Tick, tock motherf... erm, we mean, don't panic over GDPR Welcome back from the summer. Feeling refreshed? Good, now let’s talk General Data Protection Regulation from the European Union, due to swing into effect on May 25, 2018. You now have eight months to get your data infrastructure, tech policies and related procedures ship-shape. Not feeing so refreshed now, are you? Plenty of …
So, does anyone know when the first draft will be published (or is it accessible somewhere now)? BBC were saying it would be published today but it now seems that it was just a proposal that was published today. It had also been stated that it was due in September.
There are important nuances and ambiguities with the current EU GDPR wording that might be a bit clearer in the published Bill so it would be useful to get some idea of the actual wording before too long.
I see a new business opportunity. The creation of datasets of fictional (though plausible) individuals for testing purposes.
First line of licence "All names, characters, and incidents portrayed in this production dataset are fictitious. No identification with actual persons (living or deceased), places, buildings, and products is intended or should be inferred..."
Those who used to make character generation programs for RPGs (out of Basic and spreadsheets as I recall), it should be no problem. And possibly fun.
[Talking of RPGs - room for a quick plug for HumbleBundle's WHFRP offering ? ]
I don't see why I got a downvote?
Bob is a metaphorical term for any part of the the data that is identifiable so if I change any part such as name, address, ip address, customer id etc.. then once I analyse the data it is no longer PII therefore it is not covered by the GDPR.
If someone can tell me why this is wrong then I'm happy to see your viewpoint.
Thanks.
Possibly because a blunt instrument like that would likely destroy the data that needs to be analysed for many use cases. For example, if you're in the vegetarian meals business you might want to analyse your market presence with the Sikh population and that might mean using the surname "Singh" as a proxy. That doesn't mean data cannot be anonymised, but it needs to be a lot more sophisticated than brute forcing everything to a single value in many cases.
> Bob is a metaphorical term for any part of the the data that is identifiable so if I change any part such as name, address, ip address, customer id etc.. then once I analyse the data it is no longer PII therefore it is not covered by the GDPR.
[I am not a lawyer, etc etc]
As I understand, anonymising a dataset by stripping out PII is fine and unlikely to go too badly wrong. What you've got to be more careful with is pseudo-anonymisation (eg. hashing your PII such that you can still distinguish 'entities') - this can still be considered PII.
Oh and also, I know it was metaphorical, but changing everyone's name to Bob would be a bad idea - there's probably a real Bob in there somewhere and you'd still have PII. Just remove the relevant PII fields entirely and you're golden.
Given that it's been talked about in general terms for ages it's not really that new. Anyone who will have responsibilities under it and has been paying attention should have started planning for it a good while ago even if the final details have only recently been confirmed.
On the downside it'll only be Royal Assent that finally persuades some boards that it's a thing. And some will hold out until they're fined.
I have a question. Why are fines always an up amount? It's like a flat tax. Those are always hardest on those with a lower income. 20 million could ruin a mid-sized business but simply be a cost of business for a large one.
To rant on, I'd suggest that there should be no sale tax on anything. All taxes should be on income, but the only way to implement that without further crushing those in middle economic class would be to actually have Corporations and the wealthy pay taxes, again. Some of you will remember when they did. That significantly helped build the infrastructure and social systems we have today but can on longer even afford the upkeep on, even with migrant workers wages being less than the wages for which Citizen are often willing to work.
I'm JOKING, of course, we know that the extremely wealthy bought all the politicians they need to make sure this doesn't happen. :)
I have a question. Why are fines always an up amount?
In the case of GDPR, the reason that its upto €20m or 4% of global turnover is to make sure that even for a company that may not have any turnover, a fine can still be issued. Many companies have little or no turnover, either because they themselves don't trade as such, even though they handle data, some holding companies own trading companies, but may not consolidate the results up, property companies often make their profit from balance sheet transactions, and thus have little or no turnover. If you're a well capitalised startup, you may be rich as stink, but have minimal turnover. And a load of other instances.
But would you rather have a "not less than" fine? We use them all the time with people, and they're called fixed penalty notices, but they seem to be the sort of impact your tone is objecting to?
Yes, I agree with those of you who answered that I should have said "up to" and that it is the definition of NOT a flat tax.
I can only claim to little coffee before posting that :(
To clarify about what I consider the plight of migrant workers. I do not believe that it is right that they are paid less for the same work that Citizens might have done, but was only pointing out that they are in many cases and even with that cost saving (probably marginal in the big picture) it seems there is still not enough money to keep up existing infrastructure.
