
GDPR

Stands for General Data Protection Regulation.

It is being introduced this May after a 2 year introduction period by the EU for any company, anywhere, wanting to trade with any EU country. If you are not GDPR Certified then you won't be able to do 'business' within the EU.

Anyone got certification?/knowledge/any idea?


Comments

  • WSS
    WSS Posts: 25,070
    edited January 2018
    You don’t need to be “certified”, just comply with the rules in your processes. They are just a basis of rules around consent to store, process and use personal details, send communications etc.

    In the UK it’s a more robust form of the data protection act and the fines are huge if the ICO follow through with their threats.

    Nobody really knows the impact at the moment it seems. There’s loads of people and firms who are trying to sell consultancy. Jump on the ICO site and look at their checklists and guidelines for the foundations.

    Consent is the big thing though. You need explicit consent from anyone on databases etc to use their personal info (email, phone number anything). This includes existing “customers” - everyone should be now getting the consent to carry on “business as usual”. Opting out also needs to be as giving consent. All those annoying tick boxes and ambiguous statements on web pages should be a thing of the past.
  • Swisdom
    Swisdom Posts: 14,977
    My hr lady is doing a lot of reading up on this. The fines are pretty frightening and I’m too pretty for prison
  • WSS
    WSS Posts: 25,070
    The headline fines are for ultimate data breaches though. Like what happened with TalkTalk recently etc. They’re not going to put a company out of business because of a couple of unsolicited emails.
  • Dizzle
    Dizzle Posts: 5,190
    My work is all over this and throwing out fine amounts to try and scare us. I’ll wait for someone to summarise things for me
  • MarkyE83
    MarkyE83 Posts: 210
    At the moment there is still a lot for interpretation. Keep an eye on the ICO website for updates and clarification. Sending an unsolicited marketing email is technically a breach of one of the principles but it will not be the same as the loss of a database of health records or something detailing sexual or religious preferences. Fines will be proportional. I think a lot of leeway will be given in the initial stages of the roll out. Technically in the rules anyone in the EU can submit a ‘subject access request’ to any company they believe holds personal data on them, you could cripple a company by doing a ‘subject access request’ denial of service.

    GDPR is a good thing. It’s a lot of work for companies but to get an idea of what personal data companies have on you, submit a subject access request to an online dating site. You’ll be shocked what can be ascertained from swiping left and right.
  • bobmunro
    bobmunro Posts: 20,842
    As you would suspect, we handle a vast amount of personal data and we have set up a separate department just to deal with GDPR. If you control significant amounts of personal data then starting now is just not too late.
  • Stands for General Data Protection Regulation.

    It is being introduced this May after a 2 year introduction period by the EU for any company, anywhere, wanting to trade with any EU country. If you are not GDPR Certified then you won't be able to do 'business' within the EU.

    Anyone got certification?/knowledge/any idea?

    Yes I have been working on this for a year amongst other things. Our data protection regulator is the ICO. Their website has lots of good resources including stuff for small businesses.

    It's essentially a EU harmonisation of data protection regs which will see an enhancement of our dpa98 legislation.
  • WSS
    WSS Posts: 25,070
    And yes, we’re still bound to it after Brexit....
  • What is Charlton Life Towers doing to protect us ?
  • WSS said:

    And yes, we’re still bound to it after Brexit....

    Yep entrenched in UK legislation.
  • cabbles
    cabbles Posts: 15,254

    What is Charlton Life Towers doing to protect us ?

    As part of his apprenticeship, @i_b_b_o_r_g is looking into it
  • Important to note it's employees' personal data equally important as customers. ICO website best place to start for a concise summary.

    If you navigated the Bitcoin thread you'll find that a piece of piss. :-)
  • cabbles said:

    What is Charlton Life Towers doing to protect us ?

    As part of his apprenticeship, @i_b_b_o_r_g is looking into it
    Oh.
  • cafcpolo
    cafcpolo Posts: 3,811
    Is a ball ache for the firm I'm consulting at as although their business is in Asia, they hold data for EU citizens which means they must be compliant.

    Fine usually, except the working practices around data protection out there are shocking. Plenty of fun and games to be had over the next four months.
  • Leroy Ambrose
    Leroy Ambrose Posts: 14,436
    Another scam, like most of y2k was. Just a way for hustlers and lawyers to make piles of cash out of you. Won't make a blind bit of difference, other than a few token wrist slaps - data breaches will still go unreported. Most of the dire warnings are being put out by people who have a vested interest in rinsing you for cash.
  • RodneyCharltonTrotta
    RodneyCharltonTrotta Posts: 14,827
    edited January 2018
    MarkyE83 said:

    At the moment there is still a lot for interpretation. Keep an eye on the ICO website for updates and clarification. Sending an unsolicited marketing email is technically a breach of one of the principles but it will not be the same as the loss of a database of health records or something detailing sexual or religious preferences. Fines will be proportional. I think a lot of leeway will be given in the initial stages of the roll out. Technically in the rules anyone in the EU can submit a ‘subject access request’ to any company they believe holds personal data on them, you could cripple a company by doing a ‘subject access request’ denial of service.

