suppliers.

      If only we'd such principles in Seveso or Bhopal…

  9. Anonymous Coward

    Apropos of GDPR...

    https://twitter.com/fr3ino/status/1000166112615714816

    Because of #GDPR, USA Today decided to run a separate version of their website for EU users, which has all the tracking scripts and ads removed. The site seemed very fast, so I did a performance audit. How fast the internet could be without all the junk! 5.2MB → 500KB

    https://twitter.com/fr3ino/status/1000708906434392064

    The Verge shows a tracking-consent message when visiting the site from the EU. Most people will click "I Accept" to make it go away, but if you don't and hide the message via CSS, you won't be tracked and the site is way faster: 32 vs 5 secs load time, 61 vs 2 JS files, 2 vs 1 MB

    1. Anonymous Coward

      Re: Apropos of GDPR...

      Is he loading it over a 56K modem or something? I'm in the US and I just tried loading usatoday.com and it took about two seconds...

      1. Anonymous Coward

        Re: Apropos of GDPR...

        The test was done at 3G speed.

        1. Anonymous Coward

          Re: Apropos of GDPR...

          Whose idea of 3G speed? I was getting nearly 5 MB/sec off AT&T's HSPA 3G network when it was underutilized late at night, before they finally brought LTE to town a few years ago.

          1. Adrian Midgley 1

            Re: Apropos of GDPR...

            What rate did you get when it was overutilised at lunchtime?

  10. Anonymous Coward

    Yes!

    One of the first bits of unwanted EU red-tape we'll be well shot-of after Brexit along with bendy cucumber legislation!

    1. EnviableOne

      Re: Yes!

      Sorry JJ - it's UK law (Data Protection Act 2018) and is fundamental to getting a data security equivalence decision to keep trading in the EU. Oh and by the way, GDPR applies to anyone world wide holding any EU citizen's Data.

      Personally, I feel the fines are a big enough deterrent, if the DPAs hit one of the big boys hard early on. But I would have liked the DPA to go further and make directors criminally responsible for their companies' privacy and security practice.

      1. Anonymous Coward

        Re: Yes!

        "GDPR applies to anyone world wide holding any EU citizen's Data"

        No, not "anyone". GDPR does not apply to people processing personal data in the course of exclusively personal or household activity, otherwise your address book would put you out of compliance. Also you may have noticed that you haven't received a privacy notification from any of the various security services in Europe or elsewhere in the world for that matter. I'm not sure if it applies to the scum who are sending me lots of SPAM either. If it does they don't seem to care. I was going to say "they don't seem to know" but quite a bit of it is GDPR phishing.

    2. rmason

      Re: Yes!

      No!

      It is UK law. It will still be UK law post brexit. I can't really see why they'd be motivated to remove it. You'll probably want to calm down a tad, and get used to it being a thing.

      1. Version 1.0 Silver badge

        Re: Yes!

        After Brexit the data will be washed in Chlorine and passed to FB (next best thing to a whoremoan).

    3. Outski

      Re: Yes!

      Just me, or is there a flock of Whooshes flying around your post, there?

  11. Anonymous Coward

    Did i read the article and leave with the impression

    that if a criminal accesses my data it's a breach? therefore hacking, phishing and other compromises become a data issue as well as a data/technical security issue?

    If I read that right companies have far more motivation to handle a data loss incident than they usually do by fobbing you off with "you must have given them your password or left it written down"

    I must say I hadn't in my ignorance considered this angle but it seems it could get interesting...

  12. Webster

    Recital 64

    Eh? Recital 64 is just saying you need to be absolutely sure you have the right person before you give them any personal data under a subject access request.

  13. Norman Nescio Silver badge

    Improvement means deterioration

    I am, sadly, pessimistic about how effective organisations will be in assuring authentication before people access their own data. Given how the banks struggle with non-standard customers e.g. the visually impaired, or people who have more than one abode (which may be in different countries), I shudder to think how organisations will make life difficult - it's bad enough requiring original copies of utility statements when many organisations have gone 'paperless'.

    Some people will really struggle to prove they are who they say they are: many have no passport, and utility bills are all in their spouse's name, some have no driving licence either. Not everyone is well known to someone on the list of professions that are allowed to witness that a photograph is a good likeness of the bearer: "be ‘a person of good standing in their community’ or work in (or be retired from) a recognised profession"

    I have always thought that a test of a good process is how well it handles valid exceptions. Unfortunately, many processes stop at the 'computer says "no" stage', leaving people with little recourse other than an inefficient and arduous complaints 'process'.

    It is also instructive to see how organisations handle recovering from mistakes. Admitting that a mistake can have been made is a good start - and some organisations have exemplary mitigation processes that give you confidence in doing business with them in future. Others, well, not so much. I currently have two financial organisations who have data problems. One pays me dividends approximately every 6 months from shares held in an ISA with them, but when I call them, claim to have no record of me, despite voluminous documentation supplied by me. The other is unable to prevent physical letters being sent out to me telling me that my account has not been accessed for <x>-months, even though the account has been in regular use. I am sure GDPR will not improve things.

  14. Anonymous Coward

    Had to obtain a SIM in India once

    Needed a passport scan, mugshot, visa scan and proof of residence for my stay.

    1. Dan 55 Silver badge

      Re: Had to obtain a SIM in India once

      That'd kill the second hand market stone dead.

  15. Anonymous Coward

    Does GDPR say anything about firm's responsibility for Blocking Malware?

    Examples - #1: Firms Hosting their own Public-Forums to promote / support their products. But failing to take down Bots posting Malware links quickly or not at all. #2: Firms with post-GDPR permission to send emails, but failing to filter / strip out Malware links or Malware attachments first...

  16. Graham Cobb Silver badge

    Not in my name

    I am very worried that some firms will use this issue as an excuse for storing (and subsequently losing) even more of my personal data! Including some quite sensitive stuff.

    For example, there is no need for a retailer to know my date of birth and I always refuse to do business with anyone who requires it (I know some people just lie but I choose who I give my business to). I could imagine that many sites might try to add DOB as part of their "verification/reset" process. If so, they won't get my business.

    The main reason for that is the general principle that given the strongly asymmetric power relationship with a commercial company, I need to make sure they know as little as possible about me. That minimises their chance to set prices based on my willingness to pay, or to exchange information with other companies.

    Another reason is that although I do not think the government is snooping on me, they do regularly snoop on people I rely on or support such as investigative journalists, trade union organisers, human rights lawyers, etc and those people need to be able to avoid being identified in many of their transactions.

    We need to make sure that the concern for data security does not throw privacy, particularly privacy from commercial organisations, out of the window.

  17. a_yank_lurker

    GDPR effects

    The primary effect will be to force companies to be more focused on user privacy and how much user information they collect directly or indirectly. Too many marketing weasels failed to grasp the cardinal rule of information security: "what you do not know/have you can not blab". So willy-nilly private data collection will stop once a few big boys get nailed by some eye-popping fines. If a company never really considered user data security seriously before they will have a rough time of it for a while. But in reality they earned what they are getting. There was an old ad tag line many years ago in the US for a car oil filter: "Pay me now or pay me later". Either you pay up front to do things right or you pay much more later to fix the resulting problems.

    I have little sympathy for the complainers because they mostly ignored it until too late and they were offenders the law is targeting.
