So I know we have the GDPR legislation coming into force shortly, and I know that it means that data breaches can now be punished by enormous fines. What I can't easily work out is what actual, real-world changes small companies will need to make to comply? I sat in on a webinar a few months back, and all it seemed to say was, we know there'll be changes but we can't specifically say what yet.
Have a look on the ICO website.
I’m implementing it now, it’s wide ranging.
There’s a thread on here with lots of chat, Kryton57 started it IIRC.
Quite a lot....
Use the ICO guidance, do a gap analysis, identify risks, create a remediation task list, create a plan (proper plan) and start fixing stuff.
My business delivers lots of GDPR Gap analysis and remediation. Not looking for work as we are flat out.
If you want a gap analysis format I can provide a template; PM me your email address. I went to a conference not long ago and have some reasonable PowerPoint presentations.
The ICO commissioner's blog is an excellent resource also.
Depends where you are now on your data governance/protection journey and what your company does. ICO should be the first port of call.
[url=https://www.lexology.com/library/detail.aspx?g=1426e18d-f687-45a0-b779-4aeb362a03ac]THIS[/url] article isn't too bad for small companies.
Usually when people ask this question they're talking technical changes so the above and cyber essentials are great for a small company.
Depending on what you do you will need to write some policies.
And check you only collect personal data that you legally need or have the right permission for.
A lot of this is still up in the air and bodies like the DMA are seeking clarification on a number of points. Remember that the key to all this is to hand control back to the consumer. Approach any change with this in mind. Also worth checking out “legitimate interest” depending on what you or your business does.
I work in IAAM. We’re making an absolute killing because of it. It’s largely another Y2K exercise as a lot of the regs are duplications or restatements of the existing European and UK data protection legislation.
The big difference being that you can be more extensively done for non-compliance, especially if you’re not based in the EU and handle EU citizens’ data.
Right to be forgotten will be the biggest change for web services. You’ll see more prominent “delete my account” buttons all over the place. If that service relies on other connected infrastructure like cloud services, or internal systems, then that’s where IAAM comes in to anonymise the identity upon provisioning and later on deprovision thoroughly.
PM me if you like, I’ve access to some bolloxing Presales lit on it, or if you’re bored / an insomnia sufferer / like filling your mailbox with crap I’ve probably some more in-depth architectural info.
[i]a lot of this is still up in the air and bodies like the DMA are seeking clarification on a number of points[/i]
That’s hilarious. The identity industry has been jumping up and down about this for two years. You have until 25th May to comply.
Try [url=https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/]https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/[/url]
I would be concerned for hot_fiat's customers if they take the advice given above.
There are also changes to the electronic communications regulations coming in at the same time, and many people lump those in with GDPR compliance; those are still being clarified.
The UK government has not yet decided (well it's decided but parliament hasn't voted yet) which of the opt-outs it intends to take up.
The effect on you depends a lot on your business model, and to an extent your attitude to risk. Facebook, Google and the big banks, for example, are preparing to argue the case for "legitimate business interests" to be interpreted widely. Others with smaller legal budgets and less need to process are happy to rely on consent and the complications that withdrawal of consent brings.
How much free SARs will affect you depends on how many customers you have and how much you hide from them already.
Is there a website with a simple explanation of this for a) the consumer and b) the confused employee?
I work for a US company and they don't care about anything outside of the US.
Right to be forgotten will be the biggest change for web services. You’ll see more prominent “delete my account” buttons all over the place.
My understanding is that the "right to be forgotten" relates [b]only[/b] to personal data. A forum login isn't personal data so this doesn't apply; if the forum held say your postal address then that would count.
It's my understanding that personal data would cover your email address, so a forum login [b]would[/b] contain such items. On this forum for example, my profile contains my name and rough location.
An IP address can also be deemed as personal data.
[i]It's my understanding that personal data would cover your email address, so a forum login would contain such items. On this forum for example, my profile contains my name and rough location.
An IP address can also be deemed as personal data.[/i]
Stuff like your name isn't data that's collected and processed though, it's information you've voluntarily supplied and can easily remove yourself. I'm not sure whether GDPR would apply in that case. The only mandatory 'personal' information required by STW for non-subscribers is a valid email address, and again you can mangle that on your profile. There's no address history held as far as I'm aware, so if you were to do that your old address would be gone forever.
IP address is a tricky one. Assuming it does qualify as personal information for the purposes of GDPR - and I expect it'll require a test case to ascertain definitively either way - there's provision for retaining data for statistical purposes.
The vast majority of IP addresses are leased from your ISP. They will have thousands and thousands and they are distributed at random, so how could that be identifiable?
Well, that's disturbing. Cheers for the link.
So, yes, it's only PII for the ISP, not the website/forum owner.
[url=http://singletrackmag.com/forum/topic/give-whos-ready]Here[/url] is the earlier thread referred to above (I think). We're full steam ahead on the whole thing now, a lot of effort going into ensuring we have compliant consent for electronic comms in particular.
Overall I'd say getting ready for it is a good exercise for any business as it forces you to do a proper audit of how you source data, what you use it for, how you can be sure you're allowed to use it for what you do and how long you keep it once you've used it.
Even with 'guidance' from the ICO I'm still aware of different organisations taking different views on how they'll implement it - the regulations are full of words like 'reasonable', 'sufficient' and so on which won't get tested until the ICO starts prosecuting people who (they feel) don't comply and the legal folk get involved.
So get ready for 25 May but expect a few 'clarifications' to the regs after that which could be big or small depending on the stance you're taking now.
I suppose the crux there is, [i]"if the BRD has the legal power to compel the relevant ISP to disclose sufficient information to identify Mr Breyer, then Mr Breyer's IP address will be personal data in the hands of the BRD."[/i]
The BRD is the Federal Republic of Germany. I can't see many regular web forums having the legal clout to make such demands of ISPs.
[i]The BRD is the Federal Republic of Germany. I can't see many regular web forums having the legal clout to make such demands of ISPs.[/i]
[i] If a business collects and processes IP addresses, but has no legal means of linking those IP addresses to the identities of the relevant users, then those IP addresses are unlikely to be personal data.[/i]
That's how I read it also.
Chatting to a consultant about this last week and two things came up that I didn't know before and were quite interesting.
1. There is a whistleblowing clause, i.e. it's encouraged to dob your competitors in if you have sufficient reason to believe they are non-compliant.
2. The DPO or DPR cannot be held accountable for failure to comply. In this situation the business is accountable for not employing a competent DPO or DPR.
Anyone who does web analytics or keeps webserver logs will be able to track an IP address to a login, and if the login email address identifies a person - which it almost certainly does to someone - then IP is personal.
The rules say "any information relating to an identifiable person ...directly or indirectly"
And that's ignoring that you can buy IP to person datasets from Experian et al.
It's any PII, and whether or not it's given voluntarily doesn't change that. There are a lot of scaremongering consultancies out there muddying the water, I'd say. Personally, as mentioned above, you should use this as an exercise to check against best practice. The ICO, it seems, are not expecting everyone to get sorted immediately, and thus will work with the business rather than fine the business. But there is lots of clarification needed, and I would strongly suggest that if you are going to make a change based on a spurious GDPR directive, you are better to get that clarification first and save yourself costs.
Collecting data moving forward is one thing, what you do with the data you have now is another as after May, your options will be limited.
Interesting post, meant to reply at the time, but busy time of year for me 🙁
I, like the OP, have been to a few seminars but am not sure what actual changes I really need to be making.
In fact I got the distinct impression the people running the seminar didn't really know either.
Everyone is focusing on marketing and collection of emails, for which the new legislation seems logical and sensible to me. However I feel it's a secondary concern compared to the secure storage of customer data. It's hard to find a definitive list of best practices regarding this.
I work in the travel industry and whilst the right to be forgotten again seems sensible, I guess we can refuse this till the booking has departed (not that anyone would ask but you never know). More practically, as part of their annual process our auditors pick random bookings from the last 5 years and we need to supply full customer details. There must be a consent for this, just like I assume I can't ask HMRC for the right to be forgotten 🙂
Seems to be a lot of people jumping on the consultancy bandwagon and muddying the waters (even though I guess we will end up hiring one as we want to get it right).
Interesting to see a thread on here as you might get a more balanced view, perhaps!
As an aside, can anyone recommend a method for storing/sharing passwords? We use an internally hosted application at the moment but I'm unsure about all these cloud services: RoboForm, LastPass Enterprise etc.
[i]I work in the travel industry and whilst the right to be forgotten again seems sensible, I guess we can refuse this till the booking has departed (not that anyone would ask but you never know). More practically, as part of their annual process our auditors pick random bookings from the last 5 years and we need to supply full customer details. There must be a consent for this, just like I assume I can't ask HMRC for the right to be forgotten[/i]
You can refuse until 5 years have passed. You need the data for other legal/business reasons for five years (auditing). You do not need consent as they are your customers and you have a business contract with them.
Whats more important is that you can demonstrate to the ICO that you have put policies and procedures in place to secure the data. You also need a procedure to follow in the event of a breach.
Pat12 - I am not so sure you can refuse this, and would question your 5 year retention policy if I made such a request. If this is consent based processing (which it sounds like, and seems reasonable) then the right to erasure under Article 17 is engaged. You say that your auditors "need" personal data for the random cases they pick - I would challenge that on grounds of necessary and proportionate. You don't need to keep all that data on the off-chance that particular case is selected.
This sounds like somewhere that pseudonymisation is your friend, see Article 4(5).
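The two technical points in this thread are the post above noting that web server logs tie an IP address to a login (and so to a person), and the suggestion that pseudonymisation (Article 4(5): data that can no longer be attributed to a person without additional information that is kept separately) is the tool for keeping records usable without keeping them identifiable. The following is an added example, not code from the original thread or from Singletrack: it pseudonymises the client address in constructed Apache-style log lines with a keyed hash (HMAC-SHA256), so visitor counts and per-visitor statistics still work, while the key is the "additional information" to be stored separately. The log lines, the key and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Apache "common" format. The addresses are
# documentation ranges (203.0.113.0/24, 198.51.100.0/24), not real clients.
SAMPLE_LOG = """\
203.0.113.17 - - [10/May/2018:10:01:02 +0100] "GET /forum/topic/gdpr HTTP/1.1" 200 5123
203.0.113.17 - - [10/May/2018:10:01:09 +0100] "GET /profile/12345 HTTP/1.1" 200 801
198.51.100.8 - - [10/May/2018:10:02:30 +0100] "POST /login HTTP/1.1" 302 0
203.0.113.17 - - [10/May/2018:10:03:15 +0100] "GET /forum/topic/give-whos-ready HTTP/1.1" 200 7020
"""

# Constructed key for the example. In practice it is generated randomly, held
# apart from the logs (that separation is what makes this pseudonymisation
# rather than a cosmetic change), and can be destroyed to make old logs
# unlinkable when an erasure request or a retention deadline requires it.
EXAMPLE_KEY = b"example-key-stored-separately-from-logs"

# First whitespace-delimited field of a common/combined log line is the client.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Map an IP address to a keyed token (truncated HMAC-SHA256 hex).

    The same address with the same key always yields the same token, so
    unique-visitor counts and per-visitor request counts are preserved.
    Without the key the token cannot be turned back into the address, and a
    plain unkeyed hash would not do: the IPv4 space is small enough to hash
    exhaustively, so an unkeyed hash is trivially reversible.
    """
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_log(text: str, key: bytes) -> list:
    """Rewrite every log line so the client field is a token, not an address."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not start with a client field
        out.append(f"{pseudonymise_ip(m['ip'], key)} {m['rest']}")
    return out


def unique_visitors(lines: list) -> int:
    """Statistical use that still works on the pseudonymised log."""
    return len({line.split(" ", 1)[0] for line in lines})


def requests_per_visitor(lines: list) -> Counter:
    """Per-token request counts; tokens, not addresses, are the keys."""
    return Counter(line.split(" ", 1)[0] for line in lines)


if __name__ == "__main__":
    scrubbed = pseudonymise_log(SAMPLE_LOG, EXAMPLE_KEY)
    for line in scrubbed:
        print(line)
    print("unique visitors:", unique_visitors(scrubbed))
    print("requests per visitor:", requests_per_visitor(scrubbed).most_common())
```

The retention question raised in the thread then becomes a question about the key rather than the log: logs pseudonymised this way can be kept for statistics, and the linkage to individuals ends when the separately held key is deleted.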
[i]Pat12 - I am not so sure you can refuse this, and would question your 5 year retention policy if I made such a request. If this is consent based processing (which it sounds like, and seems reasonable)[/i]
It wouldn't be consent based, it would fall under "legitimate interests" i.e. "we require to do this processing in order to deliver whatever it is we have agreed on" and that could include keeping records for audit. Legitimate interests last for as long as those interests are legitimate - 6 years would seem an obvious length for anything financial.
[i]This sounds like somewhere that pseudonymisation is your friend[/i]
Which is a trick used to circumvent financial checks and balances, including money laundering. Quite possibly not appropriate for financial audits.
Whatever the legal basis (condition, in old terminology) for the processing, we have now had consent, legitimate interests and performance of a contract mentioned.
My point was: is it necessary or proportionate to retain the personal data for five years after the trip has been made? See Article 6(1)e and 6(1)f.
And before we really have to start quoting Data Protection for Dummies - storage is processing.
As someone that has run a business in PCI DSS, ISO 27001 and NHS Toolkit for over 15 years, and now GDPR for close to 3 years, I have never seen so many s**t consultant experts appear.
Buyer beware
P.S. What the German data protection supervisory authority says (actually each state has a data protection authority in Germany) is important as it will likely be accepted into guidance by the Article 29 working party, the group who will become the European Supervisory Authority setting guidelines on, for example, enforcement. The ICO (the UK data protection supervisory authority) did have a seat on this, but that got voted away in June 2016, so this is yet another of those countless examples where we will have to comply but lost our say in what that looks like.
[i]Whatever the legal basis (condition, in old terminology) for the processing, we have now had consent, legitimate interests and performance of a contract mentioned.[/i]
"Performance of a contract" is not a legal basis for processing. You could have a "legitimate interest" in processing in order to perform under contract. Consent could not be used because it must be freely given with no tied-in conditions; "consent or we won't carry out our contractual obligations" would not be allowed under GDPR. One of the nice features of GDPR is that you will no longer have to get on somebody's crappy mailing list just because you buy something from them. The two must be separated.
[i]My point was: is it necessary or proportionate to retain the personal data for five years after the trip has been made? See Article 6(1)e and 6(1)f[/i]
6 years retention after any contract ends is easily justifiable. Either party could sue (e.g. sickholidaydotcom) for 6 years after you return. It is a basic principle of UK law.
If you throw away any identifiable record of your customer, how can you expect to defend a claim? That there is your legitimate interest in processing data for some time after the holiday.
[i]"Performance of a contract" is not a legal basis for processing.[/i]
You might want to tell the ICO that as their [url=https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/#ib3]page[/url] says:
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
[b](b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.[/b]
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
[i]"Performance of a contract" is not a legal basis for processing.[/i]
Our consultant has told us it is, as is the potential of a contract
What thepurist said.
Holding ALL customer data for 5 years because you MIGHT need a small percentage for audit purposes (that was the reason given) is not necessary or proportionate. Do you actually read anything grumpyscullion or just do a google search on keywords?
Here endeth the free GDPR advice....
I am also not providing free GDPR consultancy on this here forum.
Lot of sense and bollocks in this thread
Thanks all
As above, I have found most of these issues divide opinion, so it's hard for the layman to get a clear picture.
The audit was just a random example that popped into my head. Hopefully the auditors would adjust the process if I told them the requested customer record was erased.
What about accounting systems, Sage etc.?
The ICO says you can refuse to:
[i]comply with a legal obligation for the performance of a public interest task or exercise of official authority[/i]
Surely we can store a customer name against a transaction for 5 years?
[i]Whats more important is that you can demonstrate to the ICO that you have put policies and procedures in place to secure the data. You also need a procedure to follow in the event of a breach.[/i]
Will they produce these guidelines for these policies soon? The ICO site suggests they are still working on them.
So many questions so few answers!
How do I find a good consultant? Anyone here based in the south east?
Not looking for free advice. I have spoken to several experts in the last few months and not one could answer most of my questions; wait to see what the ICO say seems to be the go-to answer.
Addressed the data security to one and he said I'd be fine if I was using SSL - might print out my Comodo invoice and stick it to the door, covered!
[i]Holding ALL customer data for 5 years because you MIGHT need a small percentage for audit purposes is not necessary or proportionate.[/i]
I think you are right, however at present we don't get to make that choice (if we want to file audited accounts)
