GDPR - coming your way soon

Discussion in 'Current Affairs, News and Analysis' started by Victorian_Major, Nov 13, 2017 at 8:54 PM.

  1. If you have to ask...

    First, a dit. I was a Lt or Capt when the Freedom of Information Act came in. There was a whole load of fuss about our information obligations in the event of FOI requests; how we had to behave and what we had to do.

    When it came down to it, most of the FOI requests I ever handled were handled sharpish into the bin with no apparent ill effects.

    Now, as a civvy, we have the General Data Protection Regulation coming in - legislation which (a bit like the US Patriot Act) applies very widely indeed. Therefore, it's pretty unaffected by Brexit.

    GDPR is currently a bluffer's paradise. The amount of traffic, heat and bollocks being written about it is wondrous to behold. By the way, I'm no expert - but importantly I recognise this and try to make sure that I've got SMEs on my team who can handle GDPR.

    Like many other businesses, mine is preoccupied with our customers' wants and needs with regard to GDPR, and with our compliance obligations. On a good day we're also trying to work out what technology we might need to change to be compliant, and how we can apply automation and pseudonymisation (which is apparently a thing).

    My own view however is that the employee is the most likely to be the most demanding under GDPR. One of the central tenets is a 'right to be forgotten' which sounds catchy but is likely to be a total PITA. In effect an employee (any individual in fact but I am sticking with the employee as disgruntled ones are likely to be the hardest cases) can require that data held on them must be removed, and that this removal may have to be proven too. I maintain that anyone aged 14 and up is so data-compromised that this would be a pretty pointless exercise, but them's the (imminent) rules.

    So, back to my cavalier attitude to FOI, I can't do that this time.

    This is therefore a thread to swap thoughts, bon mots, and experiences as we all get to May 2018 with all of HMG and business as a whole totally compliant with GDPR. Or, alternatively, picking up a fine of 4% of annual turnover for not being compliant...
     
  2. It's going to be fun. Before I retired I was FOI and Data Protection Manager for a group of secondary schools. Glad I'm well shot of it.
     
  3. Interesting how you match the right to be forgotten with the FDA/MHRA requirement to be remembered for at least 12 months beyond the expiry date of the drug you made. Methinks in this case the regulators will win. On the flip side, over 10 years ago I was told by HR that the only things I should say about an employee were that they held the appropriate job position between dates x and y, anything else not being worth the future potential legal hassle. Personally, as soon as the HSE and regulators don't require me to retain information I'll cheerfully erase someone's record and respond to any request with the simple information that I cannot comment for legal reasons. Would you hire someone after that?
     
  4. Oh I didn't realise this one had teeth

    Although how are you supposed to prove you've erased them? Surely if you've done your job properly the audit trails will just point to an id of something in a db that your systems have no record of anymore...
     
  5. Start flying again.
     
  6. seaweed (LE Book Reviewer):

    My employer in the afterlife also followed that principle - no references ever given, only certified the dates of employment with no other details. That had been SOP since ever, certainly since the 70s.
     
  7. This is a huge deal across the private sector right now.

    It's important to understand that it applies if you hold information on any EU citizen. Brexit will not save you (think, for a moment, of how many Irishmen there are knocking about). It is nailed on that wherever we end up, we'll have to either stay in it, or else ratify a separate treaty implementing the same rules. The Americans did this with the previous generation of rules; don't pretend we'll get away with doing less.
     
  8. My concern with GDPR is the (new from May 17) requirement to tell anyone whose data you lose or disclose in error, of the data breach. This includes your own staff as well as external customers, and will generate complaints and in some cases requests for financial compensation.
    For example, you send an invoice or a survey to a customer but you misdirect the email or letter, then it's a data incident and you are legally obliged to tell the customer that someone else received their data.
     
  9. It is, indeed, a dog's breakfast atm.
    I work in the education sphere and one point that came up in regards to 'The right to be forgotten' is that a pupil upon hitting 14 could request a school remove any data relating to them under GDPR as it was set out.
    This is being addressed and I know there is now a lot of work being done in education with the commercial education sector and the DfE now getting amendments/exemptions thought out.
    Otherwise it would be a total nightmare for schools.
     
  10. There's barely any bloody Lynx left. Certainly not one you can fly upside down. Only a gay one that looks like USN BDUs.
     
  11. GDPR is still a very grey area as there hasn't been a court action, but there are other issues that need to be taken into consideration regarding Tax, NI, and other HMRC issues. It not only applies to electronic data but to printed documents as well, which calls into question the security of cabinets and archived records; plus any document that can identify an individual, which could be anything from a T&A number to a telephone number, must be destroyed and rendered unidentifiable.
     
  12. Not a fan of the GTI version then?
     
  13. So you wouldn't do this out of common courtesy, or to avoid looking an even bigger nob when the customer found out by other means. Sort of explains why the legislation was drafted.
     
  14. So then.
    If someone's been a complete and utter bellend on here, under this act they can lawfully demand that everything they have posted be removed?
     
  15. It's complex. There are factors to consider in my line of work like whether the person whose data is lost will kick off and beat up a colleague. This is something we're planning for.
    In a large business millions of letters are sent out and disclosures happen (a customer moves address and doesn't tell you, for example). Whether some businesses are resourced to deal with the admin tail of the GDPR is open to question.