Talk for Article "World business prepares for EU data protection rule"

Talk about this Article

  1. [ This comment is from a user you have muted ] (show)

    This is the kind of projects that quality WikiTribune reporting should gravitate around. The kind of things you don’t pick up randomly elsewhere.
    But also keep reporting on the short news that big media forgets to cover. Keep it up

    1. [ This comment is from a user you have muted ] (show)

      Thanks for the support, Nino. We are trying all the time!

  2. [ This comment is from a user you have muted ] (show)

    Hey Lihn,

    Fantastic to see this being put together. I work in digital and this is a monumental piece of legislation. I’d like to introduce you to and suggest interviewing:

    Mariella Thanner, COO and Co-Founder of Cybersmart

    They are a UK startup that automates cyber compliance for SMEs. Cyber Essentials, CE+ and soon GDPR & PSI.

    Backed by GCHQ’s first cyber accelerator cohort, Seedcamp & CyLon.

    Let me know if you’d like an introduction.


  3. [ This comment is from a user you have muted ] (show)

    I am curious about whether the change will influence criminal investigation? Shall we also include some comments from law makers or prosecutors?

    1. [ This comment is from a user you have muted ] (show)

      I am also curious about this too. Do you have any lawmakers or prosecutors in mind you’d like to see comments from?

      1. [ This comment is from a user you have muted ] (show)

        Thomas Janovsky, the director of Attorney General Bamberg, and Markus Koths, a German police officer responsible for cybercrimes, may be suitable people.

  4. [ This comment is from a user you have muted ] (show)

    It is not only businesses and public bodies that will be affected. Private individuals will also have to be aware.

    I am a committee member of a local U3A group in the UK (University of the Third Age – playtime for the almost senile). Our group has just over 300 members – the total national membership is around 250,000 and there are 1,000 groups around the UK. As it is a charity, I have the status of a trustee, which is effectively, in legal terms, equivalent to being a director. At our monthly committee meeting this morning we discussed the changes from the DPA 1998 rules to the GDPR. There will be increased security requirements as well as re-educating people who have difficulties with electronic communications in the first place. We have a number of sub-groups, which are mainly educational, but some are social. For various reasons, including public liability insurance, each sub-group needs to keep a register of attendees, which should be communicated to a group co-ordinator.

    Attempting to convince 80-plus year old ladies (this is not sexist, most of the group leaders are female) of the necessity to submit data sheets each month is a losing battle! Many of them have no interest in “The Interweb”, as I have heard it called. As a committee, we are fairly confident that we will be compliant, but we are in the process of checking all our processes and risks for almost every file in the system, because almost all of them hold personal data.

    Now this may be seen as a “costless” process, because the U3A is a voluntary organisation. However, it can be extremely time-consuming and our Webmaster’s hairline has receded by an inch in the past few weeks!

    1. [ This comment is from a user you have muted ] (show)

      That’s very interesting to hear Peter. There does seem to be a generational gap on the importance of ‘personal data.’ What particular things do these ladies say to you when you try to convince them of the necessity of submitting data sheets?

  5. [ This comment is from a user you have muted ] (show)

    Seeing as the GDPR is coming out on the 25th of May, we have four ‘pre-anniversaries’ we can use (25th February, 25th March, 25th April, and then the 25th of May).

    It might make sense to try and publish a story about this on each date?

    My background is in law, and for the first date (25th February) I’m happy to write a research piece that looks at the history of data protection in Europe, how it compares with England and America (as two major common law systems in comparison to the EU civil systems), and what prompted the GDPR.

    Thoughts? Can other people commit to writing three more pieces?

    1. [ This comment is from a user you have muted ] (show)

      Hi Damiano, that’s a fantastic idea. The series might be more difficult to deliver considering time and getting people to do it, but I would definitely love to read the research piece you’ve suggested. Will it be an explainer type piece?

      When do you think you can get the piece done by? I’m happy to help any way I can.

      1. [ This comment is from a user you have muted ] (show)

        I was indeed thinking about an explainer.

        I’ll try and get it done by Friday 23rd and post it in the talk section so people can add anything they want?

