Attention: Please take a moment to consider our terms and conditions before posting.

GDPR

Stands for General Data Protection Regulation.

It is being introduced this May after a 2 year introduction period by the EU for any company,anywhere wanting to trade with any EU country. If you are not GDPR Certified then you wont be able to do 'business' within the EU.

Anyone got certification?/knowledge/any idea?

«1

Comments

  • The headline fines are for ultimate data breaches though. Like what happened with TalkTalk recently etc. They’re not going to put a company out of business because of a couple of unsolicited emails.
  • My work is all over this and throwing out fine amounts to try and scare us. I’ll wait for someone to summarise things for me
  • At the moment there is still a lot for interpretation. Keep an eye on the ICO website for updates and clarification. Sending an unsolicited marketing email is technically a breach of one of the principles but it will not be the same as the loss of a database of health records or something detailing sexual or religious preferences. Fines will be proportional. I think a lot of leeway will be given in the initial stages of the roll out. Technically in the rules anyone in the EU can submit a ‘subject access request’ to any company they believe holds personal data on them, you could cripple a company by doing a ‘subject access request’ denial of service.

    GDPR is a good thing. It’s a lot of work for companies but to get an idea of what personal data companies have on you, submit a subject access request to a online dating site. You’ll be shocked what can be assertained from swiping left and right.
  • As you would suspect, we handle a vast amount of personal data and we have set up a separate department just to deal with GDPR. If you control significant amounts of personal data then starting now is just not too late.
  • Stands for General Data Protection Regulation.

    It is being introduced this May after a 2 year introduction period by the EU for any company,anywhere wanting to trade with any EU country. If you are not GDPR Certified then you wont be able to do 'business' within the EU.

    Anyone got certification?/knowledge/any idea?

    Yes I have been working on this for a year amongst other things. Our data protection regulator is the ICO. Their website has lots of good resources including stuff for small businesses.

    It's essentially a EU harmonisation of data protection regs which will see an enhancement of our dpa98 legislation.
  • Any yes, we’re still bound to it after Brexit....
  • What is Charlton Life Towers doing to protect us ?
  • WSS said:

    Any yes, we’re still bound to it after Brexit....

    Yep entrenched in UK legislation.
  • Sponsored links:


  • Important to note it's employees' personal data equally important as customers. ICO website best place to start for a concise summary.

    If you navigated the Bitcoin thread you'll find that a piece of piss. :-)
  • cabbles said:

    What is Charlton Life Towers doing to protect us ?

    As part of his apprenticeship, @i_b_b_o_r_g is looking into it
    Oh.
  • Is a ball ache for the firm I'm consulting at as although their business is in Asia, they hold data for EU citizens which means they must be compliant.

    Fine usually, except the working practices around data protection out there are shocking. Plenty of fun and games to be had over the next four months.
  • edited January 24
    MarkyE83 said:

    At the moment there is still a lot for interpretation. Keep an eye on the ICO website for updates and clarification. Sending an unsolicited marketing email is technically a breach of one of the principles but it will not be the same as the loss of a database of health records or something detailing sexual or religious preferences. Fines will be proportional. I think a lot of leeway will be given in the initial stages of the roll out. Technically in the rules anyone in the EU can submit a ‘subject access request’ to any company they believe holds personal data on them, you could cripple a company by doing a ‘subject access request’ denial of service.

    GDPR is a good thing. It’s a lot of work for companies but to get an idea of what personal data companies have on you, submit a subject access request to a online dating site. You’ll be shocked what can be assertained from swiping left and right.

    What, like a Belgian semi conductor firm for example? :-)


    Was actually discussing with a colleague today about how long before the parking fine firms, train companies and councils are inundated from disgruntled customers with SARs.

    There's speculation that the parasite claims management companies will focus on this once the PPI redress cash cow they've milked for a decade closes in 2019.

    What a world.
  • Had a briefing from our Information Officer on this last week which was quite good. He's been doing it for a while and basically likes the ICO and assured us that the big headline fines (up to £17M!) are for firms who are making no effort at all. Anyone following the guidance should be OK and most importantly the big change is that the onus is now on the firm to report if there is a data breach. If you do that and work with the ICO, fines will be small (or may not even happen).
    We sometimes have minor breaches where I work (I sent an unsecured email myself a while back which I reported). These are only a problem if you are in denial about them or don't do anything about them.
    And the last thing he told us was that anyone advertising themselves as an expert in this field is pulling a fast one, because it is going to be worked out via cases and so the detail isn't there yet.
  • edited January 25
    Does this mean the PPI guys can’t phone you - only if they have your explicit permission?
  • It is not all about consent. That is one of six lawful reasons for processing data. Others include fulfilment of a contract and "legitimate interest" which can include communicating with your customers via direct marketing.

    As usual, a lot of stuff and nonsense and people trying to make money out of fear and ignorance.
  • MrOneLung said:

    Does this mean the PPI guys can’t phone you only they have your explicit permission?

    They never should have been able to if you are TPS registered. But they still do. Just ask them where they got your number from and what their company registration number is. I bet they hang up.
  • Sponsored links:


  • Reckon I get 2/3 emails a week on this from accountants for presentations they are running. Fortunately no relevance to me so all ends up in junk!
  • We are working on this in my charity.
    I have a specific question which I am getting different answers It’s about geographical scope. We have a legal branch in Vietnam would they have to adher to GDPR or is it just for EU data. We will of course roll out best practice throughout the organisation.

    I think it’s a Y2K too
  • kimbo said:

    We are working on this in my charity.
    I have a specific question which I am getting different answers It’s about geographical scope. We have a legal branch in Vietnam would they have to adher to GDPR or is it just for EU data. We will of course roll out best practice throughout the organisation.

    I think it’s a Y2K too

    We’re in the same boat. Here’s a starter for 10:

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/?q=children
  • Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    It am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!
  • WSSWSS
    edited January 25
    Dazzler21 said:

    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    It am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!

    I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.

    Come May 25th the directive is enforceable.

  • edited January 25
    WSS said:

    Dazzler21 said:

    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    It am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!

    I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.

    Come May 25th the act is enforceable.

    This is true.

    Also, in reference to your only post, you can use personal data without express permission if your company has a "legitimate interest". How "legitimate interest" is defined is another matter.
  • WSS said:

    Dazzler21 said:

    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    It am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!

    I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.

    Come May 25th the directive is enforceable.

    thats my understanding too.
  • Doing a bit of work on this at the moment as I'm an Underwriter and our Policy Wording is likely to restrict coverage for Employers in relation to GDPR (as I am sure will many others)

    No doubt that you will still be able to get the cover for it as an employer but you will have to pay for it (just what small businesses need at the moment)
  • WSS said:

    Dazzler21 said:

    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    It am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!

    I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.

    Come May 25th the act is enforceable.

    This is true.

    Also, in reference to your only post, you can use personal data without express permission if your company has a "legitimate interest". How "legitimate interest" is defined is another matter.
    Agreed, then the question comes about you acquired that personal data in the first place.

    I think the ease of withdrawing consent is a big one and the one 'customers' will benefit from (if enforced properly). For example, take Charlton's emails they send out - you have to jump through hoops to stop them sending them to you, I've tried it. Sure it's all in hand though...
  • Also, if you're an employee (or anyone else) and think that your boss or any other staff member have been slagging you off etc. behind your back you have the right to ask for all the information that relates to you. This can be emails that include your name (not necessarily sent to you), any instant messages that include your name etc. Could open it up for a few tribunals...
Sign In or Register to comment.

Roland Out!