[News] Drowning under GDPR emails

[jasetheace]

West Sussex County Council has basically gone back 20 years.

There were contractual agreements in place under the Data Protection Act which allowed us to share sensitive information between contracted service providers with the verbal consent of the individual, however the need for 'positive consent' means written, 'affirmative' consent, which means Mental Capacity Assessments need to be carried out in a lot of cases before you can even ask for someone to give permission for their information being shared.

So it's back to posting assessments and support plans out to people for them to pass onto services themselves, which is all well and good until you need to action something quickly.

Can see a lot of fines coming for local authorities.

Yes, each sector/industry will face its own very specific issues. Two things that may assist here are that;

I believe (correct me if I am wrong) this legislation whilst being kept will have to be re-ratified (if that is a word) post brexit and that may provide for one or two common sense amendments (or rather additions that clarify).

I understand that the ICO are having to scale up to cope with all this and are still in the early to middle of that process (whilst having a fairly full in-tray already) so unlikely to be an Operation Shock and Awe effect, not initially at least.

 

[Audax]

West Sussex County Council has basically gone back 20 years.

There were contractual agreements in place under the Data Protection Act which allowed us to share sensitive information between contracted service providers with the verbal consent of the individual, however the need for 'positive consent' means written, 'affirmative' consent, which means Mental Capacity Assessments need to be carried out in a lot of cases before you can even ask for someone to give permission for their information being shared.

So it's back to posting assessments and support plans out to people for them to pass onto services themselves, which is all well and good until you need to action something quickly.

Can see a lot of fines coming for local authorities.

The council (and NHS) approach to the DPA was overly cautious IMO. As will be their approach to GDPR.

 

[Dorset Seagull]

Thanks for your reply, I appreciate your time. Yeah, actually it's not my concern either, but I work for a company where the situations I described occur a lot. I'm not sure what they plan on doing, I might run it past the Sales Director next time I see her.

Thanks again.

According to the ICO documentation you are able to market your products to customers who have purchased before under what is known as the soft opt in. This is based on the fact that the customer may well be interested in similar products or services. This also applies to customers that haven’t previously purchased but have been provided with a quote or shown an interest in a product or service you sell

 

[timbha]

Yes, each sector/industry will face its own very specific issues. Two things that may assist here are that;

I believe (correct me if I am wrong) this legislation whilst being kept will have to be re-ratified (if that is a word) post brexit and that may provide for one or two common sense amendments (or rather additions that clarify).

I understand that the ICO are having to scale up to cope with all this and are still in the early to middle of that process (whilst having a fairly full in-tray already) so unlikely to be an Operation Shock and Awe effect, not initially at least.

About a year ago it was suggested that organisations would be required to provide the ICO with a statement of compliance/readiness confirming full GDPR compliance by 25th May, or disclosing areas of non compliance and plans to rectify. Not sure where we are on this.

I suspect the ICO will wait for the first big name failure, eg something like the recent TSB computer problems where people could access the wrong accounts, and then launch an investigation knowing full well that it will win. This will send out a strong message.

 

[beorhthelm]

Oof, now you're getting into areas I'm less certain of. Where I work that's not a scenario we need to consider.

In theory, I think GDPR just flat out kills cold calling of any sort given cold calls, by their very definition, don't have prior explicit consent. For the sales follow up, I suspect the answer is no, not allowed without explicit consent. But I can't be sure (see above disclaimer)

i dont see it that way. its part of legitimate business to call up clients. Art 5 starts "Personal data shall be .. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"; and Art 6 says processing is lawful if "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract". so the intending meaning is that personal information given freely for business purpose, i.e. follow up sales leads. only if that article 6 clause (and a half dozen others) doesnt apply does consent need to be given. i.e. cant sell your contacts to another business.

meanwhile firms are apparently storing email and voicemail in CRM systems, with little hope of being able to conform to rights set out in Articles 12-23. not a poke any one, from my dealings with GDPR this si he area people are failing with, no systems of processes to apply these rights, and the additional workload and systems to do so are rather burdensome.

 

[Audax]

i dont see it that way. its part of legitimate business to call up clients. Art 5 starts "Personal data shall be .. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"; and Art 6 says processing is lawful if "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract". so the intending meaning is that personal information given freely for business purpose, i.e. follow up sales leads. only if that article 6 clause (and a half dozen others) doesnt apply does consent need to be given. i.e. cant sell your contacts to another business.

I think you need to read the rest of my post then. I talked around it a fair bit, but where I got to was that *if* the follow up call in 6 months can be described as legitimately related to the original purchase, then it'd (probably) be ok. But I think it's a massive grey space because in a lot of cases (unless the original purchase is a subscription), the original purchase will be "contract completed" and thus Art 6 and any permissions associated with it will no longer apply (unless explicit permission has been granted for ongoing use beyond the initial contract). Or if the data was originally supplied for the explicit purposes of sales leads, then it'd obviously be fine. I'm not sure how clear that needs to be - might get away with just putting it in the Privacy Policy, but the PP itself must be clearly referenced at the point the data is gathered.

