GDPR: Do not resist! Unless you want a visit from the data police

Data was a hot topic last year and it's already big in 2017: Microsoft continues to resist the US government's attempts to get hold of data held in its Irish data centres. But just as it seems to be making progress, the government has won a favourable first instance ruling against Google forcing it to disclose data held outside …

  1. Doctor Syntax Silver badge

    "After all, nobody wants to be the first to get a €20m fine."

    Is anyone running a book on who it'll be?

    1. Steve Davies 3 Silver badge
      Joke

      How about....

      Talk-Talk for starters.

      They've got form.

      Last time out they were a clear winner by almost a furlong.

      No need for Blinkers and more either.

      1. m0rt

        Re: How about....

        It will be the UK Gov. :)

        1. The First Dave

          Re: How about....

          Probably the NHS

    2. Anonymous Coward

      I'd bet...

      One of the big advertising tech companies. The GDPR definition of personal data covers ad-tech tracking and at the moment a lot of large advertising companies seem to be pretending GDPR doesn't exist or hoping it will go away.

  2. Derichleau

    The new PPI

    There's no need to wait for the GDPR to come into force. Since the Court of Appeal disapplied Section 13(2) of the DPA, it's now possible to claim compensation against an organisation without having to demonstrate that you've incurred a financial loss as a result.

    I'm in court tomorrow against Halfords because they refused to provide me with answers about how they process personal information fairly. First their solicitor told me that she had fully answered my questions but in her defence, she argued that she did not have to answer my questions.

    Keep an eye out for that unwanted marketing and submit a claim. It only costs £50. Easier still once the GDPR comes into force. Most of the companies that we do business with are likely to be sitting ducks.

    1. Doctor Syntax Silver badge

      Re: The new PPI

      Please let us know how you get on.

      But be warned "First their solicitor told me that she had fully answered my questions but in her defence, she argued that she did not have to answer my questions." The two are not mutually exclusive and this sort of defence in depth is normal. If the court rules they didn't answer your questions fully they'll fall back on they didn't have to and vice versa.

    2. Anonymous Coward

      Re: The new PPI

      I went to Halfords for a new windscreen wiper. In the old days there was a little book you'd use to look up make/model.

      Now it's a tablet computer which requires you to enter your vehicle registration and there was no obvious privacy statement on how/if they'd use or store that data.

      Needless to say I went elsewhere...

      1. Tom Paine

        Re: The new PPI

        Why?

        Walk me through what an attacker could do with the information that a registration number exists, and is associated with $(make, model), and that you bought new wipers for it?

        1. Wayland Bronze badge

          Re: The new PPI

          It's a 'joinder'. It links you to Halfords and your car and that you were aware of a problem with your wipers. On its own it's not much but could be the key to supporting your prosecution for something.

      2. Orv

        Re: The new PPI

        That strikes me as oddly convoluted. In the US such devices generally only ask for the year, make, model, and sometimes trim level.

  3. localzuk

    Schools?

    This seems like it's going to be a nightmare for schools. We gather, process, and transfer data every day! The bureaucracy this will generate seems like it will make the lives of teachers very difficult.

    1. Halfmad

      Re: Schools?

      I'd argue it's not something teachers should be doing. I work in the NHS, we have a Data protection officer who handles this and will handle the GDPR requirements too, not a single nurse will need to fill in a form.

      It's up to the local council / Education authority and head teachers to ensure schools are ready. They can pass the buck all they want, the ICO won't care when looking to fine.

      1. Frank Jennings - The Cloud Lawyer

        Re: Schools?

        Yes, ask data compliance manager / DPO at local authority / Education authority that oversees your school. Don't forget, existing Data Protection Act already regulates gathering, processing and transfer of data.

        1. localzuk

          Re: Schools?

          I'd say that neither of you understand how schools operate day to day.

          Data is used by staff all day every day. Some departments in some schools sign up to third party education sites (eg. MyMaths) and set up users within those systems (this is especially the case in smaller schools).

          Also, Academies are no longer anything to do with the LEA - it has to be dealt with in house, meaning the school has to pay for legal advice and set up their own compliance systems. That's a significant cost for a small academy, especially when budgets are worth less now than they used to be (inflation, unfunded pay increases etc...).

          Most schools use a catch-all agreement for data usage/processing each year on the data-checking sheet sent to parents. That will have to change, in fact most data protection procedures will have to change.

          So, as I said, it will make teachers' lives more difficult.

  4. Esme

    Question

    Does this mean that companies producing smartphone apps for use within the EU will have to toe the line and not slurp data willy nilly or face multi-million pound fines?

