Online Security

MacB

Lover of things that come in 3's
The first sentence is why regulators exist, and why the powers of European information regulators are being very significantly strengthened. Even if our idiot government cuts off all regulatory ties with the EU, businesses will still be following European rules for the foreseeable future if they want to trade in Europe (and many of them do). And the second sentence, as I'm sure you know, is less true than many of the more sloganising radicals would want to admit. It's easier to say "all business wrong" than to acknowledge that business has increased prosperity and that there are many ethical people with a very significant influence over business.

All correct from one perspective, but I find your belief in widespread ethical controls in business rather surprising. Nor have I ever made any claims around "all business wrong"; all I have done is question their ethical standards and claims of being motivated by desires to help/serve their customers.

It's pretty simple: I would like the ability to remove any and all data about me held by private corporations. Whether I used that ability is moot; I just feel it should exist, and in a very straightforward process. If I then choose to leave my data in corporate hands, and a breach occurs, then I can accept I took that risk. Right now the risk is being assumed on my behalf and that doesn't impress me.

That's how I feel and I hope that it reflects in some way what I thought Dan was putting across.
 
Under GDPR, you will have the right to be forgotten, so in theory, you can ask a firm to remove all of your details from their records.

In practice though, there will be some exemptions which firms can claim mean they have to retain information about you. For example, if you had a mortgage you'd paid off, a lender could claim they need to keep your details in the future, in case you might make a claim the mortgage has been mis-sold.
 

srw

It's a bit more complicated than that...
It's pretty simple, I would like the ability to remove any and all data about me held by private corporations
Wait until April and you've got it. Whether corporations can provide it is another question. But if you demand to be forgotten, they tell you you've been forgotten, and then a subsequent data subject access request proves they're wrong, you'll get compensation.

(I wasn't, by the way, attributing the sentiment of "all business wrong" to you, but to some rather naive idealists. Also, you're misreading if you think that I have a belief in widespread ethical business controls. There are far too many unethical decisions made even by generally ethical people and corporations.)
 

MacB

Lover of things that come in 3's
Wait until April and you've got it. Whether corporations can provide it is another question. But if you demand to be forgotten, they tell you you've been forgotten, and then a subsequent data subject access request proves they're wrong, you'll get compensation.

(I wasn't, by the way, attributing the sentiment of "all business wrong" to you, but to some rather naive idealists. Also, you're misreading if you think that I have a belief in widespread ethical business controls. There are far too many unethical decisions made even by generally ethical people and corporations.)

Fair dos and I'll believe it when I see it on whether it really happens or not. I also accept that my view is probably towards the jaded end of the spectrum. I agree that there are many generally ethical people but I have found that they are only ethical within certain parameters. Introduce a temptation or a fear into the decision making process and, if it's strong enough, then the ethics go out of the window. The level of temptation/fear necessary will vary but I would contend that everyone has their breaking point, or price. I would further contend that many, just by dint of getting to where they have, possess pretty flexible ethics at the best of times.

I hope that makes sense
 

Tin Pot

Guru
Stolen is maybe the concern. It implies an intent to misuse.

Sure, and really I'm just expanding that so you can draw your own conclusions.

There may be occasions where you know for sure - someone has found your credit card numbers in a file on the internet, for example. But the rest is kind of hard to know for sure. I find that planning for the worst, and hoping for the best is a reasonable approach. Behave as though anything you share is or will eventually be stolen or known.

Data theft is still largely for financial gain, stealing from you or your bank or blackmailing you (that hot chick that wants to see your private parts on Skype may not be genuine).

However, data breaches are still quite frequent - your friends working in healthcare or finance are often caught nosing around in your records for nothing more malicious than curiosity.

How do you stop all that? Well it's a bit like street crime or burglary, lots is being done but you have to accept that crime can still happen to you. But as long as it's not extreme, you can recover and eventually get over it - the law can be a lot better with ecrime than real crime, sometimes.
 

Tin Pot

Guru
Fair dos and I'll believe it when I see it on whether it really happens or not. I also accept that my view is probably towards the jaded end of the spectrum.
And so you should.

Even firms that genuinely cared did fark all until they were forced to by law, and even now struggle to do it.

For big firms it's extremely expensive and time consuming to find everything they know about a single person on their current IT landscape, now think about the back up tapes they made seven years ago, and the vaults of paper on customers from the sixties...it doesn't matter how much they want to do the right thing, there's no hiding the burden it causes.

So even if they are very profitable, and most of them aren't high margin businesses, it's a hard sell.

In your shoes I would keep voicing your concerns, complaining when necessary and eventually they'll have to get their house in order.
 

classic33

Leg End Member
Sure, and really I'm just expanding that so you can draw your own conclusions.

There may be occasions where you know for sure - someone has found your credit card numbers in a file on the internet, for example. But the rest is kind of hard to know for sure. I find that planning for the worst, and hoping for the best is a reasonable approach. Behave as though anything you share is or will eventually be stolen or known.

Data theft is still largely for financial gain, stealing from you or your bank or blackmailing you (that hot chick that wants to see your private parts on Skype may not be genuine).

However, data breaches are still quite frequent - your friends working in healthcare or finance are often caught nosing around in your records for nothing more malicious than curiosity.

How do you stop all that? Well it's a bit like street crime or burglary, lots is being done but you have to accept that crime can still happen to you. But as long as it's not extreme, you can recover and eventually get over it - the law can be a lot better with ecrime than real crime, sometimes.
And when the measures put in place are circumvented by sending the information as private letters to another individual, once they get access, there's nothing you can do. The damage is done & your private information is out there for anyone.
 

Tin Pot

Guru
Those must be expensive to keep though, so in the business' interests to get rid of.

...But by law they may have to retain them, it may be too expensive to digitise them or they may have to retain hard copies anyway. I've not worked for solicitors, barristers and their ilk but the informal conversations I've had usually throw up some non-starters for digitisation.

The fundamentals of the exemptions to GDPR are around where there is a legitimate business reason not to destroy the records (e.g. fraud prevention) and legal reasons (a previously existing law supersedes GDPR, such as MiFID).

There is more here:
https://www.gdpr.associates/gdpr-exemptions/

Nothing set in stone and I'm sure a lot will be tested in law these coming years.
 

classic33

Leg End Member
Those must be expensive to keep though, so in the business' interests to get rid of.
"Empty" warehouses that aren't actually empty, but storing nothing but paper records.
 

srw

It's a bit more complicated than that...
Those must be expensive to keep though, so in the business' interests to get rid of.
Paying a fiver* a box each year to keep them in storage is cheaper in any given year than paying a tenner* to get them back into the office and then paying someone a wage to go through them and sort out the must-keeps from the must-dispose-of.

A company I know extremely well is using the GDPR, after a lot of kicking from those with a professional interest in managing risk effectively, to finally implement a proper document retention and destruction regime. A proper document management system is a few years away yet, but will come, I'm sure.

*Amounts for illustration only, but indicative of the relevant cost.
 

classic33

Leg End Member
The person in the office can't always access the full records, only certain parts.

The request is placed for the information they think they'll need, possibly finding out that parts are missing (not on the requested pieces), so another request is made.

Both require a person at each end to agree that they (the person requesting the information) can access what they've asked for, and a person to retrieve the records for the request to be filled.
 