Load of old pony. It's designed to stop shithouses like TalkTalk from being hacked through their own stupidity then not telling you about it. Not to prevent companies from bombarding you with marketing email that you've stupidly opted into by using their 'free' WiFi or sending off for a 10% discount coupon in something
A LOT of shysters out there making huge sums of money off the back of this, and the ICO couldn't organise a piss up in a brewery. There's no chance that any company with even a rudimentary data protection policy will get stamped on
My Mrs is a wedding hair and make-up artist here in France and I run her website through Squarespace (Highly recommended!), they say that they have it all covered, although I think I need to put in some banners for cookies etc., but a friend of her's, a florist, has uploaded some photos from a wedding she worked on last Saturday and has blurred out everyone's faces. |In a word, is this necessary?
I mentioned similar in the thead re: my photography business. Pre-GDPR, the photographer could reasonably presume that any photograph could be used for portfolio/publicity etc and the model release form would give them an option to 'opt out' but now the standard is they are opted out so now they have to 'opt in'. Thus the blacked out faces.
Did you get advice on that? I really don’t think it’s that clear cut. Consent is only one of the pillars that so many people seem to be getting caught up in.
Unless you’re putting peoples’ name alongside their face so that you can easily identify an individual I’d suggest you had legitimate interest to use their image.
Problem is at the moment nobody really knows across all sectors.
that's the guidance given by the photographer's guild, the trade association
I think they're playing it safe. I only say that because the ICO don't offer sector specific advice so associations and trade bodies are doing a lot of interpretation themselves. I'd expect the line they are offering now will shift to being more relaxed over the coming months.
My current company has paid a very large consulting firm a lot of money to help them with GDPR.
And they still dont get it. The advice this consulting company have given is junk.
They have sent them this email to send out to their entire database:
Dear Data Subject
The new EU regulation, GDPR comes into effect on 25th May 2018 and we wish to notify you that we consider your privacy seriously at XXXX and we hold your following record/information with us:
a. Information being held (for e.g. Name, Business Contact, Tax Number, Bank Details etc.) b. Purpose of holding this information c. The aforementioned data is also being transferred to the following recipients […] only for the purposes of […].(if applicable) d. Duration for which this information is being retained
Action required from your end
Please reply to this email or send an email to abc@XXX.com with the complete text (para i, ii, iii, iv and v)
i. I hereby give consent that [XXXX] ([address]) processes the following personal data: (for e.g. Name, Business Contact, Tax Number, Bank Details etc.) for the purposes of (for e.g. Payroll, Payments, Marketing communication, meeting regulatory obligation etc]. ii. The aforementioned data may be transferred to the following recipients [for e.g. Statutory body, bank, vendor, service provider] only for the purposes of […]. iii. I acknowledge that in countries, which are not EU Member states, the level of data protection can be lower than the level of data protection within the EU. iv. I can withdraw my consent (or update the information) at any time in writing by sending an e-mail to [abc@XXXX.com] v. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal
Note: Please feel free to highlight if you do not want XXXXX to hold any of your personal data. We will perform the necessary action accordingly.
It's a shame because I grew up on the LA Times and my dad and grandad grew up on the Trib. And The Baltimore Sun has done some excellent investigative journalism down the years. But certainly for the former two no one would claim they are what they once were. Trunc, which is maybe the worst name I can think of, sounds like a shit Ibiza DJ, have just slashed costs and layed people off and from what I can tell they're not complying with this because they don't want to spend money. They're awful.
I really appreciate the insight you all have provided. I've spent the last 6-7 years working pretty much exclusively with US Government systems, clinical Healthcare systems, or a combination thereof so everything covered under GDPR feels baseline to me (sorry I don't mean that to sound patronizing, it's just all the major stuff has to be baked in to systems I've dealt with). I'm wondering what specific problems some of you are seeing, and what kinds of changes/updates/migrations you're having to do?
Had a quick read up on various sites and the main consensus seems to be there ain't nothing to worry about...
There ain't. So long as you have some evidence that you have at least acquainted yourself with your duties and made a reasonable effort to ensure you are carrying them out. That's direct from the mouth of the Commissioner on the radio this morning.
Exactly what I have been told from a very good legal source.
Comments
A LOT of shysters out there making huge sums of money off the back of this, and the ICO couldn't organise a piss up in a brewery. There's no chance that any company with even a rudimentary data protection policy will get stamped on
And they still dont get it. The advice this consulting company have given is junk.
They have sent them this email to send out to their entire database:
Dear Data Subject
The new EU regulation, GDPR comes into effect on 25th May 2018 and we wish to notify you that we consider your privacy seriously at XXXX and we hold your following record/information with us:
a. Information being held (for e.g. Name, Business Contact, Tax Number, Bank Details etc.)
b. Purpose of holding this information
c. The aforementioned data is also being transferred to the following recipients […] only for the purposes of […].(if applicable)
d. Duration for which this information is being retained
Action required from your end
Please reply to this email or send an email to abc@XXX.com with the complete text (para i, ii, iii, iv and v)
i. I hereby give consent that [XXXX] ([address]) processes the following personal data: (for e.g. Name, Business Contact, Tax Number, Bank Details etc.) for the purposes of (for e.g. Payroll, Payments, Marketing communication, meeting regulatory obligation etc].
ii. The aforementioned data may be transferred to the following recipients [for e.g. Statutory body, bank, vendor, service provider] only for the purposes of […].
iii. I acknowledge that in countries, which are not EU Member states, the level of data protection can be lower than the level of data protection within the EU.
iv. I can withdraw my consent (or update the information) at any time in writing by sending an e-mail to [abc@XXXX.com]
v. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal
Note: Please feel free to highlight if you do not want XXXXX to hold any of your personal data. We will perform the necessary action accordingly.
https://writershq.co.uk/privacy-policy/
https://www.theguardian.com/technology/2018/may/25/gdpr-us-based-news-websites-eu-internet-users-la-times
I really appreciate the insight you all have provided. I've spent the last 6-7 years working pretty much exclusively with US Government systems, clinical Healthcare systems, or a combination thereof so everything covered under GDPR feels baseline to me (sorry I don't mean that to sound patronizing, it's just all the major stuff has to be baked in to systems I've dealt with). I'm wondering what specific problems some of you are seeing, and what kinds of changes/updates/migrations you're having to do?
The scope of this seems pretty ambitious.