By Colonel Panic
#1612608
We run a small "business" with perhaps 15-20 users of a DIY stabling venture, & 2-3 house tenants. All done through an unincorporated entity (but ultimately on behalf of a family Trust). We hold names, addresses, email addresses, phone numbers, horse names & vet details on a computer. Very much an excel spreadsheet & Apple Contacts sort of thing; no bespoke or complicated software.

Do we need to do anything re: GDPR, and if so does anyone have a good source explaining exactly what we need to do - bearing in mind the size & (lack of) complexity?

TIA
By dhs
#1612609
I'll find you some pointers later, but v. briefly:-

1. Write down what data you hold (you've done that above).
2. Add to it, the list of things (purposes, in GDPR-speak) that you want to use the data for. That's roughly your privacy statement.
3. Determine what 'lawful basis' you are using to legitimise processing the data: 'performance of a contract' and 'controller's legitimate interests' are the most likely candidates.
4. Is the data 'proportionate' (not excessive) for the task? Does it infringe 'the rights and freedoms' of the data subject? Assuming no, proceed to the next step.
5. Keep the personal data up-to-date, safe and 'secure'.
By TopCat
#1612610
If you already have a relationship whereby you provide services to them, then you probably have a 'Legitimate Interest' in keeping and processing their details.

'Legitimate Interests' is one perfectly acceptable means of complying with GDPR.

However, I'd suggest a careful read of this ICO article about Legitimate Interests.

It's quite readable.

There's also this three part test, which is a fairly straightforward way of determining if you'll be ok complying on the basis of Legitimate Interests.
By rikur_
#1612613
I agree with the previous posts, just to add the ICO guidance is generally pretty readable - I'd suggest that you start here https://ico.org.uk/for-organisations/gu ... tion-gdpr/ and their blogs are quite helpful at busting myths: https://iconewsblog.org.uk/2017/08/09/g ... e-fiction/

Also worth adding that the ICO have been pointing out that they see GDPR compliance as a journey and they're not going to be out closing business down next week for not being perfect.
By avtur3
#1613163
Slight twist on the original thread: over the last week or so I've received many emails from big organisations about GDPR, and there appear to be two different approaches. Some say that regardless of what I've signed up to previously, I must actively opt in to remain in contact. Others say "we must tell you about GDPR, but you need do nothing more."

Is this reflective of big business not understanding (or different IT folks making different interpretations of) GDPR or is there perhaps something subtly different about the way I originally signed up to these organisations that warrants the different approach :?:
By dhs
#1613779
johnm wrote:It's mostly interpretation of subtleties :D :D

There's nothing subtle about it: it's galactic levels of stupidity, incompetence, laziness and blind panic, not helped by both 'the media' and other people, who should know better, spouting drivel, based mostly on the appearance of the word "consent" a few times in the Regulation.

See, for example, the excellent Jon Baines, https://informationrightsandwrongs.com
By TopCat
#1613813
avtur3 wrote:Is this reflective of big business not understanding (or different IT folks making different interpretations of) GDPR or is there perhaps something subtly different about the way I originally signed up to these organisations that warrants the different approach :?:

I would guess the former, in many cases.

There is an unbelievable amount of misunderstanding and misinformation about GDPR. Much of it is caused, AFAICT, by lawyers and 'consultants' whose main interest is the fees they can milk it for.

I have nearly 70 clients, all of whom are data controllers, and the vast majority of whom would IMHO be absolutely fine using Legitimate Interests to comply with GDPR (and all for the same reasons). With all the standard caveats, obviously, about transparency, documented processes, and giving people the right to withdraw if they wish.

Yet some have opted for consent, for no good reason other than the lawyers told them (without rational explanation other than 'caution') they must; some have had so much conflicting advice that they've put off doing anything until very recently, finally choosing Legitimate Interests as a backstop; some have attempted (until I suggested otherwise) a potentially disastrous half way house, claiming Legitimate Interests but seeking consent as well.

The whole thing has been a complete mess so far. It's been compounded by the fact that until relatively recently the ICO guidance was not all that clear and/or easy to find, and the media and so-called experts have often been either plain wrong, or have focused on the wrong things - like the potentially enormous penalties for non-compliance, which only puts the frighteners on everyone.

I really hope it all simmers down, but I fear it's got a way to go yet.
By dhs
#1613829
TopCat puts it far more eloquently than I.

It is undoubtedly true that while the ICO has been warning businesses to get ready for GDPR, its own provision of good quality guidance has been tardy at best. It is also unhelpful that the UK DPA 2018 (which writes the GDPR into UK domestic law) says in Part 1 clause (2)(1)(a) : "requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis", implying that "consent" is somehow better or preferable to "another specified basis" -- which it isn't.

Many, understandably confused, businesses have heard the consent mantra being endlessly repeated, and have gone "stuff it, we'll just get consent -- whether that's the right thing to do or not -- and hope that it's our trump card if anybody asks", not realising that consent may be just as easily withdrawn as given; at which point any business relying on consent for processing, when they should have been using 'performance of a contract' or LI, are stuffed... :-/
By MercianMarcus
#1614125
My partner's pilates instructor sent an opt-in request as opt-in was "required" before she could send out the timetable of classes to her customers.
By TopCat
#1614142
MercianMarcus wrote:My partner's pilates instructor sent an opt-in request as opt-in was "required" before she could send out the timetable of classes to her customers.

One of the most obvious cases you could imagine of Legitimate Interests being perfectly fine.

It's not at all uncommon. I'd guess either freaked out by the publicity, or very very badly advised.

The trouble with consent is that there are all sorts of reasons someone might not click a link in an email. Busy, delete the email unopened, don't read it if they open it, don't understand if they do read it, get distracted, bad mood that morning... the list is endless.

The risk is that a small business might have so few recorded consents, that they go bust before waking up and realising that they could comply perfectly well by doing almost nothing at all (subject to caveats I mentioned above).
By defcribed
#1614302
Caused the same way as most misunderstandings of regulations.

Someone who doesn't know what they're talking about says "you have to do X". People then believe them, despite the fact that a quick glance at the regulations tells you that nothing of the sort is required.

If you want to see this go really out of control, try getting involved in organising a Charity Soap Box Derby on a public highway in a small village. Any number of 'experts' will tell you that various things are definitely required (road closures, high-vis, risk assessments, insurance, marshals, St John's Ambulance) because........ well........ they just know that the law definitely requires them!

Additional fun can be had by asking these experts things like who will hold the insurance policy, and under what authority will your marshals make the residents move their cars off the road?
#1614316
defcribed wrote:...despite the fact that a quick glance at the regulations tells you that nothing of the sort is required....

Not sure I agree with that. Imagine you are a micro business, then read the ICO GDPR faqs. They are not frequently asked, instead they are questions the ICO fancies answering.