Consent, datasets and avoiding a visit from the information commissioner

Big data has been branded as - we're throwing up in our mouths as we say this – the "oil" of what has annoyingly become known as the "fourth industrial revolution."* Strip that down, and we're in part talking about the way individuals' data is used to knit new, virtual businesses. It's the basis of the app economy and …

  1. Chronos

    Have you seen the credit reference parasites' answer to this?

    CRAIN: A long document that simply says, in garbled legal-speak, "4Q, peasant, we do Important Stuff™ and we'll just continue to do whatever we like."

    It will be interesting to see how long this particular stance can withstand millions of disaffected people who are fed up with these companies and their entitled viewpoint.

    1. Aladdin Sane

      Re: Have you seen the credit reference parasites' answer to this?

      What do you propose as an alternative to credit reference agencies?

      1. Chronos

        Re: Have you seen the credit reference parasites' answer to this?

        What do you propose as an alternative to credit reference agencies?

        Why do you think we need an alternative? The root of this Big Data mess we're in right now stems from the total inability of some people to mind their own sodding business coupled with the overwhelming desire of some people, whom I describe as compulsive consumers, to obtain things they don't need with money they don't have. Really good for The Economy®, piss-poor for anyone worth less than seven figures.

        We're frittering our privacy and our futures away for a few shiny trinkets. The last time people accepted this, the entire population of a continent was almost wiped out by smallpox contained within those trinkets while losing their autonomy and ancestral lands to a bunch of invading Europeans who, while less in numbers, were technologically superior. While this may not have such dramatic effects, it's still not sustainable and the parallels are clear.

        1. Aladdin Sane

          Re: Have you seen the credit reference parasites' answer to this?

          So you'd prefer things like mortgages to be provided based on an individual's firm handshake and steady gaze?

          1. Chronos

            Re: Have you seen the credit reference parasites' answer to this?

            Payslips, employment status and all the other metrics that worked just fine before Big Data came along and took informed consent away. The fact that you still want to sell loans to people does not justify this massive, uncontrolled and invasive gathering of data on everyone. In fact, it's more like a protection racket than a business. Nice credit rating you have there. It would be a shame if something fucked it up, eh? Buy this monitoring service to keep an eye on our balls-ups that could cost you dearly...

            On that note, there should also be a duty to inform whenever a financial or other institution sends or requests data from one of these places. Relying on a subject access request to find out what lies they've collected, who you're linked with, how bad the fallout from the identity theft incident four years ago was and what addresses they've decided you're liable for the debts therefrom without any oversight is not acceptable. It's very much like having to go cap-in-hand to Crapita every two years when you don't need a TV licence to prevent them pestering the hell out of you.

            In other news, it's going to be fun watching the card issuing biggies deal with GDPR. So, Visa, how do you use that purchase history data these days?

            1. Doctor Syntax Silver badge

              Re: Have you seen the credit reference parasites' answer to this?

              "In other news, it's going to be fun watching the card issuing biggies deal with GDPR."

              Another one I'd like to find out about is PayPal. I discovered that they send the buyer's email address to the vendor. I discovered it because one vendor discovered in no uncertain terms that I don't like being spammed. I had to go through the trouble of changing my PayPal email address.

              This is stupid beyond the spam issue. The email address is also half of the login credentials. That alone is more than sufficient reason not to pass it on.

              If the vendor needs, or thinks they need, an email address I'll give them one. Unless I anticipate giving them repeat business it'll be a short-lived address and even shorter lived if they spam me. And if I do anticipate repeat business the most effective way for them to forgo that is to spam in which case that email address will also be short-lived.

              So far I haven't seen any request from PayPal for permission to continue doing this although, of course, it's possible that they've stopped doing it.

      2. Nonymous Crowd Nerd

        Re: Have you seen the credit reference parasites' answer to this?

        "What do you propose as an alternative to credit reference agencies?"

        The world somehow turned before there were credit reference agencies didn't it? They aren't that magical. What they enable in essence is lending without face to face contact - without trust in other words. Look, for instance, at the world conjured up by the Nationwide advert of a family in the 1880s getting a mortgage for their first house for 6 bob a week (30p in new money). I don't think any credit reference agency was involved there, was it?

