
GDPR - training!

193 replies

Fekko · 06/09/2017 07:28

Does anyone know of any decent courses to get to grips with this? I've read up on it but still have questions.

Snuper · 10/03/2018 09:50

Well you get into another complication if you use an online service as you'd be using them to process data that you control and so must have a written data processing agreement in place (and make sure the processing is fine in the EU, or with other adequacy status provided)... this is where it gets into nonsense for the small business (and big ones too).

Wh0KnowsWhereTheT1meG0es · 10/03/2018 09:51

That's what I'm thinking too, while it is fairly clear what you need to do, templates to ensure you have worded notices correctly and not missed anything would be very useful.

PickleFish · 10/03/2018 09:54

Yes, I can see that too. And bigger businesses should be aware already.

It just seems slightly overkill the way it's written, so broad that it seems to encompass anyone who is self-employed. I'm already careful with names/emails/phone numbers, but just have never made it formal and documented in quite this way.

Template notices would be a help. The professional associations that I've looked at all say they are looking into it, and will give advice 'in due course' about whether we need to register, and what to do, etc., so it sounds like nobody is entirely certain yet! Reading the rules very strictly suggests yes, but going by the spirit of what they're intending to accomplish, probably no.

PickleFish · 10/03/2018 09:55

Good point about the online service. I was thinking it would be easier than getting people to return forms, but you're right, I don't want any additional complications.

toomuchlikehardwork · 10/03/2018 09:55

I've had some involvement where I work, but IT are heading the project and my boss is more involved than me. But I'm in marketing and worry about my role because a big chunk of it is customer comms, and if our database of contactable customers reduces this will reduce my work.

I won't lose my job but my role could change.
We are a buying group so if we can't tell our customers about the new offers (they pay to be part of the group), what's the point?
(Kept things vague to avoid being identified).

I'll be keeping an eye on this thread

gussyfinknottle · 10/03/2018 09:58

Marketing is already covered by PECR which came in in 2004.

Wh0KnowsWhereTheT1meG0es · 10/03/2018 09:58

Yes, it's easy to get frightened reading it but you have to remember it is covering vast organisations with massive amounts of highly sensitive information (banks, insurance companies etc).

Si1ver · 10/03/2018 10:04

I finished the GDPR foundation and practitioners course a couple of weeks ago. It's not cheap (circa 2k I think, but my work paid for it) but it's bloody useful for anyone moving into a DPO role at work (which I'm not) and it's certainly focused my mind on exactly what's covered and what's not.

Snuper · 10/03/2018 10:12

@toomuchlikehardwork if the service they buy into is to receive your offers then you are relying on contract not consent. If you are worried about your job then you need to find out a lot more about GDPR, the new DP bill and PECR. The ICO guidance on direct marketing is very good and on their website. But it's often difficult to understand how they dovetail. There is also a Marketing Code of Conduct you should know inside out if this is your core business area (I don't).

Mind you, the boundary between marketing and servicing the contract is quite a fine line. Did you know that a survey of customer satisfaction after a sale is not marketing? I'm way more sick of the constant badgering for feedback than a bit of advertising... but that may just be me.

The E-Privacy regulation was meant to come in alongside GDPR and replace PECR, but looking more like 2020 now, which doesn't help with the dovetailing problem and has post-Brexit issues all of its own...

BerkInBag · 10/03/2018 10:55

I'm in the process of setting up an e-commerce website and really need to get my head around this. So good to have a thread here.

RunRivers · 23/03/2018 06:27

Can I ask a really basic question here? We are currently completing a data audit for the charity I work in.

What is classified as a piece of identifying data?

As an example (all made up of course), if we have a list of the groups up on a wall, is that data if it only contains first names or first name and surname initial? E.g. Yellow group - James, Paul L, Paul M, Sarah.

I would say, as it isn't identifying, it's therefore not data?

NickyNackyNoodleNoo · 23/03/2018 09:05

I have found my people.

I've just been put in charge of our GDPR compliance, deep joy! However I do feel I'm getting there, I work in finance and as we're so heavily regulated most things are quite tight anyway. I've spreadsheets coming out of my ears re all the data we keep, why we keep it, the lawful processing and who it's shared with. It's amazing what we do have on people.

My next big job is redrafting our policies in line with the new regulations. I dream of policies and procedures; funnily enough, none of my friends really want to talk about it.

Snuper · 23/03/2018 10:36

Mogleflop is pretty much right, but move away from thinking about consent/permission. If you NEED to publish that personal data to provide the service then you can't rely on consent. But your users should be aware that it will be used in that way by the privacy notice information you provide when you collect the data.

