Beware the GDPR 'no win, no fee ambulance chasers' – experts The UK's incoming data protection laws could bring with them a wave of "no win, no fee"-style companies, experts have said. Much of the discussion about the impact of the EU General Data Protection Regulation – which comes into force in May 2018 – has focused on the fines regulators can impose. Although these are large – up …
I suspect they're looking at other UK regulatory actions and fines against similar "10% of turnover" rules, and concluding that a big data breach is going to cost £4-10m in fines, so probably less than 20% of the clean up costs after the event, and ten to twenty times the ICO's current mosquito bite fines. Those sort of fines are a BAU cost for most big business.
And the other thing is that the mindset exists in most companies that, having asked themselves a set of easy questions, been given reassuring answers that it is all under control, undertaken some token low cost measures, they conclude that they've done their bit, they are compliant, they are safe, and the directors can doze off again. Take the Equifax breach - they actually had in post a head of IT Security, they had patched most of their systems, they had a big IT budget, they used external advisers and security services. Unfortunately they hadn't patched Struts in the two months the patch was available (and how many big organisations would have a "patch first, ask questions later" regime?). I suspect Equifax would have passed a fairly thorough data security audit. In this respect, data protection is a bit like stopping terrorism - anything you stop or deter is just doing your job, but you have a vast attack surface, and it only takes one to get through.
No, in Disney it's with a V, and the spelling is consistent with elves (note that the plural of elf is also spelled with a V), unless you're saying it's supposed to be elfs as well (and for that matter, what about ourself/ourselves and all the related words, and what about wharf/wharves).
Tolkien admitted as much:
No reviewer (that I have seen), although all have carefully used the correct dwarfs themselves, has commented on the fact (which I only became conscious of through reviews) that I use throughout the 'incorrect' plural dwarves. I am afraid it is just a piece of private bad grammar, rather shocking in a philologist; but I shall have to go on with it. Perhaps my dwarf – since he and the Gnome are only translations into approximate equivalents of creatures with different names and rather different functions in their own world – may be allowed a peculiar plural. The real 'historical' plural of dwarf (like teeth of tooth) is dwarrows, anyway: rather a nice word, but a bit too archaic. Still I rather wish I had used the word dwarrow.
The Letters of J.R.R. Tolkien 17: To Stanley Unwin, Chairman of Allen & Unwin. October 1937
Google sent me an alert yesterday, and I started reading up on the subject.
I run a part-time, one-man company with fewer than 10 customers. However, there is no lower bound on company size for the GDPR.
GDPR compliance could easily exceed my entire workload. It is beginning to look like the end for one-man companies unless something is done about this.
Before the PC existed, I also ran a one-man company, processing mailing lists for multinationals. I had tens of thousands of names and addresses, all verified.
Its not easy to say where the cut-off should be, but I would guess that it should have to do with the number of records, and whether they are accessible to outside users. If you only have 10 email addresses, supplied by their owners so you can email them back, and the addresses of people you have billed for goods and services supplied, or who billed you (retention required by law) you probably aught to be exempt.
I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GPDR".
I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GPDR".
That would be blatant fraud and would be prosecuted as such (unless a director was a Tory MP).
The GDPR expressly exempts data necessary for a business and for tax purposes. In a game of Top Trumps, Tax always beats GDPR.
I do empathise with your point, but i would also point at all of the belly aching that happened when the regs demanding that all companies regardless of size kept proper hr / employment records came in.
At the time this was a major change / cost but after a few years it is now a automated system that you buy in for a few £ a year
Verified in that "no one cancels a Reader's Digest subscription unless they actually live there". (This was in 1985). Yes we paid for the list of people who had cancelled a Reader's Digest subscription -i it was quite cheap. We also ran competitions in local newspapers - you don't enter a competition with a false name and address. Do not suppose selling address lists started with the Internet.
"GDPR compliance could easily exceed my entire workload. It is beginning to look like the end for one-man companies unless something is done about this."
