back to article How their GDPR ignorance could protect you from your denial

We may be leaving the EU, but some EU law – with significant consequences for the IT community – will carry on. One such is the General Data Protection Regulation (GDPR). We signed up to it before the referendum, agreed to persist with it after and, if businesses wish to continue to process data belonging to EU firms, as well …

  1. Duncan Macdonald

    Conflict of legal requirements ?

    The GPDR requires removal of personal data in some circumstances but audit and other legal requirements often require holding data for years. Audit requirements often need an unaltered copy of a database to be kept for several years. Which takes priority - legal requirements to keep records or legal requirements to delete records ?

    1. Hollerithevo

      Re: Conflict of legal requirements ?

      If someone says 'take me off your mailing list' you actually have to retain his or her data with a big flag on it (DO NOT EMAIL) so that he or she can't be added again by a newbie. You simply shift this sort of item to a different place or setting.

      1. edge_e

        Re: Conflict of legal requirements ?

        Since the only way that somebody should be added to a mailing is if they have given their explicit consent, how could they be added again by a newbie?

      2. BeCyberSure

        Re: Conflict of legal requirements ?

        Nonsense. You should have processes and procedures in place to prevent "newbies" loading up data for which you do not have consent. Don't blame your lack of governance for your lack of compliance.

      3. Anonymous Coward
        Anonymous Coward

        Re: Conflict of legal requirements ?

        > You simply shift this sort of item to a different place or setting.

        Your understanding of either the DPA or the GDPR seems dangerously deficient.

    2. edge_e
      Happy

      Re: Conflict of legal requirements ?

      I presume keeping data for the purpose of the audit takes presidence. The thing some companies fail to grasp is that just because they have the data for reason a, doesn't mean they can use it for reason b.

      1. Doctor Syntax Silver badge

        Re: Conflict of legal requirements ?

        "The thing some companies fail to grasp is that just because they have the data for reason a, doesn't mean they can use it for reason b."

        One way would be to have separate databases for a & b. It would avoids that category of error. Unfortunately it introduces a new one, that of keeping one of those databases up to date. The database that's used for trading needs to have its names and addresses up to date, the marketing database may well rot in isolation. However there's an effective solution: throw away the marketing database and add value to the business by stopping pissing off customers with unwanted mailshots and spam.

    3. BeCyberSure

      Re: Conflict of legal requirements ?

      The requirements of the GDPR are that you should have the consent of the data subject or another legal reason in order to collect, hold or process personal data. So the legal requirement to hold that information is fine. The point of the law is to prevent companies and others from keeping data just for the sake of it.

    4. Anonymous Coward
      Anonymous Coward

      Re: Conflict of legal requirements ?

      > Which takes priority - legal requirements to keep records or legal requirements to delete records ?

      Where there is existing legislation that introduces a legal requirement to retain data, some of which may count as personal, then the GDPR will be cognizant of it: either it will specifically remove or amend the relevant clauses in the previous legislation; or it will state that the GDPR does not apply in those circumstances.

      Often, companies introduce a *policy* of retaining data for N years, which gets corrupted into "It's a legal requirement to retain this data for N years" as old staff leave and new staff join. As always, the correct course of action is to make it your manager's problem by letting them know. :-)

      HTH

    5. Anonymous Coward
      Anonymous Coward

      Re: Conflict of legal requirements ?

      > The GPDR requires removal of personal data in some circumstances but audit and other legal requirements often require holding data for years.

      Can you give a specific example? Otherwise your question as stated makes no sense.

  2. tedleaf

    But none of it will.mean anything if the authorities don't bother to enforce it,just as the author pointed out in the article,this just reminds me of all the new strict banking laws bought in after the crash,but the system is still only staffed by two 18 year olds.

    I suspect that is precisely what will happen,thousands of cases in which companies etc should be prosecuted but won't be and it will only be the odd case that the authorities involved,probably because some firm pisses off the wrong person with connections..

