
GDPR and (show) Company Email lists...



Hi All, a thought that's been floating around my head for a little while now, which someone more knowledgeable on the subject may have an insight to...


When things like crew calls, rehearsal calls, show reports, etc etc are sent out, personally, I will always put the 'to' list in as BCC, if nothing else to help prevent people ending up on spam lists in the event that one of the accounts is compromised, and I always hate it when I end up in a 'to' box on these sort of emails. It also has the added bonus of stopping those who don't know the difference between 'reply' and 'reply to all' making fools of themselves...!



Now with all the hoo-ha over GDPR, it feels as though there may actually be a legal aspect to this? Just to be clear, I'm not talking about a corporate company customer list, more along the lines of self-employed stage/production manager emails to the company, and I'd just like to get my facts straight on the situation before I have to advise or pull someone up on it!



In a similar vein, I'll never send out a plain Excel spreadsheet as a contacts list. If I need to send something out, I'll password protect the sheet, email that, and then text the recipients with the password... would people consider this good practice, or simply OTT protection?



Edited by IRW

From the lengthy and extremely tedious 'training' on this subject I had to endure, it's my understanding that email addresses should not be shared (e.g. by using 'cc' fields) unless permission has been given by recipients for those details to be shared.

  • 2 months later...

I used to do legal work years ago and now live and breathe data on a daily basis, so let me help you clear things up.


Firstly, GDPR only covers personal information and not business, so you can publish business information, a catch all business email, phone numbers, etc. in open lists without having to obtain consent. However, personal information such as personal email addresses, home address, etc is covered by GDPR and must be protected. GDPR also covers paper information, so if you print or even write crew information with names, addresses, etc. on paper and lose them, you have breached GDPR. GDPR is not just computer data, it also covers personal information stored in a filing cabinet, phone book etc. so if you lose your FiloFax and don't report it to the ICO, you are in breach.


Regarding call sheets. Whenever anyone gives you their email, you can communicate with them as it is deemed as they gave it to you, they consent to you communicating with them. A suggestion is that on any purchase orders or correspondence, maybe even on your email footer, add a clause stating that any email and phone number suppliers give you or you hold, they agree that it can be shared with other subcontractors who are on the same job and that you can communicate with them. It's not 100% compliant with GDPR, you actually need them to authorise it and keep copies of the authorisation.


My personal opinion is that GDPR is a complete waste of time and doesn't protect you, it just gives EU states an easy way to issue fines. As an example, this week personal data of every Bulgarian citizen (a few million) has been leaked due to a flaw in the Bulgarian tax database, there is no punishment for negligence or recompense to all those affected. Last week BA just got fined for being hacked, the hacked data of 300,000 customers (most of which were businesses, so they shouldn't count) never got used and nobody suffered, yet BA were fined around £400 million. States can do as they wish, even share and demand your personal data, so Bulgaria can demand all of your personal data (paragraph 4 or 5 of the Act from memory) from the UK, leak and sell it, and there is nothing you can do about it.


Being practical, will the ICO chase and fine you for sharing phone numbers and email addresses on a call sheet without the proper consent? Probably not, that is unless one of those people complains to the ICO. Also, don't print them, email them, as if they are left lying around or get lost, you are in breach of GDPR. If the contractor printed it and lost it, as long as you can prove you never printed it, you are fine (maybe add a footnote on each page saying that the PDF is a digital copy and that they should not print this, if they do they are responsible for disposing of it).


To fully comply is not possible or reasonably practicable, more so for small businesses as GDPR is not like UK health and safety regulation that states "if reasonably practicable", which is one of the many reasons I feel it should be abolished. To be honest, you will never be able to fully comply, no matter what you do. Look at BA, with all their resources and money, they failed because they fell victim to a hacker who found a weakness.

Edited by jlevene