        My background is much more on the European side, so any help with American treatment of privacy would be appreciated.

        1. [ This comment is from a user you have muted ] (show)

          No worries, I’ll connect you with our U.S. editor Chuck Thompson who is happy to help you edit the piece as well as provide an American perspective.

          What is your email address?

          And there’s no need to post it in talk, you can just save it as a draft which people are free to contribute to. Please read our journalism guideline to help you get started:

          1. [ This comment is from a user you have muted ] (show)

            I like the anniversary ideas and of breaking it down.

            I’d be interested to think through how you’d digest it though:

            I think there’s some work to be done around putting this in historical context. For those within Europe, some of the aspects people are most worried about are actually already in the European Directive.

            There is an argument to be made that there is little new about the consent requirements (was ambiguous consent ever really sufficient!?) but some EU countries never seemed to embrace a zealous approach to rights, this law is a clarification so there can be no misunderstanding… plus an enforcement regime to ensure boards sit up and take note.

            Then you can perhaps highlight what’s new separately (e.g. the new rights, the idea that it has a global jurisdiction if you want to hold data on EU citizens or sell into Europe!)

            1. [ This comment is from a user you have muted ] (show)

              Thanks for this. I think the question of whether this directive simply ‘repackages’ is an interesting one, and hopefully one that we can explore in our first ‘context’ piece. I’m in the process of starting to write it. It will be in the usual draft area. So feel free to head over and add anything you think pertinent.

    2. [ This comment is from a user you have muted ] (show)

      I am an informatician. Maybe my background can also be helpful in this series. What do you think if I write a report about IT companies? I think they own quite a lot of personal data. (Not so sure if these companies have something released though.)

      1. [ This comment is from a user you have muted ] (show)

        That could work – what specific things will you tackle in the report?

        1. [ This comment is from a user you have muted ] (show)

          I planned to write about marketing, but there is already a lot about it. Let me think a little bit more to find an interesting and novel topic.
          Any suggestion is welcome.

  6. [ This comment is from a user you have muted ] (show)

    For many the headline of ‘world prepares’ is a bit of a misnomer. I work with many businesses most of whom are at quite early stages of dealing with the issues raised by GDPR.

    In particular, there’s a great deal of confusion about what it means in practical terms and an assumption, for many, that as long as their intentions are honourable everything else will be OK. In reality, of course, this will be most people’s experience and so will justify their decision not to make many changes.

    That’s to miss an important opportunity, as well as to fail to properly mitigate the risks inherent in, basically, ignoring regulation. The opportunities arise because those that do this well will:

    – Talk to fewer people, but in a much more relevant way, so driving up conversions (to whatever the goal of the conversation was).
    – Be much clearer about what data will be used for and why it is important. Whilst that will put some people off it will increase confidence for those that choose to share (provided of course that it is only used in a stated way) – I think that will ultimately lead to more relevant sign-ups because the risk of being spammed will fall.
    – I think it will make companies more inquisitive about where internet-based data is stored, shared, and used since they will be responsible for the actions of those who provide services that they use.

    Those who do all of this well, do it transparently, do it with honour will get a much better result, and I think that may lead to GDPR being seen as the nudge the world needed to create a virtuous circle of openness and collaboration between companies and their (potential) customers.

    1. [ This comment is from a user you have muted ] (show)

      Thank you for your thoughts William, I agree that there is a great deal of confusion in practical terms, as it seems every company is expected to implement it in their own way.

      I’d love to hear more about how the businesses you work with are dealing with the issues raised by GDPR, despite it being quite early stages. Thanks, Linh

      1. [ This comment is from a user you have muted ] (show)

        Mostly, they are not dealing with them!

        I think there’s a lack of ownership of the issues. Sometimes management is delegating to people who don’t have the knowledge or authority to look across the whole business and it often sits in one department or division, with little oversight.

        I encourage leaders to take an interest in the opportunities rather than considering it a (solely) regulatory issue. Invariably once there’s a recognition that GDPR is also about being open and honest with the business contacts that matter, it becomes much easier to champion.

