FabSwingers.com > Forums > Politics > GDPR- are you ready for the 25th May?
By (user no longer on site) OP
over a year ago
General Data Protection Regulation
Any -every- company in the UK, charity and person holding details about anyone else will be required to store everything on the cloud, not hold any paper evidence at all or commit to a three-lock system and no server can store that information- it must be on the cloud.
It will take companies an age to do but they only have 12 weeks.....
By *LCCCouple
over a year ago
Cambridge
DP can drive some organisations absolutely crazy, tying themselves in knots trying to be perfect, rather than reasonable. The only way to be perfect with data protection, is not to have any.
By *ara JTV/TS
over a year ago
Bristol East
A lot of consultancy firms are talking this up as some huge and complicated change, in order to make lots of money out of it. It's not.
Business is already subject to the Data Protection Act. This is an updating of it. If you are compliant with the Data Protection Act, compliance with the new legislation is a small step.
The increased punishment for breaches reflects the number of businesses who in the past failed to protect the personal information of citizens.
By *oi_LucyCouple
over a year ago
Barbados
"General Data Protection Regulation
Any -every- company in the UK, charity and person holding details about anyone else will be required to store everything on the cloud, not hold any paper evidence at all or commit to a three-lock system and no server can store that information- it must be on the cloud.
It will take companies an age to do but they only have 12 weeks....."
Bollocks.
Nothing to do with 'the cloud'
-Matt
By *oi_LucyCouple
over a year ago
Barbados
"This will affect almost everybody. Non-compliance fines are up to 50% of turnover. ..bit of a nightmare."
Yes, and no. From a consumer point of view it is a great move. It gives the consumers much greater rights to know what data is being stored about them, and that the companies have actual documented procedures for how they handle that information and risk assessments and the likes.
From a government point of view they (the EU mainly) have pulled a masterstroke. By making the fines up to 50% of turnover it makes it much harder for large companies (the Googles, Facebooks etc) to just weasel their way out of it. The governments can sit them down and say 'So about your tax situation.... should we take a look at your GDPR procedures?' and lo and behold you'll find a lot of companies might suddenly be a bit more willing to cough up some of the tax they owe.
For many smaller businesses, yes it will mean some more work for them, but as a lot of this should already be standard procedure under existing ICO rules, it shouldn't be too bad.
-Matt
By (user no longer on site) OP
over a year ago
That's not what I'm hearing from friends with small to medium businesses and the two remaining UK charities I'm involved with. They consider it a nightmare tbh
By *oi_LucyCouple
over a year ago
Barbados
"That's not what I'm hearing from friends with small to medium businesses and the two remaining UK charities I'm involved with. They consider it a nightmare tbh"
Most of what the GDPR covers for those kinds of companies is already covered by the DPA, so if they are already compliant with the DPA then they should be most of the way there. Considering the GDPR has been in existence now for around two years, and the ICO have been publishing guidance on it for a year at least, it shouldn't be much of a surprise.
-Matt
By (user no longer on site)
over a year ago
I was thinking about how this would affect Fab. The whole thing is personal and sensitive data. Scary.
To the above, the maximum fine is 4% of sales of the parent company, or 20m Euro, whichever is higher. And, as said, having data in the cloud is irrelevant.
By *oi_LucyCouple
over a year ago
Barbados
"I was thinking about how this would affect Fab. The whole thing is personal and sensitive data. Scary.
To the above, the maximum fine is 4% of sales of the parent company, or 20m Euro, whichever is higher. And, as said, having data in the cloud is irrelevant."
Indeed. As fabbers, the GDPR is great news.
-Matt
By (user no longer on site)
over a year ago
"DP can drive some organisations absolutely crazy, tying themselves in knots trying to be perfect, rather than reasonable. The only way to be perfect with data protection, is not to have any."
Ah the old double penetration, so tricky to get right first time
By (user no longer on site)
over a year ago
"Any mods able to move this to the feedback forum so admin have more chance of seeing it?
