December 18, 2017 at 7:38 am
I agree with Hugo. Junior IT folk are not required to know about stuff like this. A mid to senior level DBA, responsible, one assumes, for implementing, validating and verifying policy (not defining it) for the organization had sure better understand the types of data in hand and the laws surrounding it. For example, knowingly releasing a patient's healthcare information to unauthorized people can result in jail time. I wouldn't expect someone who has never worked with healthcare data to know this, but if you're applying for a senior DBA position and you have healthcare in your background, be prepared for me asking you about it. Also, I'd expect that you'd want to know the legal requirements of your position as you move from job to job, industry to industry. They do vary. I had to go through extensive background and drug tests to work for a Wall Street firm (bonded). I didn't have to do anything while working for dot com. I had a bunch of requirements I had to meet dealing with the insurance company. My responsibilities legally for Redgate are different again (and a lot less stringent).
Like it or not, we may not be interested in the law, but the law is very interested in us. I would suggest a working understanding of the kinds of things that can affect us. Next thing to read up on after the GDPR are the NIST proposals and drafts.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
December 18, 2017 at 7:41 am
ZZartin - Monday, December 18, 2017 7:37 AM
On a side note is there some particular reason that the EU is doing this? Or is just an overly paranoid idea?
My opinion, worth what you're paying for it:
It's all about making money for the EU. The penalties are insane. 20 million euro or 4% of your company's income, whichever is higher.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
December 18, 2017 at 8:05 am
Sergiy - Monday, December 18, 2017 7:03 AM
1. I have a Facebook account (registered to my personal email, so this falls under the definition of identifiable natural person).
2. I am an EU citizen.
Based on the two verifiable facts above, the obvious conclusion is that I have now given solid proof that Facebook holds personal records of at least one EU citizen. They will need to follow GDPR.
What course of action would you suggest I take to verify these 2 "verifiable facts"?
I don't know why you want to verify this yourself, but the steps are fairly easy. For the first step, go to facebook.com and type my name in a search box. For the second, come by my house and I'll show you my passport. (I will not post a copy here, for obvious reasons).
But you are missing the point. Facebook knows damn well that they have data of EU citizens, because they have a website without signup restrictions. They do not exclude the EU from their business model, hence they are bound by EU law.
If they breach the GDPR regulations, the EU can fine them. And then it's Facebook that will have to prove that the breach didn't affect any citizen covered by GDPR if they want to wiggle out of that fine.
December 18, 2017 at 8:06 am
ZZartin - Monday, December 18, 2017 7:37 AM
On a side note is there some particular reason that the EU is doing this? Or is just an overly paranoid idea?
Privacy protection of their citizens.
(Grant's more cynical answer might also apply.)
December 18, 2017 at 8:14 am
Ed Wagner - Monday, December 18, 2017 7:20 AM
Sergiy - Monday, December 18, 2017 7:03 AM
1. I have a Facebook account (registered to my personal email, so this falls under the definition of identifiable natural person).
2. I am an EU citizen.
Based on the two verifiable facts above, the obvious conclusion is that I have now given solid proof that Facebook holds personal records of at least one EU citizen. They will need to follow GDPR.
What course of action would you suggest I take to verify these 2 "verifiable facts"?
I'm sure a huge bureaucracy will develop around it to "verify facts" and other activities. From what Hugo posted, it looks like the scope is wide enough to suppose that they really want the law to apply to everyone in the world. After all, I presume at least 1 EU citizen lives outside the EU. The "competent professionals" clause sounds like a legal loophole they'll use to apply the law how the governing body sees fit.
No need for a huge bureaucracy, in my opinion. Either abide by the GDPR regulations, or stop doing business in the EU.
(Non-EU companies can CHOOSE to set up a bureaucracy. Not for most of the generic protection regulations, which apply to systems and not to individual data entries, but for specific citizens' rights such as the right to be forgotten or the right to get a copy of your personal data from a company. They can decide to only allow EU citizens to exercise those rights. But they'll have to enable the functionality anyway; I think it's easier to just click the button on any such request rather than refuse a US citizen to be forgotten.)
