
GDPR help

when there is so much actual internet crime going on. Attribution is next to impossible. To spunk so much money up the wall to protect what most people will willingly give away for an app that makes your face into a cat. Absolute waste of time.

What angle are you coming at this from? Are you in charge of people's data and would you have any reason for contacting ICO in your line of work?
 
Was the MAC changed on the data? Shellbags. Open/save MRU?

What was accessed?
By whom?
When, for how long?
What happened to that data, was it copied?

Make the assessment first.
What if someone were to boot the machine into Linux from a USB pen, then mount the drive read only and copy the data, how would you know it had been accessed?
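An added example (not from the thread) of the first check in the list above: snapshot the MAC times of a file tree and diff it against a later snapshot to see which files were touched. The caveat in the last question applies: an offline read-only copy leaves these timestamps untouched, so an empty diff is not proof of no access. Paths and names are assumptions.

```python
import os
import sys
import json
from pathlib import Path

def snapshot_mac_times(root):
    """Record (mtime, atime, ctime) in nanoseconds for every file under root.

    Paths are stored relative to root so two snapshots of the same tree can be
    compared even if the drive was mounted at a different mount point."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()  # stat() itself does not touch atime
            snap[str(p.relative_to(root))] = {
                "mtime": st.st_mtime_ns,  # content modified
                "atime": st.st_atime_ns,  # content read (only if the mount updates atime)
                "ctime": st.st_ctime_ns,  # inode/metadata changed
            }
    return snap

def diff_mac_times(baseline, current):
    """Return {relpath: [what changed]} for files whose timestamps moved,
    plus files that appeared or disappeared since the baseline.

    Absence of an atime change does not prove the file was not read: a read-only
    mount, or a noatime/relatime mount option, leaves atime as it was."""
    report = {}
    for rel, times in current.items():
        old = baseline.get(rel)
        if old is None:
            report[rel] = ["new"]
            continue
        changed = [k for k in ("mtime", "atime", "ctime") if times[k] != old[k]]
        if changed:
            report[rel] = changed
    for rel in baseline.keys() - current.keys():
        report[rel] = ["missing"]
    return report

if __name__ == "__main__":
    # Assumed usage: python mac_diff.py baseline.json /mnt/evidence
    # First run writes the baseline; later runs print the differences.
    baseline_file, tree = Path(sys.argv[1]), sys.argv[2]
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(snapshot_mac_times(tree), indent=1))
    else:
        old = json.loads(baseline_file.read_text())
        print(json.dumps(diff_mac_times(old, snapshot_mac_times(tree)), indent=1))
```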
 
What if someone were to boot the machine into Linux from a USB pen, then mount the drive read only and copy the data, how would you know it had been accessed?
And then they would know something about someone.
Given how widely used social media is, I don't think minor things like this are worth a toss reporting to the authorities. There's some process stuff that needs updating and an idiot needs retraining.
 
There is a lot of could, should here and few facts

This is what the ICO wants when you report a breach:

Personal data breaches

Reportable breaches have to put someone at risk

“When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it.”
 
There is a lot of could, should here and few facts

This is what the ICO wants when you report a breach:

Personal data breaches

Reportable breaches have to put someone at risk

“When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it.”
Ahem...
It's undoubtedly a data breach. Whether or not it's reportable will depend on the likelihood and severity of any consequences. Which, in turn, depends on what the data was, and who it was leaked to. Can you tell us that?
 
And then they would know something about someone.
Given how widely used social media is, I don't think minor things like this are worth a toss reporting to the authorities. There's some process stuff that needs updating and an idiot needs retraining.
People generally don't post their credit card details on Facebook.
Also, posting things to Facebook is voluntary. Having your private data leaked to a third party isn't, and failing to report it could land someone in a world of shit, not least the person whose data was leaked.
 
Well, you all fail.

We're the data processor, not the controller, so it's not even up to us to report the breach. Shan't be taking advice from any of you lot again! :D

Anyway, cheers for all the input, it was more that I wanted to provide the right advice to the customer.

Some of you though need to go take a course on assessing risk.
 
It's undoubtedly a data breach. Whether or not it's reportable will depend on the likelihood and severity of any consequences. Which, in turn, depends on what the data was, and who it was leaked to. Can you tell us that?

I can't say too much about what the data was and (see above) I actually need the customer to make that assessment. You deserved a response though.

Suffice it to say that we are talking about the details from one small organisation being leaked to another even smaller organisation, utterly unrelated. I think the likelihood of any consequences is extremely low, but the severity is probably medium.
Anyway, not my call!
 
Well I think we are all judging this on the incident that has been explained? The data could have been copied and even someone being able to view someone else's data is reportable in my experience.

The fact the second customer is aware would make me want to prove that I've done everything I can. If I was that customer and I knew about GDPR I would be expecting them to report it and potentially considering reporting it myself if they didn't.

I've reported to ICO by the way and have to handle a lot of people's sensitive data in potentially high risk situations in the community. Maybe I am just twitchy?

Fucthest, your company must have a clear policy on this?

You also deserve a response. Yeah, we have a policy, which is - per the regs - what's the risk? Which was the part I was struggling with, per my OP "I want to believe that the "risk to people" is actually low ..." and having slept on it I still think it is.
Again though, not actually my call!
 
I can't say too much about what the data was and (see above) I actually need the customer to make that assessment. You deserved a response though.

Suffice it to say that we are talking about the details from one small organisation being leaked to another even smaller organisation, utterly unrelated. I think the likelihood of any consequences is extremely low, but the severity is probably medium.
Anyway, not my call!

Obviously you can't give the detail of the data, but in the broadest terms is it more like e.g. names and addresses, than, say, medical notes or bank details? (Severity)

Have you had any assurances from the receiver of the data re who's seen it at their end, and what's been done with it? (Likelihood)
 
Well, you all fail.

We're the data processor, not the controller, so it's not even up to us to report the breach. Shan't be taking advice from any of you lot again! :D

Anyway, cheers for all the input, it was more that I wanted to provide the right advice to the customer.

Some of you though need to go take a course on assessing risk.

This is wrong - you have an obligation to report it to the controller, possibly even a contractual one
 
This is wrong - you have an obligation to report it to the controller, possibly even a contractual one

See the part in the post you quote where I talk about providing advice to the customer?

Do some inferring. You can do it.
 
Obviously you can't give the detail of the data, but in the broadest terms is it more like e.g. names and addresses, than, say, medical notes or bank details? (Severity)

Have you had any assurances from the receiver of the data re who's seen it at their end, and what's been done with it? (Likelihood)

Yep, having recovered the drive yesterday and met with both customers, they* believe there is a very small amount of really sensitive data, but the likelihood of it having made it off the drive is low, vanishingly so. You'll just have to take my word for that, not going into even the vaguest details.

Customer whose data it is has made the decision not to report - yet - while we do forensics on what's been accessed to confirm what we've been told

Should be fine. Phew!

*The customer whose data it is
 