GDPR regulations practical summary

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by naxtech, Jan 17, 2018.

  1. naxtech

    naxtech UKBF Contributor Free Member

    GDPR practical summary (credit to Matt Richeson, Facebook). I thought it'd be useful to post it separately.

    Customers have the right to request corrections to data, so you may need the ability to amend and correct PDFs.

    Customers may request that you delete their data, and unless you have legitimate, legal or contractual basis for keeping their information, then you have to.

    If someone contacts you wanting to know what information you have about them on file, you have 30 days to provide this back to them in an electronically portable medium (pdf is fine). You cannot charge them for this.

    Email is a database, as are contacts lists and phone address books, so you will have a reasonable duty to keep those up to date and sanitised if people do not wish you to contact them.

    GDPR covers paper media, so if you keep paper files, then they need to be filed securely and destroyed as well. Throwing a customer's details in the bin rather than shredding them is technically a data breach, and ought to be reported to the ICO.

    If your PC (or backup drive / memory stick) gets lost / hacked / stolen you will still have 72 hours to inform the ICO and take measures to inform customers that their data may have been compromised.
     
    Posted: Jan 17, 2018 By: naxtech Member since: May 15, 2014
    #1
  2. ffox

    ffox UKBF Regular Free Member

    This includes information that may well be scattered across various business systems. Individual workers contacts lists on PCs, laptops, phones and other devices which belong to the business are all included. The same goes for spreadsheet data, word processor documents and personal databases.

    My experience is that personal data is invariably scattered across multiple devices in any business.
     
    Posted: Jan 17, 2018 By: ffox Member since: Mar 11, 2004
    #2
  3. tony84

    tony84 UKBF Big Shot Free Member

    I have just spent the morning on this after gathering bits together over the last few weeks.

    Can someone clarify if I am missing anything as it seems a lot less than I was expecting although still a big job, but not one that is filling me with dread anymore:

    From an admin perspective:
    A list of anywhere customer data is held.
    What data is held in each of those places.
    Where that data came from.
    Where it is stored.
    Why it is needed (what it is used for).
    Who has access to it.

    So just a table with 6 columns and however many rows?

    A privacy notice on the website and in the same format as you are gaining the data (i.e. if you are filling out paperwork face to face on actual paper, then having a print-out for them to read through also).

    On the privacy notice:
    - Who you are
    - What we will do with your data
    - Who it will be shared with
    - How long it will be kept for
    - Right to complain to the ICO.
    - How to have data removed/corrected

    Have a process in place for an SAR request.
    Have a process in place for a data breach.

    An authority to collect data which is clear and breaks down how we can contact them, i.e. differentiate between text, email, phone, carrier pigeon etc. - unticked.

    Am I missing anything?

    From a practical level it is ideal to have data encrypted (that includes emails where customers' data is being sent) - although encryption is not an actual legal requirement.

    For a government agency, the ICO website is actually pretty good. I guess all those £35s I have been paying have not been wasted.
     
    Posted: Jan 18, 2018 By: tony84 Member since: Apr 14, 2008
    #3
  4. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    You will also need to identify and record the 'lawful basis for processing'. This needs to be documented. If you are relying on consent you also need processes to ensure the data subject's rights are maintained (right to erasure etc.).

    With regards to data retention, you can't just have a blanket statement; each process should have its own documented statement highlighting the retention periods.

    Consider reviewing all contracts with suppliers and customers to ensure the controls in place are adequate.

    If third parties process data on your behalf (as the controller), has the relevant due diligence been carried out? It is worth contacting them to perform checks to understand that their processes and security are adequate and that, should you receive a request for access from a data subject, they can provide the information in a timely manner.

    Also, a lot of companies are missing a trick thinking they don't process data; if they employ people they are a controller.
     
    Posted: Jan 18, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #4
  5. matthew.adams123123

    matthew.adams123123 UKBF Newcomer Free Member

    I am struggling with the "how" of implementing this when it comes to communicating to our email database via Mailchimp. Has anyone composed their first email on this? There are several ways I could go about it but not sure what is best.
     
    Posted: Jan 23, 2018 By: matthew.adams123123 Member since: Jan 23, 2018
    #5
  6. ffox

    ffox UKBF Regular Free Member

    I assume that you are looking for a suitable format asking existing customers to opt in.
     
    Posted: Jan 23, 2018 By: ffox Member since: Mar 11, 2004
    #6
  7. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    It depends what your 'lawful basis for processing' is. Don't forget consent/opt-in is only one lawful basis (there are 5 others!). Is your email DB for marketing purposes or servicing an account/providing a service? If it is marketing, could you use 'legitimate interests' as the lawful basis (obviously as long as that is the case)? If you use that basis, as long as you offer the ability to remove themselves from the DB, then there shouldn't be an issue. One thing to consider is that Mailchimp servers are all hosted outside the EEA, so you need to demonstrate that due diligence has been conducted to ensure they are compliant (Privacy Shield etc.).
     
    Posted: Jan 23, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #7
  8. matthew.adams123123

    matthew.adams123123 UKBF Newcomer Free Member

    Well, we use Mailchimp and in my head there are a few routes we can take to ask for permission.

