
Thread: GDPR stuff

  1. #21

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,138
    That sounds far more sensible.

    Then if person X comes back with a more specific request, e.g. "having reviewed the headers I would like to see these emails between Alice and Bob between date Mu and Kappa", we can actually work together.

    We need to nail this down, as a bunch of stroppy union members are about to start being fucking assholes just because they can.
    (I am relatively pro union in general but fuck these guys, they give them a bad name.)
    Please don't teach me what to do with my pc.

  2. #22
    Saul's Avatar
    Join Date
    April 10, 2011
    Posts
    2,244
    Actually looking back at one of elmicker's earlier responses he said virtually the same thing. For me personally I'm not convinced I'd give them the metadata either, at least not for the whole dump. What's to stop him searching a few specific senior management email addresses in the list and then asking for those? All you've done is kicked the can down the road a ways.

    Surely the company has a legitimate interest in discussing employee performance etc.?

  3. #23

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,138
    Quote Originally Posted by Saul View Post
    Surely the company has a legitimate interest in discussing employee performance etc.?
    The persons is literally paranoid that they've not been promoted for 12 years because of a senior management plot to keep him under the thumb.
    GDPR has him frothing in the pants to demand we SHOW THE EMAILS PROVING HE IS RIGHT.

    Once they are shown, proving him wrong, said persons will get very agitated and threaten us with more stuff.
    (it's a college, we are quite good at not promoting people for a decade.)

    IIRC there is nothing illegal about discussing someone over email.

    Anyway, thanks for the input dudes. I'll go back to HR and say "no he can't have every email ever with his name in that's not how GDPR works" and see what happens.
    Last edited by Itiken; May 31 2018 at 09:44:43 PM.
    Please don't teach me what to do with my pc.

  4. #24
    Joe Appleby's Avatar
    Join Date
    April 9, 2011
    Location
    in front of the class
    Posts
    13,790
    This is relevant to my interests and our school is wholly unprepared and our school board only now sent out their updated rules for us to follow. Some of those are questionable tbh.
    My favorite that stuck was the need for https on our school website. Usually I'd agree, but ours doesn't have a contact form, just contact details and we don't have a way for users to register or something. I assume we have https anyway, but still...

    Tapapapatalk
    nevar forget

  5. #25
    Saul's Avatar
    Join Date
    April 10, 2011
    Posts
    2,244
    Detailed guide as to what constitutes personal data here:

    https://ico.org.uk/for-organisations...personal-data/

  6. #26

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,138
    Quote Originally Posted by Joe Appleby View Post
    This is relevant to my interests and our school is wholly unprepared and our school board only now sent out their updated rules for us to follow. Some of those are questionable tbh.
    My favorite that stuck was the need for https on our school website. Usually I'd agree, but ours doesn't have a contact form, just contact details and we don't have a way for users to register or something. I assume we have https anyway, but still...
    I feel for you man. Have you managed to stop the "cyberEssentials" sharks from circling your wagons?
    Please don't teach me what to do with my pc.

  7. #27
    Daneel Trevize's Avatar
    Join Date
    April 10, 2011
    Location
    T L A
    Posts
    12,328
    Quote Originally Posted by Joe Appleby View Post
    My favorite that stuck was the need for https on our school website. Usually I'd agree, but ours doesn't have a contact form, just contact details and we don't have a way for users to register or something. I assume we have https anyway, but still...
    HTTPS helps ensure integrity, it's not just about private transfer of data. It'll stop ISPs injecting dodgy adverts on pages parents & kids would reasonably view, it'll stop someone subverting the correct contact details seen on a given LAN with ones to prank or phish via (think some popular open wifi nearby, like a café area). And it takes seconds to set up with LetsEncrypt/certbot, for free.
    Quote Originally Posted by QuackBot View Post
    Idk about that, and i'm fucking stupid.

  8. #28
    Donor erichkknaar's Avatar
    Join Date
    April 9, 2011
    Posts
    10,279
    Quote Originally Posted by Daneel Trevize View Post
    Quote Originally Posted by Joe Appleby View Post
    My favorite that stuck was the need for https on our school website. Usually I'd agree, but ours doesn't have a contact form, just contact details and we don't have a way for users to register or something. I assume we have https anyway, but still...
    HTTPS helps ensure integrity, it's not just about private transfer of data. It'll stop ISPs injecting dodgy adverts on pages parents & kids would reasonably view, it'll stop someone subverting the correct contact details seen on a given LAN with ones to prank or phish via (think some popular open wifi nearby, like a café area). And it takes seconds to set up with LetsEncrypt/certbot, for free.
    +1
    meh

  9. #29

    Join Date
    May 31, 2011
    Posts
    3,831
    Quote Originally Posted by erichkknaar View Post
    Quote Originally Posted by Daneel Trevize View Post
    Quote Originally Posted by Joe Appleby View Post
    My favorite that stuck was the need for https on our school website. Usually I'd agree, but ours doesn't have a contact form, just contact details and we don't have a way for users to register or something. I assume we have https anyway, but still...
    HTTPS helps ensure integrity, it's not just about private transfer of data. It'll stop ISPs injecting dodgy adverts on pages parents & kids would reasonably view, it'll stop someone subverting the correct contact details seen on a given LAN with ones to prank or phish via (think some popular open wifi nearby, like a café area). And it takes seconds to set up with LetsEncrypt/certbot, for free.
    +1
    Add to that the fact that Google will reverse the way they flag sites in Chrome.

