back to article Beware the GDPR 'no win, no fee ambulance chasers' – experts

The UK's incoming data protection laws could bring with them a wave of "no win, no fee"-style companies, experts have said. Much of the discussion about the impact of the EU General Data Protection Regulation – which comes into force in May 2018 – has focused on the fines regulators can impose. Although these are large – up …

  1. }{amis}{
    Unhappy

    Waiting......

    The impression i get is that a lot of companies are waiting to see what the first few test cases look like before jumping in and reworking their entire companies attitude to data, banking on the odds that they wont be in the first companies to fall afoul of GPDR.

    1. Tigra 07

      Re: }{amis}{

      Makes sense. They do that for everything. Warn 10 companies a tidal wave is coming and i bet less than half plan for it.

    2. Anonymous Coward
      Anonymous Coward

      Re: Waiting......

      I suspect they're looking at other UK regulatory actions and fines against similar "10% of turnover" rules, and concluding that a big data breach is going to cost £4-10m in fines, so probably less than 20% of the clean up costs after the event, and ten to twenty times the ICO's current mosquito bite fines. Those sort of fines are a BAU cost for most big business.

      And the other thing is that the mindset exists in most companies that, having asked themselves a set of easy questions, been given reassuring answers that it is all under control, undertaken some token low cost measures, they conclude that they've done their bit, they are compliant, they are safe, and the directors can doze off again. Take the Equifax breach - they actually had in post a head of IT Security, they had patched most of their systems, they had a big IT budget, they used external advisers and security services. Unfortunately they hadn't patched Struts in the two months the patch was available (and how many big organisations would have a "patch first, ask questions later" regime?). I suspect Equifax would have passed a fairly thorough data security audit. In this respect, data protection is a bit like stopping terrorism - anything you stop or deter is just doing your job, but you have a vast attack surface, and it only takes one to get through.

    3. Doctor Syntax Silver badge

      Re: Waiting......

      "banking on the odds that they wont be in the first companies to fall afoul of GPDR"

      They're probably also banking on being able to get it all fixed in time when someone else falls foul of it first. Good luck with that!

    4. hmv

      Re: Waiting......

      A lesser known power the ICO gets when GDPR kicks in, is the power to instruct companies to stop processing data. Which may well have a much more significant effect than any level of fine.

  2. RFC822

    Dwarves???

    "Dwarves" is the plural of the _noun_ "dwarf".

    When using the _verb_, as in the article, it should be "dwarfs".

    I'm off to listen to Randy Newman's "Short People"...

    1. Doctor Syntax Silver badge
      Headmaster

      Re: Dwarves???

      The plural third person singlar, present tense of the _verb_, which is what is being used in the article, should be "dwarfs".

      FTFY

    2. Anonymous Coward
      Anonymous Coward

      Re: Dwarves???

      I think the plural of the noun is "dwarfs", too, unless you're Tolkien. In the title of Disney's 1937 film (one of Hitler's favourite films, I've been told) it's "dwarfs".

      1. Charles 9

        Re: Dwarves???

        No, in Disney it's with a V, and the spelling is consistent with elves (note that the plural of elf is also spelled with a V), unless you're saying it's supposed to be elfs as well (and for that matter, what about ourself/ourselves and all the related words, and what about wharf/wharves).

        1. Yet Another Anonymous coward Silver badge

          Re: Dwarves???

          Who cares how you spell it, bunch of B'zugda-hiara !

      2. Fazal Majid

        Re: Dwarves???

        Tolkien admitted as much:

        No reviewer (that I have seen), although all have carefully used the correct dwarfs themselves, has commented on the fact (which I only became conscious of through reviews) that I use throughout the 'incorrect' plural dwarves. I am afraid it is just a piece of private bad grammar, rather shocking in a philologist; but I shall have to go on with it. Perhaps my dwarf – since he and the Gnome are only translations into approximate equivalents of creatures with different names and rather different functions in their own world – may be allowed a peculiar plural. The real 'historical' plural of dwarf (like teeth of tooth) is dwarrows, anyway: rather a nice word, but a bit too archaic. Still I rather wish I had used the word dwarrow.

        The Letters of J.R.R. Tolkien 17: To Stanley Unwin, Chairman of Allen & Unwin. October 1937

  3. Loud Speaker

    Google sent me an alert yesterday, and I started reading up on the subject.