        1. Anonymous Coward

          Re: Have you seen the credit reference parasites' answer to this?

          As someone who (in the distant past) tried to get lies corrected - specifically a mobile provider (the one with a colourful name of a fruit) falsely claiming that I owed them money because they couldn't put the same tariff info into their billing system as they put in their ads, and were totally incapable of understanding the problem - I look forward to the new powers the GDPR will bring. In the past the reference agencies simply refused to post my note stating why the accusation of debt was false, claiming it was defamatory. So they basically accept at face value anything told to them by the lying scumbag business, but refused point blank to post anything suggesting that these lies could be just that - lies.

          Nearly lost me a house purchase a few years later :-(

    2. Anonymous Coward

      GDPR Nirvana versus reality

      The reality of the GDPR is that there will just be a whole load more terms and conditions attached to every website and every agreement that no one will ever read, at least past page 97.

      The same as the EU Cookie Law, loaded with good intentions but the actual result is just a rather pointless click through message on most websites.

      And around page 390 it will say something like "please note that if you withdraw consent for data about you to be processed by ourselves and the people we have flogged it to, and the people they have flogged it on to, it may take up to a millennium for this to be actioned". I paraphrase, of course, as it will all be in the most impenetrable legalese.

      1. Doctor Syntax Silver badge

        Re: GDPR Nirvana versus reality

        "The reality of the GDPR is that there will just be a whole load more terms and conditions attached to every website and every agreement that no one will ever read, at least past page 97."

        How many times do we have to explain it? You can't add data-slurping to provision of whatever it is that you're selling on a take it or leave it basis and attempting to do so is one of the behaviours that brings the top tier of fines.

        1. Adam 52 Silver badge

          Re: GDPR Nirvana versus reality

          "You can't add data-slurping to provision of whatever it is that you're selling on a take it or leave it basis"

          It's not as simple as that. For example if I run a pub and I want to count the number of beers you've bought so that I can charge you the right amount for your tab, I can. You can't withdraw consent for that and still expect to be served.

          1. Chronos

            Re: GDPR Nirvana versus reality

            It's not as simple as that. For example if I run a pub and I want to count the number of beers you've bought so that I can charge you the right amount for your tab, I can. You can't withdraw consent for that and still expect to be served.

            Quite, but by the same token I wouldn't expect you to follow me around town totting up the number of pints I have at other pubs, either. We also have a choice, to drink elsewhere where you can pay for a round as you get it at the bar with anonymous cash money. If you try to process the data on those transactions, especially around here, you'd probably end up taking your next meal through a straw and shoving your toothbrush up your arse in the morning as that's where your teeth now reside.

            The CRAs don't limit their slurpage. You don't have a choice. This is what we're hoping the GDPR rectifies - and not just with the CRAs.

  2. Ian McLaughlin

    "In the GDPR world we'll all be living in after 25 May, it's simple: if the data controller tells a third-party data processor (to which it has provided data) that consent no longer exists for the party to hold that data and to delete it, then they have to do it. And as long as the controller made reasonable efforts to ensure that this is done, it's the third party that carries the can."

    It's not that simple. You've assumed that consent is used as the basis for processing, but data processors are often engaged to form a contract between the subject and the controller e.g. a ticket sale for an event. If consent was not basis for processing, removal of consent is not applicable.

    1. Doctor Syntax Silver badge

      "data processors are often engaged to form a contract between the subject and the controller e.g. a ticket sale for an event. If consent was not basis for processing, removal of consent is not applicable."

      Once the processing for performance of the contract is over there is no ongoing basis for retaining the data. In your example there might be a basis for retaining the data until the event is over in case refunds have to be made but when that possibility has passed the entire basis for holding the data has gone. The data should then be deleted. However the entire basis for processing was performance of the contract and there is no basis in the form of consent for the ticket processing business to use the data whilst it exists for anything else such as trying to sell tickets for something else.

      1. Adam 52 Silver badge

        In English law it's possible to sue for a refund for 6 years. So there's a six year retention right there.

        See Limitation Act 1980.