EU citizens living outside the EU are not protected by GDPR. (Unless doing business with EU companies of course). For non-EU companies, the liability is limited to the business they do (with EU citizens) in the EU. When I live in South Africa and buy from a Japanese company, the EU has no jurisdiction; my EU citizenship doesn't change that.
December 18, 2017 at 8:16 am
Grant Fritchey - Monday, December 18, 2017 7:41 AM
ZZartin - Monday, December 18, 2017 7:37 AM
On a side note is there some particular reason that the EU is doing this? Or is just an overly paranoid idea?
My opinion, worth what you're paying for it:
It's all about making money for the EU. The penalties are insane. 20 million euro or 4% of your company's income, whichever is higher.
For the record, that is the maximum penalty. We'll have to wait and see how much they will actually fine once the transition period is over and fines start to apply.
December 18, 2017 at 8:22 am
Hugo Kornelis - Monday, December 18, 2017 8:14 AM
Ed Wagner - Monday, December 18, 2017 7:20 AM
Sergiy - Monday, December 18, 2017 7:03 AM
1. I have a Facebook account (registered to my personal email, so this falls under the definition of identifiable natural person).
2. I am an EU citizen.
Based on the two verifiable facts above, the obvious conclusion is that I have now given solid proof that Facebook holds personal records of at least one EU citizen. They will need to follow GDPR.
What course of action would you suggest I take to verify these 2 "verifiable facts"?
I'm sure a huge bureaucracy will develop around it to "verify facts" and other activities. From what Hugo posted, it looks like the scope is wide enough to suppose that they really want the law to apply to everyone in the world. After all, I presume at least 1 EU citizen lives outside the EU. The "competent professionals" clause sounds like a legal loophole they'll use to apply the law how the governing body sees fit.
No need for a huge bureaucracy, in my opinion. Either abide by the GDPR regulations, or stop doing business in the EU.
(Non-EU companies can CHOOSE to set up a bureaucracy. Not for most of the generic protection regulations, which apply to systems and not to individual data entries, but for specific citizens' rights such as the right to be forgotten or the right to get a copy of your personal data from a company. They can decide to only allow EU citizens to exercise those rights. But they'll have to enable the functionality anyway; I think it's easier to just click the button on any such request rather than refuse a US citizen to be forgotten.)
EU citizens living outside the EU are not protected by GDPR. (Unless doing business with EU companies of course). For non-EU companies, the liability is limited to the business they do (with EU citizens) in the EU. When I live in South Africa and buy from a Japanese company, the EU has no jurisdiction; my EU citizenship doesn't change that.
Given the likelihood of Grant's answer being 100% correct, the chances of the huge bureaucracy being created are rather high. The "penalties" can be used to help pay for it, infuse money into local economies, create jobs, etc. You know...whatever they need it for. The bureaucracy's first duty will probably be the first (usually unstated) duty of any bureaucracy - to sustain the bureaucracy. I really hope this is flat wrong, but I fear it's right.
December 18, 2017 at 8:28 am
What actually surprised me is the number of countries that, once GDPR comes in, we're not allowed to share data with, unless the company itself can show that they are following GDPR, or an equivalent. I think the list only covers about 7 countries, none of which are the USA, Australia or Japan.
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk
December 18, 2017 at 8:32 am
Ed Wagner - Monday, December 18, 2017 8:22 AM
Hugo Kornelis - Monday, December 18, 2017 8:14 AM
No need for a huge bureaucracy, in my opinion. Either abide by the GDPR regulations, or stop doing business in the EU.