    I run a part-time, one-man company with fewer than 10 customers. However, there is no lower bound on company size for the GDPR.

    GDPR compliance could easily exceed my entire workload. It is beginning to look like the end for one-man companies unless something is done about this.

    Before the PC existed, I also ran a one-man company, processing mailing lists for multinationals. I had tens of thousands of names and addresses, all verified.

    Its not easy to say where the cut-off should be, but I would guess that it should have to do with the number of records, and whether they are accessible to outside users. If you only have 10 email addresses, supplied by their owners so you can email them back, and the addresses of people you have billed for goods and services supplied, or who billed you (retention required by law) you probably aught to be exempt.

    I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GPDR".

    1. DJO Silver badge

      I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GPDR".

      That would be blatant fraud and would be prosecuted as such (unless a director was a Tory MP).

      The GDPR expressly exempts data necessary for a business and for tax purposes. In a game of Top Trumps, Tax always beats GDPR.

      1. Doctor Syntax Silver badge

        "In a game of Top Trumps, Tax always beats GDPR."

        Except, of course, Top Trump.

    2. }{amis}{
      Holmes

      Automation

      I do empathise with your point, but i would also point at all of the belly aching that happened when the regs demanding that all companies regardless of size kept proper hr / employment records came in.

      At the time this was a major change / cost but after a few years it is now a automated system that you buy in for a few £ a year

    3. Doctor Syntax Silver badge

      "I had tens of thousands of names and addresses, all verified."

      Verified that they existed or verified that they wanted letter-box litter?

      1. Loud Speaker

        Verified in that "no one cancels a Reader's Digest subscription unless they actually live there". (This was in 1985). Yes we paid for the list of people who had cancelled a Reader's Digest subscription -i it was quite cheap. We also ran competitions in local newspapers - you don't enter a competition with a false name and address. Do not suppose selling address lists started with the Internet.

    4. Anonymous Coward
      Anonymous Coward

      "GDPR compliance could easily exceed my entire workload. It is beginning to look like the end for one-man companies unless something is done about this."

      Unless your company has been a bit fast & loose with handling data ... unlikely. I would suggest finding a really good summary (i.e. not anything published by the UK press), and reading it. It's really not that bad.

      "I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GPDR"."

      No. Some idiot may attempt to claim it, much like they do now with the DPA (the "no, we can't talk to your partner about your account even if you say we can, because the DPA says we can't"-type idiocy), but it's not the root cause.

    5. Anonymous Coward
      Anonymous Coward

      "GDPR compliance could easily exceed my entire workload."

      No - because GDPR doesn't require to perform specific activities, buy/rent specific software or hardware, etc. Even certification is not compulsory - and even there it explicitly says to take into account the need of micro and small businesses.

      GDPR sets out the principles of personal data handling - and the associated fines if something bad happens to data.

      Hope your customer data are handled with a modicum of security.... although I guess they're stored in some Google applications - and thereby the rules about such kind of transfer and processing apply. Surely Google is not happy at all about the rules, and will disseminate a lot of FUD.

      In most European jurisdiction, the handling of personal data is already regulated - for any business size, because what matters are the right of the owner of the data. I don't really care if you're a physician with only nine patients and you leak or store the wrong data (which may kill me later).

      And if you have data about tens of thousand people, I don't really care if you're a one man person, or Google. What matters is the impact of a mishandling of those data. Just, probably, 4% of your revenues will be far smaller than Google's one.

    6. Nick Ryan

      GDPR compliance should be easier for you. There is, very intentionally, no lower bounds to the "organisation size" when it comes to GDPR appliance. If there were, this would be gamed by the unscrupulous within minutes, if not faster.

      What we already have is a new industry of GDPR ambulance chasing, even before GDPR kicks in - i.e. those organisations whose only interest is to promote their "training" or "certification processes" or "GDPR compliance applications". They have zero benefit other than draining cash and making GDPR compliance look considerably harder or "needing" legal advice repeatedly.

  4. Anonymous Coward
    Anonymous Coward

    Let me understand...

    "companies were holding data they shouldn't"

    "firms often don't know what data they collect, or where it is held."