Whilst many are applauding the new higher penalties available under GDPR or the UK equivalent, it is worth stopping to ask whether the actual fines will differ by very much from the current regime. A quick perusal of ICO enforcement shows that they have very rarely (maybe never) issued even the £500k fines that they could. The highest instances I could see over the past few years were to TalkTalk (£400k) and a similar amount to a spam caller, Keurboom Communications, who were wound up by the owner a month before the ICO slapped them with the penalty. And the "civil monetary penalties" just go back to the Treasury. So three points:
1) ICO haven't seen fit to reach the pretty low £500k even for the biggest UK breaches. If they aren't seeing those as even half-mill offences, why will a higher penalty ceiling make a difference? Even with a 4% or £17m maximum, what would the ICO actually fine say TalkTalk for their most recent screw? My feeling is of the order of what, £6-7m. Peanuts to them, still. I really don't think we'll see the 4% of global turnover actually used, which would be £70m for TalkTalk.
2) The bottom-feeders can be smacked with proportionately high fines, but they simply aren't going to pay them.
3) Government actually stand to make money from data breaches. That's wrong - the money should either be handed out to the victims (mere pence, but the cost of doling it out would be a huge overhead and massive and embarrassing admin task for the guilty); Or it should fund the ICO's operations, so that they can do a better job of policing the rules, such as proactive investigations.
So I think that post-GDPR it is business as usual for the likes of TalkTalk. GDPR breaches will be more expensive, and hopefully the threat and the publicity will provoke action, but I don't believe the actual fines will be of material significance to larger corporations. Government have talked about making directors personally liable for unpaid penalties, but unless the UK implementation of GDPR includes that clause, no new legislation will be coming forward, and we'll continue to see the scum evade the fines they are due.
it is worth stopping to ask whether the actual fines will differ by very much from the current regime
Maybe "dissuasive" as mentioned in the article will change this. I hope those issuing the fines will interpret this as "big enough to affect management's bonuses and too big for the board to hide from the shareholders".
The bottom-feeders can be smacked with proportionately high fines, but they simply aren't going to pay them.
Power to freeze bank accounts would be a useful addition.
Government actually stand to make money from data breaches. That's wrong - the money should either be handed out to the victims
The possible income should be an incentive to pursue cases more vigorously and more often. The fines shouldn't stand in the way of civil proceedings for compensation. The imposition of a fine should, if anything, make the burden of proof easier. The ICO could be given the power to compel a compensation payment but then it might block the injured from producing evidence of more substantial actual losses.
The fines shouldn't stand in the way of civil proceedings for compensation
I respect the concept, in practice it would be very difficult for most people to prove that they suffered losses due to a specific data breach. If you get defrauded or suffer costs from identity theft after a data breach that affected you, could you (to the satisfaction of a court) prove that the losses you incurred were down to a particular company and a particular data spill?
Companies have been so careless over the years, I suspect we've all been subject to several breaches that may or may not know about. How would you prove (a) which company was responsible for enabling the fraud, (b) that it wasn't your fault for being conned, and (c) that it was that company's fault?
Its worth noting that the government use quasi-judicial processes and "civil monetary penalties" to enforce a lot of regulation, specifically because they know that proving to the standard of a court will be a long winded, risky, and expensive process that will certainly be contested. Would you start an action against (eg) Talk Talk, who probably have a legal budget of the order of a couple of million quid? They'd initially tie up your lawyer with a range of mid-tier law firms, but if things looked like going against them they'd bring in an attack dog city law firm, and even get a QC in to really get heavy. Under current rules, a lawyer can't even take on your case commercially unless he's seen proof that you can afford it, and that includes paying the other sides costs if you lose. That's why so few people successfully sue banks. So I don't think that in the real world many people will ever be able to use civil proceedings against big companies.
"Would you start an action against (eg) Talk Talk, who probably have a legal budget of the order of a couple of million quid?"
Depending on the scale of the claim the small claims court might be the appropriate venue in some cases. That effectively wipes out the advantage of a large legal budget.
But what happens if
- the ICO finds there was a breach
- a victim loses their house as a consequence
- the ICO issues a flat rate £1,000 compensation?
Should the victim simply write it off to bad luck?
Should the ICO's finding assist in the victim establishing their case? Should there be a compulsory use of an independent arbitrator to assess compensation on a level playing field?
There has to be room for willfulness. So Talk Talk were heavily fined but it seemed to be for sheer incompetence.
The £500K fine would be for a company who made a decision to act recklessly or even criminally with data and were found out.
With the new fines I think there will be more emphasis on hurting the company's bottom line and will be relative to the size of the company but will still have a major element of whether it was premeditated or not.
Dave's comparison of big and small businesses set me thinking. It's not necessarily the big organisation that doesn't realise what it's doing with PII. If anything they may have better resources to carry out a formal analysis and pick up on such things whilst a more informally managed SMB might not.
