back to article Tick, tock motherf... erm, we mean, don't panic over GDPR

Welcome back from the summer. Feeling refreshed? Good, now let’s talk General Data Protection Regulation from the European Union, due to swing into effect on May 25, 2018. You now have eight months to get your data infrastructure, tech policies and related procedures ship-shape. Not feeing so refreshed now, are you? Plenty of …

  1. DaLo

    So, does anyone know when the first draft will be published (or is it accessible somewhere now)? BBC were saying it would be published today but it now seems that it was just a proposal that was published today. It had also been stated that it was due in September.

    There are important nuances and ambiguities with the current EU GDPR wording that might be a bit clearer in the published Bill so it would be useful to get some idea of the actual wording before too long.

    1. graeme leggett

      A newly drawn up law making things clearer, that'll be a change.

      Statutory Instruments and case law will be what makes it clearer and they come in light of experience

      1. DaLo

        Sure, but until you see where the grey areas are you can't tell whether you are sitting in them or not. Most companies can't afford to be the one who is party to the proceedings that create the case law.

  2. Anonymous Coward
    Anonymous Coward

    I don't see it being a problem. If I have to analyse any PII data I'll just change everyone's name to bob.

    1. graeme leggett

      I see a new business opportunity. The creation of datasets of fictional (though plausible) individuals for testing purposes.

      First line of licence "All names, characters, and incidents portrayed in this production dataset are fictitious. No identification with actual persons (living or deceased), places, buildings, and products is intended or should be inferred..."

      Those who used to make character generation programs for RPGs (out of Basic and spreadsheets as I recall), it should be no problem. And possibly fun.

      [Talking of RPGs - room for a quick plug for HumbleBundle's WHFRP offering ? ]

      1. Craigie

        There are plenty of tools that already do this.

    2. Anonymous Coward
      Anonymous Coward

      I don't see why I got a downvote?

      Bob is a metaphorical term for any part of the the data that is identifiable so if I change any part such as name, address, ip address, customer id etc.. then once I analyse the data it is no longer PII therefore it is not covered by the GDPR.

      If someone can tell me why this is wrong then I'm happy to see your viewpoint.

      Thanks.

      1. Doctor Syntax Silver badge

        "I don't see why I got a downvote?"

        Maybe someone thought you should have included Alice. But I suspect it was really Eve.

        1. Pedigree-Pete
          Joke

          @Dr S

          Who the f*ck is Alice? PP

      2. Lysenko

        re: I don't see why I got a downvote?

        Possibly because a blunt instrument like that would likely destroy the data that needs to be analysed for many use cases. For example, if you're in the vegetarian meals business you might want to analyse your market presence with the Sikh population and that might mean using the surname "Singh" as a proxy. That doesn't mean data cannot be anonymised, but it needs to be a lot more sophisticated than brute forcing everything to a single value in many cases.

        1. Dan 55 Silver badge

          Re: re: I don't see why I got a downvote?

          Not too sure about that, if BA used Singh as a vegetarian meal flag there'd soon be a media shitstorm that'd make any IT meltdown look like a walk in the park.

      3. JSTY
        Angel

        Re. Bob

        > Bob is a metaphorical term for any part of the the data that is identifiable so if I change any part such as name, address, ip address, customer id etc.. then once I analyse the data it is no longer PII therefore it is not covered by the GDPR.

        [I am not a lawyer, etc etc]

        As I understand, anonymising a dataset by stripping out PII is fine and unlikely to go too badly wrong. What you've got to be more careful with is pseudo-anonymisation (eg. hashing your PII such that you can still distinguish 'entities') - this can still be considered PII.

        Oh and also, I know it was metaphorical, but changing everyone's name to Bob would be a bad idea - there's probably a real Bob in there somewhere and you'd still have PII. Just remove the relevant PII fields entirely and you're golden.

  3. Doctor Syntax Silver badge

    Given that it's been talked about in general terms for ages it's not really that new. Anyone who will have responsibilities under it and has been paying attention should have started planning for it a good while ago even if the final details have only recently been confirmed.

    On the downside it'll only be Royal Assent that finally persuades some boards that it's a thing. And some will hold out until they're fined.

  4. Anonymous Coward
    Anonymous Coward

    I have a question. Why are fines always an up amount? It's like a flat tax. Those are always hardest on those with a lower income. 20 million could ruin a mid-sized business but simply be a cost of business for a large one.

    To rant on, I'd suggest that there should be no sale tax on anything. All taxes should be on income, but the only way to implement that without further crushing those in middle economic class would be to actually have Corporations and the wealthy pay taxes, again. Some of you will remember when they did. That significantly helped build the infrastructure and social systems we have today but can on longer even afford the upkeep on, even with migrant workers wages being less than the wages for which Citizen are often willing to work.