    "companies often try to hang on to data in the hope it will one day be valuable to the business"

    A they shouldn't pay for their mistakes when caught??? It looks to me GDPR is only opening the septic tank, and it's time to clean it.

    Most (if not every) companies have been very sloppy and grredy with their customers/users data. Now it's going to change - at last!!

    They can't blame the law - they can only blame themselves for having been greedy idiots, hoping nothing would ever change. If those data are valuable for them, it's clear they are also valuable for their owners, and any criminal who believes they can be exploited for profit.

    1. Derezed

      Re: Let me understand...

      100% agree with this.

      The wild West approach to personal data management at companies needs to end. Don't hate the player, hate the game.

      1. Doctor Syntax Silver badge

        Re: Let me understand...

        " Don't hate the player, hate the game."

        Why not both?

    2. Anonymous Coward
      Anonymous Coward

      Re: Let me understand...

      companies often try to hang on to data in the hope it will one day be valuable to the business

      Isn't that exactly what the "Big Data" analytics firms have been pushing - all that lovely data just sitting there waiting to be mined?

  5. ArchieTheAlbatross
    Coat

    At least we know now

    What all the PPI firms will be doing next.......

    1. I ain't Spartacus Gold badge

      Re: At least we know now

      The problem is that all the PPI firms have caused a massive embuggarance with spam calls and timewasting. But on the other hand, the banks have now been forced to pay out something like £25billion in compensation - so to some extent that's been worth it. Maybe that's a big enough sting - involving much pain, reputational damage, time-consuming clean-up and cold hard cash - that the banks will learn a few lessons.

      In an ideal world senior execs would have gone to prison, or at least had their lives ruined for a few years while being fruitlessly dragged through the courts before getting off on the difficulty of proving intent/individual responsibility. The mortgage backed securities thing was a collective mistake, the PPI thing was in large part an organised fraud.

      If the regulators aren't going to do their jobs, then maybe the fear of legal chaos is the only thing we can hope for, to concentrate a few minds.

      1. Anonymous Coward
        Anonymous Coward

        Re: At least we know now

        let me corect that for you:

        > the banks customers have now been forced to pay out something like £25billion in compensation

        1. TheVogon

          Re: At least we know now

          let me correct that for you:

          >> the bank's shareholders have now been forced to pay out something like £25billion in compensation

          And in some cases subsidised by the tax payer...

      2. Loud Speaker

        Re: At least we know now

        fruitlessly dragged through the courts

        Preferably feet first, and by galloping horses.

    2. Doctor Syntax Silver badge

      Re: At least we know now

      "What all the PPI firms will be doing next"

      And doing it to each other with any luck.

    3. Hans Neeson-Bumpsadese Silver badge

      Re: At least we know now

      What all the PPI firms will be doing next.......

      I wonder how well they'll be securing their database of potential clients...

    4. Flak

      Re: At least we know now

      "What all the PPI firms will be doing next......."

      ... with the database of clients they have built up through the PPI feeding frenzy!

      Perhaps they can conveniently augment that with green energy, double glazing and kitchen sales companies' databases.

      Keep those auto-diallers dialling!

  6. WookieBill

    In the recruitment industry the panic is just starting to set in.

    I customise CRM systems used in the recruitment industry for a living, The Business Analysis side of our company have been warning our clients about GDPR for ages, people are only just sitting up and starting to take notice.

    One issue is that many of the CRM systems used in the recruitment can't easily delete data.

    To maintain referential integrity when you delete a candidate, all that happens is that the candidate is given a deleted status and is hidden from the users, that data still remains in the DB along with the CV and all the lovely personal data goodies it contains. This is currently giving me lots of migration projects as people switch to supported CRM systems that can be made compliant.

    As well as the technical issues, psychologically, its difficult to get recruiters to delete candidate data, it's their product after all, when I was in house, it was quite a task getting permission to delete stuff from senior management (it usually involved lots of nagging and pointing out we hadn't spoken to people in a decade)

    I predict much wailing and gnashing of teeth in recruitment, as soon as a recruiter sends out a job spec to half the internet and lots of legally switched on types notice that they didn't give consent under GDPR and fire up the lawyers.

    1. Doctor Syntax Silver badge

      Re: In the recruitment industry the panic is just starting to set in.

