GDPR

It is being introduced this May after a 2 year introduction period by the EU for any company, anywhere wanting to trade with any EU country. If you are not GDPR Certified then you won't be able to do 'business' within the EU.
Anyone got certification/knowledge/any idea?
Comments
-
You don’t need to be “certified”, just comply with the rules in your processes. They are just a basis of rules around consent to store, process and use personal details, send communications etc.
In the UK it’s a more robust form of the data protection act and the fines are huge if the ICO follow through with their threats.
Nobody really knows the impact at the moment it seems. There’s loads of people and firms who are trying to sell consultancy. Jump on the ICO site and look at their checklists and guidelines for the foundations.
Consent is the big thing though. You need explicit consent from anyone on databases etc. to use their personal info (email, phone number, anything). This includes existing “customers” - everyone should now be getting the consent to carry on “business as usual”. Opting out also needs to be as easy as giving consent. All those annoying tick boxes and ambiguous statements on web pages should be a thing of the past.
7
-
My HR lady is doing a lot of reading up on this. The fines are pretty frightening and I’m too pretty for prison.
10
-
The headline fines are for ultimate data breaches though. Like what happened with TalkTalk recently etc. They’re not going to put a company out of business because of a couple of unsolicited emails.
1
-
My work is all over this and throwing out fine amounts to try and scare us. I’ll wait for someone to summarise things for me.
1
-
At the moment there is still a lot for interpretation. Keep an eye on the ICO website for updates and clarification. Sending an unsolicited marketing email is technically a breach of one of the principles but it will not be the same as the loss of a database of health records or something detailing sexual or religious preferences. Fines will be proportional. I think a lot of leeway will be given in the initial stages of the roll out. Technically in the rules anyone in the EU can submit a ‘subject access request’ to any company they believe holds personal data on them, you could cripple a company by doing a ‘subject access request’ denial of service.
GDPR is a good thing. It’s a lot of work for companies but to get an idea of what personal data companies have on you, submit a subject access request to an online dating site. You’ll be shocked what can be ascertained from swiping left and right.
1
-
As you would suspect, we handle a vast amount of personal data and we have set up a separate department just to deal with GDPR. If you control significant amounts of personal data then starting now is just not too late.
0
-
Yes I have been working on this for a year amongst other things. Our data protection regulator is the ICO. Their website has lots of good resources including stuff for small businesses.
The_President said:
Stands for General Data Protection Regulation.
It is being introduced this May after a 2 year introduction period by the EU for any company, anywhere wanting to trade with any EU country. If you are not GDPR Certified then you won't be able to do 'business' within the EU.
Anyone got certification/knowledge/any idea?
It's essentially an EU harmonisation of data protection regs which will see an enhancement of our dpa98 legislation.
0
-
And yes, we’re still bound to it after Brexit...
3
-
What is Charlton Life Towers doing to protect us?
1
-
Yep, entrenched in UK legislation.
WSS said:
And yes, we’re still bound to it after Brexit...
1
-
-
As part of his apprenticeship, @i_b_b_o_r_g is looking into it.
ShootersHillGuru said:
What is Charlton Life Towers doing to protect us?
7
-
Important to note it's employees' personal data, equally important as customers'. ICO website best place to start for a concise summary.
If you navigated the Bitcoin thread you'll find that a piece of piss. :-)
2
-
Oh.
cabbles said:
As part of his apprenticeship, @i_b_b_o_r_g is looking into it.
ShootersHillGuru said:
What is Charlton Life Towers doing to protect us?
0
-
It's a ball ache for the firm I'm consulting at as, although their business is in Asia, they hold data for EU citizens which means they must be compliant.
Fine usually, except the working practices around data protection out there are shocking. Plenty of fun and games to be had over the next four months.
0
-
Another scam, like most of Y2K was. Just a way for hustlers and lawyers to make piles of cash out of you. Won't make a blind bit of difference, other than a few token wrist slaps - data breaches will still go unreported. Most of the dire warnings are being put out by people who have a vested interest in rinsing you for cash.
6
-
What, like a Belgian semiconductor firm for example? :-)
MarkyE83 said:
At the moment there is still a lot for interpretation. Keep an eye on the ICO website for updates and clarification. Sending an unsolicited marketing email is technically a breach of one of the principles but it will not be the same as the loss of a database of health records or something detailing sexual or religious preferences. Fines will be proportional. I think a lot of leeway will be given in the initial stages of the roll out. Technically in the rules anyone in the EU can submit a ‘subject access request’ to any company they believe holds personal data on them, you could cripple a company by doing a ‘subject access request’ denial of service.
