GDPR - anyone working in this area?
Discussion
stevesuk said:
Yep, my worry also is that now you're obliged to respond free-of-charge (you used to be able to charge an admin fee I think?), these requests are going to become more and more prevalent. Glad its not my direct responsibility to deal with them.
This was the biggest fear of everyone I had spoken to, that there would be a deluge of all encompassing Subject Access Requests from customers and ex-employees alike.Luckily, the media seemed to latch on to all the consent emails being sent by companies and SARs went completely under the radar.
jammy-git said:
They can't reply because they've deleted all his personal data.
Of course they can - they can just confirm they can find no traceWith my employers the issue is not whether we want to delete the data its that the system is no crap its impossible to say with certainty whether you actually hold the data - for example we have records where we have peoples names and addresses linked to them but there will be all sorts of data within the 'free text' which is where all the juicy stuff is - but its not searchable.
I have had an unsolicited sales email from a company advertising "GDPR Compliant Marketing Data".
The blurb within their email says
"Our data only contains the type of businesses that you are able to contact without prior direct consent. Therefore, you can freely use our data for cold contact marketing and be rest assured that you aren’t breaking any laws. Using data that does not only contain these restricted types of businesses is very dangerous and could result in a hefty fine."
The blurb within their email says
"Our data only contains the type of businesses that you are able to contact without prior direct consent. Therefore, you can freely use our data for cold contact marketing and be rest assured that you aren’t breaking any laws. Using data that does not only contain these restricted types of businesses is very dangerous and could result in a hefty fine."
It had to happen sooner or later, I messed up today.
I regularly individually email new contacts introducing them to my portfolio and services as a photographer.
For follow ups I started using a tool called YAMM which integrates with Google Sheets and Gmail - I have a business G Suite to manage domains and email etc... Anyway, YAMM allows me to send custom mail merge emails to multiple people from Google Sheets to save time.
Well, today I sent one to 262 people and got the merge tag wrong. I sent emails starting with "Hi [First Name], " instead of "Hi {First Name}, "
That meant all 262 people got an email that was obviously sent en masse, was not personalised like it should have been and just screamed HES STUPID!
The email read,
Hi [First Name],
Email Content Goes Here.
A few people were sports and replied jokingly, a few were pretty nasty and some just asked to be removed. 1 guy who I've been trying to see for months actually scheduled a meeting to see me next week which was cool.
I guess it could have been worse and thankfully it's all business to business so no major risk of having any punishment except perhaps a dented pride and being todays joke amongst ad industry people.
I had thought about sending a follow up apology but decided against it instead deciding to change my website to just say
Hi [First Name],
Oh well. Lesson learnt.
I regularly individually email new contacts introducing them to my portfolio and services as a photographer.
For follow ups I started using a tool called YAMM which integrates with Google Sheets and Gmail - I have a business G Suite to manage domains and email etc... Anyway, YAMM allows me to send custom mail merge emails to multiple people from Google Sheets to save time.
Well, today I sent one to 262 people and got the merge tag wrong. I sent emails starting with "Hi [First Name], " instead of "Hi {First Name}, "
That meant all 262 people got an email that was obviously sent en masse, was not personalised like it should have been and just screamed HES STUPID!
The email read,
Hi [First Name],
Email Content Goes Here.
A few people were sports and replied jokingly, a few were pretty nasty and some just asked to be removed. 1 guy who I've been trying to see for months actually scheduled a meeting to see me next week which was cool.
I guess it could have been worse and thankfully it's all business to business so no major risk of having any punishment except perhaps a dented pride and being todays joke amongst ad industry people.
I had thought about sending a follow up apology but decided against it instead deciding to change my website to just say
Hi [First Name],
Oh well. Lesson learnt.
Edited by ashleyman on Tuesday 3rd July 17:09
Their reply is along the lines of:
"The Company' has not relied on consent for the basis for capturing marketing preference for our customers, instead we have followed guidance from the Information Commissioner's Office that electronic marketing can be conducted in our Legitimate Interest:
"The Company' has not relied on consent for the basis for capturing marketing preference for our customers, instead we have followed guidance from the Information Commissioner's Office that electronic marketing can be conducted in our Legitimate Interest:
- where we've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
- where the messages are only marketing similar products or services; and
- where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages."
Ranger 6 said:
Their reply is along the lines of:
"The Company' has not relied on consent for the basis for capturing marketing preference for our customers, instead we have followed guidance from the Information Commissioner's Office that electronic marketing can be conducted in our Legitimate Interest:
"The Company' has not relied on consent for the basis for capturing marketing preference for our customers, instead we have followed guidance from the Information Commissioner's Office that electronic marketing can be conducted in our Legitimate Interest:
- where we've obtained a person's details in the course of a sale or negotiations for a sale of a product or service;
- where the messages are only marketing similar products or services; and
- where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don't opt out at this point, are given a simple way to do so in future messages."
TINROBOT!Yes - it's definitely opt-out.
I've had a further response which is very interesting and appears to contradict the GDPR regulation, but quotes other advice. There appears to be an opportunity for companies to still use opt-out methods.
I've had a further response which is very interesting and appears to contradict the GDPR regulation, but quotes other advice. There appears to be an opportunity for companies to still use opt-out methods.
Insurance Company said:
Thank you for your recent email received on 17 August 2018.
You are correct in your understanding if we were processing on the basis of consent we would need your active opt in; however as previously stated we are using legitimate interests as our basis for processing, and as such the active opt in requirement for consent to be valid is not required here. Our approach meets the requirements of the Privacy & Electronic Communications Regulations for electronic marketing and GDPR requirements for non-electronic marketing. We respect the marketing preferences of individuals, and offer individuals the opportunity to object to direct marketing and instructions on how to opt out in all our direct marketing communications.