      "I predict much wailing and gnashing of teeth in recruitment, as soon as a recruiter sends out a job spec to half the internet and lots of legally switched on types notice that they didn't give consent under GDPR and fire up the lawyers."

      And well deserved. One could spend time customising a screed for one particular gig only to have the pimp send it out for something quite different. I'm sure this must occasionally cost perople gigs they might otherwise have got so real money's involved.

      1. Alan Brown Silver badge

        Re: In the recruitment industry the panic is just starting to set in.

        "And well deserved. One could spend time customising a screed for one particular gig only to have the pimp send it out for something quite different."

        Not to mention the asswipes who reactivate your existence on their mailing lists a couple of years after you've told them to delete your data.

        (Not just recruiters. Asda have done this twice)

    2. Duncan Macdonald

      Re: In the recruitment industry the panic is just starting to set in.

      Unless the CRM system is completely stupid it will be able to do database exports and imports. If so then (if there is no better way) the deleted data can be removed by exporting the non-deleted records then dropping the database tables and recreating them from the exported records.

      Another possible alternative (depending on the database structure and the CRM programs) would be to overwrite the data in the "deleted" records - replace all the text with a load of XXXXXXXXXXX , change all personal names to "John Smith", change all NI numbers to "VV123456Z", change all company names to "Fake Company", change all phone numbers to "0123456789" and change all addresses to "House of Commons London SW1A 0AA" - this should remove the personal information.

      1. WookieBill

        Re: In the recruitment industry the panic is just starting to set in.

        Most CRM's are SQL based so stuff can be deleted with enough time/skill, but as recruiters are on commission (and thus tend to want to work weekends as well as normal office hours) bringing down the CRM for half the weekend while you do a manual delete via SQL does cause some stress.

        While its fine having an outage once in a while if your doing it every weekend for the latest batch of GDPR removal requests, its going to get old quickly. Not to mention, if I am working weekends cleaning out your data, frankly your going to be paying for it (either OT costs or TOIL). Unfortunately, some techie doing manual deletes on your CRM each week isn't really a viable business solution.

        Obfuscation of the data will work for some industries, the problem with recruitment, is that we deal with a lot of personal data in document form (CV's, Passport scans for legal compliance etc), all of that is going to have to be cleared off a record to put it out of use and although you don't generally run into any referential integrity issues with documents, unless the CRM has a real delete function in it for user level deletes, you are still paying people like me to go clear your data off at a weekend.

        Also, its not just about the CRM's, Email/Exchange, SMS facilities and Mass mailing systems (e.g. Dotmailer) all need to be cleared of identifiable data and usually they are not well integrated with the CRM and certainly not for delete functions.

        Its not that any of this is technically impossible, its that frankly doing all the analysis and development is a lot of work. In the same way that in Y2K it was easy to say, oh just store your dates in long date format, saying it is one thing, changing policies, procedures and systems is something very different and quite expensive.

        1. Anonymous Coward
          Anonymous Coward

          Re: In the recruitment industry the panic is just starting to set in.

          There's really no need to bring down a SQL database while you delete old records, or any application using them - unless you're deleting millions or billions of records.

          Sure, some old engines had issue because of lock escalation and the like, but a well coded application written by skilled developers knowing the database they use will minimize those issues.

          And that's not what you usually do "manually" - they should be automatic jobs that can also be run at night or when most people are on holidays. And may need to be run only a few time per year, maybe only one - unless you have specific delete requests. Which, again, should be processed by specific functions to avoid the classic "manual error".

          There was also a reason why I always advocated to store all data inside a database, and not scattered around in file shares or the like, for example - because in a database I could track where they were, and could ensure a full delete of them when needed.

          Data contained in other systems - and you know where they are, right - of course needs to be managed accordingly - technical solutions can help only up to a point.

          Actually, the real issue are archived data, like old backups. They can't be easily cleaned of no longer useful data only.

          But what you tell is exactly the problem the article illustrates: companies for a long time recorded data without any clue about how to manage them properly.

          1. Loud Speaker

            Re: In the recruitment industry the panic is just starting to set in.

            a well coded application written by skilled developers

            So no need to panic then?

            1. Anonymous Coward
              Anonymous Coward

              Re: In the recruitment industry the panic is just starting to set in.