GDPR is a good thing. It’s a lot of work for companies but to get an idea of what personal data companies have on you, submit a subject access request to an online dating site. You’ll be shocked what can be ascertained from swiping left and right.
Was actually discussing with a colleague today about how long before the parking fine firms, train companies and councils are inundated from disgruntled customers with SARs.
There's speculation that the parasite claims management companies will focus on this once the PPI redress cash cow they've milked for a decade closes in 2019.
What a world.
0
-
Had a briefing from our Information Officer on this last week which was quite good. He's been doing it for a while and basically likes the ICO and assured us that the big headline fines (up to £17M!) are for firms who are making no effort at all. Anyone following the guidance should be OK and most importantly the big change is that the onus is now on the firm to report if there is a data breach. If you do that and work with the ICO, fines will be small (or may not even happen).
We sometimes have minor breaches where I work (I sent an unsecured email myself a while back which I reported). These are only a problem if you are in denial about them or don't do anything about them.
And the last thing he told us was that anyone advertising themselves as an expert in this field is pulling a fast one, because it is going to be worked out via cases and so the detail isn't there yet.
0
-
Does this mean the PPI guys can’t phone you - only if they have your explicit permission?
1
-
It is not all about consent. That is one of six lawful reasons for processing data. Others include fulfilment of a contract and "legitimate interest" which can include communicating with your customers via direct marketing.
As usual, a lot of stuff and nonsense and people trying to make money out of fear and ignorance.
0
-
They never should have been able to if you are TPS registered. But they still do. Just ask them where they got your number from and what their company registration number is. I bet they hang up.
MrOneLung said:
Does this mean the PPI guys can’t phone you only if they have your explicit permission?
1
-
-
Reckon I get 2/3 emails a week on this from accountants for presentations they are running. Fortunately no relevance to me so all ends up in junk!
0
-
We are working on this in my charity.
I have a specific question which I am getting different answers to. It’s about geographical scope. We have a legal branch in Vietnam; would they have to adhere to GDPR or is it just for EU data? We will of course roll out best practice throughout the organisation.
I think it’s a Y2K too.
1
-
We’re in the same boat. Here’s a starter for 10:
kimbo said:
We are working on this in my charity.
I have a specific question which I am getting different answers to. It’s about geographical scope. We have a legal branch in Vietnam; would they have to adhere to GDPR or is it just for EU data? We will of course roll out best practice throughout the organisation.
I think it’s a Y2K too.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/?q=children
2
-
Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.
I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!
2
-
I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.
Dazzler21 said:
Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.
I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!
Come May 25th the directive is enforceable.
2
-
This is true.
WSS said:
I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.
Dazzler21 said:
Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.
I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!
Come May 25th the act is enforceable.
Also, in reference to your only post, you can use personal data without express permission if your company has a "legitimate interest". How "legitimate interest" is defined is another matter.
0
-
That's my understanding too.
WSS said:
I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.
Dazzler21 said:
Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.
I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!
Come May 25th the directive is enforceable.
0
-
Doing a bit of work on this at the moment as I'm an Underwriter and our Policy Wording is likely to restrict coverage for Employers in relation to GDPR (as I am sure will many others).
No doubt that you will still be able to get the cover for it as an employer but you will have to pay for it (just what small businesses need at the moment).
0
-
Agreed, then the question comes about how you acquired that personal data in the first place.
sinking feesh said:
This is true.
WSS said:
I'm 99% sure that is not true. People have had since April 2016 to "work towards" being compliant.
Dazzler21 said:
Just to confirm, by May you only have to evidence you are working towards being GDPR compliant.
I am currently working on a consent management piece of work. It's crazy the hoops you have to jump through and this is for people actively seeking marketing!
Come May 25th the act is enforceable.
Also, in reference to your only post, you can use personal data without express permission if your company has a "legitimate interest". How "legitimate interest" is defined is another matter.
I think the ease of withdrawing consent is a big one and the one 'customers' will benefit from (if enforced properly). For example, take Charlton's emails they send out - you have to jump through hoops to stop them sending them to you, I've tried it. Sure it's all in hand though...
1
-
Also, if you're an employee (or anyone else) and think that your boss or any other staff member have been slagging you off etc. behind your back you have the right to ask for all the information that relates to you. This can be emails that include your name (not necessarily sent to you), any instant messages that include your name etc. Could open it up for a few tribunals...
1