    I'm JOKING, of course, we know that the extremely wealthy bought all the politicians they need to make sure this doesn't happen. :)

    1. Anonymous Coward
      Anonymous Coward

      I have a question. Why are fines always an up amount?

      In the case of GDPR, the reason that its upto €20m or 4% of global turnover is to make sure that even for a company that may not have any turnover, a fine can still be issued. Many companies have little or no turnover, either because they themselves don't trade as such, even though they handle data, some holding companies own trading companies, but may not consolidate the results up, property companies often make their profit from balance sheet transactions, and thus have little or no turnover. If you're a well capitalised startup, you may be rich as stink, but have minimal turnover. And a load of other instances.

      But would you rather have a "not less than" fine? We use them all the time with people, and they're called fixed penalty notices, but they seem to be the sort of impact your tone is objecting to?

    2. Doctor Syntax Silver badge

      "Why are fines always an up amount? It's like a flat tax."

      Do you mean "up to"?

      Think about what "up to" means. Note that it's not the same as "at least".

      Then you'll realise that your "flat tax" comparison is the exact reason for "up to"..

    3. Anonymous Coward
      Anonymous Coward

      Yes, I agree with those of you who answered that I should have said "up to" and that it is the definition of NOT a flat tax.

      I can only claim to little coffee before posting that :(

      To clarify about what I consider the plight of migrant workers. I do not believe that it is right that they are paid less for the same work that Citizens might have done, but was only pointing out that they are in many cases and even with that cost saving (probably marginal in the big picture) it seems there is still not enough money to keep up existing infrastructure.

  5. Anonymous Coward
    Anonymous Coward

    Up to €20m includes the figure zero

    Whilst many are applauding the new higher penalties available under GDPR or the UK equivalent, it is worth stopping to ask whether the actual fines will differ by very much from the current regime. A quick perusal of ICO enforcement shows that they have very rarely (maybe never) issued even the £500k fines that they could. The highest instances I could see over the past few years were to TalkTalk (£400k) and a similar amount to a spam caller, Keurboom Communications, who were wound up by the owner a month before the ICO slapped them with the penalty. And the "civil monetary penalties" just go back to the Treasury. So three points:

    1) ICO haven't seen fit to reach the pretty low £500k even for the biggest UK breaches. If they aren't seeing those as even half-mill offences, why will a higher penalty ceiling make a difference? Even with a 4% or £17m maximum, what would the ICO actually fine say TalkTalk for their most recent screw? My feeling is of the order of what, £6-7m. Peanuts to them, still. I really don't think we'll see the 4% of global turnover actually used, which would be £70m for TalkTalk.

    2) The bottom-feeders can be smacked with proportionately high fines, but they simply aren't going to pay them.

    3) Government actually stand to make money from data breaches. That's wrong - the money should either be handed out to the victims (mere pence, but the cost of doling it out would be a huge overhead and massive and embarrassing admin task for the guilty); Or it should fund the ICO's operations, so that they can do a better job of policing the rules, such as proactive investigations.

    So I think that post-GDPR it is business as usual for the likes of TalkTalk. GDPR breaches will be more expensive, and hopefully the threat and the publicity will provoke action, but I don't believe the actual fines will be of material significance to larger corporations. Government have talked about making directors personally liable for unpaid penalties, but unless the UK implementation of GDPR includes that clause, no new legislation will be coming forward, and we'll continue to see the scum evade the fines they are due.

    1. Doctor Syntax Silver badge

      Re: Up to €20m includes the figure zero

      it is worth stopping to ask whether the actual fines will differ by very much from the current regime

      Maybe "dissuasive" as mentioned in the article will change this. I hope those issuing the fines will interpret this as "big enough to affect management's bonuses and too big for the board to hide from the shareholders".

      The bottom-feeders can be smacked with proportionately high fines, but they simply aren't going to pay them.

      Power to freeze bank accounts would be a useful addition.

      Government actually stand to make money from data breaches. That's wrong - the money should either be handed out to the victims

      The possible income should be an incentive to pursue cases more vigorously and more often. The fines shouldn't stand in the way of civil proceedings for compensation. The imposition of a fine should, if anything, make the burden of proof easier. The ICO could be given the power to compel a compensation payment but then it might block the injured from producing evidence of more substantial actual losses.

