Comment

GDPR is the biggest load of horse dung I've ever had the misfortune to waste hours of my life reading and trying to understand (together with the Data Protection Act 2018 and its schedules).

I consider myself a reasonably intelligent person, able to understand complex legislation. And I still haven't the foggiest idea of how the GDPR is supposed to work in practice.

It starts from the beginning. What is personal data? Art 4.1:- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).

Which means what, exactly? It's about as meaningful as "Brexit means Brexit". The article goes on to give specific (but not exhaustive) examples of what information means in this context. It includes any information that can be identified by reference to an "identifier" (which itself includes a name or reference number, but also includes one or more factors specific to the physiological, mental or cultural identity of that natural person).

???

What on God's earth is information referenced by an identifier that does not include a name or reference number but includes a mental or cultural identity of a natural person?

So in a divorce case, for example. I have information about, say, my client and the opponent. And the client advises me that the opponent has an adult child from their previous marriage. But, let's say, I do not have their name. That adult child is a natural person. I hold information about them. And I can reference them by their cultural identity (namely the identity of one of their parents and the fact of the individual being their child).

So that seems to suggest I owe GDPR duties to that person, including their rights to be informed of the data and their right to object to processing (albeit that I could justify non-informing on various grounds and may be able to over-ride their objection). And if they ask, I am required - free of charge - to search for and identify any information that "relates" to them, and at the same time redact any information that "relates" to anybody else.

And what actually constitutes their information or personal data? Is their primary key used internally on the PostgreSQL database against the file their personal data? What about the SMTP headers on the email they sent me? The fact of a letter having been scanned in on a certain day? Or the graphical representation of that letter on the database? Or the physical piece of paper itself, if that paper has information that can't be identified as easily from the scanned-in copy?

The whole thing is a bureaucrat's dream.

And the ICO guidance in most cases seems to be regurgitating the text of the GDPR and then saying "you need to consider whether X, Y, or Z".

No! I don't want to consider whether my rights to process justify overriding rights to stop processing (or whatever). I want you to ****ing tell me what I can and can't do!!!