              Several reasons to panic, of course... the GDPR will make surface a lot of applications issues and bad database/storage designs. As written in another post, it's opening the septic tank.

              Requiring "by design" security and privacy will make clear what was written by competent and skilled people, and what was written by unskilled (and usually low paid) ones. It could be a good thing, because many will need to invest to clean the mess, or face the fines one day.

      2. This post has been deleted by its author

      3. katrinab Silver badge

        Re: In the recruitment industry the panic is just starting to set in.

        What if the candidate table is linked to your tax invoice table, which you are required to keep for about 8 years (6 years from the tax return deadline date, which for a company is one year after the end of the accounting period).

        Your tax invoice must contain a description of the product or service supplied, which would be the candidate.

    3. Anonymous Coward
      Anonymous Coward

      Re: In the recruitment industry the panic is just starting to set in.

      Good databases have been implementing cascaded deletes/updates for a long time. And even without, it could be implemented with triggers and/or stored procedures. Of course, developers using RDBMS as simple data dumps resembling file-based storage ignored good practices.

      The reasons behind not deleting a record could have been regulatory - i.e. if you need to keep payroll or invoice data you may need to keep those records in the database for some years, but not show them as active - or, as the article says, greedy ones - "those data could be valuable one day".

      The application I wrote when I was involved in such kind of applications had functions to perform cleanups every year, purging records that were no longer needed by law. Another way was to export them so they could be stored and timestamped on WORM discs if they was to be stored off-line.

      And as GDPR says, you have to track those records as well, and destroy them when they are no longer needed.

      I'm sure there's a lot of crappy software out there. It's not an excuse to keep, sell and make data vulnerable.

      1. WookieBill

        Re: In the recruitment industry the panic is just starting to set in.

        I agree, and actually, I think in some ways we have gone backwards.

        There is one CRM I deal/dealt with that was based on its own custom filesystem rather than SQL, it had a real delete function (but no referential integrity), its newer (not that new) replacement system is SQL Server based and has no hard delete function for users/administrators and the delete entity stored procedure that exists in the DB no-longer functions (they have added additional FK constraints to later versions of the CRM but not updated the USP).

        Now, I expect the company in question is planning to address this in a new release (and probably most other CRM vendors too) but that means an additional project for every firm that uses the software (test & deployment) and all that needs planning in, ideally now before its too late.

      2. Anonymous Coward
        Anonymous Coward

        Re: In the recruitment industry the panic is just starting to set in.

        "Good databases have been implementing cascaded deletes/updates for a long time. "

        All good databases do, yes. Sadly poor designers and shitty app coders, do not!

        Some very badly written apps still do all that pesky referential integrity in the app tier instead of letting the DB do what a DB does best, deal with maintaining and securing data. I remember the first time I peeked in a Siebel schema and just couldn't believe there was just a shed load of tables and indexes with nothing holding any of them together! You want to delete something and you don't want to use the app well you'd better get your cheque book out cos you're going to be calling in a Siebel tech at £1000 a day to do it for you!

  7. RegGuy1 Silver badge
    Thumb Up

    A good thing too

    This EU thingy seems pretty cool to me. They have worked out a way to get Google (and the rest) to pay more tax.

    What's that? We're leaving? Which pillock thinks that's a good idea?

    1. ToddRundgrensUtopia

      Re: A good thing too

      An awful lot of us do

      1. Cynical Observer
        Trollface

        Re: A good thing too

        @ToddRundgrensUtopia

        But can you explain why?

        1. John G Imrie
          Facepalm

          Re: A good thing too

          They want to leave because they don't want the hordes of Turkish immigrants entering the country just as soon as Turkey enters the EU. At least that was one of the reasons a friend gave me for voting leave.

          Oh what's that. Turkey is unlikely to enter the EU any time soon, and because we are leaving we want to do trade deals with any one including Turkey which will likely involve letting hordes of Turkish immigrants enter the country.

          1. ToddRundgrensUtopia

            Re: A good thing too

            Perhaps you have a stupid friend

          2. Loud Speaker

            Re: A good thing too

            Think of the Kebabs!

          3. TheVogon

            Re: A good thing too

            "They want to leave because they don't want the hordes of Turkish immigrants entering the country just as soon as Turkey enters the EU"

            Within a few decades, global warming is predicted to create tens of millions of refugees. The Turks are the least of our worries.