(Non-EU companies can CHOOSE to set up a bureaucracy. Not for most of the generic protection regulations, which apply to systems and not to individual data entries, but for specific citizens' rights such as the right to be forgotten or the right to get a copy of your personal data from a company. They can decide to only allow EU citizens to exercise those rights. But they'll have to enable the functionality anyway; I think it's easier to just click the button on any such request rather than refuse a US citizen to be forgotten.)
EU citizens living outside the EU are not protected by GDPR. (Unless doing business with EU companies of course). For non-EU companies, the liability is limited to the business they do (with EU citizens) in the EU. When I live in South Africa and buy from a Japanese company, the EU has no jurisdiction; my EU citizenship doesn't change that.
Given the likelihood of Grant's answer being 100% correct, the chances of the huge bureaucracy being created are rather high. The "penalties" can be used to help pay for it, infuse money into local economies, create jobs, etc. You know...whatever they need it for. The bureaucracy's first duty will probably be the first (usually unstated) duty of any bureaucracy - to sustain the bureaucracy. I really hope this is flat wrong, but I fear it's right.
I am not for a second doubting that the EU will set up some huge and very dysfunctional and slow bodies employing thousands of public servants for verifying compliance and applying penalties.
My comment was on the need for bureaucracy within individual companies to separate how they deal with EU citizens and other customers. I don't expect that to be needed. If you set up data protection as specified within the GDPR, there is no need to also have a "less secure" database for the non-EU citizens; all your customers will benefit from it. If you create procedures to implement a right to be forgotten, then you can just apply them to anyone who asks. (Or you can choose to disregard such a request from non-EU citizens, but then you are choosing freely to open up some cans of worms - easier to just forget anyone who asks).
December 18, 2017 at 8:44 am
Hugo Kornelis - Monday, December 18, 2017 8:32 AM
My comment was on the need for bureaucracy within individual companies to separate how they deal with EU citizens and other customers. I don't expect that to be needed. If you set up data protection as specified within the GDPR, there is no need to also have a "less secure" database for the non-EU citizens; all your customers will benefit from it. If you create procedures to implement a right to be forgotten, then you can just apply them to anyone who asks. (Or you can choose to disregard such a request from non-EU citizens, but then you are choosing freely to open up some cans of worms - easier to just forget anyone who asks).
Completely agree with this. We deal with very few customers outside of the EU, but we're treating all our customers the same, regardless of whether they're EU or not (in fact, it would be more work to do otherwise). I really don't see the point of people splitting their EU customers out to a more "secure" environment; it's almost like they're saying "we don't mind if our American customers have their data stolen, because we won't get fined."
Like Hugo said, if we had a customer from a non-EU country ask us to "forget" them, we probably would, as we'd likely have to justify why we wouldn't, which would be more of a pain than "forgetting" them.
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk
December 18, 2017 at 10:42 am
Hugo Kornelis - Monday, December 18, 2017 8:06 AM
ZZartin - Monday, December 18, 2017 7:37 AM
On a side note is there some particular reason that the EU is doing this? Or is just an overly paranoid idea?
Privacy protection of their citizens.
(Grant's more cynical answer might also apply.)
That was my question, what caused this new law? Was there some major breach in the EU that warranted it or is it just paranoia? Or the cynical reason I hadn't even considered, because yes, persisting customers' information is a pretty major requirement for a lot of businesses....
December 18, 2017 at 11:08 am
ZZartin - Monday, December 18, 2017 10:42 AM
Hugo Kornelis - Monday, December 18, 2017 8:06 AM
ZZartin - Monday, December 18, 2017 7:37 AM
On a side note is there some particular reason that the EU is doing this? Or is just an overly paranoid idea?
Privacy protection of their citizens.
(Grant's more cynical answer might also apply.)
That was my question, what caused this new law? Was there some major breach in the EU that warranted it or is it just paranoia? Or the cynical reason I hadn't even considered, because yes, persisting customers' information is a pretty major requirement for a lot of businesses....
My understanding (FWIW) is that the EU legislators are increasingly aware that old privacy rules no longer apply in the current world. Modern technology enables things that old rules (and even fairly new rules) didn't cater for.
