Data protection law coming in

PT1029
Posts: 522
Joined: 16 Apr 2012, 9:20pm

Data protection law coming in

Postby PT1029 » 22 May 2018, 7:19am

My inbox is currently getting lots of e-mails saying there is a new data protection law coming in (this Friday, 25th), and that you need to update/opt out of various bits of personal data held to allow the company in question to comply with the new law.
Shouldn't we be getting one from Cycling UK? (Or have I had one but missed it?)
I know national office were mulling it over, because they stopped sending out membership data to our local member groups some months back while they pondered the issue. I think they recently started sending membership data out again.

Cheers

Si
Moderator
Posts: 14784
Joined: 5 Jan 2007, 7:37pm

Re: Data protection law coming in

Postby Si » 22 May 2018, 8:03am

I think my MG has received something but my AG has had nothing. I've also put in a request for guidance direct to HQ but heard nothing back yet. On the other hand I've had various stuff from BC on it.

drossall
Posts: 4149
Joined: 5 Jan 2007, 10:01pm
Location: North Hertfordshire

Re: Data protection law coming in

Postby drossall » 22 May 2018, 11:45pm

It depends. In broad terms, the GDPR is saying that an organisation needs to:
  • Understand what it does with personal data, as a prerequisite for everything else (often, there are a few uses going on that most of the organisation has forgotten about)
  • Make sure that there is a basis, i.e. a reason, for doing it (there are six broad categories possible, of which consent is only one)
  • Make sure that that is reasonable and (normally) in the interests of the individual (the data subject)
  • Make sure that the data subject has the same expectations of what is being done as does the organisation (usually achieved by publishing a privacy policy)
  • Stick to the above in future (or make updates to everything above, subject to some conditions)

It could be said that consent is the last option that an organisation should go for, i.e. if you really can't justify doing it for any of the other reasons (which include, for example, that you're legally required to, e.g. tax or employment records). Keeping membership lists and sending details of AGMs and subscription notices, as another example, would normally be done because it's in the "legitimate interests" of the organisation, i.e. you really can't be a membership body without keeping a list of your members and charging them subs!

But, marketing, which typically includes campaigning and the promotion of views, does normally need consent. So, it depends what CUK communications we're talking about but, if you're a member, they shouldn't be emailing you to ask for consent to keep your details on file, but they should be asking for permission to promote the latest CUK clothing to you.

admin
Site Admin
Posts: 1103
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Data protection law coming in

Postby admin » 23 May 2018, 11:56am

There is a lot of (sometimes deliberate) misunderstanding of the GDPR requirements.

As drossall says, explicit consent is only one of six valid situations where organisations can process personal data. The other situations are basically common sense: roughly speaking, if the person is going to be surprised by the processing, you can't do it without asking first. The whole point is to protect people's privacy, and to try to stop another situation like Facebook personal data being sent to Cambridge Analytica to help influence elections.

The six types of situation where personal data can legally be processed by organisations, from the horse's mouth:

https://ec.europa.eu/info/law/law-topic ... ocessed_en

And the actual Regulation text (see Article 6 subparagraph 1):

https://eur-lex.europa.eu/legal-content ... 001.01.ENG

Here's a nice summary from the Guardian newspaper:

https://www.theguardian.com/technology/ ... ay-experts

I've seen lots of "Please re-confirm you want us to contact you" messages coming from organisations I've never heard of, let alone want to be contacted by. I think they hope that people will automatically click the "Yes, please keep me in touch" button and thus legally gain permission to send them spam marketing emails in future!

Psamathe
Posts: 8708
Joined: 10 Jan 2014, 8:56pm

Re: Data protection law coming in

Postby Psamathe » 23 May 2018, 12:53pm

admin wrote:....
I've seen lots of "Please re-confirm you want us to contact you" messages coming from organisations I've never heard of, let alone want to be contacted by. I think they hope that people will automatically click the "Yes, please keep me in touch" button and thus legally gain permission to send them spam marketing emails in future!