Unless your company has been a bit fast & loose with handling data ... unlikely. I would suggest finding a really good summary (i.e. not anything published by the UK press), and reading it. It's really not that bad.
"I predict a whole load of tax evasion (and worse) very hard to prosecute because the data/evidence was destroyed "because of the GPDR"."
No. Some idiot may attempt to claim it, much like they do now with the DPA (the "no, we can't talk to your partner about your account even if you say we can, because the DPA says we can't"-type idiocy), but it's not the root cause.
No - because GDPR doesn't require to perform specific activities, buy/rent specific software or hardware, etc. Even certification is not compulsory - and even there it explicitly says to take into account the need of micro and small businesses.
GDPR sets out the principles of personal data handling - and the associated fines if something bad happens to data.
Hope your customer data are handled with a modicum of security.... although I guess they're stored in some Google applications - and thereby the rules about such kind of transfer and processing apply. Surely Google is not happy at all about the rules, and will disseminate a lot of FUD.
In most European jurisdiction, the handling of personal data is already regulated - for any business size, because what matters are the right of the owner of the data. I don't really care if you're a physician with only nine patients and you leak or store the wrong data (which may kill me later).
And if you have data about tens of thousand people, I don't really care if you're a one man person, or Google. What matters is the impact of a mishandling of those data. Just, probably, 4% of your revenues will be far smaller than Google's one.
GDPR compliance should be easier for you. There is, very intentionally, no lower bounds to the "organisation size" when it comes to GDPR appliance. If there were, this would be gamed by the unscrupulous within minutes, if not faster.
What we already have is a new industry of GDPR ambulance chasing, even before GDPR kicks in - i.e. those organisations whose only interest is to promote their "training" or "certification processes" or "GDPR compliance applications". They have zero benefit other than draining cash and making GDPR compliance look considerably harder or "needing" legal advice repeatedly.
"companies were holding data they shouldn't"
"firms often don't know what data they collect, or where it is held."
"companies often try to hang on to data in the hope it will one day be valuable to the business"
A they shouldn't pay for their mistakes when caught??? It looks to me GDPR is only opening the septic tank, and it's time to clean it.
Most (if not every) companies have been very sloppy and grredy with their customers/users data. Now it's going to change - at last!!
They can't blame the law - they can only blame themselves for having been greedy idiots, hoping nothing would ever change. If those data are valuable for them, it's clear they are also valuable for their owners, and any criminal who believes they can be exploited for profit.
The problem is that all the PPI firms have caused a massive embuggarance with spam calls and timewasting. But on the other hand, the banks have now been forced to pay out something like £25billion in compensation - so to some extent that's been worth it. Maybe that's a big enough sting - involving much pain, reputational damage, time-consuming clean-up and cold hard cash - that the banks will learn a few lessons.
In an ideal world senior execs would have gone to prison, or at least had their lives ruined for a few years while being fruitlessly dragged through the courts before getting off on the difficulty of proving intent/individual responsibility. The mortgage backed securities thing was a collective mistake, the PPI thing was in large part an organised fraud.
If the regulators aren't going to do their jobs, then maybe the fear of legal chaos is the only thing we can hope for, to concentrate a few minds.
"What all the PPI firms will be doing next......."
... with the database of clients they have built up through the PPI feeding frenzy!
Perhaps they can conveniently augment that with green energy, double glazing and kitchen sales companies' databases.
Keep those auto-diallers dialling!
I customise CRM systems used in the recruitment industry for a living, The Business Analysis side of our company have been warning our clients about GDPR for ages, people are only just sitting up and starting to take notice.
One issue is that many of the CRM systems used in the recruitment can't easily delete data.
To maintain referential integrity when you delete a candidate, all that happens is that the candidate is given a deleted status and is hidden from the users, that data still remains in the DB along with the CV and all the lovely personal data goodies it contains. This is currently giving me lots of migration projects as people switch to supported CRM systems that can be made compliant.