  3. Doctor Syntax Silver badge

    "First, you have to make clear to the subjects where you got the data and what you're doing with it, and – most importantly – why you have the right to do what you're doing."

    Arse about face! You don't have to make it clear to the subjects where you got it. You have to make it clear to them what you want to do with it before you get it and ask them if you can have it. If they say no you can't have it. And if they change their minds subsequently you have to delete it.

    (Note the exceptions of data used for the provision of a service, etc. or statutory requirements. Of course you need a name and address for delivery of goods but you can't then presume to use it for mailshots trying to sell other stuff.)

    1. John G Imrie

      but you can't then presume to use it for mailshots trying to sell other stuff

      Does this break Amazon's recommendation system, unless they explicitly ask for your consent?

      Second thoughts, IIRC you can refuse to have your data used to promote recommendations without it affecting your ability to buy a book.

      1. Doctor Syntax Silver badge

        Re: but you can't then presume to use it for mailshots trying to sell other stuff

        "Does this break Amazon's recommendation system, unless they explicitly ask for your consent?"

        You mean the "Other people who bought what you bought also bought..."

        I'm not sure how that could possibly be any more broken than it is. Isn't it based on a random selection?

        1. Killfalcon Silver badge

          Re: but you can't then presume to use it for mailshots trying to sell other stuff

          I assume he means the (extensive) array of things on Amazon's homepage that recommends things to the logged in user based on said user's purchase, rating and viewing history. You can tailor it in a few ways, and it generally ignores items you bought as gifts for other people.

          It's legitimately useful at times - it does suggest music of the right genres, new books by authors you like, videogames on the same console, and so forth.

          I am pretty sure that you can challenge Amazon's right to process your account history in this way, mind, since it is a form of advertising. I don't see an existing option to disable it at the moment.

          As for the "others bought this..." thing... I'm with you, in that I don't know if that would fall under the GDPR but would guess not.

          1. Anonymous Coward

            Re: but you can't then presume to use it for mailshots trying to sell other stuff

            > I am pretty sure that you can challenge Amazon's right to process your account history in this way

            I expect they will "anonymize" it, e.g. "user ID 1234ABCD bought a Foo and a Bar". They will claim that the system which holds this data doesn't have the ability to convert 1234ABCD back to the original user (although some other system must have a copy of this key, so that when Fred Bloggs orders a widget it is clocked up against user ID 1234ABCD).

            There is a fine legal line here. If necessary they will ship the data (with user ID but without personal data) over to a separate legal entity which doesn't have the ability to map 1234ABCD to a personal identity, process it for recommendations, and pass the results back ("10% of users who bought Foo also bought Bar"). And then claim they are not using your personal data for recommendations.

            1. Tomato42

              Re: but you can't then presume to use it for mailshots trying to sell other stuff

              @AC: having the ability to de-anonymise the data means that it is not anonymised, so it still needs to remain protected.

  4. Pascal Monett Silver badge

    Glad to see the appropriate GDPR noises are being made

    It's a good thing that journalists are taking GDPR seriously and making the appropriate noises in the appropriate amounts. I do expect that all the hoopla is necessary and, after May, companies will not be able to say they were not aware of their obligations.

    That said, I am not expecting all that great an impact for most companies. Nobody is going to go after a customer/contacts database because if so, then every company in Europe can close shop. So most companies will wait for June, then July to see what happens and, since nothing will, there will be a collective shrug and life will go on.

    For some companies, the ones that deal with great amounts of data, there is already a flurry of activity to be sure, but I am not hearing of massive data sets being obliterated to ensure GDPR compliance. From what I hear, it's much more massaging existing data to help it squeeze through the GDPR obligations.

    Not that I hear everything, to be sure.

    Still, I have the feeling that GDPR will be wielded mostly against companies that have been caught goofing around or getting hacked. Those companies will endure the pain of an investigation which will bring to light bad goings-on and, additionally, GDPR non-compliance and they'll be hit with the fines for that.

    1. Doctor Syntax Silver badge

      Re: Glad to see the appropriate GDPR noises are being made

      "Nobody is going to go after a customer/contacts database"

      Some of us are going to do what we can to make life uncomfortable for those who don't behave.

