bigdunk

"A set back of the twin regime is it means factories have to run two different production lines." That's some fabulous cutting of 'EU red tape' there, lads .

They also need to explain why they're willing to renege on an international agreement re the Ireland border, actually find some way to put border checks in place (given the sheer number of crossings, it's almost impossible), explain that the increased costs and unpredictable delivery times due to additional customs checks will make our exports significantly less attractive to the rest of the EU (almost certainly resulting in business closures/relocations and job losses), and explain why the massive disruption to our transport system caused by the customs checks is causing supply issues (especially if it results in food shortages, which it almost certainly will in the short term). And of course, they will also to explain why they spent the last 2 years claiming that none of this would happen. I imagine there's going to be quite a few angry leave voters when they find out they are getting very little of what they were actually promised.

That was always going to be the problem - the arguments for remaining are all rational ones, the arguments for leaving are all emotional ones. It's impossible to have a clear, productive discussion about co-operation for mutual benefit and shared ideals etc, when the other side is singing Rule Britannia at ever-increasing volumes. And now they they have won, they need to convert those emotional ideas into actual, rational policies, and it's all falling down around them. And FWIW, I don't think that remainers have slunk off, it's more that they're being sidelined because the arguments are still the same as during the referendum and the major news outlets aren't interested in 're-running the referendum'. The difficulties of post-Brexit customs are exactly the same now as they were 2 years ago, but anybody trying to point this out gets shut-down with 'we won, get over it' or similar. The only actual, rational solution to the Irish border problem is staying in the EU, and it's the one answer that isn't really capable of being discussed, and so on.

Thanks, that's good to hear . And yeah, that's what we've been told about the ICO as well. We think we're doing everything sensibly and we have our rationale documented for everything, so at least we have a decent base to make any case from.

We're the polar opposite of that - 9 full time employees at the moment, and we have nobody on staff with any real expertise in this. And trust me, I've been over the stuff on the ICO website more times than I can count in the last few months. We could go round this endlessly - is a school providing a bursar's contact because they want to tell us how we can invoice them, or are we collecting a bursar's contact because we want to help them to pay us. And I think a lot of companies are going to be in this kind of situation - I know a bunch of companies that we use for various things have my work contact details (that we have chosen to provide, as I'm the most suitable contact here), but I wouldn't choose to class them as data processors of ours, and I don't think they would either. When it comes down to it, we aren't doing anything massively dodgy (the data is all held securely in the UK, we're very clear on the website about what we do with all of the data, we're not passing it to 3rd parties bar our web host and so on), so any potential GDPR issues are hopefully going to be minor.

Like I said, it's not really clear either way - we can see their point about us being a processor, we just don't agree on it. The difference between the first and second part is on who's behalf the data is being processed. Having school contacts is for our benefit, and we are determining the reasons for processing etc (paying invoices, contacting the school about their subscription, informing teachers of updates to their subscription etc). The cases where contacts change does complicate things even more (and we tried to get a straight answer on this very point from the ICO, but they're basically useless). There's no consistent pattern to how it happens either (sometimes we contact the school and confirm who they want listed on their accounts, sometimes a new contact will get in touch with us, sometimes someone else at the school will ask for a new person to be added, and schools can also manage their own contacts in an admin area of the site), but we always try and get consent from anyone we add (if we don't already have it), and will remove personal data immediately if asked (and automatically if they've expired a while ago). And we would happily carry on with a generic admin@ or office@ email address if the school wanted it (assuming we were getting responses back from it when necessary).

They've all agreed to our terms and conditions at the point their subscriptions started, but it's not remotely clear whether that's 'good enough' or not. We haven't pushed it because we don't think it's necessary. They only seem to be pushing it because they've been told by their Local Education Authority that they have to, but no one at the schools we've spoken to actually knows enough to go against their LEA. They've been told that their suppliers must do X, Y, and Z, and if they don't, you can't use them. And we don't want to lose customers by arguing GDPR specifics with them. Basically, the only personal data we collect from schools is contact details for a few key staff members - a primary point of contact for the account, maybe some teachers so we can update them when we change things (with their consent), and bursars/financial staff to handle invoicing etc. We don't require any other data from them to deliver the service (no individual logins for staff members, no pupil records etc). So as far as we're concerned, we're processing the data on our behalf to deliver our service to them, so we're the controller. They're convinced that they're handing staff details to us so we're a processor. The thing that slightly complicates things is that teachers can customise stuff a bit, and pupils can save work to carry on later, and sometimes they can involve people's names (I.e. Making a custom profile for a specific child, or saving a work with a name as the file name). And in these cases, we probably are a processor. So we've settled on claiming to be a controller for the first part, and a processor for the second, and that's clearly documented in our terms etc. It's just that schools aren't always agreeing on the first part.

Yeah. The thing that complicates everything is that our school customers are convinced we're a data processor of theirs, in which case we would need their permission to share their data with a sub-processor. We're convinced we're not a data processor, we're the data controller and they're just a customer of ours, in which case it's entirely up to us to ensure that we're happy using the hosting company. We've settled on claiming to be both a data processor and controller for various cases, and been up front in our terms and conditions/privacy policy that we use them. But it's not remotely clear that what we've done is the correct way to approach things.

It standardises a lot of stuff across the whole EU, it formalises a bunch of stuff that people probably should have been doing anyway, and massively bumps up the fines for non-compliance. On paper it's all good stuff, but it seems to have been written with no idea of how modern tech companies actually operate. Plus if you are doing anything remotely unusual (i.e. not a factory making and shipping widgets to customers), it can descend into an arcane mess of trying to figure out who is actually responsible for owning and processing data, and there's quite often not a clean, simple answer. And if both sides come up with different interpretations (and with no legal precedent to clarify things at the moment), it's just unworkable.

We've had an absolute nightmare with this. At one stage we were told by the official ICO helpline that, unless we could get clear written permission from every single one of our customers (800 odd schools in the UK), we weren't allowed to use an actual web hosting company to host our website, we'd have to set up our own web servers on our own property. Thus making our service less secure, less reliable, and probably more expensive. Needless to say, there's no way we are complying with that.

They also make passports for a load of other countries. And obviously if they all decided to follow the same sort of protectionist policies that Leavers seem to be wanting, De La Rue would probably be down by far more than they'd gain from this one contract.

"Global Britain" in action. This is what they voted for, right? Right?

When your majority is as slim as May's is, every MP can demand whatever they like.

I think he's saying he finds it pretty easy to disagree with Mogg. I certainly do on most things.

Except we're not talking about keeping current standards. The US will absolutely demand that we drop standards if we want a trade deal with them. Of course, there's no way we can do that and keep the Irish border open, so who knows what will happen there. Just because we can't 100% feed ourselves doesn't mean we should destroy what farming we do have by dropping tariffs. What do you think is going to happen if there's no domestic food production? Foreign producers will be able to jack up their prices without competition, and if there's ever a food shortage (as has happened here with certain imported foods when therr have been poor harvests) foreign producers will focus on feeding domestic markets, not us. And for all that, the vast majority of food we import either comes direct from the EU, or via an EU trade deal, meaning no tariffs anyway.