General Data Protection Regulation (GDPR) - useful/practical tips for small developers
- KVRist
- 409 posts since 26 Oct, 2004 from U.K.
There’s obviously a lot of people making a lot of money out of this. My wife’s school are even worried about having their children’s names on their school books. That’s the sort of unnecessary panic it’s causing amongst people who don’t really understand this thing.
'and when we got bored, we'd have a world war...'
- KVRian
- 573 posts since 20 Aug, 2013
Cyforce wrote:
The worry in my eyes is (...) the admonish-lawyer... which will fly around the web like hungry vultures to send out admonish letters with "we demand XXXX € or we go to court" because a little blog or shop missed something in their GDPR files.
We talked about this problem to our data protection guys.
In short: don't worry about it too much.
If anything about your company or web site (regarding GDPR) is not in order, or appears not to be in order, or could potentially not be in order... then the first report ALWAYS has to go through the data protection authority. Courts will not handle cases like this.
The "vulture" lawyer has to report your company or web site to the appropriate data protection authority, they will then check the claims and contact you, give you a certain time period in which you can either prove that what you're doing is OK or fix anything that was wrong. Finally, they'll check your company or web site again to make sure everything is in order now.
If anything still isn't in order, despite the authority telling you to fix it and giving you an ultimatum to fix it by, only THEN would you get into trouble.
But you can safely refer any "vulture" lawyer who tries to extort you like that to your data protection authority. If they want to take your money for not obeying the law, make them obey the law first and make them go through the legally required instances.
- KVRAF
- 2393 posts since 28 Mar, 2005
otristan wrote:
FWIW, the data security officer is only for companies with more than 250 employees AFAIK.
Urs wrote:
Nope, you need one as soon as you handle certain employee data (that record-keeping bit?). We have confirmed this with both our data protection authority and - yep - our data security officer.
Furthermore, external data security officers shift a lot of the liability away from the company. Which we thought is a good thing during the initial phase of enforceability of the law.
Well, they explicitly say:
http://www.privacy-regulation.eu/en/recital-13-GDPR.htm
"To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping"
Except if you process sensitive data like health or stuff like that, which is not the case in our business.
- u-he
- 28063 posts since 8 Aug, 2002 from Berlin
otristan wrote:
Except if you process sensitive data like health or stuff like that, which is not the case in our business.
I'm not sure what the actual reason is, but the guys were pretty clear that we need a data security officer. In any case, it isn't a big deal to have one - even if it turns out we were advised poorly (by the data protection authority, nonetheless), it's not like we're not allowed to have one.
- KVRAF
- 2367 posts since 17 Apr, 2004
I also dunno the exact legislation, but we are well below 250 and have a DPO. Seeing as she is our in-house legal expert, I'm guessing she actually read the requirements.
Voted KVR's resident drunk Robert Smith impersonator (thanks Frantz!)
https://open.spotify.com/artist/2myYesRBRgQB3LkZzEYdt5 | https://soundcloud.com/steevm/
- KVRAF
- 6305 posts since 9 Dec, 2008 from Berlin
As I understand it: You need a DPO as soon as you have 10 or more people (employed) handling personal data regularly.
There seems to be some ambiguity about the owner(s) counting or not.
Cheers,
Tom
"Out beyond the ideas of wrongdoing and rightdoing, there is a field. I’ll meet you there." - Rumi
ScreenDream Instagram Mastodon
- KVRAF
- 2393 posts since 28 Mar, 2005
ThomasHelzle wrote:
As I understand it: You need a DPO as soon as you have 10 or more people (employed) handling personal data regularly.
If you have references regarding this requirement, don't hesitate to post the URL.
Didn't find such information so far.
- KVRAF
- 6305 posts since 9 Dec, 2008 from Berlin
otristan wrote:
ThomasHelzle wrote:
As I understand it: You need a DPO as soon as you have 10 or more people (employed) handling personal data regularly.
If you have references regarding this requirement, don't hesitate to post the URL.
Didn't find such information so far.
