Re: Government & Post Election Discussion
 

I've not said that you've not said it shouldn't be protected. Where have I made such a statement?

The obligations for organisations are set out by the GDPR. But a privacy notice for Facebook will vary from that for a local snooker club, for example. That's sensible, proportionate and not a sledge hammer by any wild stretch of the imagination.

There is legitimate use of customer data, you don't need to get customers' consent if this is the case. If you're sending millions of emails it sounds like you're the consultants' favourite customer and are gold-plating things unnecessarily as your prejudices are overly-shaping your implementation.

Re: Government & Post Election Discussion
 

You questioned my appreciation of the value of having personal data, Andrew. I do not misunderstand that.

But you certainly appear to misunderstand the impact of this regulation on small and medium sized organisations if you believe that you don't need to get customer consent to use their data.

I am secretary of an organisation that collects names and addresses simply for the purpose of collecting subscriptions and sending information to our members. That is perfectly legitimate, but we still have to write to all 1000 odd subscribers and get their written consent to the collection of this data, and tell them how we use it, although they already know. We also have to give them all our privacy document.

This is simply unreasonable, short and simple. Apart from the time taken to compile all of this, we have to spend money on printing this lot, and train everyone on their duties under the regulations even though they already comply. We cannot risk a fine for not doing any of this properly.

I think you need to read the regulation again, Andrew, because I don't think you have taken the full implications on board.

Just read the ICO site and consider how a small organisation gets its head around all of this. It's a flaming nightmare. And totally unnecessary to tackle the problem this way.

Re: Government & Post Election Discussion
 

I'm afraid you have misinterpreted the regulations Old Boy and tied yourself up in knots. Legitmate use over-rules consent. I suggest you speak to the ICO.

Re: Government & Post Election Discussion
 

I think you are very complacent about this, Andrew.

The ICO makes it clear that if you collect personal data by consent, you have to tell every person affected for what purposes it will be used (even though it may be obvious) and get their informed consent. They have to be given a copy of your privacy notice as well. On consent, this is one of six 'lawful bases for processing' and by processing, they mean even simply keeping names and addresses. You have to tell people what the lawful basis is for collecting their data, and if you get it wrong, you have to grass on yourself by owning up to the ICO immediately, for which you will be subject to a huge fine.

From the ICO site itself:

What are the lawful bases for processing?

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)


Why the need for all this? Because the EU is a huge bureaucratic organisation that likes to control people by getting them to jump through their hoops. We will be well out of it when we leave, and my hope is that legislation like this (eg the Acquired Rights Directive, Working Time Directive, etc) will be simplified in UK legislation after we leave the EU.

You can achieve what you want to achieve without making legislation so complicated and time consuming for everyone.

Re: Government & Post Election Discussion
 

You're misunderstanduing things to match your strong prejudices and this inefficiency is costing your members in wasted admin costs.This is your typical anti-EU Project Fear manifesting itself again Old Boy even if its subliminal.
GDPR is about protecting individuals from the state and corporations. Standing up for the little guy.
You put your privacy notice on your website, destroy data when it's not required and advise people why you need their data and the purpose it will be used for. I'm fully conversant with the ICO's stance on fines and it's very much a carrot approach not a stick one. It's a UK upgrade to better privacy and the ICO knows things won't be picture perfect on 25th May but they will be seeking good practice starting with large organisations not small clubs. All your costly gold-plating ane mail-outs neeeds a rethink and I urge you to seek advice before spending more unnecessary time and money on this.

Re: Government & Post Election Discussion
 

Many small organisations don't have websites, Andrew, so they have to resort to printing and delivering door to door. You cannot deny with any credibility that we have to be able to prove consent, and this means we have to get people to accept in writing.

I am livid about this whole thing and I dare say that I have alerted people reading this thread to the insidious way in which EU bureaucracy is creeping into our lives, making innovation seem to be more trouble than it's worth.

