GDPR - anyone working in this area?
Discussion
CzechItOut said:
RicksAlfas said:
3 - if I only use that data for my own business i.e. I don't sell it or pass it on, do I need to seek consent to retain it?
Yes. People have the right to be informed of what data you are collecting and why.
Legitimate interest, or needing it to fulfil a contract, or even legal (in our case we could be asked who we've supplied stuff to).
I think our customers (this is B2B) would be fine us keeping data related to ongoing specific business - what they would never agree to is that data being used for general marketing purposes. Quite where that leaves us in terms of emailing or calling a customer and saying "you buy this, maybe you'd be interested in this" I don't know - if we can't do that then eventually we'll cease to exist.
Sheepshanks said:
My reading of various sources is that it's better to try and find a reason that avoids needing to use consent.
Legitimate interest, or needing it to fulfil a contract, or even legal (in our case we could be asked who we've supplied stuff to).
Why wouldn't you articulate the above reasons and use them to gain consent?
I have heard a few companies claim they don't need to inform an individual or gain their consent as they have "legitimate use" of their personal data. For example, screenscraping LinkedIn to produce a pool of prospective candidates.
I think after the regulations come into force this will quickly be tested in court.
Sheepshanks said:
CzechItOut said:
RicksAlfas said:
3 - if I only use that data for my own business i.e. I don't sell it or pass it on, do I need to seek consent to retain it?
Yes. People have the right to be informed of what data you are collecting and why.
Legitimate interest, or needing it to fulfil a contract, or even legal (in our case we could be asked who we've supplied stuff to).
I think our customers (this is B2B) would be fine us keeping data related to ongoing specific business - what they would never agree to is that data being used for general marketing purposes. Quite where that leaves us in terms of emailing or calling a customer and saying "you buy this, maybe you'd be interested in this" I don't know - if we can't do that then eventually we'll cease to exist.
This article was written by our Compliance Director (who also chairs the DMA Council's GDPR task force):
https://econsultancy.com/blog/69542-cutting-out-th...
DELETED: Comment made by a member whose account has been deleted.
Doh. It's been a long day already. I can't see them getting organised for eprivacy this year... I reckon 18mths at the earliest but you never know. Did you see the Carphone Warehouse fine announced today? Not a cheap mistake but it would have been a lot worse under GDPR!
CzechItOut said:
RicksAlfas said:
I would like to know in easy to understand, non-TLA'd language:
1 - what is data? Name only? Name with phone number?
Any data which can be used to identify a person, so name, address, telephone number, email, DoB, age, gender etc. Basically, the safest assumption is any data related to an individual.
RicksAlfas said:
2 - what activities are legitimate (lawful basis?) uses of that data? Wages? Quotations? Invoices? Delivery notes?
Any activity which is relevant to your business. There is nothing wrong with collecting and storing data, as long as you have a legitimate use for that data. So for example, if you pay people, you obviously need their bank account details. If you want to be able to contact an employee's next of kin, you can legitimately collect their emergency contact details.
What you can't do is collect information you have no legitimate use for and/or retain data for longer than you need it.
RicksAlfas said:
3 - if I only use that data for my own business i.e. I don't sell it or pass it on, do I need to seek consent to retain it?
Yes. People have the right to be informed of what data you are collecting and why.
Sheepshanks said:
Also as I mentioned before that was the other thing the teacher said - I didn't quite get this but basically there's a sheet that's supposed to be openly accessible and anyone who walks into the room can see it. They've been told they won't be able to do this, but no alternative solution has been suggested.
Edited by Sheepshanks on Thursday 11th January 12:32
There's lots of ways depending on how the school functions & what the need/immediacy of access to that data is. For example if it lists emergency actions for a particular child then it'd need to be pretty accessible, if it's more background then perhaps less so.
Who has a need to see that sheet? Where do those people & only those people congregate? (Every teaching staff may need to see it so a closed staff room wouldn't probably be a problem). Perhaps putting it as a document on a suitable part of the network might be better if it's not needed on a casual moment-by-moment basis.
It sounds more like the school don't really have a handle on what information they have & how that information should be classified. Do that and it becomes a lot easier to see solutions.
Either a poor Consultant, disengaged SMT or lacklustre advice from the LEA is probably the root! GDPR isn't about not using data, it's just helping ensure that it doesn't end up in strange places.
