Hi Afterworders,
Are any of you trying to get to grips with the impact of GDPR, the new Data Protection legislation?
I suppose this lovely site is classed as a Social Media site.
I hope none of your profiles ever become the subject of a data protection issue (unlikely I know).
I won’t be sharing where I work however…
C42Blue
Comments
craig42blue says
GDPR – Gillan, Dio, Paige and Ritchie..??
Moose the Mooche says
Grebo, Dubstep, Punk and Rap-rock.
craig42blue says
…or the Grand Deep Purple Reunion
Encouragingly the UK ICO says on GDPR “25 May is not the end. It is the beginning.”
moseleymoles says
I have been on a 120-slide presentation on this for the voluntary sector, and yes indeed ICO guidance is ‘you’re on a journey’ rather than having to have everything watertight by May 25.
Native says
I work for an international finance company and we have project managers running round like headless chickens…
Seems like it will be a huge change for many businesses, but at the moment you just need to demonstrate that you understand that you have to change some processes and data storage, rather than actually make the changes.
Vulpes Vulpes says
The phony war ends on May 25th.
davebigpicture says
The trouble is, the information for micro companies is non-existent. I know I have to be careful not to let customer data fall into the wrong hands, but as I only keep email/business addresses for communication and invoicing and don’t have a marketing database, what am I supposed to do? As I work all over the place, my laptop with this (not very confidential) stuff on it can’t be locked down, and it’s not practical to use a cloud-based system. Neither of my main clients, both household names, seem very concerned about what I do, yet the government keep saying that I must take “appropriate steps” or some such vague nonsense. Unusually, the You and Yours programme devoted to it didn’t have any real information either. Short of locking my laptop in a box when I’m not using it, I don’t know what they expect.
johnw says
If I were in your shoes I’d use a very easy-to-use encryption application. I know it’s not perfect, but my choice is VeraCrypt. Once you’ve set it up, you just need to log in every time you want to use your data and, as far as I’m aware, it’s yet to be cracked, so you couldn’t be accused of being fast and loose with people’s data. As VeraCrypt is open source, you can move your “container” from machine to machine easily and securely.
davebigpicture says
Thanks @johnw I’ll have a look at that.
Ahh_Bisto says
The main issue for a company – large or small – is to make sure anyone who receives marketing/sales material from you can opt out (same as currently) and if someone makes a request to have their data – assuming you have data about them – deleted you do it within 40 days. I think the main concern for many companies who are very active with consumer data is that the rights of the consumer/public have been strengthened in the way they can demand action from the company and the fines if the company fails to demonstrate they have taken action (4% of turnover or £20M) or demonstrate they have been careful with how they’ve managed the consumer’s data in their own systems and processes – e.g. if there has been a security breach.
So for the Afterword the issue will be if one of us says they want their account and all their previous posts deleted: the site will need to be able to demonstrate that it has done so. The problem is that no website can simply delete all traces of activity, as other sites/users/search engines may retain that data for a long time simply because of the way the web works.
chiz says
Does the AW need (or already have) a privacy policy?
Ahh_Bisto says
I’d say yes, it should have one in the light of GDPR.
Vulpes Vulpes says
Definitely. Belt and braces required, so do this. This website collects personal data, therefore it ought to have a DPN. It doesn’t need to be rocket science – there are pro-formas available that would be relatively easy to adapt. The Data Privacy Notice needs to be seen when someone signs up to join this merry crew.
At a minimum there also needs to be a link somewhere accessible that is labelled something like “I’ve decided I want to be a bricameron; please obliterate me”, so that anyone can decide to leave the party. Their posts can remain, but the personal data in their profile needs to vanish. It would make sense to replace their moniker and avatar with a default “No longer with us” as well.
If anyone should decide that they wish to avail themselves of their personal data held here, the admins just need to be able to retrieve the profile and all postings and provide it on request; nothing the member can’t do for themselves.
But unless our personal data are being sold on the quiet to Oxbridge Analistics, there’s not much actual relevant processing or data sharing going on as far as I can see.
I don’t believe that the occasional general appeal for funds constitutes marketing; this is a volunteer-run exercise and everyone knows that, so it’s in our collective legitimate interest to have a whip-round every now and then. The only thing we sign up for is the fun of being here, along with the painful pleasure of regular wallet-threatenings as a result of our compadres’ music and film recommendations, so there are no consents to worry about.
On the subject of whip-rounds, I’ve just given fifty quid’s worth of free consultancy advice, so how about making a donation right now everybody?
Vulpes Vulpes says
*Marvin the paranoid android voice*
Don’t talk to me about GDPR, I’ve been working on it since September for a large bank.
*shoots self*
Arthur Cowslip says
I was actually going to post about this a while ago but I decided it didn’t fit here! Glad you brought it up.
