Posts by Doctor Syntax

Re: ...the cat farts...

"Don't forget the forsaken moaning of the arid wind, broken only by the piercing cry of a distant hawk in the parched, burning sky. Bonus points for a cow skull in the foreground!"

I never knew SE London could be so interesting.

Re: Backups aren't the problem

"Erm, yeah, but I've deleted everything about Joe Bloggs of Wankstain, Essex, including his request to be deleted."

Two points. If you have some central record ID and that gets used as a foreign key in every other table affected then retain that foreign key. Otherwise retain the request. It will be needed to re-delete on restore. Without it you can't do as he asked so if you deleted it it you were doing it wrong.

Re: Is this GDPR or Right to Be Forgotten?

"As for the right to be forgotten, well, IANAL but wasn't all this discussed at length some weeks or months ago?"

Weeks and months ago. And still we have numpties crawling out of the woodwork asking about which law trumps which when storage is legally mandated.

Re: Ivory tower IT

"Maybe come down from the tower occasionally and meet the real world of personal data scattered in Excel spreadsheets, Word documents, pdfs and for all I know coded into C# objects."

If this is the primary data storage then they have other problems already. If this is secondary storage - look for it particularly in Sales and Marketing or possibly HR - it needs to be dealt with. Audit the business and delete any of it you find. Permanently. Even if it means going through old file system backups (not the same problem as RDBMS as regards data integrity). In the real world it's this sort of secondary storage in the hands of users that's most likely to cause damage.

"So who wins that one?"

Every time GDPR comes up we have to explain this all over again.

E V E R Y bloody time!

If anybody concerned with implementing GDPR compliance is still asking this sort of thing they're clearly out of their depth.

Re: Not a problem

"Why has it taken until a week after the law started for someone to say 'what about backups'?"

It hasn't.

Re: Not a problem

"If it's for a legal requirement with very infrequent and non urgent access then yes."

If this means that the PII has to be retained for legal purposes then you're in the clear.

Re: Not a problem

"You have Fred's data on a tape backup that you know you cannot dump in the bin but at the same time you can no longer read."

This raises questions about the sanity of the audit or about your failure to migrate the old data to new media once the old one becomes obsolete. It also raises the question of whether you have effectively forgotten everything on the old media already.

Re: Not a problem

"If it's that difficult for you to restore a backup, do you really have a backup?"

And why are you even keeping it that long?

Re: Not a problem

" If it's ever necessary to restore from a backup taken prior to the deletion then later transactions, including the deletion, will be reapplied."

You'd hope so but Murphy's Law can apply here.

Re: Not my field of expertise

"Erase-on-restore is probably a nonstarter because it is technically trivial to *not* erase-on-restore"

It's equally technically trivial to not act on the request in the first place. No difference.

"If you delete the tokenisation key or the master record, the record in the backup becomes (to some extent) anonymous."

How do you handle the restoration of the backup of the key?

Re: Not my field of expertise

My only question is, once you've "forgotten" about somebody, how do you remember to forget them on a restore?

GDPR allows you to keep PII which is being held for a good reason. You couldn't, for instance, forget the delivery details of an order which is yet to be despatched. On this basis one should be able to hold the forget request until all the backups that the real data may be on have been superseded and wiped.

"They are happy to be disqualified as a director"

Citation required. Remember that simply putting up someone else as a front is an offence that can carry a gaol sentence.

Re: What's that ?

The Microsoft downvoting shills are pretty active these days.

Re: Corporate users?

"I just hope that somebody from legal or the IT security group runs into that before I do."

If they don't run into it before make sure they do immediately afterwards.

Re: Firewalls?

"Could some kind soul work out what IP address(es) they're using, so that we can add a few new rules to the firewall."

By the time they've finished you'll probably need a lot more memory in your firewall, just to hold the rules.

Re: Gah!

"I apologise to any lowlife libertarians"

Why?

Re: Windows 10 April update is in breach

Microsoft are clearly relying on legitimate interest here - "to help keep Windows secure..."

Saying it doesn't make it so although I'll admit that within the Redmond reality distortion field that might not be so obvious.

Re: Msft Employee Perspective

"There's also a LOT of new rules around storing PII." (My emphasis)

One of the main rules in GDPR is the need for specific permission to collect anything beyond what's needed to process a transaction or what's legally required. It makes no difference having your own rules about storing information if you don't have the permission to acquire it. Couple that with the fact that the law in the US might be quite different to the law in Europe about what's legally required (and we note that MS welcomed the CLOUD Act) and it's still difficult to see how this makes MS GDPR compliant. My suspicion remains that by concentrating on what MS can do that doesn't greatly impinge on telemetry they're trying to deflect any EU investigation to the latter.

Re: Want vs Need

"Speak for yourself because in many parts of the world there haven't been enough IPv4 addresses for years."

SEP to be blunt.

"It's infrastructure so people shouldn't really care whether it's IPv4 or IPv6, it should just work, but this pretty much does mean IPv6, with mandatory privacy extensions."

The last two words say it all. Privacy extensions. Privacy isn't built in, it's an extension. What do we keep saying about security (or privacy)? It should be part of the original design and not an extension. If it isn't it's yet another thing to go wrong.

"Which, if (as you should) you assign addresses randomly, improves your protection against network mapping and hence port scanning, even if you do accidentally forget to do ingress filtering."

This implies that the LAN owner has to do stuff. For a large enterprise this is fair enough - they can pay for people to do it* - but for small businesses and home users it's a no-no. Unless the whole thing comes configured with such sensible default options it's going to be addressed along the lines of "what we have works - don't need anything else".

* and, in theory, to be trained if they're not already equipped with the knowledge although enterprises tend to treat this as optional, default off.

Re: Privacy issues with IPv6?

If all it requires is a few tweaks in the devices and a few tweaks in the router to eliminate a security issue it's amazing that this hasn't been rolled out for home users.

Re: Simples

"So skipping/wasting a number or two is not something you really want to do."

If IPv6 is inherently unsaleable - which the article seems to be pointing to - that number is already wasted and skipping it doesn't cost more. The important thing would be to take a good deal more care next time around.

"A cursory search shows BT still provide kilostream, but only until 31 March 2020 which may hamper your proposal for mandatory private circuits"

Regulations such as this could extend its life by renewing the market.

"Maybe, instead of waving around pointless fines, the government should make it a mandatory requirement of operating, set in law, that utilities and power companies must use private circuits for their infrastructure."

If your mandatory requirement was flouted what would you do? Impose fines of course. Which is just what this regulation does. The only difference is that it says what's to be done rather than how to do it.

Re: Data protection laws are there for a reason

Until that "Action" is a deterrent, you may as well just add a surcharge to companies for them to pay the crown yearly.

Up to now this behaviour has probably been seen as standard practice by a lot of salesdroids. This case should be a warning that it isn't. Although the fine in this case might be low* don't expect it to be as low under GDPR and don't expect it to be low for repeat offenders.

* You also have to factor in that a guilty plea brings a reduced fine.