GDPR question - as an end user not someone holding the data.
Discussion
Order66 said:
Sheepshanks said:
P924 said:
Sorry, being a little obtuse, was talking to a consultant about this, and he said, don't request delete of your details, as then they'll just keep contacting you, having no record of the earlier deletion.
This was discussed earlier in the main GDPR thread and even though your data has been deleted firms are still supposed to screen against 'do not mail' lists - an IT person in the thread said it can be done easily using hashed data.Even "do not mail" lists - the whole concept shouldn't be needed. If you haven't gathered individual specific consent to keep/process personal data you shouldn't be sending it mail, so the list is not needed. If you have gathered consent the precise details of what/when that consent is forms your effective list - there should be no concept of gathering email addresses which would be needed to be compared against a list of this time.
Sheepshanks said:
I think the issue was where it was subsequently picked up from another source - I guess a mail list from a connected company, or even a bought-in one.
In my case this is definitely the issue.I've received mail (and previously mailshots) from recruitment agencies I've never had any past dealings with.
Therefore my details must have been shared / sold (which in itself is arguably a bigger crime than redirecting their spam back to them five fold...).
Wolff said:
I work in IT for a recruitment firm, certainly with us all data is encrypted and has been for a long time.
The ones you need to worry about are those still keeping paper copies!
It might be encrypted at rest, it's more the awful internal ACLs that I have seen time and time again. Meaning Doris on the front desk and Bob the cleaner have the same accesses to it as Sarah the recruiter. The ones you need to worry about are those still keeping paper copies!
Daughter is red hot on this as she has personal data of students in connection with her uni job. Some / most of it is exempt according to the regs, but it's unclear in certain areas just what applies. The uni has been threatened with massive fines if they fall foul in the areas where they are not exempt. As person responsible for her research data she has to know the ins and outs.
Which makes what she has found regarding firms holding her own personal data interesting. In short it's a a minefield of mendacity and incompetence. One firm contacted to delete her data said they had done so. Later following a trail from a firm where there had been no interaction and thus must have been sold the information resulted in arriving back at the first business. They denied having any data or selling it, later proven to be a lie. But we really have deleted the data they said. A while later arrives an email asking for update and permission etc etc.
Which makes what she has found regarding firms holding her own personal data interesting. In short it's a a minefield of mendacity and incompetence. One firm contacted to delete her data said they had done so. Later following a trail from a firm where there had been no interaction and thus must have been sold the information resulted in arriving back at the first business. They denied having any data or selling it, later proven to be a lie. But we really have deleted the data they said. A while later arrives an email asking for update and permission etc etc.
Gassing Station | Computers, Gadgets & Stuff | Top of Page | What's New | My Stuff