"GDPR?" Topic


26 Posts




2,382 hits since 17 Apr 2018
©1994-2018 Bill Armintrout

David Manley, 18 Apr 2018 9:41 p.m. PST

Over the last few days I've been receiving a number of "opt in" messages and notifications of updates in privacy policies from websites, companies, clubs and societies whose email lists I'm on, all in preparation for the introduction of the EU's GDPR data protection regs next month.

Until yesterday these were exclusively from entities hosted in the EU, but in the last 24 hours I've started to get a load from the US as well and not just from large companies. Will TMP be going through a GDPR-proofing exercise?

parrskool, 19 Apr 2018 12:33 a.m. PST

… and does this apply to individuals who mail to their clubs?

Giles the Zog, 19 Apr 2018 2:20 a.m. PST

With my councillor's hat on, I attended a GDPR training course last week, so know that commercial and government organisations are covered by the legislation.

Holding e-mails in particular is a key point, so I would assume that either the US has enacted similar legislation, or US companies are playing safe, as the potential fines for misuse of such personal information could be steep.

With my other hat on, as deputy chair of the village hall I am also tracking down what the GDPR legislation means for us (a small charity). So far the guidance is that it is not clear, but the ICO will not be aggressively pursuing us yet.

Therefore I have advised our management committee best to play safe, back up all our data, not distribute it to anyone etc, and ensure that it is minuted we are taking steps to comply with the legislation and monitor the advice being given as to what we should do. The hall is lucky as the lease is held by my council, who delegate control to the management committee, and we should be covered by the council for a DPO.

Therefore, if you do have a club that keeps records of members' e-mails, telephone numbers etc., and handles financial contributions, best to have a meeting that is minuted and states you will keep an eye on developments. I would also advise that you start using BCC a lot more, and that the full list is held only by a single named individual (backed up) who is the Data Processing Clerk.

I have a leaflet of information if people want to PM me. Similarly, for those who really do a lot of financial stuff, my clerk has soft copies of relevant policies, templates for letters etc.

Please note, the value of this advice is worth what you paid me for it. ;-)

Cacique Caribe, 19 Apr 2018 3:14 a.m. PST

Giles

Is this it?

PDF link
link

Dan

Giles the Zog, 19 Apr 2018 3:21 a.m. PST

I have a different one, but most of that pamphlet is good (it's obviously a marketing one).

I note that it is of US origin (a Nasdaq-quoted company), so it will be slightly different to the origins I have for UK stuff.

It is worth noting the punch line at the end of the first page:

GDPR is applicable even if your organization is not in the EU. As long as an organization processes EU citizens' data, it should abide by the text of the regulation.

Obviously, being in the EU, the training and material I have is still more orientated to the UK and other EU countries.

Giles the Zog, 19 Apr 2018 3:33 a.m. PST

Just noticed your second link, which is more comprehensive.

My advice, for what it is worth, is to err on the side of caution and get it minuted or written down that you are chasing up the implications of GDPR.

But I would not be unduly alarmed; any organisation worth its salt should already be following DPA regs, basic IT procedures such as IT backup, and regular data cleansing.

One of the pieces of advice received was, if you are using a personal computer, to ensure all relevant e-mails and info are kept in separate folder(s), so that if you move on, or need to find data that needs to be deleted or amended, it makes it simple.

etotheipi, Sponsoring Member of TMP, 19 Apr 2018 3:36 a.m. PST

GDPR is applicable even if your organization is not in the EU. As long as an organization processes EU citizens' data, it should abide by the text of the regulation.

Which is, of course, complete garbage.

Large companies outside the EU will do whatever they have to in order not to be mentioned in the press.

Stryderg, 19 Apr 2018 5:22 a.m. PST

First off, I'm not an international business lawyer. Good, that's out of the way.

So a small company operating in Cuba has a customer in Germany and collects that customer's email address. The Cuban company is now subject to EU regulations? I see a bunch of worms in a can and it seems to be open.

robert piepenbrink, Supporting Member of TMP, 19 Apr 2018 5:43 a.m. PST

So, not the German Democratic People's Republic, then. But someone with a similar notion of state power.

MajorB, 19 Apr 2018 7:04 a.m. PST

GDPR is applicable even if your organization is not in the EU. As long as an organization processes EU citizens' data, it should abide by the text of the regulation.

Which is, of course, complete garbage.

Sadly, perhaps, it isn't. An EU resident data subject can lodge a complaint with their local supervisory authority against any company in the world that is handling their personal data.

MajorB, 19 Apr 2018 7:05 a.m. PST

Will TMP be going through a GDPR-proofing exercise?

What personal data does TMP hold about EU resident data subjects?

Giles the Zog, 19 Apr 2018 7:36 a.m. PST

What personal data does TMP hold about EU resident data subjects?

E-mail details.
And if they are a supporting member potentially bank details or that they have a PayPal account.

Giles the Zog, 19 Apr 2018 7:40 a.m. PST

So a small company operating in Cuba has a customer in Germany and collects that customer's email address. The Cuban company is now subject to EU regulations?

Again not a lawyer, but as CC's link shows, there are countries that have trade agreements with the EU that effectively mean those countries sign up to certain EU laws such as GDPR. The US is one of them apparently.

Giles the Zog, 19 Apr 2018 7:46 a.m. PST

So, not the German Democratic People's Republic, then. But someone with a similar notion of state power.

That was the DDR.

I know it's hard to think that personal information should be safeguarded.

