[Finance] Thread for IT geeks and club administrators



Publius Ovidius

Well-known member
Jul 5, 2003
45,919
at home
Hi fellow IT people

What are your companies doing about the EU GDPR regulations being enforced properly in 3 months?

We have had consultants hassling all of us for the last 6 months and, due to the nature of the new regulations and the fines that can be levied, the US have taken it very seriously and are sending out "big stick" mails on a daily basis.

This is the bit that they are getting all jumpy about: "if you get a data breach (whatever your size) you can be fined 4% of your revenue, or 20 Million, whichever is the greater."

An example people are not aware of is that if you run a club that holds personal data, you need to encrypt your data to prevent unauthorised data breaches. I have a colleague who runs a Cub/Scouts pack and has encrypted all the data on the websites/databases he has to administer the groups.

Basically, it affects everyone, because the regulations are so woolly that no one really knows what is covered; you should see some of the crap I see on mailing lists from other ISPs and stuff. It's pretty much "if you have anything personal (and 'personal' may include even just an email) then you need to take all possible steps to prevent its disclosure to unauthorised persons."

What about NSC data? Bozza holds data on all of us, email addresses etc. I assume there are sufficient security measures taken by the hosting company to protect Bozza.
 


Publius Ovidius

Well-known member
Jul 5, 2003
45,919
at home
gdpr-info.eu
 


Jimmehh

Well-known member
Mar 21, 2016
758
Sussex by the Sea
My work are currently working on it - I'm not 100% sure what exactly is happening as of yet though - but seeing as we hold a lot of details about a lot of students etc., it's not going to be an easy job.

Already had to amend all of our application forms because we ask for too much info apparently... faff.
 


Beach Hut

Brighton Bhuna Boy
Jul 5, 2003
71,903
Living In a Box
Bozza no longer owns NSC, unless something has changed.

I thought NSC is owned by a holding company
 


Westdene Seagull

aka Cap'n Carl Firecrotch
NSC Patreon
Oct 27, 2003
20,938
The arse end of Hangleton
We hired a full time GDPR person to manage it where I work. Thankfully, with nearly 400 employees, we're big enough to absorb the cost. Could be a very different story for many smaller companies.
 




Bozza

You can change this
Helpful Moderator
Jul 4, 2003
55,575
Back in Sussex
Bozza no longer owns NSC, unless something has changed.

I thought NSC is owned by a holding company

Indeed, although I own the holding company. This structure was put in place in order to afford me some protection should bad stuff happen / people post bad stuff.
 


timbha

Well-known member
Jul 5, 2003
9,834
Sussex
Indeed, although I own the holding company. This structure was put in place in order to afford me some protection should bad stuff happen / people post bad stuff.

So you are still responsible for complying with the DPA and GDPR. I doubt (hope) you hold any sensitive info on us NSC people. The big financial services firms, which have hidden behind the lack of clarity and previous low fines, are very worried and are spending millions on consultants. Those who have done the right thing up till now have little to fear. A good move by the EU.
 


Lethargic

Well-known member
Oct 11, 2006
3,456
Horsham
I sit on the other side of the fence, working for a security consultancy, and surprise surprise some consultancies are looking to GDPR as a golden cash cow. It is true that there are changes and everyone needs to be more aware of personal data and the security around that data, but the ICO will not be issuing large fines to hundreds of companies come May. It is more about improving data protection and giving the ICO the teeth to pursue repeat offenders (some large corporates have been avoiding the issue for years).

The key is to be able to demonstrate that you have looked into the issue and have viable plans in place to address any issues. The fines may start in a couple of years' time when companies are seen not to be implementing their plans effectively or at all.

There is plenty of free information out there, but you will need to invest some time into assessing your own gaps and needs. Whether you do this in house or get a consultant is up to you, but you will need to do something.
 




Bozza

You can change this
Helpful Moderator
Jul 4, 2003
55,575
Back in Sussex
So you are still responsible for complying with the DPA and GDPR. I doubt (hope) you hold any sensitive info on us NSC people. The big financial services firms, which have hidden behind the lack of clarity and previous low fines, are very worried and are spending millions on consultants. Those who have done the right thing up till now have little to fear. A good move by the EU.

Yep, I am responsible.

I pay a premium to use a highly reputable hosting company that uses UK-based servers only and, as best I can verify, is diligent with patching and general security procedures.

I patch up NSC's software as soon as is practical to do so.

For GDPR I should prepare a few documents, just in case, but it will be light touch since NSC is a pretty simplistic model.