ICO have some guidance on 'what is personal data' which may help you understand that it's often about context as Mogleflop says.

Snuper · 23/03/2018 10:38

@Mogleflop photos are sensitive or special category personal data as they give ethnicity information! People struggle with this! So you need Schedule 3/Art 9 condition for processing.

EZA15 · 23/03/2018 13:58

My understanding was that as long as you are sending marketing emails pertaining to the actual business, e.g. party supplies, and nothing else, e.g. trips abroad for your partner companies, then you were fine? This is as long as they can clearly 'unsubscribe' and they have consented to this already. The trick is finding out when consent was given... there's a difference between consent being given 6 months ago and 6 years ago?

gussyfinknottle · 23/03/2018 18:02

Photos are NOT special category data/sensitive personal data. The ICO has never defined it like this. You cannot tell a person's ethnicity/sexual orientation/disability etc. from a photo. You might want to speculate but that's not enough to make it special category data.
I agree: don't get bogged down looking for consent. Saw something the other day where I was asked for consent by a charity that I regularly contact and support. It was "updating its records because of new law" or some such expensive nonsense. If I don't bother to reply, it should assume it no longer has my consent. Pretty risky tactics on their part.

Snuper · 23/03/2018 19:00

@gussyfinknottle OK, I should have said photos can be personal data rather than 'are'. And if we're being pedantic, the ICO don't define anything - the legislation does, and GDPR is more proscriptive than DPA (IP addresses for example - these aren't always personal data either). Photos certainly can contain information of an ethnic or health-related nature that could be used to affect the rights and freedoms of the individual, that is to say they could be discriminated against, for example. On the other hand, a street scene is unlikely to be personal data as you don't hold other information to identify them. That could change if you were the police processing the data and had access to more information about the scene, for example.

Snuper · 23/03/2018 19:14

My understanding was that as long as you are sending marketing emails pertaining to the actual business, e.g. party supplies, and nothing else, e.g. trips abroad for your partner companies, then you were fine? This is as long as they can clearly 'unsubscribe' and they have consented to this already. The trick is finding out when consent was given... there's a difference between consent being given 6 months ago and 6 years ago?

@EZA15 I think you're nearly right here. Emails (not marketing ones) about the service being provided do not need marketing consent - so a message about your purchase itself. Feedback requests are also not marketing (and yet I find these more annoying!). You may rely on the soft opt-in offered by PECR* to then send marketing material for the same sort of goods, as long as you offer 'unsubscribe' in the first and every email/text/electronic message. Your GDPR legal basis would probably be legitimate interests here.

I think! The relationship between DPA/GDPR and PECR is awfully convoluted!

By the way, there is no time limit to consent, so it doesn't really matter how long ago, but whether it was reasonable to continue indefinitely will depend on the circumstances. It does matter whether it meets GDPR standards. No need to refresh older ones if clearly indicated, freely given, informed, etc.

PECR is Privacy and Electronic Communication Regulation, due to be superseded by the E-Privacy Regulation which has now slipped to 2020, which is post-Brexit... so who knows what will happen with that.

Sorry to go on - it's helpful to me to try to make sure I have this straight!

dekfiji · 23/03/2018 19:29

There's a bit of a time limit to consent isn't there, don't you have to make sure you're not keeping old data?

(So if someone hasn't opened emails, logged in, etc, you shouldn't be keeping their old information forever.)

EZA15 · 23/03/2018 19:42

Snuper, I don't think you've gone on. I just wanted to ensure that what I've implemented at work is correct and was panicking somewhat, but I'm happy with the headway we're making. We've just updated our T&Cs and are in the process of getting the relevant customers to sign. I'll be happy when we're fully compliant; then it's just ongoing rather than the massive initial slog.

Snuper · 23/03/2018 20:36

@dekfiji Well, if they've consented to you keeping it forever then why not? But it's good practice to review. As you say, if they're not engaging, they're not interested and not buying. But let's say you sell cars... people go years between purchases, or university alumni lose interest until 10 years after graduating... or theatre: your customers might not go out much when they have kids but come back as the kids get older. Some businesses do want to keep customers long term - I still like hearing from my uni 20+ years on.

Nothing as black and white as it sounds in this... which is making it quite fun, albeit headache-inducing!

dekfiji · 23/03/2018 20:55

Sure, but part of data protection means cleaning out old data, and not storing it longer than necessary, doesn't it?

Snuper · 23/03/2018 21:08

Yes, but it's figuring out how long is necessary that's the hard part quite often.