        2. Anonymous Coward
          Anonymous Coward

          Re: A good thing too

          Here is my reason.

          The general feeling in the EU is that they should be heading for a Federated State, with more and more power being moved to Brussles. There is legislation in their pipeline that moves things like tax harmonization closer.

          This is happening at the same time as efforts to change the structure of the EU to better reflect the fact that it (currently) has 28 members rather than the founding 6 members failed, leaving the voting structures in the EU almost completely incapable of allowing any significant or controversial policies to be implemented in a reasonable time scale. I predict we will see the effect of this as they debate any UK exit deal, as I think it's going to be a long and difficult process to get them to agree to anything at all.

          Without reform, the EU is fast becoming moribund, and I did not want the UK shackled to an organization that we did not join (we joined the EEC, an organization with a different purpose), that I see as having a reducing importance in the world (and, yes, I do know that the UK was instrumental in the Maastricht Treaty, although I think UK politicians at the time thought that it was a first step in reform, rather than an end in itself).

          Stresses within the EU over the north/south financial policies, the increasing desire to make the Euro the currency across the whole of Europe, and the increasing pressure on the southern most countries to cope with migration pressures without assistance from the countries further away, will, in my view, tear the current EU apart.

          It will only take one of the major countries to have a right-wing government elected, and IMHO we will see border control between EU countries again, and a rising reluctance to offer financial support to the poorer countries. It amazed me that the Greece situation was constrained, and this was only by other EU countries, in particular Germany, offering money to prop Greece up while it dismantled it's pension and social services to contain costs. Will the German population agree to do this again in the future? Only time will tell.

          If the EU had agreed to much needed reform, I would have voted differently. But my only regret in voting the way I did is that those around me thought I did it because of immigration, which, if it was at all, was only a very, very minor part of my decision.

          1. Anonymous Coward
            Anonymous Coward

            "while it dismantled its pension and social services to contain costs"

            That was wholly a Greek decision. It had public employees who got pensions for almost nothing (they could retire very early, and even unmarried daughters got pensions http://greece.greekreporter.com/2015/06/16/greek-unwed-sons-to-receive-pension-if-deceased-father-was-civil-servant/) combined with a long standing habit of evading taxes on everything - for example car fuel. Any attempt to recover those money utterly failed because politicians don't like to enforce "unpopular" measures when they touch hard their friends and themselves, so when they need money they aim at the weakest one, those who can't complain too much, and are not influential.

            Greek is a failed state because it is a failed society - and of course it's not the only one in Europe, just the first to go down the hill. Just wait for the upcoming elections in Italy...

            1. Commswonk

              Re: "while it dismantled its pension and social services to contain costs"

              @ LDS: That was wholly a Greek decision.

              As, we must assume, was employing Golden Sacks to massage the books so that the country could join the Euro.

              A decision that has cost others dear...

          2. Anonymous Coward
            Anonymous Coward

            Re: A good thing too

            The EU has stresses and strains like any multinational organisation. The UK, for example, is not without internal tensions within the Union (Scotland, Northern Ireland etc.).

            The question is not "Is the EU without flaws?" but "Will the UK be better off outside the EU?".

            No one knows the answer to this yet but from where I am sitting:

            i. our abiliy to benefit from Brexit are dependent on managing the process in an competent manner. I think even most Brexiters would agree that the Brexit process has been a complete shambles. It looks like we are heading for a very, very hard landing. We have about 12 months left to wrap up exit arrangements with the EU (latest date for ratification by EU States) and from the conversations I am having, the Government doesn't even understand the issues, let alone know the solutions, let alone agree them with the EU;

            ii. there are very significant disadvantages to leaving the worlds largest single market. Yes, I know we "might" get an FTA for goods but if we are not in the customs union then customs control at our borders will be very damaging, and regulatory divergence will create significant non-tariff barriers. For services (80% of our economy) the position is much worse, hence the exodus of financial services from London.

            I could go on but frankly why bother. Brexit is a relgion. You believe it or your don't.

            However, please note I have a hate list for Brexiters and if Brexit goes badly wrong (which increasingly seems the case) you do not get to disown it.

