
GDPR regs - how are you all dealing with it?


A previous poster has mentioned how many freelancers have no real personal and business separation. Many of these will have one phone full of people they have worked with or for (along with personal and family contacts). Presumably the new regulations will require these freelancers to have a written policy on how they use and protect this business contact data on their phones. This is going to be easier said than done, with many of the social media apps that we use for work purposes requiring access to your contacts before they will actually work.

Anyone asking to reconsent either didn't obtain the details in a DPA/PECR compliant way or has completely misunderstood the new* regulations. I do think that some have taken this as an opportunity to cleanse their database and save some pennies on email shots.

 

*It's not new, it came in 2 years ago and as usual everyone has waited until the end of the grace period and then panicked.

 

Most reconsent emails were unnecessary though.

 

The amount of begging emails has been hilarious. Some major retailers have sent me 3 or 4 now. I remember signing up for many of them and the way it was obtained was compliant with GDPR. Ironically, they have lost me because I no longer trust my 'data' with them due to the way they have handled the whole thing.

 

Because of the way I implement my email and use unique addresses for everyone, I have and will no doubt catch more non-compliant organisations. I'm expecting the compensation to go up when I do threaten them with the ICO.

 

Example, Santander told me they had purged me after they were hacked a number of years ago. Guess who sent me a reconsent email yesterday?

 

Personally, I'm enjoying it in a schadenfreude way.


Anyone asking to reconsent either didn't obtain the details in a DPA/PECR compliant way or has completely misunderstood the new* regulations. I do think that some have taken this as an opportunity to cleanse their database and save some pennies on email shots.

 

 

This is a common argument, but it isn't true. The ICO's own website points out that the definition of consent has been strengthened in GDPR compared to DPA 1998, such that it is entirely possible that a company might (prior to 25th May) need to request fresh, GDPR-standard consent, and also that refreshing consent on a periodic basis is also appropriate.

 

But I don't disagree with you that there are a lot of badly drafted emails flying around at the moment.

 

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

https://iconewsblog.org.uk/2018/05/09/raising-the-bar-consent-under-the-gdpr/

 

"But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent."


What annoys me is that small groups that I'm a member of have started asking for consent - usually they are small groups of friends, yet my bank hasn't mentioned it, nor has Ebay. Every time I look at an ebay page I get an email next day asking me if I still want the item.

What annoys me is that small groups that I'm a member of have started asking for consent - usually they are small groups of friends, yet my bank hasn't mentioned it, nor has Ebay. Every time I look at an ebay page I get an email next day asking me if I still want the item.

 

Possibly your bank/ebay have collected GDPR-specific consent and delivered GDPR-specific privacy notices a long while before the small outfits, as it'll have been on their radar for a lot longer. And consent isn't the only basis on which one is permitted to process personal data under the GDPR, so lack of clear consent is not necessarily a problem in itself.


The ICO website is currently offline. Somewhat ironic that the organisation that wants to regulate how everybody else uses their IT systems can't actually build one that works when it's needed to.

On a more serious note. I have written a GDPR policy to cover the relatively small amount of data I hold on people. All of the data I have can be covered on a Contractual Agreement, Legal, or Legitimate Interest basis. However, I have a small group of people who I use as subcontracted casual labour on an occasional basis. Am I correct in assuming that as of tomorrow I will be in breach of the regulations if I contact them with offers of work, as none of them have given me explicit permission to do this, other than not objecting in the past?

On a more serious note. I have written a GDPR policy to cover the relatively small amount of data I hold on people. All of the data I have can be covered on a Contractual Agreement, Legal, or Legitimate Interest basis. However, I have a small group of people who I use as subcontracted casual labour on an occasional basis. Am I correct in assuming that as of tomorrow I will be in breach of the regulations if I contact them with offers of work, as none of them have given me explicit permission to do this, other than not objecting in the past?

 

I think this is all going a bit far for individual use of data. Maybe you would be technically in breach of the regulations, but really, will anyone care? I am sure your subbies aren't going to dob you in to the GDPR police for offering them work.

 


On a more serious note. I have written a GDPR policy to cover the relatively small amount of data I hold on people. All of the data I have can be covered on a Contractual Agreement, Legal, or Legitimate Interest basis. However, I have a small group of people who I use as subcontracted casual labour on an occasional basis. Am I correct in assuming that as of tomorrow I will be in breach of the regulations if I contact them with offers of work, as none of them have given me explicit permission to do this, other than not objecting in the past?

 

I think you could argue a legitimate interest - but do bear in mind that this isn't a freebie, you need to weigh up your needs against theirs: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/


I am sure your subbies aren't going to dob you in to the GDPR police for offering them work.

 

You just need to fall out with one of them... especially if, as some people suspect, there are going to be firms of lawyers advertising and encouraging people to make claims.


Anyone asking to reconsent either didn't obtain the details in a DPA/PECR compliant way or has completely misunderstood the new* regulations. I do think that some have taken this as an opportunity to cleanse their database and save some pennies on email shots.

 

 

This is a common argument, but it isn't true. The ICO's own website points out that the definition of consent has been strengthened in GDPR compared to DPA 1998, such that it is entirely possible that a company might (prior to 25th May) need to request fresh, GDPR-standard consent, and also that refreshing consent on a periodic basis is also appropriate.

 

 

I'd still be asking why they couldn't argue legitimate interest. All of the re-consent I have received has been unnecessary. I ticked a box that said 'I would like to be marketed at' when I first encountered the service or vendor. Now the new parts of GDPR consent call for more clear and affirmative action and granular choices for processing. This doesn't make 'Please send me emails about your stuff' no longer compliant. Just because you didn't tell someone you use a purchase history to segment marketing and only send certain mails out the first time they ticked doesn't invalidate the consent either. Just list what you do, tell them and give them a way out if they don't like it.

 

If this was designed to educate the user in how their data is used, it simply didn't work. The complicated and far more 'private' data companies have not asked for re-consent. They sent a mail out saying 'we got you' and 'read this to see' and I'd wager nobody did. Then we have Joe shopkeep who has some contact details and maybe a smattering of behaviour profiling from his marketing partner, mailsRus. He has just committed marketing suicide by asking us to tick the box again without much of an explanation other than GDPR made me do it. He hasn't even told us front and centre that they passed on the email address to mailsRus, which was the whole point.

 

I'm tempted to go into Argos today and see if they have to read an entire statement about policy before asking you for an email address for an e-receipt. They don't sign you up or at least they didn't as I've tested them in the past.

Other retailers that ask to send e-receipts have added it to mailing lists without telling me. The fools, I like getting free stuff.

 

I suppose having to read all this legislation does have its benefits.


On the Today programme this morning the Information Commissioner seemed to be suggesting that most of the emails are totally unnecessary. Her attitude to GDPR sounded rather similar to that of the HSE, as opposed to the "if in doubt, ban it" elth'n'safety brigade. Of course the real test won't come till the first court case, by which time the GDPR "consultants" will have taken their fees & be looking for the "next big thing".

Archived

This topic is now archived and is closed to further replies.

