Unknown number of people?
Nonsense, nobody, ICO included bothered to check.
Just shows how seriously they take it, if they don't know - they can't inform those involved. That's a failing both by the company and the ICO.
A pharmacy that left around half a million documents, including customers' personal information and medical data, in unlocked storage at the back of its premises, has been fined £275,000 - a financial penalty the ICO has issued under the General Data Protection Regulation. UK data watchdog, the Information Commissioner’s …
On 100% of the paper?
It's something the El'Reg readers are totally inconsistent on. They may be experts on database tech, auditing etc., but the basics go right over their heads.
They didn't even list an estimate for the number of people, which means it was all binned prior to the ICO investigation, or the ICO completely failed to push them on it. Either of these is bad for the data subjects.
I 100% guarantee the average punter off the street would have been able to get some identifiable information from that pile of papers; it's not as if it was submerged in a swirling swimming pool.
I agree with Halfmad, the ICO are clearly out of their depth and most of what we get from them is window dressing. I doubt the ICO discovered this themselves independently; most likely a good-natured person took some time out of their day and reported it to them.
I can only go by what I observe, and all I observe with them is ineptitude and their clueless approach to the problem.
I've never understood why companies bothered to go to the effort of blocking people.
If you own a company in America, trading in America and somebody happens to visit from the EU and is subject to the GDPR then so what? That's their problem, not yours.
The GDPR can only be enforced against a foreign company if that company actually has a local subsidiary in the EU. In extremis the EU commission might decide to block payments to a particular US company that was accepting and processing orders from EU customers, but honestly I think they'd struggle to do even that.
They certainly wouldn't be able to impose fines for noncompliance; foreign courts would (quite rightly) point out that courts don't have jurisdiction out of their territory and refuse to enforce their decisions.
And if the company in question never sends anyone on business trips to Europe, or doesn’t have any presence in Europe, and ships their assets in ways which do not enter Europe? This attitude is precisely why the place I work has simply geoblocked IPs from the EU. We have told our (very few) customers in the EU goodbye and have stated on our ToS that we do not offer service to the EU. The only data still present on EU residents is in our backups, and as those age out (for tax reasons we must keep some records for seven years) that data will be removed. At least two potential customers have attempted to use VPNs to get past our geoblocking; we terminated the (fraudulent) contracts when we discovered them. We do not want to hold any PI on EU residents. We don’t want your business. Find someone in the EU to do what we do, there must be someone, and if you have a problem, that’s _your_ problem, not ours. We are not in advertising, we don’t give a damn about tracking beyond getting our services to the correct address and we are simply unwilling to comply with any right to be forgotten which might conflict with keeping data for taxes. Once past the IRS’ requirements, that data will be gone, but not one millisecond before. If this upsets someone, how sad, too bad, come over here and do something about it. We have zero assets of any kind in the EU, as of this nonsense we stopped going to conferences and such in the EU, our clients in Africa and the Middle East can be served without anything entering EU territory or airspace.
I, personally, have not been in the EU since the late 1970s. I no longer have very many close relatives in the EU, and, frankly, have little interest in EU tourism, especially as some bright lad might try to enforce EU bullshit on me personally.
Let the downvotes begin.
The UK requires tax records to be held for 6 years after the tax return deadline, or if you submit the return late, 6 years from when you file it. That means in practice for about 7-8 years from when the transaction took place.
If you are required to hold records for tax purposes, whether it is HMRC, IRS or anyone else, that's fine. The GDPR doesn't interfere with that. It only gets involved if you start using your tax records for another purpose.
Or they could just *not collect* any of the data of EU visitors.
You know, serve adverts that are merely relevant to the content on your specific website instead of trying to "personalize" them and acting like that creepy guy who follows you around all the time taking notes about everywhere you go and everything you say and do.
Compliance is trivial, all you need to do is grind your marketing department into a red goo every time they suggest tracking people is a good idea.
So the cost of proving you need the data: who pays for that? GDPR is a tax for doing business in the EU. Not every business is going to be happy to pay that.
Sheesh, people. I get dumped on all the time when I say that if you do business in the US, you must comply with our laws. You folks are demanding that people do business in the EU!
If you do business in jurisdiction X, follow the laws in X. If you don't like the laws in X, don't do business there.
What is hard about this?
"So the cost of proving you need the data--who pays for that?"
Most of said cost is very small, i.e. several simple forms (including links to the particular laws that define what data must be kept) and little to no human supervision. If the American (or Whereverian :^) company only keeps the data they need to comply with their legal obligations and only for the mandatory period, everything can be automated in a few hours, and it's a one time charge (unless the laws change).
Things get complicated, though, if they try to keep any other kind of data, or if they expect to sell space in their webpages to the usual suspects (G, FB, etc.).
To make my point clear: I understand that for pop & mom shops with minuscule online sales to the EU, the most cost effective solution could be geoblocking, but for anything above that (i.e. most companies that sell online to the rest of the world) the cost should be peanuts.
1. According to our legal and accounting people, the cost would not be peanuts, and it would be on-going, as it would apply _every_ time we added a new EU-based client. It would be additional expenses. We could just pass the cost to the customers by raising prices. We see no reason to have a two tier pricing system, one price for the EU and one price for everyone else. And I believe raising prices to cover GDPR is a no-no anyway.
2. The definition of ‘other kind of data’ is critical. If, in our opinion, we need certain data, but in the EU’s opinion we don’t, there will be an expensive problem.
3. We really don’t care for that 4% of the gross penalty.
4. You have to delete data on demand, even if the reason is stupid or there is no reason. We have data for a reason and no, we are not leaving holes in our databases because some idiot has a hissy fit.
