New Data Protection Laws - GDPR - will affect us all. Here’s some help

Data Protection GDPR

261 replies to this topic

#46 mel2

mel2

    Virtuoso

  • Members
  • 4905 posts
  • Member: 6928
    Joined: 15-May 06
  • East Yorkshire

Posted 16 March 2018 - 16:53

It's a nightmare. I've registered for the ISM webcast on Tues 20th and hoping that some people will ask the questions that have cropped up on here. Seems ridiculous to me for 4 students with first names and phone numbers in my diary, but ingenious officials will always find ways of extracting fees from the law-abiding. I shall not be volunteering any moolah until I'm certain I have to.


  • 2

#47 Aquarelle

Aquarelle

    Virtuoso

  • Members
  • 7806 posts
  • Member: 10531
    Joined: 05-April 07

Posted 16 March 2018 - 20:16

 

 

I thought the GDPR legislation came from the EU (from a brief look).

 

Possibly - I haven't been into it. I certainly haven't heard of any attempt to implement it here. So why are the British attempting to implement EU legislation?

 

 

They are not. The GDPR is an EU Directive which is directly applicable to all EU Member States without the need to incorporate it into national legislation. This is why the UK cannot avoid it, even though we shall soon be leaving the EU. And I'm afraid you in France cannot avoid it, either, Aquarelle. It will come into effect throughout the EU on 28th May this year.

 

I simply don't understand that Hildegarde. Are you actually saying that Britain has to put this law into action simply because it's an EU directive when one year later EU directives won't apply? As for it coming into effect here at the end of May - I'm not that sure. President Macron has recently said that France would not accept EU requirements which were more exacting than French law. The actual context was agricultural but I daresay it could apply to other fields. What happens if the definition of a micro enterprise in one country is not the same as in another? The whole thing is unworkable, unnecessary and will probably be totally ineffective in protecting anyone.


  • 0

#48 Hildegard

Hildegard

    Prodigy

  • Members
  • 1126 posts
  • Member: 887389
    Joined: 26-October 13

Posted 17 March 2018 - 06:06

 

 

I simply don't understand that Hildegarde. Are you actually saying that Britain has to put this law into action simply because it's an EU directive when one year later EU directives won't apply?

 

 

Yes, the regulation comes into effect in ALL member states on 28th May this year and does not require national legislation. This is what the EU itself says (my emphasis in red):

 

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by government; meaning it will be in force May 2018.

 

https://www.eugdpr.org/gdpr-faqs.html

 

I don't know under what power it comes into force without first having to be passed into national legislation (perhaps because it is considered to be an update to existing Data Protection Directive 95/46). Incidentally, the site referenced above suggests that the situation in the UK post-Brexit for people whose activities are limited to the UK is not entirely clear, but that the British government is expected to introduce similar legislation after we have left the EU. However, until the UK has finally left the EU, the regulations apply to us as much as to everyone else in the EU and fines can be imposed for non-compliance.

 

Without wishing to ignite a Brexit debate here, I have to say that this high-handed approach of just forcing new burdens on people and apparently bypassing national governments in this way, is absolutely playing into the hands of the many in the UK who are determined that the UK must leave the EU. Brussels seems to be doing itself no favours.


  • 2

#49 Splog

Splog

    Virtuoso

  • Members
  • 3343 posts
  • Member: 460379
    Joined: 20-May 12

Posted 17 March 2018 - 09:20

Hildegard, very good point. I read somewhere many years ago - can't remember all the details, so this is of dubious validity - that when EU directives are passed, the UK is among very few countries to take them seriously and comply with them. The French particularly tend to ignore them where it is convenient to do so.

 

Perhaps we could hope that no-one is actually going to enforce these new rules? I mean how much is it going to cost to prosecute someone for not declaring that they keep a few email addresses on a computer? Especially when all those people have more 'dangerous' information such as the teacher's bank details, and are not subject to any privacy or security laws.


