Fines, Enforcement and good faith

Fines, Enforcement and good faith

We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½ m, the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communication Regulation (PECR),  which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court, the change in enforcement powers, and notes that the preponderance of fines have been levied due toinadequate technical protection.

An overview of issues with the GDPR

An overview of issues with the GDPR

At the BCS legal day,  a presentation was made entitled “Key Issues” which they started with a quote from Jan Albrecht MEP (the Rapporteur),

“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.

Jan Albrecht MEP”

It is hoped that business opportunity will be created by a harmonisation of regulation across Europe with a goal of improved privacy for its citizens. The harmonisation is constrained by the Restrictions Article, which excludes areas of law from the Regulation and creates nationally authored variances.

BCS Legal Day

BCS Legal Day

I attended the BCS ISSG Legal day where the priority was the coming General Data Protection Regulation. I believe that the day was held under Chatham House rules, which means that comments cannot be attributed. I prefer to work on more open terms; it allows me to attribute credit to those who have informed me or changed my mind but the notes have been anonymised. The running order has been changed to make the story better and to conform to my preferred priority order, of principles, rights, obligations and enforcement.  The day consisted of two presentations, entitled “Key Issues”, “the Data Protection Officer” and one on trends in enforcement.  I have written these notes over the last week, and backdated them to the day of occurrence. These are a bit less polemic than my recent articles here, but for various reasons I have been reminded that that’s how they once were; I hope these articles are useful to my more technical readers. Some of the discussions and issues may interest those that follow me for politics.

Compliance

After attending the BCS IS Security Group meeting yesterday, I began to think about how small (or more accurately, medium) companies might deal with the additional compliance actions required of the GDPR. There would seem to be two design patterns, a golden source, or an all knowing switch. The first pattern led me to consider the SaaS solutions, which should be used to dealing with suspects, prospects and customers (CRM), also any employees that might be employed, with the ERP solution catering for personal data located in the supply chain. Over the years I have been made aware of Sugar CRM & OpenBravo (ERP), more recently I have looked at Financial Services KYC problem, and been pointed at kyc.com,  an enhanced CRM system designed for the financial services industry. The gap is an industry leading HR system, and it will surprise none of my long term friends and colleagues, that I think we can assume that fault is in the buying community where the priority would seem to be recruitment and applicant tracking although, of course, payroll was the first SaaS offering by an order of decades.

Focus

Over the weekend, a spat broke out between Jon Lansman, veteran leftist and Tom Watson MP. This twitter exchange pretty much summarises it.

Actually this was started because comments Lansman made to a private meeting were leaked to the press via video and blown up into a new conspiracy.

What I want to add, starting from Watson’s tweet, is that I believe it’s the so-called moderates that are destroying the party as an electoral force. The focus on the personality of the Leader and the evidence free proposition that we just need to knock on a few or even many more doors and we can win is wrong.

There are central political questions that need to be answered or Labour will follow the Greek PASOK, the Dutch PvdA, the French PS and its own example in Scotland.

Faerûn

I returned to NWN2 last night, I should probably take notice of the fact that I find it so hard to return to. The fights are so hard …. This can be fixed … I think.

But the bioware forums have finally gone for ever.

Privacy Law

Here’s an interesting review of the UK’s DP Act and the likely implications of the GDPR/Brexit. The author identifies that the Commission has launched an infraction investigation into the UK’s implementation of the Data Protection Directive, they identify some of the weaknesses and report that despite issuing several freedom of information requests, that the infractions identified by the Commission are secret.

It is suggested that the UK Government will use the Restrictions Article powers to reduce the impact of the GDPR and in doing so may jeopardise the UK’s attempts to obtain an adequacy ruling. I think they’re a bit excitable since UK firms and foreign owned multi-nationals will be able to use model clauses and binding corporate commitments to trade with the EU even without an adequacy ruling, although some firms may choose to relocate, most easily to Dublin.

The article also talks about two court cases which have expanded citizen protection under the DPA using reference to the Directive and the CJEU rulings. After Brexit, the opinions of the CJEU are likely to be irrelevant,