If you are unhappy with the way we have responded please refer to the Information Commissioners Office (ICO) guidelines, on their website https://ico.org.uk/
You are correct in your understanding if we were processing on the basis of consent we would need your active opt in; however as previously stated we are using legitimate interests as our basis for processing, and as such the active opt in requirement for consent to be valid is not required here. Our approach meets the requirements of the Privacy & Electronic Communications Regulations for electronic marketing and GDPR requirements for non-electronic marketing. We respect the marketing preferences of individuals, and offer individuals the opportunity to object to direct marketing and instructions on how to opt out in all our direct marketing communications.
If you are unhappy with the way we have responded please refer to the Information Commissioners Office (ICO) guidelines, on their website https://ico.org.uk/
Not sure if this has been covered here and I would appreciate the view of the PH hive on this. I will admit now that I’m not 100% up to speed with GDPR but what is the current stance around the right to erasure (be forgotten)?
The company has always worked to the HMRC rule of 6+1 financial years of data needs to be retained.
Talking to some people at a conference last week and it was mentioned that if there is a legal obligation then a company may have to keep records for more than 7 years.
The example given was that if any of our employees work with children we need to keep records for 25 year (probably more like life IMO).
The company I work for does work with children and in social care, the CQC (I’m not sure if this is a legal requirement) recommendation is that we (or an employee) can prove their entire social care career history.
Where do we stand on right to be forgotten requests? Do we need to politely decline on legal grounds?
The company has always worked to the HMRC rule of 6+1 financial years of data needs to be retained.
Talking to some people at a conference last week and it was mentioned that if there is a legal obligation then a company may have to keep records for more than 7 years.
The example given was that if any of our employees work with children we need to keep records for 25 year (probably more like life IMO).
The company I work for does work with children and in social care, the CQC (I’m not sure if this is a legal requirement) recommendation is that we (or an employee) can prove their entire social care career history.
Where do we stand on right to be forgotten requests? Do we need to politely decline on legal grounds?
Seek proper legal guidance but my understanding is that if you have a good reason to store/keep the record then you can do so.
I have a customer who had a blanket storage rule of 7 years. They are changing this to a proportional rule based on the other selling rules they are exposed to. So, a basic enquiry - 6 months, an enquiry that is sales related 2 years and an actual sale 5 years.
You can't just ask to be deleted and have it done regardless of other frameworks.
You still need to make sure the data held is proportional though, my Electricty Co. doesn't need to know my whole medical history. Data should be protected, excrypted, limited access etc etc.
You sound like you could have and need to store special category data and have vulnerable 'customers' so definately engage an expert.
I have a customer who had a blanket storage rule of 7 years. They are changing this to a proportional rule based on the other selling rules they are exposed to. So, a basic enquiry - 6 months, an enquiry that is sales related 2 years and an actual sale 5 years.
You can't just ask to be deleted and have it done regardless of other frameworks.
You still need to make sure the data held is proportional though, my Electricty Co. doesn't need to know my whole medical history. Data should be protected, excrypted, limited access etc etc.
You sound like you could have and need to store special category data and have vulnerable 'customers' so definately engage an expert.
Bullett said:
Seek proper legal guidance but my understanding is that if you have a good reason to store/keep the record then you can do so.
I have a customer who had a blanket storage rule of 7 years. They are changing this to a proportional rule based on the other selling rules they are exposed to. So, a basic enquiry - 6 months, an enquiry that is sales related 2 years and an actual sale 5 years.
You can't just ask to be deleted and have it done regardless of other frameworks.
You still need to make sure the data held is proportional though, my Electricty Co. doesn't need to know my whole medical history. Data should be protected, excrypted, limited access etc etc.
You sound like you could have and need to store special category data and have vulnerable 'customers' so definately engage an expert.
I have a customer who had a blanket storage rule of 7 years. They are changing this to a proportional rule based on the other selling rules they are exposed to. So, a basic enquiry - 6 months, an enquiry that is sales related 2 years and an actual sale 5 years.
You can't just ask to be deleted and have it done regardless of other frameworks.
You still need to make sure the data held is proportional though, my Electricty Co. doesn't need to know my whole medical history. Data should be protected, excrypted, limited access etc etc.
You sound like you could have and need to store special category data and have vulnerable 'customers' so definately engage an expert.
Thanks , ive mentioned it to our DPO and they are picking it up. I just wondered if anyone else had come across a similar situation. I have been keeping up to speed on GDPR so I know we should only be keeping relevant data but this feels like this would be compounding the effort needed.
We will need to look at what we need to keep, how long we need to keep it for and how we manage the different combinations (we couldnt/shouldnt just have a blanket ban on this) and then find a way to reliably manage all of this going forward.
Im not sure an expert would exist as we would need an expert in childrens services & social care & GDPR, there cant be many of them about!
Interesting take from the ICO.
I was given a voucher when I purchased some stuff from my local CO-OP this morning. To redeem the voucher you have to go to https://www.gift.coop/ and enter the voucher code. By submitting the code you are agreeing to sign up to receiving email marketing. I was very much under the impression that this is classed as forced consent but not according to the ICO:
I was given a voucher when I purchased some stuff from my local CO-OP this morning. To redeem the voucher you have to go to https://www.gift.coop/ and enter the voucher code. By submitting the code you are agreeing to sign up to receiving email marketing. I was very much under the impression that this is classed as forced consent but not according to the ICO:
ICO said:
The ICO’s view is that it may still be possible to incentivise consent to some extent. There will usually be some benefit to consenting to processing. For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing. The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal.
Gassing Station | Business | Top of Page | What's New | My Stuff