    1. GingerOne

      "But none of it will.mean anything if the authorities don't bother to enforce it"

      I think that is one of the reasons behind this. We are to be the ones who enforce it.

    2. Doctor Syntax Silver badge

      "But none of it will.mean anything if the authorities don't bother to enforce it"

      With the ability to issue fines on that scale of course they'll enforce it.

  3. Doctor Syntax Silver badge

    Reading the article I wonder if the banks will realise the risks that over-reliance on online and call centres will have brought them. I look forward to a wave of branch openings. I'll probably have to wait until a few of those large fines have been handed out so bring 'em on.

    1. GingerOne

      "Reading the article I wonder if the banks will realise the risks that over-reliance on online and call centres will have brought them. I look forward to a wave of branch openings. I'll probably have to wait until a few of those large fines have been handed out so bring 'em on."

      How so? it makes no difference how a bank interracts with it's customers, the data held will be the same.

      1. Doctor Syntax Silver badge

        "How so? it makes no difference how a bank interracts with it's customers, the data held will be the same."

        You have some problem you need to get sorted out.

        Scenario 1. You go into a branch, talk to someone, get it sorted. No data.

        Scenario 2. You try to sort it out on line Succeed or fail there's data recorded.

        Scenario 3. You ring up, maybe because you didn't succeed on line or you knew better than to try. "All our calls are recorded for training purposes...".

        1. Anonymous Coward
          Anonymous Coward

          > Scenario 3. You ring up, maybe because you didn't succeed on line or you knew better than to try. "All our calls are recorded for training purposes...".

          "... press 0 if you do not wish this call to be recorded."

          --- Austrian Airlines ☺

  4. Pen-y-gors

    What's the EU ever done for us?

    Well, apart from the roads and aquaducts, it looks like GDPR is going to be near the top of the list.

    Wonderful! Hopefully now we can nail spammers arse to the wall, financially at least!

  5. Whitter
    Thumb Up

    Customer-first doesn't mean cutting your bottom line

    Unless you are just an abusive tosspot obviously.

    For most companies, spending time and manpower contacting people with no interest in what you are promoting is a clear loss-maker. "Give me the good leads" as sort-of-said in Glengarry Glen Ross.

    If your system's design reflects what your customers want you to help them with (rather than "keep everything and screw them"), and you interact well with those customers, your odds of getting the good leads from that system will be improved. If you assume that customer data needs modifying and pruning on a regular basis, you'll find maintaining your data won't cause apoplexy as editing was designed in at the start, not as an afterthought.

    And as side-benefits, when your system gets breached (like we all know it inevitably will), if your setup was structured with customer privacy in mind, the impact of said breach will be lowered.

    You can make acting professionally a winning proposition: the question is, will you?

  6. Anonymous Coward
    Anonymous Coward

    Sounds line a nice earner to me

    So, when GDPR gets implemented we could all be on to a nice little earner.

    Whenever a spammer calls you, engage with them to get their details and then sue.

    Or, am I mistaken on who will get the case from the fines?

    1. Moog42

      Re: Sounds line a nice earner to me

      Ambulance chasers, please queue here. GDPR brings forth the world of individual compensation for damages and/or class actions. The next PPI, only rather than just paying out and it being the end of the matter, any inability on behalf of the technology/processes to stop processing of the data will just keep the matter revisiting the courts. Will make that €20m max fine seem like chicken feed if you have a large breach with tangible losses to the data subjects.

    2. GingerOne

      Re: Sounds line a nice earner to me

      Expect to see a whole new raft off PPI reclaiming-type comapnies springing up. Which will in itself be interesting to see how many of them get found to be in breach!

      1. Doctor Syntax Silver badge

        Re: Sounds line a nice earner to me

        "how many of them get found to be in breach!"

        All of them most likely.

  7. GingerOne

    Higher or Lower?

    "For some offences, the maximum penalty can be €20m or 4 per cent of global turnover."

    Whichever is higher or lower?

    1. Martin Summers Silver badge

      Re: Higher or Lower?

      Whichever is higher I believe.

