GDPR - anyone working in this area?

plasticpig

12,932 posts

226 months

Wednesday 24th January 2018
DELETED: Comment made by a member whose account has been deleted.
That's HMRC policy for their own document keeping. HMRC's powers to inspect documents are covered under Schedule 36 of the Finance Act 2008.

Whilst the advice is that documents should be kept for a maximum of 7 years, HMRC can go back further than that.

K50 DEL

9,260 posts

229 months

Wednesday 24th January 2018
So we just had our first proper brainstorm regarding what we need to do here to ensure GDPR compliance, and one of the biggest unknowns that has come out of it is email.

We have dozens of staff with thousands of emails in their inbox and sent items. Many of those emails will contain personal information, both of adults and children, a lot of which we will not have signed consent to keep.

Obviously, it's unrealistic to expect staff to wade through in many cases 10k+ emails, and we can't just delete their accounts and start again, so what's the recommendation to deal with this?

plasticpig

12,932 posts

226 months

Wednesday 24th January 2018
K50 DEL said:
So we just had our first proper brainstorm regarding what we need to do here to ensure GDPR compliance and one of the biggest unknowns that has come out of it is E-mail

We have dozens of staff with thousands of emails in their inbox and sent items, many of those emails will contain personal information both of adults and children, a lot of which we will not have signed consent to keep.

Obviously it's unrealistic to expect staff to wade through in many cases 10k + emails and we can't just delete their accounts and start again so what's the recommendation to deal with this?
If you're using MS Exchange, a good place to start is looking at the In-Place eDiscovery functionality.

K50 DEL

9,260 posts

229 months

Thursday 25th January 2018
K50 DEL said:
So we just had our first proper brainstorm regarding what we need to do here to ensure GDPR compliance and one of the biggest unknowns that has come out of it is E-mail

We have dozens of staff with thousands of emails in their inbox and sent items, many of those emails will contain personal information both of adults and children, a lot of which we will not have signed consent to keep.

Obviously, it's unrealistic to expect staff to wade through in many cases 10k + emails and we can't just delete their accounts and start again so what's the recommendation to deal with this?
DELETED: Comment made by a member whose account has been deleted.
Please see below: hopefully it helps and thanks so much for such a detailed reply, I wasn't expecting it and it really is appreciated!

What does your business do?
We provide youth services on behalf of one of the bigger UK city councils, this includes running 2 small schools for excluded learners as well as adventure playgrounds, play sessions, one2one support etc

How big is the business?
Around 110 employees, we're a CiC so not so much with the profit

Are these B2B or B2C emails? (guessing as includes child data then B2C)
A mix, lots of internal communication between our staff but also external comms with social workers, the council, police etc

Why have you got these emails?
Because no-one likes deleting things; human nature is to keep things forever (because "you never know"). We also need to be able to prove outcomes and what we did with a particular young person if asked by our client, and much of that data is held within emails.

What time period do these emails cover?
Our current contract started 1-1-13 but many staff here pre-date that so emails would potentially go back a decade+

What is your current retention policy?
Staff are free to manage their mailboxes as they see fit. When an employee leaves, their mailbox (and all their user files) are archived into a storage area that only IT have access to; this data is kept forever.

Are these emails backed up?
We use 365 so not in a traditional sense, no - that said, see above for when a user leaves the company

Where are the email servers? (O365?)
Yes, 365, contracted with MS to ensure all data held within the UK

How many records does your business have?
We're looking at that now, but low-figure thousands would be a good bet

Where are they?
A mixture of departmental drives, an externally hosted database and the aforementioned emails.

What are they used for?
Reporting to our client on what we are doing and the success of it (I can't go into too much detail on here, happy to PM if it makes a difference)

Are you marketing to the people held in email?
No, we don't do any real marketing (no sales team etc). The closest we get is a monthly newsletter that is sent via email to several hundred external people (both at the council and also others connected with this industry and what we do). Those who receive this newsletter are happy to do so, though we don't have signed consent forms from them stating such.

I could go on but these would be basics.



Eric Mc

122,165 posts

266 months

Thursday 25th January 2018
There is no statute of limitations when it comes to criminal acts. Therefore, HMRC can go back as far as they like if they are investigating fraud. However, in practice, they don't - because they are hard pushed to investigate recent cases of wrong doing let alone old cases.

The general advice is that records should be retained for six years plus one year AFTER the statutory filing date for tax purposes. That can actually stretch the age of retained records to more like eight years.

For example, the statutory filing date for the 2016/17 tax return is 31 January 2018.

If a sole trader had a business year end of 30 April, the accounts entered on the 2016/17 return would be the accounts for the year ended 30 April 2017 - which commenced on 1 May 2016. So the retention of records would stretch from 1 May 2016 through to 31 January 2025.

plasticpig

12,932 posts

226 months

Thursday 25th January 2018
DELETED: Comment made by a member whose account has been deleted.
Office 365 has a feature called litigation hold that prevents users from permanently deleting emails.

Another feature is Data Loss Prevention, which allows you to scan emails for personal data and prevent them being sent, or flag them to be reviewed before being sent. As an example, one off-the-shelf feature is that you can set it up to prevent credit card numbers from being sent via email. This applies to attachments as well as the message body. You can set up multiple keyword searches and fuzzy matches. There are loads of inbuilt definitions to use, such as diseases and passport numbers.

This doesn't just apply to email. The same policies can be used for SharePoint, Word, Excel and OneDrive.

Are you not aware of these features? I would have thought a Cyber Essentials bod would be well clued up on these and the eDiscovery features in Office 365.
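As an added example (not code from the thread, and not Microsoft's own documentation), here is how the three Office 365 features mentioned in this thread, In-Place eDiscovery (content search), litigation hold and Data Loss Prevention, are set up from the ExchangeOnlineManagement PowerShell module. The policy and search names, the 2,555-day hold duration, and the choice of sensitive information types are assumptions for illustration; the cmdlets and parameters are the standard ones in that module, and the caller is assumed to hold the eDiscovery Manager and Compliance Administrator roles.

```powershell
# Added example: illustrative configuration, not from the original thread.
# Assumes the ExchangeOnlineManagement module is installed and the account
# has the roles needed for Exchange Online and Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline        # Exchange Online cmdlets (Get-/Set-Mailbox)
Connect-IPPSSession           # Security & Compliance cmdlets (search, DLP)

# 1. Litigation hold on every user mailbox.
#    This stops users permanently deleting mail while a retention review is done.
#    Note that a hold preserves data; it is a stop-gap, not a minimisation measure.
#    Duration is in days; 2555 (~7 years) is an assumed figure, not advice.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# 2. Content search (the eDiscovery side): find mail that matches built-in
#    UK personal-data classifiers across all mailboxes, so the scale of the
#    problem can be measured before anyone is asked to triage 10k+ messages.
$searchName = "GDPR-PII-Sweep"   # assumed name
New-ComplianceSearch -Name $searchName -ExchangeLocation All `
    -ContentMatchQuery 'SensitiveType:"U.K. National Insurance Number (NINO)" OR SensitiveType:"U.K. Passport Number"'
Start-ComplianceSearch -Identity $searchName
# Poll until Status is Completed, then read the hit count and size.
Get-ComplianceSearch -Identity $searchName | Select-Object Status, Items, Size

# 3. DLP: block outbound mail (body or attachments) carrying a credit card number,
#    tell the sender why, and raise an incident report for the admins.
#    -Mode Enable enforces immediately; start with TestWithNotifications
#    in a real tenant to see what the rule would catch before blocking anything.
$policyName = "Block-PAN-Outbound"   # assumed name
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode Enable
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{Name = "Credit Card Number"; minCount = "1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All
```

Two practitioner caveats that follow from the block: the DLP rule only governs mail sent after it is enabled, so it does nothing for the existing backlog, which is what the content search is for; and the litigation hold works against the GDPR storage-limitation principle if left in place indefinitely, so the hold duration should be tied to whatever retention period the organisation can actually justify.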
Sheepshanks

32,922 posts

120 months

Thursday 25th January 2018
DELETED: Comment made by a member whose account has been deleted.
As an Office365 admin I'd say the worst thing about O365 is that new features are being added all the time!

I reckon we could spend our entire working time figuring out things to do with O365 and how to do them.

plasticpig

12,932 posts

226 months

Thursday 25th January 2018
DELETED: Comment made by a member whose account has been deleted.
It is about GDPR. To my mind that includes the technical implementation of GDPR as well as the legal and policy side. I was just a bit surprised that, with your background, you didn't highlight that K50 DEL already has many tools available to them to implement that policy, when his initial concern was about email in Office 365.
plasticpig

12,932 posts

226 months

Thursday 25th January 2018
DELETED: Comment made by a member whose account has been deleted.
What an odd thing to suggest. I really don't have any hidden motive with regards to this thread or yourself.

964Cup

1,449 posts

238 months

Friday 26th January 2018
K50 DEL said:
What does your business do?
We provide youth services on behalf of one of the bigger UK city councils, this includes running 2 small schools for excluded learners as well as adventure playgrounds, play sessions, one2one support etc
DELETED: Comment made by a member whose account has been deleted.
I agree with everything TinRobot has already said and make the same disclaimer - I don't know enough about you to say anything authoritative.

I would add that there are likely to be Art.14 notification issues if PII is coming from sources other than the data subject - in plain English, you may need a process to directly inform the children in considerable detail of the type of data that you hold, where you got it, why you have it and so on. There are time limits for this notification, and very few exceptions, and it goes beyond the standard privacy notice stuff.

You almost certainly (given what you do) hold Art. 9 special category data (and probably Art. 10 criminal record information) and that places additional constraints on processing both in technical terms (requirements for pseudonymisation and encryption) and in terms of your basis for processing (because the range of justifications is different to the normal stuff in Art. 6 and the default is that processing is prohibited). The basic law here is essentially unchanged from existing legislation and the ICO has very good guidance on this on their website.

Consent is a significant challenge when considering data on children, since they can't consent, and more difficult when working with disadvantaged or excluded children as you may not be able to get parental consent (or the parent may be the problem in the first place). Wherever possible I would think you should look for other justifications (e.g. 9.1b social protection law; 9.1c protection of the vital interests of the data subject; 9.1h social care [but there are restrictions here]). But as TinRobot has quite rightly said, you should talk to the ICO about this. You're not alone and you should also talk to others about their approach - for example charities working in the same area.

Also happy to take a PM on this - but not with a view to treading on TR's toes, of course.

K50 DEL

9,260 posts

229 months

Friday 26th January 2018
Not sure what to say here guys... the depth of advice on this thread has gone far above and beyond what I was expecting / hoping for.
I've shared it with my colleague (together we make up the GDPR team) and will likely share certain bits of it with the senior management of the organisation to (hopefully) make them understand the potential level of work we're looking at.

We're going to take the weekend to read over what you've written and research the recitals you suggest, I suspect some PMs / open posts on here will follow early next week.

Thanks again, I really am very grateful, PH is an amazing place at times like this.

pmanson

13,387 posts

254 months

Monday 29th January 2018
This short video may be of use to people - https://youtu.be/rypt6J5Cpzc

pmanson

13,387 posts

254 months

Monday 29th January 2018
pmanson said:
This short video may be of use to people - https://youtu.be/rypt6J5Cpzc
DELETED: Comment made by a member whose account has been deleted.
I'll let the relevant people know!

pmanson

13,387 posts

254 months

Monday 29th January 2018
pmanson said:
I'll let the relevant people know!
DELETED: Comment made by a member whose account has been deleted.
Haha no problem at all. I've just flagged it with our support team.

The subject matter of GDPR is very dry, but it's fascinating how everyone is approaching it in very different ways.

Marcellus

7,126 posts

220 months

Tuesday 30th January 2018
Just starting to get my head around this now. I don't think for me (my company) it'll be that much of a big issue, although I do know that there are some processes I do need to document and then make sure I do!

But I do have one question about personal information/data.

I understand that Name and Address (interestingly not address on its own), date of birth, email address, IP address, passport, bank details and anything that could be used to identify a person is their personal detail.

I also understand that any person can request a copy of any personal data I hold on them and/or ask me to delete it - no problem (Probably)

But the question is whether my personal note on that person constitutes their personal data.

The easiest way to elaborate is: consumers contact us (giving us their personal information), we make notes on what they're looking for, what we propose, any feedback, and ultimately close the enquiry with a status.

If requested, do we have to share and/or delete all of our notes, or just the personal information we hold?

CzechItOut

2,154 posts

192 months

Tuesday 30th January 2018
Marcellus said:
Just starting to get my head around this now. I don't think for me (my company) it'll be that much of a big issue, although I do know that there are some processes I do need to document and then make sure I do!

But I do have one question about personal information/data.

I understand that Name and Address (interestingly not address on its own), date of birth, email address, IP address, passport, bank details and anything that could be used to identify a person is their personal detail.

I also understand that any person can request a copy of any personal data I hold on them and/or ask me to delete it - no problem (Probably)

But the question is whether my personal note on that person constitutes their personal data.

The easiest way to elaborate is: consumers contact us (giving us their personal information), we make notes on what they're looking for, what we propose, any feedback, and ultimately close the enquiry with a status.

If requested, do we have to share and/or delete all of our notes, or just the personal information we hold?
Personal data means any information relating to an identifiable person.

So in relation to your question, yes, anything you hold against that person's identifiable record (name, email, IP address etc.), including notes, comments, feedback etc falls within the right of access and right to be forgotten.

Marcellus

7,126 posts

220 months

Tuesday 30th January 2018
CzechItOut said:
Personal data means any information relating to an identifiable person.

So in relation to your question, yes, anything you hold against that person's identifiable record (name, email, IP address etc.), including notes, comments, feedback etc falls within the right of access and right to be forgotten.
Cheers. So, theoretically, a consumer contacts you in 2017, it doesn't go anywhere, you have no contact with them for a couple of years so any consent you had has expired and you've deleted all of their records, and then in 2020 they contact you again and you can't look back in your CRM to see what they looked for last time?

CzechItOut

2,154 posts

192 months

Tuesday 30th January 2018
Marcellus said:
Cheers. So, theoretically, a consumer contacts you in 2017, it doesn't go anywhere, you have no contact with them for a couple of years so any consent you had has expired and you've deleted all of their records, and then in 2020 they contact you again and you can't look back in your CRM to see what they looked for last time?
It is up to you to determine your data retention policy. Realistically, your company could argue you have a legitimate use to retain a consumer's data for, say, seven years, before you no longer need it and it should be deleted.

On the other hand, it would be quite difficult for you to justify keeping a customer's data indefinitely "just in case" they contact you in the future.

RicksAlfas

13,425 posts

245 months

Tuesday 30th January 2018
I can see the day-to-day, regular stuff being relatively easy to deal with once systems are in place.

But what about the little things. For instance a customer I deal with regularly has asked me to send some samples to someone else. I now have "another person's" full info - name, address and phone number. I need this information to send them the samples. They are not a customer, they are not in my system. I just have their info which I will then be entering onto a courier's website.

Once I've dispatched the samples what do I do with the information?

By putting this info on to a courier's website am I contravening something?

It's small events like this which start getting me tied in knots!

Marcellus

7,126 posts

220 months

Tuesday 30th January 2018
RicksAlfas said:
I can see the day-to-day, regular stuff being relatively easy to deal with once systems are in place.

But what about the little things. For instance a customer I deal with regularly has asked me to send some samples to someone else. I now have "another person's" full info - name, address and phone number. I need this information to send them the samples. They are not a customer, they are not in my system. I just have their info which I will then be entering onto a courier's website.

Once I've dispatched the samples what do I do with the information?

By putting this info on to a courier's website am I contravening something?

It's small events like this which start getting me tied in knots!
As I understand it, in your example you are a "data processor", given data by the "data controller" to complete a specific task.

Therefore, once you have used the data to complete that specific task, you have to forget/delete it.

ETA: it's the data controller who has to seek consent to give you the data.