GDPR - anyone working in this area?


964Cup

1,448 posts

238 months

Wednesday 31st January 2018
Pps. I have been doing nothing but data protection for the last two (long) days. Now I'm doing it on here. I worry that I'm going to start dreaming in Articles and wake up screaming...

toddler

1,245 posts

237 months

Friday 2nd February 2018
Loads of great advice on this thread smile

The company I work for uses Worldpay's Virtual Terminal to take card payments over the phone. A customer phones up to pay an invoice. We log on to Worldpay's VT and enter the payment details (name on card, registered address, email address, amount, card number, expiry date). We hit Submit and the payment succeeds or fails. If it succeeds we receive a payment notification email from Worldpay a few seconds later containing a summary of the transaction, including the shopper's IP address, but excluding the payment card details. We keep these emails indefinitely.

I'm pretty sure in this scenario we're the data controller and Worldpay are the data processor (please correct me if I'm wrong).

I'm entering this process in my Record of Processing Activities which has the following headings (I'm using the ICO's template for Controllers):

1. Business function: Finance
2. Purpose of processing: Card payments
3. Name and contact details of joint controller (if applicable): N/A
4. Categories of individuals: Customers
5. Categories of personal data: Contact details, IP address, card details
6. Categories of recipients: Payment processor (Worldpay)
7. Link to contract with processor: Is this a link to Worldpay's T&Cs?
8. Names of third countries or international organisations that personal data are transferred to (if applicable): Do I need to know where Worldpay servers are?
9. Safeguards for exceptional transfers of personal data to third countries or international organisations (if applicable): ?
10. Retention schedule (if possible): Is this the length of time we keep the payment notification emails?
11. General description of technical and organisational security measures (if possible): What goes here?

I'd appreciate any suggestions on how to answer questions 7-11.

anonymous-user

55 months

Friday 2nd February 2018
DELETED: Comment made by a member whose account has been deleted.
This is the absolute crux of the matter.

Use the data you have for the purpose it was given to you and look after it whilst you need it.
Safely dispose of it when you don't.


toddler

1,245 posts

237 months

Friday 2nd February 2018
DELETED: Comment made by a member whose account has been deleted.
fk me! I'm sorry I asked now frown

But seriously, thank you very much for the detailed response. I have raised a ticket with Worldpay and will post their response here. We are currently working with our IT Company to achieve Cyber Essentials.


toddler

1,245 posts

237 months

Friday 2nd February 2018
toddler said:
fk me! I'm sorry I asked now frown

But seriously, thank you very much for the detailed response. I have raised a ticket with Worldpay and will post their response here. We are currently working with our IT Company to achieve Cyber Essentials.
DELETED: Comment made by a member whose account has been deleted.
Just had a call from Worldpay. They gave me this link to their T&Cs and referred me to Clause 17: https://www.worldpay.com/sites/default/files/17112...

toddler

1,245 posts

237 months

Friday 2nd February 2018
toddler said:
Just had a call from Worldpay. They gave me this link to their T&Cs and referred me to Clause 17: https://www.worldpay.com/sites/default/files/17112...
DELETED: Comment made by a member whose account has been deleted.
Thanks again. Can you explain what you mean by "get the front end correct" please?

Also, what would be the lawful basis for processing card payments? I'm guessing Article 6(1)(b) - contract?


Edited by toddler on Friday 2nd February 15:55

toddler

1,245 posts

237 months

Friday 2nd February 2018
toddler said:
Thanks again. Can you explain what you mean by "get the front end correct" please?

Also, what would be the lawful basis for processing card payments? I'm guessing Article 6(1)(b) - contract?


Edited by toddler on Friday 2nd February 15:55
DELETED: Comment made by a member whose account has been deleted.
Cheers. Have a good weekend yourself smile



Bullett

10,892 posts

185 months

Friday 2nd February 2018
If you are call recording and assuming you are not recording the stuff relevant to PCI then you also need to treat the calls as containing personal data and be able to ID which call relates to which customer if required.

EddieSteadyGo

12,050 posts

204 months

Monday 5th February 2018
I wonder what the GDPR ramifications are of the following real-life scenario.

Samsung have a new service on their latest handsets called 'Smart Call'. The idea is to help prevent spam calls by showing the name of the caller, even if the number of the person calling is not stored in the handset. So sounds like a useful idea.

The way (I think) it works is that when a user activates the "Smart Call" feature on their new phone, they inadvertently allow a US company (Hiya) to scrape their phone contacts.

The US company then combines all of this data together and provides it to Samsung, so when a name/number which is known to Hiya is called, it can try and predict the name of the person calling.

Whilst I am sure Hiya have a privacy policy, I am wondering if the person who owns the phone can reasonably agree to share the associated names and numbers - after all, is it really their data?

toddler

1,245 posts

237 months

Tuesday 6th February 2018
Bullett said:
If you are call recording and assuming you are not recording the stuff relevant to PCI then you also need to treat the calls as containing personal data and be able to ID which call relates to which customer if required.
We only take 1 or 2 card payments a week. Definitely don't do any call recording.