Weird one I got recently was that my GP has my mobile number and had a couple of
new Data Protection (GDPR) comes in on 25th May. We need consent to text you, including appointment reminder texts. Please text YES to *********** to consent to this. Without consent we have to delete your mobile number.

I only gave it to them when I was away for a few months and had a routine scan due during that time. I'm all for privacy and all for people being made fully aware of what is being done with their information, but I'd have thought that, having given your mobile number to your GP, it is rather obvious that they might use it for legitimate contact purposes!

Particularly so given the apparent excessive "no shows" for appointments these days (and thus probable benefits from appointment reminders).

I'd have expected them to text telling you to contact them if you want your number removed (or text STOP as seems standard "unsubscribe" practice these days).

Ian

AlaninWales
Posts: 1518
Joined: 26 Oct 2012, 1:47pm

Re: Data protection law coming in

Postby AlaninWales » 23 May 2018, 5:57pm

Psamathe wrote:
admin wrote:....
I've seen lots of "Please re-confirm you want us to contact you" messages coming from organisations I've never heard of, let alone want to be contacted by. I think they hope that people will automatically click the "Yes, please keep me in touch" button and thus legally gain permission to send them spam marketing emails in future!

Weird one I got recently was that my GP has my mobile number and had a couple of
new Data Protection (GDPR) comes in on 25th May. We need consent to text you, including appointment reminder texts. Please text YES to *********** to consent to this. Without consent we have to delete your mobile number.

I only gave it to them when I was away for a few months and had a routine scan due during that time. I'm all for privacy and all for people being made fully aware of what is being done with their information, but I'd have thought that, having given your mobile number to your GP, it is rather obvious that they might use it for legitimate contact purposes!

Particularly so given the apparent excessive "no shows" for appointments these days (and thus probable benefits from appointment reminders).

I'd have expected them to text telling you to contact them if you want your number removed (or text STOP as seems standard "unsubscribe" practice these days).

Ian

I think it's one of the major misunderstandings that some are making about GDPR. As suggested above, this is probably deliberate (by some at least) as a means of increasing their marketing database. You don't need consent to keep details which are required to deliver the actual service (you do need consent to use details to deliver a load of marketing along with that service - and can't make that a condition of providing the service).

Contact details as part of a service in which they will contact you via the provided information? Consent is not required, you gave those details specifically because they were necessary in order to provide that service.

However, in your case you gave them in order to receive the details about the scan whilst you were away: there is no continued business need for them to hold that information now (from what you have said, anyway). If you need them to contact you whilst you are away again, they would have to confirm the mobile number with you, so the need to keep the data disappears. However, they can keep the data if you consent to them doing so (but to what point? Next time, when they want to text you results of a scan, they will, or at least should(!), check that number is still current for you).

For them to use this number for (e.g. appt reminders) they do need consent, as that is a change in the reason for holding the data.

(Disclaimer: IANAL nor a GDPR Consultant and no, I will not give you the email address for one :) ).

admin
Site Admin
Posts: 1103
Joined: 14 Dec 2006, 8:27pm
Location: Lancing, West Sussex

Re: Data protection law coming in

Postby admin » 23 May 2018, 6:30pm

AlaninWales wrote:For them to use this number for (e.g. appt reminders) they do need consent, as that is a change in the reason for holding the data.


Consent is only one of six situations where personal data may be legitimately processed. The GP may process personal data:

GDPR wrote:to protect the vital interests of an individual


and

GDPR wrote:for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted. If the person’s rights override your interests, then processing cannot be carried out based on legitimate interest. The assessment as to whether your company/organisation has a legitimate interest for processing override those of the persons concerned depends on the individual circumstances of the case.


which I would say includes appointment reminders to your mobile phone (unless there is a strong reason why this would impact your fundamental rights and freedoms).

