back to article Info commish: One year to go and businesses still not ready for GDPR

Companies are unprepared for the General Data Protection Regulation (GDPR) coming into force a year today, and some small businesses "might not even know" a new regime is looming, the UK Information Commissioner Elizabeth Denham has warned. Speaking at an event by WSJ Pro Cybersecurity titled How Executives Can Manage the …

  1. Anonymous Coward
    Anonymous Coward

    The problem is...

    This move by the EU is going to hit a lot of the wrong people. Smaller businesses... Mom and pop shops... They'll all get done! Whereas the multi-billion criminal outfits like Facebook / Google / Uber will play them like a tool. What we need here is the real-life NY prosecutor that TV's Billions is based off. Someone who gets the industry and knows how to whip them....

    1. EnviableOne Bronze badge

      Re: The problem is...

      Based on 2016 figures max fine for the following (millions of US$)

      Apple 8,625

      Amazon 5,439

      Google 3,578

      Facebook 1,105

      Uber 260

      Which is the sort of figure that makes boards pay attention, and if they want to do business in the EU they will make consessions

  2. Matt 70

    Pointless fines

    Fines are pointless and no deterrent to the companies. All that will happen is that the poor customers whose details have already been leaked will then be charged more to make up the fine shortfall. Make the executives criminally and financially liable themselves, with strong prison sentences and personal asset seizure.

    1. Halfmad Silver badge

      Re: Pointless fines

      I've been saying this for years but it also has to apply to public sector organisations, as right now they get fined - they go to government ask for a loan for that amount (since it's the government who essentially fined them anyway) and they are back to square one.

      Public sector are great at reporting themselves compared to private companies but they also have nothing personally to lose, we need to change that for directors and chief execs.

    2. Anonymous Coward
      Anonymous Coward

      Re: Pointless fines

      > "Make the executives criminally and financially liable themselves"

      The GDPR incorporates provisions for fines & custodial sentences for those responsible for more eggregious breaches, and mandates having CIO-type positions (which I assume will be where the finger will initially point).

  3. geascian

    And if the breach is down to having to use weak encryption because the Government wants to snoop on everybody all the time?

    1. Alister Silver badge

      And if the breach is down to having to use weak encryption because the Government wants to snoop on everybody all the time?

      An interesting point, but the fact is the majority of the data breaches that have happened are not down to encryption failures, they are down to easily preventable exploits like SQL injection, which should have been a solved problem years ago.

  4. 0laf Silver badge
    Big Brother

    Businesses not read?

    Government isn't ready either.

    Plus UK Gov hasn't produced all the derogations yet so no one knows quite what they have to be compliant with. They'll have to roll out a derogation sharpish to deal with Rudds encryption fuck-up-in-progress / pending-u-turn.

  5. Anonymous Blowhard

    Asset vs. Liability

    The root of the problem is that businesses see personal data as an asset; the more they have, the more they can monetise it.

    If there was legislation to make personal data a liability, something that costs you money, then businesses would think differently about it and try to minimise their holdings of personal data.

    So if businesses had to pay a levy of one pound per year for every row of personal data in every database they have then they would work to minimise that cost; they'd clean out personal data relating to old accounts as fast as possible, they'd think hard about the actual value of personal data to them. At the moment they keep as much as possible because "it's an asset".

    The levy could be used to finance the enforcement of data protection and for compensating victims of data theft.

  6. Chris Evans

    Missing link?

    A link to a guide about what GDPR is all about would have been useful (and good journalism)

    I've found the official ICO page: here

    and what seems like a better article with some useful links: here

  7. Anonymous Coward
    Headmaster

    "Under GDPR, the fines for a data breach will either be €20m (£17m) or 4 per cent of global annual revenue, whichever is highest."

    That's up to 4% or £17M.

  8. Alistair 1

    From GDPR:

    "If your organisation has less than 250 employees you are required to maintain records of activities related to higher risk processing, such as:

    • processing personal data that could result in a risk to the rights and freedoms of individual; or

    • processing of special categories of data or criminal convictions and offences."

    So if you are a (smaller) SMB, then you are possibly unaffected, and if you are- they you really should be following most of what's in the GDPR anyway, I'd suggest.

  9. Anonymous Coward
    Anonymous Coward

    "But with Brexit ..."

    "... we don't need to worry about that."

    Is something I've heard a couple of times. Worrying when it's board directors.

  10. Doctor Syntax Silver badge

    "Senior staff, heads of companies and the C-suite have to walk the talk. You can't put pressure on frontline staff to do training, without realising you may need to do training yourself."

    But - but - surely rules like that only apply to the little people, not to us.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019