CzechItOut

2,154 posts

192 months

Tuesday 6th February 2018
EddieSteadyGo said:
I wonder what the GDPR ramifications are of the following real-life scenario.

Samsung have a new service on their latest handsets called 'Smart Call'. The idea is to help prevent spam calls by showing the name of the caller, even if the number of the person calling is not stored in the handset. So sounds like a useful idea.

The way (I think) it works is that when a user activates the "Smart Call" feature on their new phone, they inadvertently allow a US company (Hiya) to scrape their phone contacts.

The US company then combines all of this data together and provides it to Samsung, so when a name/number which is known to Hiya is called, it can try and predict the name of the person calling.

Whilst I am sure Hiya have a privacy policy, I am wondering if the person who owns the phone can reasonably agree to share the associated names and numbers - after all, is it really their data?
I am sure that Samsung/Hiya will claim legitimate use of the data. As I said previously, there are a lot of companies doing similar things and I envisage a number of court cases shortly after the introduction of GDPR in order to clarify the situation in more detail.

RM

594 posts

98 months

Wednesday 21st February 2018
I have a customer who owns a number of outlets. Each is their own limited company, held under a head co. Data is collected and shared in an opaque manner to customers (they just have a group trading name).

A couple of questions to those in the know. 1. Would they have to show customers all the legal entities they share the data with (which could be just the head co)? 2. The ICO's partial exemption for under 250 employees: would this apply to each individual ltd company, or the head co, or the aggregate of all employees across the group?

Cheers.

K50 DEL

9,241 posts

229 months

Wednesday 21st February 2018
Well we're still proceeding incredibly slowly - have just achieved Cyber Essentials and will shortly have new GDPR compliant policies in place, then we'll start to train staff on their obligations under the new policies to ensure we comply with the regs.

At the same time we're also working to identify what data we hold, where we hold it, why we hold it and for how long.

We'll get there!!

K50 DEL

9,241 posts

229 months

Wednesday 21st February 2018
K50 DEL said:
Well we're still proceeding incredibly slowly - have just achieved Cyber Essentials and will shortly have new GDPR compliant policies in place, then we'll start to train staff on their obligations under the new policies to ensure we comply with the regs.

At the same time we're also working to identify what data we hold, where we hold it, why we hold it and for how long.

We'll get there!!
DELETED: Comment made by a member whose account has been deleted.
Cheers... as you say, a slightly unconventional route but there are some internal factors that make doing it this way the most sensible route.
I'll keep contributing here as we go along and thank you for all your help so far.

RM

594 posts

98 months

Wednesday 21st February 2018
DELETED: Comment made by a member whose account has been deleted.
Thanks for the reply. I'm aware that the exemption is only partial and that all co's within the group would need to comply with the GDPR. I'm just not sure whether the ICO would consider them under 250 employees or not (each individual co would be under 250, as would head co, but the aggregate of the co's employees would be over 250).

RicksAlfas

13,412 posts

245 months

Thursday 22nd February 2018
I received my first "opt in" this morning:

OPT-IN TO STAY CONNECTED TO THE WORLD OF BMW.

From seeing the next groundbreaking concept car of tomorrow, to the next practical innovation of today, until now you’ve been in the know on all things BMW. And the road ahead looks more exciting than ever before.

But the law is changing, so to keep hearing from us, click the ‘I’m in’ button below. If you do nothing, from 25 May you will lose your access to the world of BMW.

Frimley111R

15,690 posts

235 months

Friday 23rd February 2018
Q: We do a lot of emailings, a few every day, to our database. How often should we update our database with unsubscribes? Given that we do a lot of emailing daily it's not practical to remove every email every time we get an unsubscribe, therefore we save them up and do them through an automated process every 2 weeks. Whilst I am sure GDPR will say 'remove as soon as they tell you', would we be that far in breach if we maintained our 2 week process?

Frimley111R

15,690 posts

235 months

Friday 23rd February 2018
anonymous said:
[redacted]
Because we don't have people sitting around doing nothing that can be used to jump every time someone unsubscribes. It's just not practical. 1 occasionally is not what we get. And I don't mean have significant numbers either but enough to make it a more efficient process to do all at once on an automated process.

PurpleTurtle

7,030 posts

145 months

Saturday 24th February 2018
Frimley111R said:
anonymous said:
[redacted]
Because we don't have people sitting around doing nothing that can be used to jump every time someone unsubscribes. It's just not practical. 1 occasionally is not what we get. And I don't mean have significant numbers either but enough to make it a more efficient process to do all at once on an automated process.
I work in Mainframe computing but have a lot of interfaces to web systems that are essentially a black box to me. In the mainframe world we do a lot of automated batch processing. What is stopping you from automatically processing the unsubscribe upon receipt? I had assumed all websites included that functionality as a given.

RM

594 posts

98 months

Saturday 24th February 2018
This thread is making me look at various elements of online business (my field) in a new light, thanks to TR and others.

I abandoned a cart on a website today and received an email 10 minutes later, sent to my email address and addressed to my name.

Surely not allowed under GDPR without me providing explicit permission when I entered my name and email address? So a checkbox saying by entering your email address you give us permission to email you in the event you do not complete the purchase.