Psamathe
Posts: 8708
Joined: 10 Jan 2014, 8:56pm

Re: Data protection law coming in

Postby Psamathe » 23 May 2018, 7:49pm

admin wrote:
AlaninWales wrote:For them to use this number for (e.g. appt reminders) they do need consent, as that is a change in the reason for holding the data.


Consent is only one of six situations where personal data may be legitimately processed. The GP may process personal data:

GDPR wrote:to protect the vital interests of an individual


and

GDPR wrote:for your organisation’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the person whose data you’re processing aren’t seriously impacted. If the person’s rights override your interests, then processing cannot be carried out based on legitimate interest. The assessment as to whether your company/organisation has a legitimate interest for processing override those of the persons concerned depends on the individual circumstances of the case.


which I would say includes appointment reminders to your mobile phone (unless there is a strong reason why this would impact your fundamental rights and freedoms).

(I'm no expert, so personal opinion.) To me the issue is the individual recognising why they are giving their GP their mobile number. In my case it was given on my assumption that they would use it to contact me (I did not constrain that to the specific tests). When people give out their mobile number I'd regard it as reasonable that they assume the organisation will use that number to contact them.

The example of my own case maybe highlights an ambiguity in the detail, I was stuck away from home and had e-mailed my GP reminding him my routine annual scan was due soon. They actually tried to phone me at home to say they had requested the scan from the hospital but I was living elsewhere temporarily. After a bit I contacted my GP practice worried an appointment letter was sitting in my letter box and I might "no show" and then they recounted their contact attempts so I gave them my mobile number for future contact.

It seems reasonable that, as I gave them my mobile so they could contact me, they store and use that number to contact me (and provide some means by which I can have that number removed from their systems). When I first registered I also gave them my landline number, yet I've had no letters asking for permission to store and use my landline number for contact.

Ian

Psamathe
Posts: 8708
Joined: 10 Jan 2014, 8:56pm

Re: Data protection law coming in

Postby Psamathe » 23 May 2018, 8:00pm

I suspect GDPR will end up yet another unenforced joke (in the UK). Over the last few months I've had a big argument with a company I purchased from, followed by the ICO pursuing my case.

I purchased online, giving the company my e-mail address but only after reading their T&Cs and Privacy Policy, where they "never pass your details to 3rd parties". Within hours of my item being delivered, a 3rd-party review site was e-mailing me to "rate your experience" (they knew exactly what I ordered, and the e-mail was sent to the unique e-mail address I used for the order).

I complained and the company attitude was "tough luck, it's what we do".

So I referred the case to the ICO, who accepted there was a case to investigate and investigated. The company basically ignored the ICO, playing for time (person is on holiday, no reply, etc.). The ICO repeatedly made requests of the company and never got satisfactory answers, and their conclusion was "The organisation was informed that it was unlikely that it had complied with its legal obligations under the Data Protection Act 1998." and "we have provided a compliance unlikely assessment." with the comment "while it is not clear why the organisation is refusing to respond", and their decision is to take no action.

So the company has received a very clear message, refuse to respond, ignore the ICO and nothing will happen. A bit like mobile phone use whilst driving - no enforcement and people quickly realise nothing will happen when they break the rules.

Ian

Cunobelin
Posts: 7585
Joined: 6 Feb 2007, 7:22pm

Re: Data protection law coming in

Postby Cunobelin » 23 May 2018, 8:26pm

Sent from a company today :

Knock, knock

Who's there?

No idea, because from 25th May you no longer have access to that data.

drossall
Posts: 4149
Joined: 5 Jan 2007, 10:01pm
Location: North Hertfordshire

Re: Data protection law coming in

Postby drossall » 24 May 2018, 12:01am

admin wrote:I've seen lots of "Please re-confirm you want us to contact you" messages coming from organisations I've never heard of, let alone want to be contacted by. I think they hope that people will automatically click the "Yes, please keep me in touch" button and thus legally gain permission to send them spam marketing emails in future!