  • 3

#50 elemimele

elemimele

    Prodigy

  • Members
  • 1240 posts
  • Member: 895612
    Joined: 17-July 16

Posted 17 March 2018 - 10:12

It'd be nice to get a more definitive viewpoint from someone who knows what's really going on (MU or something?). In at least some larger organisations, guidance appears to be trickling through to employees along the lines of:

You don't need to tell the organisation's data protection officer about data-sets you're keeping at work if (1) they involve less than 100 individuals, or (2) they're related to some hobby/charitable thing you're doing on the side, such as running a local choir or sports group. Now if a big organisation's data protection officer doesn't want to know about a database being kept on his/her organisation's computer system, effectively they're saying they don't believe it needs to be registered.

I don't know where this sort of policy is coming from, but if it's coming from anywhere official, it's puzzling that large organisations would be operating to less exacting standards than small/one-person businesses.

 

In terms of what benefits the registration brings for you, the data-holder - well, that's simple: it does nothing. It's not there for the benefit of the person holding the data, it's there for the benefit of the person whose data is held. It's there because governments/administrations don't want to be yelled at for doing nothing, every time someone drops a USB stick in the street with 10,000 e-mail addresses and bank account numbers, or every time someone's computer system gets hacked and all their customer details sent off to a bunch of shady characters in some lawless corner of the world. Though quite how registering will actually reduce the risk of this sort of thing eludes me completely. From a European perspective, we have to remember that attitudes to personal data and privacy vary enormously. The Germans value privacy so highly that Google streetview (which shows only public spaces exactly as anyone can see them with their own two eyes) is unable to operate, while in the UK we tolerate pretty much uncontrolled CCTV wherever anyone wants to put a camera.

 

Come to think of it, it's not clear to me what anyone's going to do with all this data about who's holding data. It's just more data to lose. And what, if anything, is going to happen if you don't conform?


  • 2

#51 Alder

Alder

    Advanced Member

  • Members
  • 670 posts
  • Member: 11952
    Joined: 09-June 07

Posted 17 March 2018 - 10:59

Having done the 'self assessment' check: Do I use CCTV? No. Do I 'process' information? Yes. Do I process it electronically? No.

 

...apparently I'm fine and don't have to register. Hooray for paper and ink!


  • 2

#52 ontheblackkeys

ontheblackkeys

    Advanced Member

  • Members
  • 200 posts
  • Member: 895988
    Joined: 02-October 16

Posted 17 March 2018 - 13:11

Having done the 'self assessment' check: Do I use CCTV? No. Do I 'process' information? Yes. Do I process it electronically? No.

 

...apparently I'm fine and don't have to register. Hooray for paper and ink!

 

Interesting, thank you for this. I think with a few adjustments I could probably switch back to a paper-based system. It would mean printing out my existing financial records and then deleting the files and keeping a paper list of phone numbers instead of saving them to my phone (a pain, but not impossible to do) but for the number of pupils I have, this is entirely doable.


  • 1

#53 Piano Meg

Piano Meg

    Advanced Member

  • Members
  • 407 posts
  • Member: 271350
    Joined: 14-June 11
  • T' North

Posted 17 March 2018 - 13:58

It occurs to me that most private citizens will process personal data electronically - everybody has email addresses and phone numbers with full names; many people keep birthdays on their phones; if you've sent a friend/family member money for their birthday, you've also 'processed' financial data. I can't imagine they're going to ensure 90% of the country registers. So is the key thing 'organisation'? I'm a sole trader, self-employed, running a business, but I'm not an organisation. I'd assumed I was lumped in with the rest, but perhaps not???

 

Edit: Never mind, just found the exemption for 'domestic purposes'!

Edit 2: Just found an explanation of 'organisations': 'This form is for organisations (we use this term to include all data controllers, including sole traders, companies, and MPs) that need to register with the ICO under the Data Protection Act.'


  • 0

#54 Piano Meg

Piano Meg

    Advanced Member

  • Members
  • 407 posts
  • Member: 271350
    Joined: 14-June 11
  • T' North

Posted 17 March 2018 - 14:12

And yet there's a long list of exemptions...

 

https://ico.org.uk/f...ion/exemptions/

 

... including exemptions for:

  • 'organisations that process personal data only for:
    • staff administration (including payroll);
    • advertising, marketing and public relations (in connection with their own business activity); and
    • accounts and records;'

as well as (at the bottom of the page):

  • 'personal data that consists of educational records or relates to social work;
  • examination marks and personal data contained in examination scripts;'

 

Very confusing!