    1. We essentially start from scratch – build a new sign-in form for a new list and direct all our current recipients to sign up for comms. If they don't sign up, they won't be stored on our list.

    2. We simply ask folk to click on an opt-in button in the email. I then track those emails and use them to build a new list.

    3. We direct folk to update their preferences on the current list's preference centre.

    Sure there are other ways. There are issues with all of the above solutions though.
     
    Posted: Jan 23, 2018 By: matthew.adams123123 Member since: Jan 23, 2018
    #8
  9. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    Like I mentioned, consent is only one lawful basis. On the surface consent appears to be the obvious 'easy' implementation; however, it then raises questions similar to what you have asked. If you are going to rely on consent (which I would steer away from if possible) then you need to decide and document how this is going to be obtained. Given the options above, I would probably look to option 3. Odds on hardly anyone will go to it though, meaning you will then need to remove most of the contacts anyway.

    On the flip side, if you process the individuals' email addresses as 'legitimate interest' (rather than consent), you can then send a communication with a privacy statement explaining why you have the details, what you are doing with it, how long you will keep it etc. (look at the ICO guidance on this statement). Give them a clear signpost to amend their options, remove themselves and request copies of their data etc. This would be transparent, clear and easy to understand (the aims of GDPR).
     
    Posted: Jan 23, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #9
  10. Clinton

    Clinton UKBF Big Shot Free Member

    Ah so this is how spammers are going to try and get around GDPR?!

    By spammers I mean the gits who send me their marketing emails because they "thought it would be of interest" or because they figure I am well "targeted".

    It's good to know. Thanks, Simon.

    Does anyone know if this can be challenged? How does one defend against every marketer (spammer) assuming "legitimate interest"?
     
    Posted: Jan 23, 2018 By: Clinton Member since: Jan 17, 2010
    #10
  11. ffox

    ffox UKBF Regular Free Member

    Email marketing falls under PECR which, according to the ICO, runs side by side with GDPR.

    PECR states - 'You can still send unsolicited marketing messages – as long as you comply with PECR.'

    The PECR checklist for unsolicited email is -

    Marketing by email or text
    1. We only text or email with opt-in consent (unless contacting previous customers about our own similar products, and we offered them an opt-out when they gave their details)
    2. We offer an opt-out (by reply or unsubscribe link)
    3. We keep a list of anyone who opts out
    4. We screen against our opt-out list

    Anyone who has 'accidentally' opted in for marketing email can simply opt out using the method which must be provided.
     
    Posted: Jan 23, 2018 By: ffox Member since: Mar 11, 2004
    #11
  12. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    Indeed, so true 'spammers' wouldn't be able to justify this, not that they would in any case because they are generally illegitimate! :)

    However, in the realms of 'junk mail' rather than spam, those where you have genuinely ended up on a list will have to give the option to unsubscribe, request copies and delete the data they hold on you etc. etc.

    If you genuinely believe there is no legitimate interest, for example you receive a marketing email for banking in a country on the other side of Europe (which you have never considered or would never consider), you have the right to request removal/deletion, ask where your details came from and the reason for processing. Again, if they are legit, then they should have clear signposting to their privacy statement that should cover this in straightforward, easy-to-understand language (i.e. bullet points rather than a 30-page privacy policy). If this has no effect, then report to the ICO or the data protection authority in the country of origin, as effectively they have moved from legitimate marketers to spammers.
     
    Posted: Jan 23, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #12
  13. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    For the UK the Data Protection Bill (currently with the Commons) should tighten this further giving a little more clarity.
     
    Posted: Jan 23, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #13
  14. Clinton

    Clinton UKBF Big Shot Free Member

    I don't buy into any distinction between junk mail and spam. If it's unsolicited and commercial and the user does not want it, then it's spam.

    Calling it junk is just a weasel way for scammers to try and seem more respectable than the pond scum that they are.

    Unsolicited email is spam. Period. Not junk, not targeted marketing email, not some other euphemism.

    A company resorting to spam - or "targeted marketing email" or "junk mail" or whatever you want to call it - are simply advertising to the world that their product is so crap that they need to resort to desperate measures to get sales.

    What do you mean by "genuinely ended up on a list"?
     
    Posted: Jan 23, 2018 By: Clinton Member since: Jan 17, 2010
    #14
  15. matthew.adams123123

    matthew.adams123123 UKBF Newcomer Free Member

    Junk and spam triggers can be triggered by certain emails and email clients – even if you have signed up to receive such emails.
     
    Posted: Jan 23, 2018 By: matthew.adams123123 Member since: Jan 23, 2018
    #15
  16. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    And don't forget, this is legislation, not a technical control. If people don't comply there will now be the facility to report this irrespective of the terminology of spam, junk and whatever else.

    It gives individuals the rights they aren't currently afforded; for instance, I may sign up to something (genuinely), then change my mind later down the line. The new regulations give the authorities the teeth they need to enforce this effectively (albeit it isn't clear how resourced they are at present).

    We have to remember, most of these laws are broadly in place currently, just not policed effectively.

    No regulation will just 'stop spam' (PECR didn't), and it would be naive to think it would. It is one step in the right direction, not a silver bullet.
     
    Posted: Jan 23, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #16