Quote:
Originally Posted by OLD BOY
I think you are very complacent about this, Andrew.
The ICO makes it clear that if you collect personal data by consent, you have to tell every person affected for what purposes it will be used (even though it may be obvious) and get their informed consent. They have to be given a copy of your privacy notice as well. On consent, this is one of six 'lawful bases for processing' and by processing, they mean even simply keeping names and addresses. You have to tell people what the lawful basis is for collecting their data, and if you get it wrong, you have to grass on yourself by owning up to the ICO immediately, for which you will be subject to a huge fine.
From the ICO site itself:
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Why the need for all this? Because the EU is a huge bureaucratic organisation that likes to control people by getting them to jump through their hoops. We will be well out of it when we leave, and my hope is that legislation like this (eg the Acquired Rights Directive, Working Time Directive, etc) will be simplified in UK legislation after we leave the EU.
You can achieve what you want to achieve without making legislation so complicated and time consuming for everyone.
You're misunderstanding things to match your strong prejudices, and this inefficiency is costing your members in wasted admin costs. This is your typical anti-EU Project Fear manifesting itself again, Old Boy, even if it's subliminal.
GDPR is about protecting individuals from the state and corporations. Standing up for the little guy.
You put your privacy notice on your website, destroy data when it's not required and advise people why you need their data and the purpose it will be used for. I'm fully conversant with the ICO's stance on fines and it's very much a carrot approach, not a stick one. It's a UK upgrade to better privacy, and the ICO knows things won't be picture perfect on 25th May, but they will be seeking good practice starting with large organisations, not small clubs. All your costly gold-plating and mail-outs need a rethink, and I urge you to seek advice before spending more unnecessary time and money on this.