GDPR - anyone working in this area?
Discussion
ashleyman said:
I've noticed lots of stores asking me to sign up for their newsletters again. I'm wondering if I need to do something similar?
I am a photographer registered as a VAT registered limited company. My only clients are employees within advertising agencies, production companies and brands. I'm contacting these people for the purpose of marketing my portfolio and trying to get new clients by them seeing my work and wanting to hire me.
I was told that I do not need to change anything as I have a 'Genuine business interest' in emailing these people. Is this correct? Or do I need to ask them to sign up for my newsletter again?
The newsletter is created in Mailchimp and my subscribers are all stored and managed on Mailchimp.
I have a separate database of prospects in Excel, which I email 1 by 1 whilst also researching new people to email, 1 by 1 and not as part of a group or mass send.
DELETED: Comment made by a member whose account has been deleted.
Eric Mc said:
If a reply has to be that detailed and expansive, you know the legislation is flawed.
Exactly. Hardly basic as TR keeps suggesting and this isn't even the actual implementation of it! I guarantee, despite whatever efforts have been employed, if you look hard enough no medium to large business will ever be completely compliant.
fakenews said:
Exactly. Hardly basic as TR keeps suggesting and this isn't even the actual implementation of it! I guarantee, despite whatever efforts have been employed, if you look hard enough no medium to large business will ever be completely compliant.
And that is true for almost any legislation... the key is that companies make a serious step forward in taking data seriously. I don't think anyone (let alone the ICO) ever expects 100% compliance.
fakenews said:
Exactly. Hardly basic as TR keeps suggesting and this isn't even the actual implementation of it! I guarantee, despite whatever efforts have been employed, if you look hard enough no medium to large business will ever be completely compliant.
Probably true re large business, but that applies to any aspect of company procedures which require conformance.
In my view, the main effect of GDPR in a few years' time will be to create much better awareness amongst the public of how important their data is. I think people will start to feel it is their right to expect their data is treated properly.
To the extent, when there are more minor infringements I think people will be much more likely to complain than they would now.
And when there are more data serious breaches I think it could cause a much more serious public backlash against the companies involved.
EddieSteadyGo said:
And when there are more data serious breaches I think it could cause a much more serious public backlash against the companies involved.
The problem is a company can do everything right and still have a serious data breach. Correctly configured firewall, full patch management, up to date antivirus and anti malware. You can unplug a network from the internet and disable all external storage options (USB ports, SD cards etc) and still have a serious data breach.
plasticpig said:
EddieSteadyGo said:
And when there are more data serious breaches I think it could cause a much more serious public backlash against the companies involved.
The problem is a company can do everything right and still have a serious data breach. Correctly configured firewall, full patch management, up to date antivirus and anti malware. You can unplug a network from the internet and disable all external storage options (USB ports, SD cards etc) and still have a serious data breach.
I mentioned an example a few pages ago where a BMW dealer added me to their spammy SMS marketing list when all I had done is phone and ask a general question about a car. It actually made me feel a little bit indignant as I felt they were taking the piss. I think the general public will increasingly start to feel this way when their data is abused or misused.
ashleyman said:
I've noticed lots of stores asking me to sign up for their newsletters again. I'm wondering if I need to do something similar?
I am a photographer registered as a VAT registered limited company. My only clients are employees within advertising agencies, production companies and brands. I'm contacting these people for the purpose of marketing my portfolio and trying to get new clients by them seeing my work and wanting to hire me.
I was told that I do not need to change anything as I have a 'Genuine business interest' in emailing these people. Is this correct? Or do I need to ask them to sign up for my newsletter again?
The newsletter is created in Mailchimp and my subscribers are all stored and managed on Mailchimp.
I have a separate database of prospects in Excel, which I email 1 by 1 whilst also researching new people to email, 1 by 1 and not as part of a group or mass send.
DELETED: Comment made by a member whose account has been deleted.
I've had a couple of update emails as follows:
Click here to update your subscription.
This link takes you to a form where you can change your subscription or unsubscribe. Presumably they have a date of the subscribe and anyone who subscribed before that date and ignores the email will be deleted? Is that how it works? I guess the issue is when the business can't remember whether it was a genuine "add me please" back in 2016 or they were just added to the list because they made a one-off enquiry?
Been looking into the Legitimate Interests stuff and found that I would need to do a Legitimate Interests Assessment.
2 of the things to think about are:
• Why you want to process the data
• Who benefits from the processing and in what way
When they talk about 'processing data' do they mean using? IE, I have an email address and I want to send an email to it so I make a new email, put the email address in the 'TO' field and then compose an email. Is that processing? Or is processing something else?
Received an email from Trust Pilot this week:
trustpilot said:
At Trustpilot, we've always taken data protection seriously. During 2017 and 2018, we've been working really hard to update our processes and documentation to meet the requirements of the GDPR, the new European data protection law coming into force on 25 May 2018. As part of this work, we’ve updated our privacy policy to give you more insights into how we process your personal data.
We’d like to let you know about these updates to our Privacy Policy for users, and invite you to take a look at it when you have a moment. The changes will take effect on 25 May 2018.
We’ve improved the wording of our Privacy Policy to make it easier for you to understand how we handle your personal data, and we’ve also made it more detailed and specific.
The most important changes include:
We set out exactly what types of information we collect, when, and detail what we use your personal information for
We explain when others may be able to see your identity
We set out clearly in what situations we pass on any of your personal information to anyone else - including information about the sub-processors who process personal information on our behalf
We include information about how long we keep personal data for, how you can find out what personal data we have about you, and how to download it or correct it
We include contact details for our Data Protection Officer
If for any reason you don’t agree with our updated Privacy Policy and would like to close your account, you can do so. Simply log in to your account, go to your Personal Settings and select “Delete my profile”.
We’ve also added information about privacy and data protection to our Support Center - and will continue to grow and improve these resources for everyone using Trustpilot. We hope you find them helpful!
Pretty much spot on!
pmanson said:
Pretty much spot on!
Nope! The guidelines on consent say otherwise.
Guidelines on consent under Regulation 2016/679 said:
[Example 1]
A mobile app for photo editing asks its users to have their GPS localisation activated for the use of its services.
The app also tells its users it will use the collected data for behavioural advertising purposes. Neither geolocalisation
or online behavioural advertising are necessary for the provision of the photo editing service and
go beyond the delivery of the core service provided. Since users cannot use the app without consenting to these
purposes, the consent cannot be considered as being freely given.
Exactly the same criteria apply to a website. Their site collects data for the purpose of advertising. I should be able to opt out of data collection used to serve me adverts and still be able to use the full functionality of the website. The site can serve me untargeted advertising instead.
The only option is to delete my account if I don't agree to the site collecting data for advertising purposes. That's classed as detriment as I am no longer able to use some of the core services of the site.
jammy-git said:
Shouldn't you only need to opt-in/out if the data being collected is personally identifiable? Would IP or geo-location by themselves constitute as PII?
From a legal standpoint an IP Address is PII. The ECJ have already ruled that it is (assuming that Trustpilot have the ability to link the IP to an account).
DELETED: Comment made by a member whose account has been deleted.
The ruling refers to the 1995 Data Protection Directive. The definition of personal data is the same as you quote.
"(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;"
The ECJ ruling says:
ECJ said:
Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.