      One that I have saved up relates to an enquiry I made a few weeks ago. The enquiry was answered but soon after there was a "rate our service" request which, in fact, came from a third party. The reply address was in the form first-party@third-party so I replied pointing out that my permission had not been given for my data (email address) to be passed to the third party, I wasn't going to click any links in a spam and I wanted my data deleted and confirmation that that had been done. The only response was a follow-up because I hadn't filled in their survey. Come GDPR day a letter will go out to the data controllers of both organisations asking them to explain themselves and pointing out the consequences if this were to happen now.

      I suspect that in many cases the data controllers don't know what others, particularly sales and marketing, are getting up to. If nothing else complaints like this are going to mean that many of the guilty get a well-deserved kicking from their data controllers.

      1. Adam 52 Silver badge

        Re: Glad to see the appropriate GDPR noises are being made

        "so I replied pointing out that my permission had not been given for my data (email address) to be passed to the third party"

        Genuine research, which "rate my service" is, is automatically lawful regardless of consent so your complaint should be rejected.

        1. Tomato42

          Re: Glad to see the appropriate GDPR noises are being made

          @Adam 52: not when it includes a 3rd party

  5. frank ly

    How does that work?

    "In the corporate world, your social feeds may be sucked into business systems to assist financial services firms looking into your financial status and habits and making decisions about whether to offer you a loan or some other product."

    If I join Facebook and make lots of posts saying I've won the lottery and have invested it wisely, will my credit rating go up?

    I'm wondering what information they trawl and how they use it.

    1. Aladdin Sane

      Re: How does that work?

      They'll see that you play the lottery and infer that you're an idiot.

      1. frank ly

        Re: How does that work?

        No, you're wrong! I have a carefully thought out system.

  6. Pen-y-gors

    Commercial relationship?

    I presume (wrongly?) that keeping details of a sale/customer remains legal, provided the data is kept safe. Does entering into a contract to develop a website for someone mean they have given you explicit agreement to remember who they are? And to send them invoices in the future for renewal?

    One good thing about GDPR - I keep getting emails now from companies asking me to confirm that they can send me mail in the future. It's so satisfying to just bin the email without confirming!

    1. Anonymous Coward

      Re: Commercial relationship?

      "One good thing about GDPR - I keep getting emails now from companies asking me to confirm that they can send me mail in the future. It's so satisfying to just bin the email without confirming!"

      So true. Obviously, I am not replying to any of them, even to ask a question, lest that be misconstrued, but some of these companies, in fact most of these companies who have my data, appear to be recruiters. It seems scraping CVs has been a very common business practice.

      I was looking at Python programming jobs yesterday, and it seems almost every junior job in Python programming requires you to do web scraping, surely that is basically illegal under GDPR?

      1. Doctor Syntax Silver badge

        Re: Commercial relationship?

        "every junior job in Python programming requires you to do web scraping, surely that is basically illegal under GDPR?"

        It depends what's being scraped. If it's personal data then yes but it does raise the question of why it's on the screen being scraped.

        1. Wensleydale Cheese

          Re: Commercial relationship?

          "It depends what's being scraped. If it's personal data then yes but it does raise the question of why it's on the screen being scraped."

          Legitimate cases of screen scraping would include getting data out of a legacy system where the original software didn't include adequate data export functionality.

          Just about any pre-relational database application I've ever come across would fall into this category when considering how many screens contain data assembled from more than one indexed file.

    2. Alister

      Re: Commercial relationship?

      I presume (wrongly?) that keeping details of a sale/customer remains legal, provided the data is kept safe.

      You presume correctly that you're wrong... :)

      For a one-off purchase, there is no legal reason to keep details of the customer, and the old practice of requiring that someone set up an account before being able to buy something will no longer be tenable.

      Does entering into a contract to develop a website for someone mean they have given you explicit agreement to remember who they are? And to send them invoices in the future for renewal?

      If you have an ongoing contract to supply both a website and future updates, then keeping the customer details on file is fine, but you mustn't use that information for any other purpose.

      1. richardcox13

        Re: Commercial relationship?

        > old practice of requiring that someone set up an account before being able to buy something will no longer be tenable.

