GDPR - anyone working in this area?
Discussion
jammy-git said:
If you can show that the customer has given you permission for a specific purpose then you don't need to re-ask them for permission for that purpose again.
DELETED: Comment made by a member whose account has been deleted.
I normally live in France. It is interesting that virtually every company from the UK and the big US ones have already written to me about consents.
But the French ones are conspicuous by their absence. Which is a pity as they can be the most irritating. Especially the world's largest supermarket, Carrefour. I have been trying to unsubscribe for ages, but you can only deselect things you do not want.
Everything is not, however, an option.
Eric Mc said:
How this act REALLY works won't be properly understood as we will need a raft of court cases to clarify how the law actually should be interpreted.
Flip side is that the ICO seem to have made clear that they don't intend handing out massive fines for sts and giggles.
Intention seems to be that you'd need to be pretty much negligent to your responsibilities rather than (for example) sending a customer a single email and being clobbered for it.
bhstewie said:
Flip side is that the ICO seem to have made clear that they don't intend handing out massive fines for sts and giggles.
Intention seems to be that you'd need to be pretty much negligent to your responsibilities rather than (for example) sending a customer a single email and being clobbered for it.
Correct. They have been clear and vocal that they are a fair regulator and their interest is for people to take better care of data, not to run around fining people. The big fines will be saved for the very big offenders (e.g. if banks do silly things and can't show clear plans).
The ICO's position has been that it is a start point, not an end point come May 25.
anonymous said:
[redacted]
I suspect there will be some high profile cases against big institutions - banks, insurance, Google, and then the fuss will die down.
Hopefully it won't turn into the next PPI with "helpful" lawyers offering to check up on your data for you.
Every business I know is devoting time they can ill afford to this. Volunteer run clubs are having palpitations about it. And do you know what? The unscrupulous sorts who sell or pass on data will simply carry on doing so...
This is my favourite bit of the ICO website:
"...standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted."
Come on chaps, you've only got a week!
bhstewie said:
Flip side is that the ICO seem to have made clear that they don't intend handing out massive fines for sts and giggles.
Intention seems to be that you'd need to be pretty much negligent to your responsibilities rather than (for example) sending a customer a single email and being clobbered for it.
I hope penalties are limited to those completely flouting the rules, collecting and selling data at scale without consent for profit. Either way, good companies with strong principles are paying through the nose (time and money) to check their compliance against these new rules - really doesn't sit well with me, especially as many 'experts' haven't a clue how an ill-thought regulation applies to complicated real-world companies.
plasticpig said:
The next big GDPR clusterfk is Google and their AdMob in app advertising platform.
If an $800 billion tech giant can't get GDPR right then how can apps developed by individuals or micro companies be expected to get it right?
Wow, don't understand much of that article but that's awful.
Eric Mc said:
And that is a pretty dreadful position for businesses to be in - "hoping" they aren't going to be targeted by the ICO because no one really knows what they need to be doing.
Very true. Trouble with this regulation is that just one error/oversight would see you being non-compliant. It could be a legacy form on an old part of your website with pre-ticked boxes (sending referrer and IP too), a 3rd party tracking script, any non-hashed server log or web design which uses GET instead of POST. Some of these examples are from the business I work for. No large company could ever be 100% compliant in my mind - there will be something somewhere.
How long until the go-to option for disgruntled consumers is to run to the ICO...
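As an added illustration of the pitfalls listed in that post (not code from the thread or any poster): a small static check that flags pre-ticked consent boxes, forms submitting personal data via GET, and third-party scripts. The hint word lists, the hostname `shop.example` and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field-name hints are constructed for this example; tune them to your own forms.
CONSENT_HINTS = ("consent", "marketing", "newsletter", "optin", "opt_in")
PII_HINTS = ("email", "name", "phone", "address", "dob")

class FormAuditor(HTMLParser):
    """Flags pre-ticked consent boxes, personal data submitted via GET (it then
    lands in server logs and Referer headers), and third-party scripts."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []
        self._form = None  # state of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # boolean attrs such as checked have v=None
        if tag == "form":
            self._form = {"method": a.get("method", "get").lower(), "pii": False}
        elif tag == "input" and self._form is not None:
            name = a.get("name", "").lower()
            if any(h in name for h in PII_HINTS):
                self._form["pii"] = True
            if (a.get("type", "").lower() == "checkbox" and "checked" in a
                    and any(h in name for h in CONSENT_HINTS)):
                self.findings.append(f"pre-ticked consent box: {name}")
        elif tag == "script" and "src" in a:
            host = urlparse(a["src"]).hostname or ""
            if host and host != self.own_host:
                self.findings.append(f"third-party script: {host}")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["method"] == "get" and self._form["pii"]:
                self.findings.append("personal data submitted via GET")
            self._form = None

def audit(html, own_host):
    """Return the findings for one page of HTML, in document order."""
    p = FormAuditor(own_host)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page showing all three pitfalls at once.
SAMPLE = """<form action="/signup" method="get">
<input name="email"><input type="checkbox" name="marketing_consent" checked>
</form><script src="https://tracker.example/t.js"></script>"""
```

Calling `audit(SAMPLE, "shop.example")` on the constructed page returns one finding per pitfall; a POST form with only first-party scripts returns an empty list.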
fakenews said:
bhstewie said:
Flip side is that the ICO seem to have made clear that they don't intend handing out massive fines for sts and giggles.
Intention seems to be that you'd need to be pretty much negligent to your responsibilities rather than (for example) sending a customer a single email and being clobbered for it.
I hope penalties are limited to those completely flouting the rules, collecting and selling data at scale without consent for profit. Either way, good companies with strong principles are paying through the nose (time and money) to check their compliance against these new rules - really doesn't sit well with me, especially as many 'experts' haven't a clue how an ill-thought regulation applies to complicated real-world companies.
For example, if you spend your days on the train with an unencrypted laptop full of all your customers' details, you shouldn't need a consultant or regulations to tell you that you're being negligent.
I'd hope and expect a dimmer view would be taken of that than someone who's sending their customers a weekly email and who honours "remove me" requests.
rdjohn said:
I normally live in France. It is interesting that virtually every company from the UK and the big US ones have already written to me about consents.
But the French ones are conspicuous by their absence.
That's at odds with our French colleagues' attitude - they're quite exercised about GDPR.
Not as much as the Germans though - they're basically saying they won't be able to work after 25th May as it'll be illegal to contact anyone!
Eric Mc said:
fakenews said:
I hope penalties are limited to those completely flouting the rules
And that is a pretty dreadful position for businesses to be in - "hoping" they aren't going to be targeted by the ICO because no one really knows what they need to be doing.
fakenews said:
Very true. Trouble with this regulation is that just one error/oversight would see you being non-compliant. It could be a legacy form on an old part of your website with pre-ticked boxes (sending referrer and IP too), a 3rd party tracking script, any non-hashed server log or web-design which uses GET instead of POST. Some of these examples are from the business I work for. No large company could ever be 100% compliant in my mind - there will be something somewhere.
How long until the go to option for disgruntled consumers is to run to the ICO...
But again, just fix it assuming it's not willfully negligent.
If the ICO fines anyone for a pre-ticked box on a website I'd be amazed.
This st, fine away https://www.theregister.co.uk/2018/05/17/cps_325k_...
DELETED: Comment made by a member whose account has been deleted.
Picking up on this, it is pretty basic isn't it?
Thinking of most small companies who are given personal data during the course of their daily business, if they:
- take all reasonable steps to safeguard any PI given.
- do not share any PI with anyone without that person's explicit consent.
- do not use the PI for any purpose other than what it was given for.
- let the PI know that they can get a copy of all PI held if they wish, foc.
- only hold the PI for a reasonable defined period.
- make any PI anonymous if requested to and the company has no valid reason not to (such as a contractual relationship, tax or regulatory purposes).
or am I missing something?