      1. Anonymous Coward
        Anonymous Coward

        Re: Up to €20m includes the figure zero

        The fines shouldn't stand in the way of civil proceedings for compensation

        I respect the concept, in practice it would be very difficult for most people to prove that they suffered losses due to a specific data breach. If you get defrauded or suffer costs from identity theft after a data breach that affected you, could you (to the satisfaction of a court) prove that the losses you incurred were down to a particular company and a particular data spill?

        Companies have been so careless over the years, I suspect we've all been subject to several breaches that may or may not know about. How would you prove (a) which company was responsible for enabling the fraud, (b) that it wasn't your fault for being conned, and (c) that it was that company's fault?

        Its worth noting that the government use quasi-judicial processes and "civil monetary penalties" to enforce a lot of regulation, specifically because they know that proving to the standard of a court will be a long winded, risky, and expensive process that will certainly be contested. Would you start an action against (eg) Talk Talk, who probably have a legal budget of the order of a couple of million quid? They'd initially tie up your lawyer with a range of mid-tier law firms, but if things looked like going against them they'd bring in an attack dog city law firm, and even get a QC in to really get heavy. Under current rules, a lawyer can't even take on your case commercially unless he's seen proof that you can afford it, and that includes paying the other sides costs if you lose. That's why so few people successfully sue banks. So I don't think that in the real world many people will ever be able to use civil proceedings against big companies.

        1. Doctor Syntax Silver badge

          Re: Up to €20m includes the figure zero

          "Would you start an action against (eg) Talk Talk, who probably have a legal budget of the order of a couple of million quid?"

          Depending on the scale of the claim the small claims court might be the appropriate venue in some cases. That effectively wipes out the advantage of a large legal budget.

          But what happens if

          - the ICO finds there was a breach

          - a victim loses their house as a consequence

          - the ICO issues a flat rate £1,000 compensation?

          Should the victim simply write it off to bad luck?

          Should the ICO's finding assist in the victim establishing their case? Should there be a compulsory use of an independent arbitrator to assess compensation on a level playing field?

    2. disgustedoftunbridgewells Silver badge

      Re: Up to €20m includes the figure zero

      My guess about the reason we haven't seen any/many max fines is because the ICO are working out the badness and applying the percentage to the maximum fine.

      That's 50% bad - £250k. After GDPR, 50% bad will be £10m.

    3. DaLo

      Re: Up to €20m includes the figure zero

      There has to be room for willfulness. So Talk Talk were heavily fined but it seemed to be for sheer incompetence.

      The £500K fine would be for a company who made a decision to act recklessly or even criminally with data and were found out.

      With the new fines I think there will be more emphasis on hurting the company's bottom line and will be relative to the size of the company but will still have a major element of whether it was premeditated or not.

  6. Doctor Syntax Silver badge

    Where does it all end?

    Dave's comparison of big and small businesses set me thinking. It's not necessarily the big organisation that doesn't realise what it's doing with PII. If anything they may have better resources to carry out a formal analysis and pick up on such things whilst a more informally managed SMB might not.

    But this line of thinking extends down to the purely personal holding of PII. What about personal friends and family phone and address books? Your Christmas card list? SWMBO's ladies group (definitely NOT part of the WI!)? Does sending Christmas cards escape by being counted as a transacton?

    Is a line drawn anywhere and if so where? What about the email list of a group of friends who meet in each others' houses to play bridge? Or a larger group that hires the village hall? Or the village hall management committee?

    1. Phil O'Sophical Silver badge

      Re: Where does it all end?

      I think this is going to be one of the big headaches. Say you're in a band that maintains a website where people can sign up to get email about forthcoming performances, new CD releases. Will you now have to put the whole GDPR infrastructure in place to allow people to (securely) log in and manage the PII you hold?

      I can see a market for companies to provide "club sites" that look after this sort of thing, for a fee of course, much as eBay and Amazon Marketplace do for small traders. Some of those sites will be competently and securely run, but others will not. Fot those that are not, there's an opportunity for hackers to gain access to far more PII that would be put at risk by keeping a mailing list on your home PC, even though the latter could be a GDPR violation.

  7. chivo243 Silver badge

    8 Months or 8 years

    or 8 decades. For some organizations it will never be enough: Either because they don't care, or because they don't understand. Ignorance of the law is no excuse?

  8. Anonymous Coward
    Anonymous Coward

    "to evidence" ???

    *sigh*

  9. heyrick Silver badge

    What's the betting...

    ... some companies will hold out and stick their fingers in their ears in the expectation that in a short while Brexit will happen and all this "European" stuff will cease to apply...?

  10. Andy The Hat Silver badge

    And here come the fines ...

