Why don't companies let users hold their own data.
Data compliance costs - minimal.
Why don't companies let users hold their own data.
Data compliance costs - minimal.
GDPR is closer to those than you might think (except 8, I'm with you there but GDPR can't help you!)
1. That is almost exactly what GDPR enforces, and the consent must be opt-in. They CAN use check boxes but they must be clearly explained.
2. GDPR goes further than that. When you withdraw consent (assuming you no longer have a working relationship with them, the council won't let you withdraw consent to bill you for council tax while you still live in their area!) it does all of what you say. Furthermore, if you ask for them to forget about you, (again, assuming you no longer have a working relationship with them,) you will be deleted from all records except for one that lists you as someone who wants to be forgotten. I know that sounds counter-intuitive but if you ask an employer to forget you a year after you leave and then 6 months after that try to take them to court for something they can then use the being-forgotten-log as mitigation as to why they no longer hold records on you.
3. That largely depends on what metrics you'd want granularity over. If you mean what can they use it for, that is included and they can't force you to give anything more than is absolutely required to do the job. An example at the council I work at is missed bin collections. Our web form for reporting those will only Require the house number, post code and which bin needs collecting. We can ask for a name and email/phone but we can't require it and we have to tell you why we want it. In this case, so we can call you to check the contractor did pick the bin up. We also can't keep it longer than needed (so the day the bin is recollected,) unless we ask permission and explain why. E.g. We'd like to store this data so we can see if some homes have bins missed repeatedly.
4. While GDPR does have a 'sensitive' category for data (medical records, politics, sexual preferences, bank details, disabilities etc.) it doesn't have a timeout. You can do it manually whenever you like but it doesn't do that.
5. In the legislation, the only exemption is national security. So while GCHQ might know your political leaning, they can't give it to anyone else.
6. Close, but no cigar. It can't be sent anywhere that doesn't have compatible laws of the same strength. That's WHY we're enacting GDPR even though we're leaving the EU, otherwise they'd refuse to share any data with us. In practice they'll still be able to store it in Ireland. Whether the yanks Privacy Figleaf (the replacement for safe Harbour,) will count is up for debate.
7. Already covered by others, the powers are there. Whether they'd ever be used to drive a company bankrupt I doubt.
8. Sadly not.
@spacein_vader
I remember reading the new rules a year or two back and, while the memory is a bit fuzzy, I seem to remember the principles you outline being caveated with phrases like "reasonable measures" and so forth.
While some such caveats are necessary to avoid having to somehow delete my records from every backup, for instance, the way they read to me was that while sounding good it wouldn't be hard to drive a legal coach and horses through them.
Then, there's another thing. Having a law is one thing. Enforcing it is another, especially if due resources aren't made available to whomever is supposed to enforce it.
Maybe I'm just overly cynical, but .... I'm waiting to see how well it works. My bet is .... not mucch difference.
As it stands now (the bill still could have amendments before its passed,) most of the reasonable measures stuff applies to things like security. So if you get hacked using a known exploit that you should of patched you're in trouble but a day 0 that was unknown and your patching was up to date would be reasonable.
The main area that is open to interpretation is on what counts as security services. So GCHQ can have it for stopping a terror attack but it could be interpreted as any plod force that fancies it can ask.
Beyond that it's pretty clear. Even the backups stuff (unorganised data) is now time limited.
My view from the front line is that the regulations themselves are pretty robust (security services backdoors aside) but it's how rigidly they're enforced by both ICO, the CPS and the courts that's the proof of the pudding. Denham seems pretty proactive but they may get leant on by government if she was looking at a fine that would send a form under (and cost jobs and therefore votes.)
The government will have the tools I'm just not convinced it'll make best use of them.
I think you are being overly cynical, it has caused a massive shake up in the IT Security sector, we are having CSOs and Heads of IT coming to us going "I've got a blank cheque, I need perimeter, solid endpoint and encryption, oh yeah and throw in one of those NACs over there and an HSM".
What you persistently throw your toys out about is legitimate companies using legitimately accessible data within the confines of the law when really you should care more about a company being breached and your data being stolen by malicious entities. You'll especially find your data is being sniffed off've public record information, as much as you think you've X-Directoried yourself and blacklisted, you are still a readable entity by third parties.
There are currently 1 users browsing this thread. (0 members and 1 guests)