TIA
You might want to read here.
https://www.fabswingers.com/articles/Privacy_Policy"
It'd be interesting to find out what period of time passes before your data is deleted from Fab and its systems after you delete your profile. Anecdotal evidence exists that it persists for some time and is used in decisions made about you on your return.
"Any mods able to move this to the feedback forum so admin have more chance of seeing it?
TIA
You might want to read here.
https://www.fabswingers.com/articles/Privacy_Policy"
Thank you.
I'm surprised that no mods or admin has responded to this and provided the link.
Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
By (user no longer on site)
over a year ago
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?"
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow.
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow."
And you had all those rights before!
By (user no longer on site) OP
over a year ago
"General Data Protection Regulation
Any -every- company in the UK, charity and person holding details about anyone else will be required to store everything on the cloud, not hold any paper evidence at all or commit to a three-lock system and no server can store that information- it must be on the cloud.
It will take companies an age to do but they only have 12 weeks.....
Bollocks.
Nothing to do with 'the cloud'
-Matt"
No data can be stored on a unit-based server. It must all be centralized ie, 'the cloud'. At least, that was the information our company was given.
"General Data Protection Regulation
Any -every- company in the UK, charity and person holding details about anyone else will be required to store everything on the cloud, not hold any paper evidence at all or commit to a three-lock system and no server can store that information- it must be on the cloud.
It will take companies an age to do but they only have 12 weeks.....
Bollocks.
Nothing to do with 'the cloud'
-Matt
No data can be stored on a unit-based server. It must all be centralized ie, 'the cloud'. At least, that was the information our company was given."
That is absolute rubbish. Why would that ever be law?
By (user no longer on site)
over a year ago
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow.
And you had all those rights before!"
No. Data protection was the right to hold relevant data at a relevant time. Doesn't cover breaches. Doesn't cover how you protect the data. Doesn't include more information such as IP and characteristics of you like race, eye colour etc.
GDPR is a buzz word but it's my job to understand the implications to our organisation.
By (user no longer on site)
over a year ago
"General Data Protection Regulation
Any -every- company in the UK, charity and person holding details about anyone else will be required to store everything on the cloud, not hold any paper evidence at all or commit to a three-lock system and no server can store that information- it must be on the cloud.
It will take companies an age to do but they only have 12 weeks.....
Bollocks.
Nothing to do with 'the cloud'
-Matt
No data can be stored on a unit-based server. It must all be centralized ie, 'the cloud'. At least, that was the information our company was given."
Depends on how you interpret it. In fact I would decentralise the data so if there is a breach it is minimal. However you may get asked by an EU citizen what data do you have on them. You have to answer that so centralised data makes it easy.
But it has nothing to do with the cloud. However, if you provide a service and it's on the cloud you need to protect it further. That organisation has more obligations than a company that sells a product that another company hosts.
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow.
And you had all those rights before!
No. Data protection was the right to hold relevant data at a relevant time. Doesn't cover breaches. Doesn't cover how you protect the data. Doesn't include more information such as IP and characteristics of you like race, eye colour etc.
GDPR is a buzz word but it's my job to understand the implications to our organisation. "
You are talking nonsense. Of course there were penalties for breaches!
The ICO fined the CPS - i.e. one Government agency fined another £325,000.00, just yesterday for data protection breaches. That is just one example! And the new law is not in force yet. That is under the old law.
By *oi_LucyCouple
over a year ago
Barbados
"General Data Protection Regulation
Any -every- company in the UK, charity and person holding details about anyone else will be required to store everything on the cloud, not hold any paper evidence at all or commit to a three-lock system and no server can store that information- it must be on the cloud.
It will take companies an age to do but they only have 12 weeks.....
Bollocks.
Nothing to do with 'the cloud'
-Matt
No data can be stored on a unit-based server. It must all be centralized ie, 'the cloud'. At least, that was the information our company was given.
That is absolute rubbish. Why would that ever be law? "
No, it is not the law, but it may well be her company’s strategy for complying with the law. For example, if you have data stored locally spread amongst a number of computers and storage devices then it may be harder to deal with the lifecycle of that data, eg the deletion after a certain time frame.
