Your palms are sweaty, knees weak, arms are heavy – you forgot about Europe's GDPR already

Europe's General Data Protection Regulation scare season is in full swing and suppliers are pretty much saying "buy our stuff or risk fines up to four per cent of your annual revenues." If you haven't done any preparation yet, is it really that bad and what should you do? If you trade in or with an EU country and record …

  1. 0laf
    Pirate

    DPA+

    If you're doing ok under the current DPA and you're not misbehaving or playing fast and loose with your customers' data then really you don't have much to fear.

    Yes there is lots to do, especially around contracts and consent, but if you're playing nice right now it's unlikely that the ICO is going to hunt you down like dogs. Really you've probably got another year before you'll be looked at. The ICO is short-handed as it is.

    But you may be subject to challenge from grumpy customers and if you cock up in that time you'll be in for a harder time. But these are just risks. Do a gap, find out where you're doing worst and work on that.

    According to some old hands at the ICO it was no different in 1998 when the DPA came into force. Same panic, same snake-oil being peddled.

    1. Anonymous Coward
      Anonymous Coward

      Re: DPA+

      Depends how you look at it; if it's "you have data and there are rules governing that" then yes, but GDPR is a bit stronger than DPA+.

      Right to be forgotten, right to export data, rights to explanation, consent, specific processing... I'd be surprised if any organisation looking at this seriously just got the oily rag out.

      The ICO may be short-handed but it's a gamble to say 'these are just risks'.

      1. Anonymous Coward
        Anonymous Coward

        Re: DPA+

        Somewhat ironic really! If you're doing your risk analysis, which is part of GDPR, you'll know whether you need to follow GDPR or not!

        I work for a consultancy doing GDPR engagements. All I will say is the lack of security these firms, large and small, have is worrying.

        GDPR can't come soon enough as it is forcing these companies to take security more seriously.

      2. Adam 52 Silver badge

        Re: DPA+

        "Right to be forgotten"

        Not really. Right to withdraw consent, not the same thing.

        "right to export data"

        "rights to explanation"

        Subject access request by any other name.

        "consent, specific processing"

        Both required under the previous Data Protection Act.

        1. Anonymous Coward
          Anonymous Coward

          Re: DPA+

          Argue over the words but the implications and power of removing consent via the GDPR is a new thing that you need to account for.

          Right to export and explanation are not SARs by any stretch of the imagination. You want to check up on the explanation bit (and how you're going to provide explanation and costs) if you have any automated analytics.

          Consent and specific processing under the GDPR are different to the DPA. Compliance to DPA is not compliance to GDPR so good luck with your thinking. Let the suing shyster further down know your address, I'm sure he'd be interested in the people whose data you hold.

          Bloody amateurs.

          1. Adam 52 Silver badge

            Re: DPA+

            "Bloody amateurs."

            My current job title is "GDPR lead", I've spent most of last year with the lawyers and I've got a multi million £ budget to play with.

            "Argue over the words but the implications and power of removing consent via the GDPR is a new thing that you need to account for."

            Only if you're relying on consent as your legal basis. Almost nobody sensible is. Everybody I've met with is using "legitimate interests" where there's nothing better (like legally required). Until such time as a court decides differently the ambiguity works in our favour. Consent is much more important for the e-privacy directive changes.

            "Consent and specific processing under the GDPR are different to the DPA. Compliance to DPA is not compliance to GDPR"

            Never said it was, but if you were honest and honourable under old DPA - and we were - then you're OK under GDPR too.

            "the suing shyster further down"

            He is our biggest risk, but mostly as a time waster for our legal team - effectively a denial of service attack. So our approach is to automate dealing with him as much as possible. Because we've always been honest about what we do the damages he can claim will be minimal to none even if we've made a minor technical breach.

        2. Anonymous Coward
          Anonymous Coward

          "Right to be forgotten" - Not really.

          Sorry. Really. See https://www.eugdpr.org/key-changes.html

  2. Anonymous Coward
    Anonymous Coward

    "There is no black-and-white compliant/not compliant state"

    Actually, I believe it's a strength of the GDPR - they understood the landscape changes quickly, and any "checklist regulation" will be outdated soon, and big data controllers will be able to get around it.

    So they established the user rights, and the principles you have to abide by - how is not specified, but if user rights are broken, you'll be fined, so it's up to you to deploy the needed tools and practices to avoid it, but you can't hide behind a pretended compliance just because a consultant was brought in and a checklist has been filled and signed - as it happens with many other regulations.

    Yup, executives and upper management may have to perform real work and be held liable, and that could be a novelty to some of them.

  3. Anonymous Coward
    Anonymous Coward

    Business apathy through non-understanding

    No names, no pack drill, as the saying has it. Hence "anon". But from personal experience, mentioning the subject of GDPR to a director got a response along the lines of "we'll wait and see what [other company] does". Where 'other company' is the firm that handles our payroll and accounts audit and is totally not in even the same sector of business as what our company does.

    Guess I'll stop smashing my head on my desk when he pulls his out of the sand.

  4. Anonymous Coward
    Anonymous Coward

    I have already registered a company

    to help people claim their GDPR rights.

    I'll take 20%.

    1. Anonymous Coward
      Anonymous Coward

      Re: I have already registered a company

      Great. Instead of working to fix the problem, profit from the screw-ups that the rest of us pay for. Akin to being a proctologist but without the fancy name. Or gloves.

      1. Anonymous Coward
        Anonymous Coward

        profit from the screw-ups that the rest of us pay for.

        If you spent a decent amount, you wouldn't have screw-ups. This is payback for all the times I've highlighted data protection issues and been brushed aside in the name of "commercial viability".

        1. Anonymous Coward
          Anonymous Coward

          Re: profit from the screw-ups that the rest of us pay for.

          Yeah we've all been there (data, reliability, back-ups, security, UPS) but you're not helping stop the tide of s*ite, profitable crims or people finding out they've been exploited. Your 'profit' is just passed on to us as increased costs.

          Sure it's a business model and legal but so is professional felching. Mmmm Salty!

      2. Doctor Syntax Silver badge

        Re: I have already registered a company

        " Instead or working to fix the problem"

        Whoooosshhh!

  5. Anonymous Coward
    Anonymous Coward

    This is good stuff for the consumer / not good for business

    Data now belongs to the human and they have rights over that.

    An organisation must have a clear reason for holding (with permission) and using a person's data - and they have a duty to look after it. No more hoovering or holding.

    Screwing up people's data, getting it wrong, losing it has been seen as 'well there you go' with next to no cost. And that's bull as we all pay for fraud. That's starting to be fixed.

    And this thing about there's no definitive line to cross - a lot of people work in that world such as safety. Often the best you can get from a regulator is a 'statement of no objection' - no-one will indemnify your work. Stay on the game and understand what you're doing.

    It's not perfect but it's something, finally, for the consumer.

  6. Doctor Syntax Silver badge

    What nobody's managed to say: you can have all the policies in the world but if one eejit clicks on the wrong thing in a booby-trapped email which leads to a breach it's all for nothing.

    So what do I make of a bank that causes an email to be sent out that looks exactly like a phishing email* with 12 clickable links in it and claims to be advice to stay safe online? Clearly this was devised by a team** of numpties none of whom would see anything wrong with clicking links in spam let alone recognise a phishing email when it arrives in their inbox. Apart from training their customers to be phished they are imminent dangers to their employers because unless they have been safely firewalled off from the rest of the business they are liable to let any passing scam artist into the building.

    * It pretends to come from a bank but actually is from a 3rd party digital communications business spammer and the links also resolve to the same 3rd party.

    ** Nobody gets to spend the budget on their own, do they?

    1. 0laf

      If you've all the correct policies in the world, all your staff are trained (95% or higher), you're monitoring appropriately and you report as a conscientious business acting in the best interests of the affected data subjects THEN you probably don't have a huge amount to worry about again. The ICO isn't gunning for those sorts of business. Yes you might be investigated but you're not going to get hit with a massive fine.

      Now if you act inappropriately, are cheap with DP training, have sensitive personal data floating about everywhere and let your staff do what they like with it, have you scrimped on monitoring and did you avoid informing the ICO of any breaches for as long as possible whilst being evasive with the truth? Yeah you're probably looking at the fat end of a big fine unless you're a FB or Google with enough money to keep it in court for decades.

      Nothing in the GDPR is rocket science, little is really new.

    2. yoganmahew

      @Herry Doctor Syntax

      "you can have all the policies in the world but if one eejit clicks on the wrong thing in a booby-trapped email which leads to a breach it's all for nothing"

      No, No, Noooooooooooooooooo!

      If it's possible to access private data of multiples in clear text from an employee's email system, you're already doing it wrong and nothing will save you. That's not designed for safety, that's designed for disaster.

      1. Doctor Syntax Silver badge

        "If it's possible to access private data of multiples in clear text from an employee's email system, you're already doing it wrong and nothing will save you. That's not designed for safety, that's designed for disaster."

        For high value targets the object of spear phishing isn't to grab the employee's email. It's to subvert that employee's machine as a beach-head to work their way into the system. If you don't allow for that you're doing it wrong.

    3. Rocket_Rabbit

      You're missing the point. No one in the security industry will offer you, with a straight face, impenetrable security!

      However, it's a war of attrition. These small things all add up to form a decent protective barrier. The policy, procedure, people, process and technology are all required.

      Yes, issues can still arise, but that is life and if you look at GDPR, take it seriously, and implement it appropriately, you'll be in a better place than you were...perhaps much better.

      And how can that be a bad thing?

  7. Nick Kew

    Red herrings

    If you've emailed me[1] on a matter of business, I probably have your personal details on record. Though very likely only in a long-lost backup[2] of my mail folders when I corresponded with you. And of course I have no idea whether any of your details from twenty years ago are still valid, or even if you're still alive[3]!

    Am I worried about GDPR in the context of this kind of electronic personal data in my mailbox? Nope.

    What about abuses of the system by people trying to attack a business (like a bogus DMCA takedown notice)? Not really, though it could be annoying.

    So how about snake-oil merchants, assisted by scare stories in the press? Hmmm.

    [1] obviously excluding spam.

    [2] isn't that how backups always work?

    [3] evidently this second person must be a rhetorical device.

    1. Anonymous Coward
      Anonymous Coward

      Re: Red herrings

      I am actually facing a dilemma with the new regs.

      I operate a small GPS tracking service. When I ship out the units I do not keep a record of who was shipped which unit (only the type of unit). The person receiving the unit then registers on the service using details unique to that unit, supplying an email address & password. The account they create is then tagged as being the owner of that unit.

      Obviously I have no control over or knowledge of how or where the person will use the tracker: it could be in their car (in case it gets stolen), it could be in the wife's car (suspected of an affair), it could be attached to some stalker victim's vehicle. All I would be able to find is the movements of a tracker owned by someone registered with the email address of "fred@bloggs.com" (not verified).

      If I am then contacted by "Mrs Smith" (not a customer / registered user) who has found one of our trackers on her vehicle (tracker identified via unique id number) I obviously can't share details of the unit's registered owner with her, but it puts all of the data I hold from that tracker into a nasty grey area. If the unit was on her vehicle it was recording the movements of her vehicle (and presumably her), so the data is PI for her, but I have it held as data belonging to someone else (the owner of the tracker).

      Legally, whose data is it? And who should or shouldn't have access to it or be able to request its deletion?

      1. John G Imrie

        Re: Red herrings

        This is easy

        You are a third party to a stalking case, tell her as soon as you receive a court order requesting the data you will be happy to comply.

        1. Nick Kew

          Re: Red herrings

          Heh.

          The dilemma is surely whether to get more proactive than that. As in, tell the police "I have this data set; I have reason to suspect it may be being abused".

        2. Anonymous Coward
          Anonymous Coward

          Re: Red herrings

          But am I acting legally by leaving the data that I now know (or have good reason to believe) relates to Mrs Smith available to Mr Bloggs?

          As I cannot tell Mrs Smith who appears to be the owner of the tracker, she cannot give consent for the data to be shared.

          Should this scenario have the effect that the data gets locked (not deleted) until the outcome is clear? And what should happen with any future data from the device (when active it sends updates every 10 seconds)? Even if I tell the system to stop recording updates from it the data will still exist in log files.

          I have had a similar situation: a lady phoned in asking about a particular tracker (giving the id number from under the battery). I confirmed that the tracker was sold by us; she asked who to and I said I can't share that information, I can talk about the tracker in general but I can't give any precise details.

          She cottoned on and started asking about the unit's battery life. Knowing the battery life and who had access to her car she was able to work out that it was placed by her husband (which of course I was unable to confirm or deny).

          1. John Jennings

            Re: Red herrings

            It would seem to me the following....

            The data subject is the tracked person.

            The data is being collected by a third party, without the consent of the data subject. This is a case for the stalked to take against the stalkee.

            I think you are the data processor.

            When you know that data is being gathered without consent, you likely need to stop processing it. You may need to inform the ICO. If the owner of the device is registered with the ICO/using the data for corporate mischief (spying on staff/customers etc, without consent) then it is the ICO who will be dealing with them. If it is a stalker, then advice from the ICO needs to be sought.

            You likely should give the tracking information to the subject - though not who commissioned your gathering work - that would be given up upon request by the court, and you should advise the stalkee of this.

            Alternatively, you could make it clear in your privacy statement that surrendering any physical device is considered proof of ownership of the data, and in that case, the whole file would be shared (including original purchaser, account details for your cloud service, etc). That may bypass the concerns - it will certainly discourage the stalkers (and you may lose sales) - though who reads the privacy statement! It certainly lessens the creepiness factor a bit.

            In any event, if you know the work is potentially creepy, then stop doing it.

          2. Doctor Syntax Silver badge

            Re: Red herrings

            "but am I acting legally by leaving the data that I now know (or have good reason to believe) relates to mrs smith available to mr bloggs?"

            Like the man said, get proper legal advice. Like you should have done before setting up your business.

      2. Anonymous Coward
        Anonymous Coward

        Re: Red herrings

        If I was in your position I'd get legal advice pronto regarding this... (and by legal advice I mean not from the chat boards of el Reg, Slashdot, Stalkers.com etc)...

      3. Nick Ryan Silver badge

        Re: Red herrings

        IANAL, however not recording to whom you sold each individual unit could be an issue. By not recording this information you are failing to record the responsible party for a device that could potentially be used illegally and therefore opening yourself to being a party in this. If Joe Bloggs bought a unit from you then it is his legal responsibility as to how it is used, and if you can demonstrate that you sold a particular device to Joe Bloggs and that he was informed that he must use it legally, then if he chooses not to it's his issue, not yours. If he transfers/sells the unit to another party then unless he has a record of this he will likely be found to be at fault and not you. While I can appreciate that having a registration process saves you having to record the correlation of individually ID'd units with each sale, by not doing so for something like this you really are leaving yourself open to potential problems.

        Also very importantly, if you advertise or promote the product to target, in any way, any form of illicit use then you are opening yourself up to legal issues.

  8. andy 103
    FAIL

    Reminds me of PCI Compliance

    As per the title, this seems like the same old thing of PCI Compliance... I must have discussed it with over 100 different people and got varying views on what they think it is, what it involves, and what the (enforceable) penalties actually are.

    But the bottom line was always that there isn't such a thing as "yes or no" to the question "are we compliant?". It was always a "we have a procedure for X", "we store data in Y way". Right down to... "we're trying our best". As long as you were vaguely aware of what was going on, or could refer to some procedure/material that pretended to cover it, happy days.

    Totally unfit for purpose, totally unenforceable, total bollocks.

    But of course, something that people can and will get dubious fines for. Something that "consultants" will make money from for giving advice - and said advice will vary depending on who you speak to. The people who came up with it will have been paid handsomely. And the kicker? Absolutely no benefit whatsoever to the people it's aimed at protecting.

    1. Fonant
      Unhappy

      Re: Reminds me of PCI Compliance

      Yes, this.

      And the EU cookie directive. Perhaps a Good Idea in theory but a completely unenforceable, confusing, mess in practice.

      It's an additional burden on legitimate businesses that already take care and don't sell their contact lists to spammers. It's no burden at all on spammers (especially "foreign" ones) who will simply ignore the whole thing.

      1. israel_hands

        Re: Reminds me of PCI Compliance

        I think you're missing the point. It's not designed to stop the spammers, but it will hopefully stop their lists growing in future, as the penalties for someone sharing your e-mail address/contact details are going to be quite steep, especially if it was a willful infraction.

        A large point of GDPR is to stop companies hoovering up all your data with little ability for yourself to opt out of it. So, if an e-mail provider wants to offer you an account in return for, let's pick something unlikely and egregious, scanning all your correspondence in order to build a profile of your likes and interests to then sell on to advertisers, they can request your permission to do so but that's about all they can do. They can't auto opt you in to it, they can't force you to accept it in return for accessing their service (with a few exceptions if it's an absolute requirement that the service cannot function without such permission), they can't be vague about who they're sharing your data with or why (so none of this "selected 3rd parties" nonsense, they have to be explicit about what they are sharing, with whom and for what purpose and you can refuse any or all of it).

        As to the comment about it being unenforceable, actually it's pretty easily enforced because of the way in which it's been written. Unlike the EU Cookie legislation, which was written in a very flawed way, they've actually drafted GDPR to produce the outcome they want, rather than specifying how it will work with various business models. This means that looking at the whole thing it can seem a bit of a mess, but in practice any given business will only need to worry about their own use-case/business model and how the rules apply to them. They've definitely learned a few lessons from the cookie debacle so hopefully we'll avoid a rerun of that pointless legislation.

        1. Anonymous Coward
          Anonymous Coward

          Re: Reminds me of PCI Compliance

          If you want to use Youtube or certain other Google services other than in private browsing mode they enforce that you go through an opt-in procedure. You can work your way through their settings to try to turn off everything, but ultimately I bet no one knows what they have actually allowed Google to do, or what data Google is collecting (and worse, you have to sign up to a Google account to get full access to consent settings and to see what data they have). It is effectively enforced compliance, because the service will block until you agree. It is possible to access services in in-private browsing mode without the consent screens. However, Google forces you to do the consent thing under all other circumstances - again it's enforced compliance, or you don't get the service. Other large companies will be doing the same, when actually what we want is access to services with an assumption of non-consent.

          Secondly, as I found recently, Google is tracking even if you don't consent, because a locked down device here which only uses private browsing for Google services, leaked information to a second device on Youtube viewing preferences and suggestions. Furthermore, it's impossible to find a contact point to complain or highlight the problem to Google - I couldn't find anything on how to contact their DPO to complain.

          And thirdly, if you send messages to someone using Gmail (or using Gmail behind a domain name service), implicitly you give Google access to your data without direct consent.

          Meanwhile for small businesses, the biggest change is the need to be able to demonstrate compliance. Not just to comply, but to have documentation and proof. So it doesn't get to the large companies who by their size and ubiquity essentially can enforce consent on their terms, but it does add a big burden to small and micro businesses who feel they should comply.

  9. Fonant
    Meh

    Does anyone know whether the GDPR applies to a micro-business with one person and a customer list? I'm presuming that the customer contact details are allowed to be stored as a legitimate part of doing business with them. I worry about all those plumbers, electricians, odd-job people, gardeners, etc who keep address books of their customers.

    Next, does anyone know whether the GDPR applies to a mailing list? Or a Forum? In both cases people sign up, so there is some consent, and storing contact details is pretty-much required for these sorts of thing.

    I can see how the GDPR applies nicely to large organisations, but as usual micro-businesses seem to have been completely forgotten.

    And if I want to do business with someone in the EU after Brexit, who should I name as my EU representative?

    1. John Jennings

      Yes, it does. - funnily enough, management of properties is one area you must register... Maintenance not so much.

      Yes, it does in some cases - for example, if you are an accountant with a list of clients, but not if you are managing a list for say a hobby or club... Marketing lists may not require registration with the ICO - it depends.....

      The ICO (busy boys and girls!), if you are deemed a controller or processor (i.e., you are providing services to someone in euroland).

      Useful worksheet here:

      https://ico.org.uk/for-organisations/register/self-assessment/

    2. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      "Does anyone know whether the GDPR applies to a micro-business"

      Yes, it does. But they have been taken into account; in several places it explicitly says to "take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation."

      AFAIK one of the reasons also there are no mandatory processes, tools, etc, is exactly to take into account different realities.

  10. Giles C Silver badge

    It applies to clubs or groups

    I run a small car club (90 ish members), we knew this was going to affect us, and so rewrote the forms that people use.

    As a result it now states on the application and renewal forms how and why we will use your data, and basically if you submit this form you are accepting the above terms and conditions.

    Here is the text we used.

    TERMS AND CONDITIONS

    All information provided here will be used by EATOC to process your membership. By providing contact details (any of email address, telephone number, postal address) you are granting permission for the club to contact you by these methods.

    The information provided will be stored in the database for the period of your membership. If you resign from the club then your information will be removed from the database within 10 working days of the club being notified.

    If a member has not informed us of their decision to resign and 3 months have passed since a renewal offer was sent out then their information will be removed.

    By submitting this form to the club you agree to these terms and conditions.

    END OF TEXT

    There is another section where we can share data with other club members and that requires a separate tick box to allow us to do that.

    It wasn’t hard and it proves we are complying with the rules. Just takes some thought.
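The two retention rules in the terms quoted above (removal within 10 working days of a notified resignation, and removal 3 months after an unanswered renewal offer) can be checked mechanically instead of by hand. This is an added example, not the club's own code; it assumes working days are Monday to Friday with bank holidays ignored, and that "3 months" means three calendar months.

```python
"""Retention check for a membership database (added example; not the club's own code).

Implements the two removal rules from the EATOC terms quoted above:
  1. a resigning member's record is removed within 10 working days of notification;
  2. a record is removed once 3 months have passed since a renewal offer went out
     with neither a renewal nor a resignation in response.
Assumptions: working days are Monday to Friday (bank holidays ignored) and
"3 months" means three calendar months.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Member:
    member_id: int
    email: str
    resigned_on: Optional[date] = None         # date the club was notified of resignation
    renewal_offer_sent: Optional[date] = None  # date of the most recent renewal offer
    renewed_on: Optional[date] = None          # date of the most recent completed renewal


@dataclass
class Decision:
    action: str                      # "keep" or "purge"
    rule: Optional[str] = None       # "resignation" or "lapsed_renewal"
    deadline: Optional[date] = None  # latest date by which removal must have happened
    overdue: bool = False            # True if `today` is already past the deadline


def add_working_days(start: date, days: int) -> date:
    """Advance `start` by `days` Monday-to-Friday working days (assumption: no bank holidays)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # weekday() 0..4 are Mon..Fri
            remaining -= 1
    return current


def add_months(start: date, months: int) -> date:
    """Advance `start` by calendar months, clamping to the last day of the target month."""
    month_index = start.month - 1 + months
    year, month = start.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


def purge_decision(member: Member, today: date) -> Decision:
    """Decide whether `member`'s record may still be held on `today`."""
    # Rule 1: a notified resignation. Purge now; flag it if the 10-working-day window has passed.
    if member.resigned_on is not None:
        deadline = add_working_days(member.resigned_on, 10)
        return Decision("purge", "resignation", deadline, overdue=today > deadline)
    # Rule 2: a renewal offer with no renewal since it was sent, once 3 months have elapsed.
    if member.renewal_offer_sent is not None:
        renewed = member.renewed_on is not None and member.renewed_on >= member.renewal_offer_sent
        deadline = add_months(member.renewal_offer_sent, 3)
        if not renewed and today >= deadline:
            return Decision("purge", "lapsed_renewal", deadline, overdue=today > deadline)
    return Decision("keep")


def due_for_removal(members: List[Member], today: date) -> List[int]:
    """IDs of members whose records must be removed on `today`, in input order."""
    return [m.member_id for m in members if purge_decision(m, today).action == "purge"]


# Constructed sample records (not real members); TODAY is Friday 25 May 2018.
TODAY = date(2018, 5, 25)
SAMPLE_MEMBERS = [
    Member(1, "m1@example.invalid", resigned_on=date(2018, 5, 14)),          # resigned 9 working days ago
    Member(2, "m2@example.invalid", renewal_offer_sent=date(2018, 2, 20)),   # offer unanswered for 3 months
    Member(3, "m3@example.invalid", renewal_offer_sent=date(2018, 2, 20),
           renewed_on=date(2018, 3, 1)),                                      # renewed after the offer: keep
    Member(4, "m4@example.invalid", renewal_offer_sent=date(2018, 3, 10)),   # still inside the 3 months: keep
    Member(5, "m5@example.invalid", resigned_on=date(2018, 4, 30)),          # resigned; 10-day window passed
]

if __name__ == "__main__":
    for m in SAMPLE_MEMBERS:
        print(m.member_id, purge_decision(m, TODAY))
    print("due for removal:", due_for_removal(SAMPLE_MEMBERS, TODAY))
```

Running the check nightly and acting on the `overdue` flag turns the 10-working-day promise into something the club can actually evidence.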

  11. Anonymous Coward
    Anonymous Coward

    I may have missed something...

    ...but,

    "What is GDPR? It is meant to return to EU citizens control of their personal data, giving them, for example, a right to be forgotten, and the ability to ask suppliers: "What personal information of mine do you record and what have I consented* to regarding it?""

    Won't this mean that even more businesses will put customer data directly onto the Internet so that requests for what is held can be automated and sent to the applicant?....More private data onto "secured" servers simply means more data gets hacked because almost everything "secure" becomes insecure when something on the system changes. Sure they may get fined when it gets poorly managed but at the end of the day customer data still gets out, and then mis-used.

    Isn't it just a tax without any benefits to the end user? Maybe makes a few more businesses advising of compliance.

    Data Protection was the same, seemed like a good idea. Data still got leaked, and mis-used, but world plus dog used it as an excuse for "I can't tell you that because of data protection laws" and it became a barrier for getting hold of useful information.

    1. Doctor Syntax Silver badge

      Re: I may have missed something...

      Won't this mean that even more businesses will put customer data directly onto the Internet so that requests for what is held can be automated and sent to the applicant?

      Only if they're stupid. For the reasons you mentioned, of course. There's a primary requirement to take care of the data. Putting it "directly onto the internet" would be the opposite of that. That doesn't, of course, mean that stupidity in business management doesn't exist. Some people only learn the hard way. The increased fines just raise the cost of being stupid.

      Isn't it just a tax without any benefits to the end user?

      Tax? Complying - which is what they should always have been doing, is just a cost of doing business. And "end user" of what? What you should be thinking about is "data subject". And the data subject could be a customer, a supplier, a patient, an employee ... Everyone about whom you want to hold data. If doing things right is too expensive don't do it at all. Don't hold data that you don't need. That is and always has been one of the principles of data protection.

      Data Protection was the same, seemed like a good idea

      What do you mean "was"? It still is Data Protection. That's what the DP in GDPR stands for.

      world plus dog used it as an excuse for "I can't tell you that because of data protection laws" and it became a barrier for getting hold of useful information.

      I'm not sure if it's specifically dealt with but wrongful invocation ought to be an occasion for judicial remedies. A good reply to anyone trying would be "I've got the entire text of the Regulation on the computer in front of me. Could you please refer me to the passage to which you refer? If it helps I'll read the entire thing out and you can tell me when I get to the relevant passage".

  12. Anonymous Coward
    Anonymous Coward

    ' there is no one-size fits-all solution.'

    Won't this kind of ambiguity lead to widespread indifference / complacency & non-compliance? I want GDPR to work, US tech giants in particular are data-raping us. But it needs to be enforced... Is it true that law firms can sue big-time, and it'll be that which concentrates minds at Big-Biz here???

    1. Adam 52 Silver badge

      Re: ' there is no one-size fits-all solution.'

      There is a right to collective action. We don't yet know how watered down that'll be by individual countries. In theory a law firm could well take out a mass action claiming damages for, for example, everyone Facebook has ever tracked because of a "like" button. Whether that's more worrying to you than a fine depends on how naughty you're being.

  13. foxyshadis

    GDPR?

    I've had one wag tell me it stood for German Democratic People's Republic, a la the DPRK. Sadly, he couldn't find a way to shoehorn Socialist in there, but I'm sure it wasn't for lack of trying.