As well as the technical issues, psychologically, its difficult to get recruiters to delete candidate data, it's their product after all, when I was in house, it was quite a task getting permission to delete stuff from senior management (it usually involved lots of nagging and pointing out we hadn't spoken to people in a decade)
I predict much wailing and gnashing of teeth in recruitment, as soon as a recruiter sends out a job spec to half the internet and lots of legally switched on types notice that they didn't give consent under GDPR and fire up the lawyers.
"I predict much wailing and gnashing of teeth in recruitment, as soon as a recruiter sends out a job spec to half the internet and lots of legally switched on types notice that they didn't give consent under GDPR and fire up the lawyers."
And well deserved. One could spend time customising a screed for one particular gig only to have the pimp send it out for something quite different. I'm sure this must occasionally cost perople gigs they might otherwise have got so real money's involved.
"And well deserved. One could spend time customising a screed for one particular gig only to have the pimp send it out for something quite different."
Not to mention the asswipes who reactivate your existence on their mailing lists a couple of years after you've told them to delete your data.
(Not just recruiters. Asda have done this twice)
Unless the CRM system is completely stupid it will be able to do database exports and imports. If so then (if there is no better way) the deleted data can be removed by exporting the non-deleted records then dropping the database tables and recreating them from the exported records.
Another possible alternative (depending on the database structure and the CRM programs) would be to overwrite the data in the "deleted" records - replace all the text with a load of XXXXXXXXXXX , change all personal names to "John Smith", change all NI numbers to "VV123456Z", change all company names to "Fake Company", change all phone numbers to "0123456789" and change all addresses to "House of Commons London SW1A 0AA" - this should remove the personal information.
Most CRM's are SQL based so stuff can be deleted with enough time/skill, but as recruiters are on commission (and thus tend to want to work weekends as well as normal office hours) bringing down the CRM for half the weekend while you do a manual delete via SQL does cause some stress.
While its fine having an outage once in a while if your doing it every weekend for the latest batch of GDPR removal requests, its going to get old quickly. Not to mention, if I am working weekends cleaning out your data, frankly your going to be paying for it (either OT costs or TOIL). Unfortunately, some techie doing manual deletes on your CRM each week isn't really a viable business solution.
Obfuscation of the data will work for some industries, the problem with recruitment, is that we deal with a lot of personal data in document form (CV's, Passport scans for legal compliance etc), all of that is going to have to be cleared off a record to put it out of use and although you don't generally run into any referential integrity issues with documents, unless the CRM has a real delete function in it for user level deletes, you are still paying people like me to go clear your data off at a weekend.
Also, its not just about the CRM's, Email/Exchange, SMS facilities and Mass mailing systems (e.g. Dotmailer) all need to be cleared of identifiable data and usually they are not well integrated with the CRM and certainly not for delete functions.
Its not that any of this is technically impossible, its that frankly doing all the analysis and development is a lot of work. In the same way that in Y2K it was easy to say, oh just store your dates in long date format, saying it is one thing, changing policies, procedures and systems is something very different and quite expensive.
There's really no need to bring down a SQL database while you delete old records, or any application using them - unless you're deleting millions or billions of records.
Sure, some old engines had issue because of lock escalation and the like, but a well coded application written by skilled developers knowing the database they use will minimize those issues.
And that's not what you usually do "manually" - they should be automatic jobs that can also be run at night or when most people are on holidays. And may need to be run only a few time per year, maybe only one - unless you have specific delete requests. Which, again, should be processed by specific functions to avoid the classic "manual error".
There was also a reason why I always advocated to store all data inside a database, and not scattered around in file shares or the like, for example - because in a database I could track where they were, and could ensure a full delete of them when needed.
Data contained in other systems - and you know where they are, right - of course needs to be managed accordingly - technical solutions can help only up to a point.
Actually, the real issue are archived data, like old backups. They can't be easily cleaned of no longer useful data only.
But what you tell is exactly the problem the article illustrates: companies for a long time recorded data without any clue about how to manage them properly.
Several reasons to panic, of course... the GDPR will make surface a lot of applications issues and bad database/storage designs. As written in another post, it's opening the septic tank.
