What's GDPR? Survey suggests smaller firms living under rocks as EU privacy regs loom

The European Union's incoming General Data Protection Regulation (GDPR) has still not registered with more than half of small companies and a third of medium-sized firms, according to a UK government survey. The rules, which come into effect on May 25 this year, will affect all companies – not just EU ones – processing …

  1. DocD

    About Right

    Larger firms have more people so more eyes and ears who will see upcoming legislation like this (many of whose job it is to keep abreast of and deal with this kind of thing). Smaller firms tend to be fighting more immediate fires (such as chasing money owed to them by larger firms) and aren't really looking that far ahead. Larger firms tend to take longer to make changes so need to start sooner than smaller firms. All that said, as the article suggests, there's a lot of FUD marketing and BS around GDPR and in an era of 'fake news' people are becoming numb to the messages they're being bombarded with, even when they're about something important, because of it.

  2. imanidiot Silver badge

    The same here

    Pretty much the same rules come into effect here in the Netherlands and here too most people seem to be completely unaware of the impact the new regulations are going to have. Especially (sports)clubs and volunteer orgs seem to be completely unaware of the iceberg they're bearing down on. In the Netherlands I personally blame the government. There seems to have been NO information provided to smaller companies and organisations, even though this would have been rather easy through the Kamer van Koophandel (Chamber of Commerce/Merchants Register).

  3. Anonymous Coward

    I had the misfortune to spend 20 minutes or so with a webcast about GDPR until it became very clear it was about a vendor's product and not best practice for an SME like ours.

    At least we've been aware of the term since last year, but so far all we've done is make our email list double-opt-in. We all know there is more to be done, it just doesn't seem to be very apparent what needs to be done.

    1. Adam 52 Silver badge

      Sigh.

      https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/

    2. post-truth

      "I had the misfortune to spend 20 minutes or so with a webcast about GDPR until it became very clear it was about a vendor's product and not best practice for an SME like ours.

      At least we've been aware of the term since last year, but so far all we've done is make our email list double-opt-in. We all know there is more to be done, it just doesn't seem to be very apparent what needs to be done."

      @Anon. In response to your two paras (and assuming hypothetically you're in the UK):

      (1) there is no such thing as GDPR "best practice", and *never can be*. This is because all GDPR compliance is unique to the enterprise. Because in practice it's all centred around your Article 30 artefact which is unique to your enterprise. So the best you can do is adopt a methodology that will enable you to comply.

      (2) What to do?

      (a) build yourself an Article 30 artefact - like a dynamic "information-architecture-lite" populated by systems, datasets (meaning whatever you want it to mean in your own context, even recursively, don't go all IT-precise on me), and processes. Including shadow IT (yes I know, but there are products out there that can identify that for you). Then add to the process repository everything you need for Article 13/14 Notifications, starting with jurisdictions, data-protection-law attributes of the data, legal bases, and purposes; the results will tell you what else you need to add. None of these additions can be done by distinct IT people. Can all be done in spreadsheets and until you know what you're doing (most vendors and consultants have no clue) ought to be.

      (b) then urgently create your Notifications, which safely can be done only at this point.

      (c) perform any necessary DPIAs per Article 35. Guidance as to when and how in WP29's WP248 document. Remember to document *in advance* when and why you *don't* perform DPIAs for any given process.

      (d) do/plan the rest of your data subject rights processing per Articles 12, 15-21.

      (e) all other obligations, including security and data breach stuff, are relatively minor pieces of work and can be done in parallel.

      As Lord de Ramsey said not so long ago in the House of Lords, "semper in excretia sumus solum profundum variat": we're always in the poo, only the depth varies. Different context, same message, and that's the right attitude (I've even screwed up myself on some past Notifications). Don't be low-hanging fruit!

      HTH!

      Oops. I think I feel another blog coming on...

      [disclaimer: Yes, I've co-founded a GDPR consultancy and product vendor so I'm conflicted. Yes, I'm a data protection litigator and IT architect and teach this stuff so I'm conflicted. No, I am not here offering legal services and you may not treat any part of this communication as legal advice]

  4. andy 103
    FAIL

    Reminds me of PCI Compliance

    I've already posted something similar on another article but wanted to reiterate this:

    As per the title, this seems like the same old thing of PCI Compliance... I must have discussed it with over 100 different people and got varying views on what they think it is, what it involves, and what the (enforceable) penalties actually are.

    But the bottom line was always that there isn't such a thing as "yes or no" to the question "are we compliant?". It was always a "we have a procedure for X", "we store data in Y way". Right down to... "we're trying our best". As long as you were vaguely aware of what was going on, or could refer to some procedure/material that pretended to cover it, happy days.

    Totally unfit for purpose, totally unenforceable, total bollocks.

    But of course, something that people can and will get dubious fines for. Something that "consultants" will make money from for giving advice - and said advice will vary depending on who you speak to. The people who came up with it will have been paid handsomely.

    And the kicker? Absolutely no benefit whatsoever to the people it's aimed at protecting! Oooh there's now a double opt-in for that mailing list? There are *already* rules about having things like an "unsubscribe" link at the bottom of marketing emails (some companies don't give a fuck...because, oh yeah, nobody's enforcing it really). And clicking that, or having a second email address, wasn't exactly The Worst Thing Ever in my life. Yeah yeah it applies to more than just marketing emails. But not in a way that anyone is going to care about or see a noticeable positive difference in their lives. Feel free to give an example if you feel differently of course.

    1. israel_hands

      Re: Reminds me of PCI Compliance

      Totally unfit for purpose, totally unenforceable, total bollocks.

      I'm going to have to disagree with you there, chap. In fact I'd go so far as to say you're talking out of your arse.

      The rules are easily enforceable and have hefty penalties attached, especially for wilful breaches. The reason the rules may seem vague (and from your comments I'm assuming you haven't read any of the ICO recommendations for instance) is that they're legislating for an outcome and not against a specific business model, which is the most sensible way of framing legislation, especially in an area as broad as data protection.

      The reason you won't find anything in the recommendations or legislation that specifically matches your use-case is because you're expected to do that work yourself. If you feel you need to hold data about a person the onus is on you to work out how to do so within what's legally permissible. I see that as a benefit and it avoids the whole stupidity of the EU cookie legislation which failed miserably because it didn't think far enough ahead to how people would implement it. GDPR is a lot more robust than that.

      And it's not about "double opt-in mailing lists" it's about giving people control over how and where their data is stored, for what purposes and who can gain access to it. And also, (and this is the part I particularly like) a company can't refuse service to someone if they won't share their data. That part is what's going to make it harder for Facebook et al to keep the data hoover turned on. They can create whatever "privacy tools" they like but the simple fact that they can't opt people in to data sharing should cause them a massive headache. Think of it like this: Day 1 of GDPR, Facebook has to untick all the privacy and data-sharing boxes for all users in the EU. Most people (even if due to inertia alone) won't be bothered to go in and opt themselves in to all that shite, so the boxes will remain unticked. And Facebook can't refuse them access to their account if they don't opt-in. They can only refuse a service without data-sharing if that data-sharing is essential to the service functioning.

      Now plenty of companies may think they can just get away with carrying on as before, but that just leaves them open to being hit with fines that should be a worry to any organisation, no matter how large or small.

      To use the cookie situation as an example, currently the rules are utter bollocks. You just get told they're using cookies and have to accept it or not use the site (or block them with varying degrees of success and lost functionality). Under GDPR they'll have to ask, you'll have to opt-in (pre-ticked boxes and opt-out boxes are outlawed) and if you don't you'll still get to use the site anyway.

      I see it as a massive step in the right direction. It won't be perfect but will be so much better than the current rules. And it should also help to reduce all the bullshit ad-targeting that goes on, and those shitty Facebook buttons that track everyone across every site they visit.

      So you asked for some counter-examples, and I hope the above gives you something to think about.

      1. Sir Runcible Spoon Silver badge

        Re: Reminds me of PCI Compliance

        Here's a good example of what GDPR will do for the man in the street:-

        I recently had a car insurance renewal that was a bit pricier than I'd hoped, so I went shopping around. Found a better quote on a like-for-like basis and started the ball rolling.

        Now, I personally like to pay my insurance in one go and have the auto-renew disabled, because that way there is no need for that company to keep my credit card details on their system. One payment - all done etc. Except when questioned the new broker told me that he couldn't disable the auto-renew until a month before (i.e. in 11 months time). When I asked if that meant they would be storing my CC details he went to a manager and came back saying 'we only store the last four digits and the expiry date'.

        So, when I asked him just how they would take a payment in 12 months time he kind of realised what I was driving at. He also told me that he *couldn't* delete my CC details from their system once it had been added!! When I asked him if he was aware of GDPR I got a 'wassat then?' response.

        In short, if I had actually paid them, and in June called them up to ask them to remove my credit card details from their system, they would have been in breach of GDPR and I could make an official complaint. If fined, they would probably go out of business.

        Please correct me if I've misunderstood GDPR in this context, because that's what I think it means.

        1. Adam 52 Silver badge

          Re: Reminds me of PCI Compliance

          I think they are likely to argue that you're wrong. The right to object to processing isn't absolute so they can refuse your request if there are compelling grounds.

          The headline fines are maximums. Initially fines are unlikely to be anywhere near the maximums.

          1. 0laf Silver badge
            Angel

            Re: Reminds me of PCI Compliance

            No he'd be right. They don't need to retain that data to provide the service he has contracted them for so in fact they would not be permitted to retain it in the first place without consent.

            And that consent must be informed and freely given and just as easy to remove as to give.

            For the consumer and the citizen the GDPR is a very good thing indeed.

    2. Domino
      Thumb Up

      Re: Reminds me of PCI Compliance

      "Absolutely no benefit whatsoever to the people it's aimed at protecting!"

      I got through checkout at PC World without being asked for any personal info. Was I wrong in chalking that up as a win for GDPR?

    3. Cynical Pie

      Re: Reminds me of PCI Compliance

      Spoken like someone who clearly a) hasn't bothered to look at the Regulation or the DP Bill currently passing through parliament and b) hasn't bothered to look for the wealth of advice from the ICO and other European DP regulators.

      Had you bothered you would know GDPR is quite prescriptive in its requirements unlike the old DP Directive.

      That said nothing UK wise is definitive until the DP Bill gets Royal assent in March/April

      1. Sir Runcible Spoon Silver badge
        Paris Hilton

        @Cynical Pie

        Who are you responding to?

  5. }{amis}{ Silver badge
    Alert

    Bug < Windscreen

    Even the companies that have heard of it seem to mostly be waiting to see how big a splash the first company caught for violation makes.

    Working on the basis that most law is lightly enforced, where's the sense in spending mega bucks if the outcome is a low probability of a manageable fine??

    Though the headline fine is scary it will all come down to how aggressively this is enforced.

    1. Doctor Syntax Silver badge

      Re: Bug < Windscreen

      "Working on the basis that most law is lightly enforced, where's the sense in spending mega bucks if the outcome is a low probability of a manageable fine?"

      Remember that the ICO or equivalent in your jurisdiction isn't likely to come checking if you're compliant, they'll be responding to complaints from data subjects. So if you want to minimise your risks don't, as a company, stick your head above the parapet.

      Your biggest risk takers in this respect are likely to be your sales and marketing department. Historically such departments have failed to grasp the fact that what they call valuable marketing information when they send it out is regarded by the recipients as junk. If your S&M department has spent the last few years pissing off people in this way it's going to be payback time for those of us who they've pissed off.

      So go through all their digital assets with a fine tooth comb making sure they aren't holding any PII that they haven't obtained with explicit consent to use for marketing purposes. They'll probably complain that they can't do their job. Tell them that their job isn't putting your business in line for big fines. If your business is headed by somebody with the instincts of a double-glazing salesman it's best to start looking to jump ship now, especially if your job title or responsibilities include anything along the lines of compliance officer.

  6. LeahroyNake Bronze badge

    Personal information

    If anyone has a link that defines this with regards to B2B only transactions / customers I'm willing to give it a good read.

    For now we have just written procedures to deal with information requests from individuals. We have never had a request as far as I am aware but at least we know how to deal with it in the future.

    Anything else is just wait and see rather than splurge on a supposed expert that just wants to sell us some crap because #buzzword.

    1. Sir Runcible Spoon Silver badge

      Re: Personal information

      I'm going to bet my lunch that anyone prepared to actually read up on GDPR is going to be in a lot stronger position to know what it's about than these new 'egg-spurts'.

    2. israel_hands

      Re: Personal information

      Check out the ICO Guidance (sorry, can't be arsed to find the link right now but it's not hard to find).

      The main area it comes down to for B2B is, as far as I'm aware, if you're trading personal data you absolutely must get explicit consent to do so, explaining what data you're passing on, to whom, and for what purpose. If you're receiving the data then you need to put in some checks to ensure they've done the above (or make them sign something stating they have and accepting all responsibility if they haven't).

      The other side is that companies have to regularly (although the timeframe isn't explicitly defined it leans heavily towards what individual data subjects consider reasonable) check back and ensure they still have permission to store/use such data.

      So if you're receiving the data you'll at the very least need to have a way to remove specific elements of it upon request (which will be relayed by whichever company you're getting the data from). If you're passing it on yourself then you're on the other end of the transaction so should look at automating a way to send requests out to companies you pass the data to. And probably some sort of signed agreement from them to say they'll abide by deletion requests.

      I'm not an expert though, so for fuck's sake don't take the above as a policy statement. It's just an idea of what you'll need to be thinking about. The ICO site is a good place to start reading though.

    3. Adam 52 Silver badge

      Re: Personal information

      B2B was/is different under the current regulations. What was permitted under the rules (marketing to business email domains without consent) won't be any more.

      Unless you have an ongoing relationship with them, where it's reasonable to assume implied consent.

      Organisations have no additional rights under the new rules but the people within those organisations are now treated as people in their own right, not as parts of the organisation. Does that make sense?

      That's how the lawyers explained it to me this morning when I asked!

      We are taking advantage of the current rules to ask for consent now - before we aren't allowed to even ask.

  7. Anonymous Coward

    Enforcement < Litigation

    The ICO can be expected to take a pragmatic view (especially early on)... but don't expect lawyers to be the same. Law firms looking for the next PPI are probably gearing up to hammer the soft targets from day one, the Subject Access Request compliance required by law being the only weapon they need for a fat payday if they can galvanise enough punters to buy in.

    1. Sir Runcible Spoon Silver badge

      Re: Enforcement < Litigation

      Are you suggesting that the plaintiff gets the proceeds of the fine?

      1. Adam 52 Silver badge

        Re: Enforcement < Litigation

        GDPR allows collective action for damages. So a law firm can try to collect, for example, damages for everyone who Facebook tracks without consent.

        These guys already exist to "manage" the ICO complaint process, but with GDPR their options are greatly enhanced. In my view they are the biggest risk if you have lots of disgruntled customers, not the regulator. Two billion subject access requests, all needing to be completed within one month could take out Facebook (I dream).

        Civil action for damages is completely unrelated to the fines.

  8. 0laf Silver badge
    FAIL

    GDPAhhh

    GDPR is the pork barrel and the W2k bug of today.

    Honest truth is that if you have been acting reasonably under the DPA (or European equivalents) you will probably manage just fine under GDPR. Ok you've got a bit of work to do but you're not likely to get dragged out into the street and shot by your regional ICO.

    If you've been playing fast and loose with data taking the £500k fine as an operational risk then you're probably deep in the shit and best start digging hard.

    This is possibly why I've heard of some banks paying mad money for consultants to do GDPR work.

    1. Destroy All Monsters Silver badge

      Re: GDPAhhh

      This is possibly why I've heard of some banks paying mad money for consultants to do GDPR work.

      Why would they want to do that (except that they always pay mad money and these consultants are actually lawyers). Banks would be ready for GDPR from day one, one would hope. Maybe not the Dogecoin bank..

      1. Sir Runcible Spoon Silver badge

        Re: GDPAhhh

        Here's a fun thing to do if you're bored..

        Next time someone says 'coz of the data protection act, innit!' to you, ask them which section applies in this particular circumstance. I will put money on them never having even read the title of the actual document, let alone know what the hell is in it.

        I've done this several times and they've tried to waffle their way out of it every single time.

        1. Kevin Johnston

          Re: GDPAhhh

          Ask to speak to their Data Protection Officer...always goes down well.

    2. israel_hands

      Re: GDPAhhh

      Honest truth is that if you have been acting reasonably under the DPA (or European equivalents) you will probably manage just fine under GDPR.

      That's not even remotely close to being accurate. Under DPA you can get away with all sorts of stuff that are now explicitly outlawed. Automatic opt-in for one is extremely popular under DPA (and compliant) but an absolute no-no under GDPR. That's a single example and there are loads more changes that will make all sorts of stuff that is commonplace now extremely difficult. Selling data to advertisers is another good example. They have to get your permission for every entity they sell your data to. And explain who's getting it, what they're getting and why they're getting it. They also have to delete it upon request. And you can simply refuse.

      I do agree that it will generate lots of scummy companies taking advantage of the FUD regarding the legislation and selling people overpriced shit advice. But that's true of pretty much any situation like this, and I'd rather have to put up with them (and educate people to avoid them, idealistic, I know) than do without the protections GDPR is bringing in.

  9. JohnFen Silver badge
    Unhappy

    Still trying to figure it out

    I'm tasked with evaluating the technical requirements of the GDPR for my company. The whole thing seems pretty vague and seems to require an uncomfortable number of judgement calls. So while I'm aware of it, I still don't really know, specifically, what is required and thus whether or not we're in compliance.

    I just wanted to whine about this. Ugh.

    1. Doctor Syntax Silver badge

      Re: Still trying to figure it out

      "The whole thing seems pretty vague and seems to require an uncomfortable number of judgement calls."

      This isn't legal advice so just take it as a guide for your research.

      1. Have a valid reason for any PII you hold. Don't collect any PII other than what's necessary to deliver the goods or services you provide or to fulfil any legal obligations. For example, you'll need someone's name and delivery address if you have to deliver goods; you don't need to know the name of their spouse and/or children. You don't need to know their age unless that has legal implications for your business. Even if you need to know their age you don't need to know their birthday. Distinguish between needs and wants; however much someone in your business wants some information, unless you need it, they can't have it. If your database currently holds data it shouldn't, getting rid of it between now and May would be a good idea. If what you read seems vague it's because nobody giving general guidance knows your specific situation. It's up to you to decide what's necessary for practical reasons, what's necessary for legal reasons and what's not necessary but the 4-year-olds in marketing insist they want. Remember also that employees are also data subjects so, with appropriate amendments, the above applies to information which HR hold. And holding information includes what's on paper - in files or in little black books.

      2. Only hold the information for as long as you need it, to deliver or to fulfil legal obligations. Again, you need to look at what this means in your situation.

      2a. If you are holding information longer than you need, delete it on demand unless there's a legal reason not to. You should review what you need to hold for accounting purposes; there's a need to retain some data for a long time but you still shouldn't hold more detail than you need. It will be easier if you have a process in place. No, you don't need to delete it from backups but you'll need to retain the delete requests until the backup has been superseded in order to re-delete if you have to restore the backup. You can justify holding the request for that long as it's needed in order to ensure you can permanently execute the deletion.

      3. If you wish to use the PII for purposes other than those for which it was collected you need explicit permission to do so. That includes passing it on to third parties. You can't refuse to provide your goods and services on the basis that a customer refuses such permission. Building that into your data collection now would be a good start. If you want to use existing data in this way use the time between now and May to seek such explicit permission. If you don't have that permission, make sure it's tagged as not having permission. Sales and marketing and HR - this includes you.

      4. Have a means available to report on what data you hold if a data subject requests it, have a process available to apply corrections if they request it.

      I think the ICO site has detail but I'm not going to look for it to spoon-feed you. As I said, do your own research; the above is just a guide.

      1. Sir Runcible Spoon Silver badge
        Thumb Up

        Re: Still trying to figure it out

        Dr. Syntax, I believe we all owe you a banana :P That's an excellent summation, nicely done.

      2. JohnFen Silver badge

        Re: Still trying to figure it out

        "I think the ICO site has detail but I'm not going to look for it to spoon-feed you. As I said, do your own research; the above is just a guide"

        I have been researching, I have been all over the ICO site, and I already understood everything you've said. My issue is precisely what I said in my comment: there seems to be a lack of specifics. There is a lot of "this is what we want the end result to be" type of language, yes, but it's the specifics that actually count in the end. Too much is being left up to judgement calls, and I can't be comfortable that my judgement and the judgement of the authorities would agree.

        So, at least right now, if I'm asked "are we in compliance", the only honest answer I can give is "I think so, but I'm not really certain."

        1. Sir Runcible Spoon Silver badge

          Re: Still trying to figure it out

          If the end result is provided, it's up to you to decide whether the steps you are taking will take your company to the correct place in terms of GDPR.

          I think the bottom line will end up being something like:

          1. Are you able to identify and isolate particular data in your repository

          2. Is it all justifiable in terms of your business (in terms of length retained and data type)?

          3. Do you have a working process that can remove data on request within a reasonable time-frame*

          *bit vague I know, but a large company with only a few requests this should be days, a small company with lots of requests could be a month or two.
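Doctor Syntax's list above (hold only what you need, delete on demand and re-delete after a backup restore, tag records that lack permission, report on request) and Sir Runcible Spoon's three-point bottom line (isolate the data, justify it, remove it on request) describe a small amount of mechanism. The block below is an added example written for this page, not code from the article, any commenter or any product; every class, field, timestamp and sample customer in it is constructed for illustration. It models a customer table with a per-purpose consent tag (withdrawal as easy as grant, marketing only to tagged records), a subject-access export, and an erasure log that is replayed after a restore and pruned only once every backup predating the request has been superseded.

```python
"""Consent tagging, erasure with backup replay, and subject-access export.

Added example for this thread (not from the article, any commenter or a
product): an in-memory model of the points above. Class names, fields,
timestamps and sample customers are all constructed for the example.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so the example and its checks build timestamps the same way."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Customer:
    customer_id: str
    email: str
    postal_address: str
    # purpose -> consent state; a missing key or False means no permission.
    consent: dict[str, bool] = field(default_factory=dict)


class CustomerStore:
    """Stand-in for the customer table plus its erasure log (constructed)."""

    def __init__(self) -> None:
        self.customers: dict[str, Customer] = {}
        # (customer_id, time of erasure request). Replayed after any restore of
        # an older backup and kept until every backup predating the request is gone.
        self.erasure_log: list[tuple[str, datetime]] = []

    def add(self, customer: Customer) -> None:
        self.customers[customer.customer_id] = customer

    # --- consent: explicit, per purpose, withdrawal as easy as grant ----------
    def grant(self, customer_id: str, purpose: str) -> None:
        self.customers[customer_id].consent[purpose] = True

    def withdraw(self, customer_id: str, purpose: str) -> None:
        self.customers[customer_id].consent[purpose] = False

    def marketing_recipients(self) -> list[str]:
        """Only records explicitly tagged for marketing are handed to marketing."""
        return sorted(c.email for c in self.customers.values()
                      if c.consent.get("marketing") is True)

    # --- subject rights: access and erasure -----------------------------------
    def export(self, customer_id: str) -> dict:
        """Subject access request: everything held about one person, as plain data."""
        c = self.customers[customer_id]
        return {"customer_id": c.customer_id, "email": c.email,
                "postal_address": c.postal_address, "consent": dict(c.consent)}

    def erase(self, customer_id: str, requested_at: datetime) -> bool:
        """Delete the live record and log the request so a later restore re-deletes it."""
        if customer_id not in self.customers:
            return False
        del self.customers[customer_id]
        self.erasure_log.append((customer_id, requested_at))
        return True

    # --- backups --------------------------------------------------------------
    def snapshot(self, taken_at: datetime) -> tuple[datetime, dict[str, Customer]]:
        return taken_at, copy.deepcopy(self.customers)

    def restore(self, snapshot: tuple[datetime, dict[str, Customer]]) -> list[str]:
        """Restore a backup, then replay every erasure requested after it was taken."""
        taken_at, data = snapshot
        self.customers = copy.deepcopy(data)
        replayed = []
        for customer_id, requested_at in self.erasure_log:
            if requested_at > taken_at and customer_id in self.customers:
                del self.customers[customer_id]
                replayed.append(customer_id)
        return replayed

    def prune_erasure_log(self, oldest_retained_backup: datetime) -> int:
        """Drop entries no surviving backup can resurrect (request predates the oldest kept backup)."""
        before = len(self.erasure_log)
        self.erasure_log = [(cid, at) for cid, at in self.erasure_log
                            if at > oldest_retained_backup]
        return before - len(self.erasure_log)


if __name__ == "__main__":
    store = CustomerStore()
    store.add(Customer("c1", "a@example.com", "1 High Street"))
    store.add(Customer("c2", "b@example.com", "2 High Street"))
    store.grant("c1", "marketing")
    backup = store.snapshot(utc(2018, 1, 1))
    store.erase("c2", utc(2018, 6, 1))
    print(store.restore(backup))          # ['c2']: the restore did not bring c2 back
    print(store.marketing_recipients())   # ['a@example.com']
```

The design choice worth noting is that the erasure log is the record the business relies on to make a deletion permanent, so it is pruned by the age of the oldest backup still held, not by a fixed retention period; a real deployment would persist it separately from the data it refers to so that restoring the customer table cannot also restore the log.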

        2. Doctor Syntax Silver badge

          Re: Still trying to figure it out

          "My issue is precisely what I said in my comment: there seems to be a lack of specifics."

          Of course there's a lack of specifics. The ICO don't know what sort of business you run or what sort of data you hold so how can they give you specific advice in their notes?

          Start with the section on principles of data protection. Look at them in the light of your business and your data. You have two choices: knuckle down and do it yourself or get someone in to do it for you.

          It's not legal advice but in your position this is how I, personally, would start, YMMV:

          1. Do an audit of the various PII data holdings in your business including who owns them. Who owns them will probably be the manager of the department which uses the data. Establishing the owner is important because it will be they who higher management or the board will depend on to ensure compliance. (Anyone from BT who got lumbered with Argent a couple of decades ago will remember this one.) The data sets you'll need to look at aren't just customer data, they'll include supplier data (your people almost certainly have contact lists), HR and any data your business processes on behalf of others.

          2. One of the many things I disliked about ISO9000 back in the day was that although it documented what you did it omitted why you did it. Why you do things is as important to document as what you do. You start doing this now.

          Go through the lists you've collected and document why your business collects and holds such data, how long you should hold it and the reasons for that length. The sorts of reasons might include practical - what you need to deliver goods and/or services - regulatory, statutory or contractual.

          This is where you might need guidance but the guidance isn't going to be from some self-certified GDPR expert. If, for instance, you need to know what and for how long you need to hold stuff as an audit trail the person to ask is an accountant who can cite HMRC or whoever's rules to you. And make a note of the rules cited. Similar considerations apply to industry specific legislation or regulation.

          If need be take professional help outside of your business, especially if the internal advice is from someone who you think is playing safe and saying "keep everything": keeping everything might not be safe under GDPR. You might need a budget for fees for that. If you don't have one then ask. Document asking. If you don't get, document that. CYA.

          You might need to document down to column level if the need arises. You won't need to document the reason for each element of an address but if there's a column for gender you will certainly need to document why your business thinks it needs that.

          3. Go through your documentation and decide whether the reasons are valid, whether the durations for which you hold data are valid etc.

          4. Write out what needs to be done to eliminate the discrepancies thrown up in 3 and policies to say how this has to be done in future. As far as possible agree this with the data owner

          5. Present this, quoting your documentation, to higher authority. Write up reactions. You may need to be circumspect: say something like "In view $stuff I recommended $recommendation but $data owner responded $response. This was submitted to $bigwig who decided $whatever on behalf of the business". CYA.

          Why do I say have it all formally written down? You're trying to protect your company but also yourself. Hopefully the two will amount to the same thing but if they don't ensure you're protected. Proceed as if you might, at some point, have to defend your company or yourself against an ICO investigator or, worst case, in court. Having it documented will show that even if some decisions weren't right, you'd made a genuine effort to find out what you thought you should be doing and why and by whom the actual decision was taken. If you can show that everything was done with the best of intentions but some of it was wrong you're more likely to avoid a penalty and have it sorted out courteously if not affably with the ICO without it ever coming to court. And having it written down contemporaneously will go down much better than having it obviously cobbled together yesterday.

  10. BazzF
    Thumb Up

    Might be of interest if you're puzzled

    GDPR doesn't seem that complicated, really. Something good from the EU? Shock.

    Anyway, I'm mainly concerned with SQL Server, so here's what I found:

    http://www.sqlservercentral.com/articles/GDPR/165180/

    Seems pretty straight forward.

    1. JohnFen Silver badge

      Re: Might be of interest if you're puzzled

      I had already come across that article. I didn't actually find it very helpful for my situation -- it's basically just summarizing what the text of the GDPR says.

      1. israel_hands

        Re: Might be of interest if you're puzzled

        I really need to stop posting on this thread.

        @JohnFen: I highly recommend reading the ICO guidance on it. What you need to do is think about the outcome they're driving at (which largely comes down to only holding onto data for which you have explicit permission and a legitimate reason, regularly checking to ensure you still have permission, and not passing anything on without explicit permission). If you get the intent of the regs in your head, then you should be able to map out the data you hold and decide how to handle it. It's hard to be more specific without knowing your situation, but the comments I made above about why the regs seem so vague is true. You're supposed to do the work to fit in with the outcome they're legislating for. It may seem unreasonable to you, as a person, to get saddled with that, but from an outsider's point of view, it's not unreasonable to assume that a company will act within the new rules.

        Doctor Syntax gave some good advice above also, don't discount what he's saying.

        1. JohnFen Silver badge

          Re: Might be of interest if you're puzzled

          " It may seem unreasonable to you"

          I never said it seemed unreasonable. I was just whining because it puts me in a very sketchy position. If my judgement call turns out to be wrong, it's my head. So, when it comes to complying with the law, I strongly prefer that the law be very clear and specific.

          1. Doctor Syntax Silver badge

            Re: Might be of interest if you're puzzled

            " If my judgement call turns out to be wrong, it's my head."

            As per my previous comment. Proceed systematically and document it. You don't make judgement calls out of the blue, you make them on the basis of analysis of available specific information. If you've done that you're in a good position to make the right calls and even if you don't get everything right you stand a better chance of being heard sympathetically by TPTB. If what you recommend isn't followed and it all goes pear-shaped your arse is covered. That's a consideration if you're worried you're being set up as the fall guy.

            "So, when it comes to complying with the law, I strongly prefer that the law be very clear and specific."

            The law can't be specific. It can't say "don't steal such and such a specific thing", it just says "don't steal".

            Do you have some background in data analysis? I think that's needed because it really is going to be a matter of picking through the detail and making a set of mini-decisions based on what you find and a set of principles.

            1. JohnFen Silver badge

              Re: Might be of interest if you're puzzled

              Eh, I've decided to wash my hands of it and tell my boss that what he needs is legal counsel, not technical counsel. I'll just do what the lawyers say to do and be done with it.

              My situation is a bit unique because I'm an American working for an American company that does business worldwide. There may be a cultural aspect to this -- what I'm hearing from the comments here is that people have faith that the courts act in a reasonable fashion with things like this. My experience in the US gives me no such faith, so I get extremely nervous about making any judgement calls whatsoever when it comes to regulations.

              1. Doctor Syntax Silver badge

                Re: Might be of interest if you're puzzled

                "There may be a cultural aspect to this -- what I'm hearing from the comments here is that people have faith that the courts act in a reasonable fashion with things like this."

                Although there are comments here about the ICO not handing out big enough fines when someone is acting badly, I think the tradition of the ICO has been to help do things right. Certainly that was my experience when the DPA Mk 1 came out. The then Information Commissioner was doing the rounds speaking at various events. I had a particular concern so I went along to his talk at the local University. Afterwards I was able to buttonhole him to ask his advice on my particular issue and found him very helpful. Your perspective might involve more than one regulator, however, and my experience is only with one. If anyone else is following this they might be able to weigh in on this if they've experienced other regulators.

                Legal advice may well be part of the evaluation that's needed but I'm not sure that a lawyer is the right individual to lead it. Certainly a large part of this is being able to grasp what data you are holding and analyse how it fits against data. Perhaps a business analyst or a data analyst is the right background. It also requires a person who is used to making decisions.

                From your reactions it sounds as if you weren't the right person for the job but I'm not sure that handing it over to legal is the ideal solution, or at least not the whole one; there is going to be a strong technical element to it.

                You are right about there being a different cultural approach. The European approach is to take privacy as a right and that doesn't seem to be the US attitude at all. For instance one thing we've read about here is concerns of equality in US corporations and the solution, govt. mandated IIRC, is to require reports of analyses of this which, of course, requires the recording of race and gender.

                That doesn't go down well here. As a straight white male I'd take great exception to being asked to fill that in on a form. I'd probably react by asking some pretty pointed questions about definitions of race (which, AFAICS, are somewhat asymmetric in the US) and if really pushed insist on being Elmetian on the basis that some research into DNA in England showed that those with roots in the area covered by the sub-Roman kingdom of Elmet showed variations from the bulk of England. I don't know how a US corporation with European employees is going to handle that situation.

        2. Anonymous Coward
          Anonymous Coward

          Re: Might be of interest if you're puzzled

          “(which largely comes down to only holding onto data for which you have explicit permission and a legitimate reason, regularly checking to ensure you still have permission, and not passing anything on without explicit permission)”

          Doesn’t “business interest” act as a valid reason by itself under GDPR? If a business needs its IT department to restore a sacked ex-employee's emails from backup as part of a related legal investigation, and those emails contained PII data, would you also need to have explicit permission? Surely not?

          1. israel_hands

            Re: Might be of interest if you're puzzled

            You've answered your own question there. If there's a legal investigation ongoing and those e-mails form part of it then the reason for accessing the data isn't "business interest" it's "legal compliance".

        3. Ray Foulkes

          Re: Might be of interest if you're puzzled

          Sounds great - Experian and all the other credit scorers must shut up shop (NOT, they will have made sure that there are loopholes where they don't have to ask me about keeping details on me or indirectly on me by using my address).

      2. Doctor Syntax Silver badge
        Happy

        Re: Might be of interest if you're puzzled

        "it's basically just summarizing what the text of the GDPR says."

        But in geek-speak ;)

    2. Destroy All Monsters Silver badge
      Pint

      Re: Might be of interest if you're puzzled

      Pretty good.

      I think we can solve this with a couple of MongoDB instances in failover configuration and a React.Js + Redux based backend managed via Angular.

      1. nsld

        Re: Might be of interest if you're puzzled

        What's the DevOps angle?

  11. Kev99

    So that's what it means. I thought the whackos took over and wanted to resurrect the German People's Democratic Republic.

  12. Anonymous Coward
    Anonymous Coward

    'Facebook boasts tools to help users 'manage their data'

    Wonder how Facebook will manage to reconcile post-sharing / PMs / group discussion etc. between GDPR / non-GDPR groups that interact across borders etc... Either way, a lot of good this will do I fear, as the entire social media industry is built on insidious lies. Can GDPR ever fix this kind of stuff?

    Examples: Is Zuk...

    #1. Going to delete all the juicy behavioural data that was captured during Fake News season (as offered and sold to Cambridge Analytica etc.)?

    #2. Going to stop using LIKE buttons on every internet site to slurp visitors, regardless of whether they're logged-in, never mind even an FB user?

    #3. Going to say sorry for lying about not being able to slurp WhatsApp data, and consequently kill off all that data?

  13. Byron "Jito463"

    Facebook helping to manage your data....isn't that like the fox helping to secure the hen house?

  14. Mike 137

    Strange that nobody's mentioned...

    Strange that nobody's mentioned the UK Data Protection Bill currently before Parliament. When we leave the EU (nominally March 2019) this will become the legislative basis for personal data processing in the UK.

    Equally odd that, 19 months into the two years granted to prepare for GDPR compliance, businesses of all scales are still wondering how to get started (with exactly five months left in which to act).

    1. Doctor Syntax Silver badge

      Re: Strange that nobody's mentioned...

      "Strange that nobody's mentioned the UK Data Protection Bill currently before Parliament."

      That's simply the local implementation of GDPR. Each EU country is going to have its own legislation to implement it. The real problem is going to be for businesses in non-EU countries doing business with the EU and not having a similar legislative framework. At least you know that if you're following the current Bill when it becomes law you should be compliant. If you're in an environment where your current legislation is counter to some provision of the GDPR you're between a rock and a hard place.

  15. Anonymous Coward
    Anonymous Coward

    Great! No more spam!

    'cos obviously they'll be in breach of the regulations...

    1. Doctor Syntax Silver badge

      Re: Great! No more spam!

      As I said in a previous comment - for those of us whom marketing have spent years pissing off, it's going to be payback time. <Rubs hands in glee>


Biting the hand that feeds IT © 1998–2019