    "the government says they’ll demand that: “Businesses must notify the ICO within 72 hours of a data breach taking place” (my italics); GDPR says notification must happen: “not later than 72 hours after having become aware of it”.

    Keep that wording and whereas GPDR means you'll be fined for doing nothing after you find out a breach has occurred, the UK wording means that if a problem is notified to a company ten years after it happened, the company immediately closes the hole or takes remedial action they will still be fined because they didn't deal with the problem ten years ago despite having no knowledge of it ...

    As usual, it's deliberate wording to create easy money for the Government. Fines are actually being used as stealth taxes.

    1. Anonymous Coward
      Anonymous Coward

      Re: And here come the fines ...

      "they will still be fined because they didn't deal with the problem ten years ago despite having no knowledge of it "

      a) So the business's best approach is to make sure the breach doesn't happen in the first place and is promptly spotted.

      In the words of the ICO "In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place"

      b) "Failing to notify a breach when required to do so result in a significant fine UP TO 10 million Euros or 2 per cent of your global turnover" (my emphasis)

      So genuine sloppiness could be punished harder than a serious of unforeseen consequences.

    2. Anonymous Coward
      Anonymous Coward

      Re: And here come the fines ...

      @Andy The Hat: It's probably a poorly-chosen paraphrasing by the person in the article (we know how politicians like to condense things down into soundbites). The ICO themselves say 72 hours from discovery: "there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it."

      https://iconewsblog.org.uk/2017/09/05/gdpr-setting-the-record-straight-on-data-breach-reporting/

  11. Craigie

    Identifiable

    I still don't see any clarity on what 'Identifiable' means.

    A person generally cannot be 'identified' just by their name. But a person with a unique name can.

    A name and address would make a person's home location identifiable, but what if it's just an address and there is more one person living there?

    Name and email would tie to a single person, but not a location. Does that count? What about just email? What about name and IP?

    1. Anonymous Coward
      Anonymous Coward

      Re: Identifiable

      Go read the regulations. Much is there. ICO already say an IP address could count as personal information under the regs, and so can pseudonymised data.

      Eg Article 4

      "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

      And

      Article 9 "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."

  12. Anonymous Coward
    Anonymous Coward

    "Companies all over the world are using real data on development and test platforms, and in our brave new GDPR world that’s hard – probably impossible – to justify."

    The ICO have also been saying for several years not to do this:

    “The ICO advises that the use of personal data for system testing should be avoided. Where there is no practical alternative to using live data for this purpose, systems administrators should develop alternative methods of system testing. Should the Information Commissioner receive a complaint about the use of personal data for system testing, their first question to the data controller would be to ask why no alternative to the use of live data had been found”

    1. Missing Semicolon Silver badge
      FAIL

      Live data

      ... has real faults in it, caused by real history and real past bugs.

      I've built test data for a customer record system, run all the tests, everything passes. Do the live install, and it's exception city, flames, cats and dogs living together, etc.

      Unless you can analyse and predict data patterns in your live data, a system will never be properly tested until it's seen the real database.

      1. Wensleydale Cheese Silver badge

        Re: Live data

        "Unless you can analyse and predict data patterns in your live data, a system will never be properly tested until it's seen the real database."

        A recently reported example was where two girls had the same first name, last name, date of birth and they were born in the same city. IIRC, it was a student admissions system that got tripped up by that combination.

        1. Anonymous Coward
          Anonymous Coward

          Re: Live data

          Would this cover something like exporting the entire UK DWP database to Indian developers to work on?

          If the government gets the fines, but a government agency is charged with a fine, aren't they just shuffling numbers around?

  13. mutin

    What about malicious hypervisors?

    How can we talk about any compliance to either UK law or GDPR IF there is no a tool on market which would discover malicious hypervisor(s) planted in your system? Do the majority of security pros still consider rootkit hypervisor i.e. malicious hypervisor as a fake object thus not doing anything bad? Does not exist at all? Never saw it walking around? However, the key words are "hidden from any malware discovery tool". Not expected to be seen though ...

    1. Sir Runcible Spoon Silver badge

      Re: What about malicious hypervisors?

      I'm not an expert in this area, but rootkits etc. might be able to fool the system (and thus the monitoring) on the system it has infected, but it still leaves traces. It talks to C&C devices, processor usage doesn't always match process usage of CPU (although that could be fudged as well I suppose if they're really clever).

      One of you security layers needs to be able to analyse traffic from all the hosts on the network and spot anomalies*.

      Each layer you can add makes the type of malware capable of bypassing *all* of them pretty rare. Never rely on one layer to tell you what's going on. Security is like Ogres :)

      *This can also be fudged by well written malware of course.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019