Requiring "by design" security and privacy will make clear what was written by competent and skilled people, and what was written by unskilled (and usually low paid) ones. It could be a good thing, because many will need to invest to clean the mess, or face the fines one day.
This post has been deleted by its author
What if the candidate table is linked to your tax invoice table, which you are required to keep for about 8 years (6 years from the tax return deadline date, which for a company is one year after the end of the accounting period).
Your tax invoice must contain a description of the product or service supplied, which would be the candidate.
Good databases have been implementing cascaded deletes/updates for a long time. And even without, it could be implemented with triggers and/or stored procedures. Of course, developers using RDBMS as simple data dumps resembling file-based storage ignored good practices.
The reasons behind not deleting a record could have been regulatory - i.e. if you need to keep payroll or invoice data you may need to keep those records in the database for some years, but not show them as active - or, as the article says, greedy ones - "those data could be valuable one day".
The application I wrote when I was involved in such kind of applications had functions to perform cleanups every year, purging records that were no longer needed by law. Another way was to export them so they could be stored and timestamped on WORM discs if they was to be stored off-line.
And as GDPR says, you have to track those records as well, and destroy them when they are no longer needed.
I'm sure there's a lot of crappy software out there. It's not an excuse to keep, sell and make data vulnerable.
I agree, and actually, I think in some ways we have gone backwards.
There is one CRM I deal/dealt with that was based on its own custom filesystem rather than SQL, it had a real delete function (but no referential integrity), its newer (not that new) replacement system is SQL Server based and has no hard delete function for users/administrators and the delete entity stored procedure that exists in the DB no-longer functions (they have added additional FK constraints to later versions of the CRM but not updated the USP).
Now, I expect the company in question is planning to address this in a new release (and probably most other CRM vendors too) but that means an additional project for every firm that uses the software (test & deployment) and all that needs planning in, ideally now before its too late.
"Good databases have been implementing cascaded deletes/updates for a long time. "
All good databases do, yes. Sadly poor designers and shitty app coders, do not!
Some very badly written apps still do all that pesky referential integrity in the app tier instead of letting the DB do what a DB does best, deal with maintaining and securing data. I remember the first time I peeked in a Siebel schema and just couldn't believe there was just a shed load of tables and indexes with nothing holding any of them together! You want to delete something and you don't want to use the app well you'd better get your cheque book out cos you're going to be calling in a Siebel tech at £1000 a day to do it for you!
They want to leave because they don't want the hordes of Turkish immigrants entering the country just as soon as Turkey enters the EU. At least that was one of the reasons a friend gave me for voting leave.
Oh what's that. Turkey is unlikely to enter the EU any time soon, and because we are leaving we want to do trade deals with any one including Turkey which will likely involve letting hordes of Turkish immigrants enter the country.
Here is my reason.
The general feeling in the EU is that they should be heading for a Federated State, with more and more power being moved to Brussles. There is legislation in their pipeline that moves things like tax harmonization closer.
This is happening at the same time as efforts to change the structure of the EU to better reflect the fact that it (currently) has 28 members rather than the founding 6 members failed, leaving the voting structures in the EU almost completely incapable of allowing any significant or controversial policies to be implemented in a reasonable time scale. I predict we will see the effect of this as they debate any UK exit deal, as I think it's going to be a long and difficult process to get them to agree to anything at all.
Without reform, the EU is fast becoming moribund, and I did not want the UK shackled to an organization that we did not join (we joined the EEC, an organization with a different purpose), that I see as having a reducing importance in the world (and, yes, I do know that the UK was instrumental in the Maastricht Treaty, although I think UK politicians at the time thought that it was a first step in reform, rather than an end in itself).
Stresses within the EU over the north/south financial policies, the increasing desire to make the Euro the currency across the whole of Europe, and the increasing pressure on the southern most countries to cope with migration pressures without assistance from the countries further away, will, in my view, tear the current EU apart.
