You might think that the day after the General Data Protection Regulation comes into effect in EU member states is a bit late in the day, but there seems to be so much last-minute panic and uncertainty around that I thought I might at least put up some relevant links while the dust settles. These links are also posted to the new page here.
Here’s a sensible article by Mirko Zorz for Help Net Security – GDPR: Today is the day – echoing a point I’ve been making to anyone who insisted on getting my opinion. “The other big misconception is that GDPR is forcing companies to think about something new. Legislation in the EU and UK to protect data has been around for years before GDPR. What’s new in GDPR is the potential size of the fine and the fact that it can affect non-EU companies. Getting companies to think seriously about how they protect data has been an ongoing effort for many years.” The point I’ve been trying to make (though not previously in any sort of article) is that if you were already compliant with the Data Protection Directive that GDPR supersedes, and with the national legislation that implemented it such as the UK’s Data Protection Act 1998 (now replaced by the Data Protection Act 2018, which sits alongside GDPR), then GDPR shouldn’t be such a big deal. Yes, many organizations have needed to tweak their policies and practices, but the focus of the legislation, in the words of the Data Protection Act 2018, is still this:
The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—
(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
Even organizations outside the European Union that do business with member states should be no strangers to these issues: EU directives and legislation have governed transfers of personal data to non-EU countries for decades. Remember Safe Harbor (the EU–US arrangement struck down in 2015 and succeeded by Privacy Shield)? Of course, some organizations have been more enthusiastic and prompt about it than others. Microsoft, for instance, has announced that:
…we will extend the rights that are at the heart of GDPR to all of our consumer customers worldwide. Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it and even to take it somewhere else. Our privacy dashboard gives users the tools they need to take control of their data.
(This is also a neat summary from Microsoft: In case you missed it: 10 of your questions from our GDPR webinars.)
Help Net also notes that “Apple has set up a Data and Privacy portal where users can make a request to download all the data Apple has on them, correct their personal information, deactivate or delete their account.”
Sounds good to me, in principle at least. No doubt we’ll have lots of fun seeing what happens in practice.
Facebook has been more equivocal, while claiming to be singing from the same hymn sheet. ICANN, meanwhile, has been noticeably wrong-footed in its belated attempts to tweak WHOIS (its domain-registration data service) in order to achieve conformance. And there is no need for me even to try to name and shame all the services that are currently suspended while their providers sort themselves out.
Meanwhile, ESET offers to tell us Why GDPR affects companies around the world (video) and also offers a free guide and compliance check here. And here’s more advice from Jon Fielding of Apricorn for Help Net: It’s time to embrace GDPR.
Gizmodo: Facebook and Google Accused of Violating GDPR on First Day of the New European Privacy Law – “So what are Facebook and Google allegedly doing to violate the GDPR? Privacy advocates in Europe say that instead of adhering to the letter of the law, companies aren’t really giving consumers a choice; you can either agree to let Facebook and Google collect enormous amounts of data on you, or you can delete their services. There is no middle ground.” No surprise there, then…
And, from the Guardian: Most GDPR emails unnecessary and some illegal, say experts – “Many firms have the required consent already; others don’t have consent to send a request.”