But, as an example, if I bought a 10kg bag of cat food from Random Company A on Amazon, I *would not* accept that GDPR then allows that company to contact me with a follow up sales lead *unless* my explicit permission was sought at the original sale. IMO the contract for the initial purchase is complete once I've paid for and received the bag of cat food, and unless I've given explicit permission to further contact I'm not going to accept "but you paid for cat food from us 6 months ago" as an excuse for calling me up out of the blue to ask if I want to buy more.

On the flip side, if I was a builder and always bought my supplies from Supplier A with whom I have a continuous, ongoing, relationship then I would accept that GDPR rules would (probably) allow them to call me up to check if I need to make a new bulk purchase of bags of concrete mix.

So realistically, the answer here is "depends on the specifics of the situation" on this one.

 

[Audax]

According to the ICO documentation you are able to market your products to customers who have purchased before under what is known as the soft opt in. This is based on the fact that the customer may well be interested in similar products or services. This also applies to customers that haven’t previously purchased but have been provided with a quote or shown an interest in a product or service you sell

Yep, gone and checked and you're correct. But the soft-opt-in rules have been tightened and are actually impacted by other rules within GDPR and PECR. The soft opt in guidance states clearly that you can only use the soft opt in if the customer was given a clear option to opt out at the point of data collection. But elsewhere in GDPR and PECR it's stipulated that those options cannot default to the "opt in" selection anymore - they must default to opt-out, and the customer explicitly choose to opt-in through a positive action. That essentially means the "soft opt in" is pointless for all intents and purposes, as by meeting the requirements for the soft opt in you've also had to meet the requirements for gaining explicit consent.

 

[beorhthelm]

But, as an example, if I bought a 10kg bag of cat food from Random Company A on Amazon, I *would not* accept that GDPR then allows that company to contact me with a follow up sales lead *unless* my explicit permission was sought at the original sale. IMO the contract for the initial purchase is complete once I've paid for and received the bag of cat food, and unless I've given explicit permission to further contact I'm not going to accept "but you paid for cat food from us 6 months ago" as an excuse for calling me up out of the blue to ask if I want to buy more.

getting subjective, seems like a legitmate purpose to followup with a customer. the guidance i've read certainly says the intended purpose of the legislation is not to break normal customer relations, though seems from this thread that guidance is either misplaced or not being widely followed. too much focus on "contact".
i was also going to make same point about putting permission in privacy policy as this looks likely way to cover one legally.

 

[DavidRyder]

Perfect time for scammers to send out emails with a 'click here' etc on, as most people probably lose track of what they signed up to. I'm just going to bin them.

 

[Audax]

getting subjective, seems like a legitmate purpose to followup with a customer. the guidance i've read certainly says the intended purpose of the legislation is not to break normal customer relations, though seems from this thread that guidance is either misplaced or not being widely followed. too much focus on "contact".
i was also going to make same point about putting permission in privacy policy as this looks likely way to cover one legally.

Depends on the follow up. If it's a follow up to confirm the initial delivery arrived safely and the cat food was satisfactory for the purpose it was bought for, then yeah that's fine. If it's a follow up 6 months later to ask if I want to buy another bag, then it starts getting a lot more tenuous *unless* I have an established history of placing orders every 6 months, in which case it becomes more relevant - especially if it's in the context of making the future purchase easier.

I suspect there's a fair few areas of the new rules where companies are going to "play it safe" until they get comfortable and see how the ICO handles enforcement, and this is one area where I think playing it safe would be the smart thing to do.

 

[TheJasperCo]

Are charities included? Will these laws still apply after Brexit?

 

[Springal]

Are charities included? Will these laws still apply after Brexit?

Yes & Yes

 

[marcos3263]

So I am not allowed to go home and talk about my day with as that will breach GDPR rules unless I am very vague (which is hard to talk about things if you cant mention any details or the actual point of the story) I cant use my mobile phone for work emails anymore as although it has finger print access my wife knows my PIN (and I would rather her trust me than change my PIN for a new bollocky rule)
We have to always clear desks etc whenever we leave them not just end of day which means already I spend a silly amount of time looking for something that should have just been just there.
We shred everything now which seems just really dishonest.
Basically a right pain in the bum although if it stops cold calling its a win.

 

[timbha]

So I am not allowed to go home and talk about my day with as that will breach GDPR rules unless I am very vague (which is hard to talk about things if you cant mention any details or the actual point of the story) I cant use my mobile phone for work emails anymore as although it has finger print access my wife knows my PIN (and I would rather her trust me than change my PIN for a new bollocky rule)
We have to always clear desks etc whenever we leave them not just end of day which means already I spend a silly amount of time looking for something that should have just been just there.
We shred everything now which seems just really dishonest.
Basically a right pain in the bum although if it stops cold calling its a win.

Most of this is good practice and data security. Should be doing it anyway. Can’t blame GDPR!!

Clear desk during the day seems a bit OTT but depends on how sensitive the data is. Ask yourself, how would you like info on you to be handled?

