GDPR

[Sharky]

I just wonder if the new law is causing more harm than good. In the last few weeks, I've had countless number of emails asking me to reset my preferences. It would be so easy for the spammers to create rogue/harmful email requests to entice us to click on a link.

One organisation emailed with their revised privacy policy BUT included all their members in a CC dist list. So now everybody knows everybodys ail. They should Bcc 'd everybody instead.

I am hoping that by not responding that a lot of unwanted emails will now stop.

 

[mustang1]

Sharky means GDPR?
Mod note: yes - thread title edited!

 

[Levo-Lon]

It's costing a fortune and will no doubt cost lots and lots of good companies a fortune in fines.
Pathetic busy body nonsense.

I had to do a training course on the damn thing last week, just loads of waffle..
Will it stop scammers and internet crime ?? No
Everything will probably go up to pay for this.

 

[PaulSB]

I’ve always tried to have the discipline to unsubscribe from any mailing list I’m not interested in. I feel I’ve been quite successful in this and get very little spam.

The number of organisations who felt it necessary to email me re GDPR has been surprising - some I’ve never heard of. It’s been a great opportunity to unsubscribe, update etc. and hopefully reduce further my junk mail.

 

[Crackle]

I've had some fairly dodgy emails which seem to have completely missed the point, including asking me to opt in if I want to continue receiving emails from people I opted out of a long time ago. I dare say they've taken 'expert' advice, quite a bit of which, from reading around, has been wrong.

I haven't yet checked my spam folders to see if I've stopped receiving stuff which supposedly I've unsubscribed from but hasn't worked. This goes straight to my spam folder after I've created a rule to forward a copy to someone I've chosen within the organisation sending it.

 

[AndyRM]

 

[User6179]

Bikeradar have sent me a final chance email 5 times now

 

[classic33]

Bikeradar have sent me a final chance email 5 times now

Not had one from them.

 

[User6179]

Not had one from them.

I have never used the site for years, forgot I had even been a member.

 

[classic33]

It's nowt new, just reinforcing existing laws already in place.

Might make people think twice about what they make available online. And who with.

 

[Inertia]

It's nowt new, just reinforcing existing laws already in place.

Might make people think twice about what they make available online. And who with.

How so? I think if Cambridge analytics doesn’t, then this won’t. If anything it moght make people more lax as they will feel they have more power over their data than before.

 

[swansonj]

'Good companies' will have been preparing for this for the last two years (after all, this isn't something recent - it's been around since 2016), so I can't see why you think it will cost them a 'fortune in fines'.

As for this being 'Pathetic busy body nonsense', I would suggest that you perhaps don't fully understand what GDPR is actually about.

The reality is GDPR is about ensuring that 'personal data' is only processed with either:

1. the specific consent of the person whose data it is; or
2. in line with a 'legitimate interest' (which are mainly related to legal obligations and powers)

GDPR also updates data protection legislation, provides a consistent approach across the EU (and the UK when it leaves the EU) and bring it into the new digital age.

What GDPR does is firmly reset the relationship between individuals and organisations. It makes it clear that someone's personal data is theirs - organisations can no longer take the approach that you 'give' your data to them and that's it. Despite what some people might suggest, you cannot sign away your rights to your personal data under GDPR.

'Personal data' is defined as “any information relating to an identified or identifiable natural person”, whether it relates to their private, professional or public life. As a general rule, any information that could be used to identify an individual – either on its own or when combined with another piece of information* – is classified as personal data. This can include:

• a name (including a username);
• a photo;
• an email address (including a work email address);
• posts on social networking websites;
• location data (e.g. IP addresses)

as well as the more specific and easily recognisable 'personal' stuff such as biometric or genetic data, medical records, banks records, criminal records, HR records etc.

The GDPR has also closed down some of the loopholes used by unscrupulous organisations (both big and small) to try and avoid meeting their data protection obligations (e.g. offshoring).

Given the whole Facebook and Cambridge Analytica issues in recent weeks, this could not have come at a more opportune time.



* This is a very important bit of the equation, as it means that pseudonymised data is also covered. Organisations won't be able to try to get around their obligations by (for example) changing a username.

Reg

Speaking for myself alone, I think I have a tolerably acceptable understanding of what the regs are trying to achieve, and I accept that there was an imbalance that needed addressing, but I still have a feeling that these regs (or the way they are being applied) are going too far.

Personally, I find the scope of "legitimate interest" to be a bit grey, and it seems to me it allows more people to do more things than the currently prevailing orthodoxy has it. I guess we will have to await some test cases.

 

[marinyork]

The consequence from work is we are no longer allowed to use fax machines - hurray, hurray, hurray. Something that should have happened a long time ago.

 

[swansonj]

I'm not sure that's the case. I think the 'legitimate interest' aspects are similar to the provisions we already had under the DPA 1988 (which in themselves were quite wide in scope and open to interpretation). However, I think the balance has shifted fundamentally to the side of the individual, particularly in relation to the ability to challenge or stop processing - even where this is being carried out under a legitimate interest, and as a result of some of the less talked about changes (e.g. in relation to automated decision making).

Let me give an example: I've been looking recently at access to patient notes by CCGs for the purpose of auditing clinical coding - in particular in relation to paying for activity. In the past, they CCGs could argue there was a legitimate interest in the processing (the audit) taking place and that hasn't changed post-GDPR. As this isn't an audit directly related to patient care, consent was required from patients pre-GDPR and will be post-GDPR. But the fundamental change is that we won't, as we've done in the past, be able to rely on assumed consent unless opting out (e.g. tell us if you don't want your notes included) - now we will have to ensure they give positive consent (i.e. they have to agree to their records being included). That's a very significant - and important - change.

I was at an NHS GDPR seminar a few weeks ago, where this was being discussed. It was clear that some of the NHS providers were looking at treating this as "business as usual" and looking for ways to avoid having to get consent - and they were being encouraged in this by the NHS regulators to a certain extent - but a very different view was being given by the patient groups.

I fully expect one of the early challenges to the interpretation of the legitimate interests provisions to be related to the NHS, as it is open to abuse and we are talking about sensitive personal data.

Now I'm confused (which isn't hard, I do not profess to be an expert).

IF there is a legitimate interest (and and I'm not saying whether I think there is or not) isn't that an alternative lawful basis to consent? If they are claiming legitimate interest, why are they claiming consent as well?

 

[Genau]

The LA Times and Chicago Tribune (same parent owner) are currently unavailable in "most European companies" due to GDPR. Other US newspapers are still available so the issue seems to be confined to Tribune Media.