The only personal information NSC holds about people is email address and, if provided, date of birth.
 


Publius Ovidius

Well-known member
Jul 5, 2003
45,919
at home
It is a murky area for outsourcers that hold data for perhaps thousands of companies.

So, for example, outsourcer A has its own employees; it then provides hosting services for another 1000 companies that live on VMs in its cloud environment. So inside those VMs there may be personal data of thousands of users.

Whose responsibility is it to make sure that data is secure? If you are a managed services provider and will patch servers etc. as part of the maintenance contract, then it could be argued that it is your responsibility to make sure your clients' data is secure... but what happens if the client changes its configuration to one that cannot be supported by the outsourcer?

No wonder people are paying thousands to security consultants to work out who is covered and more importantly, what.
 


timbha

Well-known member
Jul 5, 2003
9,834
Sussex
Yep, I am responsible.

I pay a premium to use a highly reputable hosting company that uses UK-based servers only and, as best I can verify, is diligent with patching and general security procedures.

I patch up NSC's software as soon as is practical to do so.

For GDPR I should prepare a few documents, just in case, but it will be light touch since NSC is a pretty simplistic model.

The only personal information NSC holds about people is email address and, if provided, date of birth.

Thanks. You will probably have to nominate yourself as Data Protection Officer and notify the authorities (via your forms).
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
35,265
Ha! If my company, which relies on a lot of data, is anything to go by, there is a lack of planning for this change out there. No excuses, as it's been well publicised, but business units think corporate is doing something and corporate think business units are. Oops.

I do think it's too stringent though, at least for the smaller/voluntary organisations. The major change is not that you have to keep data secure (that's always been required); it's that you must gain explicit permission to use the data. If you intend to run a mailshot, you must tell individuals that's what it's for. It creates a problem if you never had a data cleanse and are relying on information gathered years ago when people signed up to your society or whatnot: you now have to contact them and ensure they agree to its use.

For somewhere like NSC that's never sent any email (right?) it's probably not an issue.
 




timbha

Well-known member
Jul 5, 2003
9,834
Sussex
I understand that some firms may have to attest as to whether they are GDPR compliant when it goes live in May. Squeaky bum time for many CEOs!!

MiFID, Solvency II, PPI and now GDPR - the big consultancy firms are raking it in.
 


Jul 7, 2003
8,571
I sit on the other side of the fence, working for a security consultancy, and surprise surprise some consultancies are looking to GDPR as a golden cash cow. It is true that there are changes and everyone needs to be more aware of personal data and the security around that data, but the ICO will not be issuing large fines to hundreds of companies come May. It is more about improving data protection and giving the ICO the teeth to pursue repeat offenders (some large corporates have been avoiding the issue for years).

The key is to be able to demonstrate that you have looked into the issue and have viable plans in place to address any issues. The fines may start in a couple of years' time when companies are seen not to be implementing their plans effectively or at all.

There is plenty of free information out there, but you will need to invest some time into assessing your own gaps and needs. Whether you do this in house or get a consultant is up to you, but you will need to do something.

Very well put Sir. There does seem to be a degree of scare mongering out there from some companies looking to make a fast buck out of this.

I work for a multi-national organisation which deals with a lot of very sensitive data, including that from the NHS. As we have had ISO 27001 for some years, although there has been a lot of work to meet the standard, much of this has been further strengthening things we have had in place for years.

For a lot of organisations, if you have had decent Data Protection policies etc in place then GDPR shouldn't be too much of a stretch.
 


Triggaaar

Well-known member
Oct 24, 2005
49,989
Goldstone
Indeed, although I own the holding company. This structure was put in place in order to afford me some protection should bad stuff happen / people post bad stuff.
Are we still allowed to call Zaha a diving cheat?
 


Springal

Well-known member
Feb 12, 2005
23,710
GOSBTS
Interesting that some corps, such as Wetherspoons, have 'opted out' and completely removed their mailing lists etc. Easier to do that than try and manage it.
 




Publius Ovidius

Well-known member
Jul 5, 2003
45,919
at home
Interesting that some corps, such as Wetherspoons, have 'opted out' and completely removed their mailing lists etc. Easier to do that than try and manage it.

Doesn't Wetherspoons own Costa coffee shops? If so, I get mail shots from them as I have a Costa card.
 


Springal

Well-known member
Feb 12, 2005
23,710
GOSBTS
Doesn't Wetherspoons own Costa coffee shops? If so, I get mail shots from them as I have a Costa card.

No, Wetherspoons is just them and Lloyd's Bar.

Costa is owned by Whitbread.
 