  7. [ This comment is from a user you have muted ] (show)

    Hope talk is the right place to share some background, opinions and links?

    I think it holds the potential to be a significant change, but that hinges on the regulator’s actions.

    If senior management buys in, you get a role who should be acting as an advocate for individuals’ rights, has a protected ability to report to board level and independently raise concerns.

    They should also be an ally for the business helping them navigate the legal complexities. Perhaps their most serious power is that if executives overrule a DPO they would need to account for why as part of a regulatory investigation. So they need to think carefully about their choices.

    Ultimately I think it’ll come down to enforcement. If many businesses (in the UK) ignore GDPR as they did DPA 98 then DPOs and the regulator is nowhere to be seen then a reasonably low ranking internal auditor may think twice about challenging senior management over their use of the “digital oil” that is data.

    Inversely an active regulator empowers the DPO to offer the carrot of helping them prepare for the inevitable whilst avoiding the regulatory stick.

    In the UK I sense the ICO is struggling. They are underfunded and pay less for case workers than the DPOs embedded in businesses, which concerns me.

    DPOs will only be a necessary ally for business connecting rights and freedoms if senior management fear a credible reputational risk (the public seem capricious about their privacy sometimes) or if the regulator scares them silly and a DPO is empowered to allay their fears.

    Good DPO resources for the UK:

    The ICO:

    The regulation itself:
    Article 37-39 + recital 97

    I also highly recommend the blogs as general sources and their authors as interview candidates:

    1. [ This comment is from a user you have muted ] (show)

      Hello Huw, thank you for your thoughts and the information you provided, I found them very helpful. Can you also expand more on why you sense the ICO is struggling?

      1. [ This comment is from a user you have muted ] (show)

        # One half is merely anecdotal:

        1. in the past few months I’ve called for advice on several occasions and been unable to get through after around 2-5 minutes. Earlier in 2017, wait times appeared much less.

        I’ve also rarely seen their web chat client available in recent months – which was usually always accessible in working hours. My suspicion is that staff providing advice may be heavily loaded currently. That page would need to be reviewed more systematically however to confirm a trend.

        Their website also went down for a period recently during working hours.

        We likely won’t know for sure until the publication of their next annual review in Summer (2016/17 version: which has stats on caseload and response times.

        2. Also whilst their advice is improving all the time, we’re still only just getting some key elements. You can see the development of the legal basis section on the waybackwhen machine:*/

        My personal view is that legal basis is the heart of this regulation, if you don’t know why processing is legal you won’t know how you can use it, share it, keep it or anything else. Yet this guidance is really still only just coming online. This has been a little nailbiting if you’ve been preparing across the year.

        # The other half is more deductive but very much an outsider’s view:

        Alongside the Annual Report we got the Information Rights Strategic plan for the UK (link:

        The commissioner identifies their own challenges (p4-5) as keeping up and growing their workforce at a time where these skills are in demand.

        I have no data on how successful they’ve been on that, but I suspect it’s hard. There are interesting comparisons to be made between the ICO vacancies page ( and rates for staff vs what you see advertised for expertise elsewhere, especially in the private sector. It must be a challenging time to recruit.

        Until October there was also uncertainty on the ICO’s funding model, at least externally. Currently organizations pay a fixed or discounted fee to gain an entry on a register (much like Companies House but for data protection). We’ve known for a while that would go, but not how the ICO would fund itself (note they do not keep receipt of any Civil Monetary Penalties).

        In this blog: we found out some, but not all of the details.

        I imagine they’ve been able to model scenarios and have had confirmations for a bit longer than we’ve known, but it can’t have helped to have revenue uncertainty or an unannounced funding model during a period where you needed to grow a workforce.

        So my use of ‘struggle’ is mostly me wondering how they could not be. They’ve got moving goalposts of legislation (the Data Protection Act is still in the Commons), pan-European advice (WP29 still publishing), their funding seemed unclear earlier this year, and they’re recruiting in a competitive market, with limited expertise offering Wilmslow wages where some big firms elsewhere are offering double.

        We’ll know for sure in the next annual report – until then every time I can’t get through on the support line I suspect they’re experiencing a challenge.