    GDPR is a good thing. It’s a lot of work for companies but to get an idea of what personal data companies have on you, submit a subject access request to an online dating site. You’ll be shocked what can be ascertained from swiping left and right.

    What, like a Belgian semi conductor firm for example? :-)


    Was actually discussing with a colleague today about how long before the parking fine firms, train companies and councils are inundated from disgruntled customers with SARs.

    There's speculation that the parasite claims management companies will focus on this once the PPI redress cash cow they've milked for a decade closes in 2019.

    What a world.
  • rananegra
    rananegra Posts: 3,689
    Had a briefing from our Information Officer on this last week which was quite good. He's been doing it for a while and basically likes the ICO and assured us that the big headline fines (up to £17M!) are for firms who are making no effort at all. Anyone following the guidance should be OK and most importantly the big change is that the onus is now on the firm to report if there is a data breach. If you do that and work with the ICO, fines will be small (or may not even happen).
    We sometimes have minor breaches where I work (I sent an unsecured email myself a while back which I reported). These are only a problem if you are in denial about them or don't do anything about them.
    And the last thing he told us was that anyone advertising themselves as an expert in this field is pulling a fast one, because it is going to be worked out via cases and so the detail isn't there yet.
  • MrOneLung
    MrOneLung Posts: 26,846
    edited January 2018
    Does this mean the PPI guys can’t phone you - only if they have your explicit permission?
  • Weegie Addick
    Weegie Addick Posts: 16,521
    It is not all about consent. That is one of six lawful reasons for processing data. Others include fulfilment of a contract and "legitimate interest" which can include communicating with your customers via direct marketing.

    As usual, a lot of stuff and nonsense and people trying to make money out of fear and ignorance.
  • Weegie Addick
    Weegie Addick Posts: 16,521
    MrOneLung said:

    Does this mean the PPI guys can’t phone you only they have your explicit permission?

    They never should have been able to if you are TPS registered. But they still do. Just ask them where they got your number from and what their company registration number is. I bet they hang up.
  • Reckon I get 2/3 emails a week on this from accountants for presentations they are running. Fortunately no relevance to me so all ends up in junk!
  • kimbo
    kimbo Posts: 2,996
    We are working on this in my charity.
    I have a specific question which I am getting different answers to. It’s about geographical scope. We have a legal branch in Vietnam; would they have to adhere to GDPR or is it just for EU data? We will of course roll out best practice throughout the organisation.

    I think it’s a Y2K too
  • WSS
    WSS Posts: 25,070
    kimbo said:

    We are working on this in my charity.
    I have a specific question which I am getting different answers to. It’s about geographical scope. We have a legal branch in Vietnam; would they have to adhere to GDPR or is it just for EU data? We will of course roll out best practice throughout the organisation.

    I think it’s a Y2K too

    We’re in the same boat. Here’s a starter for 10:

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/?q=children
  • Dazzler21
    Dazzler21 Posts: 51,344
    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!
  • WSS
    WSS Posts: 25,070
    edited January 2018
    Dazzler21 said:

    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!

    I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.

    Come May 25th the directive is enforceable.

  • Charlton and on
    Charlton and on Posts: 961
    edited January 2018
    WSS said:

    Dazzler21 said:

    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!

    I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.

    Come May 25th the act is enforceable.

    This is true.

    Also, in reference to your only post, you can use personal data without express permission if your company has a "legitimate interest". How "legitimate interest" is defined is another matter.
  • The_President
    The_President Posts: 14,280
    WSS said:

    Dazzler21 said:

    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!

    I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.

    Come May 25th the directive is enforceable.

    That's my understanding too.
  • Doing a bit of work on this at the moment as I'm an Underwriter and our Policy Wording is likely to restrict coverage for Employers in relation to GDPR (as I am sure will many others)

    No doubt that you will still be able to get the cover for it as an employer but you will have to pay for it (just what small businesses need at the moment)
  • WSS
    WSS Posts: 25,070

    WSS said:

    Dazzler21 said:

    Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.

    I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!

    I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.

    Come May 25th the act is enforceable.

    This is true.

    Also, in reference to your only post, you can use personal data without express permission if your company has a "legitimate interest". How "legitimate interest" is defined is another matter.
    Agreed, then the question comes about how you acquired that personal data in the first place.

    I think the ease of withdrawing consent is a big one and the one 'customers' will benefit from (if enforced properly). For example, take Charlton's emails they send out - you have to jump through hoops to stop them sending them to you, I've tried it. Sure it's all in hand though...
  • WSS
    WSS Posts: 25,070
    Also, if you're an employee (or anyone else) and think that your boss or any other staff member have been slagging you off etc. behind your back you have the right to ask for all the information that relates to you. This can be emails that include your name (not necessarily sent to you), any instant messages that include your name etc. Could open it up for a few tribunals...