  • 1

#55 Latin pianist

Latin pianist

    Virtuoso

  • Members
  • 3700 posts
  • Member: 711500
    Joined: 01-April 13
  • Cotswolds

Posted 17 March 2018 - 14:12

This subject came up at our church meeting last week and we were told handwritten lists had to be dealt with in the same way as electronic ones.
  • 0

#56 jpiano

jpiano

    Virtuoso

  • Members
  • 2187 posts
  • Member: 1270
    Joined: 03-May 04

Posted 17 March 2018 - 16:07

Very very far from expert but what I realised a short while back is that I was confusing the need to register with the ICO with the need to abide by the new regulations. As I see it, all businesses, including sole traders, will have to follow the new laws - for example, to provide a privacy notice, only keep data that is necessary, keep data secure, and decide and record which legal basis they're processing the data for. But if no electronic data processing takes place then registration with the ICO isn't necessary - at least that's what the online self-assessment form told me! It wouldn't be feasible for me to run my business without electronic data processing of some sort.


  • 3

#57 Aquarelle

Aquarelle

    Virtuoso

  • Members
  • 7806 posts
  • Member: 10531
    Joined: 05-April 07

Posted 17 March 2018 - 22:43

Well, I hadn't heard about any of this until I read this thread. So I have now done my homework. I have done a search to get an idea of how all this is going to be implemented in France. I have seen no mention whatsoever of having to register. I have found a number of articles referring to large "societies" - or enterprises. I can find nothing which covers my situation except for a short and fairly sensible digest, most of which I understood, explaining the main principles of how data should be protected - i.e. simple things like asking for permission from the owners of the data to store it and seeing that it is safely stored. I always ask permission, and I always ask permission if I want to pass on data to another person and as far as I know any data kept on my computer is as safe or unsafe as it would be on any personal computer.

 

I did also find the usual crop of advertisements from organisations offering to store your data for you or to give you training on how to manage your conformity with the new laws, all of course wanting to be paid substantial amounts for their services.

 

What I read led me to understand that the attitude here is going to be more laid back than in the UK. It seems that as long as you are not a large enterprise and as long as you are taking sensible measures to respect and protect the privacy of the people whose data you hold and can prove this if necessary then nothing much changes for the small business person. Large enterprises run the risk of enormous fines if they don't properly protect the huge amounts of data they hold.

The attitude towards small enterprises seems to be pragmatic.

 

Of course, the French are, as Splog said, notorious for implementing EU rules by, so to speak, moving the goal posts to suit themselves. You can call that what you like - cheating or sensible pragmatism.


  • 1

#58 ma non troppo

ma non troppo

    Prodigy

  • Members
  • 1385 posts
  • Member: 76027
    Joined: 23-September 09

Posted 19 March 2018 - 09:25

I intend to take no action and change nothing. I'll let you know if I am prosecuted. I'll post details of my 'go fund me' account when that happens. Don't hold your breath! ;)
  • 13

#59 LizzieT

LizzieT

    Advanced Member

  • Members
  • 841 posts
  • Member: 6386
    Joined: 07-March 06

Posted 19 March 2018 - 10:45

I suggest all those concerned read section 8 of the following:

 

https://ico.org.uk/m...rs-20180221.pdf

 

It seems that if you only hold information for 'core business purposes' you don't need to register.


  • 3

#60 susiejean

susiejean

    Advanced Member

  • Members
  • 672 posts
  • Member: 10392
    Joined: 29-March 07
  • Aberdeenshire

Posted 19 March 2018 - 10:46

I came across this on Twitter just 2 days ago. It was also the first I'd heard of it. 

I can understand (to a point) why data protection is important. I could also accept if they insisted we presented each new student with a form to sign, which highlighted how and when we used their data and that we needed the permission etc.

What I don't understand OR accept is the registration fee to an independent authority which has a CEO. What exactly are we registering to? What is it going to change, apart from the CEO's annual income? 

If people are going to be so obsessively uptight about things now, then I'm afraid they are going to have to stomach a rise in my fees to cover my precious time all this tripe will inevitably take up. Either that or as others have said I throw in the towel. There is so much red tape, legislation and hoops to jump through nowadays, it would be far easier and less stressful to go back to being an employee.


  • 4