It will only take one of the major countries to have a right-wing government elected, and IMHO we will see border control between EU countries again, and a rising reluctance to offer financial support to the poorer countries. It amazed me that the Greece situation was constrained, and this was only by other EU countries, in particular Germany, offering money to prop Greece up while it dismantled it's pension and social services to contain costs. Will the German population agree to do this again in the future? Only time will tell.
If the EU had agreed to much needed reform, I would have voted differently. But my only regret in voting the way I did is that those around me thought I did it because of immigration, which, if it was at all, was only a very, very minor part of my decision.
That was wholly a Greek decision. It had public employees who got pensions for almost nothing (they could retire very early, and even unmarried daughters got pensions http://greece.greekreporter.com/2015/06/16/greek-unwed-sons-to-receive-pension-if-deceased-father-was-civil-servant/) combined with a long standing habit of evading taxes on everything - for example car fuel. Any attempt to recover those money utterly failed because politicians don't like to enforce "unpopular" measures when they touch hard their friends and themselves, so when they need money they aim at the weakest one, those who can't complain too much, and are not influential.
Greek is a failed state because it is a failed society - and of course it's not the only one in Europe, just the first to go down the hill. Just wait for the upcoming elections in Italy...
The EU has stresses and strains like any multinational organisation. The UK, for example, is not without internal tensions within the Union (Scotland, Northern Ireland etc.).
The question is not "Is the EU without flaws?" but "Will the UK be better off outside the EU?".
No one knows the answer to this yet but from where I am sitting:
i. our abiliy to benefit from Brexit are dependent on managing the process in an competent manner. I think even most Brexiters would agree that the Brexit process has been a complete shambles. It looks like we are heading for a very, very hard landing. We have about 12 months left to wrap up exit arrangements with the EU (latest date for ratification by EU States) and from the conversations I am having, the Government doesn't even understand the issues, let alone know the solutions, let alone agree them with the EU;
ii. there are very significant disadvantages to leaving the worlds largest single market. Yes, I know we "might" get an FTA for goods but if we are not in the customs union then customs control at our borders will be very damaging, and regulatory divergence will create significant non-tariff barriers. For services (80% of our economy) the position is much worse, hence the exodus of financial services from London.
I could go on but frankly why bother. Brexit is a relgion. You believe it or your don't.
However, please note I have a hate list for Brexiters and if Brexit goes badly wrong (which increasingly seems the case) you do not get to disown it.
No. Not really. Take for example Dyson and JCB. You voted out because they recommend it? But Dyson has offshored how many jobs? His faith in the country is that robust?
JCB lost court cases in Europe - are we really to believe that this didn't colour their opinion?
Some of your reasons would seem to stem from personal dislike of individuals. But people come and people go. Jean Claude will be gone in a few months.
Security - how does diminished cooperation improve security?
And trade - Oz has said its first priority is a deal with the EU because of the market size.
I appreciate it's a big ask but please, more than just a list of words, why did you make the choice you made?
When data protection breaches are mentioned.
Case in hand. My mobile rings. Turns out it's a recruiter asking my availability. Only snag is that is my work mobile, and has never ever been used to register as a candidate.
It *has* been used to register as an employer.
I ask the young lady where she got my details. She replied "Oh, they were on the system".
At which point I got a tad medieval, and suggested that (a) she was lying, and (b) I wasn't impressed that her employer was so casual around data protection.
"Oh" she said *giggling* "That's not a big deal is it ?"
One very grumpy email and a few minutes later and I had the companies lawyers on the phone "clarifying the misunderstanding". The main misunderstanding being that I record *all* calls these days.
Anyway, that's the mindset you are up against.
A/C, as legal words were exchanged.
"The main misunderstanding being that I record *all* calls these days."
I hope those calls are stored on a GDPR compliant database. The usual "All calls may be recorded yada yada yada" doesn't absolve you of your data protection responsibilities with those calls. In fact I'm certain we've spoke before. Can I please have a copy of all recordings involving me or about me in an MP3 format? What's that? You haven't got them? You've published that you record all calls so by not having them you are either lying or in breach of your own policy. Naughty naughty both ways as far as the GDPR is concerned. Please provide evidence that you didn't have a recording of the call after all.