Also, my feeling is that a fairly large proportion of the EU population is concerned about privacy. Perhaps more than in other countries? Or the EU politicians have a more open ear for this? (I do personally think that a lot of politicians in a lot of other countries hold the interests of companies at a higher level than the interests of citizens).
Let's also not forget that this is not completely new law. Many countries already had privacy laws. The EU legislation is also an attempt to level the playing field within the entire EU, while also protecting EU citizens (and even visitors within the EU jurisdiction).
Fun fact: As I was researching the "right to be forgotten", I found US case law dating back to 1931 (Melvin v Reid, 1931)
December 18, 2017 at 2:57 pm
anthony.green - Monday, December 18, 2017 7:18 AM
Sergiy - Monday, December 18, 2017 7:03 AM
1. I have a Facebook account (registered to my personal email, so this falls under the definition of identifiable natural person).
2. I am an EU citizen.
Based on the two verifiable facts above, the obvious conclusion is that I have now given solid proof that Facebook holds personal records of at least one EU citizen. They will need to follow GDPR.
What course of action would you suggest I take to verify these 2 "verifiable facts"?
Can verify it by going and signing up for a Facebook account.
You're asked for your name, email, date of birth. Once done you can add in your current country of residence, hometown etc. All that would constitute a "data subject".
There does seem to be a lot of "grey" in GDPR at the moment and nothing crystal "black and white" in the standards; while they have provided guidelines it does seem to be open to interpretation and companies will implement it differently. It's not like PCI-DSS or SOX compliance where there are hard and fast rules you have to follow, but I guess this is to come with GDPR.
I personally don't have a Facebook account. How do you verify that I'm an EU citizen?
Name, DOB may be all made up. Email is a one-off gmail account created specifically for that particular registration.
As for "you can add" - check user profiles on this website. How many of them have the "Location" entry populated?
How can you base your business decisions on information of this kind of quality?
"A lot of grey" in terms of legislation means it cannot be really enforced.
Well, it could be, actually. Like they do in Russia and other totalitarian states.
_____________
Code for TallyGenerator
December 18, 2017 at 3:04 pm
Sergiy - Saturday, December 16, 2017 6:06 AM
Michael L John - Friday, December 15, 2017 7:18 AM
But, the astounding thing is that out of 6 candidates we have interviewed, only ONE had any understanding of the upcoming GDPR regulations.
The other 5 had never even heard of it. Wait, you mean to tell me you are an IT professional, and you have never even heard of this???
Why should they have?
GDPR is rather a legal subject, with very little relevance to technical implementations. It's a company lawyer who must understand it, not a report developer.
It depends on what function you're applying to, and how you profile yourself. If you are a junior report writer, you may get away with not knowing this. But if you are a data professional (and I consider every database-related job at mid-level and higher to ALSO include being a data professional), then you should be aware. If not to keep your management out of jail, then at least to protect yourself. You do not need all the fine details (that's what legal departments are for), but you should know the general idea of the GDPR.
See article 4, definitions:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
So, to be able to deliver goods to any EU address I have to collect all the info listed above from potential customers.
And they have to give it to me, in order to buy anything online.
Are you sure it's about protecting customers' privacy, not exposing their most detailed personal data to as many foreign entities as possible?
_____________
Code for TallyGenerator
December 18, 2017 at 3:13 pm
Sergiy - Monday, December 18, 2017 3:04 PM
So, to be able to deliver goods to any EU address I have to collect all the info listed above from potential customers.
And they have to give it to me, in order to buy anything online.
Are you sure it's about protecting customers' privacy, not exposing their most detailed personal data to as many foreign entities as possible?
I think you're missing the point. You don't have to collect all that data to conform to GDPR; you have to conform to GDPR if you collect ANY of that data. The two statements are not mutually exclusive.
Thom~
Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
Larnu.uk