One of the big rights that GDPR gives is the right to be forgotten. It is very hard for a company to implement that if they don’t know where exactly all the data is stored. So in this case it is likely that the company has decided to standardise on a single place to store that data (which happens to be a cloud-based service).
-Matt
By *oi_LucyCouple
over a year ago
Barbados
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow.
And you had all those rights before!
No. Data protection was the right to hold relevant data at a relevant time. Doesn't cover breaches. Doesn't cover how you protect the data. Doesn't include more information such as IP and characteristics of you like race, eye colour etc.
GDPR is a buzz word but it's my job to understand the implications to our organisation.
You are talking nonsense. Of course there were penalties for breaches!
The ICO fined the CPS - i.e. one Government agency fined another £325,000.00, just yesterday for data protection breaches. That is just one example! And the new law is not in force yet. That is under the old law."
The DPA mainly covered 'Data Controllers' and not 'Data Processors'. So, for example, Fabswingers would be a Data Controller under the DPA as they take our personal information. But the hosting company that hosts the website would be a 'Data Processor', and have few obligations under the DPA. Under GDPR the hosting company would also have obligations around the information it was storing on behalf of Fabswingers. It would be responsible for having documented procedures for how it deals with that data. For example the hosting company may take automated backups of the servers the Fabswingers site runs on in the event of needing to recover from a hardware failure or malicious act. The hosting company would need to have a documented procedure for the way in which they handle and retain those backups. Are they kept for a week? A month? Who has access to them? Are they stored onsite or offsite? How are they destroyed? Do they do so securely, or is there a risk that someone will find a backup tape in a skip and find all my private pics on it?
-Matt
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow.
And you had all those rights before!
No. Data protection was the right to hold relevant data at a relevant time. Doesn't cover breaches. Doesn't cover how you protect the data. Doesn't include more information such as IP and characteristics of you like race, eye colour etc.
GDPR is a buzz word but it's my job to understand the implications to our organisation.
You are talking nonsense. Of course there were penalties for breaches!
The ICO fined the CPS - i.e. one Government agency fined another £325,000.00, just yesterday for data protection breaches. That is just one example! And the new law is not in force yet. That is under the old law.
The DPA mainly covered 'Data Controllers' and not 'Data Processors'. So, for example, Fabswingers would be a Data Controller under the DPA as they take our personal information. But the hosting company that hosts the website would be a 'Data Processor', and have few obligations under the DPA. Under GDPR the hosting company would also have obligations around the information it was storing on behalf of Fabswingers. It would be responsible for having documented procedures for how it deals with that data. For example the hosting company may take automated backups of the servers the Fabswingers site runs on in the event of needing to recover from a hardware failure or malicious act. The hosting company would need to have a documented procedure for the way in which they handle and retain those backups. Are they kept for a week? A month? Who has access to them? Are they stored onsite or offsite? How are they destroyed? Do they do so securely, or is there a risk that someone will find a backup tape in a skip and find all my private pics on it?
-Matt"
No it didn't! Both terms were in the 1998 Act!
In answer to the question...not quite but we will be...it's not difficult and as others have said if you are DP compliant this is an extension with a few knobs on....audit the data...delete what you don't need...safely store what you do need...have written policies....don't lose data...lots of people making lots of money out of this just as they did with Y2K.
"In answer to the question...not quite but we will be...it's not difficult and as others have said if you are DP compliant this is an extension with a few knobs on....audit the data...delete what you don't need...safely store what you do need...have written policies....dont lose data...lots of people making lots of money out of this just as they did with Y2K."
Spot on.
By *oi_LucyCouple
over a year ago
Barbados
"In answer to the question...not quite but we will be...it's not difficult and as others have said if you are DP compliant this is an extension with a few knobs on....audit the data...delete what you don't need...safely store what you do need...have written policies....dont lose data...lots of people making lots of money out of this just as they did with Y2K."