        How? If having an account is part of the contract for the sale (i.e. "we only sell to customers who have an account") then that account is converted as part of the contractual consent.

        (Also, keeping order details around is likely to be a statutory consent because orders drive stock changes which drive accounts and keeping correct accounts is a statutory requirement.)

        Sending marketing emails is not covered, that requires an explicit consent.

        1. Doctor Syntax Silver badge

          Re: Commercial relationship?

          If having an account is part of the contract for the sale (i.e. "we only sell to customers who have an account") then that account is converted as part of the contractual consent.

          GDPR requires granularity of permissions. You can't rope an extraneous set of conditions in as a requirement of doing business. A one-off sale does not need an account. Everyday purchases in a bricks and mortar shop prove that so insisting on an account wouldn't be essential to the sale and putting it into a contract for the sale would be contrary to GDPR.

          1. Anonymous Coward

            Re: Commercial relationship?

            Not strictly true, some retail sectors / products legally require age verification, record keeping by the retailer over & above VAT, questions that consumers must answer before the product can legally be sold etc. Pharmacy is a good example. Pharmacy has a whole bunch of professional regulations and NHS contractual requirements that pharmacy business owners and staff must obey. These trump individuals' rights under GDPR.

      2. Ben Tasker

        Re: Commercial relationship?

        > For a one-off purchase, there is no legal reason to keep details of the customer, and the old practice of requiring that someone set up an account before being able to buy something will no longer be tenable.

        That's also not strictly true.

        You may need to retain the customer's details (in the form of your invoice) for tax purposes. GDPR provides for this with Section 6(1)(c) Compliance with a Legal Obligation.

        Course, you need to actually show that you are obliged, but the user/customer can also not withdraw consent (as it's not held/processed on the basis of consent for this). They can still ask you to provide details of everything you've got stored for them.

        But the details you'd be holding should, at most, be those that are essential for the invoice and nothing more. And you can't then scrape data off your invoices and go off and send marketing emails as that's processing for a purpose other than that stated.

        1. Doctor Syntax Silver badge

          Re: Commercial relationship?

          > For a one-off purchase, there is no legal reason to keep details of the customer, and the old practice of requiring that someone set up an account before being able to buy something will no longer be tenable.

          That's also not strictly true.

          You may need to retain the customer's details (in the form of your invoice) for tax purposes. GDPR provides for this with Section 6(1)(c) Compliance with a Legal Obligation.

          That's rather a different situation than insisting on the customer setting up an account with a login ID and password and holding all sorts of information against it "so as to make your purchases easier next time". It's liable to mean that they want to hold payment methods such as card number/expiry date/security number. The card number might reasonably be held as long as the distance selling cooling off period. If I only want a one-off purchase I don't want any of it held longer than the length of time it takes to go through. As to the user name and password making hypothetical repeat purchases easier, it's quite easy, and preferable, to enter my name and address again as opposed to either setting up a unique set of credentials and then looking them up again or giving some generic credentials which will be usable elsewhere should their site leak.

      3. Doctor Syntax Silver badge

        Re: Commercial relationship?

        "For a one-off purchase, there is no legal reason to keep details of the customer, and the old practice of requiring that someone set up an account before being able to buy something will no longer be tenable."

        Several different issues here. You may need an audit trail for the VAT man even for the one-off purchase or to verify possible warranty claims. In the context of the original query then there's also the implication of an on-going business relationship if, for instance, the website development includes hosting arrangements or software which requires periodic licence payments.

        OTOH the set up an account sites are going to be in trouble.

        1. Wensleydale Cheese

          Re: Commercial relationship?

          "You may need an audit trail for the VAT man even for the one-off purchase or to verify possible warranty claims. "

          It's many years since I read the UK VAT Handbook, but there was a requirement (often not followed by retailers) to record the name and address of the purchaser for goods over a specified value (was £100 back in the '80s). Then there are tellies, purchase of which demands a name and address for TV Licensing purposes.

      4. Anonymous Coward

        Re: Commercial relationship?