But the problem there is that the 1998 Data Protection Act, and the current version of the Privacy and Electronic Communications Regulations (PECR), are already in force, requiring consent. The GDPR raises the bar by making it very clear that an opt-in is required, and that there must be a record of the consent. That's what all these emails should be doing: enhancing that existing consent to meet the new standards. It's still a breach of the existing legislation to contact people without basic consent, even if that's to ask them for consent :D

AlaninWales
Posts: 1518
Joined: 26 Oct 2012, 1:47pm

Re: Data protection law coming in

Postby AlaninWales » 24 May 2018, 10:43am

This is actually quite a good summary (in quiz form) of the effects of GDPR on the individual (at least what it is attempting to achieve): http://www.bbc.co.uk/news/technology-44224802. Note the way that "to protect the vital interests of an individual" is interpreted. I would not include reminding me of appointments in that category, nor it seems does the GP surgery under discussion. I think my dentist might though! :lol: If they do, they'll be corrected.

Psamathe
Posts: 8708
Joined: 10 Jan 2014, 8:56pm

Re: Data protection law coming in

Postby Psamathe » 24 May 2018, 10:58am

AlaninWales wrote:This is actually quite a good summary (in quiz form) of the effects of GDPR on the individual (at least what it is attempting to achieve): http://www.bbc.co.uk/news/technology-44224802. Note the way that "to protect the vital interests of an individual" is interpreted. I would not include reminding me of appointments in that category, nor it seems does the GP surgery under discussion. I think my dentist might though! :lol: If they do, they'll be corrected.

I don't have strong opinions about inclusion of appointment reminders, and maybe it points to a shortcoming in their IT systems, as apparently the only way they can disable appointment reminders is to delete your mobile number. I even asked if they could just replace my landline number with my mobile (i.e. not "categorise" the number as "mobile"), and they tried, and it prompted another "new Data Protection (GDPR) comes in on 25th May. We need consent ..." text.

But the BBC quiz is interesting, as I believe it suggests your landline is included in GDPR data: "The UK's Information Commissioner's Office defines personal data as: "Information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier."" In my case that would include my landline. Yet they are not asking for permission to use my landline.

I did the quiz and, without knowing much about GDPR, I scored 8 out of 9, which suggests to me it's probably fairly sensible (or maybe that it fits well with my personal opinions).

Ian

Psamathe
Posts: 8708
Joined: 10 Jan 2014, 8:56pm

Re: Data protection law coming in

Postby Psamathe » 24 May 2018, 11:01am

On the assumption that Brexit happens, has the UK committed to equivalent regs whatever the outcome of negotiations, or is it going to be watered down in the interests of commercial profitability? I.e. a commitment to at least equivalence, or the UK "going its own way"?

Ian

Psamathe
Posts: 8708
Joined: 10 Jan 2014, 8:56pm

Re: Data protection law coming in

Postby Psamathe » 24 May 2018, 1:23pm

I see it reported that some sites have now blocked EU-based users (though they, or some of them, claim it's temporary).
https://www.theguardian.com/technology/2018/may/24/sites-block-eu-users-before-gdpr-takes-effect wrote:Sites block EU users before GDPR takes effect
...
Instapaper, a read-later service owned by the US firm Pinterest, became the latest to disconnect European customers on Thursday. It said the cutoff was temporary while it made the required changes, and told users: “We apologise for any inconvenience, and we intend to restore access as soon as possible.” Pinterest did not respond to a request for comment.

Other companies have taken a more permanent approach. Unroll.me, an inbox management firm, announced it was withdrawing services for EU companies due to an inability to offer its product – which is monetised by selling insights gleaned from reading users’ emails – in a way that was compatible with EU law. “We are truly sorry that we are unable to offer our service to you,” the company told EU users.

Some online games, including Ragnarok Online, have switched off their EU servers.

Even if only temporary, how long have these companies had to become compliant!

Ian