I work for a large financial company. In my experience there might be a solid common-sense rationale behind GDPR, but by the time it has trickled down to us plebs on the floor it’s just turned into a collection of slogans and buzzwords. It’s very much the emperor’s new clothes – everyone is keen to affirm they know it is happening and how important it is, but when pressed no one actually seems very sure what it ‘is’. Yes, we have to be careful to look after customers’ data… but wasn’t that always the case? What has actually changed? Bigger fines and consequences, I suppose.
Ahh_Bisto says
There is a change of emphasis for consumers to be able to ‘opt in’ to have their data used before the fact rather than ‘opt out’ after the fact. It’s to make sure companies aren’t just gathering whatever data they like without prior consent. Obviously there are exceptions to this rule – e.g. for legal reasons ‘opt in’ is assumed – but it’s to prevent that type of “under the radar” data grab that many sites and apps do automatically. The consumer also has more rights about asking what companies are actually doing with their data and by law those companies need to respond in a way that is meaningful and transparent. Again there are exceptions – e.g. company says the request is mischievous – but if you’re a bank I’d be sweating about all the inter/intra/extra-departmental data processing around customer accounts and data that goes on without full transparency, even within the hierarchies of the banks themselves.
Arthur Cowslip says
Like emails! We regularly discuss (by email) cases and individual customers (including medical info) quite a lot… Easy to forget you are not just chatting but actually creating little pockets of sensitive data about real people.
Ahh_Bisto says
With emails or any data/info transfer channels it’s all about encryption.
Vulpes Vulpes says
Suffice it to say that, never mind the tightening up that GDPR represents, you are already in high-risk territory under the existing legislation, sharing data like that over vanilla email, which is a fundamentally insecure medium of communication. Even more so if you use web-based email.
Vulpes Vulpes says
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Rigid Digit says
Just started to try and (properly) get my head round it – rather than just saying “Ah, it’s the Data Protection Act with bells on”.
My fear is that it will be implemented too strongly without actually testing what is and isn’t permissible
(or maybe that’s just my experience of how my company has dealt with all forms of enforcing legislation in the past).
Not convinced it’s much of a change from what we already have; we just maybe need to prove strong controls and reasons for holding
(but I only properly read the bumph for the first time on Monday)
Vulpes Vulpes says
It’s quite a lot more than the existing legislation. There are individual rights enshrined under GDPR that have never really been nailed down before, as an example.
But you should really read the ICO website – there’s tons of good information and advice there, publicly available:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Mike_H says
Getting a few emails from mailing lists that I’m on lately, asking permission to keep sending stuff to me and what manner of stuff I want to receive.
Could be a handy way to ditch the one or two that no longer interest me.
atcf says
I work for a company supplying Universities with software so it’s a big deal for us. We are imminently going to be sent a link to an online training course which all staff will have to complete. Our bosses are usually very hands off but they’re adamant that we all complete this quickly so it’s clearly a serious matter in their eyes.
The Good Doctor says
I’ve no problem in principle with Data Protection, but even the GDPR is so out of date with technology, and nobody seems capable of articulating how it should be applied in 2018; certainly with something like this website it is far from clear what it would actually need to do to comply with the legislation. Presumably you’re supposed to hire an expensive consultant to prevent you from falling foul of the law?
There’s a much bigger issue that’s missed here. I’m not a parent, but I’m very aware that my friends’ pre-teen kids are glued to their phones and sharing, filming, snapchatting, instagramming etc. every detail of their young lives – whether they’re old enough to or not (there is nothing to stop them regardless of the age limitations). The GDPR does fuck all to address that. There doesn’t seem to be much impetus to protect kids and educate their parents, who don’t understand social media, and it doesn’t address the implications of how much their kids are sharing online.
johnw says
I know this probably belongs in another thread but are you saying that parents can’t be bothered to learn how to stop their children doing these things or that there’s no way to do it? Obviously they are very different things and need to be addressed in very different ways.
The Good Doctor says
I’m generalising @johnw, but I think a lot of people are pretty naive and blasé about how things like Twitter, Facebook and Instagram work (hence the shock horror about the Facebook revelations). I’m always amazed by how gullible adults are in the stuff they choose to share on Facebook – ‘THIS IS REAL!!!!! Share this and you’ll get a free £100 Amazon Voucher’ or some well-meaning meme illustrated with that yellow cartoon character everyone seems obsessed with, which turns out to be a viral thing started by some dodgy right-wing group. If otherwise intelligent, decent adults I know can’t see through the scams, chain letters, dodgy propaganda and other traps online, what hope have their kids got? I’m not knocking parents – I know the pressure kids are under to get on social media so they can communicate with their friends constantly and not be an outsider.
Don’t know what the answer is, but I can’t see the tech giants falling over themselves to safeguard anyone, especially kids (cyberbullying, anyone?) – with or without this legislation.