 

[hitony]

I think when he said 'you' he meant 'your company', not 'you' personally. As you say you have to abide by your company's rules, but your company have either received poor advice or have misinterpreted the advice they've received.

As that maybe, BUT I have been with the company for 8 months, the company can and will get rid of people for not abiding by their rules and regulations, the company ARE a major national company who can and will dispose of people as and when IF you / me / they / we /us DON'T follow their rules and regulations......I am 63 years old, I still have a mortgage and other large outgoings, hence I have to carry on working till i drop, very likely!

Whilst I totally and completely DISAGREE with what I was told at this meeting, I am far from in a position to take them on in ANY legal or moral or whatever else style jargon anyone wants to use....so........I will HAVE to abide by their ignorant / miss informed / crap stupid WRONG rules on the basis I really need to pay my mortgage on a monthly basis! like many people in this country I am a month away from technically being homeless, at 63 I would rather do as they say however miss informed they maybe.

This reply is not meant at you personally, sorry if it reads like that, it is not, that I promise.

 

[timbha]

As that maybe, BUT I have been with the company for 8 months, the company can and will get rid of people for not abiding by their rules and regulations, the company ARE a major national company who can and will dispose of people as and when IF you / me / they / we /us DON'T follow their rules and regulations......I am 63 years old, I still have a mortgage and other large outgoings, hence I have to carry on working till i drop, very likely!

Whilst I totally and completely DISAGREE with what I was told at this meeting, I am far from in a position to take them on in ANY legal or moral or whatever else style jargon anyone wants to use....so........I will HAVE to abide by their ignorant / miss informed / crap stupid WRONG rules on the basis I really need to pay my mortgage on a monthly basis! like many people in this country I am a month away from technically being homeless, at 63 I would rather do as they say however miss informed they maybe.

This reply is not meant at you personally, sorry if it reads like that, it is not, that I promise.

I don’t blame you!! To cover your back I would make sure I kept copies of emails, training notes, etc in a safe place.

 

[Cheshire Cat]

Apparently I have to document and list the contents of the10s of thousands emails, spreadsheet and word documents I have lying around on my networks. I can't delete them. Those I want to delete I have to move to a special drive, and somebody else is supposed to analyse those I think should be deleted, decide on my behalf, and delete them for me.

Whether this is what is actually required or not is immaterial - it is unworkable and complete bollocks. I may just "accidently" delete everything, and when somebody wants a copy of an e-mail from 5 years ago (as they did yesterday), I will tell them where they have stuck it.

 

[thedonkeycentrehalf]

Apparently I have to document and list the contents of the10s of thousands emails, spreadsheet and word documents I have lying around on my networks. I can't delete them. Those I want to delete I have to move to a special drive, and somebody else is supposed to analyse those I think should be deleted, decide on my behalf, and delete them for me.

Whether this is what is actually required or not is immaterial - it is unworkable and complete bollocks. I may just "accidently" delete everything, and when somebody wants a copy of an e-mail from 5 years ago (as they did yesterday), I will tell them where they have stuck it.

There is a difference between structured data and unstructured data. Spreadsheets used for processing data do need to be recorded. Generally, emails are classed as unstructured data and therefore you wouldn't have to record them.

 

[Cheshire Cat]

As that maybe, BUT I have been with the company for 8 months, the company can and will get rid of people for not abiding by their rules and regulations, the company ARE a major national company who can and will dispose of people as and when IF you / me / they / we /us DON'T follow their rules and regulations......I am 63 years old, I still have a mortgage and other large outgoings, hence I have to carry on working till i drop, very likely!

Whilst I totally and completely DISAGREE with what I was told at this meeting, I am far from in a position to take them on in ANY legal or moral or whatever else style jargon anyone wants to use....so........I will HAVE to abide by their ignorant / miss informed / crap stupid WRONG rules on the basis I really need to pay my mortgage on a monthly basis! like many people in this country I am a month away from technically being homeless, at 63 I would rather do as they say however miss informed they maybe.

This reply is not meant at you personally, sorry if it reads like that, it is not, that I promise.

You really do need to go and have a lie down.

 

[darkwolf666]

As that maybe, BUT I have been with the company for 8 months, the company can and will get rid of people for not abiding by their rules and regulations, the company ARE a major national company who can and will dispose of people as and when IF you / me / they / we /us DON'T follow their rules and regulations......I am 63 years old, I still have a mortgage and other large outgoings, hence I have to carry on working till i drop, very likely!

Whilst I totally and completely DISAGREE with what I was told at this meeting, I am far from in a position to take them on in ANY legal or moral or whatever else style jargon anyone wants to use....so........I will HAVE to abide by their ignorant / miss informed / crap stupid WRONG rules on the basis I really need to pay my mortgage on a monthly basis! like many people in this country I am a month away from technically being homeless, at 63 I would rather do as they say however miss informed they maybe.

This reply is not meant at you personally, sorry if it reads like that, it is not, that I promise.

To be a pedant, and lighten the mood, can I just point out it is misinformed.