    As of now, they mark HTTPS sites as "safe". As of July (2018), HTTPS will be treated "as the standard", i.e. no special optical flagging anymore. Instead, HTTP sites will be marked as "not secure": https://security.googleblog.com/2018...e-to-stay.html

  10. #30

    Join Date
    May 31, 2011
    Posts
    3,831
    Quote Originally Posted by Joe Appleby View Post
    This is relevant to my interests and our school is wholly unprepared and our school board only now sent out their updated rules for us to follow. Some of those are questionable tbh.
    Don't worry, you're in good company. Just that your employer can't get bankrupt by not complying ...

    Our (worldwide operating) company undertook these enormous steps to ensure GDPR compliance:

    - Wait
    - Wait a bit longer
    - Dec 2017: sent out note stating "we'll start looking into this matter in Feb 2018 and will start acting in Apr 2018"
    - Mar 2018 "We've looked into every relevant part, spoke with every person involved in data collection and will now act upon". (Note: no one spoke to me, doing inhouse programming that mostly deals with shuffling data from system A to system B, including lots of customer data)
    - May 2018 "we're done, kthxbye. And oh - we're looking for ways to circumvent that pesky thing"


  11. #31

    Join Date
    April 13, 2011
    Posts
    6,184
    Quote Originally Posted by Itiken View Post
    I'll go back to HR and say "no he can't have every email ever with his name in that's not how GDPR works" and see what happens.
    If they're any good at their jobs they'll come back with "sorry but that's exactly how GDPR works". If they're identifiable in the email or the email is about them then you've got a record containing their personal information and you must make every effort to turn it over. This is exactly what a SAR is supposed to achieve. You must also make allowances for the privacy of other people (e.g. through redaction, consent) and consider whether records are relevant to the SAR (e.g. was the email sent in an official or private capacity, is it covered by one of the exemptions) but in general you must disclose everything you hold related to that person.

    Yes this is hard, yes this is why you shouldn't use email as a system of record.

  12. #32
    Joe Appleby's Avatar
    Join Date
    April 9, 2011
    Location
    in front of the class
    Posts
    13,790
    Quote Originally Posted by Itiken View Post
    Quote Originally Posted by Joe Appleby View Post
    This is relevant to my interests and our school is wholly unprepared and our school board only now sent out their updated rules for us to follow. Some of those are questionable tbh.
    My favorite that stuck was the need for https on our school website. Usually I'd agree, but ours doesn't have a contact form, just contact details and we don't have a way for users to register or something. I assume we have https anyway, but still...
    I feel for you man. Have you managed to stop the "cyberEssentials" sharks from circling your wagons?
    The what?

    To the others: thanks for clarification.

    Tapapapatalk
    nevar forget

  13. #33

    Join Date
    May 30, 2011
    Location
    asleep
    Posts
    6,138
    Suppliers are going to start demanding you have a CyberEssentials certificate, so you have to find a bunch of conmen who will cyberaudit your company and recommend cyberupdates and cyberpolicies and cyberimprovements.

    it's somewhere between a massive con, and mildly useful depending on the state of your IT + IT policies.

    I got into an argument with the bloke who came to our place because:
    - failing to understand the difference between a penetration test and a vulnerability assessment.
    - their ideas of password policy is stupid
    - windows firewalls are a hot thing according to their spreadsheet....

    it's all very and
    Please don't teach me what to do with my pc.

  14. #34
    Joe Appleby's Avatar
    Join Date
    April 9, 2011
    Location
    in front of the class
    Posts
    13,790
    Quote Originally Posted by Itiken View Post
    Suppliers are going to start demanding you have a CyberEssentials certificate, so you have to find a bunch of conmen who will cyberaudit your company and recommend cyberupdates and cyberpolicies and cyberimprovements.

    it's somewhere between a massive con, and mildly useful depending on the state of your IT + IT policies.

    I got into an argument with the bloke who came to our place because:
    - failing to understand the difference between a penetration test and a vulnerability assessment.
    - their ideas of password policy is stupid
    - windows firewalls are a hot thing according to their spreadsheet....

    it's all very and
    We are a school. Our IT department is a retired teacher (who will stop this summer as his wife also retires), a physics teacher and a former student now tech that comes help once a week. And we have no budget for that.
    nevar forget

  15. #35

    Join Date
    April 13, 2011
    Posts
    6,184
    Quote Originally Posted by Itiken View Post
    Suppliers are going to start demanding you have a CyberEssentials certificate,...
    And to think we binned CESG for this shit.

  16. #36
    Caldrion Dosto's Avatar
    Join Date
    November 19, 2011
    Posts
    2,034
    Itiken, seems you're out of luck: if you have a record of something which mentions an identifiable person you have to turn it over.

    “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
    Of course you can quote whatever bs reasons you want and hope it takes too long/effort to take you to court though.

    I'm pretty sure most companies should now put into effect a policy of deleting emails frequently to avoid this shit.

  17. #37
    Lana Torrin's Avatar
    Join Date
    April 13, 2011
    Location
    Bonding around
    Posts
    18,444
    Quote Originally Posted by Saul View Post
    personally I'm not convinced I'd give them the metadata either
    This.. If the email doesn't constitute their personal data I fail to see how the headers for that email do.
    Quote Originally Posted by lubica
    And her name was Limul Azgoden, a lowly peasant girl.

  18. #38
    Movember 2011Movember 2012 Nordstern's Avatar
    Join Date
    April 10, 2011
    Posts
    9,002
    "Holy shit, I ask you to stop being autistic and you debate what autistic is." - spasm
    Quote Originally Posted by Larkonis Trassler View Post
    WTF I hate white people now...

  19. #39

    Join Date
    April 13, 2011
    Posts
    6,184
    Quote Originally Posted by Nordstern View Post
    See also: consent popups that now read:

    Manage Continue