        "For a one-off purchase, there is no legal reason to keep details of the customer,"

        Wrong. You still have the right to retain the details of the sale and the customer details for a set period. This is a legitimate business reason. If you destroyed all records of sale and customer details, how would you handle warranties, returns, recalls etc.?

        However you can't simply say Oh, we'll pass this on to company XYZ as they may be interested. Nor could you keep the records if the customer asks you to remove them.

        1. Alister

          Re: Commercial relationship?

          You still have the right to retain the details of the sale and the customer details for a set period.

          Wrong, you have no rights to any customer details, just purchase time, date and amount.

          If you destroyed all records of sale and customer details, how would you handle warranties, returns, recalls etc.?

          Erm, in exactly the same way as bricks-and-mortar shops do. Unless the purchaser gives you their details for a warranty claim, you have no records except of a sale for an amount on a day and time, no personal info at all.

          1. Doctor Syntax Silver badge

            Re: Commercial relationship?

            "Erm, in exactly the same way as bricks-and-mortar shops do."

            Not quite. Bricks and mortar shops aren't subject to the distance selling regulations. If you're subject to those you may have a good basis for retaining the minimum info needed to make a refund to the card used for the purchase. Also, if the bricks and mortar shop is selling on a pick it up and take it away basis they don't need a delivery address.

      5. Anonymous Coward

        Re: Commercial relationship?

        > For a one-off purchase, there is no legal reason to keep details of the customer

        I can think of some, for physical goods at least:

        - items may be subject to product recall by the manufacturer

        - the Sale of Goods Act may require the seller to repair or exchange up to 6 years after sale. I would presume the seller is entitled to keep their own records to confirm whether a purchase took place or not? Or is the onus on (a) the consumer to keep the receipt, and (b) the seller to accept whatever proof of purchase they present?

      6. Wensleydale Cheese

        Re: Commercial relationship?

        "For a one-off purchase, there is no legal reason to keep details of the customer, and the old practice of requiring that someone set up an account before being able to buy something will no longer be tenable."

        Interestingly, I came across a website yesterday which allows purchases to be made as "a guest", no account creation required. It was a refreshing change.

        Prompted by GDPR or simply a way of making one-off purchases easier, I know not, but it definitely makes a one-off purchase less hassle.

        They also offered account creation for those who want things like purchase history, monthly statements etc, but the guest option was offered first.

    3. Doctor Syntax Silver badge

      Re: Commercial relationship?

      "I presume (wrongly?) that keeping details of a sale/customer remains legal, provided the data is kept safe. Does entering into a contract to develop a website for someone mean they have given you explicit agreement to remember who they are?"

      Keeping what's necessary and using it for what's necessary is legal.

      You may need their business address, you don't need their home address, their age, their spouse's name or their children's names - unless they want that as content on the site.

      Although you need their business address that doesn't mean you can also sell it to a double-glazing salesman.

    4. Anonymous Coward

      Re: Commercial relationship?

      If you have not already consented then the email asking for consent is illegal under PECR (2003). If you had consented, then there is no need for these GDPR related consent emails.

      1. Ben Tasker

        Re: Commercial relationship?

        > If you had consented, then there is no need for these GDPR related consent emails.

        To be fair, there is if they feel they don't have sufficient records of your consent. Remember they've got to record the exact terms you consented to as well as the fact that you consented - that's a gap for an awful lot of companies.

        1. Anonymous Coward

          Screen Scraping

          Sometimes that means "just pull the data out of the table in this HTML document, it's easier than farting about trying to get someone's homebrewed API to give up the goods".

          Case in point, I wrote a webscraper in t'office (crap, mentioned work, better click anon) to get application forms off a cross-industry web service we created, and whose technical steering committee we (corporately) chair... because it will take a minimum of six months to get them sent to us directly. It's got to go to the SC, then dev, then test, then pre-prod and then the next release window...

          Or I can waste a week with Stackoverflow and learn webscrapers from first principles. I know which costs less, shuddup about the technical debt...

      2. Adam 52 Silver badge

        Re: Commercial relationship?

        Many of the other misconceptions in this thread have already been corrected, but this one hasn't:

        "If you have not already consented then the email asking for consent is illegal under PECR (2003). If you had consented, then there is no need for these GDPR related consent emails"

        PECR includes an exception for certain corporate entities. If your customer is one of those then you are free to email them without consent provided that you allow an opt-out. There's a better explanation on the ICO website.