        3. ToddRundgrensUtopia

          Re: A good thing too

          Democracy,

          Make our own laws

          Security

          Trade with the growth regions, (which isn't Europe)

          Guy Verhofstadt

          Junker

          Clegg

          All Libdems

          Martin Selmayr

          JCB

          Dyson

          SMEs (who employ most people in the UK)

          is that OK for now?

          1. Cynical Observer

            Re: A good thing too

            No. Not really. Take for example Dyson and JCB. You voted out because they recommend it? But Dyson has offshored how many jobs? His faith in the country is that robust?

            JCB lost court cases in Europe - are we really to believe that this didn't colour their opinion?

            Some of your reasons would seem to stem from personal dislike of individuals. But people come and people go. Jean Claude will be gone in a few months.

            Security - how does diminished cooperation improve security?

            And trade - Oz has said its first priority is a deal with the EU because of the market size.

            I appreciate it's a big ask but please, more than just a list of words, why did you make the choice you made?

  8. Anonymous Coward
    Anonymous Coward

    All this is against a back drop of giggling ...

    When data protection breaches are mentioned.

    Case in hand. My mobile rings. Turns out it's a recruiter asking my availability. Only snag is that is my work mobile, and has never ever been used to register as a candidate.

    It *has* been used to register as an employer.

    I ask the young lady where she got my details. She replied "Oh, they were on the system".

    At which point I got a tad medieval, and suggested that (a) she was lying, and (b) I wasn't impressed that her employer was so casual around data protection.

    "Oh" she said *giggling* "That's not a big deal is it ?"

    One very grumpy email and a few minutes later and I had the companies lawyers on the phone "clarifying the misunderstanding". The main misunderstanding being that I record *all* calls these days.

    Anyway, that's the mindset you are up against.

    A/C, as legal words were exchanged.

    1. Anonymous Coward
      Anonymous Coward

      Re: All this is against a back drop of giggling ...

      "The main misunderstanding being that I record *all* calls these days."

      I hope those calls are stored on a GDPR compliant database. The usual "All calls may be recorded yada yada yada" doesn't absolve you of your data protection responsibilities with those calls. In fact I'm certain we've spoke before. Can I please have a copy of all recordings involving me or about me in an MP3 format? What's that? You haven't got them? You've published that you record all calls so by not having them you are either lying or in breach of your own policy. Naughty naughty both ways as far as the GDPR is concerned. Please provide evidence that you didn't have a recording of the call after all.

      Etc etc etc :)

  9. GingerOne

    Surely for this to work for the ambulance chasers they will need to change their model from how they operate in the PPI model? They will no longer be able to do cold calling (in fact this could completly illiminate cold calling?), they will only be able to advertise and wait for customers to contact them and expressly give them permission to hold their data. This really could be such a massive game-changer.

  10. Anonymous Coward
    Anonymous Coward

    Fuck 'em

    Personally I would be happy to add my name to an 'ambulance chaser' and the warm feeling I would get knowing lawyers were hounding people who were storing information on me would be reward enough.

    This crap has gone on too long, from tracking adverts, tracking ISPs, tracking 'free' WiFi, to cold callers, to telemetry in everything from your hoover, your phone (fuck you Android), your car, your speakers, your headphones, watches, vibrators, childrens toys, your compiler (fuck you Visual Studio 2015), your operating system (fuck you Windows 10), libraries (fuck you .NET), the transport system (fuck you London Underground). And of course a massive fuck you to Google and Facebook.

    I hope GDPR draws some blood.

  11. Anonymous Coward
    Trollface

    Ring-ring....

    "Hello, this is Steve in Mumbai. You may have been a victim of a privacy breach that wasn't your fault, we can help you with that"

  12. Anonymous Coward
    Trollface

    Sweet!

    Just updated my company's B2C terms and conditions, stating that all contracts are formed under US legislation and any claims will heard before a court in Orange County, CA.

    Anyone who buys online accepts they've accepted these T&Cs

    1. GingerOne

      Re: Sweet!

      Good luck with that.

    2. imanidiot Silver badge

      Re: Sweet!

      Yeah, good luck with that. I HIGHLY doubt those T&Cs are enforceable.

    3. Anonymous Coward
      Anonymous Coward

      Re: Sweet!