But this line of thinking extends down to the purely personal holding of PII. What about personal friends and family phone and address books? Your Christmas card list? SWMBO's ladies group (definitely NOT part of the WI!)? Does sending Christmas cards escape by being counted as a transacton?
Is a line drawn anywhere and if so where? What about the email list of a group of friends who meet in each others' houses to play bridge? Or a larger group that hires the village hall? Or the village hall management committee?
I think this is going to be one of the big headaches. Say you're in a band that maintains a website where people can sign up to get email about forthcoming performances, new CD releases. Will you now have to put the whole GDPR infrastructure in place to allow people to (securely) log in and manage the PII you hold?
I can see a market for companies to provide "club sites" that look after this sort of thing, for a fee of course, much as eBay and Amazon Marketplace do for small traders. Some of those sites will be competently and securely run, but others will not. Fot those that are not, there's an opportunity for hackers to gain access to far more PII that would be put at risk by keeping a mailing list on your home PC, even though the latter could be a GDPR violation.
"the government says they’ll demand that: “Businesses must notify the ICO within 72 hours of a data breach taking place” (my italics); GDPR says notification must happen: “not later than 72 hours after having become aware of it”.
Keep that wording and whereas GPDR means you'll be fined for doing nothing after you find out a breach has occurred, the UK wording means that if a problem is notified to a company ten years after it happened, the company immediately closes the hole or takes remedial action they will still be fined because they didn't deal with the problem ten years ago despite having no knowledge of it ...
As usual, it's deliberate wording to create easy money for the Government. Fines are actually being used as stealth taxes.
"they will still be fined because they didn't deal with the problem ten years ago despite having no knowledge of it "
a) So the business's best approach is to make sure the breach doesn't happen in the first place and is promptly spotted.
In the words of the ICO "In light of the tight timescales for reporting a breach - it is important to have robust breach detection, investigation and internal reporting procedures in place"
b) "Failing to notify a breach when required to do so result in a significant fine UP TO 10 million Euros or 2 per cent of your global turnover" (my emphasis)
So genuine sloppiness could be punished harder than a serious of unforeseen consequences.
@Andy The Hat: It's probably a poorly-chosen paraphrasing by the person in the article (we know how politicians like to condense things down into soundbites). The ICO themselves say 72 hours from discovery: "there is a requirement for organisations to report a personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it."
https://iconewsblog.org.uk/2017/09/05/gdpr-setting-the-record-straight-on-data-breach-reporting/
I still don't see any clarity on what 'Identifiable' means.
A person generally cannot be 'identified' just by their name. But a person with a unique name can.
A name and address would make a person's home location identifiable, but what if it's just an address and there is more one person living there?
Name and email would tie to a single person, but not a location. Does that count? What about just email? What about name and IP?
Go read the regulations. Much is there. ICO already say an IP address could count as personal information under the regs, and so can pseudonymised data.
Eg Article 4
"‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
And
Article 9 "Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."
"Companies all over the world are using real data on development and test platforms, and in our brave new GDPR world that’s hard – probably impossible – to justify."
The ICO have also been saying for several years not to do this:
“The ICO advises that the use of personal data for system testing should be avoided. Where there is no practical alternative to using live data for this purpose, systems administrators should develop alternative methods of system testing. Should the Information Commissioner receive a complaint about the use of personal data for system testing, their first question to the data controller would be to ask why no alternative to the use of live data had been found”
... has real faults in it, caused by real history and real past bugs.
I've built test data for a customer record system, run all the tests, everything passes. Do the live install, and it's exception city, flames, cats and dogs living together, etc.
Unless you can analyse and predict data patterns in your live data, a system will never be properly tested until it's seen the real database.
"Unless you can analyse and predict data patterns in your live data, a system will never be properly tested until it's seen the real database."
A recently reported example was where two girls had the same first name, last name, date of birth and they were born in the same city. IIRC, it was a student admissions system that got tripped up by that combination.
How can we talk about any compliance to either UK law or GDPR IF there is no a tool on market which would discover malicious hypervisor(s) planted in your system? Do the majority of security pros still consider rootkit hypervisor i.e. malicious hypervisor as a fake object thus not doing anything bad? Does not exist at all? Never saw it walking around? However, the key words are "hidden from any malware discovery tool". Not expected to be seen though ...
I'm not an expert in this area, but rootkits etc. might be able to fool the system (and thus the monitoring) on the system it has infected, but it still leaves traces. It talks to C&C devices, processor usage doesn't always match process usage of CPU (although that could be fudged as well I suppose if they're really clever).
One of you security layers needs to be able to analyse traffic from all the hosts on the network and spot anomalies*.
Each layer you can add makes the type of malware capable of bypassing *all* of them pretty rare. Never rely on one layer to tell you what's going on. Security is like Ogres :)
*This can also be fudged by well written malware of course.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