Etc etc etc :)
Surely for this to work for the ambulance chasers they will need to change their model from how they operate in the PPI model? They will no longer be able to do cold calling (in fact this could completly illiminate cold calling?), they will only be able to advertise and wait for customers to contact them and expressly give them permission to hold their data. This really could be such a massive game-changer.
Personally I would be happy to add my name to an 'ambulance chaser' and the warm feeling I would get knowing lawyers were hounding people who were storing information on me would be reward enough.
This crap has gone on too long, from tracking adverts, tracking ISPs, tracking 'free' WiFi, to cold callers, to telemetry in everything from your hoover, your phone (fuck you Android), your car, your speakers, your headphones, watches, vibrators, childrens toys, your compiler (fuck you Visual Studio 2015), your operating system (fuck you Windows 10), libraries (fuck you .NET), the transport system (fuck you London Underground). And of course a massive fuck you to Google and Facebook.
I hope GDPR draws some blood.
It's _exactly_ this threat that's needed.
If you want evidence of how well this works in practice, look at the stats of the US junk fax industry before and after the passing of the Telephone Consumer Protection Act.
Yes, there are still junk faxers, but putting most of the small fly-by-nighters out of business (by making the hirers liable for damages too - which rapidly let to a dearth of companies willing to pay for fax advertising) left the authorities more able to go after the egrarious offenders such as fax.com
But you would think they would just funnel things through foreign shells where the law can't reach them. I think the big thing that ended junk faxing was simply faxing going out of style in favor of e-mail attachments (and note, we haven't found a solution to the Spam problem in e-mail as of yet). That and faxmodems which means faxes could be winnowed before they were printed, reducing waste.
I've already dealt with a few that see this as a *big* pot of gold, once they figure out the best way to setup the money-generating conveyor belt. It's the next PPI with absolute certainty.
I think it will be a lot bigger than PPI as we are all potential claimants, not just those of us that had useless extras tacked onto loans/credit cards etc.
GDPR introduces several key differences compared to the current regime: consent must be freely given, informed, specific & auditable; co-liability between data owner and data processor; really big fines (the bigger of €20m or 4% of global turnover); breaches can be administrative & not require actual data loss; compensation claims allowed by data subjects due to 'distress' even if no actual loss resulted from a breach - that's the big one for the lawyers to exploit..
GDPR doesn't just affect companies either. Some of the schools I've dealt with have been sharing pupil data willy-nilly with external providers for years without explicit consent. Data subjects (pupils) are opted in via woeful 'data privacy' notices. The 'public interest' or 'essential processing' argument will crumble once the lawyers get going.
Results analysis & performance tracking being the perfect example of poor data handling/processing behaviour: "We like using this system, even though there's no legal requirement to do so, we've done no due diligence on the external supplier, everyone else uses them so they must be OK, we don't know where the data is held, we don't know what security is in place, we don't know who can access the data at the other end, we don't know who at the supplier is CRB checked (if anyone), we didn't ask for or receive consent from pupils/parents but there's no risk on us so we don't care, we'll use it anyway cos we like it".
That's just one example of a widespread GDPR-unfriendly reality that will be like shooting tuna in a barrel for the lawyers come May '18.
Bring it on.
Filing a lawsuit is one thing - getting it heard may be another. If there are too many GDPR cases filed then it could take a long time for them to be heard by the courts. (Most courts already have large caseloads and there are complaints about too many cases and too few judges.) Unlike PPI where most cases were straightforward and well documented there will be a lot of variation between GDPR cases and judges will have to decide in each case whether there was a significant breach and what (if anything) is the correct amount of the penalty.
(Crudely - having and releasing private details on all the UK population has a maximum penalty of £20m or 4% so what is the correct level of penalty if data on only 100 people is involved. That is a matter for the judge to decide depending on the circumstances. Also either side could appeal which would result in even more court backlogs.)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