  8. P. Lee

    Purging convictions

    What is this all about? Why would you delete the data? Just flag the currently online data as no longer valid. *Why* do you need to erase all traces?

    1. Anonymous Coward
      Anonymous Coward

      Re: Purging convictions

      To stop the misuse of the data?

    2. IamStillIan

      Re: Purging convictions

      I believe the view is that it's their data, and you're not entitled to hold it.

      Even if you aren't using it, you're still exposing them to risk as it could be disclosed, mistakenly used etc.

    3. DPPTrainer

      Re: Purging convictions

      To understand this you need to understand the principles of data protection. Start with principle 5, the requirement to keep data no longer than necessary - if you keep any personal data, even traces which can identify an individual, you breach this principle. That in turn means the data you keep will likely become inaccurate and out of date, a breach of principle 4. It also means data is likely to become excessive, a breach of principle 3. Keeping it is likely to be at odds with the purpose given for collecting it making it also a breach of principle 2. And breaches of principle 2 are inherently mean a breach of principle 1 - the need to collect and process data fairly, lawfully and in an open and transparent manner. Keeping data you don't need, even traces, which counts as personal data is essentially a breach of 5 of the 6 principles. The GDPR is clear, no need = you cannot keep it. And "just in case" is not a valid need - the law is very clear on that.

      Breaches like this will fall into the 4%/20 million euro category and a failure on that many principles is likely to increase the size of any penalty issued by the ICO.

      1. Anonymous Coward
        Anonymous Coward

        Re: Purging convictions

        > To understand this you need to understand the principles of data protection.

        What you say is correct, AFAICT, but the OP appeared to be asking specifically about the need to remove data from conviction records, which does not fall within the scope of current data protection laws or the GDPR.

        In the specific case that prompted the question, I cannot offer a reliable answer as I am not privy to neither the exact legal context nor to the exact nature of the actions that were taken. With that said, I judge it very unlikely that data protection would have come into play.

  9. Hargrove

    Praise be!

    "Consent must be freely given, which will not be the case where there is imbalance of power between data controller and subject."

    Somebody gets it.

    I'm not a lawyer, but my work did involve contracting and formal training in same. The quote above states one of what I was taught were the three fundamental conditions for a valid legal contract.

    The other two were a reasonably equitable quid-pro-quo, and a meeting of the minds (that is a common understanding of the terms and conditions.

    I have yet to see an IT sales or service agreement that doesn't violate at least two of these. The argument that I don't have to use a given IT product or service is not valid in today's world, where connectivity is a fundamental necessity. (The odds of finding a cell phone in the US if your life depended on it are between slim and none.) As for a meeting of the minds, I can't remember the last time I read an agreement that didn't include a provision allowing the seller to change terms and conditions at will, without notice,

    This kind of thing is not unique to the IT sector, as the recent United Air incident demonstrates. The companies have all the power; the customer is forced to accept the conditions or do without what are really basic necessities for a normal quality of life in a developed nation. The average person is powerless, and increasingly resentful. Brexit, the recent election in the US, are key bits of evidence of a deep dissatisfaction that those who govern are oblivious to.

    This creates a situation, where the stability of society is dependent on the populace's willingness to leave well-enough alone. History is replete with examples of how precarious that balancing act can be, and how catastrophic the consequences can be when those who govern get it wrong..

  10. NeilPost Silver badge

    Re-writing History

    Regardless of the merits or arguments on certain issues, deleting historical data because the law has changed smacks of a politically correct re-writing of History agenda, and deleting what are viewed as inconvinent facts.

    To my mind exposing the injustices of the past of a far more potent way of making people think about discrimination than deleting it. What would be unfair is that when processing it, any discrimination in light of current legislation is acted upon. You can't unconvict someone because the law has changed and you are retrospectively applying it, you can only do this at a re-trial and the conviction is thrown out as unsound.

    If not, perhaps I need to petition to HMRC for a retrospective rebate on all my historical taxes when recalaulcated to today's rates ... they'd laugh their arses off.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like