13 comments

[ 2.8 ms ] story [ 39.1 ms ] thread
Jean Claude Juncker is a great leader for us in Europe and I think he will fix this very soon.
The title is kind of misleading considering that the article clearly states that GDPR doesn't apply to European institutions. (Apparently European institutions are "'separate' from GDPR for 'legal reasons'" and "subject to a new law that 'mirrors' GDPR which will come into effect in the autumn".)
Yes, since GDPR only applies for non-regulated areas where no other law is effective. In the EU government there a bunch of other laws effective which overrides GDPR.
I am not surprised and It’s even worse: important parts of European countries themselves aren’t ready as well. In the Netherlands parts of the taxes and even the authority that is going to do the checking.

I’ve been doing quite a few GDPR projects, even a GDPR website for a Dutch GDPR lawyer that used to be a developer and specializes in GDPR for small/medium American/Canadian SaaS and App companies. A lot of companies doing business in the EU need someone guiding them through the process and a EU Representative as well. The big companies charge you an arm and a leg. If your GDPR guy knows the tech scene and understands code and systems, it can really speed things up!

This all GDPR market is all bullshitting. There are no guidances and nobody really knows how to implement it as law is vague. "GDPR guy" is a snake oil salesman.
A “GDPR Guy” isn’t necessarily snake oil if you had a person or a team that their job was to work with a DPA prior to the GDPR to implement previous data protection regulations.

That relationship is very important as it’s essentially a lobby.

However beyond that it’s very hard to definitely make any claims and currently also use lawful basis other than consent that are not tied to pre-existing contracts.

Other parts of the law like those which refer to anonymization including pseudo-anonymization, deletion and processing halt are also very tricky to implement currrently in a guaranteed manner.

For example if I pseudo or fully anonymize a piece of information what is the benchmark that i need to ensure that it’s complaint?

How resilient does it need to be against cross referencing? Specifically for examples how many additional pieces of information does one need to de-anonymize my information before my process is consider non complaint?

Do I need only to consider information that i collect or process in this benchmark? Or do I need to evaluate my process against any potential information that can be gathered about a data subject by any other party?

There are guidances. The ICO for example.

You might misunderstand law in general. Much of it is expert guidance. For complex areas, like GDPR, you might have 3 lawyers with 5 different ideas. Most law is educated guesswork until it reaches court.

They were hacked. This doesn't imply they were not complying with the GDPR.

The fact that this leaked addresses of people also doesn't imply anything special. A webshop, for example, also needs to store addresses of people temporarily.

Quite a lot more permanent than you would imagine, say a purchase goes wrong and there is a fraud investigation etc. so most countries have laws that require such shops to have the info for at least a year or two.
Yes, but you don't store it in plain text using excel files.
They were not. Someone just searched for all excel files with personal information on their thousand+ websites and found hundreds of examples with names, addresses and phone numbers of ordinary citizens.
I don't think you really understand GDPR if you think that you can just "store" the information and be compliant.

It's not only about what data you store.

It's about how the data is stored and who has and can get access to it.

The fact that they stored it in excel files is already a big red flag.

They were not compliant with the cookies law either. They did not show warnings that other websites show and they used Google Analytics years after cookies law went into effect.

Also, look at europa.eu now. See the cookie law popup? I don't.