    1. Halfmad

      Re: Question

      Legally yes, but I expect a lot of terms and conditions etc to be updated prior to that to try to wriggle out of it.

      1. Frank Jennings - The Cloud Lawyer

        Re: Question

        GDPR is designed to protect EU citizens' data wherever it is in the world. It is not possible to avoid compliance by simply contracting out of GDPR or changing the law. I imagine previous commenter Derichleau will be watching out for any attempt to do so!

  5. Baldy50

    Fines for companies etc... Yes!

    But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need.

    Notice the article didn't mention how many trusts have been fined over the years.

    https://www.databreaches.net/chelsea-and-westminster-nhs-trust-fined-180000-for-hiv-newsletter-data-breach/

    I remember this one.

    1. Doctor Syntax Silver badge

      Re: Fines for companies etc... Yes!

      "But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need."

      OTOH public bodies handling personal information, especially that from people who virtually have no option but to give it, should not get a free pass if they fail. It's a difficult issue and needs a solution.

      1. HelpfulJohn

        Re: Fines for companies etc... Yes!

        Easy solution: fine the people not the organisation. Sequester the assets and garnishee the incomes of a few managers and Ministers and data protection will suddenly become a very important item on everyone's budget.

    2. Frank Jennings - The Cloud Lawyer

      Re: Fines for companies etc... Yes!

      "But I don't believe schools or NHS/Trusts should be fined, it just takes money away they desperately need."

      As Baldy50 says, we often don't have a choice to use public sector services so they should lead by example but taking away money from an entity funded by the taxpayer is not a great solution. In fact, the whole principle of fining has always struck me as dodgy. "You've committed a [data / road traffic / tax (delete as required)] offence but if you pay us money we'll forgive you."

      Largest public sector ICO fine (and largest ICO fine ever until TalkTalk) was £325k against Brighton and Sussex University Hospitals NHS Trust.

      https://www.theregister.co.uk/2012/06/06/nhs_trust_disputes_ico_fine/

      1. localzuk

        Re: Fines for companies etc... Yes!

        Fining schools or NHS etc is pointless. There should be a consequence to management, not the organisation. A fine for a school could bankrupt them, and all that'd do is disrupt the education of children.

        No, make it apply directly to the person in charge - a personal fine, and loss of their job etc...

  6. Alistair
    Coat

    Keeping an eye on you right pondians

    Don't envy anyone over there in IT.

    Checks Hadoop data store guidance document. "All fields with directly identifying customer data shall be anonymized during the load process".

    Not much, but it's there.

    1. Doctor Syntax Silver badge

      Re: Keeping an eye on you right pondians

      "Don't envy anyone over there in IT."

      The core problem is often marketing wanting to gather too much information and then handing processing of it over to some friendly spammer digital marketing agency. Alternately it's top management wanting to scrimp on IT. In either case pointing out the possibility of €20m fines should give IT a useful line in to put in any powerpoint.

  7. Alex McDonald 1

    VG article.

    Good quality stuff here. Should be mandatory reading for every CEO.

    1. Doctor Syntax Silver badge

      Re: VG article.

      "Should be mandatory reading for every CEO."

      CEOs reading el Reg?

      Following on from my previous comment, and much as I hate powerpoint presentations, maybe the first chance anyone gets to do a presentation for upper management or marketing should start off with a slide saying in large letters:

      IN MAY 2018 WE BECOME LIABLE FOR A FINE OF €20,00,00.00

      That should get their attention.

  8. Anonymous Coward

    To paraphrase Oscar Wilde...

    Government... the stupid in pursuit of the ignorant.

  9. AndrewDu

    The joke about all this is that while private companies risk £20m fines or whatever, the government (any government) will just carry on doing exactly as it pleases.

    Call your bank to make some trivial query about your account and you get the ninth degree of security nonsense, but if the NHS wants to hand over your data to Crapita, that's just fine and dandy, they don't even need to tell you.

    Data protection works for them against you, but not the other way around.

  10. Graham Cobb Silver badge

    Impact of TISA?

    Any analysis of the impact of the Trade in Services Agreement? Reports (not necessarily reliable) say that it outlaws any restrictions on sending data out of the country? Would this prevent the EU signing up? Or override EU rules?

    After Brexit, if we retain GDPR-level rules (so we can exchange data with the EU) what would be the implication if we were then to sign up to TISA, or a bilateral trade agreement with similar text?

    1. Doctor Syntax Silver badge

      Re: Impact of TISA?

      I'm not familiar with the agreement but it would appear the two would be mutually incompatible, especially if or, as I think we mostly expect, when the Privacy Figleaf gets torn down. I think the implication would be that it would have to go to the courts to sort out the implications.