A central place for good information was the German magazines c't and iX:
https://www.heise.de/suche/?q=DSGVO&sea ... rt_by=date
Another great resource (also german) is:
https://www.datenschutzzentrum.de/dsgvo/
And especially this one:
https://datenschutzzentrum.de/artikel/1201-.html
"Demnach ist eine Benennung eines DSB auch in folgenden Fällen erforderlich:
- es werden in der Regel mindestens zehn Personen ständig mit der automatisierten Verarbeitung personenbezogener Daten beschäftigt oder
- es werden Verarbeitungen vorgenommen, die einer Datenschutz-Folgenabschätzung nach Art. 35 DS-GVO unterliegen oder es werden personenbezogene Daten geschäftsmäßig zum Zweck der Übermittlung, der anonymisierten Übermittlung oder für Zwecke der Markt- oder Meinungsforschung verarbeitet;
dann muss unabhängig von der Anzahl der mit der Verarbeitung beschäftigten Personen ein DSB benannt werden."
Which basically translates to:
"Therefore a DPO is also necessary if:
- there are at least 10 people working regularly on the automated processing of personal data or
- there is processing that requires a data-protection impact assessment according to §35 GDPR, or there is commercial processing of personal data for transmission, anonymised transmission or for the purpose of market or opinion analysis. Then a DPO is necessary independent of the number of people working on personal data"
(I'm not a native speaker so I hope I got it right).
Like Urs said, it may be better to be on the safe side and an external DPO may actually release some tension and stress if he/she knows his/her stuff and can help you get over the initial confusion and uncertainty by knowing that you have somebody who is specifically responsible for it.
Cheers,
Tom
P.S. another good German source: https://www.lda.bayern.de/de/datenschutz_eu.html
P.P.S. Regarding cookies it's not so clear cut: if you use cookies only for things like saving the chosen language of the visitor, the volume of your audio player or items in a shopping cart without creating any kind of ID to the visitor, the usage does not need a cookie banner.
P.P.P.S. Another interesting blog of a German lawyer: https://www.delegedata.de/
"Out beyond the ideas of wrongdoing and rightdoing, there is a field. I’ll meet you there." - Rumi
ScreenDream Instagram Mastodon
- KVRAF
- 2393 posts since 28 Mar, 2005
This seems to be a German-only requirement
https://www.itgovernance.co.uk/data-pro ... r-the-gdpr
There is also scope with the Regulation for each EU country to specify other circumstances in which a DPO needs to be appointed. Data protection laws in Germany, for example, require every business with ten or more employees that permanently process personal data to appoint a DPO.
- KVRAF
- 6305 posts since 9 Dec, 2008 from Berlin
otristan wrote:
This seems to be a German-only requirement
https://www.itgovernance.co.uk/data-pro ... r-the-gdpr
There is also scope with the Regulation for each EU country to specify other circumstances in which a DPO needs to be appointed. Data protection laws in Germany, for example, require every business with ten or more employees that permanently process personal data to appoint a DPO.
I just tried to look it up on the main GDPR website but it can't be reached...
https://www.eugdpr.org/gdpr-faqs.html
Originally the idea was to have one regulation for the whole of the EU, but it seems that this went down the drain - Austria issued a set of laws that make the whole thing a toothless joke there.
We'll see how it goes, but the statement of one of the main guys behind the whole thing, that it will reduce bureaucracy is a joke already.
Sorry for the noise if what I posted isn't accurate for France.
Cheers,
Tom
"Out beyond the ideas of wrongdoing and rightdoing, there is a field. I’ll meet you there." - Rumi
ScreenDream Instagram Mastodon
- KVRAF
- 2194 posts since 18 Mar, 2006 from Plymouth, UK
We're waiting to see what impact it has on business next week - we rely on a *lot* of external traffic (we're a massive data processor) and it could well be we see a huge drop in traffic next week as everyone suddenly stops passing on things they weren't meant to be.
With half of the office on holiday due to a public holiday and school breaks, it could be both very quiet and very nerve-wracking in the office.
- u-he
- 28063 posts since 8 Aug, 2002 from Berlin
So today we got the final document with the GDPR compliant privacy statement - in German. After a lot of formatting we have that online, and we've sent it to a translator.