It's not sticking up for the little guy. It's making life a misery for voluntary and charitable organisations, clubs and SMEs. The little guy gets bombarded with conditions every time he/she signs up for a service. I know for a fact that most people sign up without reading these terms because they are pages and pages long. All the bureaucracy achieves nowt.

Anyway, you are never going to admit that this is OTT, but I hope I have got my point across to others. And if anyone reading this finds that they may be affected by this because they hold personal data, don't just accept Andrew's soothing words. Don't be complacent - go to the ICO website and read it for yourself.

Re: Government & Post Election Discussion
 

Maybe think in 21st century manner and put it on a Google doc and make it public. Think creatively and try and reduce the costs for your members. Don't gold plate your privacy statement, a few sentences will do.
Everyone else has tried to point out your misinterpretation so I'm quite happy if you take Hugh's word or Jon's instead.
You're livid because you're misunderstanding things. Please save your members time and money by connnecting more with the ICO and less with your anti-EU prejudices.
You also seem to have forgotten that legitimate use over rules consent. Or is this an inconvenient truth?

Re: Government & Post Election Discussion
 

Sorry OB but I agree with the others, you are reading too much into what you think is required as opposed to what actually is.

I would suggest you contact the ICO and get the relevant advice before taking action which may prove expensive and unnecessary.

https://ico.org.uk/global/contact-us/

Re: Government & Post Election Discussion
 

Well, I can read the ico website as well as anyone, and if People Management believe there is a problem for small organisations, people will be advised to take this seriously.

https://www.peoplemanagement.co.uk/n...nto-GDPR-abyss


Ann Bevitt, partner at law firm Cooley, said a reported lack of preparation for the GDPR could be the result of smaller businesses that have been outside previous EU directives on data protection. “There are a lot of smaller companies and tech start-ups that are not caught by existing EU law, but will be caught by the GDPR,” she told People Management.

“Within that population, the vast majority are just waking up to it, purely because they did not anticipate that the GDPR would apply to them. Those small companies will also have to grapple with a steeper learning curve than larger organisations, because they do not have that base of directive compliance to build on, so will have to get to grips with the terminology and legal bases.”

According to the report, companies could be forced to spend eight hours a day, or 172 hours a month, on data searches after the implementation of the GDPR, with more than one in three (39 per cent) UK-based directors saying they were concerned about their ability to be compliant. More than one in 10 (13 per cent) UK companies said they were not confident they knew where their data was housed, while 12 per cent reported that they had not accounted for all databases.

Re: Government & Post Election Discussion
 

For fear of pointing out the obvious, none of that magazine's reproduction of a law firm's press release justifies the way that you are expensivley gold plating GDPR for a small club.

Re: Government & Post Election Discussion
 

What, that we have to contact everybody to explain our policy and construct a privacy notice? In the end, that's what it has meant for us. That is why small organisations have got a problem. In order to do this, you have to read and understand all the ico guidance, and unfortunately they have failed to produce models so that you can just fill in the blanks.

Re: Government & Post Election Discussion
 

As others have said, you are doing far, far more than you need to. Having some lateral thoughts like those I've suggested will save you a ton of money.
To consider it another way, how many councils, organisations or companies have contacted you to inform you of their privacy policies?

Re: Government & Post Election Discussion
 

The larger companies probably don't rely so much on the 'consent' justification, have web sites and a great deal of in house expertise on data protection.

Smaller organisations have not previously been covered by the data protection regime and normally do rely on consent to gather their data, which is often only names and addresses.

I still say, however, that whatever you say about this, there are better ways of passing laws that should not need to require a level of organisational bureaucracy to enforce.

Re: Government & Post Election Discussion
 

The ICO has some useful information on its website about what you need to do. I think you will find it good news and will hopefully reduce the work which you have envisaged, thereby allowing you to put your feet up this Easter and watch some more telly. :)
https://ico.org.uk/media/1624219/pre...r-12-steps.pdf

Re: Government & Post Election Discussion
 

Section 7 in that PDF resolves OB's main complaint.

As I said he's reading more into it than is what is required.