GDPR - anyone working in this area?
Discussion
How random, I had never heard of GDPR until today. A lovely lady from the government Software Advisory Service called me and tried to sell printers... and software and GDPR compliance and anything else she could think of.
I did a quick google and frankly was a bit confused! Then got caught up in operational stuff...
Then this thread pops up!
We are almost entirely B2B (we manufacture for trade customers and our own fitting of aluminium windows and doors etc.); the only B2C we do is over a small “trade counter” (that we are winding down). We do no marketing at all to private individuals and tbh would rather not do B2C. All our B2B marketing is very old school: sales reps calling into premises; we occasionally (every 12 months or so) do mail shots, but they are usually to old customers showcasing new products etc. or from internet searches for businesses who might be interested in what we do.
We do sometimes (either given directly from our counter or from trade customers) have private individuals' names and addresses, emails, phone numbers etc., usually when we deliver direct to a house; it’s handy to have a contact in case the driver gets lost or what have you. Is this personal data?
We have a database-driven SOP/CAM system that creates “orders”. This “order” is created with ALL the information relating to it, so it stores the exact specification of what is to be manufactured (and communicates this to our in-house manufacturing process); it then schedules and produces delivery notes and eventually invoices. After the data is entered initially it is largely automatic, where a completed process will trigger the next critical action etc.
Once the order is completed it sits in the database for ever; it is never looked at again unless we have a warranty claim/other issue or an occasional BSI-type audit.
Keeping the order details for ever is brilliant for our trade customers; it means they can call us after 10+ years and we can confirm specifications etc. long after the contracts and purchase orders have gone.
I think the database has several million orders going back to the late 90s (obviously the program is not the same but still allows access to the data); the only way we could know if there is personal data in those orders is to look at each order!
Do I have to worry about the odd email or phone number being stored for a site delivery?
The other thing that kind of worries me is DDI and mobile numbers, as I reckon 99% of my customers (and me) have DDI and mobiles in their email signatures. It is not uncommon for emails to end up in the factory or with drivers; it is often simpler to print the email than to try and re-communicate its content.
Yep... I'm involved in this good old chestnut (together with a team of about 15 others in our business: legal, marketing, tech, compliance, information security etc. etc. etc.)
Large business
Mainly consumer
Huge amounts of data (personal consumer and employee) millions of records
At least a couple dozen different data stores
100+ customer data entry/ creation points
several dozen partner relationships with whom data is exchanged.
As we probably failed to fully meet the standards of existing PECR and DPA reqs we have a lot to do. I think our project cost will be close to or above the suggested business average, i.e. "€1.3 million".
The "system" part of the project probably constitutes 25% of the overall project.
It is a real opportunity for us to challenge how much direct marketing we do going forward (and therefore how much personal data we collect, process and retain).
Frimley111R said:
jonamv8 said:
So how exactly are they enforcing this?! Are they going to visit premises and audit CRMs etc?
Clearly not. I suspect they will just come down hard on anyone reporting a business for 'spamming' them. It'll be 'policing by fear'. All it takes is for one customer to report a business...
plasticpig said:
Many companies don't register with the ICO because processing and holding data for the purposes of payroll is exempt as is holding data for the marketing of their own goods and services and data held for accounting purposes.
I've never seen that scope of exemption under ICO - could you point to it? It would be great as it covers everything we do!
I notice now the ICO have said they're going to develop a way to continue to charge businesses for registering - although they haven't figured out what that's going to be yet. The requirement to register was supposed to go away under GDPR. Apparently only 10% of UK companies register anyway.
Met with French and German colleagues yesterday - they always love to point at laws and regulations and they're very excited about GDPR.
Sheepshanks said:
I've never seen that scope of exemption under ICO - could you point to it? It would be great as it covers everything we do!
I notice now the ICO have said they're going to develop a way to continue to charge businesses for registering - although they haven't figured out what that's going to be yet. The requirement to register was supposed to go away under GDPR. Apparently only 10% of UK companies register anyway.
Met with French and German colleagues yesterday - they always love to point at laws and regulations and they're very excited about GDPR.
https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/
ICO said:
Most organisations that process personal data must notify the ICO of certain details about that processing. However, the Act provides exemptions from notification for:
organisations that process personal data only for:
staff administration (including payroll);
advertising, marketing and public relations (in connection with their own business activity); and
accounts and records;
some not-for-profit organisations;
organisations that process personal data only for maintaining a public register;
organisations that do not process personal information on computer.
DELETED: Comment made by a member whose account has been deleted.
Sure. But the need to register was supposed to go away under GDPR. The ICO have just said they will continue to charge people, but haven't quite figured it out yet.
https://iconewsblog.org.uk/2017/10/05/ico-fee-and-...
Eric Mc said:
What's left that isn't exempted?
DELETED: Comment made by a member whose account has been deleted.
When someone asks a question I always try to answer rather than redirect them to a website.
Or is the list so long it's too tedious to list?
Eric Mc said:
Or is the list so long it's too tedious to list?
I suppose it's 'everything else'.
Clearly, they want to encompass as much as they can. Even the definitions seem nonsense - "personal data" isn't someone's name but it becomes personal if there's pretty well any other reference to them (business or personal). But a business wouldn't keep a name and nothing else.
Sheepshanks said:
I suppose it's 'everything else'.
Clearly, they want to encompass as much as they can. Even the definitions seem nonsense - "personal data" isn't someone's name but it becomes personal if there's pretty well any other reference to them (business or personal). But a business wouldn't keep a name and nothing else.
You're wrong there IMO. My name identifies me as an individual because it's unique. There is no one with the same name in the rest of the world. Google my name and the only hits that come back relate to me. So just holding my name and nothing else in a database identifies me.
That's just my forename and surname BTW.
plasticpig said:
You wrong there IMO. My name identifies me as an individual because it's unique. There is no one with the same name in the rest of the world. Google my name and the only hits that come back relate to me. So just holding my name and nothing else in a database identifies me.
That's just my forename and surname BTW.
How is a holder of your name supposed to know that?
plasticpig said:
Eric Mc said:
How is a holder of your name supposed to know that?
They don't need to know that. Companies need to take into consideration that a name alone can be a unique identifier for the purposes of GDPR.
Isn't that the problem?
But how is the holder of a person's name supposed to decide whether that person's name is a "common or garden" name and therefore not a unique identifier?
Most names are not unique and therefore you would have to have lots of other data points about that person before you had to decide that their name alone was enough to identify them as one person and one person only. Even my name, which is not that common a combination, has shown around four to five similar names when a Google search is conducted. And every person in the world isn't identifiable by Google.