So the suits swanned off to GDPR events leaving you at the coalface? It's really more IT's problem

I spend a lot of time telling people that information security isn't the IT department's problem. And it's not: everyone in the business is responsible for making his or her contribution to the security of the organisation's information, and for protecting the personal data the organisation uses. I can't help thinking, though …


  1. m0rt

    The business I am in has a lot of contact with other businesses whose primary business is not tech related. It is surprising just how many of those businesses are quite blasé considering the fact that this is possibly the biggest thing to hit any kind of data processing since the introduction of the Data Protection Act. Or they just reel off Legitimate Interest when asked about how they are going to sort out opt-in on their website and the various marketing tools, tracking tools, for starters.

    Going to be a fun time. GDPR I am quite for. I think that it redresses the balance that has been lost regarding the sanctity of people's data. On the other hand, it is also showing the issue that previously defined terms or situations relating to DP have never really been tested in UK law and can be interpreted in so many ways. If you have ever approached the ICO for advice on how best to do something and remain compliant... you will know exactly what I mean.

    1. wstrainer

      As someone who works (contracts) in central and local government, heavily involved with organisations that have to adhere to and actually police the DPA and GDPR (soon), I feel that I am well placed to offer my experience.

      In a document and records management system, when saving a document (Word, Excel etc.) users are prompted for metadata. The default choice is 'none' (choosable) from a multiple-choice dropdown box (contracts, legal, PII etc.). I'll let you guess what most users choose.

      In case you are wondering why, check out m0rt's post.

  2. No Quarter

    Meanwhile...

    ... across the channel outside of Germany and Scandinavia they will be doing absolutely nothing about this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Meanwhile...

      Why would you think that? Remember any EU citizen can complain to their own Data Commissioner, who can then conduct a prosecution even if the data is held in another EU country. I can certainly see German Data Commissioners wishing to make an example of Irish banks or French ones of US Cloud providers.

      As someone else commented the only place where data protection is going to be ignored is the UK, because Brexit means do whatever you feel like doing.

      1. Sir Runcible Spoon

        Re: Meanwhile...

        "because Brexit means do whatever you feel like doing."

        Whatever gave you that idea? If we want to do business with, and in, the EU then we are going to have to be compliant. Just as any US company will need to be in order to process EU citizens' PII.

        1. Anonymous Coward
          Anonymous Coward

          Re: Meanwhile...

          > Just as any US company will need to be in order to process EU citizens PII.

          One of my customers has come to the conclusion that they simply have no way to know whether someone is German or not and so have no option but to basically assume they might be and treat all personal data as if the subject were German (Germany has the strictest set of rules) just in case.

          On the other hand the management people who are all in a panic about the new rules haven't got a clue about how things really work. "We must ensure everything is secure" yeah well all those protocols you are talking about aren't secure, now what do you want me to do? ARGH, oh and all these business processes you engage in, you'll need to re-engineer them, they violate the rules. ARGH.

          They seem very keen on being able to dump loads of stringent conditions on sub-contractors (moi) and not very keen on dealing with the rest of their own company and putting their house in order.

          Still, when every company has paid 10% of turnover as a fine it will knock a big dent in all the government debt, or at least it will do until everything goes tits up as business after business fails.

          1. Tom Paine

            Re: Meanwhile...

            Still when every company has paid 10% of turn over as fine it will knock a big dent in all the government debt

            Couple of things

            1. Fines are capped (in the UK) at £18m. Big news for a small car hire firm, say, or a T shirt designer whose customer list is dumped on Pastebin, but Facebook? Do me a favour...

            2. Fines are only levied on orgs someone's complained about, and which the ICO has the resources to investigate, and which are found guilty of some non-compliance that led to a "breach" of some sort -- if the org is silly enough to report it in the first place... Hint: do you know what the FCA regulates, and what its annual budget is? OK, now do you know what the ICO's budget is?

        2. Anonymous Coward
          Anonymous Coward

          Re: Meanwhile...

          "Just as any US company will need to be in order to process EU citizens PII."

          I don't see where this law is limited to companies. How about web servers owned and run by individuals in the US? They may well have the personal data of EU citizens.

          Since most of these individuals have no idea what is going on in the EU, they will probably disregard this rule. It would be very difficult for the EU to extradite a US citizen, and they are unlikely to get much of a remedy in the courts over here.

          1. Anonymous Coward
            Pint

            Re: Meanwhile...

            Bingo, that's my thought as well. I've already been in the process re-engineering cycle before so I don't have to imagine anything at all about the digital wreckage that is about to happen. This is the only reason I do click on the click-bait GDPR regulations. I spent a lot of time ensuring that I wouldn't end up in front of a Courts Martial or the civilian equivalent. I'd rather avoid the EU equivalent, thank you very much.

            Beer'o'clock, although it's a vodka and ginger-ale here.

          2. Ken Hagan Gold badge

            Re: Meanwhile...

            "How about web servers owned and run by individuals in the US?"

            As long as those individuals aren't trying to do business in the EU, I imagine they can treat EU citizens the same way that they treat Iranian or North Korean ones: let's call it "benign neglect".

            The reason US businesses might care is that they might actually have some commercial footing in the EU, which would be "at risk" from adverse EU court decisions.

            Then again, the wrong decision in the MS v. Ireland case might mean that US companies stop being able to operate in the EU anyway.

          3. Anonymous Coward
            Anonymous Coward

            Re: Meanwhile...

            > I don't see where this law is limited to companies.

            Because it is not, unless you consider owning and running a public-facing web server "a purely personal or household activity"¹.

            ¹ Article 2, 2 (c), Regulation (EU) 2016/679.

          4. Tom Paine

            Re: Meanwhile...

            There's an applicability threshold. GIYF.

        3. Tom Paine

          Re: Meanwhile...

          *chuckle*

          It's the way you tell 'em...

      2. Teiwaz

        Re: Meanwhile...

        Brexit means do whatever you feel like doing.

        I thought Brexit meant doing whatever May and the other half-wits blithely building the foundation for a near-future Ing-Soc think.

      3. Anonymous Coward
        Anonymous Coward

        Re: Meanwhile...

        You may want to read the Data Protection Bill 2018/9 going through parliament... it's a cut and paste of the GDPR legislation with a few tweaks.

        Brexit is renaming NOT killing GDPR.

    2. macjules

      Re: Meanwhile...

      Well, the French, Benelux, Spanish, Portuguese and Italians already have implemented GDPR and most of them have had it for over a year now. Not too sure about Eastern Europe or South East Europe and Malta is on about the same level as the UK.

      For my part, with just over 2 months to go I am busy preparing a briefing for senior management along the lines of:

      1) Our compliance team know Sweet Fanny Adams about GDPR.

      2) Our corporate governance team know all about GDPR but don't care as they have done nothing since the big GDPR junket to the Bahamas.

      3) The development team has everything ready to go - TFA, Customer Record reviews, full on-demand, personal data access and ability to delete or request deletion of personal data - just say go.

      4) Summary: Either you let us do our job or get to watch your profits disappear into ICO coffers

  3. BinkyTheMagicPaperclip Silver badge

    'If you've erased someone's data on request, does the tech team re-delete the data from the live system if they've had to restore from backup?'

    No, because that's the job of admin, not IT operations. The system to ensure it remains compliant needs to be specified, and created by development. It is absolutely not the job of IT operations to go through a checklist of data that should or should not be there, particularly as it would probably involve them needing to understand bits of the system that aren't their job.

    1. Anonymous Coward
      Anonymous Coward

      So, if you've got a few years of backups and someone requests that data is deleted, do we have to go through all of the tapes? Even more fun would be if it's database backups... restoring and then extracting the data from every tape would be a nightmare.

      1. m0rt

        No.

        This has been an issue, regardless of GDPR and the ICO recognise that this isn't always straightforward.

        https://ico.org.uk/media/for-organisations/documents/1475/deleting_personal_data.pdf

        See page 4.

        So, outside of data kept for regulatory purposes which you have no choice over, and your normal backup policies (you do delete old backups, don't you? You don't keep them forever, do you?).

        So - scenario: You go back to a backup from yesterday because something nasty happened. Yesterday, after the backup was taken, a set of records were removed. As long as you know, somehow, that these were removed you can reapply the deletion. So the deletion process will need to stay *live* for as long as you feasibly keep backups that may be used to restore from for your day-to-day running.

        In most cases, I would argue this is a week or so for most with daily changing data. If it is a month, then you will need to keep the deletion process longer than that to ensure you can meet your duty. As long as *this is documented* the ICO should see that as endeavouring to comply with the spirit.

        If you ended up using a backup from a while back, which may be the case in some scenarios, and some data was resurrected that shouldn't be, and this got out and the sh1t hit the fan, then it comes down to why, the impact, what procedures were in place etc.

        There is no black and white answer to a lot of scenarios. You can't help seeing an IP address. And you can't know if this is a piece of Personal Identifiable Information (eg, fixed IP and you have the name and address of this person) or not (temp IP or company firewall). You can't dump this (if a breach you will need to go over your logs) and you can't anonymise it in most cases, or even be sensible to do so. So it comes down to what you do, how you document, don't generally piss take and *show evidence* of what and why you do.

        Personal data should be sacrosanct. It is about time it is treated as such. By both the users of that data, and the general public who are, for the most part, pretty clueless. That isn't their fault mostly, it is just that industry has beguiled them with promises, free stuff and The Shiny™
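The scenario m0rt describes above (restore yesterday's backup, reapply the erasures logged since it was taken, and keep that log only as long as the oldest backup you could still restore from), written out as an added worked example. This is illustrative code, not anything from the article, the ICO guidance or a commenter; the in-memory `Store`, its record ids and the timestamps are all constructed for the demonstration.

```python
"""Re-applying erasures after a restore from backup (added example).

Model: the live store is a dict keyed by record id; each backup is an
immutable snapshot stamped with the time it was taken; every erasure is
appended to a deletion log with its own timestamp. On restore, replay
every logged erasure that is newer than the snapshot. When backups
expire, prune the log back to the oldest backup still retained, because
an erasure older than that backup cannot be undone by restoring it.
"""
import copy
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    data: dict          # record_id -> record, frozen at backup time


@dataclass
class Erasure:
    record_id: str
    erased_at: datetime
    reason: str


@dataclass
class Store:
    live: dict = field(default_factory=dict)
    backups: list = field(default_factory=list)
    deletion_log: list = field(default_factory=list)

    def backup(self, now):
        snap = Snapshot(now, copy.deepcopy(self.live))
        self.backups.append(snap)
        return snap

    def erase(self, record_id, now, reason="subject request"):
        # Remove from live AND log it: the log entry has to outlive every
        # backup that still contains the record.
        self.live.pop(record_id, None)
        self.deletion_log.append(Erasure(record_id, now, reason))

    def restore(self, snapshot):
        """Bring back the snapshot, then replay erasures made after it."""
        self.live = copy.deepcopy(snapshot.data)
        replayed = []
        for e in self.deletion_log:
            # Anything in the snapshot predates it, so any erasure newer than
            # the snapshot must be applied again.
            if e.erased_at > snapshot.taken_at and e.record_id in self.live:
                del self.live[e.record_id]
                replayed.append(e.record_id)
        return replayed

    def expire_backups(self, now, retention):
        """Drop backups older than `retention`; prune the log to match."""
        cutoff = now - retention
        self.backups = [b for b in self.backups if b.taken_at >= cutoff]
        if self.backups:
            oldest = min(b.taken_at for b in self.backups)
            # Erasures older than the oldest retained backup can never be
            # resurrected by a restore, so they no longer need to be kept.
            self.deletion_log = [e for e in self.deletion_log if e.erased_at > oldest]
        else:
            self.deletion_log = []
        return len(self.deletion_log)


def restore_scenario():
    """Constructed: nightly backup, erasure at 11:00, restore later that day."""
    t0 = datetime(2018, 3, 1, 2, 0)
    s = Store()
    s.live = {"c1": {"name": "Alice"}, "c2": {"name": "Bob"}, "c3": {"name": "Carol"}}
    snap = s.backup(t0)                       # backup taken at 02:00
    s.erase("c2", t0 + timedelta(hours=9))    # erasure request handled at 11:00
    s.live["c4"] = {"name": "Dave"}           # unrelated new record, lost on restore
    replayed = s.restore(snap)                # "something nasty happened"
    return sorted(s.live), replayed           # -> (["c1", "c3"], ["c2"])


def retention_scenario():
    """Constructed: a 7-day retention lets the older erasure drop out of the log."""
    t0 = datetime(2018, 3, 1, 2, 0)
    day = timedelta(days=1)
    s = Store()
    s.live = {"c1": {}, "c2": {}}
    s.backup(t0 - 10 * day)
    s.erase("c2", t0 - 9 * day)      # only the 10-day-old backup still holds c2
    s.backup(t0 - 3 * day)
    s.erase("c1", t0 - 2 * day)      # the 3-day-old backup still holds c1
    kept = s.expire_backups(t0, retention=7 * day)
    return kept, [e.record_id for e in s.deletion_log], len(s.backups)


if __name__ == "__main__":
    print(restore_scenario())
    print(retention_scenario())
```

The point the thread keeps circling back to is visible in `expire_backups`: the deletion log is not a second copy of the personal data (it holds an identifier, a timestamp and a reason), and its retention is bounded by the backup retention you already have to document, so the two policies are written once and checked together.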

      2. Nick Ryan Silver badge

        So, if you've got a few years of backups and someone requests that data is deleted do we have to go through all of the tapes... even more fun would be if its database backups.. restoring and then extracting the data from every tape would be a nightmare

        You will find that many "people" are still hopelessly confused by the unfeasibility of removing data from backups. Technically, it is possible, as in restore every backup to a machine environment capable of understanding the data structures (both in database and application terms, including all business logic), then remove the offending data and then re-back up the data. Vaguely feasible for a single record; however, multiply this by multiple independent executions and many backups and likely changing application environments over time and it rapidly becomes impractical. While there have been some clever-ish workarounds relying on each data row being encrypted independently, so that all you have to do is forget the key to lose access to the data, this then relies on separate backup schemes for backing up these keys, therefore it just moves the issue - along with making standard data access impractical.

        1. Doctor Syntax Silver badge

          "Technically, it is possible, as in restore every backup to a machine environment capable of understanding the data structures (both in database and application terms including all business logic) and then removing the offending data and then rebacking up the data."

          Alternatively, take m0rt's excellent advice, posted an hour earlier. Or mine saying much the same thing with less detail posted some weeks earlier. Why does this chestnut keep coming up? The solution should be obvious.

          1. Nick Ryan Silver badge

            It should be; however, this is GDPR and if there weren't idiot consultants running around fleecing companies of their cash and telling them just how hard GDPR should be, it would, well, be sensible. These goits also insist that the "right to erasure" should mean that there is no record whatsoever of the data subject left anywhere, and this includes a "delete list" in case of restore from a backup.

        2. katrinab Silver badge

          If you have a system that automatically deletes data from backups as well as from the live system, then you don't have a backup system, you have something similar to RAID 1 mirroring, which only protects against some types of hardware failure.
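Nick Ryan's per-row key workaround above (encrypt each record under its own key, and erase by forgetting the key), as an added example that is not code from any comment here. `KeyStore`, `EncryptedStore` and the sample records are made up for the demonstration, and, so that it runs on the Python standard library alone, the cipher is HMAC-SHA256 in counter mode rather than a real AEAD; a production build would use AES-GCM or similar from a vetted library.

```python
"""Crypto-shredding with per-record keys (added example).

The backup medium only ever sees ciphertext. The key store is small and
lives apart from the bulk backups, and it is the only place an erasure
has to act: forgetting a record's key makes every backed-up copy of that
record unreadable without touching a single tape.

Demonstration cipher: HMAC-SHA256 as a PRF in counter mode, stdlib only.
It is not authenticated, so a wrong or missing key yields garbage rather
than an error; a real deployment would use an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import json
import os


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(16)               # fresh per record write
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyStore:
    """One random key per record id; backed up separately from the data."""

    def __init__(self):
        self._keys = {}

    def new_key(self, rid):
        self._keys[rid] = os.urandom(32)
        return self._keys[rid]

    def get(self, rid):
        return self._keys.get(rid)

    def shred(self, rid):
        """The erasure: drop the key, leave the ciphertext wherever it is."""
        return self._keys.pop(rid, None) is not None


class EncryptedStore:
    def __init__(self, keystore):
        self.ks = keystore
        self.rows = {}                   # rid -> ciphertext blob

    def put(self, rid, record):
        key = self.ks.get(rid) or self.ks.new_key(rid)
        self.rows[rid] = encrypt(key, json.dumps(record).encode())

    def get(self, rid):
        key = self.ks.get(rid)
        if key is None:
            return None                  # shredded: the blob is now noise
        return json.loads(decrypt(key, self.rows[rid]))

    def backup(self):
        return dict(self.rows)           # ciphertext only, no keys

    def restore(self, blob):
        self.rows = dict(blob)


def shred_scenario():
    """Constructed: back up, shred one subject's key, restore the old backup."""
    ks = KeyStore()
    db = EncryptedStore(ks)
    db.put("c1", {"name": "Alice"})
    db.put("c2", {"name": "Bob"})
    tape = db.backup()                   # ciphertext only; can sit on a shelf for years
    before = db.get("c2")                # readable while the key exists
    ks.shred("c2")                       # the erasure: one key, not every tape
    db.restore(tape)                     # restoring brings the ciphertext back...
    return before, db.get("c1"), db.get("c2")   # ...but c2 stays unreadable


if __name__ == "__main__":
    print(shred_scenario())
```

This is also where Nick Ryan's caveat bites: the key store needs its own backups, and a restore of an old key-store backup resurrects shredded keys just as a restore of an old database backup resurrects rows. Because the key store holds only 32 bytes per record, re-snapshotting it after every shred is cheap, but that snapshot is now the crown jewels and needs the same separation and access control as an HSM-backed secret store would get.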

    2. Tom Paine

      What is this magical land where you live, and how do I apply for citizenship?

  4. Dr Who

    B2B vs B2C

    Much of the advice, scare mongering and FUD about GDPR focuses on consumer data. One thing I can't find a clear answer on is the impact of GDPR on B2B businesses. Say you run outsourced IT support for other companies. On your help desk system you hold personally identifiable information on all the employees of each of your customers. Do you need to get explicit consent from each of those employees to hold their data? Do your customers' employees have the right to be forgotten with respect to your help desk system?

    Has anyone seen an authoritative legal opinion on this specific issue?

    1. Doctor Syntax Silver badge

      Re: B2B vs B2C

      "Do you need to get explicit consent from each of those employees to hold their data? Do your customers' employees have the right to be forgotten with respect to your help desk system?"

      It might not be authoritative legal advice but CYA: assume "yes". The same thing applies to your customers, of course. Have they thought about such things? Have you prompted them to do so?

    2. JerseyDaveC

      Re: B2B vs B2C

      This is quite an easy one to answer: no, you don't need the consent of the individuals in this context. Your grounds for processing the personal data will be that you're doing so in order to satisfy a contract.

      As the outsourced helpdesk entity you're a processor, and the company you're working for is the controller. Both parties are required by GDPR to ensure that an appropriate contract is in place, and if your customer has any sense he/she will ensure there's a right-to-audit in the contract so they can check up on you from time to time (monitoring of ongoing conformance is essential). As a processor you're bound by the constraints that state that you're only allowed to use the data for the purposes included in the contract. If you're based in a country that doesn't have an adequacy finding from the EU then your customer, as controller, should consider this and ensure that they take all reasonable steps to mitigate this, but again that's not an overly hard thing to do (unless you're based in Russia or somewhere equally dodgy, that is).

      1. Anonymous Coward
        Anonymous Coward

        Re: B2B vs B2C

        > This is quite an easy one to answer: no, you don't need the consent of the individuals in this context. Your grounds for processing the personal data will be that you're doing so in order to satisfy a contract.

        This part is 100% correct.

        > As the outsourced helpdesk entity you're a processor, and the company you're working for is the controller.

        I understood the other poster to say that he runs some service company and he holds data about people at companies he does business with. And he was asking whether he requires consent from those people.

        In this scenario, I refer to the first part of your answer, but I submit that he is *not* a data processor (for someone else's data containing personal information). Instead he *is* a data controller (for his own data containing someone else's personal information).

        Apologies if I misunderstood, but that is what I get from the original post. That he is an IT services company is probably a red herring, since he doesn't mention his client's data, but data about his client's employees.

    3. NeverMindTheBullocks

      Re: B2B vs B2C

      Where did you get that information from? If you didn't collect it directly from the individuals then you are not the data controller and you don't need to worry about consent. That's down to the customer who provided it to you. In that scenario you are the Data Processor. You still need to be compliant but the rules are slightly different.

      Even if you are the controller you don't automatically need consent; that's just one of the possible criteria for the Lawful Basis for processing. You do need to work with those customers at a business level to ensure that they pass on the appropriate privacy notices to their employees that explain why you are holding their data and what you intend to do with it. You also need to be able to respond to SARs from them and delete data under RtbF.

      The first thing you should be doing is getting the lawyers to give you a view on your status as Controller or Processor for the different data sets you hold (assuming you know what they are). Everything else follows from that.

  5. Anonymous Coward
    Anonymous Coward

    Always changing goal posts

    Well, when we first mentioned it over a year ago mgmt said we won't need to bother due to Brexit..

    Six months later they start to panic and it's my department (IT) to resolve all GDPR issues..

    two months later told to stop working on it as it was nothing to do with IT

    Two weeks ago it's back on my plate as they figure someone needs to be accountable (take the liability if we are in breach).. but senior mgmt go to the various sessions and conferences but IT don't as it's "not relevant".

    1. m0rt

      Re: Always changing goal posts

      Easy way to sort this.

      Get management to tell you who the Data Officer is. If they feel they don't need one then they still need to nominate someone responsible. (Hint - it can't be a Board member).

      Then when you get that person - scare the shit out of them if they don't take the responsibility seriously. Unless they name you as Data Officer, in which case you are now a legal person and you can tell them exactly how it goes down and they have to listen to you or they are breaking the law and you are forced, by law, to inform the ICO.

    2. Anonymous Coward
      Anonymous Coward

      Re: Always changing goal posts

      > two months later told to stop working on it as it was nothing to do with IT

      So now you know when the "GDPR consultant" came knocking at the door.

      Who is the DPO in your company? Looks like it may be a good idea to get them to nominate one whether strictly required or not.

  6. Anonymous Coward
    Anonymous Coward

    ITs job but not IT's problem

    We have always assumed that data is an IT problem but the GDPR actually moves the conversation on by making the business the owner of its own data. IT was always the custodian but never had the knowledge or influence to classify that data, say when it could be removed or even say whether it was necessary in the first place. Putting a data owner in legal jeopardy for the information stored by their department should make for more mature conversations*.

    *Except in the marketing analytics teams where all the toys are going out of the pram!

    1. Doctor Syntax Silver badge

      Re: ITs job but not IT's problem

      "Except in the marketing analytics teams where all the toys are going out of the pram!"

      I'm firmly of the opinion that their toys should be taken away from them and only given back when, and if, they can prove they can be trusted with them. That goes for the whole of marketing, not just analytics. Toys, of course, includes anything on which data might be stored, including phones and paper notebooks; note Mr C's comments about checking for unstructured data. And insist that any future projects be only granted funding when detailed plans have been scrutinised by a grown-up.

    2. Anonymous Coward
      Anonymous Coward

      Re: ITs job but not IT's problem

      In Germany it is the case that IT staff cannot be the Data Protection Officer, although many companies, in my experience, ignore that and still appoint the IT Manager as their DPO...

      The DPO can also not be fired in Germany, under normal circumstances, and the protection carries on for 1 year after they have ceased their role as DPO... That still doesn't seem to stop companies sacking their DPOs, which is usually very expensive for them, when it lands in front of a tribunal (I've been involved in or know of 3 cases, where the DPO was wrongfully dismissed and the company ended up paying dearly for not knowing their arses from their elbows!).

      1. disco_stu

        Re: ITs job but not IT's problem

        It was a joy for me to attend a presentation on GDPR by someone at Irwin Mitchell and hear that the IT Manager (me) can't be in overall charge of GDPR :D

        1. Nick Ryan Silver badge

          Re: ITs job but not IT's problem

          It was a joy for me to attend a presentation on GDPR by someone at Irwin Mitchell and hear that the IT Manager (me) can't be in overall charge of GDPR :D

          That's a typical example of the level of stupid and incompetence that is flying around in the data protection space.

          The real situation is that the role of DPO should not be given automatically to the IT Manager - it typically was in the old DPA scheme. The role of the DPO should be given to an individual who has a thorough understanding of how the organisation works and (and this is really important) has a thorough understanding of data protection. If this happens to be the IT Manager, then this is fine. If another individual is more suited then this is fine as well. One very important point is that the DPO must not be involved in the day-to-day processing of the dataset. Unfortunately this is where terminology stupidity comes in, because technically just storing the data, or facilitating the storage of the data, means that an IT Manager is often seen as a processor of the data.

        2. Anonymous Coward
          Anonymous Coward

          Re: ITs job but not IT's problem

          > It was a joy for me to attend a presentation on GDPR by someone at Irwin Mitchell and hear that the IT Manager (me) can't be in overall charge of GDPR :D

          Your company may want to get their money back, and you may want to get an opinion from a knowledgeable source, because Mr Someone was talking utter bollocks.

          PS: Unless they were referring to you, disco_stu, having specific knowledge of your skills and qualifications, notably if it was the case that you did not have expert knowledge of data protection law and practices or were not able to fulfil the tasks referred to in Article 39.

      2. Anonymous Coward
        Anonymous Coward

        Re: ITs job but not IT's problem

        > In Germany it is the case that IT staff cannot be the Data Protection Officer

        References, bitte?

    3. onefang

      Re: ITs job but not IT's problem

      "Putting a data owner in legal jeopardy for the information stored by their department should make for more mature conversations popcorn consumption."

      FTFY

  7. tim 13

    What happens when an (ex) employee wants their details removed from any system logs?

    1. Anonymous Coward
      Anonymous Coward

      > What happens when an (ex) employee wants their details removed from any system logs?

      System logs? Depends what those logs are. If your data in them are not needed to fulfil a critical business function and if they are not needed for regulatory or other reasons, it shouldn't be a problem, but there is no general answer other than "it depends".

      1. Nick Ryan Silver badge

        Clause 15 of the GDPR excludes data that is not stored in a specified structure (reading and re-reading this clause can give you a headache) however the general intent is that just because a document contains personal data does not necessarily mean that it is covered by the GDPR.

        Logs are an interesting one as they are a historic record of fact. If you process the data with the intent of filtering by user then in some ways they are covered by the GDPR; however, if the logs are not structured in a specified way (this is where it gets fuzzy) then they are not.

  8. Anonymous Coward
    Anonymous Coward

    Based on a brief glance at these rules, they cannot possibly be implemented. Every computer everywhere is full of personal data as defined by the rules. There is no practical way to remove or secure all of it.

    I think the high-level managers who are just pretending to comply, without actually checking into what is really going on, may have the right idea.

    1. Anonymous Coward
      Anonymous Coward

      > Based on a brief glance at these rules, they cannot possibly be implemented.

      > I think [blah blah]

      And I think you should refrain from opining on things you know nothing about based on "a brief glance".

  9. rick137

    Let Compliance lead it, we're not taking responsibility...

    So I worked for a bank in the Channel Islands and GDPR was raised by a newbie who had the best of intentions...He came from a strong security background, had get up and go and generally wanted to try to make things better. When he started asking questions about GDPR, training for IT, how we can contribute and potentially lead, the response was generally "keep your head down son, try not to get shat"...

    IT manager did not want the responsibility of owning GDPR; Compliance were too blind to see the path ahead; Legal were in the pub talking Porsches and Maseratis with Treasury; and the C-level was nowhere to be found, or perhaps he forgot it was Monday....

    Bottom line - this particular CI bank IT shop leader expected Compliance to lead, with input from IT -- not happening - this was recent. The belief was - "let’s wait and see who gets fined first, pray it's not us, then get something in place once the ink has dried on the legalities"

    CI is certainly different to UK (as you know DC), but it's quite farcical how some large CI banks IT dept. are addressing the issue...

    RS

    1. HmmmYes

      Re: Let Compliance lead it, we're not taking responsibility...

      CI finance sector is rapidly dying.

    2. Adam 52 Silver badge

      Re: Let Compliance lead it, we're not taking responsibility...

      Compliance teams, in my experience, don't do leading; they make policy and shift blame. That their policies are inconsistent and unimplementable is a bonus because it makes it really easy to blame someone else.

      At the moment mine are telling me that we should keep customer data no longer than 6 months after the customer leaves; at the same time we're allowed to spam them for 3 years and are obliged to retain everything for over 7 years in case of legal action.

      So whatever I do I'll be in breach, unless I just refuse to add any customers at all.

  10. NerryTutkins

    requesting customer data

    One of the onerous requirements is that people will be able to request a copy of all the data on themselves for free. Previously you could charge £10, which in many cases didn't cover the cost, but at least stopped spurious requests made just to annoy you. But now you have to respond within 28 days and at zero cost. You can only charge if the requests are excessive, e.g. someone requests it multiple times, or multiple copies etc. and the bar for this is set pretty high.

    So anyone who hasn't built some kind of system to easily extract all data on an individual and put it in a text file or whatever is potentially going to need such a system pretty quick. I think requesting this data will quickly become the annoyance of choice for any disgruntled customers.

    1. Pete 2 Silver badge

      Re: requesting customer data

      > I think requesting this data will quickly become the annoyance of choice for any disgruntled customers.

      Or employees ....
