If you’ve not heard of GDPR, where have you been. It’s probably the most exciting thing to have come from the world of the web in Europe… well since the web began.
OK, I am joking. If you read the small print — and to be fair I’ve read most of the legislation. It’s dull as hell. Especially if you’ve then suffered the various differing views on how to enact GDPR.
So what is GDPR for those who don’t know… put simply:
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It also addresses the export of personal data outside the EU and EEA. c. wikipedia. 25 may 18
Wondering what I am thinking?
A few things…
GDPR should NOT have been a harsh stepping stone for any organisation that had truly looked after it’s users. I understand for those larger organisations with data not held in the UK for some reason or in the EU this may have caused one or two issues to comply, but these aren’t massive.
2 — GDPR is not the only thing that has changed! And MOST businesses have missed the other bill!
On 23 May, the Data Protection Act 2018 received it’s royal assent, a bill which accepts most processing and legislation is under GDPR but also supplements GDPR!
OH YES! Supplements! That means there is more to this than may meet the eye for businesses.
3 — If you’re concerned about changing your Policies, in my view (and I know others who share this), is to dump your current policies around this area and start again. Often Privacy Policies and Customer Policies can be years old and out of date due to how your own policies have changed, this is the perfect chance to update, and ensure internally you know everything is just right.
I’ve seen so man people just bodge this and stick on GDPR, add a sentence or two — hope for the best by adding GDPR into sentence and copy someone elses block of text … but GDPR isn’t a one size fit’s all.
GDPR by it’s nature is almost all encompassing, it isn’t like many are used to by dealing with data online and offline separately — it deals with it as one. It’s highly logical in this way, and a bodge job doesn’t cut it and you will get caught out.
4 — I’ve seen a ton of organisations emailing for permission to keep emailing me newsletters even though I pay a subscription, or there is a CLEAR VESTED INTEREST…
You do NOT need to send me that email. If you hadn’t put me on your list I probably would have skipped out and now you have I probably will. Some companies I know have seen 100K+ email lists go to 5K because they were stupid enough to not realise they didn’t need to do this.
To be clear… Here is what consent means and why in the case above you don’t need to send me that email…
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; © processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
GDPR EU Legislation c may 2018
By being a paid member, it is clear I have a legitimate interest in your service and offering. It’s also clear that I have signed up to your service.
However, what I do agree with is if you are dodgy enough to not have asked permission on day one then yes send that email!
5 — and finally. I’m looking forward to my inbox being a lot quieter :)