[Closed] GDPR

Posts: 0
Free Member
Topic starter
 

Is wonderful...

Work is an endless stream of clients begging to buy really expensive encryption solutions despite us telling them they probably don't need it

And every man and his dog who's been spamming me for the last decade or more, that I've long given up playing whack-a-mole to unsubscribe from, to send me mails begging for me to let them carry on.

If this takes hold I may return to the days of getting 2-3 e-mails a month from actual real people and that's it - a return to the golden age of the personal email.


 
Posted : 25/04/2018 1:32 pm
Posts: 0
Free Member
 

Generally, it's going to be a good thing for companies who adhere to it. I think most spammers operate outside of any existing Data protection laws anyway so I don't think this will have any impact on them.

For my customers, we are still not sure if they need to move their sites to https or not. AFAIK, the ICO states that communications need to be secure but whether or not this means they need an SSL cert on their website and to use TLS in the email clients or not, I don't 100% know.


 
Posted : 25/04/2018 1:41 pm
Posts: 919
Free Member
 

I think there will be quite a few junk/marketing email type companies going out of business soon.


 
Posted : 25/04/2018 1:42 pm
Posts: 626
Free Member
 

Prepare your subject access requests to send to the businesses you want to see sweat on May 26th......


 
Posted : 25/04/2018 1:49 pm
Posts: 0
Full Member
 

And they cannot charge you for a SAR “unless the request is unreasonably complex” rather than the £40 some already charge, also it's immediate, not a month or 40-day turnaround..

It's not just mail spammers, those direct marketers are in for a shock.


 
Posted : 25/04/2018 2:22 pm
Posts: 45735
Free Member
 

> Prepare your subject access requests to send to the businesses you want to see sweat on May 26th……

Oh, there is some fun to be had with that one....

I have spent the morning getting an automated 'Are you still wanting us to email you a newsletter?' system prepared and ready. Our newsletter distribution (from which about half of our new customers and unrestricted income comes from) I think will lose 90% of circulation.

I can see a few companies either falling foul of it, or as the OP hints, spend a fortune tying themselves in knots about it.


 
Posted : 25/04/2018 3:02 pm
Posts: 0
Free Member
Topic starter
 

> I have spent the morning getting an automated ‘Are you still wanting us to email you a newsletter?’ system prepared and ready. Our newsletter distribution (from which about half of our new customers and unrestricted income comes from) I think will lose 90% of circulation.

It may not be bad news - I think we're long past saturation point, I used to get dozens if not more, newsletters, special offers and whatnot a day and I read none of them. Not many were actual spam, at some point I'd done business with all of them and no doubt ticked a box to hear from them again but they all got deleted or ignored because you can't really see the wood for the trees. I think most people these days rarely look at their non-work e-mail account unless they're expecting something.

The situation got better a few years ago when the one-click, or near one-click unsubscribe button came in. I don't know about anyone else but I killed off 90% of the 'spam' mails to make my inbox more usable. Now with GDPR coming in and the auto/blanket unsubscribe element I'll only have the companies I really do want to hear from - I've reopted (lots of new words being invented) in to 2/3 who send me either interesting content or good offers and they'll likely get read more often.

Yes you may lose 90% of your circulation, but the 10% left are your real customers.


 
Posted : 25/04/2018 3:16 pm
Posts: 77726
Free Member
 

> we are still not sure if they need to move their sites to https or not.

Why not just do it anyway?  It's good practice and not particularly difficult.  You can get basic SSL certs free these days too -  https://letsencrypt.org/


 
Posted : 25/04/2018 3:16 pm
Posts: 0
Free Member
 

@P-jay - I still use personal email a lot, had nine today already: 2 newsletters (Cotic and CTBM), three transaction related, four personal. I don't do social media, forums like this excepted.

Some of the "Do you still want us to contact you?" emails come from companies I've never heard of, they seem to be subcontractors to whoever I've signed up with but there's no indication of who I'd actually dealt with in the first place! For companies that are meant to be in the business of communication these are good examples of it being done badly!

Of the others, quite a few of the emails are laid out in a way that makes the unsubscribe link very hard to find. The "Keep me on your list" links are massive buttons but the Unsubscribe link is low contrast text on a coloured background for example.

Maybe get rid of them all then sign up to the ones I really want.


 
Posted : 25/04/2018 3:34 pm
Posts: 13594
Free Member
 

> I think most people these days rarely look at their non-work e-mail account unless they’re expecting something.

My work email gets 10x more spam than my personal email. Exchange's blocked senders list is very, very long. The spam filter still picks up loads e.g. 10 this morning, all deleted without even looking at them.


 
Posted : 25/04/2018 3:37 pm
Posts: 77726
Free Member
 

The bulk of the junk mail coming to my work account is via people getting my name from LinkedIn and guessing my email address.  "When's the best time to call you about our product?"  Jog on, I don't deal with spammers.

Funny thing.  When my profile had "engineer" in the title, no-one gave me a second look.  As soon as it changed to "manager" I got loads of UCE spam and random link requests from recruitment parasites.


 
Posted : 25/04/2018 3:46 pm
Posts: 0
Free Member
 

Cougar

> Why not just do it anyway? It’s good practice and not particularly difficult. You can get basic SSL certs free these days too – https://letsencrypt.org/

Because it's an awful lot of work as I have a lot of clients so it would be a fair chunk of my time.

I will be sending out an email to all of my clients with my updated Policy anyway and would like to offer a GDPR service to them but I need to know what is required first.

1) Remove any pre-ticked opt-in marketing checkboxes on contact forms
2) Add and style their Privacy Policy and add links in the site footer
3) Add a required consent checkbox to all contact forms with a clear link to their Privacy Policy
4) Enable https on their website?
5) Onsite visit/remote session/phone advice to enable SSL/TLS in the email client?

So we are in the position where we are nearly ready to offer the service but just want to know what is required. Yes we can have an "it's quite useful to change to https" service, esp with Google slowly moving towards a secure web and using https as a ranking feature, but it would sound a bit woolly.

"Well we think you need to change all 40 of your Outlook accounts to SSL/TLS and this will require a site visit but we aren't 100% sure if this is required or not".


 
Posted : 25/04/2018 3:56 pm
Posts: 45735
Free Member
 

> Yes you may lose 90% of your circulation, but the 10% left are your real customers.

True, but our customers being teachers, they often read one in six newsletters I send out - and then buy our training services. This means that many just will not read this week's - and in 10 days we nuke their data.

Apparently it isn't the done thing to email them daily with ever increasingly desperate messages...


 
Posted : 25/04/2018 4:37 pm
Posts: 0
Free Member
 

Hmmmm can I suggest that folks on here go and read the ICO/GDPR guidance on legitimate business interest, which by the way specifically mentions Marketing.


 
Posted : 25/04/2018 6:58 pm
Posts: 0
Free Member
 

Oh and can I also suggest that encryption of mobile devices is very sensible as the loss of unencrypted personal and sensitive data from a mobile device is -

A. Reportable after May 25th

B. Likely to receive a substantial fine

C. Likely to receive a very big fine if you fail to report within 72 hours if the ICO finds out.

Things you are likely to start hearing are -

Device Ransom of unencrypted devices (bitcoin please)

Material damage claim for loss of data (GDPR PPI)

It's not the ICO you need to worry about....


 
Posted : 25/04/2018 7:04 pm
 poly
Posts: 8802
Free Member
 

matt - who told you that you need their explicit consent?  As oldmanmtb alludes to, consent is only one of six reasons for processing their data.  I'd get better GDPR advisors.

Cougar,

> 3) Add a required consent checkbox to all contact forms with a clear link to their Privacy Policy

when you say "required" do you mean if they don't tick it they can't submit the form?  Best to go and read the ICO guidance on consent again...  you'd also need to consider how consent can be revoked just as easily as it was provided.  Are you sure consent is even the right legal basis for processing data from a contact form?

As to whether you need to consider SSL etc - it depends what you are doing.  There isn't a blanket one size fits all solution.  An alternative approach would be to say, "Many of our clients are asking us to turn on a higher level of security (SSL/TLS) for their email server.  If you handle personal data via email this may be required to help you comply with GDPR, but is good security practice anyway.  If you believe you would require this feature turned on before 25th May please let us know as soon as possible as it is likely to require a site visit for many of our clients."


 
Posted : 25/04/2018 7:19 pm
Posts: 45735
Free Member
 

> matt – who told you that you need their explicit consent? as oldmanmtb alludes to consent is only one of six reasons for processing their data. I’d get better GDPR advisors

You and me both, but the person who has been on all the training in our organisation has decreed so, stating we need to confirm consent and 'everyone else is doing it'.

I disagree, but I'm not the 'trained' one or my role. I just have to do some of the techy and email stuff.


 
Posted : 25/04/2018 7:51 pm
Posts: 45735
Free Member
 

I should add - I'm talking about a discrete marketing list. It is populated over years of sign ups via web and course attendees - and some attendees we would struggle to evidence source and express permission.

Our existing customers are in a separate data store, and they remain.


 
Posted : 25/04/2018 7:54 pm
Posts: 10331
Full Member
 

I'm loving it because we've been keeping random data on our supporters forever 'just because' and I've been trying to get rid because too much data means you can no longer find what you really want.  Being forced to justify what you keep and why is brilliant - everyone is forced to think

The difficult stuff is the historical stuff.  We would love to keep the names of our early supporters as they are part of our story but working out how to do that isn't so easy.  Everyone is in the same boat though so lots of people to ask

edit: also had all our websites hacked last week (drupalgeddon 2 🙁 ) but only lost a small amount of data and nothing serious.  That really focused minds though


 
Posted : 25/04/2018 7:55 pm
Posts: 0
Full Member
 

How many new privacy statements have you had to sign so far ?

Plenty coming through from the big players in Data Usage.. it’s the millions of others you need to be wary of...


 
Posted : 25/04/2018 8:00 pm
Posts: 77726
Free Member
 

Cougar,

Wuzzn't me.


 
Posted : 25/04/2018 8:07 pm
 poly
Posts: 8802
Free Member
 

matt - I realise I'm preaching to the choir to some extent, but you'd only need to show "signups and express permission" if you were claiming consent was your legal reason for processing.  I also realise the ball is rolling so very messy to reverse it - however I'd be kicking up a fuss, and also making sure their boss understood that they weren't as hot on this GDPR stuff as they could be and were losing you "customer reach" unnecessarily.  There are six lawful reasons for processing data (I'm assuming you are talking ordinary contact details etc not special category data), consent is one of them (unhelpfully many self appointed experts seem to think you need consent for some/all of the other five, or are delivering their training in such a way to encourage you to engage their further services), for some reason everyone defaults to Consent, even though none of the reasons is supposed to be more important than the others (and actually consent is the most effort).  In your case Legitimate Interests may well apply.  The full guidance is on the ICO website.  Some of the key points are (all my underlining):

  • It is likely to be most appropriate where you use people’s data _in ways they would reasonably expect_ and which have a _minimal privacy impact_, or where there is a compelling justification for the processing.

Now assuming you've been emailing these people for months/years with an "unsubscribe" type link and they've not unsubscribed or replied saying "give it a rest" then it's obviously not having much privacy impact or unexpected.

  • The legitimate interests can be your own interests or the interests of third parties. They can include _commercial interests_, _individual interests_ or _broader societal benefits_.

Obviously you have a commercial interest.  The individual you are emailing presumably has some interest because they made an initial enquiry or attended previously, and society benefits because of the type of work you do.

  • The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

So the other "less intrusive" way would be to send them an extra unsolicited email asking them to sign up to something (and possibly sending them a further "we've removed you" email on the 24th).  That does not seem less intrusive to me.  It would also be less effective.

Now will you actually delete those who don't respond or just put them on a "do not send list"?  What then if you have news which really is important to share as widely as possible (say someone has been passing themselves off as your organisation and you believe that presents a safety or safeguarding issue)... that is definitely Legit Interest.


 
Posted : 25/04/2018 8:22 pm
Posts: 0
Free Member
 

poly

> when you say “required” do you mean if they don’t tick it they can’t submit the form? Best to go and read the ICO guidance on consent again… you’d also need to consider how consent can be revoked just as easily as it was provided. Are you sure consent is even the right legal basis for processing data from a contact form?
>
> As to whether you need to consider SSL etc – it depends what you are doing. There isn’t a blanket one size fits all solution. An alternative approach would be to say, “Many of our clients are asking us to turn on a higher level of security (SSL/TLS) for their email server. If you handle personal data via email this may be required to help you comply with GDPR, but is good security practice anyway. If you believe you would require this feature turned on before 25th May please let us know as soon as possible as it is likely to require a site visit for many of our clients.”

Hi poly,

thanks for your detailed reply. It is appreciated.

I was under the impression that consent was required for a contact form. I've read the ICO guidelines again as you suggested and it states:

  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Explicit consent requires a very clear and specific statement of consent.
  • Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.

So, the way I read that is that a positive consent opt-in is required on a contact form to alert users to the fact that by sending the form with their personal details in it, we are collecting their data and they will need to consent to this.

You asked if "consent is even the right legal basis for processing data from a contact form".

My understanding of this is that we are collecting their data so, therefore, need to notify them of this and obtain their consent. And if they don't consent, then they shouldn't be able to submit the form and therefore we need to make it a required field.

But. We are also aware that:

  • Avoid making consent to processing a precondition of a service.

which means that we can't make the consent checkbox a required field.

But then GDPR also says:

  • Keep records to evidence consent – who consented, when, how, and what they were told.

So if we don't have a required consent checkbox, we won't have any record of it.

If you are able to offer any advice it would be appreciated. I have spent a long time researching this and to be honest, am still confused and I don't think I am alone.

thanks,

Hedley


 
Posted : 26/04/2018 12:48 pm
Posts: 45735
Free Member
 

> But. We are also aware that:
>
>   • Avoid making consent to processing a precondition of a service.
>
> which means that we can’t make the consent checkbox a required field.
>
> But then GDPR also says:
>
>   • Keep records to evidence consent – who consented, when, how, and what they were told.
>
> So if we don’t have a required consent checkbox, we won’t have any record of it.

Having thrashed through (again) ours this morning, this is our issue. Thousands of members who could not join us without consenting to our newsletter, which we know was the case. All the online sign ups are fine - it is the others who signed up as members. And some doofus both overwrote the database a few years back, and deleted all the sign up information that is always included in notes when we upload new contacts...

So we are on a start again and get specific permissions.

A last question: I want to send out an email with a gert big 'Yes, keep sending me this stuff' type button (below which is a formal statement of what that means) and a 'Oi, NO!' button alongside.

Ideally this takes you to a page that has email and name pre-filled - you just click one last box to go 'yes please'. I take that as not default consent and prefilled - as you click on the email to confirm. A few I have received are already like this.

A colleague thinks that it takes you to a blank page, you have to re-fill with name, email, location...

Who is 'right'?


 
Posted : 26/04/2018 1:01 pm
Posts: 0
Free Member
 

Consent is pretty simple ...

1) It cannot be by default...  someone must ACTIVELY opt-in

2) It must be granular and list every purpose for which the data will be used.

2.1) One good practice is that you make one of those granular items "contacting you to confirm you wish to continue your current consent"

(e.g. you might want to confirm they still wish to continue as is or due to technical reasons you may need to alter the TOS and what exactly they are signed up for...)

> So if we don’t have a required consent checkbox, we won’t have any record of it.

This is pretty simple you have a Yes and a No ... the DEFAULT must be no.

However

> So, the way I read that is that a positive consent opt-in is required on a contact form to alert users to the fact that by sending the form with their personal details in it, we are collecting their data and they will need to consent to this.
>
> You asked if “consent is even the right legal basis for processing data from a contact form”.
>
> My understanding of this is that we are collecting their data so, therefore, need to notify them of this and obtain their consent. And if they don’t consent, then they shouldn’t be able to submit the form and therefore we need to make it a required field.

You don't need consent if you have another legal basis .. if you deliver newspapers to addresses then you have legal basis to hold the address for example.

This MUST be in the Article 30 Data Register...

Do you need their name to do that?

Possibly not .. but you would need their name and other personal data to verify who they are if someone phoned up or otherwise contacted them asking for your paper delivery to be cancelled.

Wherever possible avoid consent... implicitly consent can be withdrawn and this can then leave you without for example your accounting records... in other words better to say you need to keep X,Y,Z for the process of accounting and financial reporting...

Keep in mind the potential damage the information you ask for could cause if there was a data breach...

For example if you are keeping data that is otherwise publicly available in one way or another then the risk is low... if you keep people's bank details etc. then the risk is high and if you ask questions about special categories (sexual preference, religion, union membership (or not), medical records or details etc.) WITHOUT a really good reason you're playing with fire.

Let's say you organise a race (it's going to be road but makes an easier explanation)

You are going to close a road.. so you can send out correspondence "to the occupier"

Some occupiers complain and give their name and address ... you define legal basis to keep this because they contacted you and provided  this and you need to track it for your "complaints management process"

Some occupiers write telling you Bob at No. 74 has a specific medical condition and may need emergency services access and carers etc.

In this case you would be better to not store the actual condition and instead only flag this with a "requires medical/carer access".

This could involve redaction of text.

Now.. how was that sent?  If it was an email how do you prevent that email being duplicated?  (forwarded)

How do you prevent this being backed up non-redacted either on (for example) an Exchange server and/or in separate employees' .PST files?

How long do you keep this data?  (Deletion right after the road reopens seems the most correct ... though it might be tempting to keep for next year's race you would need to justify that)


 
Posted : 26/04/2018 2:18 pm
Posts: 10869
Full Member
 

You also need to remember that consent is not permanent, it decays with time. How long it's valid for depends on the relationship with the data subject. So a one time opt in given now won't necessarily be something you can rely on in 5 years time.


 
Posted : 26/04/2018 2:29 pm
Posts: 0
Free Member
 

> You also need to remember that consent is not permanent, it decays with time. How long it’s valid for depends on the relationship with the data subject. So a one time opt in given now won’t necessarily be something you can rely on in 5 years time.

The consent must be given for a time period or event anyway... heck why consent is a bad choice if there is other legal basis.

However the more onerous side is that consent can be WITHDRAWN ... and at that point you cannot invoke "but we need this data for..."  you should have done that a year ago and it should be in the Article 30 Data Register instead of consent...

If consent is withdrawn then you need to DELETE all data that relies on it .. and that includes every instance in those daily backups....


 
Posted : 26/04/2018 2:34 pm
Posts: 1143
Full Member
 

> If consent is withdrawn then you need to DELETE all data that relies on it .. and that includes every instance in those daily backups….

I thought this would be under reasonable endeavour? It may not be practical to go through all backups deleting bits of data or individual records from a database. As long as there is a policy and system in place to keep the backups safe and a system to not restore data that has been marked for deletion then you should* be fine.

*IMNAL or an ICO Officer


 
Posted : 26/04/2018 3:07 pm
Posts: 0
Free Member
 

stevextc

"You don't need consent if you have another legal basis .. if you deliver newspapers to addresses then you have legal basis to hold the address for example."

Aha, so would I be correct in saying that...

We won't need a consent checkbox on a contact form, because, as part of the process of them contacting us is to make an enquiry and therefore we have a legal basis* to hold their data to answer their query?

* For the period of time it takes to reply/deal with their enquiry and then delete if not required after X time as stated in our PP.



 
Posted : 26/04/2018 3:15 pm
Posts: 0
Free Member
 

Withdrawing consent does not mean you have to delete that data if there is still a legal or contractual obligation to keep it (within a defined retention period) and it is being kept for the original (consented to) purpose - for example if you legally have to keep a record of who bought something from you, you can keep that information even if the person withdraws consent.

Regarding backups, the interpretation that alphabet gives is the stance being taken by many (most?) businesses - you need to ensure that the data is still secure, will not be restored (without being removed again) and is documented.

Of course, after 25th May there will no doubt be legal cases brought that will set precedents in some of the more grey areas. "Interesting" times...


 
Posted : 26/04/2018 4:48 pm
Posts: 0
Free Member
 

There are some people giving advice in this thread that I would consider to be ill informed. I would suggest to anyone asking for advice or clarification on an internet forum to seek proper consultancy on this matter, you cannot afford to get it wrong, and "that's what some guy on an internet forum told me" will not cut it in an audit situation.


 
Posted : 26/04/2018 4:59 pm
Posts: 0
Free Member
 

> Withdrawing consent does not mean you have to delete that data if there is still a legal or contractual obligation to keep it and it is being kept for the original (consented to) purpose – for example if you legally have to keep a record of who bought something from you, you can keep that information even if the person withdraws consent.

Then that should be the legal basis in the Art 30 Data Register ...

> Of course, after 25th May there will no doubt be legal cases brought that will set precedents in some of the more grey areas. “Interesting” times…

So as I remember nothing says you can't have more than one legal basis but most companies are simply avoiding consent where they can because what would happen if you do need to delete or anonymise it.

> Regarding backups, the interpretation that alphabet gives is the stance being taken by many (most?) businesses – you need to ensure that the data is still secure, will not be restored (without being removed again) and is documented.

Storage is defined as processing... It's also worth noting that separate to GDPR in the UK it is now a criminal offence to de-anonymise data.

In context ... let's say someone makes a SAR ... you have data in backups but you have no idea what it is... you would also need a legal basis for keeping backups with personal data.

In normal cases .. probably* (can't say professionally) you'll be OK... but let's say you have a data breach and get the ICO coming to investigate.  If your backups are stolen* can you say what is in them... what risk has this then created for the data subjects?

*Let's assume if you have backups then you'll have an offsite copy as well... today perhaps cloud so where is it and what do you have in force as the data controller with the data processor (cloud company)

IMHO it's best to reduce relying on consent ... it sounds like an easy option but I think it's actually the one with most pitfalls.

It's good for data that is ephemeral .. like marketing databases because in most cases you might as well dump marketing data if the customer doesn't want it... and it's probably useless after a few years (honest Amazon I was buying Nappies 7 yrs ago but my kid no longer uses them - didn't you notice)

For everything else you have a solid legal basis just don't use consent as the basis.


 
Posted : 26/04/2018 5:05 pm
Posts: 0
Full Member
 

Just follow the ICO guidelines, and apply them to your organisation (whatever size)

There are consultancies out there that know far less than some comments on here.

Typically it's 80/20 interpretation, but if you've made inroads towards a roadmap and got some of the basics right it's far more than some organisations.

Some haven't even started yet...


 
Posted : 26/04/2018 5:08 pm
Posts: 0
Free Member
 

I think we're in agreement Steve - regardless of anything else above, you need a comprehensive register in place - if you have that you'll always be in a stronger position than without even if the worst happened.

Relying on consent - yes, not ideal but reflects reality for many companies where it's not going to be realistic (economically) to go back and remove data outside of 'need' - as such, they would need to ensure it's registered and they're ready to erase/anonymise if a request comes in (or can show why it's not reasonable to remove it but that the data is still beyond reach).


 
Posted : 26/04/2018 5:17 pm
Posts: 10869
Full Member
 

As mentioned above, I wouldn't treat any advice in this thread (including my own) as gospel - first of all, some of it seems to be based on interpretation of the regulations rather than the actual text and second, nobody here fully understands the situation of any other poster and without that it is impossible to give advice. Oh and finally GDPR hasn't been tested in court yet so nobody knows what the ICO will accept.

Anyhow as Elizabeth Denham said "there's no deadline" so why are we all so bothered 🙂


 
Posted : 26/04/2018 5:35 pm
 poly
Posts: 8802
Free Member
 

Hedley - I'd say most likely yes.  The legal basis there would probably be Legitimate Interest.  Good practice would be to explain what you will do above the submit button.  You may even have a legit interest to contact them again after the initial enquiry but you need to read the ICO guidance and decide if it is reasonable and can be expected.

Matt - presenting them an empty form is both stupid and rude, and totally unnecessary.  Personally I'd say just clicking the link in the email could take them to a "Thanks for agreeing to receive our newsletter, you can unsubscribe at any time by following this link" page, and not requiring them to click again.  However if it's useful to get them to update their details it would be good, but will lose you some click through.  I don't think you really need a NO button in the email - ignoring it will have the same effect.  The reality is GDPR does not stipulate how these things need to be done.  There is ICO guidance, and a rather dull Article 29 Working Party Guidance document but even they don't go that granular.  Anyone who says you need to open a blank form will be unable to point to any piece of legislation that says this.


 
Posted : 26/04/2018 5:47 pm
Posts: 0
Full Member
 

> Personally I’d say just clicking the link in the email could take them to a “Thanks for agreeing to receive our newsletter, you can unsubscribe at any time by following this link” page

Most are doing this... It's become an accepted way of this treatment.

I've almost finished my lot.. but we are expanding some of the more technical aspects to Apps and our Secure Portals.. I'm all up for some time off again after this one..

Japan Surfing? Yeah.. why not.


 
Posted : 26/04/2018 5:56 pm
 jca
Posts: 742
Full Member
 

An important thing to bear in mind with regard to various interpretations of the laws is that at present even the ICO can only issue guidance based upon an interpretation. Until the laws have been through the courts and a judicial precedent is set then there will be many grey areas

The important thing is to make sure you aren't involved in setting the precedent...for the most part having evidence of making an effort to comply will likely suffice. If your company ignores everything and makes no effort to comply, then they are more likely to be the ones on the naughty step. Make sure you have documented what you have done, and how you believe your actions make you compliant. The ICO will be after those who are flagrantly ignoring the laws in the first instance, rather than trying to trip up those who are making an effort to comply but get caught out by differing interpretations.

(At least....that's what our legal people tell us...)


 
Posted : 26/04/2018 10:48 pm
Posts: 41395
Free Member
 

Is anyone else's work DP paranoid?

A colleague was told she couldn't use our shredded paper (for a project) in case of a DP breach, she'd have to buy some in.


 
Posted : 26/04/2018 11:11 pm
Posts: 0
Free Member
 

Jca hits the nail on the head.

If the paper is cross cut shred then crack on....

If the paper is linear shred it is not destroyed....


 
Posted : 27/04/2018 8:01 am
Posts: 0
Free Member
 

Because it’s an awful lot of work as I have a lot of clients so it would be a fair chunk of my time.

And that's where letsencrypt type services can come in. I've got a similar problem with the software I work on as it's a pain for some customers to get a certificate and install it, often requiring hand holding for some who lack IT skills (or an IT department, or managers who are unwilling to use their IT department for some reason).

I'm planning on doing like many apps are now, and offer a simple button for letsencrypt which will use their API to get one, installs it and they're good to go until it needs renewing (they only last 90 days) and then the software can renew it automatically I believe.

Whole idea of letsencrypt (non-profit org) is to make certificates available for the masses at no cost and push the web to HTTPS, which is what Google are pushing by flagging non-HTTP as insecure and ranking them lower in search results.


 
Posted : 27/04/2018 9:02 am
Posts: 506
Full Member
 

As I understand it the underlying premise is evidence, can you explain or demonstrate you have it for a reason and that has to be a good thing.

I've taken a view to document when people sign up to any list for years but then I've also had a view to encourage people to leave the list at every opportunity as what's the point in emailing people that don't want to hear from you?

I would concur with a lot of the comments above that professionals (assuming they are!) are sometimes worth the money and in my case we had advice and legal involved to get fixed up a few months back.

It feels a bit millennium bug but talking to some of the big data processors I know they are already expecting someone to fall foul quite fast, a perceived list of victims already in hand at ICO post May and increased headcount at ICO to get people, fines and income for the government. Yikes.

James


 
Posted : 27/04/2018 9:32 am
Posts: 0
Full Member
 

As I understand it the underlying premise is evidence, can you explain or demonstrate you have it for a reason and that has to be a good thing.

This.

The ICO will use it against you, they'll be on the hunt for some Big Names so they can prove a point of the regulation ..

If they'd hung on for Cambridge Analytica until past the 25th I'm fairly sure they'd have more zest for any convictions.. and media output.


 
Posted : 27/04/2018 9:43 am
Posts: 0
Free Member
 

The ICO will be gunning for known entities on the 26th, the likes of Talk Talk who have a history of poor data protection.

*edit, The ICO is also self funded from the fines they generate, you can guess what that will mean.


 
Posted : 27/04/2018 9:52 am
 Mark
Posts: 4289
Level: Black
 

I'm joining in here as we have a real GDPR quandary here at Singletrack and I think it would be useful to get your take on it. We are looking for legal advice right now for some clarity but here's the crux of the issue for us, and you.

We've always run this forum on the basis that you need to think before you post and that once you have spoken your comments are published and there's no taking them back. Stand by what you say, think before saying it and imagine first that you are saying it to the other person's face. Which is all noble and well intentioned and I know it doesn't always work, but as a guiding principle it's a good one to follow I think. But I'm really worried that all this is going to be put at risk with GDPR due to technicalities in the legislation, classification of personal data and misunderstandings. Like I say, I'm going to run this through some proper legal expertise.

Some of my concerns then.

IP addresses are classed as personal data. As such we will be requested to remove this by users. But we use IP addresses to moderate and this is going to cause moderation to be more difficult.

We use IP lookups to detect if we suspect a user has more than one account. This is necessary in order to police things such as bans. Without this a banned user could simply re-register an account and they have circumvented the ban. I know this is not fool proof but it's one tool we use to help moderate the forum. Taking that away is going to make things harder.

More seriously, we have been contacted on many occasions by legal authorities, i.e. the police, with requests to help them track down a crime. This involves us disclosing IP addresses which they can use to help trace users. We only do this for legal authorities with a genuine reason for doing so. We have it laid down in our site T&Cs. No matter what you think about this one thing it does is attribute a level of accountability to what users post in here. One poor outcome of this is around hate speech and just general nastiness. If you know you can say anything on the forum and then request that your account be closed and all your personal data removed from our servers then anything you've said on the forum will be anonymised, including potentially your username, which is also classed as personal information as far as we can tell. I think that's a bad situation that will not help us in our strive to keep the forum as a good place to visit. I think it will encourage poorer behaviour overall. But there's more..

If we remove your username from your posts then you can effectively say anything you like with zero consequences and no way to be held to account for it, either in the real world or online - be that accountability legal or moral.

I would like to retain usernames and keep them connected to posts as the author so that everyone knows who said what. Usernames are personal info so that's not entirely clear if we can or not. It may be we have a legitimate interest to do so but even if we do I foresee arguments and conflict around users' claims. Our lives are not going to be made easier, that's for sure.

Plus, I want to keep a record of usernames at least in order to protect those users. If we remove usernames from the database and ergo posts by those users are rendered anonymous, without a record of the usernames anyone else can then come along and re-register that username and commence posting with it. I think that will be a very bad outcome for the forum and actually lead to identity issues at large. I would like to keep a record of all used usernames in order to prevent them ever being re-registered in the future, ironically for the benefit of the person who has asked to be removed from our database. Certainly I think that would be best for the community at large too. Again, I'm hoping that under the legitimate interest clause we will be able to do that, but it's not clear.

Next.. It has been suggested that under GDPR a user can not only demand their data be removed from our database but their posts be removed too. That would be a disaster for the forum if that were the case. It's our claim/hope that this would fall under the freedom of speech clause. It's actually why we currently have the shared copyright clause in our terms. ie. you post and we then have a shared right with you over the right to keep it there. If posts were removed it would render threads illegible, ruin the historical archive of the forum and lead to a wild west situation where users would feel free to say anything they like knowing they could just get us to delete it if they wanted to at any point in the future. ie. leading to the exact opposite of what we have always striven to create - a forum that is as respectful and well behaved (as far as possible).

So, I'm concerned about the impact that GDPR is going to have on forums like ours. I am certain it's going to cause us a shitload of extra work after the 25th May no matter what the clarifications are. Do you really want a forum where there is literally no accountability for what any user says? Where identity of users becomes vague?

I don't know yet the full ramifications of how the forum will look after the 25th but my worry is it's going to be complicated and the community of this forum and indeed all forums is going to be changed dramatically, and not necessarily for the better.

Thoughts?


 
Posted : 27/04/2018 10:25 am
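One way to build the retired-username record described in the post above, as an added example that is not Singletrack's code: the table keeps only a keyed hash of each erased username, which is enough to refuse re-registration. The key, the `UserStore` class, the function names and the sample account are all hypothetical or constructed.

```python
import hashlib
import hmac
import unicodedata

# Constructed key for this example only; a real key would live in a secret store.
RESERVATION_KEY = b"constructed-example-key"


def normalise(username):
    """Fold Unicode compatibility forms and case so look-alike spellings collide."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


def reservation_token(username, key=RESERVATION_KEY):
    """Keyed SHA-256 of the normalised name. The name cannot be read back from
    the token; testing a candidate name requires the key."""
    return hmac.new(key, normalise(username).encode("utf-8"), hashlib.sha256).hexdigest()


class UserStore:
    """Hypothetical in-memory stand-in for the forum's user table."""

    def __init__(self):
        self.accounts = {}    # normalised username -> personal data held for the account
        self.retired = set()  # reservation tokens left behind by erased accounts

    def is_available(self, username):
        name = normalise(username)
        return (bool(name)
                and name not in self.accounts
                and reservation_token(username) not in self.retired)

    def register(self, username, email, ip):
        if not self.is_available(username):
            raise ValueError("username unavailable")
        self.accounts[normalise(username)] = {
            "display": username, "email": email, "last_ip": ip,
        }

    def erase(self, username):
        """Drop the account's personal data, leaving only the reservation token."""
        del self.accounts[normalise(username)]  # KeyError if there is no such account
        self.retired.add(reservation_token(username))


def demo():
    store = UserStore()
    # Constructed account: example-only name, reserved-domain email, documentation IP.
    store.register("TrailRider", "rider@example.invalid", "192.0.2.10")
    store.erase("TrailRider")
    return {
        "same_name": store.is_available("TrailRider"),
        "upper_case": store.is_available("TRAILRIDER"),
        "fullwidth": store.is_available("\uff34railRider"),  # fullwidth "T" look-alike
        "other_name": store.is_available("HillClimber"),
        "stored_tokens": sorted(store.retired),
    }


if __name__ == "__main__":
    print(demo())
```

Losing or rotating the key makes every stored token unmatchable, so the key needs the same backup care as the table itself.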
Posts: 0
Free Member
 

I think we’re in agreement Steve – regardless of anything else above, you need a comprehensive register in place – if you have that you’ll always be in a stronger position than without even if the worst happened.

Relying on consent – yes, not ideal but reflects reality for many companies where it’s not going to be realistic (economically) to go back and remove data outside of ‘need’ – as such, they would need to ensure it’s registered and they’re ready to erase/anonymise if a request comes in (or can show why it’s not reasonable to remove it but that the data is still beyond reach).

I agree we are broadly in agreement ...

I think my interpretation though is if you can't realistically and economically minimise it then come up with a reason in the Data Register that if possible isn't consent.

As an example take billing data.

Many/Most companies will need to keep this for 7 years just to conform to legislation.  That is a very obvious legal basis.

However it is arguable that you may need to extend this ... for dealing with customer queries or if legislation changes (such as anti money laundering) ...  take say your electricity bill... it's calculated on consumption but errors can and do occur... and it is used to forecast your next bill.  This falls into automated processing but still.. it's a pretty defendable legitimate interest to keep the units used and costs.

You could of course give customers the chance to opt-in, ultimately with the caveat "we will just guess your next bill" but legislation says they have to forecast and advise clients on saving money and energy.

Of course this may at some point be tested in court.... it's possible that this may be deemed non-legitimate but then at least you need to go back and delete/anonymise everyone's data consistently... if you rely on consent you're then in a position of deleting what bits people decide they want deleting on a customer by customer basis... and if what you are claiming is reasonable then it's not likely the court is going to ask you to specifically be unable to provide a service legislated by the relevant authorities.

At the same time even if the test was you needed to delete the data then your competitors will ALSO have to comply.

IF you leave it to opt-in consent however you're dealing with this on a customer by customer basis ... whereas a competitor may be relying on legitimate interest.

You could argue that if the test case goes with deletion/anonymisation then the company that has consent can still use the data... however it's more likely that by then the data will be some patchwork of inconsistent data according to what individual customers have consented to.

At this point .. if you actually do action on the deletion/anonymisation (and you'd be pretty stupid to pretend) then that data is gone.  Come some over-riding legislation or a test case that it is legitimate you wrecked your billing and forecasting database for no good reason.

Obviously .. I just picked a certain type of data and certain company.... and in some specific contexts consent is the best option.  However the point I'm making is it's not usually the best option so long as you have others.


 
Posted : 27/04/2018 11:09 am
Posts: 0
Free Member
 

Here's an interesting scenario.

Yesterday one of our employees visited a website for office furniture. He did not buy anything and did not enter any details.

This morning our purchasing department get a phone call from this company saying, "we see you visited our website, is there anything we can help you with?"

No consent, no sign up, but the company are able to identify which company visited their site and also identify the correct person to contact by searching LinkedIn and possibly other networks to find a name for a purchasing employee.

They will still be able to do this after 25th, because you visited their site, so there is a reasonable expectation that you will be interested in their goods and services.

Makes you wonder what GDPR will actually change.


 
Posted : 27/04/2018 11:21 am
 Mark
Posts: 4289
Level: Black
 

My inbox will change.


 
Posted : 27/04/2018 11:28 am
Posts: 0
Free Member
 

IP addresses are classed as personal data. As such we will be requested to remove this by users. But we use IP addresses to moderate and this is going to cause moderation to be more difficult.

We use IP lookups to detect if we suspect a user has more than one account. This is necessary in order to police things such as bans. Without this a banned user could simply re-register an account and they have circumvented the ban. I know this is not fool proof but it’s one tool we use to help moderate the forum. Taking that away is going to make things harder.

Those are legitimate interests

More seriously, we have been contacted on many occasions by legal authorities, i.e. the police, with requests to help them track down a crime. This involves us disclosing IP addresses which they can use to help trace users. We only do this for legal authorities with a genuine reason for doing so.

Legal basis ... (or if not legitimate interests)

The rest of this sounds very legitimate... but it's also somewhat complex when it comes to deleting posts for a forum because posts can be quoted etc.

Assuming you don't want to pay a huge amount ..

1/ You can go and check the T&C's of other internet services.

Copy/Paste it all together and then see what "the big boys are doing" as they will have paid for the legal advice.

2/ Come May 25th (you can do it now but you'll need to pay) you can personally (as in being a data subject) then issue a DSAR to said "big boys".  Further you can exert your right to data portability and ask them to supply you with it.

3/ You can also copy what the ICO is doing for itself 😀

(They have to track complaints and such)

Whatever you do though make sure your data register contains this and your reasons.

Make sure your privacy policy is up to date.

In many ways you are in a good position because you have the forum database and can use this to answer DSAR's and you can automate a lot of that.

In most cases you are not meant to limit HOW someone issues a DSAR ... (i.e. phone, mail etc.) but in light of this being a forum that is likely not hugely applicable to you!

Finally, justify your basis for keeping the database of users (document and put in Data Register) and then extend this to allow you to do some sort of case management that includes tracking GDPR requests.  This is obviously legitimate/legal basis because the GDPR states you must be able to do this!  (In a round about way)


 
Posted : 27/04/2018 11:29 am
 Mark
Posts: 4289
Level: Black
 

Thanks Steve..

Very helpful.


 
Posted : 27/04/2018 11:32 am
Posts: 0
Free Member
 

As I understand it the underlying premise is evidence, can you explain or demonstrate you have it for a reason and that has to be a good thing.

I’ve taken a view to document when people sign up to any list for years but then I’ve also had a view to encourage people to leave the list at every opportunity as what’s the point in emailing people that don’t want to hear from you?

A really simple view ... the underlying premise is that personal data is the property of the "data subject"

You can use that data (like a public footpath across private farmland) if you have legitimate interest but you don't OWN it you are just using it.

If you do use it and then SERIOUSLY mis-use it... (using the footpath access to dig some nice table tops and using weedkiller on the farmer's crops to clear vegetation) you're wilfully misusing it and you're going to be screwed... you are causing obvious damage (this is important later)

If you slightly misuse it... like riding across the footpath when it's not being used ... and you have a reasonable reason you're unlikely to be screwed but you may be told not to ride across it again.  Let's say your reason was the alternative was riding along a bypass ...

If you hold my CC numbers, bank details etc. and you misuse these then obviously that is either direct criminal damage or indirect ... and most importantly if you LOSE my bank details in a breach ... you're exposing me to damage.  (Hence you must notify ICO and me ASAP) .. if you lose my name and address.. yeah not great but I'm in a phone book and electoral register etc. and the damage is probably some spam mail.

It feels a bit millennium bug but talking to some of the big data processors I know they are already expecting someone to fall foul quite fast, a perceived list of victims already in hand at ICO post May and increased headcount at ICO to get people, fines and income for the government.

If you read Elizabeth Denham's blog then this really doesn't seem to be the case... (For contrast read the Irish ICO's where some huge internet names are registered)

The ICO will use it against you, they’ll be on the hunt for some Big Names so they can prove a point of the regulation ..

If you believe lack of evidence will protect you then better to fold the company now.

Back to the bikes on the footpath over private land...

If you turn up in court or refuse to turn up even because "The law doesn't apply to me and I don't recognise your authority" you will be given indefinite accommodation at the taxpayer's expense.  Meanwhile you'll be well and truly screwed over.

If however you have an operation on that day .. then you may well get some sympathy... but what will play out badly is just not responding.


 
Posted : 27/04/2018 11:51 am
Posts: 0
Free Member
 

I'm just looking at this again as I'm the membership secretary for a running club. There have been clarifications in the year or so since I last did so. We don't hold much personal information, even before GDPR this was kept to a minimum and I've no reason to increase it. We don't pass the information on to anyone. Even writing a simple privacy statement to this effect for the club website is fraught!

Mark: I think it's reasonable to argue that usernames, IP addresses, etc serve a legitimate interest as you have shown: X posts a hate message then asks for their personal details to be deleted; Y takes offence at the message and decides to pursue it in court. But you've now taken positive steps to protect the hate poster and may well be seen as complicit in it. But just what do you do with the hate message itself? Leave it? Delete it? Replace with a message stating that it broke forum rules?

If you've written something then it's no different to having said it and you can't "un-say" something!


 
Posted : 27/04/2018 11:54 am
Posts: 0
Free Member
 

Mark: I think it’s reasonable to argue that usernames, IP addresses, etc serve a legitimate interest as you have shown: X posts a hate message then asks for their personal details to be deleted; Y takes offence at the message and decides to pursue it in court. But you’ve now taken positive steps to protect the hate poster and may well be seen as complicit in it. But just what do you do with the hate message itself? Leave it? Delete it? Replace with a message stating that it broke forum rules?

Remember this pertains to personal data, i.e. data that identifies an individual. So data subjects cannot make you delete all their forum posts. Not sure about what happens if they post the personal information of another individual though. My guess would be that they are responsible and liable for that posting, not you (so long as it's backed up by your terms and conditions).


 
Posted : 27/04/2018 12:09 pm
 hels
Posts: 971
Free Member
 

I could spend all day working through some of the misapprehensions on here, but I will stick to the big stuff:

The ICO is NOT SELF FUNDED BY FINES.  Fines go back to the Treasury.

Mark - the right to erasure is not absolute - if you have a continuing reason to process personal data that is linked to the purpose for which you collected it you may not have to.  See the ICO guide https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

You do still have to respond and explain this to the person, but you can get out ahead of that with a well written privacy notice, that details the purposes and legal basis for the processing, and some other info it is now a legal requirement to provide.

Requests from the Police for personal data - this was covered under Section 29 of the DPA and will be replicated in the Data Protection Bill (this is the vehicle UK Gov are using for the derogations/exemptions available to member states) which is still moving through the process.

In any case, this allows you to pass information to the Police if you want to.  You don't have to, it is still the decision of the data controller to disclose information to enforcement bodies.

In my personal view - other views are available - you could make an argument that forum posts are not personal data, as you cannot identify an individual from the data.  Unless you know them.  Anyway that's worth considering.


 
Posted : 27/04/2018 2:06 pm
Posts: 13594
Free Member
 

I'd take a look at the Guardian's Comment is Free T&Cs, they'll have spent millions on legal advice with regard to deleting a user's history....


 
Posted : 27/04/2018 3:22 pm
Posts: 0
Free Member
 

I could spend all day working through some of the misapprehensions on here, but I will stick to the big stuff:

The ICO is NOT SELF FUNDED BY FINES.  Fines go back to the Treasury.

I think you're pissing into the wind... people who are claiming that the ICO is funded by fines are going to go round in circular arguments basically ... "well it's the government innit."

In my personal view – other views are available – you could make an argument that forum posts are not personal data, as you cannot identify an individual from the data.  Unless you know them.  Anyway that's worth considering.

It's a view I share ... but there are a couple of complexities.


 
Posted : 27/04/2018 3:56 pm
 poly
Posts: 8802
Free Member
 

Mark - I think it’s much more likely you’ll fall foul of a data breach like the “big hack” than encounter any financial penalty for arguing the points you made (legit interest, etc) and then being found to be wrong.  Your worst case scenario with erasure etc (assuming you behave sensibly, document properly, and respond to requests explaining your reasons) is that the ICO *might* interpret the law differently and write to you demanding you change.  It might seem daft but the lawyers will actually be far better placed to advise you on accepting or fighting a specific demand probably with the benefit of case law / experience than hypothetical problems.  At the moment most lawyers adopt a defensive approach which ignores the practicalities of running your business (most lawyers have never run a business other than a legal practice).


 
Posted : 27/04/2018 6:35 pm
Posts: 10331
Full Member
 

Next.. It has been suggested that under GDPR a user can not only demand their data be removed from our database but their posts be removed too. That would be a disaster for the forum if that were the case

This is one that I'm not so sure about.  I'm not so sure that I like the idea that posts live forever although I understand your problem.  I had a friend that wanted to become a politician (many years ago now) but he, as have most people, had posted stuff in many places on the internet before.  Back then it was easy to close your accounts and the stuff would largely disappear so we persuaded him to clean up his online presence before taking it any further.  What you are saying is that you don't want that to be possible and I think that is partly what the GDPR is meant to address, it should actually be possible to clean up behind you.  When you are 30 you don't want to be held to what you said and thought when you were 20.  The downside of digital is not that it is available, it is that it is so easily available.  I'm not sure what the solution is but I think I prefer that people can delete their history, especially on something like a bike forum.


 
Posted : 27/04/2018 9:17 pm