
GDPR regs - how are you all dealing with it?



Not wishing to divert the thread, but this all reminds me of Year 2K, & the stupidity & money-wasting surrounding that.

 

I think I may be the only person that believes that part of the reason that Y2K was a non-event was because people had actually checked their systems and fixed any problems they found.

 

You aren't, but it's a useful stick for the media to use to beat support/tech people with - nothing happened so why the panic? Err, well, nothing happened because we spent a long time making sure it wouldn't.

Indeed - there WAS a lot of noise made over Y2K and the potential problems but that was VERY different from this GDPR cattle train in that on the whole, the reason it didn't cause massive problems was the fact that most respectable IT companies did spend the time and money investing in solutions before the problem became a problem. I know we spent a lot of time on BT preparing for the worst but experiencing NO major issues across a global company. (And yes, I was one of those who made silly money being on duty in a fault repair centre over the new year's night).

 

This GDPR as I said is a laudable target to aim at but it's not a 'fix it or we'll crash every computer in the world' scenario - it's a 'fix it or we'll find a way to sue you' kind of thing. And as different people interpret the rules in different ways from different angles the whole thing feels like a disaster waiting to explode...


This GDPR as I said is a laudable target to aim at but it's not a 'fix it or we'll crash every computer in the world' scenario - it's a 'fix it or we'll find a way to sue you' kind of thing. And as different people interpret the rules in different ways from different angles the whole thing feels like a disaster waiting to explode...

 

I too looked at the ICO material and my flip reaction was that for the small enterprise the easiest way to deal with it would be to print out all the information, buy a filing cabinet, put it all in the drawer in named files, then erase any digital versions. Then compliance would be straightforward if old fashioned - provided you keep the thing locked up! In reality for most SMEs and one-man bands it's a question of doing as you would be done by and a bit of common sense I think. I think the early post by IRW hits the nail on the head. No open cc lists on emails, no sharing of contacts even with benign motives, that sort of thing. The organisations most likely to have problems are those which have been routinely misusing data for years - and if they end up in hock to consultants and the like well it's no more than they deserve. I'd be most concerned I think if I was the secretary of a largeish club or society dealing with communications from members and deciding just how to distribute and ensure the security of data that had to go out to club officers some of whom I met only infrequently. I think there I might look for a secure email system that could be monitored rather than using private email boxes.

While many, but far from all, people who have me on their mailing lists have sent the standard "if you don't reply we'll lose you" email or letter, some have just sent some form of "we keep your data safe", & some charities have sent a "we think we already have your permission to contact you", so there seems to be quite a variety of approaches, at least from the bigger organisations. Interestingly, I haven't heard anything at all from either my local authority or any of the community groups I am involved with (heads in sand, or think they've got it sussed??).

No open cc lists on emails, no sharing of contacts even with benign motives, that sort of thing.

 

I can think of two major distributors / resellers in our industry who have sent out an email with their entire customer list Cc'd in.

 

In one instance, somebody else hit the list with a mailshot of their own the following day, having scraped the addresses.

The challenge for a lot of organisations will be avoiding a minor administrative slip, which could end up costing them a lot of fines.

print out all the information, buy a filing cabinet, put it all in the drawer in named files, then erase any digital versions. Then compliance would be straightforward if old fashioned - provided you keep the thing locked up!

I went on a GDPR seminar and the presenter told us the regulations apply just as much to printed material as they do to digital... so if you can't keep the info in digital form, you can't keep it in printed form either.

print out all the information, buy a filing cabinet, put it all in the drawer in named files, then erase any digital versions. Then compliance would be straightforward if old fashioned - provided you keep the thing locked up!

I went on a GDPR seminar and the presenter told us the regulations apply just as much to printed material as they do to digital... so if you can't keep the info in digital form, you can't keep it in printed form either.

 

Quite - I was pointing out a way of limiting uncontrolled dissemination and processing!

One of the interesting things that was mentioned in my (corporate) training is that Force Majeure is not a defence in the GDPR, so if someone does steal the key or even if the building burns down and you lose data that you are meant to keep you can be punished. Equally if your computer is compromised that is no defence.

While many, but far from all, people who have me on their mailing lists have sent the standard "if you don't reply we'll lose you" email or letter, some have just sent some form of "we keep your data safe", & some charities have sent a "we think we already have your permission to contact you", so there seems to be quite a variety of approaches, at least from the bigger organisations. Interestingly, I haven't heard anything at all from either my local authority or any of the community groups I am involved with (heads in sand, or think they've got it sussed??).

 

Pizza Express had the best one - we are going to have to delete everything, unless you opt back in. So, we are giving away £100 vouchers in a draw, 50 of them I think. Interestingly, they are asking "please keep in touch", or "please don't mail me anymore" as the options, with no mention that I can see of what happens in the event of a non-reply.

One of the interesting things that was mentioned in my (corporate) training is that Force Majeure is not a defence in the GDPR, so if someone does steal the key or even if the building burns down and you lose data that you are meant to keep you can be punished. Equally if your computer is compromised that is no defence.

 

So your competitors could hire Russian hackers to steal your data, and then you get fined for losing it? That seems to go against the interests of natural justice. I could see the point in punishment if you have been negligent or left an open door for them, but if you have taken reasonable precautions, what else could they expect you to do?


The key is in the wording of the penalty. UP TO x amount or X amount of revenue. This implies there will be a hearing/investigation. If you are shown to have taken all reasonable measures, and taken appropriate actions, then the penalties *should* reflect that. The issue there is that it's down to interpretation as to whether it was negligent or not.

A question I have about GDPR, especially within our industry, is how (if?) it differentiates between 'personal' and 'business' contacts. At work I have a lot of contacts, the vast majority being companies but some being smaller groups or even individual sole-traders - freelancers if you prefer. To me these are all business contacts - I'm sure that GDPR can't require business contact details to be controlled in the same way as personal contacts (this is about personal data protection isn't it?) but what about if the trading address, phone number and email someone has given me is actually also this person's home address? It may be obvious, but not always.

 

Similarly when dealing with event bookings in our venue, I invariably get calls from mobile numbers of the LD, sound company, tour manager etc - all business contacts to me, but simply by them calling or emailing me I have their number/email on my contacts list... however for all I know it could be their personal details rather than a dedicated work address/number. Should I be asking/checking every time this happens?

 

Another typical scenario is that we host quite a lot of charity events, so often we will be dealing with one person as the main contact, and send them booking info, questions, confirmations, or whatever, by email. They then forward that on to their entire 'committee' of volunteers, all on personal emails, and we eventually get sent back a huge email chain containing all their personal emails, phone numbers etc (in signatures) along with the info we actually require about the event. Previously that email chain would just be filed with info relating to that event, in case we need it for the setup, or in case of future dispute about something. However I think now we'll have to very carefully extract the stuff we need (time consuming) to a different document, and delete the email with the personal details on. Very easy to miss something though, either accidentally delete some important event info, or keep someone's personal details by mistake. Interesting times ahead, I think.


So your competitors could hire Russian hackers to steal your data, and then you get fined for losing it? That seems to go against the interests of natural justice.

Just the same as H&S.

 

Someone gets hurt - you are guilty of a breach unless you can prove you took reasonable steps to prevent it.


A question I have about GDPR, especially within our industry, is how (if?) it differentiates between 'personal' and 'business' contacts. At work I have a lot of contacts, the vast majority being companies but some being smaller groups or even individual sole-traders - freelancers if you prefer. To me these are all business contacts - I'm sure that GDPR can't require business contact details to be controlled in the same way as personal contacts (this is about personal data protection isn't it?) but what about if the trading address, phone number and email someone has given me is actually also this person's home address? It may be obvious, but not always.

 

Similarly when dealing with event bookings in our venue, I invariably get calls from mobile numbers of the LD, sound company, tour manager etc - all business contacts to me, but simply by them calling or emailing me I have their number/email on my contacts list... however for all I know it could be their personal details rather than a dedicated work address/number. Should I be asking/checking every time this happens?

 

Another typical scenario is that we host quite a lot of charity events, so often we will be dealing with one person as the main contact, and send them booking info, questions, confirmations, or whatever, by email. They then forward that on to their entire 'committee' of volunteers, all on personal emails, and we eventually get sent back a huge email chain containing all their personal emails, phone numbers etc (in signatures) along with the info we actually require about the event. Previously that email chain would just be filed with info relating to that event, in case we need it for the setup, or in case of future dispute about something. However I think now we'll have to very carefully extract the stuff we need (time consuming) to a different document, and delete the email with the personal details on. Very easy to miss something though, either accidentally delete some important event info, or keep someone's personal details by mistake. Interesting times ahead, I think.

 

It's personal identifying information. Interestingly, a couple of my suppliers are trying this approach of "your data isn't personal, it's business data" - I think that is *incredibly* brave. My name is personal to me ;) Many people, especially freelancers, have no business/personal separation - one mobile, one email etc etc - that "business" data is now personal data.

Not worth the shortcut imo.

2 weeks later...

Just had an email from a dance company I did some work for many years ago, asking me to confirm that I'm happy for them to keep my details on record etc.

 

Shame they seem to have sent it as a CC to about 50 other people... already had one person "reply to all", that she'd like her info removed...