[GLLUG] Charity WiFi, a bit off topic
james.dutton at gmail.com
Wed Mar 28 10:11:30 UTC 2018
On 28 March 2018 at 10:37, James Roberts via GLLUG
<gllug at mailman.lug.org.uk> wrote:
> On 27/03/18 17:14, Marco van Beek via GLLUG wrote:
>> Most of the technical requirements of the GDPR have been law since 2003.
> No that's not quite right.
> It's been in force for just under two years, but there has been a moratorium
> on enforcement which expires on the 24th of May 2018.
> The thing in force since 2003 is the Data Protection directive, which dies
> on the 25th. Much of it is similar, but there's the 'buts'
>> It's just that the fines are going up by a lot so people are finally
>> paying attention.
> Yes, but it's not just that. There's much more stringent requirements and
> there's no exclusions for small organisations (some still believe there are,
> due to a proposal in the drafts - the final issue now only excludes the
> requirement for some documentation for companies <250 employees).
>> Running an insecure network that holds personal sensitive data could be
>> considered negligent and the directors of the organisation could be
> Just so, and they will try to shift the blame to some scapegoat in IT. Or a
>> It's a bit like Y2K all over again. There are consultants out there
>> making a small fortune out of companies that should have known better.
> Too true. There's loadsa bull, but a real issue or two, and most at the very
> SMB end don't even seem to know it.
> I'm a consultant, though just IT general, not in GDPR, but have had to bone
> up on it to save my clients/myself. No one has paid me a €cent/dime/penny to
> do so, so far...
From the perspective of the OP.
Data protection is important.
If, by adding Wifi, you make it easier for someone to access someone
else's private data, when they should not have access to it, you WILL
be in trouble.
The way to pass the risk on to someone else is by using a contract or document.
You write in the document what you are going to do. I.e. Add Wifi type XYZ.
You highlight that it may have GDPR implications.
You get the other party to sign off, saying that they have taken
responsibility for any risks and will not hold you liable for any
reason, and wish you to proceed.
Then if it eventually turns out to be a GDPR problem, you can wave the
document and say that you highlighted that it might be a problem, and
they agreed to take any risk/liability associated with it.
You will therefore be protected from prosecution.
For your part, make sure you don't take any data off-site. E.g.
Network packet traces etc.