As the training guy told us on the course, holding a list of lots of e-mails that are genuine is a gold mine for hackers, spammers and scammers, who will pay good money for such lists. Many logins use the e-mail address of clients as the first part of the logon to their websites, so the hackers are halfway there if they can get this data. Then all they need to do is run their automated bot programmes for a few hours and brute force will get them in. That's if they don't simply use the accounts to spam the victims – one council clerk had their account spammed 18,000 times in one day. Hopefully their delete key didn't get broken…

Editor in Chief Bill, The Editor of TMP Fezian, 19 Apr 2018 7:52 a.m. PST

It appears that TMP is already in compliance.

MajorB, 20 Apr 2018 1:50 p.m. PST

It appears that TMP is already in compliance.

Where is the Privacy Notice then?

Editor in Chief Bill, The Editor of TMP Fezian, 21 Apr 2018 12:11 a.m. PST

Where is the Privacy Notice then?

Check the site FAQ.

Editor in Chief Bill, The Editor of TMP Fezian, 21 Apr 2018 10:19 a.m. PST

The GDPR website is unclear as to whether the GDPR protects EU citizens or simply EU residents.

Potentially, someone would have to provide proof of citizenship (or residency) before claiming these protections.

It seems ironic that someone would need to give away more of their privacy in order to claim these privacy protections.

Then, would a company be obligated to keep the GDPR request and the verification records to prove they were compliant with the GDPR? It seems this law does more harm than good.

Giles the Zog, 22 Apr 2018 8:54 a.m. PST

The claims to privacy and evidence would be done via the courts, who would naturally keep such evidence private. Whether the complainant is an EU citizen or not would similarly be a matter for the court and judicial process.

So it's really a case as to whether a company or organisation wants to have a long, drawn-out court case and associated costs (financial and reputational) or not.

Having spent Friday evening visiting a crop pickers' camp of 280 or so people whose nationalities vary greatly (daily/monthly/annually), I would not like to bet my council's money on verifying which of them are EU residents, or citizens etc. It's not worth the time or money.

There are always downsides and unintended consequences to most legislation.

deephorse, 24 Apr 2018 5:25 a.m. PST

The GDPR website is unclear as to whether the GDPR protects EU citizens or simply EU residents.

It is quite clear. It applies to people who are 'in' the EU at the time that their data is processed. It also applies to EU citizens that are outside the EU who have their data processed by an organisation with a base in the EU at the time of that processing.

Potentially, someone would have to provide proof of citizenship (or residency) before claiming these protections.

It seems ironic that someone would need to give away more of their privacy in order to claim these privacy protections.

As with any attempt to make a claim/complaint to a statutory authority, you are going to have to give that authority details of who you are etc. They are not going to investigate a breach of your data protection rights if they don't know who you are or where you live. Hardly ironic.

deephorse, 24 Apr 2018 5:32 a.m. PST

The claims to privacy and evidence would be done via the courts, who would naturally keep such evidence private. Whether the complainant is an EU citizen or not would similarly be a matter for the court and judicial process.

It is more than likely that any privacy breaches etc. would be dealt with outside of the court system, at least in the UK. The Information Commissioner's Office has powers to advise, warn, reprimand, demand enforcement action and issue fines.

As an aside, in the UK the vast majority of court cases are heard in 'open court' and so nothing is kept secret there.

Having spent Friday evening visiting a crop pickers' camp of 280 or so people whose nationalities vary greatly (daily/monthly/annually), I would not like to bet my council's money on verifying which of them are EU residents, or citizens etc. It's not worth the time or money.

Since all these people are living in a crop pickers' camp in the UK, it is quite clear that all of them are EU resident at this time. Nationality is irrelevant.

Editor in Chief Bill, The Editor of TMP Fezian, 25 Apr 2018 4:18 a.m. PST

"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy."

eugdpr.org

deephorse, 25 Apr 2018 12:51 p.m. PST

Yet once you read beyond the opening screen you will discover that the GDPR serves to protect the privacy of data subjects IN the EU. Legal commentators admit that there is some ambiguity in the wording of the GDPR, but several advise that to play safe it would be wise to assume that it serves to protect people in the EU and not just EU citizens.

A problem for any data processor thinking that this will not affect them is that enforcement is delegated to the various national statutory authorities. I understand that the Germans in particular are quite keen to protect their data subjects' privacy. Any data processor with 'clients' in more than one EU country could find themselves being pursued by several statutory authorities if they are in breach of the regulations.

Editor in Chief Bill, The Editor of TMP Fezian, 25 Apr 2018 8:32 p.m. PST

Looks like people in the UK won't fall under the GDPR due to Brexit. There is also a question about EU citizens who are abroad.

Fortunately, TMP doesn't collect much in the way of personal information.

deephorse, 25 Apr 2018 10:48 p.m. PST

There is a need to keep abreast of Brexit in relation to this matter. The UK is transitioning EU law into UK law, and talk is that GDPR will be no different. Whilst the new regulations will no doubt not be called GDPR, you can rest assured that they will be the same in terms of protections.

Clearly TMP is a data processor of both EU citizens and EU residents and should therefore take steps to meet the GDPR requirements.

Fortunately, TMP doesn't collect much in the way of personal information.

If you have our e-mail and IP addresses and you store that information, then that is sufficient. The amount of data kept is irrelevant.

Red358427 May 2018 5:10 a.m. PST

"Looks like people in the UK won't fall under the GDPR due to Brexit"

No, people in the UK definitely do fall under GDPR regulations (and so will TMP).