Yes there are a lot of snake oil salesmen out there with this. But be careful not to then write off the entire thing with a generic hand wave. It does have additional obligations, and from an end user perspective this is a very real and warranted move.
-Matt
By *oi_LucyCouple
over a year ago
Barbados
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow.
And you had all those rights before!
No. Data protection was the right to hold relevant data at a relevant time. Doesn't cover breaches. Doesn't cover how you protect the data. Doesn't include more information such as IP and characteristics of you like race, eye colour etc.
GDPR is a buzz word but it's my job to understand the implications to our organisation.
You are talking nonsense. Of course there were penalties for breaches!
The ICO fined the CPS - i.e. one Government agency fined another £325,000.00, just yesterday for data protection breaches. That is just one example! And the new law is not in force yet. That is under the old law.
The DPA mainly covered 'Data Controllers' and not 'Data Processors'. So, for example, Fabswingers would be a Data Controller under the DPA as they take our personal information. But the hosting company that hosts the website would be a 'Data Processor', and have few obligations under the DPA. Under GDPR the hosting company would also have obligations around the information it was storing on behalf of Fabswingers. It would be responsible for having documented procedures for how it deals with that data. For example the hosting company may take automated backups of the servers the Fabswingers site runs on in the event of needing to recover from a hardware failure or malicious act. The hosting company would need to have a documented procedure for the way in which they handle and retain those backups. Are they kept for a week? A month? Who has access to them? Are they stored onsite or offsite? How are they destroyed? Do they do so securely, or is there a risk that someone will find a backup tape in a skip and find all my private pics on it?
-Matt
No it didn't! Both terms were in the 1998 Act!"
Is that seriously the limit of your intelligence? I didn’t have high hopes after most of your Brexit comments. But this is a new low.
Yes the term is in the DPA. But if you actually read or know the act then you will see that data processors do not have any specific legal obligations under the act (unless they are also data controllers).
You have to actually understand the context in which a word is used. Just because I say the word ‘cock’ in this sentence does not mean this is a post about cocks. Come on. Please at least make an effort or don’t bother.
-Matt
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow.
And you had all those rights before!
No. Data protection was the right to hold relevant data at a relevant time. Doesn't cover breaches. Doesn't cover how you protect the data. Doesn't include more information such as IP and characteristics of you like race, eye colour etc.
GDPR is a buzz word but it's my job to understand the implications to our organisation.
You are talking nonsense. Of course there were penalties for breaches!
The ICO fined the CPS - i.e. one Government agency fined another £325,000.00, just yesterday for data protection breaches. That is just one example! And the new law is not in force yet. That is under the old law.
The DPA mainly covered 'Data Controllers' and not 'Data Processors'. So, for example, Fabswingers would be a Data Controller under the DPA as they take our personal information. But the hosting company that hosts the website would be a 'Data Processor', and have few obligations under the DPA. Under GDPR the hosting company would also have obligations around the information it was storing on behalf of Fabswingers. It would be responsible for having documented procedures for how it deals with that data. For example the hosting company may take automated backups of the servers the Fabswingers site runs on in the event of needing to recover from a hardware failure or malicious act. The hosting company would need to have a documented procedure for the way in which they handle and retain those backups. Are they kept for a week? A month? Who has access to them? Are they stored onsite or offsite? How are they destroyed? Do they do so securely, or is there a risk that someone will find a backup tape in a skip and find all my private pics on it?
-Matt
No it didn't! Both terms were in the 1998 Act!
Is that seriously the limit of your intelligence? I didn’t have high hopes after most of your Brexit comments. But this is a new low.
Yes the term is in the DPA. But if you actually read or know the act then you will see that data processors do not have any specific legal obligations under the act (unless they are also data controllers).
You have to actually understand the context in which a word is used. Just because I say the word ‘cock’ in this sentence does not mean this is a post about cocks. Come on. Please at least make an effort or don’t bother.
-Matt"
Maybe read the 1998 Act and then you won't be quite so rude and won't look so stupid!
By *oi_LucyCouple
over a year ago
Barbados
"Why do moderators and administrators need to be involved?