Simple solution: do no business in the EU.
"If, in our opinion, we need certain data, but in the EU’s opinion we don’t..."
Quoting the relevant USA laws regarding mandatory data retention in the terms and conditions and the forms would get rid of the issue.
"the cost would not be peanuts, and it would be on-going, as it would apply _every_ time we added a new EU-based client."
That's what these newfangled things, automation and IT, are for. In this context, very easy stuff unless you or your "partners" are intent on selling clients' data to "third parties". If this is the case, things get exponentially more difficult, which is, IMHO, one of the main points of GDPR.
"you have to delete data on demand..."
This can be done through a user-facing form and some simple database code, unless -again- the company involved is trying to slurp as much data from customers as they can.
"we are not leaving holes in our databases..."
Why? Do you intend to keep customers' data forever? For what reason?
It might well be the case that it makes sense for your business to geoblock the EU and if this is the case, please geoblock at your leisure, but I get the impression that many American companies doing this could have been misled in regard to the GDPR and its application.
The data gets removed when it ages out... and not one millisecond before. As I stated earlier. No, we don’t keep it forever. Yes, we do keep it until we no longer need it... and _we_ decide when that is. No, we will not be paying extra just to satisfy the EU. It’s much simpler to just not do any business with EU residents. Problem done.
As far as holes in any database, aren't the two main areas where that would even be any kind of problem invoicing (ERP) and corporate Email? Where a US company could simply say "our retention policy is permanent retention for taxation and legal defense purposes", especially considering the only PII in play would be address, phone, and Email? If those are in a dedicated, segregated, secured system (definitely ERP should be already for business reasons), and marketing has zero access, then it should be considered reasonable retention?
1. National legislations in several jurisdictions are beginning to align their data protection legislation with the GDPR anyway (some are even more demanding), and this is not a new problem anyway. A decade ago I had to review worldwide data protection legislation for a multinational, and we found there were around 30 different national requirements to fulfil. The idea that the GDPR is the first time you needed to take foreign data protection law seriously is a dangerous myth.
2. The GDPR doesn't define any data as "critical". It defines certain categories as sensitive, but these are essentially the same categories as were defined as sensitive under the EU Directive and thus under our UK DPA 1998. So no change there.
3. In which case you'll probably be awarded it. The maximum penalties are assigned where wilful negligence or intent to act unlawfully are in evidence.
4. The GDPR right of erasure is qualified by the data in question no longer being required for legitimate declared business purposes, so this is also a non-problem.
The best solution would be to take advice from people who actually know what they're talking about. Every Tom Dick and Harry has suddenly become an "expert" on the GDPR, and almost all of them are talking tosh, probably due to the five-day-and-pub-quiz Data Protection Officer crash courses. Would you employ a CFO who'd only taken a one week course in accounting?
"What is hard about this?"
Nothing, apart from the fact it isn't a tax; it's just that whatever you need to do to comply with the law wherever you trade is a standard cost of doing business.
So why do US businesses come here whinging about having to obey the laws of the countries they want to do business in? Is it just the general view that US law should apply everywhere?
There isn't an "exemption" (explicit or otherwise) as it's not needed anyway. Retention can be on any basis you choose provided you justify, document and adhere to that basis. You're even allowed to describe the basis on which you decide retention periods rather than specifying a finite duration (e.g. "until no longer required for taxation claims").
In event of challenge, the supervisory authority should however be likely to agree that your retention criteria are reasonable, so you do have to be specific whichever of the two approaches to defining and documenting it you choose to adopt.
Actually it can be enforced if a business in a third country markets or delivers its services in the EU. If that is the case, the business must appoint a representative in the EU to which data subjects can apply to exercise their rights. The marketing has to be envisaged, so a chance enquiry or purchase by a data subject in the EU does not automatically qualify, but if for example the business web site supports EU languages or currencies it will.
"Come Jan 31, if the UK leaves the EU as planned, Brexit will trigger a statutory instrument that changes some text to create a "UK GDPR". The little kingdom's Data Protection Act 2018 will also get tweaked. You can see the expected changes here. ®"
No, your link is to changes planned for "the event the UK leaves the EU without a deal". Come Jan 31, if the UK leaves the EU as planned, 'no deal' plans will not come into effect. Please keep up.
(Unless, of course you're talking about Ben and Holly when you mention a 'little kingdom'.)
The 'No Deal' exit is still on the table for 31st Dec 2020 if there is no Trade Deal with the EU by the end of June. Given that El Supremo Bojo has removed certain EU workers' rights from the withdrawal agreement then, as he has IMHO clearly wanted since the day he came out on the side of EXIT in 2016, we will exit with 'No Deal'. Then we'll see the fun really start.
Bail outs from the IMF (as happened in the late 1970s) perhaps?
Just my useless 2p worth of thoughts.
The URL suggests that that's the site to deal with DP implications of leaving the EU so it's scarcely el Reg's fault if that's the best HMG can do. However you need to remember that the end of January just decants us into a transition period during which a deal is to be negotiated. As yet that deal doesn't exist and until it does No Deal is the actual situation beyond the end of next year. So as far as I can make out the site is telling it like it is.
I think people are getting confused about "deal" and "no deal" and what it/they refer to. The "deal" is the one between the UK and EU on beginning the process of leaving the EU and the transition period. That's what the recent vote was about. We "leave" the EU on Jan 31st but pretty much everything stays just as it is now until Dec 2020, the end of the transition period. At that point, we need another deal in place, e.g. a trade deal to define our future relationship with the EU post-transition period.