I think we’re in agreement Steve – regardless of anything else above, you need a comprehensive register in place – if you have that you’ll always be in a stronger position than without even if the worst happened.
Relying on consent – yes, not ideal but reflects reality for many companies where it’s not going to be realistic (economically) to go back and remove data outside of ‘need’ – as such, they would need to ensure it’s registered and they’re ready to erase/anonymise if a request comes in (or can show why it’s not reasonable to remove it but that the data is still beyond reach).
I agree we are broadly in agreement ...
I think my interpretation though is if you can't realistically and economically minimise it then come up with a reason in the Data Register that if possible isn't consent.
As an example take billing data.
Many/Most companies will need to keep this for 7 years just to conform to legislation. That is a very obvious legal basis.
However it is arguable that you may need to extend this ... for dealing with customer queries or if legislation changes (such as anti-money laundering) ... take, say, your electricity bill... it's calculated on consumption but errors can and do occur... and it is used to forecast your next bill. This falls into automated processing but still... it's a pretty defensible legitimate interest to keep the units used and costs.
You could of course give customers the chance to opt in, ultimately with the caveat "we will just guess your next bill", but legislation says they have to forecast and advise clients on saving money and energy.
Of course this may at some point be tested in court.... it's possible that this may be deemed non-legitimate but then at least you need to go back and delete/anonymise everyone's data consistently... if you rely on consent you're then in a position of deleting what bits people decide they want deleting on a customer-by-customer basis... and if what you are claiming is reasonable then it's not likely the court is going to ask you to specifically be unable to provide a service legislated by the relevant authorities.
At the same time even if the test was you needed to delete the data then your competitors will ALSO have to comply.
IF you leave it to opt-in consent however you're dealing with this on a customer-by-customer basis ... whereas a competitor may be relying on legitimate interest.
You could argue that if the test case goes with deletion/anonymisation then the company that has consent can still use the data... however it's more likely that by then the data will be some patchwork of inconsistent data according to what individual customers have consented to.
At this point... if you actually do action the deletion/anonymisation (and you'd be pretty stupid to pretend) then that data is gone. Come some overriding legislation or a test case that it is legitimate, you've wrecked your billing and forecasting database for no good reason.
Obviously... I just picked a certain type of data and certain company.... and in some specific contexts consent is the best option. However the point I'm making is it's not usually the best option so long as you have others.
Here's an interesting scenario.
Yesterday one of our employees visited a website for office furniture. He did not buy anything and did not enter any details.
This morning our purchasing department get a phone call from this company saying, "we see you visited our website, is there anything we can help you with?"
No consent, no sign-up, but the company were able to identify which company visited their site and also identify the correct person to contact by searching LinkedIn and possibly other networks to find a name for a purchasing employee.
They will still be able to do this after 25th, because you visited their site, so there is a reasonable expectation that you will be interested in their goods and services.
Makes you wonder what GDPR will actually change.
My inbox will change.
IP addresses are classed as personal data. As such we will be requested to remove this by users. But we use IP addresses to moderate and this is going to cause moderation to be more difficult.
We use IP lookups to detect if we suspect a user has more than one account. This is necessary in order to police things such as bans. Without this a banned user could simply re-register an account and they have circumvented the ban. I know this is not fool proof but it’s one tool we use to help moderate the forum. Taking that away is going to make things harder.
Those are legitimate interests
More seriously, we have been contacted on many occasions by legal authorities, i.e. the police, with requests to help them track down a crime. This involves us disclosing IP addresses which they can use to help trace users. We only do this for legal authorities with a genuine reason for doing so.
Legal basis ... (or if not legitimate interests)
The rest of this sounds very legitimate... but it's also somewhat complex when it comes to deleting posts for a forum because posts can be quoted etc.
Assuming you don't want to pay a huge amount ..
1/ You can go and check the T&Cs of other internet services.
Copy/Paste it all together and then see what "the big boys are doing" as they will have paid for the legal advice.
2/ Come May 25th (you can do it now but you'll need to pay) you can personally (as in being a data subject) then issue a DSAR to said "big boys". Further you can exert your right to data portability and ask them to supply you with it.
3/ You can also copy what the ICO is doing for itself 😀
(They have to track complaints and such)
Whatever you do though make sure your data register contains this and your reasons.
Make sure your privacy policy is up to date.
In many ways you are in a good position because you have the forum database and can use this to answer DSARs and you can automate a lot of that.
In most cases you are not meant to limit HOW someone issues a DSAR ... (i.e. phone, mail etc.) but in light of this being a forum that is likely not hugely applicable to you!
Finally, justify your basis for keeping the database of users (document and put in Data Register) and then extend this to allow you to do some sort of case management that includes tracking GDPR requests. This is obviously legitimate/legal basis because the GDPR states you must be able to do this! (In a round about way)
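The automation Steve describes above (answering a subject access request from the forum database, handling an erasure request without destroying the thread history, and logging every request so the register has evidence) can be sketched in a few dozen lines. The script below is an added example, not the forum's own code: the schema, the sample rows, the `[quote=username]` markup and the `deleted-user-N` pseudonym are all constructed assumptions. The `retain_ip_logs` switch models the position argued in this thread that IP records are kept for moderation under legitimate interest; whether that holds for a given forum is the operator's decision, not something the code decides.

```python
"""Added example: DSAR export and erasure against a constructed toy forum schema."""
import json
import re
import sqlite3
from datetime import datetime, timezone

# Constructed schema (assumption): a cut-down forum database, not any real forum's.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT,
                       signup_ip TEXT, created TEXT);
CREATE TABLE posts    (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT, posted TEXT);
CREATE TABLE logins   (id INTEGER PRIMARY KEY, user_id INTEGER, ip TEXT, at TEXT);
-- case management: every data-subject request is recorded as evidence
CREATE TABLE requests (id INTEGER PRIMARY KEY, user_id INTEGER, kind TEXT,
                       received TEXT, completed TEXT, note TEXT);
"""


def build_sample_db():
    """In-memory database with constructed sample rows (not real member data)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "mark", "mark@example.org", "203.0.113.7", "2016-03-01"),
        (2, "steve", "steve@example.org", "198.51.100.9", "2016-04-12"),
    ])
    conn.executemany("INSERT INTO posts VALUES (?,?,?,?)", [
        (10, 1, "Which wheelset for winter?", "2017-11-02"),
        (11, 2, "[quote=mark]Which wheelset for winter?[/quote] Anything with sealed bearings.",
         "2017-11-02"),
        (12, 1, "Thanks, sorted.", "2017-11-03"),
    ])
    conn.executemany("INSERT INTO logins VALUES (?,?,?,?)", [
        (100, 1, "203.0.113.7", "2018-05-01T08:00:00"),
        (101, 1, "203.0.113.8", "2018-05-02T08:00:00"),
        (102, 2, "198.51.100.9", "2018-05-02T09:00:00"),
    ])
    conn.commit()
    return conn


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _log_request(conn, user_id, kind, note):
    conn.execute("INSERT INTO requests(user_id, kind, received, completed, note) "
                 "VALUES (?,?,?,?,?)", (user_id, kind, _now(), _now(), note))


def export_subject_data(conn, user_id):
    """Subject access request: everything the forum holds against one account."""
    user = conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchone()
    if user is None:
        raise LookupError(f"no user with id {user_id}")
    export = {
        "account": dict(user),
        "posts": [dict(r) for r in conn.execute(
            "SELECT id, body, posted FROM posts WHERE user_id=? ORDER BY id", (user_id,))],
        "login_ips": [dict(r) for r in conn.execute(
            "SELECT ip, at FROM logins WHERE user_id=? ORDER BY id", (user_id,))],
        "requests": [dict(r) for r in conn.execute(
            "SELECT kind, received, completed, note FROM requests WHERE user_id=?", (user_id,))],
    }
    _log_request(conn, user_id, "access", "export generated from forum database")
    conn.commit()
    return export


def erase_user(conn, user_id, retain_ip_logs=True):
    """Erasure request: strip the identifiers, keep the posts under a pseudonym.

    retain_ip_logs=True keeps the login IP history (the moderation argument made in
    the thread); pass False to delete it as part of the erasure.
    """
    row = conn.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()
    if row is None:
        raise LookupError(f"no user with id {user_id}")
    old_name, pseudonym = row["username"], f"deleted-user-{user_id}"
    conn.execute("UPDATE users SET username=?, email=NULL, signup_ip=NULL WHERE id=?",
                 (pseudonym, user_id))
    # Other members' posts that quote this user still name them in the quote tag,
    # which is the "posts can be quoted" complication; rewrite those attributions too.
    quote_tag = re.compile(r"\[quote=" + re.escape(old_name) + r"\]")
    quoting = conn.execute("SELECT id, body FROM posts WHERE body LIKE ?",
                           (f"%[quote={old_name}]%",)).fetchall()
    for post in quoting:
        conn.execute("UPDATE posts SET body=? WHERE id=?",
                     (quote_tag.sub(f"[quote={pseudonym}]", post["body"]), post["id"]))
    if not retain_ip_logs:
        conn.execute("DELETE FROM logins WHERE user_id=?", (user_id,))
    _log_request(conn, user_id, "erasure",
                 "account pseudonymised; posts retained; IP logs "
                 + ("retained" if retain_ip_logs else "deleted"))
    conn.commit()
    return pseudonym


if __name__ == "__main__":
    db = build_sample_db()
    print(json.dumps(export_subject_data(db, 1), indent=2))
    print("erased as", erase_user(db, 1))
```

The `requests` table is the case-management piece: the export and the erasure each leave a dated row, so a later "show us how you handled request X" has an answer. The quote rewrite only covers the one markup form assumed here; a real forum would need to handle however its own software records quotes and mentions.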
Thanks Steve.
Very helpful.
As I understand it the underlying premise is evidence, can you explain or demonstrate you have it for a reason and that has to be a good thing.
I’ve taken a view to document when people sign up to any list for years, but then I’ve also had a view to encourage people to leave the list at every opportunity, as what's the point in emailing people that don’t want to hear from you?
A really simple view ... the underlying premise is that personal data is the property of the "data subject"
You can use that data (like a public footpath across private farmland) if you have legitimate interest but you don't OWN it you are just using it.
If you do use it and then SERIOUSLY misuse it... (using the footpath access to dig some nice table tops and using weedkiller on the farmer's crops to clear vegetation) you're wilfully misusing it and you're going to be screwed... you are causing obvious damage (this is important later).
If you slightly misuse it... like riding across the footpath when it's not being used ... and you have a reasonable reason, you're unlikely to be screwed but you may be told not to ride across it again. Let's say your reason was the alternative was riding along a bypass ...
If you hold my CC numbers, bank details etc. and you misuse these then obviously that is either direct criminal damage or indirect ... and most importantly if you LOSE my bank details in a breach ... you're exposing me to damage. (Hence you must notify the ICO and me ASAP.) If you lose my name and address... yeah, not great, but I'm in a phone book and electoral register etc. and the damage is probably some spam mail.
It feels a bit millennium bug but talking to some of the big data processors I know they are already expecting someone to fall foul quite fast, a perceived list of victims already in hand at ICO post May and increased headcount at ICO to get people, fines and income for the government.
If you read Elizabeth Denham's blog then this really doesn't seem to be the case... (For contrast read the Irish ICO's where some huge internet names are registered)
The ICO will use it against you, they’ll be on the hunt for some Big Names so they can prove a point of the regulation ..
If you believe lack of evidence will protect you then better to fold the company now.
Back to the bikes on the footpath over private land...
If you turn up in court or refuse to turn up even because "The law doesn't apply to me and I don't recognise your authority" you will be given indefinite accommodation at the tax payers expense. Meanwhile you'll be well and truly screwed over.
If however you have an operation on that day .. then you may well get some sympathy... but what will play out badly is just not responding.
I'm just looking at this again as I'm the membership secretary for a running club. There have been clarifications in the year or so since I last did so. We don't hold much personal information, even before GDPR this was kept to a minimum and I've no reason to increase it. We don't pass the information on to anyone. Even writing a simple privacy statement to this effect for the club website is fraught!
Mark: I think it's reasonable to argue that usernames, IP addresses, etc serve a legitimate interest as you have shown: X posts a hate message then asks for their personal details to be deleted; Y takes offence at the message and decides to pursue it in court. But you've now taken positive steps to protect the hate poster and may well be seen as complicit in it. But just what do you do with the hate message itself? Leave it? Delete it? Replace with a message stating that it broke forum rules?
If you've written something then it's no different to having said it and you can't "un-say" something!
Mark: I think it’s reasonable to argue that usernames, IP addresses, etc serve a legitimate interest as you have shown: X posts a hate message then asks for their personal details to be deleted; Y takes offence at the message and decides to pursue it in court. But you’ve now taken positive steps to protect the hate poster and may well be seen as complicit in it. But just what do you do with the hate message itself? Leave it? Delete it? Replace with a message stating that it broke forum rules?
Remember this pertains to personal data, i.e. data that identifies an individual. So data subjects cannot make you delete all their forum posts. Not sure about what happens if they post the personal information of another individual though. My guess would be that they are responsible and liable for that posting, not you (so long as it's backed up by your terms and conditions).
I could spend all day working through some of the misapprehensions on here, but I will stick to the big stuff:
The ICO is NOT SELF FUNDED BY FINES. Fines go back to the Treasury.
Mark - the right to erasure is not absolute - if you have a continuing reason to process personal data that is linked to the purpose for which you collected it you may not have to. See the ICO guide https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
You do still have to respond and explain this to the person, but you can get out ahead of that with a well-written privacy notice that details the purposes and legal basis for the processing, and some other info it is now a legal requirement to provide.
Requests from the Police for personal data - this was covered under Section 29 of the DPA and will be replicated in the Data Protection Bill (this is the vehicle UK Gov are using for the derogations/exemptions available to member states) which is still moving through the process.
In any case, this allows you to pass information to the Police if you want to. You don't have to, it is still the decision of the data controller to disclose information to enforcement bodies.
In my personal view - other views are available - you could make an argument that forum posts are not personal data, as you cannot identify an individual from the data. Unless you know them. Anyway, that's worth considering.
I'd take a look at the Guardian's Comment is Free T&Cs, they'll have spent millions on legal advice with regard to deleting a user's history....
I could spend all day working through some of the misapprehensions on here, but I will stick to the big stuff:
The ICO is NOT SELF FUNDED BY FINES. Fines go back to the Treasury.
I think you're pissing into the wind... people who are claiming that the ICO is funded by fines are going to go round in circular arguments, basically ... "well it's the government, innit."
In my personal view – other views are available – you could make an argument that forum posts are not personal data, as you cannot identify an individual from the data. Unless you know them. Anyway, that's worth considering.
It's a view I share ... but there are a couple of complexities.
Mark - I think it’s much more likely you’ll fall foul of a data breach like the “big hack” than encounter any financial penalty for arguing the points you made (legit interest, etc) and then being found to be wrong. Your worst case scenario with erasure etc (assuming you behave sensibly, document properly, and respond to requests explaining your reasons) is that the ICO *might* interpret the law differently and write to you demanding you change. It might seem daft but the lawyers will actually be far better placed to advise you on accepting or fighting a specific demand probably with the benefit of case law / experience than hypothetical problems. At the moment most lawyers adopt a defensive approach which ignores the practicalities of running your business (most lawyers have never run a business other than a legal practice).
Next.. It has been suggested that under GDPR a user can not only demand their data be removed from our database but their posts be removed too. That would be a disaster for the forum if that were the case
This is one that I'm not so sure about. I'm not so sure that I like the idea that posts live forever, although I understand your problem. I had a friend that wanted to become a politician (many years ago now) but he, as have most people, had posted stuff in many places on the internet before. Back then it was easy to close your accounts and the stuff would largely disappear, so we persuaded him to clean up his online presence before taking it any further. What you are saying is that you don't want that to be possible, and I think that is partly what the GDPR is meant to address: it should actually be possible to clean up behind you. When you are 30 you don't want to be held to what you said and thought when you were 20. The downside of digital is not that it is available, it is that it is so easily available. I'm not sure what the solution is but I think I prefer that people can delete their history, especially on something like a bike forum.