    5. JerseyDaveC

      Re: Commercial relationship?

      One of the grounds for lawful processing is that you're doing it in order to satisfy a contract with someone. So yes, it's fine to retain data on sales and the like as long as it's secure. The main consideration is that you shouldn't keep it forever: define a retention/disposal policy and timeline for old stuff and stick to it.

  7. Doctor Syntax Silver badge

    IANAL but...

    ...as far as I can tell, the following should be a good starting point, "data" being personal data.

    If you are required to collect and process data for statutory reasons then you're allowed to do so to the extent that the statute says.

    If you need to collect and process data in order to complete a transaction for goods or services then you can do so and retain it as long as needed, bearing in mind that different data items may be required for different lengths of time. You should delete data when it's no longer needed.

    You should only process the data according to the needs of the transaction for which it was required.

    Need is not want, neither for collection, storage nor processing. What some department wants is irrelevant; it's what the transaction needs that matters. You need to analyse this carefully; so carefully that you can stand over your analysis in court if need be.

    If you want extra data or want to process it in some additional way you must get explicit consent for that extra data or usage from the data subject. The consent may be withdrawn at any time. If it is you must delete that extra data. The regulations allow for technological limits so you don't have to edit backups. OTOH you're unlikely to get away with not re-deleting it if you have to restore from backup.

    Getting extra permission can't be tied to providing the goods or services. Trying to weasel out of that or anything else is what brings the top tier of fines. The authors of GDPR saw you doing that previously. They've taken precautions this time.

    You need to show data subjects what you hold about them if they ask and fix it if it's wrong.

    You need a data protection officer. That's a role not a post. You don't need somebody full-time unless you think the workload is going to justify it. The DPO needs sufficient clout to say what can and can't be done and to find out the truth of what's being done.

    Data is stuff held in written records as well as this trendy electronicry.

    If thy business is monetising data subjects' data rather than just selling goods and services to them, then the curse of GDPR be upon thee and upon thy weasel lawyers.

  8. Throatwarbler Mangrove Silver badge
    Holmes

    Seems clear

    Based on the contents of this comment thread alone, it seems pretty evident that the requirements, implications, and implementation of GDPR are all quite clear and well-understood, so I expect there to be no issues whatsoever when it goes into effect.

    1. The Nazz

      Re: Seems clear

      No issues?

      What about the poor buggers dealing with thousands, tens of thousands, millions even, of requests claiming unlawful holding of, or processing of, data under GDPR?

      May I suggest The Reg do a template letter or templates? Or are there any elsewhere, i.e. the ICO site?

      I have a letter in front of me now, seeking my consent to continue (huh?) with a range of data which their systems "have captured" and which I have previously consented to. I haven't.

      They kindly enclose a freephone number to deny all consent. The usual automated crap, except I now have to enter a date of birth to identify me (disregarding that I have the physical letter here). Enter a number of false ones and it would not proceed, so somehow the *bastards* have acquired my actual one from somewhere.*

      Why on earth the provider requires such personal data is beyond me, and incidentally it is not listed among the details for which I should give (continued, huh?) consent.

      * Anyone know where a date of birth is listed on a lawful public database? It certainly isn't on the Electoral Roll. Which uniquely some are, if they are likely to turn 18 in the next year and actually submitted to the council.

      What are the GDPR rules for cough, ahem, cough again, CHILDREN who are but 17 years of age?

    2. Anonymous Coward

      Re: Seems clear

      I'm worried about my inbox on 25th May when users read a Daily Mail article and patiently write us an exhaustive list of things they've misunderstood we should be doing.

  9. greenwood-IT

    Records for removal requests

    Seeing as one of the rules relates to data loss, what's the position in verifying and retaining records of removal requests?

    If I have someone's email address on a mailing list and they phone up and ask to be removed, do I need to request a written request and a copy of their ID to verify this is in fact the correct person making the request? How long do I need to retain a copy of their driving licence? What if they then request removal of the removal request????

    Oh joy!