      Orange County? Pffft.... use some imagination. Somalia is where it's at...

    4. Anonymous Coward
      Anonymous Coward

      Re: Sweet!

      Read Chapter V of the GDPR....

      1. Yet Another Anonymous coward Silver badge

        Re: Sweet!

        I put that all complaints have to be filed at our office in Mordor

    5. TheVogon

      Re: Sweet!

      "Anyone who buys online accepts they've accepted these T&Cs"

      If you sell to someone in the EU then EU laws apply. Any T&C that contradicts EU law is invalid. So if an EU customer say raises a credit card chargeback based under a right in EU law, you will lose it.

  13. Alan Brown Silver badge

    The death of a million paper cuts

    It's _exactly_ this threat that's needed.

    If you want evidence of how well this works in practice, look at the stats of the US junk fax industry before and after the passing of the Telephone Consumer Protection Act.

    Yes, there are still junk faxers, but putting most of the small fly-by-nighters out of business (by making the hirers liable for damages too - which rapidly let to a dearth of companies willing to pay for fax advertising) left the authorities more able to go after the egrarious offenders such as fax.com

    1. Charles 9

      Re: The death of a million paper cuts

      But you would think they would just funnel things through foreign shells where the law can't reach them. I think the big thing that ended junk faxing was simply faxing going out of style in favor of e-mail attachments (and note, we haven't found a solution to the Spam problem in e-mail as of yet). That and faxmodems which means faxes could be winnowed before they were printed, reducing waste.

  14. JimmyPage

    junk fax industry

    Personally I thought that died a death when fax machines stopped using paper, so junk faxes cost nothing to bin.

  15. Missing Semicolon Silver badge
    Happy

    Finally!

    The potential cost of a breach now will be of the order of the profits, if the ambulance-chasers are anywhere near good enough.

    The unintended consequence of GPDR will be to actually work!

  16. Anonymous Coward
    Anonymous Coward

    The Lawyers Are Coming

    I've already dealt with a few that see this as a *big* pot of gold, once they figure out the best way to setup the money-generating conveyor belt. It's the next PPI with absolute certainty.

    I think it will be a lot bigger than PPI as we are all potential claimants, not just those of us that had useless extras tacked onto loans/credit cards etc.

    GDPR introduces several key differences compared to the current regime: consent must be freely given, informed, specific & auditable; co-liability between data owner and data processor; really big fines (the bigger of €20m or 4% of global turnover); breaches can be administrative & not require actual data loss; compensation claims allowed by data subjects due to 'distress' even if no actual loss resulted from a breach - that's the big one for the lawyers to exploit..

    GDPR doesn't just affect companies either. Some of the schools I've dealt with have been sharing pupil data willy-nilly with external providers for years without explicit consent. Data subjects (pupils) are opted in via woeful 'data privacy' notices. The 'public interest' or 'essential processing' argument will crumble once the lawyers get going.

    Results analysis & performance tracking being the perfect example of poor data handling/processing behaviour: "We like using this system, even though there's no legal requirement to do so, we've done no due diligence on the external supplier, everyone else uses them so they must be OK, we don't know where the data is held, we don't know what security is in place, we don't know who can access the data at the other end, we don't know who at the supplier is CRB checked (if anyone), we didn't ask for or receive consent from pupils/parents but there's no risk on us so we don't care, we'll use it anyway cos we like it".

    That's just one example of a widespread GDPR-unfriendly reality that will be like shooting tuna in a barrel for the lawyers come May '18.

    Bring it on.

    1. Duncan Macdonald

      Re: The Lawyers Are Coming - caseload

      Filing a lawsuit is one thing - getting it heard may be another. If there are too many GDPR cases filed then it could take a long time for them to be heard by the courts. (Most courts already have large caseloads and there are complaints about too many cases and too few judges.) Unlike PPI where most cases were straightforward and well documented there will be a lot of variation between GDPR cases and judges will have to decide in each case whether there was a significant breach and what (if anything) is the correct amount of the penalty.

      (Crudely - having and releasing private details on all the UK population has a maximum penalty of £20m or 4% so what is the correct level of penalty if data on only 100 people is involved. That is a matter for the judge to decide depending on the circumstances. Also either side could appeal which would result in even more court backlogs.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like