- Banned
- 1583 posts since 19 Aug, 2011
Urs wrote:
This whole thing is quite a bit about "if and once data is breached, have a really good reason why you had it in the first place". So if data isn't essential, remove it. If you can anonymize, do so. If someone handles the data (customer support, newsletter etc.), know what they do, and restrict it to the amount of information necessary.
Also, the enormous fines in the law are tied to data breaches, which among hacking and stuff also encompass using the data for purposes other than what consent was given for.
BMoore wrote:
No. This is wrong. Data breach is a part of GDPR, but "this whole thing is quite a bit about" privacy and user rights.
Urs wrote:
At least for German companies, privacy and user rights have been in place for quite a while (1997 I think). All those parts of GDPR are a piece of cake for us. The largest part of our expenses (again, a 5-digit sum in Euros, maybe 6 if we factor the whole website into it) went into security infrastructure, and moving data from the web (where people always had it, and many still do) to closed servers behind multiple firewalls.
BMoore wrote:
Even more BS.
Urs wrote:
BS? On what? Are you an expert for German BDSG, which the GDPR was largely based upon? Or do you not believe my claims that we spent so much money?
Oh well. Can't teach 'em all.
Oh wait, I think you don't have any insights in any of this.
A few example spendings on data protection, specifically on preventing possible breaches:
- new alarm system with special certification for the office (8000€)
- new cupboards which are lockable (2000€)
- new firewall/router system (4000€) with 10 satellites (500€ or so each) for external people because VPN-no-more
- consultants (few grand)
- external data security officer (few grand per year)
- renting a shredding ton because our small shredder won't cut it anymore (couple hundred bucks a year)
...and that is before the amount of work which went into planning and developing a new information flow & structure, including a website that is fully rendered offline, i.e. has no active server scripts. Done over months and years by people who get actual salaries.
First. Yes, I'm an expert on GDPR, the German BDSG, and the UK DPA.
Second. I don't give a rat's ass about how much you've spent on this.
Although it might tell us that you really didn't have proper security for your users before.
And third. The fines are not tied to data breaches.
I don't know why you're so hung up on data breaches only. You might be in for a surprise later.
Cats are intended to teach us that not everything in nature has a function | http://soundcloud.com/bmoorebeats
- u-he
- 28063 posts since 8 Aug, 2002 from Berlin
BMoore wrote:
First. Yes, I'm an expert on GDPR, the German BDSG, and the UK DPA.
Cool. Our consultants would pretty much say the same.
BMoore wrote:
Second. I don't give a rat's ass about how much you've spent on this.
Although it might tell us that you really didn't have proper security for your users before.
That is correct. The GDPR has been an eye opener for me. I trust I'm not alone.
(it would be helpful if you used more precise language to say what exactly you criticise instead of just throwing swearwords - I had no way of distinguishing which argument you were making)
BMoore wrote:
And third. The fines are not tied to data breaches.
I don't know why you're so hung up on data breaches only.
I'm hung up on data breaches because there's particular emphasis on them (see the emphasis on immediacy when reporting them to data protection authorities), and various consultants reckoned that the full extent of fines will happen on data breaches when companies could have prevented them.
I have never said that it is "all about data breaches", but you'll have a hard time convincing me that data breaches (including using data for purposes not given consent for) aren't a strong motivator for the law.
BMoore wrote:
You might be in for a surprise later.
That a threat?
Last edited by Urs on Wed May 23, 2018 8:38 pm, edited 1 time in total.
fluffy_little_something
- Banned
- 12880 posts since 5 Jun, 2012
Sounds like yet another crazy EU law, which costs a lot to implement and yields poor results.
As long as a company is online, privacy and safety are just an illusion. As soon as data leaves the EU, adiós data protection. In Germany even public organizations are selling citizen data to companies, and it's legal.
Do developers who outsource the whole shopping part to a third-party service provider also have to invest in all that security?
German Abmahn parasites will like that new law, though.
I remember a text on the EU-US data protection shield or whatever it is called. It is a joke.
Last edited by fluffy_little_something on Wed May 23, 2018 8:40 pm, edited 2 times in total.