What is everyone worried about?
What is wrong with the current bland privacy policy, that basically says that they will comply with the law?
With the increase in breaches and the more intelligent ways of using data, the Data Protection Act is outdated. It now allows you to have your data protected, informs you if there is a breach and gives you rights to find out what data they hold on you, to rectify it or to be forgotten.
Hefty fines for those organisations that do not follow.
And you had all those rights before!
No. Data protection was the right to hold relevant data at a relevant time. Doesn't cover breaches. Doesn't cover how you protect the data. Doesn't include more information such as IP and characteristics of you like race, eye colour etc.
GDPR is a buzz word but it's my job to understand the implications to our organisation.
You are talking nonsense. Of course there were penalties for breaches!
The ICO fined the CPS - i.e. one Government agency fined another £325,000.00, just yesterday for data protection breaches. That is just one example! And the new law is not in force yet. That is under the old law.
The DPA mainly covered 'Data Controllers' and not 'Data Processors'. So, for example, Fabswingers would be a Data Controller under the DPA as they take our personal information. But the hosting company that hosts the website would be a 'Data Processor', and have few obligations under the DPA. Under GDPR the hosting company would also have obligations around the information it was storing on behalf of Fabswingers. It would be responsible for having documented procedures for how it deals with that data. For example the hosting company may take automated backups of the servers the Fabswingers site runs on in the event of needing to recover from a hardware failure or malicious act. The hosting company would need to have a documented procedure for the way in which they handle and retain those backups. Are they kept for a week? A month? Who has access to them? Are they stored onsite or offsite? How are they destroyed? Do they do so securely, or is there a risk that someone will find a backup tape in a skip and find all my private pics on it?
-Matt
No it didn't! Both terms were in the 1998 Act!
Is that seriously the limit of your intelligence? I didn’t have high hopes after most of your Brexit comments. But this is a new low.
Yes the term is in the DPA. But if you actually read or know the act then you will see that data processors do not have any specific legal obligations under the act (unless they are also data controllers).
You have to actually understand the context in which a word is used. Just because I say the word ‘cock’ in this sentence does not mean this is a post about cocks. Come on. Please at least make an effort or don’t bother.
-Matt
Maybe read the 1998 Act and then you won't be quite so rude and won't look so stupid!"
I have.
The act is applicable to Data Controllers. Not Data Processors.
If you believe otherwise please point me to where in the act it states so.
-Matt
Try Section 1(e) of the 1998 Act, where it defines Data Processors!
An Act that defines Data Processors in the very first section, but doesn't apply to them. Yeah right.
Maybe you should have read the Act as I asked you to, before allowing me to make you look like a total cretin!
By *oi_LucyCouple
over a year ago
Barbados
"Try Section 1(e) of the 1998 Act, where it defines Data Processors!
An Act that defines Data Processors in the very first section, but doesn't apply to them. Yeah right.
Maybe you should have read the Act as I asked you to, before allowing me to make you look like a total cretin!"
Again, I have read it. Yes it defines it.
So?
That doesn’t mean the act applies to Data Processors. In fact if you read beyond the first page (hint try s5) you will see that the act explicitly applies to Data Controllers.
Again, don’t call me a cretin just because you lack the critical reading or comprehension skills to understand that defining or mentioning a term does not mean that a law might apply to it. In many cases, such as this, you need to define something so that you can explicitly make clear what the law does NOT apply to.
-Matt
Try reading the definition again!
Look at the 1st sentence of Section 1! What does it say?
How on earth can you possibly claim that the Act does not apply to data processors when the 1st sentence says that it does!
By *oi_LucyCouple
over a year ago
Barbados
"Try reading the definition again!
Look at the 1st sentence of Section 1! What does it say?
How on earth can you possibly claim that the Act does not apply to data processors when the 1st sentence says that it does!"
The 1st sentence of s1? This one you mean?
“In this Act, unless the context otherwise requires—
“data” means information which—
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,”
What about it? It has nothing to do with the definition of a Data Processor or Data Controller and what this Act applies to.
