GDPR question - b0ll0x or not?

graham bowers · 31 Oct 2018

Struggling with this, so hoping for informed input please.

By way of context, I'm a committee member of a volunteer group that operates in the new national forest, centered on Moira, DE12. We work with landowners to manage their woodlands, so we cut down trees at the first thinning stage for no charge, and keep the timber for firewood. It's great fun!

It's been suggested to me by other committee members that when we use email to communicate with members, we should use bcc, so recipients email addresses are not shared. Not sure if this is b0ll0x or not. For round-robin stuff, I have no issue with that anyway. However, for example, if I'm arranging a training session for half a dozen people, and it is helpful for all involved to know who is involved, in the old days I'd just send it to all 6 so everybody could see each other's email addresses. I'm struggling to form an opinion on whether that would be a GDPR infringement or not.

Background context, members expect to receive emails from the group about the group's activities.

Slick · 31 Oct 2018

As long as you haven't more than 1 piece of identifying information you would be okay. So name but no address that kind of thing. You could encrypt your email and remove any issues that way.

That's my understanding anyway.

classic33 · 31 Oct 2018

Go with the bcc method. There's too much uncertaintity over it at present.

The other way is to get everyone to agree about knowing each others e-mail addresses.

Pro Tour Punditry · 31 Oct 2018

It could be. However if you get permission from them then it's not.

Joey Shabadoo · 31 Oct 2018

We used to have an expert on this around here.

Pro Tour Punditry · 31 Oct 2018

Diogenes said:
We used to have an expert on this around here.

I'm still here

gavgav · 31 Oct 2018

The key is consent. You need to get consent, off all of the recipients, that they are happy for their email addresses to be shared. Otherwise, yes you need to use BCC.

gavgav · 31 Oct 2018

Slick said:
As long as you haven't more than 1 piece of identifying information you would be okay. So name but no address that kind of thing. You could encrypt your email and remove any issues that way.

That's my understanding anyway.

Wrong, sorry. Even 1 piece of personally identifiable data, which an email address is, is a breach of GDPR if shared without consent.

Old jon · 31 Oct 2018

No problem, bcc works as easily and well as cc. Just use it.

bruce1530 · 31 Oct 2018

graham bowers said:
Background context, members expect to receive emails from the group about the group's activities.

... but they may not generally expect their personal data to be shared with everyone else in the group without consent. And under GDPR, email addresses are classed as personal data.

I’d say BCC for general group emails, CC for small groups where people would be expected to know/need each others emails, but strictly speaking, you should be asking your members if it’s OK to share their email addresses with others in the group.

Slick · 31 Oct 2018

This seems a sensible guide with further links to the full guide if you have the time. :wacko:

https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018

classic33 · 31 Oct 2018

graham bowers said:
Struggling with this, so hoping for informed input please.

By way of context, I'm a committee member of a volunteer group that operates in the new national forest, centered on Moira, DE12. We work with landowners to manage their woodlands, so we cut down trees at the first thinning stage for no charge, and keep the timber for firewood. It's great fun!

It's been suggested to me by other committee members that when we use email to communicate with members, we should use bcc, so recipients email addresses are not shared. Not sure if this is b0ll0x or not. For round-robin stuff, I have no issue with that anyway. However, for example, if I'm arranging a training session for half a dozen people, and it is helpful for all involved to know who is involved, in the old days I'd just send it to all 6 so everybody could see each other's email addresses. I'm struggling to form an opinion on whether that would be a GDPR infringement or not.

Background context, members expect to receive emails from the group about the group's activities.

I'd say, from what you've posted, that there's someone unhappy that others may know their e-mail addresses.

Best bet is to cut off any disputes before they start.

Levo-Lon · 1 Nov 2018

Diogenes said:
We used to have an expert on this around here.

Ask in Walking forum,he still uses that

Slick · 1 Nov 2018

gavgav said:
Wrong, sorry. Even 1 piece of personally identifiable data, which an email address is, is a breach of GDPR if shared without consent.

I'm not sure if we're talking about exactly the same thing but this thread got me thinking so much so I had a discussion with our compliance officer this morning and they are satisfied that single points of information is still in scope of the new regulations for emailing to other stakeholders.

Electric_Andy · 1 Nov 2018

My Dad had the same advice (he is on the local parish council). Always better to Bcc as a belt and braces approach. All of my Dad's lot have taken it seriously and would rather Bcc than not.

GDPR question - b0ll0x or not?

graham bowers

Guru

Slick

Guru

classic33

Leg End Member

Pro Tour Punditry

Guru

Joey Shabadoo

My pronouns are "He", "Him" and "buggerlugs"

Pro Tour Punditry

Guru

gavgav

Legendary Member

gavgav

Legendary Member

Old jon

Guru

bruce1530

Guru

Slick

Guru

classic33

Leg End Member

Levo-Lon

Guru

Slick

Guru

Electric_Andy

Heavy Metal Fan

Similar threads