This is mostly true until your driving a vehicle where the driver is low to the ground, like a triumph spitfire and then every dam car light is at about head height.
22 publicly visible posts • joined 8 Dec 2011
Very few have the time and resources to run a test environment that replicates everything in production.
Many don't have any resources for testing unless it's code their company has created or commissioned.
Sure, you don't deploy to every box at once and you start with the most trivial but those aren't going to be DC's and HyperV hosts so you'd not find the issue in a low pain fashion.
We expect for the sums of money that we are paying to MS that they do a reasonable degree of testing.
In this case, it's clear they didn't. The scenarios that seem to result in the patch's breaking fundamental windows components are not rare edge cases.
And that is probably the key point of the finding.
I had to go and check my memory as I thought GDPR was actually broad enough to always apply if the data subject or the data controller was a subject of a signed up country but from the guidance there does also have to be a targeting of the individual that had entitlement to those rights. So an incidental customer/user is fine but if you market to a UK/EU citizen then GDPR absolutely applies.
The GDPR applies to:
a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.
If your company is a small and medium-sized enterprise ('SME') that processes personal data as described above you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn't create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer ('DPO')). Note that ‘core activities’ should include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities.
When the regulation applies
Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrolment form.
When the regulation does not apply
Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
This sort of thing is exactly why I pay as much attention to managing outbound access from our systems as inbound.
Good services we work with very readily have the necessary documentation to tell us exactly what domains, IP's and ports need to be made accessible.
Poor ones go 'Why do you restrict access out to the internet? I'll have to go and ask some other team if we know'.
And if as if oft the case your pay role system does not have an inbuilt function to assess pay rises and create a mail merge to print letter for each employee for their revised remuneration?
And yes printing physical letters for such things is still a requirement, in some cases because of what is written in union arrangement but more commonly because not all of your employees will have an email address or at least not one they wish to share with their employee.
Seeing the way government seems to 'work', the solution to the wifi not working well enough will not be to spend maybe £20,000 per building on getting a well engineered wifi solution but will decide that all the buildings are not suited to working with digital technology.
Therefore they will spend several millions per building knocking it down and building a new one.
I 'm suspecting that a high number of these are because people simply didn't know they needed to, thinking that GDPR removed the need to do so.
However a new bit of regulation "Data Protection (Charges and Information) Regulations 2018" created a new fee to replace the one lost by the superseeding Data Protection Act 1998.
Firstly we have to remember here that the incident occurred prior to GDPR so the requirements and penalty's differ from what they would be today.
Regardless of Facebook's ability to pay, the fine seems too high in comparison to other cases.
TalkTalk caused potential harm to a large number of its customers by failing to implement basic security controls, and failed to act on warnings it had previously been given. In other words it was considered to have been willfully negligent.
Facebook is being fined for not being quite clear enough about what data was being shared with who and being lied to by Cambridge Analytica who said they had deleted the data when Facebook became aware it was being misused but in fact didn't.
So they did tell users what they were letting happen with their information, and they did act when somebody did something incorrect with it. Not willful and not negligent and yet they get fined more than they would have done if they had failed to try and protect the information.
Its not the most friendly in the world but it does seem to work decently well and it's called GovermentGatewayID
works perfectly well and robustly enough for dealing with HMRC and that includes functions where they owe you.
Why are they reinventing the wheel, particularity when that already have a wheel that was designed for the purpose?
The EU has two main types of acts. Regulations and Directives.
Directives are instructions to EU states to create their own legislation that meets the intent of the directive.
Regulations are exactly that and are automatically part of the law in all EU states.
However that does not stop states creating legislation that goes further than an EU regulation and that along with ensuring that we already have rules in place that will cause us to meet Data Protection adequacy requirements when we have left the EU is what the UK government are currently doing.
I expect how they will enforce any fines once we have left the EU is the same way as they will for any other non EU country. They will send a bill and if you don't pay it then any official from the organisation setting foot in the EU will be arrested.