Pot Bellied Fool said:
GDPR isn't about not using data, it's just helping ensure that it doesn't end up in strange places.
That's a good point, but because it's open to interpretation it's going to cause a lot of grief, and because of the threats of fines the advice will always be more restrictive than relaxed. An emergency action list for a kid with a medical condition needs to be instantly accessible. The classroom wall seems like an obvious place for it. But someone will decide it needs to be kept under lock and key "because of GDPR", and when that kid is poorly the distraught teacher or classroom assistant won't know where to find it.
Would the school be able to ask the parents' permission to display it on the wall and that would satisfy everyone?
CzechItOut said:
RicksAlfas said:
3 - if I only use that data for my own business i.e. I don't sell it or pass it on, do I need to seek consent to retain it?
Yes. People have the right to be informed of what data you are collecting and why.
RicksAlfas said:
Would the school be able to ask the parents' permission to display it on the wall and that would satisfy everyone?
DELETED: Comment made by a member whose account has been deleted.
Sheepshanks said:
My reading of various sources is that it's better to try and find a reason that avoids needing to use consent.
Legitimate interest, or needing it to fulfil a contract, or even legal (in our case we could be asked who we've supplied stuff to).
I think our customers (this is B2B) would be fine us keeping data related to ongoing specific business - what they would never agree to is that data being used for general marketing purposes. Quite where that leaves us in terms of emailing or calling a customer and saying "you buy this, maybe you'd be interested in this" I don't know - if we can't do that then eventually we'll cease to exist.
This is a good argument for role based email addresses for businesses.
I've read about as much GDPR as I can handle tonight, I did a vague presentation on the subject 6 months ago and that apparently makes me our office specialist...
Technically we have a central team dealing with the whole issue, but they've been awfully quiet and May is fast approaching...
I'm ok with data management going forward, and consent etc. What about historical data, we hold patient records for everyone we've treated. Some records can be destroyed after fixed periods of time (dependent on implants used/ treatment given etc), but at present all records are paper. Do we need opt in consent from patients for historical records held?
I have a sneaking suspicion this might "become my job" tomorrow and whilst I'm not against that, I'd like an idea of the size of the task before I make any decisions!
Sheepshanks said:
Thanks for the effort and the information that you've put into this thread so far.
DELETED: Comment made by a member whose account has been deleted.
Interesting thread. A small company I support sells via eBay - mostly to the US but also to Europe and elsewhere. eBay passes on buyers' details (eBay id, name, address, phone number and email address) to us for us to ship the goods. Should eBay be getting an explicit opt-in from the customer to pass this data on to us?
Currently, we keep the data "for ever" so that we can analyse it (what sells well to whom, can we sell more to them, what trends can we see). But also because on occasion we want to block someone from bidding on our products - e.g. persistent non-payers. If such a blocked bidder changes their eBay id, we need to detect that so that we can block the new one too - and this could in theory happen a long way down the road, many years after they were originally blocked. Are those legitimate reasons for keeping all data on all customers for ever ?
DELETED: Comment made by a member whose account has been deleted.
There is a statutory basis for the retention period. HMRC investigations can go back 20 years in terms of requesting documents if they believe information supplied regarding tax is fraudulent. Since the invoice for the goods is likely to be delivered via eBay then the email address and eBay user ID is a component of the financial audit trail.
Granted 20 years is not forever but it's probably far longer than the information is actually useful for the purposes mentioned.
DELETED: Comment made by a member whose account has been deleted.
It does help, thanks. In the vast majority of cases, we have no contact with the buyer - we get the order via eBay and the payment via PayPal (usually), then we pack and despatch direct to the customer at the address given by eBay. Email and phone are only used in case of problems. Would we have to explicitly ask customers' permission to retain their data (via a separate single-purpose communication)? Data is accurate in that the eBay user id is unique world-wide, we don't care what device/MAC/IP address they use. We clean up the data from time to time, for example using names and addresses to detect that unwanted buyers are using a different eBay id.
plasticpig said:
There is a statutory basis for the retention period. HMRC investigations can go back 20 years in terms of requesting documents if they believe information supplied regarding tax is fraudulent. Since the invoice for the goods is likely to be delivered via eBay then the email address and eBay user ID is a component of the financial audit trail.
Granted 20 years is not forever but it's probably far longer than the information is actually useful for the purposes mentioned.
Indeed, 20 years will certainly see me out, anyway!