-Matt
Have you ever studied any law? Have you ever read a statute before?
Look at Schedule 1.
The whole Act is concerned with data processing and if you process data, by definition, you are a Data Processor!
It really is very simple!
By *oi_LucyCouple
over a year ago
Barbados
"Have you ever studied any law? Have you ever read a statute before?
Look at Schedule 1.
The whole Act is concerned with data processing and if you process data, by definition, you are a Data Processor!
It really is very simple!"
Hahahahahaha. See, you really have no idea what you are talking about and have just shown you haven’t read or understood any of it. Let’s try again in simple terms.
Data processing in general is a generic term and yes, this act applies to it.
However, the Act specifically defines three distinct parties to this:
- Data Subject - that is whom you are collecting data on
- Data Controller - that is who determines what data is to be collected, why and how.
- Data Processor - this is who processes or stores the data
The DPA 1998 specifically applies to the Data Controller and NOT the Data Processor. So for example under the DPA and with regards to Fab:
- You and I and the other members are the Data Subjects
- The company that owns and runs Fab are the Data Controllers
- The 3rd parties such as the hosting company, the billing provider, etc are the Data Processors.
So under the DPA, Fab as the Data Controller have an obligation to keep our data safe and to process it in a safe way.
However the hosting company, or billing company, are the Data Processors and are NOT subject to any obligations under the DPA.
So, if, for example, the system for paying for Fab supporter membership by SMS was hacked and everyone’s mobile number was leaked to the tabloids... that company (the billing company) could not be charged under the DPA as they are not the Data Controller. Only Fab could be, and only if they were deemed negligent. Which in this example would be unlikely as it was not Fab’s fault that the billing company got hacked.
Under GDPR, both the Data Controller AND the Data Processor have an obligation to keep data safe. So as of the 25th May, the company that bills us for Fab membership via SMS will also have to have documented procedures and policies for how they handle that data. So for example, how long will they retain my mobile number in their records.
Understand now?
-Matt
By *oi_LucyCouple
over a year ago
Barbados
"Sounds like someone hasn't been attending the mandatory training! "
More like they have a very fundamental problem reading and comprehending the act that they keep trying to use as an example.
-Matt
By *oi_LucyCouple
over a year ago
Barbados
Just for clarification for anyone still reading this thread... GDPR goes well beyond what the DPA did. And this is a *good* thing.
Just some examples of scenarios where the GDPR would give protection *beyond* the DPA:
- If the billing company that Fab uses had a data breach, they would have to notify Fab of that breach within 72 hours.
- If you requested Fab remove all of your information, then it would also be Fab’s obligation to remove that from any 3rd parties they had given access to (eg the billing company).
- If Fab started to process our data in an additional or new way, eg related to targeted advertising, then they would be obligated to carry out a Data Privacy Impact Assessment first to establish what the impact of the action would be on our privacy.
Those are just a few examples, there are plenty more.
Just one example for outside Fab: if you were to apply for a loan to buy a car, the loan provider would need to let you know if any automated decision making process is used. Eg credit scoring. And give you a right to appeal a decision ie ‘computer says no’ can no longer be the final answer.
-Matt
By (user no longer on site)
over a year ago
"Sounds like someone hasn't been attending the mandatory training! "
Yep. Data processing is an action. Data Processor is a body. Context is king.
Anyway, I work with lawyers with all our customers on their interpretation of GDPR. The scary thing is they do not have many cases to refer to, so are waiting for the first fines to then determine some of their actions. For example, pseudonymisation is a hard thing to solve. But they believe in a few years machines will be powerful enough to crack encryption. So they believe in anonymisation of data or complete deletion.
However, they do have the processes in place, the audit done, ready to inform their users etc. But the actual details they may get after cases begin to appear.
By *LCCCouple
over a year ago
Cambridge
"This will affect almost everybody. Non-compliance fines are up to 50% of turnover. ..bit of a nightmare."
The maximum fine is 4% of global turnover or €20m, whichever is higher. That's quite a long way short of the 50% you have claimed.